{ "metadata": { "source_file": "primevul_valid_grouped.json", "filter_min_depth": 4, "filter_max_depth": 4, "original_groups": 4777, "filtered_groups": 50, "total_functions": 619, "depth_distribution": { "25": 1, "1": 4057, "14": 3, "13": 1, "5": 13, "2": 489, "6": 16, "3": 135, "4": 50, "7": 6, "8": 2, "12": 2, "11": 1, "10": 1 } }, "groups": [ { "call_depth": 4, "longest_call_chain": [ "crypto_get_certificate_data", "crypto_cert_fingerprint", "crypto_cert_fingerprint_by_hash", "crypto_cert_hash" ], "group_size": 9, "functions": [ { "func": "char* crypto_cert_issuer(X509* xcert)\n{\n\treturn crypto_print_name(X509_get_issuer_name(xcert));\n}", "project": "FreeRDP", "hash": 205497471462573990909815156371579244197, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473452 }, { "func": "char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)\n{\n\tUINT32 fp_len, i;\n\tBYTE* fp;\n\tchar* p;\n\tchar* fp_buffer;\n\n\tfp = crypto_cert_hash(xcert, hash, &fp_len);\n\tif (!fp)\n\t\treturn NULL;\n\n\tfp_buffer = calloc(fp_len * 3 + 1, sizeof(char));\n\tif (!fp_buffer)\n\t\tgoto fail;\n\n\tp = fp_buffer;\n\n\tfor (i = 0; i < (fp_len - 1); i++)\n\t{\n\t\tsprintf_s(p, (fp_len - i) * 3, \"%02\" PRIx8 \":\", fp[i]);\n\t\tp = &fp_buffer[(i + 1) * 3];\n\t}\n\n\tsprintf_s(p, (fp_len - i) * 3, \"%02\" PRIx8 \"\", fp[i]);\nfail:\n\tfree(fp);\n\n\treturn fp_buffer;\n}", "project": "FreeRDP", "hash": 137722397787957957021174819917513700282, "size": 29, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473456 }, { "func": "char* crypto_cert_fingerprint(X509* xcert)\n{\n\treturn crypto_cert_fingerprint_by_hash(xcert, \"sha256\");\n}", 
"project": "FreeRDP", "hash": 115650122252764947943603801708902861010, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473462 }, { "func": "static int verify_cb(int ok, X509_STORE_CTX* csc)\n{\n\tif (ok != 1)\n\t{\n\t\tint err = X509_STORE_CTX_get_error(csc);\n\t\tint derr = X509_STORE_CTX_get_error_depth(csc);\n\t\tX509* where = X509_STORE_CTX_get_current_cert(csc);\n\t\tconst char* what = X509_verify_cert_error_string(err);\n\t\tchar* name = crypto_cert_subject(where);\n\n\t\tWLog_WARN(TAG, \"Certificate verification failure '%s (%d)' at stack position %d\", what, err,\n\t\t derr);\n\t\tWLog_WARN(TAG, \"%s\", name);\n\n\t\tfree(name);\n\t}\n\treturn ok;\n}", "project": "FreeRDP", "hash": 75265801506247543146779012995879849204, "size": 18, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473427 }, { "func": "void crypto_cert_print_info(X509* xcert)\n{\n\tchar* fp;\n\tchar* issuer;\n\tchar* subject;\n\tsubject = crypto_cert_subject(xcert);\n\tissuer = crypto_cert_issuer(xcert);\n\tfp = crypto_cert_fingerprint(xcert);\n\n\tif (!fp)\n\t{\n\t\tWLog_ERR(TAG, \"error computing fingerprint\");\n\t\tgoto out_free_issuer;\n\t}\n\n\tWLog_INFO(TAG, \"Certificate details:\");\n\tWLog_INFO(TAG, \"\\tSubject: %s\", subject);\n\tWLog_INFO(TAG, \"\\tIssuer: %s\", issuer);\n\tWLog_INFO(TAG, \"\\tThumbprint: %s\", fp);\n\tWLog_INFO(TAG,\n\t \"The above X.509 certificate could not be verified, possibly because you do not have \"\n\t \"the CA certificate in your certificate store, or the certificate has expired. 
\"\n\t \"Please look at the OpenSSL documentation on how to add a private CA to the store.\");\n\tfree(fp);\nout_free_issuer:\n\tfree(issuer);\n\tfree(subject);\n}", "project": "FreeRDP", "hash": 64076208521481089131010558823372035251, "size": 28, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473432 }, { "func": "char* crypto_cert_subject(X509* xcert)\n{\n\treturn crypto_print_name(X509_get_subject_name(xcert));\n}", "project": "FreeRDP", "hash": 177180604460491566370377171358096486095, "size": 4, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473454 }, { "func": "rdpCertificateData* crypto_get_certificate_data(X509* xcert, const char* hostname, UINT16 port)\n{\n\tchar* issuer;\n\tchar* subject;\n\tchar* fp;\n\trdpCertificateData* certdata;\n\tfp = crypto_cert_fingerprint(xcert);\n\n\tif (!fp)\n\t\treturn NULL;\n\n\tissuer = crypto_cert_issuer(xcert);\n\tsubject = crypto_cert_subject(xcert);\n\tcertdata = certificate_data_new(hostname, port, issuer, subject, fp);\n\tfree(subject);\n\tfree(issuer);\n\tfree(fp);\n\treturn certdata;\n}", "project": "FreeRDP", "hash": 170554719668291881438898249097327745004, "size": 19, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473455 }, { "func": "BYTE* crypto_cert_hash(X509* xcert, const char* hash, UINT32* length)\n{\n\tUINT32 fp_len = EVP_MAX_MD_SIZE;\n\tBYTE* fp;\n\tconst EVP_MD* md = EVP_get_digestbyname(hash);\n\tif (!md)\n\t\treturn NULL;\n\tif (!length)\n\t\treturn NULL;\n\tif (!xcert)\n\t\treturn NULL;\n\n\tfp = 
calloc(fp_len, sizeof(BYTE));\n\tif (!fp)\n\t\treturn NULL;\n\n\tif (X509_digest(xcert, md, fp, &fp_len) != 1)\n\t{\n\t\tfree(fp);\n\t\treturn NULL;\n\t}\n\n\t*length = fp_len;\n\treturn fp;\n}", "project": "FreeRDP", "hash": 258407869867369743474326334091914072928, "size": 25, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473451 }, { "func": "static char* crypto_print_name(X509_NAME* name)\n{\n\tchar* buffer = NULL;\n\tBIO* outBIO = BIO_new(BIO_s_mem());\n\n\tif (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)\n\t{\n\t\tunsigned long size = BIO_number_written(outBIO);\n\t\tbuffer = calloc(1, size + 1);\n\n\t\tif (!buffer)\n\t\t\treturn NULL;\n\n\t\tBIO_read(outBIO, buffer, size);\n\t}\n\n\tBIO_free_all(outBIO);\n\treturn buffer;\n}", "project": "FreeRDP", "hash": 89260255256165807681288006501973762861, "size": 19, "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea", "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)", "target": 0, "dataset": "other", "idx": 473437 } ] }, { "call_depth": 4, "longest_call_chain": [ "zend_throw_exception_object", "zend_throw_exception_internal", "zend_exception_error", "zend_error_va" ], "group_size": 7, "functions": [ { "func": "ZEND_API void zend_exception_error(zval *exception, int severity TSRMLS_DC) /* {{{ */\n{\n\tzend_class_entry *ce_exception = Z_OBJCE_P(exception);\n\tif (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {\n\t\tzval *str, *file, *line;\n\n\t\tEG(exception) = NULL;\n\n\t\tzend_call_method_with_0_params(&exception, ce_exception, NULL, \"__tostring\", &str);\n\t\tif (!EG(exception)) {\n\t\t\tif (Z_TYPE_P(str) != IS_STRING) {\n\t\t\t\tzend_error(E_WARNING, \"%s::__toString() must return a string\", ce_exception->name);\n\t\t\t} else 
{\n\t\t\t\tzend_update_property_string(default_exception_ce, exception, \"string\", sizeof(\"string\")-1, EG(exception) ? ce_exception->name : Z_STRVAL_P(str) TSRMLS_CC);\n\t\t\t}\n\t\t}\n\t\tzval_ptr_dtor(&str);\n\n\t\tif (EG(exception)) {\n\t\t\t/* do the best we can to inform about the inner exception */\n\t\t\tif (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {\n\t\t\t\tfile = zend_read_property(default_exception_ce, EG(exception), \"file\", sizeof(\"file\")-1, 1 TSRMLS_CC);\n\t\t\t\tline = zend_read_property(default_exception_ce, EG(exception), \"line\", sizeof(\"line\")-1, 1 TSRMLS_CC);\n\n\t\t\t\tconvert_to_string(file);\n\t\t\t\tfile = (Z_STRLEN_P(file) > 0) ? file : NULL;\n\t\t\t\tline = (Z_TYPE_P(line) == IS_LONG) ? line : NULL;\n\t\t\t} else {\n\t\t\t\tfile = NULL;\n\t\t\t\tline = NULL;\n\t\t\t}\n\t\t\tzend_error_va(E_WARNING, file ? Z_STRVAL_P(file) : NULL, line ? Z_LVAL_P(line) : 0, \"Uncaught %s in exception handling during call to %s::__tostring()\", Z_OBJCE_P(EG(exception))->name, ce_exception->name);\n\t\t}\n\n\t\tstr = zend_read_property(default_exception_ce, exception, \"string\", sizeof(\"string\")-1, 1 TSRMLS_CC);\n\t\tfile = zend_read_property(default_exception_ce, exception, \"file\", sizeof(\"file\")-1, 1 TSRMLS_CC);\n\t\tline = zend_read_property(default_exception_ce, exception, \"line\", sizeof(\"line\")-1, 1 TSRMLS_CC);\n\n\t\tconvert_to_string(str);\n\t\tconvert_to_string(file);\n\t\tconvert_to_long(line);\n\n\t\tzend_error_va(severity, (Z_STRLEN_P(file) > 0) ? 
Z_STRVAL_P(file) : NULL, Z_LVAL_P(line), \"Uncaught %s\\n thrown\", Z_STRVAL_P(str));\n\t} else {\n\t\tzend_error(severity, \"Uncaught exception '%s'\", ce_exception->name);\n\t}\n}", "project": "php-src", "hash": 233019637263204593162642334084906168743, "size": 47, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374469 }, { "func": "ZEND_API void zend_throw_exception_object(zval *exception TSRMLS_DC) /* {{{ */\n{\n\tzend_class_entry *exception_ce;\n\n\tif (exception == NULL || Z_TYPE_P(exception) != IS_OBJECT) {\n\t\tzend_error(E_ERROR, \"Need to supply an object when throwing an exception\");\n\t}\n\n\texception_ce = Z_OBJCE_P(exception);\n\n\tif (!exception_ce || !instanceof_function(exception_ce, default_exception_ce TSRMLS_CC)) {\n\t\tzend_error(E_ERROR, \"Exceptions must be valid objects derived from the Exception base class\");\n\t}\n\tzend_throw_exception_internal(exception TSRMLS_CC);\n}", "project": "php-src", "hash": 168358188494444651132316427800666457773, "size": 15, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374451 }, { "func": "static void zend_error_va(int type, const char *file, uint lineno, const char *format, ...) 
/* {{{ */\n{\n\tva_list args;\n\n\tva_start(args, format);\n\tzend_error_cb(type, file, lineno, format, args);\n\tva_end(args);\n}", "project": "php-src", "hash": 313633724532951233240989058937036034067, "size": 8, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374463 }, { "func": "void zend_exception_restore(TSRMLS_D) /* {{{ */\n{\n\tif (EG(prev_exception)) {\n\t\tif (EG(exception)) {\n\t\t\tzend_exception_set_previous(EG(exception), EG(prev_exception) TSRMLS_CC);\n\t\t} else {\n\t\t\tEG(exception) = EG(prev_exception);\n\t\t}\n\t\tEG(prev_exception) = NULL;\n\t}\n}", "project": "php-src", "hash": 65940455749340376476088943638997947991, "size": 11, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374462 }, { "func": "void zend_exception_set_previous(zval *exception, zval *add_previous TSRMLS_DC)\n{\n\tzval *previous;\n\n\tif (exception == add_previous || !add_previous || !exception) {\n\t\treturn;\n\t}\n\tif (Z_TYPE_P(add_previous) != IS_OBJECT && !instanceof_function(Z_OBJCE_P(add_previous), default_exception_ce TSRMLS_CC)) {\n\t\tzend_error(E_ERROR, \"Cannot set non exception as previous exception\");\n\t\treturn;\n\t}\n\twhile (exception && exception != add_previous && Z_OBJ_HANDLE_P(exception) != Z_OBJ_HANDLE_P(add_previous)) {\n\t\tprevious = zend_read_property(default_exception_ce, exception, \"previous\", sizeof(\"previous\")-1, 1 TSRMLS_CC);\n\t\tif (Z_TYPE_P(previous) == IS_NULL) {\n\t\t\tzend_update_property(default_exception_ce, exception, \"previous\", sizeof(\"previous\")-1, add_previous TSRMLS_CC);\n\t\t\tZ_DELREF_P(add_previous);\n\t\t\treturn;\n\t\t}\n\t\texception = previous;\n\t}\n}", "project": "php-src", "hash": 159666285129417513959591408876495337624, "size": 21, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 
0, "dataset": "other", "idx": 374466 }, { "func": "void zend_throw_exception_internal(zval *exception TSRMLS_DC) /* {{{ */\n{\n#ifdef HAVE_DTRACE\n\tif (DTRACE_EXCEPTION_THROWN_ENABLED()) {\n\t\tconst char *classname;\n\t\tzend_uint name_len;\n\n\t\tif (exception != NULL) {\n\t\t\tzend_get_object_classname(exception, &classname, &name_len TSRMLS_CC);\n\t\t\tDTRACE_EXCEPTION_THROWN((char *)classname);\n\t\t} else {\n\t\t\tDTRACE_EXCEPTION_THROWN(NULL);\n\t\t}\n\t}\n#endif /* HAVE_DTRACE */\n\n\tif (exception != NULL) {\n\t\tzval *previous = EG(exception);\n\t\tzend_exception_set_previous(exception, EG(exception) TSRMLS_CC);\n\t\tEG(exception) = exception;\n\t\tif (previous) {\n\t\t\treturn;\n\t\t}\n\t}\n\tif (!EG(current_execute_data)) {\n\t\tif(EG(exception)) {\n\t\t\tzend_exception_error(EG(exception), E_ERROR TSRMLS_CC);\n\t\t}\n\t\tzend_error(E_ERROR, \"Exception thrown without a stack frame\");\n\t}\n\n\tif (zend_throw_exception_hook) {\n\t\tzend_throw_exception_hook(exception TSRMLS_CC);\n\t}\n\n\tif (EG(current_execute_data)->opline == NULL ||\n\t (EG(current_execute_data)->opline+1)->opcode == ZEND_HANDLE_EXCEPTION) {\n\t\t/* no need to rethrow the exception */\n\t\treturn;\n\t}\n\tEG(opline_before_exception) = EG(current_execute_data)->opline;\n\tEG(current_execute_data)->opline = EG(exception_op);\n}", "project": "php-src", "hash": 247917911400170479938783393940056166910, "size": 43, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes for bug #69152", "target": 0, "dataset": "other", "idx": 374455 }, { "func": "void zend_exception_save(TSRMLS_D) /* {{{ */\n{\n\tif (EG(prev_exception)) {\n\t\tzend_exception_set_previous(EG(exception), EG(prev_exception) TSRMLS_CC);\n\t}\n\tif (EG(exception)) {\n\t\tEG(prev_exception) = EG(exception);\n\t}\n\tEG(exception) = NULL;\n}", "project": "php-src", "hash": 116066607902918107578657479066223949823, "size": 10, "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0", "message": "More fixes 
for bug #69152", "target": 0, "dataset": "other", "idx": 374448 } ] }, { "call_depth": 4, "longest_call_chain": [ "Open_table_context", "m_flags", "Profiler", "BindToCPU" ], "group_size": 13, "functions": [ { "func": "static long get_us_interval(struct timeval *start, struct timeval *end) {\n return (((end->tv_sec - start->tv_sec) * 1000000)\n + (end->tv_usec - start->tv_usec));\n}", "project": "hhvm", "hash": 226869654135616472232911777556010156798, "size": 4, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219250 }, { "func": " MachineInfo() {\n m_cpu_num = sysconf(_SC_NPROCESSORS_CONF);\n m_cpu_frequencies = get_cpu_frequency_from_file(\"/proc/cpuinfo\", m_cpu_num);\n\n if (m_cpu_frequencies)\n return;\n\n m_cpu_frequencies = new int64_t[m_cpu_num];\n for (int i = 0; i < m_cpu_num; i++) {\n cpu_set_t prev_mask;\n GET_AFFINITY(0, sizeof(cpu_set_t), &prev_mask);\n BindToCPU(i);\n // Make sure the current process gets scheduled to the target cpu. 
This\n // might not be necessary though.\n usleep(0);\n m_cpu_frequencies[i] = get_cpu_frequency();\n SET_AFFINITY(0, sizeof(cpu_set_t), &prev_mask);\n }\n }", "project": "hhvm", "hash": 180263000948610311410935395853679103945, "size": 19, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219057 }, { "func": "static int64_t* get_cpu_frequency_from_file(const char *file, int ncpus)\n{\n std::ifstream cpuinfo(file);\n if (cpuinfo.fail()) {\n return nullptr;\n }\n char line[MAX_LINELENGTH];\n int64_t* freqs = new int64_t[ncpus];\n for (int i = 0; i < ncpus; ++i) {\n freqs[i] = 0;\n }\n int processor = -1;\n\n while (cpuinfo.getline(line, sizeof(line))) {\n if (sscanf(line, \"processor : %d\", &processor) == 1) {\n continue;\n }\n float freq;\n if ((sscanf(line, \"cpu MHz : %f\", &freq) == 1) ||\n (sscanf(line, \"clock : %f\", &freq) == 1)) {\n if (processor != -1 && processor < ncpus) {\n freqs[processor] = nearbyint(freq);\n processor = -1;\n }\n }\n }\n for (int i = 0; i < ncpus; ++i) {\n if (freqs[i] == 0) {\n delete[] freqs;\n return nullptr;\n }\n }\n return freqs;\n}", "project": "hhvm", "hash": 248085455882707873436144105338088029488, "size": 34, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219292 }, { "func": " static void BindToCPU(uint32_t cpu_id) {\n cpu_set_t new_mask;\n CPU_ZERO(&new_mask);\n CPU_SET(cpu_id, &new_mask);\n SET_AFFINITY(0, sizeof(cpu_set_t), &new_mask);\n }", "project": "hhvm", "hash": 252561999300798108266609964241078876025, "size": 6, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219879 }, { "func": " explicit TraceProfiler(int flags)\n : 
Profiler(true)\n , m_traceBuffer(nullptr)\n , m_traceBufferSize(0)\n , m_nextTraceEntry(0)\n , m_traceBufferFilled(false)\n , m_maxTraceBuffer(0)\n , m_overflowCalls(0)\n , m_flags(flags)\n {\n if (!(m_flags & IHaveInfiniteMemory) && pthread_mutex_trylock(&s_inUse)) {\n // This profiler uses a very large amount of memory. Only allow\n // one in the process at any time.\n m_successful = false;\n } else {\n m_maxTraceBuffer = RuntimeOption::ProfilerMaxTraceBuffer;\n Extension* ext = ExtensionRegistry::get(s_hotprofiler);\n assertx(ext);\n IniSetting::Bind(ext, IniSetting::PHP_INI_ALL,\n \"profiler.max_trace_buffer\",\n &m_maxTraceBuffer);\n }\n }", "project": "hhvm", "hash": 97949173461319208565106839514492844861, "size": 23, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219466 }, { "func": " explicit HierarchicalProfiler(int flags) : Profiler(true), m_flags(flags) {\n }", "project": "hhvm", "hash": 56700908204766941970227207576771894312, "size": 2, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219660 }, { "func": "void Profiler::endAllFrames() {\n while (m_stack) {\n endFrame(nullptr, nullptr, true);\n }\n}", "project": "hhvm", "hash": 245415849160079604862531924084058340861, "size": 5, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219314 }, { "func": " void endAllFrames() override {\n // Nothing to do for this profiler since all work is done as we go.\n }", "project": "hhvm", "hash": 150441449384399467871760114204802685380, "size": 3, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security 
fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219864 }, { "func": "Profiler::~Profiler() {\n if (m_has_affinity) {\n SET_AFFINITY(0, sizeof(cpu_set_t), &m_prev_mask);\n }\n\n endAllFrames();\n for (Frame *p = m_frame_free_list; p;) {\n Frame *cur = p;\n p = p->m_parent;\n delete cur;\n }\n}", "project": "hhvm", "hash": 218080934643076592466588935207842016775, "size": 12, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219479 }, { "func": " explicit MemoProfiler(int /*flags*/) : Profiler(true) {}", "project": "hhvm", "hash": 76196938429753322405609073721382273498, "size": 1, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219768 }, { "func": "static int64_t get_cpu_frequency() {\n struct timeval start;\n struct timeval end;\n\n if (gettimeofday(&start, 0)) {\n perror(\"gettimeofday\");\n return 0.0;\n }\n uint64_t tsc_start = cpuCycles();\n uint64_t tsc_end;\n volatile int i;\n // Busy loop for 5 miliseconds. 
Don't use usleep() here since it causes the\n // CPU to halt which will generate meaningless results.\n do {\n for (i = 0; i < 1000000; i++);\n if (gettimeofday(&end, 0)) {\n perror(\"gettimeofday\");\n return 0.0;\n }\n tsc_end = cpuCycles();\n } while (get_us_interval(&start, &end) < 5000);\n\n return nearbyint((tsc_end - tsc_start) * 1.0\n / (get_us_interval(&start, &end)));\n}", "project": "hhvm", "hash": 82995547803504983128639277702102155539, "size": 25, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219071 }, { "func": "Profiler::Profiler(bool needCPUAffinity) : m_successful(true),\n m_stack(nullptr),\n m_frame_free_list(nullptr),\n m_has_affinity(needCPUAffinity) {\n if (!s_rand_initialized) {\n s_rand_initialized = true;\n srand(math_generate_seed());\n }\n\n if (m_has_affinity) {\n //\n // Bind to a random cpu so that we can use rdtsc instruction.\n //\n int cur_cpu_id = rand() % s_machine.m_cpu_num;\n GET_AFFINITY(0, sizeof(cpu_set_t), &m_prev_mask);\n MachineInfo::BindToCPU(cur_cpu_id);\n m_MHz = s_machine.m_cpu_frequencies[cur_cpu_id];\n } else {\n //\n // Take cpu0's speed as a proxy for all cpus.\n //\n m_MHz = s_machine.m_cpu_frequencies[0];\n }\n\n memset(m_func_hash_counters, 0, sizeof(m_func_hash_counters));\n}", "project": "hhvm", "hash": 228890197525810853672696827937472522779, "size": 26, "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca", "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html", "target": 0, "dataset": "other", "idx": 219669 }, { "func": "Open_table_context::Open_table_context(THD *thd, uint flags)\n :m_thd(thd),\n m_failed_table(NULL),\n m_start_of_statement_svp(thd->mdl_context.mdl_savepoint()),\n m_timeout(flags & MYSQL_LOCK_IGNORE_TIMEOUT ?\n LONG_TIMEOUT : thd->variables.lock_wait_timeout),\n m_flags(flags),\n m_action(OT_NO_ACTION),\n 
m_has_locks(thd->mdl_context.has_locks()),\n m_has_protection_against_grl(0)\n{}", "target": 0, "cwe": [ "CWE-416" ], "project": "server", "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38", "hash": 231716104947654513237673151084075997257, "size": 11, "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.", "dataset": "other", "idx": 514562 } ] }, { "call_depth": 4, "longest_call_chain": [ "latm_dmx_process", "latm_dmx_check_pid", "latm_dmx_check_dur", "latm_dmx_sync_frame_bs" ], "group_size": 6, "functions": [ { "func": "static void latm_dmx_check_pid(GF_Filter *filter, GF_LATMDmxCtx *ctx)\n{\n\tu8 *dsi_b;\n\tu32 dsi_s, sr, timescale=0;\n\tu32 codecid;\n\tif (!ctx->opid) {\n\t\tctx->opid = gf_filter_pid_new(filter);\n\t\tgf_filter_pid_copy_properties(ctx->opid, ctx->ipid);\n\t\tlatm_dmx_check_dur(filter, ctx);\n\t}\n\tif (!GF_M4ASampleRates[ctx->acfg.base_sr_index]) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[LATMDmx] Wrong sample rate in audio config, broken stream\\n\"));\n\t\tctx->in_error = GF_NON_COMPLIANT_BITSTREAM;\n\t\treturn;\n\t}\n\n\tif ((ctx->sr_idx == ctx->acfg.base_sr_index) && (ctx->nb_ch == ctx->acfg.nb_chan )\n\t\t&& (ctx->base_object_type == ctx->acfg.base_object_type) ) return;\n\n\tif (ctx->acfg.base_object_type==GF_M4A_USAC)\n\t\tcodecid = GF_CODECID_USAC;\n\telse\n\t\tcodecid = GF_CODECID_AAC_MPEG4;\n\t//copy properties at init or reconfig\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_STREAM_TYPE, & PROP_UINT( GF_STREAM_AUDIO));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CODECID, & PROP_UINT( codecid));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLES_PER_FRAME, & PROP_UINT(ctx->frame_size) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_UNFRAMED, & PROP_BOOL(GF_FALSE) );\n\tif (ctx->is_file && ctx->index) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PLAYBACK_MODE, & 
PROP_UINT(GF_PLAYBACK_MODE_FASTFORWARD) );\n\t}\n\tif (ctx->duration.num)\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\n\tctx->nb_ch = ctx->acfg.nb_chan;\n\tctx->base_object_type = ctx->acfg.base_object_type;\n\n\tsr = GF_M4ASampleRates[ctx->acfg.base_sr_index];\n\tif (!ctx->timescale) {\n\t\t//we change sample rate, change cts\n\t\tif (ctx->cts && (ctx->sr_idx != ctx->acfg.base_sr_index)) {\n\t\t\tctx->cts *= sr;\n\t\t\tctx->cts /= GF_M4ASampleRates[ctx->sr_idx];\n\t\t}\n\t}\n\tctx->sr_idx = ctx->acfg.base_sr_index;\n\n\tctx->dts_inc = ctx->frame_size;\n\tgf_m4a_write_config(&ctx->acfg, &dsi_b, &dsi_s);\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DECODER_CONFIG, & PROP_DATA_NO_COPY(dsi_b, dsi_s) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PROFILE_LEVEL, & PROP_UINT (ctx->acfg.audioPL) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLE_RATE, & PROP_UINT(sr));\n\n\ttimescale = sr;\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_TIMESCALE, & PROP_UINT(ctx->timescale ? 
ctx->timescale : timescale));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_NUM_CHANNELS, & PROP_UINT(ctx->nb_ch) );\n\n\tif (ctx->bitrate) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_BITRATE, & PROP_UINT(ctx->bitrate));\n\t}\n}", "project": "gpac", "hash": 165495346712678193500478445775721262302, "size": 63, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271472 }, { "func": "static GFINLINE void latm_dmx_update_cts(GF_LATMDmxCtx *ctx)\n{\n\tassert(ctx->dts_inc);\n\n\tif (ctx->timescale) {\n\t\tu64 inc = ctx->dts_inc;\n\t\tinc *= ctx->timescale;\n\t\tinc /= GF_M4ASampleRates[ctx->sr_idx];\n\t\tctx->cts += inc;\n\t} else {\n\t\tctx->cts += ctx->dts_inc;\n\t}\n}", "project": "gpac", "hash": 326400713483767484341063456654570434654, "size": 13, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271475 }, { "func": "static void latm_dmx_check_dur(GF_Filter *filter, GF_LATMDmxCtx *ctx)\n{\n\tFILE *stream;\n\tGF_BitStream *bs;\n\tGF_M4ADecSpecInfo acfg;\n\tu64 duration, cur_dur, cur_pos, rate;\n\ts32 sr_idx = -1;\n\tconst GF_PropertyValue *p;\n\tif (!ctx->opid || ctx->timescale || ctx->file_loaded) return;\n\n\tif (ctx->index<=0) {\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILEPATH);\n\tif (!p || !p->value.string || !strncmp(p->value.string, \"gmem://\", 7)) {\n\t\tctx->is_file = GF_FALSE;\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\tctx->is_file = GF_TRUE;\n\n\tstream = gf_fopen(p->value.string, \"rb\");\n\tif (!stream) return;\n\n\tctx->index_size = 0;\n\n\tmemset(&acfg, 0, sizeof(GF_M4ADecSpecInfo));\n\n\n\tbs = gf_bs_from_file(stream, GF_BITSTREAM_READ);\n\tduration = 0;\n\tcur_dur = 0;\n\tcur_pos = gf_bs_get_position(bs);\n\twhile (latm_dmx_sync_frame_bs(bs, &acfg, 0, NULL, NULL)) {\n\t\tif ((sr_idx>=0) && (sr_idx != 
acfg.base_sr_index)) {\n\t\t\tduration *= GF_M4ASampleRates[acfg.base_sr_index];\n\t\t\tduration /= GF_M4ASampleRates[sr_idx];\n\n\t\t\tcur_dur *= GF_M4ASampleRates[acfg.base_sr_index];\n\t\t\tcur_dur /= GF_M4ASampleRates[sr_idx];\n\t\t}\n\t\tsr_idx = acfg.base_sr_index;\n\t\tduration += ctx->frame_size;\n\t\tcur_dur += ctx->frame_size;\n\t\tif (cur_dur > ctx->index * GF_M4ASampleRates[sr_idx]) {\n\t\t\tif (!ctx->index_alloc_size) ctx->index_alloc_size = 10;\n\t\t\telse if (ctx->index_alloc_size == ctx->index_size) ctx->index_alloc_size *= 2;\n\t\t\tctx->indexes = gf_realloc(ctx->indexes, sizeof(LATMIdx)*ctx->index_alloc_size);\n\t\t\tctx->indexes[ctx->index_size].pos = cur_pos;\n\t\t\tctx->indexes[ctx->index_size].duration = (Double) duration;\n\t\t\tctx->indexes[ctx->index_size].duration /= GF_M4ASampleRates[sr_idx];\n\t\t\tctx->index_size ++;\n\t\t\tcur_dur = 0;\n\t\t}\n\n\t\tcur_pos = gf_bs_get_position(bs);\n\t}\n\trate = gf_bs_get_position(bs);\n\tgf_bs_del(bs);\n\tgf_fclose(stream);\n\n\tif (sr_idx>=0) {\n\t\tif (!ctx->duration.num || (ctx->duration.num * GF_M4ASampleRates[sr_idx] != duration * ctx->duration.den)) {\n\t\t\tctx->duration.num = (s32) duration;\n\t\t\tctx->duration.den = GF_M4ASampleRates[sr_idx];\n\n\t\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\t\t\tif (duration && !gf_sys_is_test_mode() ) {\n\t\t\t\trate *= 8 * ctx->duration.den;\n\t\t\t\trate /= ctx->duration.num;\n\t\t\t\tctx->bitrate = (u32) rate;\n\t\t\t}\n\t\t}\n\t}\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED);\n\tif (p && p->value.boolean) ctx->file_loaded = GF_TRUE;\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_TRUE ) );\n}", "project": "gpac", "hash": 268079972344018463318373147938902590521, "size": 81, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271469 }, { "func": "GF_Err 
latm_dmx_process(GF_Filter *filter)\n{\n\tGF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu32 pos;\n\tu8 *data, *output;\n\tu32 pck_size, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\n\tif (ctx->in_error)\n\t\treturn ctx->in_error;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tlatm_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->latm_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\n\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tprev_pck_size = ctx->latm_buffer_size;\n\n\tif (pck && !ctx->resume_from) {\n\t\tif (ctx->latm_buffer_size + pck_size > ctx->latm_buffer_alloc) {\n\t\t\tctx->latm_buffer_alloc = ctx->latm_buffer_size + pck_size;\n\t\t\tctx->latm_buffer = gf_realloc(ctx->latm_buffer, ctx->latm_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->latm_buffer + ctx->latm_buffer_size, data, pck_size);\n\t\tctx->latm_buffer_size += pck_size;\n\t}\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(ctx->latm_buffer, ctx->latm_buffer_size, GF_BITSTREAM_READ);\n\telse gf_bs_reassign_buffer(ctx->bs, ctx->latm_buffer, ctx->latm_buffer_size);\n\n\tif (ctx->resume_from) {\n\t\tgf_bs_seek(ctx->bs, ctx->resume_from-1);\n\t\tctx->resume_from = 0;\n\t}\n\n\tif (cts == GF_FILTER_NO_TS)\n\t\tprev_pck_size = 0;\n\n\n\twhile (1) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tu8 latm_buffer[4096];\n\t\tu32 latm_frame_size = 4096;\n\t\tif (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, 
NULL)) break;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * GF_M4ASampleRates[ctx->sr_idx]);\n\t\t\tif (ctx->cts + ctx->dts_inc >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + ctx->dts_inc) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tlatm_dmx_check_pid(filter, ctx);\n\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->resume_from = pos+1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tGF_FilterSAPType sap = GF_FILTER_SAP_1;\n\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, latm_frame_size, &output);\n\t\t\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);\n\n\t\t\tmemcpy(output, latm_buffer, latm_frame_size);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tgf_filter_pck_set_duration(dst_pck, ctx->dts_inc);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\t/*xHE-AAC, check RAP*/\n\t\t\tif (ctx->acfg.base_object_type==GF_CODECID_USAC) {\n\t\t\t\tif (latm_frame_size && (output[0] & 0x80) && !ctx->prev_sap) {\n\t\t\t\t\tsap = GF_FILTER_SAP_1;\n\t\t\t\t\tctx->prev_sap = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tsap = GF_FILTER_SAP_NONE;\n\t\t\t\t\tctx->prev_sap = GF_FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, sap);\n\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tlatm_dmx_update_cts(ctx);\n\n\t\tif (prev_pck_size) {\n\t\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\t\tif (prev_pck_size<=pos) {\n\t\t\t\tprev_pck_size=0;\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = pck;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (pck) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tassert(ctx->latm_buffer_size >= pos);\n\t\tmemmove(ctx->latm_buffer, ctx->latm_buffer+pos, ctx->latm_buffer_size - pos);\n\t\tctx->latm_buffer_size -= 
pos;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\tassert(!ctx->resume_from);\n\t} else {\n\t\tctx->latm_buffer_size = 0;\n\t\treturn latm_dmx_process(filter);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 129393460693122238437209841613363417813, "size": 138, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 1, "dataset": "other", "idx": 198278 }, { "func": "GF_Err latm_dmx_process(GF_Filter *filter)\n{\n\tGF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu32 pos;\n\tu8 *data=NULL, *output;\n\tu32 pck_size=0, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\n\tif (ctx->in_error)\n\t\treturn ctx->in_error;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tlatm_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->latm_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t} else {\n\t\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\t}\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tprev_pck_size = ctx->latm_buffer_size;\n\n\tif (pck && !ctx->resume_from) {\n\t\tif (ctx->latm_buffer_size + pck_size > ctx->latm_buffer_alloc) {\n\t\t\tctx->latm_buffer_alloc = ctx->latm_buffer_size + pck_size;\n\t\t\tctx->latm_buffer = gf_realloc(ctx->latm_buffer, ctx->latm_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->latm_buffer + ctx->latm_buffer_size, data, pck_size);\n\t\tctx->latm_buffer_size += pck_size;\n\t}\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(ctx->latm_buffer, ctx->latm_buffer_size, GF_BITSTREAM_READ);\n\telse 
gf_bs_reassign_buffer(ctx->bs, ctx->latm_buffer, ctx->latm_buffer_size);\n\n\tif (ctx->resume_from) {\n\t\tgf_bs_seek(ctx->bs, ctx->resume_from-1);\n\t\tctx->resume_from = 0;\n\t}\n\n\tif (cts == GF_FILTER_NO_TS)\n\t\tprev_pck_size = 0;\n\n\n\twhile (1) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tu8 latm_buffer[4096];\n\t\tu32 latm_frame_size = 4096;\n\t\tif (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, NULL)) break;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * GF_M4ASampleRates[ctx->sr_idx]);\n\t\t\tif (ctx->cts + ctx->dts_inc >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + ctx->dts_inc) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tlatm_dmx_check_pid(filter, ctx);\n\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->resume_from = pos+1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tGF_FilterSAPType sap = GF_FILTER_SAP_1;\n\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, latm_frame_size, &output);\n\t\t\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);\n\n\t\t\tmemcpy(output, latm_buffer, latm_frame_size);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tgf_filter_pck_set_duration(dst_pck, ctx->dts_inc);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\t/*xHE-AAC, check RAP*/\n\t\t\tif (ctx->acfg.base_object_type==GF_CODECID_USAC) {\n\t\t\t\tif (latm_frame_size && (output[0] & 0x80) && !ctx->prev_sap) {\n\t\t\t\t\tsap = GF_FILTER_SAP_1;\n\t\t\t\t\tctx->prev_sap = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tsap = GF_FILTER_SAP_NONE;\n\t\t\t\t\tctx->prev_sap = GF_FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, sap);\n\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tlatm_dmx_update_cts(ctx);\n\n\t\tif (prev_pck_size) {\n\t\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\t\tif (prev_pck_size<=pos) {\n\t\t\t\tprev_pck_size=0;\n\t\t\t\tif (ctx->src_pck) 
gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = pck;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (pck) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tassert(ctx->latm_buffer_size >= pos);\n\t\tmemmove(ctx->latm_buffer, ctx->latm_buffer+pos, ctx->latm_buffer_size - pos);\n\t\tctx->latm_buffer_size -= pos;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\tassert(!ctx->resume_from);\n\t} else {\n\t\tctx->latm_buffer_size = 0;\n\t\treturn latm_dmx_process(filter);\n\t}\n\treturn GF_OK;\n}", "project": "gpac", "hash": 10482263121380563115286320698149929915, "size": 138, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271474 }, { "func": "static Bool latm_dmx_sync_frame_bs(GF_BitStream *bs, GF_M4ADecSpecInfo *acfg, u32 *nb_bytes, u8 *buffer, u32 *nb_skipped)\n{\n\tu32 val, size;\n\tu64 pos, mux_size;\n\tif (nb_skipped) *nb_skipped = 0;\n\tif (!acfg) return 0;\n\n\twhile (gf_bs_available(bs)>3) {\n\t\tval = gf_bs_read_u8(bs);\n\t\tif (val!=0x56) {\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\t\tval = gf_bs_read_int(bs, 3);\n\t\tif (val != 0x07) {\n\t\t\tgf_bs_read_int(bs, 5);\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\t\tmux_size = gf_bs_read_int(bs, 13);\n\t\tpos = gf_bs_get_position(bs);\n\t\tif (mux_size>gf_bs_available(bs) ) {\n\t\t\tgf_bs_seek(bs, pos-3);\n\t\t\treturn GF_FALSE;\n\t\t}\n\n\t\t/*use same stream mux*/\n\t\tif (!gf_bs_read_int(bs, 1)) {\n\t\t\tBool amux_version, amux_versionA;\n\n\t\t\tamux_version = (Bool)gf_bs_read_int(bs, 1);\n\t\t\tamux_versionA = GF_FALSE;\n\t\t\tif (amux_version) amux_versionA = (Bool)gf_bs_read_int(bs, 1);\n\t\t\tif (!amux_versionA) {\n\t\t\t\tu32 i, allStreamsSameTimeFraming, numProgram;\n\t\t\t\tif (amux_version) gf_latm_get_value(bs);\n\n\t\t\t\tallStreamsSameTimeFraming = gf_bs_read_int(bs, 1);\n\t\t\t\t/*numSubFrames = 
*/gf_bs_read_int(bs, 6);\n\t\t\t\tnumProgram = gf_bs_read_int(bs, 4);\n\t\t\t\tfor (i=0; i<=numProgram; i++) {\n\t\t\t\t\tu32 j, num_lay;\n\t\t\t\t\tnum_lay = gf_bs_read_int(bs, 3);\n\t\t\t\t\tfor (j=0; j<=num_lay; j++) {\n\t\t\t\t\t\tu32 frameLengthType;\n\t\t\t\t\t\tBool same_cfg = GF_FALSE;\n\t\t\t\t\t\tif (i || j) same_cfg = (Bool)gf_bs_read_int(bs, 1);\n\n\t\t\t\t\t\tif (!same_cfg) {\n\t\t\t\t\t\t\tif (amux_version==1) gf_latm_get_value(bs);\n\t\t\t\t\t\t\tgf_m4a_parse_config(bs, acfg, GF_FALSE);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tframeLengthType = gf_bs_read_int(bs, 3);\n\t\t\t\t\t\tif (!frameLengthType) {\n\t\t\t\t\t\t\t/*latmBufferFullness = */gf_bs_read_int(bs, 8);\n\t\t\t\t\t\t\tif (!allStreamsSameTimeFraming) {\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t/*not supported*/\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t\t/*other data present*/\n\t\t\t\tif (gf_bs_read_int(bs, 1)) {\n//\t\t\t\t\tu32 k = 0;\n\t\t\t\t}\n\t\t\t\t/*CRCcheck present*/\n\t\t\t\tif (gf_bs_read_int(bs, 1)) {\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tsize = 0;\n\t\twhile (1) {\n\t\t\tu32 tmp = gf_bs_read_int(bs, 8);\n\t\t\tsize += tmp;\n\t\t\tif (tmp!=255) break;\n\t\t}\n\t\tif (gf_bs_available(bs) < size) {\n\t\t\tgf_bs_seek(bs, pos-3);\n\t\t\treturn GF_FALSE;\n\t\t}\n\n\t\tif (nb_bytes) {\n\t\t\t*nb_bytes = (u32) size;\n\t\t}\n\n\t\tif (buffer) {\n\t\t\tgf_bs_read_data(bs, (char *) buffer, size);\n\t\t} else {\n\t\t\twhile (size) {\n\t\t\t\tgf_bs_read_int(bs, 8);\n\t\t\t\tsize--;\n\t\t\t}\n\t\t}\n\n\t\t/*parse amux*/\n\t\tgf_bs_seek(bs, pos + mux_size);\n\n\t\tif ((gf_bs_available(bs)>2) && gf_bs_peek_bits(bs, 11, 0) != 0x2B7) {\n\t\t\tgf_bs_seek(bs, pos + 1);\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\n\t\treturn GF_TRUE;\n\t}\n\treturn GF_FALSE;\n}", "project": "gpac", "hash": 156960673027032244624743319408540723268, "size": 110, "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca", "message": "fixed #1728", "target": 0, "dataset": "other", "idx": 271470 } 
] }, { "call_depth": 4, "longest_call_chain": [ "process_update", "verify_signature", "get_esl_cert", "get_esl_signature_list" ], "group_size": 15, "functions": [ { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int check_timestamp(const char *key, const struct efi_time *timestamp,\n\t\t char *last_timestamp)\n{\n\tstruct efi_time *prev;\n\tuint64_t new;\n\tuint64_t last;\n\n\tprev = get_last_timestamp(key, last_timestamp);\n\tif (prev == NULL)\n\t\treturn OPAL_INTERNAL_ERROR;\n\n\tprlog(PR_DEBUG, \"timestamp year is %d month %d day %d\\n\",\n\t\t\tle16_to_cpu(timestamp->year), timestamp->month,\n\t\t\ttimestamp->day);\n\tprlog(PR_DEBUG, \"prev year is %d month %d day %d\\n\",\n\t\t\tle16_to_cpu(prev->year), prev->month, prev->day);\n\n\tnew = unpack_timestamp(timestamp);\n\tlast = unpack_timestamp(prev);\n\n\tif (new > last)\n\t\treturn OPAL_SUCCESS;\n\n\treturn OPAL_PERMISSION;\n}", "idx": 521655, "cwe": "CWE-681", "hash": 71734921946669776012689805880040557221, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int verify_signature(const struct efi_variable_authentication_2 *auth,\n\t\t\t const char *newcert, const size_t new_data_size,\n\t\t\t const struct secvar *avar)\n{\n\tmbedtls_pkcs7 *pkcs7 = NULL;\n\tmbedtls_x509_crt x509;\n\tchar *signing_cert = NULL;\n\tchar *x509_buf = NULL;\n\tint signing_cert_size;\n\tint rc = 0;\n\tchar *errbuf;\n\tint eslvarsize;\n\tint eslsize;\n\tint offset = 0;\n\n\tif (!auth)\n\t\treturn OPAL_PARAMETER;\n\n\t/* Extract the pkcs7 from the auth structure */\n\tpkcs7 = get_pkcs7(auth);\n\t/* Failure to parse pkcs7 implies bad input. 
*/\n\tif (!pkcs7)\n\t\treturn OPAL_PARAMETER;\n\n\tprlog(PR_INFO, \"Load the signing certificate from the keystore\");\n\n\teslvarsize = avar->data_size;\n\n\t/* Variable is not empty */\n\twhile (eslvarsize > 0) {\n\t\tprlog(PR_DEBUG, \"esl var size size is %d offset is %d\\n\", eslvarsize, offset);\n\t\tif (eslvarsize < sizeof(EFI_SIGNATURE_LIST))\n\t\t\tbreak;\n\n\t\t/* Calculate the size of the ESL */\n\t\teslsize = get_esl_signature_list_size(avar->data + offset,\n\t\t\t\t\t\t eslvarsize);\n\t\t/* If could not extract the size */\n\t\tif (eslsize <= 0) {\n\t\t\trc = OPAL_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Extract the certificate from the ESL */\n\t\tsigning_cert_size = get_esl_cert(avar->data + offset,\n\t\t\t\t\t\t eslvarsize, &signing_cert);\n\t\tif (signing_cert_size < 0) {\n\t\t\trc = signing_cert_size;\n\t\t\tbreak;\n\t\t}\n\n\t\tmbedtls_x509_crt_init(&x509);\n\t\trc = mbedtls_x509_crt_parse(&x509,\n\t\t\t\t\t signing_cert,\n\t\t\t\t\t signing_cert_size);\n\n\t\t/* This should not happen, unless something corrupted in PNOR */\n\t\tif(rc) {\n\t\t\tprlog(PR_ERR, \"X509 certificate parsing failed %04x\\n\", rc);\n\t\t\trc = OPAL_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tx509_buf = zalloc(CERT_BUFFER_SIZE);\n\t\trc = mbedtls_x509_crt_info(x509_buf,\n\t\t\t\t\t CERT_BUFFER_SIZE,\n\t\t\t\t\t \"CRT:\",\n\t\t\t\t\t &x509);\n\n\t\t/* This should not happen, unless something corrupted in PNOR */\n\t\tif (rc < 0) {\n\t\t\tfree(x509_buf);\n\t\t\trc = OPAL_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tprlog(PR_INFO, \"%s \\n\", x509_buf);\n\t\tfree(x509_buf);\n\t\tx509_buf = NULL;\n\n\t\trc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, newcert, new_data_size);\n\n\t\t/* If you find a signing certificate, you are done */\n\t\tif (rc == 0) {\n\t\t\tprlog(PR_INFO, \"Signature Verification passed\\n\");\n\t\t\tmbedtls_x509_crt_free(&x509);\n\t\t\tbreak;\n\t\t} else {\n\t\t\terrbuf = zalloc(MBEDTLS_ERR_BUFFER_SIZE);\n\t\t\tmbedtls_strerror(rc, errbuf, 
MBEDTLS_ERR_BUFFER_SIZE);\n\t\t\tprlog(PR_ERR, \"Signature Verification failed %02x %s\\n\",\n\t\t\t\t\trc, errbuf);\n\t\t\tfree(errbuf);\n\t\t\trc = OPAL_PERMISSION;\n\t\t}\n\n\n\t\t/* Look for the next ESL */\n\t\toffset = offset + eslsize;\n\t\teslvarsize = eslvarsize - eslsize;\n\t\tmbedtls_x509_crt_free(&x509);\n\t\tfree(signing_cert);\n\t\t/* Since we are going to allocate again in the next iteration */\n\t\tsigning_cert = NULL;\n\n\t}\n\n\tfree(signing_cert);\n\tmbedtls_pkcs7_free(pkcs7);\n\tfree(pkcs7);\n\n\treturn rc;\n}", "idx": 521654, "cwe": "CWE-681", "hash": 169175420840573290317758226120475277153, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int process_update(const struct secvar *update, char **newesl,\n\t\t int *new_data_size, struct efi_time *timestamp,\n\t\t struct list_head *bank, char *last_timestamp)\n{\n\tstruct efi_variable_authentication_2 *auth = NULL;\n\tvoid *auth_buffer = NULL;\n\tint auth_buffer_size = 0;\n\tconst char *key_authority[3];\n\tchar *tbhbuffer = NULL;\n\tsize_t tbhbuffersize = 0;\n\tstruct secvar *avar = NULL;\n\tint rc = 0;\n\tint i;\n\n\t/* We need to split data into authentication descriptor and new ESL */\n\tauth_buffer_size = get_auth_descriptor2(update->data,\n\t\t\t\t\t\tupdate->data_size,\n\t\t\t\t\t\t&auth_buffer);\n\tif ((auth_buffer_size < 0)\n\t || (update->data_size < auth_buffer_size)) {\n\t\tprlog(PR_ERR, \"Invalid auth buffer size\\n\");\n\t\trc = auth_buffer_size;\n\t\tgoto out;\n\t}\n\n\tauth = auth_buffer;\n\n\tif (!timestamp) {\n\t\trc = OPAL_INTERNAL_ERROR;\n\t\tgoto out;\n\t}\n\n\tmemcpy(timestamp, auth_buffer, sizeof(struct efi_time));\n\n\trc = check_timestamp(update->key, timestamp, last_timestamp);\n\t/* Failure implies probably an older command being resubmitted */\n\tif (rc != OPAL_SUCCESS) {\n\t\tprlog(PR_ERR, \"Timestamp verification failed for key %s\\n\", update->key);\n\t\tgoto out;\n\t}\n\n\t/* Calculate the 
size of new ESL data */\n\t*new_data_size = update->data_size - auth_buffer_size;\n\tif (*new_data_size < 0) {\n\t\tprlog(PR_ERR, \"Invalid new ESL (new data content) size\\n\");\n\t\trc = OPAL_PARAMETER;\n\t\tgoto out;\n\t}\n\t*newesl = zalloc(*new_data_size);\n\tif (!(*newesl)) {\n\t\trc = OPAL_NO_MEM;\n\t\tgoto out;\n\t}\n\tmemcpy(*newesl, update->data + auth_buffer_size, *new_data_size);\n\n\t/* Validate the new ESL is in right format */\n\trc = validate_esl_list(update->key, *newesl, *new_data_size);\n\tif (rc < 0) {\n\t\tprlog(PR_ERR, \"ESL validation failed for key %s with error %04x\\n\",\n\t\t update->key, rc);\n\t\tgoto out;\n\t}\n\n\tif (setup_mode) {\n\t\trc = OPAL_SUCCESS;\n\t\tgoto out;\n\t}\n\n\t/* Prepare the data to be verified */\n\ttbhbuffer = get_hash_to_verify(update->key, *newesl, *new_data_size,\n\t\t\t\ttimestamp);\n\tif (!tbhbuffer) {\n\t\trc = OPAL_INTERNAL_ERROR;\n\t\tgoto out;\n\t}\n\n\t/* Get the authority to verify the signature */\n\tget_key_authority(key_authority, update->key);\n\n\t/*\n\t * Try for all the authorities that are allowed to sign.\n\t * For eg. 
db/dbx can be signed by both PK or KEK\n\t */\n\tfor (i = 0; key_authority[i] != NULL; i++) {\n\t\tprlog(PR_DEBUG, \"key is %s\\n\", update->key);\n\t\tprlog(PR_DEBUG, \"key authority is %s\\n\", key_authority[i]);\n\t\tavar = find_secvar(key_authority[i],\n\t\t\t\t strlen(key_authority[i]) + 1,\n\t\t\t\t bank);\n\t\tif (!avar || !avar->data_size)\n\t\t\tcontinue;\n\n\t\t/* Verify the signature */\n\t\trc = verify_signature(auth, tbhbuffer, tbhbuffersize,\n\t\t\t\t avar);\n\n\t\t/* Break if signature verification is successful */\n\t\tif (rc == OPAL_SUCCESS) {\n\t\t\tprlog(PR_INFO, \"Key %s successfully verified by authority %s\\n\", update->key, key_authority[i]);\n\t\t\tbreak;\n\t\t}\n\t}\n\nout:\n\tfree(auth_buffer);\n\tfree(tbhbuffer);\n\n\treturn rc;\n}", "idx": 521660, "cwe": "CWE-681", "hash": 178401092850407839532373766829369702237, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 1, "func": "static uint64_t unpack_timestamp(const struct efi_time *timestamp)\n{\n\tuint64_t val = 0;\n\tuint16_t year = le32_to_cpu(timestamp->year);\n\n\t/* pad1, nanosecond, timezone, daylight and pad2 are meant to be zero */\n\tval |= ((uint64_t) timestamp->pad1 & 0xFF) << 0;\n\tval |= ((uint64_t) timestamp->second & 0xFF) << (1*8);\n\tval |= ((uint64_t) timestamp->minute & 0xFF) << (2*8);\n\tval |= ((uint64_t) timestamp->hour & 0xFF) << (3*8);\n\tval |= ((uint64_t) timestamp->day & 0xFF) << (4*8);\n\tval |= ((uint64_t) timestamp->month & 0xFF) << (5*8);\n\tval |= ((uint64_t) year) << (6*8);\n\n\treturn val;\n}", "idx": 217514, "cwe": "CWE-681", "hash": 261903108962534180969470598132431142070, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static uint64_t unpack_timestamp(const struct efi_time *timestamp)\n{\n\tuint64_t val = 0;\n\tuint16_t year = le16_to_cpu(timestamp->year);\n\n\t/* pad1, nanosecond, timezone, daylight and pad2 are 
meant to be zero */\n\tval |= ((uint64_t) timestamp->pad1 & 0xFF) << 0;\n\tval |= ((uint64_t) timestamp->second & 0xFF) << (1*8);\n\tval |= ((uint64_t) timestamp->minute & 0xFF) << (2*8);\n\tval |= ((uint64_t) timestamp->hour & 0xFF) << (3*8);\n\tval |= ((uint64_t) timestamp->day & 0xFF) << (4*8);\n\tval |= ((uint64_t) timestamp->month & 0xFF) << (5*8);\n\tval |= ((uint64_t) year) << (6*8);\n\n\treturn val;\n}", "idx": 521649, "cwe": "CWE-681", "hash": 337463125729458282018478225518421551092, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth)\n{\n\tuint32_t dw_length;\n\tsize_t size;\n\n\tassert(auth != NULL);\n\n\tdw_length = le32_to_cpu(auth->auth_info.hdr.dw_length);\n\tsize = dw_length - (sizeof(auth->auth_info.hdr.dw_length)\n\t\t\t+ sizeof(auth->auth_info.hdr.w_revision)\n\t\t\t+ sizeof(auth->auth_info.hdr.w_certificate_type)\n\t\t\t+ sizeof(auth->auth_info.cert_type));\n\n\treturn size;\n}", "idx": 521659, "cwe": "CWE-681", "hash": 250773754624625586965202166265104085065, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffer)\n{\n\tconst struct efi_variable_authentication_2 *auth = buf;\n\tint auth_buffer_size;\n\tsize_t len;\n\n\tassert(auth_buffer != NULL);\n\tif (buflen < sizeof(struct efi_variable_authentication_2)\n\t || !buf)\n\t\t\treturn OPAL_PARAMETER;\n\n\tlen = get_pkcs7_len(auth);\n\t/* pkcs7 content length cannot be greater than buflen */ \n\tif (len > buflen)\n\t\treturn OPAL_PARAMETER;\n\n\tauth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr)\n\t\t\t + sizeof(auth->auth_info.cert_type) + len;\n\n\t*auth_buffer = zalloc(auth_buffer_size);\n\tif (!(*auth_buffer))\n\t\treturn OPAL_NO_MEM;\n\n\t/*\n\t * Data = auth descriptor + 
new ESL data.\n\t * Extracts only the auth descriptor from data.\n\t */\n\tmemcpy(*auth_buffer, buf, auth_buffer_size);\n\n\treturn auth_buffer_size;\n}", "idx": 521656, "cwe": "CWE-681", "hash": 305644016089787436408464435206138914640, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static bool validate_hash(uuid_t type, int size)\n{\n if (uuid_equals(&type, &EFI_CERT_SHA1_GUID) && (size == 20))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA224_GUID) && (size == 28))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA256_GUID) && (size == 32))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA384_GUID) && (size == 48))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA512_GUID) && (size == 64))\n return true;\n\n return false;\n}", "idx": 521657, "cwe": "CWE-681", "hash": 178128338452607838604171323429136382734, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static mbedtls_pkcs7* get_pkcs7(const struct efi_variable_authentication_2 *auth)\n{\n\tchar *checkpkcs7cert = NULL;\n\tsize_t len;\n\tmbedtls_pkcs7 *pkcs7 = NULL;\n\tint rc;\n\n\tlen = get_pkcs7_len(auth);\n\n\tpkcs7 = malloc(sizeof(struct mbedtls_pkcs7));\n\tif (!pkcs7)\n\t\treturn NULL;\n\n\tmbedtls_pkcs7_init(pkcs7);\n\trc = mbedtls_pkcs7_parse_der( auth->auth_info.cert_data, len, pkcs7);\n\tif (rc <= 0) {\n\t\tprlog(PR_ERR, \"Parsing pkcs7 failed %04x\\n\", rc);\n\t\tgoto out;\n\t}\n\n\tcheckpkcs7cert = zalloc(CERT_BUFFER_SIZE);\n\tif (!checkpkcs7cert)\n\t\tgoto out;\n\n\trc = mbedtls_x509_crt_info(checkpkcs7cert, CERT_BUFFER_SIZE, \"CRT:\",\n\t\t\t\t &(pkcs7->signed_data.certs));\n\tif (rc < 0) {\n\t\tprlog(PR_ERR, \"Failed to parse the certificate in PKCS7 structure\\n\");\n\t\tfree(checkpkcs7cert);\n\t\tgoto out;\n\t}\n\n\tprlog(PR_DEBUG, \"%s \\n\", checkpkcs7cert);\n\tfree(checkpkcs7cert);\n\treturn 
pkcs7;\n\nout:\n\tmbedtls_pkcs7_free(pkcs7);\n\tpkcs7 = NULL;\n\treturn pkcs7;\n}", "idx": 521644, "cwe": "CWE-681", "hash": 285422590631529911090789466166025019210, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static void get_key_authority(const char *ret[3], const char *key)\n{\n\tint i = 0;\n\n\tif (key_equals(key, \"PK\")) {\n\t\tret[i++] = \"PK\";\n\t} else if (key_equals(key, \"KEK\")) {\n\t\tret[i++] = \"PK\";\n\t} else if (key_equals(key, \"db\") || key_equals(key, \"dbx\")) {\n\t\tret[i++] = \"KEK\";\n\t\tret[i++] = \"PK\";\n\t}\n\n\tret[i] = NULL;\n}", "idx": 521642, "cwe": "CWE-681", "hash": 297738273191075284106162991641740642673, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int32_t get_esl_signature_list_size(const char *buf, const size_t buflen)\n{\n\tEFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen);\n\n\tif (!list)\n\t\treturn OPAL_PARAMETER;\n\n\treturn le32_to_cpu(list->SignatureListSize);\n}", "idx": 521643, "cwe": "CWE-681", "hash": 78060638800999667578112940727001384482, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static EFI_SIGNATURE_LIST* get_esl_signature_list(const char *buf, size_t buflen)\n{\n\tEFI_SIGNATURE_LIST *list = NULL;\n\n\tif (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf)\n\t\treturn NULL;\n\n\tlist = (EFI_SIGNATURE_LIST *)buf;\n\n\treturn list;\n}", "idx": 521652, "cwe": "CWE-681", "hash": 120387305635648549803864652788577802214, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static int get_esl_cert(const char *buf, const size_t buflen, char **cert)\n{\n\tsize_t sig_data_offset;\n\tsize_t size;\n\tEFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen);\n\n\tif (!list)\n\t\treturn 
OPAL_PARAMETER;\n\n\tassert(cert != NULL);\n\n\tsize = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t);\n\n\tprlog(PR_DEBUG,\"size of signature list size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureListSize));\n\tprlog(PR_DEBUG, \"size of signature header size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureHeaderSize));\n\tprlog(PR_DEBUG, \"size of signature size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureSize));\n\n\tsig_data_offset = sizeof(EFI_SIGNATURE_LIST)\n\t\t\t + le32_to_cpu(list->SignatureHeaderSize)\n\t\t\t + 16 * sizeof(uint8_t);\n\tif (sig_data_offset > buflen)\n\t\treturn OPAL_PARAMETER;\n\n\t*cert = zalloc(size);\n\tif (!(*cert))\n\t\treturn OPAL_NO_MEM;\n\n\t/* Since buf can have more than one ESL, copy only the size calculated\n\t * to return single ESL */\n\tmemcpy(*cert, buf + sig_data_offset, size);\n\n\treturn size;\n}", "idx": 521650, "cwe": "CWE-681", "hash": 76056064316561882808219871420473489575, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "static bool validate_cert(char *signing_cert, int signing_cert_size)\n{\n\tmbedtls_x509_crt x509;\n\tchar *x509_buf = NULL;\n\tint rc;\n\n\tmbedtls_x509_crt_init(&x509);\n\trc = mbedtls_x509_crt_parse(&x509, signing_cert, signing_cert_size);\n\n\t/* If failure in parsing the certificate, exit */\n\tif(rc) {\n\t\tprlog(PR_ERR, \"X509 certificate parsing failed %04x\\n\", rc);\n\t\treturn false;\n\t}\n\n\tx509_buf = zalloc(CERT_BUFFER_SIZE);\n\trc = mbedtls_x509_crt_info(x509_buf, CERT_BUFFER_SIZE, \"CRT:\", &x509);\n\n\tmbedtls_x509_crt_free(&x509);\n\tfree(x509_buf);\n\tx509_buf = NULL;\n\n\t/* If failure in reading the certificate, exit */\n\tif (rc < 0)\n\t\treturn false;\n\n\treturn true;\n}", "idx": 521646, "cwe": "CWE-681", "hash": 89322362298830297891556293893589653635, "dataset": "other" }, { "project": "skiboot", "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7", "target": 0, "func": "int 
validate_esl_list(const char *key, const char *esl, const size_t size)\n{\n\tint count = 0;\n\tint dsize;\n\tchar *data = NULL;\n\tint eslvarsize = size;\n\tint eslsize;\n\tint rc = OPAL_SUCCESS;\n\tint offset = 0;\n\tEFI_SIGNATURE_LIST *list = NULL;\n\n\twhile (eslvarsize > 0) {\n\t\tprlog(PR_DEBUG, \"esl var size size is %d offset is %d\\n\", eslvarsize, offset);\n\t\tif (eslvarsize < sizeof(EFI_SIGNATURE_LIST))\n\t\t\tbreak;\n\n\t\t/* Check Supported ESL Type */\n\t\tlist = get_esl_signature_list(esl, eslvarsize);\n\n\t\tif (!list)\n\t\t\treturn OPAL_PARAMETER;\n\n\t\t/* Calculate the size of the ESL */\n\t\teslsize = le32_to_cpu(list->SignatureListSize);\n\n\t\t/* If could not extract the size */\n\t\tif (eslsize <= 0) {\n\t\t\tprlog(PR_ERR, \"Invalid size of the ESL: %u\\n\",\n\t\t\t\t\tle32_to_cpu(list->SignatureListSize));\n\t\t\trc = OPAL_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Extract the certificate from the ESL */\n\t\tdsize = get_esl_cert(esl, eslvarsize, &data);\n\t\tif (dsize < 0) {\n\t\t\trc = dsize;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (key_equals(key, \"dbx\")) {\n\t\t\tif (!validate_hash(list->SignatureType, dsize)) {\n\t\t\t\tprlog(PR_ERR, \"No valid hash is found\\n\");\n\t\t\t\trc = OPAL_PARAMETER;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} else {\n\t\t if (!uuid_equals(&list->SignatureType, &EFI_CERT_X509_GUID)\n\t\t\t || !validate_cert(data, dsize)) {\n\t\t\t\tprlog(PR_ERR, \"No valid cert is found\\n\");\n\t\t\t\trc = OPAL_PARAMETER;\n\t\t\t\tbreak;\n\t\t }\n\t\t}\n\n\t\tcount++;\n\n\t\t/* Look for the next ESL */\n\t\toffset = offset + eslsize;\n\t\teslvarsize = eslvarsize - eslsize;\n\t\tfree(data);\n\t\t/* Since we are going to allocate again in the next iteration */\n\t\tdata = NULL;\n\t}\n\n\tif (rc == OPAL_SUCCESS) {\n\t\tif (key_equals(key, \"PK\") && (count > 1)) {\n\t\t\tprlog(PR_ERR, \"PK can only be one\\n\");\n\t\t\trc = OPAL_PARAMETER;\n\t\t} else {\n\t\t\trc = count;\n\t\t}\n\t}\n\n\tfree(data);\n\n\tprlog(PR_INFO, \"Total ESLs are %d\\n\", 
rc);\n\treturn rc;\n}", "idx": 521648, "cwe": "CWE-681", "hash": 135687032396769714616764529094035254125, "dataset": "other" } ] }, { "call_depth": 4, "longest_call_chain": [ "xdp_umem_release_deferred", "xdp_umem_release", "xdp_umem_clear_dev", "xdp_clear_umem_at_qid" ], "group_size": 14, "functions": [ { "func": "static int xdp_umem_account_pages(struct xdp_umem *umem)\n{\n\tunsigned long lock_limit, new_npgs, old_npgs;\n\n\tif (capable(CAP_IPC_LOCK))\n\t\treturn 0;\n\n\tlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;\n\tumem->user = get_uid(current_user());\n\n\tdo {\n\t\told_npgs = atomic_long_read(&umem->user->locked_vm);\n\t\tnew_npgs = old_npgs + umem->npgs;\n\t\tif (new_npgs > lock_limit) {\n\t\t\tfree_uid(umem->user);\n\t\t\tumem->user = NULL;\n\t\t\treturn -ENOBUFS;\n\t\t}\n\t} while (atomic_long_cmpxchg(&umem->user->locked_vm, old_npgs,\n\t\t\t\t new_npgs) != old_npgs);\n\treturn 0;\n}", "project": "linux", "hash": 268538672441488282436843170881902415474, "size": 22, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364111 }, { "func": "static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)\n{\n\tbool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG;\n\tu32 chunk_size = mr->chunk_size, headroom = mr->headroom;\n\tunsigned int chunks, chunks_per_page;\n\tu64 addr = mr->addr, size = mr->len;\n\tint size_chk, err;\n\n\tif (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {\n\t\t/* Strictly speaking we could support this, if:\n\t\t * - huge pages, or*\n\t\t * - using an IOMMU, or\n\t\t * - making sure the memory area is consecutive\n\t\t * but for now, we simply say \"computer says no\".\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\tif (mr->flags & ~(XDP_UMEM_UNALIGNED_CHUNK_FLAG |\n\t\t\tXDP_UMEM_USES_NEED_WAKEUP))\n\t\treturn -EINVAL;\n\n\tif (!unaligned_chunks && !is_power_of_2(chunk_size))\n\t\treturn -EINVAL;\n\n\tif (!PAGE_ALIGNED(addr)) {\n\t\t/* Memory area has to be page size aligned. 
For\n\t\t * simplicity, this might change.\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\tif ((addr + size) < addr)\n\t\treturn -EINVAL;\n\n\tchunks = (unsigned int)div_u64(size, chunk_size);\n\tif (chunks == 0)\n\t\treturn -EINVAL;\n\n\tif (!unaligned_chunks) {\n\t\tchunks_per_page = PAGE_SIZE / chunk_size;\n\t\tif (chunks < chunks_per_page || chunks % chunks_per_page)\n\t\t\treturn -EINVAL;\n\t}\n\n\tsize_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;\n\tif (size_chk < 0)\n\t\treturn -EINVAL;\n\n\tumem->address = (unsigned long)addr;\n\tumem->chunk_mask = unaligned_chunks ? XSK_UNALIGNED_BUF_ADDR_MASK\n\t\t\t\t\t : ~((u64)chunk_size - 1);\n\tumem->size = size;\n\tumem->headroom = headroom;\n\tumem->chunk_size_nohr = chunk_size - headroom;\n\tumem->npgs = size / PAGE_SIZE;\n\tumem->pgs = NULL;\n\tumem->user = NULL;\n\tumem->flags = mr->flags;\n\tINIT_LIST_HEAD(&umem->xsk_list);\n\tspin_lock_init(&umem->xsk_list_lock);\n\n\trefcount_set(&umem->users, 1);\n\n\terr = xdp_umem_account_pages(umem);\n\tif (err)\n\t\treturn err;\n\n\terr = xdp_umem_pin_pages(umem);\n\tif (err)\n\t\tgoto out_account;\n\n\tumem->pages = kvcalloc(umem->npgs, sizeof(*umem->pages),\n\t\t\t GFP_KERNEL_ACCOUNT);\n\tif (!umem->pages) {\n\t\terr = -ENOMEM;\n\t\tgoto out_pin;\n\t}\n\n\terr = xdp_umem_map_pages(umem);\n\tif (!err)\n\t\treturn 0;\n\n\tkvfree(umem->pages);\n\nout_pin:\n\txdp_umem_unpin_pages(umem);\nout_account:\n\txdp_umem_unaccount_pages(umem);\n\treturn err;\n}", "project": "linux", "hash": 269028637877237764370672455302491205384, "size": 91, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 1, "dataset": "other", "idx": 204723 }, { "func": "static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)\n{\n\tbool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG;\n\tu32 chunk_size = mr->chunk_size, headroom = mr->headroom;\n\tunsigned int chunks, chunks_per_page;\n\tu64 addr = mr->addr, size = mr->len;\n\tint err;\n\n\tif (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {\n\t\t/* Strictly speaking we could support this, if:\n\t\t * - huge pages, or*\n\t\t * - using an IOMMU, or\n\t\t * - making sure the memory area is consecutive\n\t\t * but for now, we simply say \"computer says no\".\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\tif (mr->flags & ~(XDP_UMEM_UNALIGNED_CHUNK_FLAG |\n\t\t\tXDP_UMEM_USES_NEED_WAKEUP))\n\t\treturn -EINVAL;\n\n\tif (!unaligned_chunks && !is_power_of_2(chunk_size))\n\t\treturn -EINVAL;\n\n\tif (!PAGE_ALIGNED(addr)) {\n\t\t/* Memory area has to be page size aligned. For\n\t\t * simplicity, this might change.\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\tif ((addr + size) < addr)\n\t\treturn -EINVAL;\n\n\tchunks = (unsigned int)div_u64(size, chunk_size);\n\tif (chunks == 0)\n\t\treturn -EINVAL;\n\n\tif (!unaligned_chunks) {\n\t\tchunks_per_page = PAGE_SIZE / chunk_size;\n\t\tif (chunks < chunks_per_page || chunks % chunks_per_page)\n\t\t\treturn -EINVAL;\n\t}\n\n\tif (headroom >= chunk_size - XDP_PACKET_HEADROOM)\n\t\treturn -EINVAL;\n\n\tumem->address = (unsigned long)addr;\n\tumem->chunk_mask = unaligned_chunks ? 
XSK_UNALIGNED_BUF_ADDR_MASK\n\t\t\t\t\t : ~((u64)chunk_size - 1);\n\tumem->size = size;\n\tumem->headroom = headroom;\n\tumem->chunk_size_nohr = chunk_size - headroom;\n\tumem->npgs = size / PAGE_SIZE;\n\tumem->pgs = NULL;\n\tumem->user = NULL;\n\tumem->flags = mr->flags;\n\tINIT_LIST_HEAD(&umem->xsk_list);\n\tspin_lock_init(&umem->xsk_list_lock);\n\n\trefcount_set(&umem->users, 1);\n\n\terr = xdp_umem_account_pages(umem);\n\tif (err)\n\t\treturn err;\n\n\terr = xdp_umem_pin_pages(umem);\n\tif (err)\n\t\tgoto out_account;\n\n\tumem->pages = kvcalloc(umem->npgs, sizeof(*umem->pages),\n\t\t\t GFP_KERNEL_ACCOUNT);\n\tif (!umem->pages) {\n\t\terr = -ENOMEM;\n\t\tgoto out_pin;\n\t}\n\n\terr = xdp_umem_map_pages(umem);\n\tif (!err)\n\t\treturn 0;\n\n\tkvfree(umem->pages);\n\nout_pin:\n\txdp_umem_unpin_pages(umem);\nout_account:\n\txdp_umem_unaccount_pages(umem);\n\treturn err;\n}", "project": "linux", "hash": 42054657955985470671897377670619516821, "size": 90, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364107 }, { "func": "static void xdp_umem_release(struct xdp_umem *umem)\n{\n\trtnl_lock();\n\txdp_umem_clear_dev(umem);\n\trtnl_unlock();\n\n\tida_simple_remove(&umem_ida, umem->id);\n\n\tif (umem->fq) {\n\t\txskq_destroy(umem->fq);\n\t\tumem->fq = NULL;\n\t}\n\n\tif (umem->cq) {\n\t\txskq_destroy(umem->cq);\n\t\tumem->cq = NULL;\n\t}\n\n\txsk_reuseq_destroy(umem);\n\n\txdp_umem_unmap_pages(umem);\n\txdp_umem_unpin_pages(umem);\n\n\tkvfree(umem->pages);\n\tumem->pages = NULL;\n\n\txdp_umem_unaccount_pages(umem);\n\tkfree(umem);\n}", "project": "linux", "hash": 217396931244922685619923757724925916399, "size": 29, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364104 }, { "func": "static void xdp_umem_unaccount_pages(struct xdp_umem *umem)\n{\n\tif (umem->user) {\n\t\tatomic_long_sub(umem->npgs, &umem->user->locked_vm);\n\t\tfree_uid(umem->user);\n\t}\n}", "project": "linux", "hash": 247610559453453652885989910169467502202, "size": 7, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364102 }, { "func": "int xdp_umem_assign_dev(struct xdp_umem *umem, struct net_device *dev,\n\t\t\tu16 queue_id, u16 flags)\n{\n\tbool force_zc, force_copy;\n\tstruct netdev_bpf bpf;\n\tint err = 0;\n\n\tASSERT_RTNL();\n\n\tforce_zc = flags & XDP_ZEROCOPY;\n\tforce_copy = flags & XDP_COPY;\n\n\tif (force_zc && force_copy)\n\t\treturn -EINVAL;\n\n\tif (xdp_get_umem_from_qid(dev, queue_id))\n\t\treturn -EBUSY;\n\n\terr = xdp_reg_umem_at_qid(dev, umem, queue_id);\n\tif (err)\n\t\treturn err;\n\n\tumem->dev = dev;\n\tumem->queue_id = queue_id;\n\n\tif (flags & XDP_USE_NEED_WAKEUP) {\n\t\tumem->flags |= XDP_UMEM_USES_NEED_WAKEUP;\n\t\t/* Tx needs to be explicitly woken up the first time.\n\t\t * Also for supporting drivers that do not implement this\n\t\t * feature. They will always have to call sendto().\n\t\t */\n\t\txsk_set_tx_need_wakeup(umem);\n\t}\n\n\tdev_hold(dev);\n\n\tif (force_copy)\n\t\t/* For copy-mode, we are done. 
*/\n\t\treturn 0;\n\n\tif (!dev->netdev_ops->ndo_bpf || !dev->netdev_ops->ndo_xsk_wakeup) {\n\t\terr = -EOPNOTSUPP;\n\t\tgoto err_unreg_umem;\n\t}\n\n\tbpf.command = XDP_SETUP_XSK_UMEM;\n\tbpf.xsk.umem = umem;\n\tbpf.xsk.queue_id = queue_id;\n\n\terr = dev->netdev_ops->ndo_bpf(dev, &bpf);\n\tif (err)\n\t\tgoto err_unreg_umem;\n\n\tumem->zc = true;\n\treturn 0;\n\nerr_unreg_umem:\n\tif (!force_zc)\n\t\terr = 0; /* fallback to copy mode */\n\tif (err)\n\t\txdp_clear_umem_at_qid(dev, queue_id);\n\treturn err;\n}", "project": "linux", "hash": 126635444260904263682819293481218507053, "size": 63, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364110 }, { "func": "static void xdp_umem_unpin_pages(struct xdp_umem *umem)\n{\n\tunpin_user_pages_dirty_lock(umem->pgs, umem->npgs, true);\n\n\tkfree(umem->pgs);\n\tumem->pgs = NULL;\n}", "project": "linux", "hash": 254606291712845223014071918045503359746, "size": 7, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. 
In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364117 }, { "func": "static void xdp_clear_umem_at_qid(struct net_device *dev, u16 queue_id)\n{\n\tif (queue_id < dev->real_num_rx_queues)\n\t\tdev->_rx[queue_id].umem = NULL;\n\tif (queue_id < dev->real_num_tx_queues)\n\t\tdev->_tx[queue_id].umem = NULL;\n}", "project": "linux", "hash": 104632601349284797194213397935015920102, "size": 7, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364103 }, { "func": "static int xdp_umem_map_pages(struct xdp_umem *umem)\n{\n\tunsigned int i;\n\tvoid *addr;\n\n\tfor (i = 0; i < umem->npgs; i++) {\n\t\tif (PageHighMem(umem->pgs[i]))\n\t\t\taddr = vmap(&umem->pgs[i], 1, VM_MAP, PAGE_KERNEL);\n\t\telse\n\t\t\taddr = page_address(umem->pgs[i]);\n\n\t\tif (!addr) {\n\t\t\txdp_umem_unmap_pages(umem);\n\t\t\treturn -ENOMEM;\n\t\t}\n\n\t\tumem->pages[i].addr = addr;\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 50613713072544451655542689635667364971, "size": 21, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364113 }, { "func": "static void xdp_umem_release_deferred(struct work_struct *work)\n{\n\tstruct xdp_umem *umem = container_of(work, struct xdp_umem, work);\n\n\txdp_umem_release(umem);\n}", "project": "linux", "hash": 96177688199214672207149422695399068976, "size": 6, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364114 }, { "func": "static int xdp_reg_umem_at_qid(struct net_device *dev, struct xdp_umem *umem,\n\t\t\t u16 queue_id)\n{\n\tif (queue_id >= max_t(unsigned int,\n\t\t\t dev->real_num_rx_queues,\n\t\t\t dev->real_num_tx_queues))\n\t\treturn -EINVAL;\n\n\tif (queue_id < dev->real_num_rx_queues)\n\t\tdev->_rx[queue_id].umem = umem;\n\tif (queue_id < dev->real_num_tx_queues)\n\t\tdev->_tx[queue_id].umem = umem;\n\n\treturn 0;\n}", "project": "linux", "hash": 234138038399570815048179683194141842007, "size": 15, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364101 }, { "func": "static void xdp_umem_unmap_pages(struct xdp_umem *umem)\n{\n\tunsigned int i;\n\n\tfor (i = 0; i < umem->npgs; i++)\n\t\tif (PageHighMem(umem->pgs[i]))\n\t\t\tvunmap(umem->pages[i].addr);\n}", "project": "linux", "hash": 146591201870171263235681356786529738192, "size": 8, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364116 }, { "func": "void xdp_umem_clear_dev(struct xdp_umem *umem)\n{\n\tstruct netdev_bpf bpf;\n\tint err;\n\n\tASSERT_RTNL();\n\n\tif (!umem->dev)\n\t\treturn;\n\n\tif (umem->zc) {\n\t\tbpf.command = XDP_SETUP_XSK_UMEM;\n\t\tbpf.xsk.umem = NULL;\n\t\tbpf.xsk.queue_id = umem->queue_id;\n\n\t\terr = umem->dev->netdev_ops->ndo_bpf(umem->dev, &bpf);\n\n\t\tif (err)\n\t\t\tWARN(1, \"failed to disable umem!\\n\");\n\t}\n\n\txdp_clear_umem_at_qid(umem->dev, umem->queue_id);\n\n\tdev_put(umem->dev);\n\tumem->dev = NULL;\n\tumem->zc = false;\n}", "project": "linux", "hash": 98411041127965363436279721513388452524, "size": 27, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364099 }, { "func": "static int xdp_umem_pin_pages(struct xdp_umem *umem)\n{\n\tunsigned int gup_flags = FOLL_WRITE;\n\tlong npgs;\n\tint err;\n\n\tumem->pgs = kcalloc(umem->npgs, sizeof(*umem->pgs),\n\t\t\t GFP_KERNEL | __GFP_NOWARN);\n\tif (!umem->pgs)\n\t\treturn -ENOMEM;\n\n\tdown_read(&current->mm->mmap_sem);\n\tnpgs = pin_user_pages(umem->address, umem->npgs,\n\t\t\t gup_flags | FOLL_LONGTERM, &umem->pgs[0], NULL);\n\tup_read(&current->mm->mmap_sem);\n\n\tif (npgs != umem->npgs) {\n\t\tif (npgs >= 0) {\n\t\t\tumem->npgs = npgs;\n\t\t\terr = -ENOMEM;\n\t\t\tgoto out_pin;\n\t\t}\n\t\terr = npgs;\n\t\tgoto out_pgs;\n\t}\n\treturn 0;\n\nout_pin:\n\txdp_umem_unpin_pages(umem);\nout_pgs:\n\tkfree(umem->pgs);\n\tumem->pgs = NULL;\n\treturn err;\n}", "project": "linux", "hash": 313636902645447711638277821491787845349, "size": 34, "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02", "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. 
That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh \nSigned-off-by: Magnus Karlsson \nSigned-off-by: Daniel Borkmann \nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com", "target": 0, "dataset": "other", "idx": 364115 } ] }, { "call_depth": 4, "longest_call_chain": [ "cardos_init", "cardos_add_algs", "SC_FUNC_CALLED", "sc_format_apdu" ], "group_size": 65, "functions": [ { "func": "static int tcos_get_serialnr(sc_card_t *card, sc_serial_number_t *serial)\n{\n\tint r;\n\n\tif (!serial)\n\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\n\t/* see if we have cached serial number */\n\tif (card->serialnr.len) {\n\t\tmemcpy(serial, &card->serialnr, sizeof(*serial));\n\t\treturn SC_SUCCESS;\n\t}\n\n\tcard->serialnr.len = sizeof card->serialnr.value;\n\tr = sc_parse_ef_gdo(card, card->serialnr.value, &card->serialnr.len, NULL, 0);\n\tif (r < 0) {\n\t\tcard->serialnr.len = 0;\n\t\treturn r;\n\t}\n\n\t/* copy and return serial number */\n\tmemcpy(serial, &card->serialnr, sizeof(*serial));\n\n\treturn SC_SUCCESS;\n}", "project": "OpenSC", "hash": 246565780126900044203384817876515447629, "size": 25, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453697 }, { "func": "static int cardos_get_serialnr(sc_card_t *card, sc_serial_number_t *serial)\n{\n\tint r;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x81);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = 256;\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit 
failed\");\n\tif (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)\n\t\treturn SC_ERROR_INTERNAL;\n\tif ((apdu.resplen == 8) && (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3)) {\n\t\t/* cache serial number */\n\t\tmemcpy(card->serialnr.value, rbuf, 8);\n\t\tcard->serialnr.len = 8;\n\t} else if (apdu.resplen == 32) {\n\t\t/* cache serial number */\n\t\tmemcpy(card->serialnr.value, &rbuf[10], 6);\n\t\tcard->serialnr.len = 6;\n\t} else {\n\t\tsc_log(card->ctx, \"unexpected response to GET DATA serial\"\n\t\t\t\t\" number\\n\");\n\t\treturn SC_ERROR_INTERNAL;\n\t}\n\t/* copy and return serial number */\n\tmemcpy(serial, &card->serialnr, sizeof(*serial));\n\treturn SC_SUCCESS;\n}", "project": "OpenSC", "hash": 154421957446064598755895165006922596116, "size": 31, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270679 }, { "func": "static int cardos_create_file(sc_card_t *card, sc_file_t *file)\n{\n\tint r;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\tif (card->type == SC_CARD_TYPE_CARDOS_GENERIC ||\n\t card->type == SC_CARD_TYPE_CARDOS_M4_01) {\n\t\tr = cardos_set_file_attributes(card, file);\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t\treturn iso_ops->create_file(card, file);\n\t} else if (card->type == SC_CARD_TYPE_CARDOS_M4_2 ||\n\t card->type == SC_CARD_TYPE_CARDOS_M4_3 ||\n\t\t card->type == SC_CARD_TYPE_CARDOS_M4_2B ||\n\t card->type == SC_CARD_TYPE_CARDOS_M4_2C ||\n\t\t card->type == SC_CARD_TYPE_CARDOS_M4_4) {\n\t\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\t\tsize_t len = sizeof(sbuf);\n\t\tsc_apdu_t apdu;\n\n\t\tr = cardos_construct_fcp(card, file, sbuf, &len);\n\t\tif (r < 0) {\n\t\t\tsc_log(card->ctx, \"unable to create FCP\");\n\t\t\treturn r;\n\t\t}\n\t\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xE0, 
0x00, 0x00);\n\t\tapdu.lc = len;\n\t\tapdu.datalen = len;\n\t\tapdu.data = sbuf;\n\n\t\tr = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\t\treturn sc_check_sw(card, apdu.sw1, apdu.sw2);\n\t} else\n\t\treturn SC_ERROR_NOT_SUPPORTED;\n}", "project": "OpenSC", "hash": 288258945563116713298860710976484617827, "size": 39, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270696 }, { "func": "static int tcos_create_file(sc_card_t *card, sc_file_t *file)\n{\n\tint r;\n\tsize_t len;\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tsc_apdu_t apdu;\n\n\tlen = SC_MAX_APDU_BUFFER_SIZE;\n\tr = tcos_construct_fci(file, sbuf, &len);\n\tLOG_TEST_RET(card->ctx, r, \"tcos_construct_fci() failed\");\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xE0, 0x00, 0x00);\n\tapdu.cla |= 0x80; /* this is an proprietary extension */\n\tapdu.lc = len;\n\tapdu.datalen = len;\n\tapdu.data = sbuf;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\treturn sc_check_sw(card, apdu.sw1, apdu.sw2);\n}", "project": "OpenSC", "hash": 87076920813955038984168861991618883272, "size": 21, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453692 }, { "func": "static int tcos_compute_signature(sc_card_t *card, const u8 * data, size_t datalen, u8 * out, size_t outlen)\n{\n\tsize_t i, dlen=datalen;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tint tcos3, r;\n\n\tassert(card != NULL && data != NULL && out != NULL);\n\ttcos3=(card->type==SC_CARD_TYPE_TCOS_V3);\n\n\t// We can sign (key length / 8) bytes\n\tif 
(datalen > 256) SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);\n\n\tif(((tcos_data *)card->drv_data)->next_sign) {\n\t\tif(datalen>48) {\n\t\t\tsc_log(card->ctx, \"Data to be signed is too long (TCOS supports max. 48 bytes)\\n\");\n\t\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);\n\t\t}\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A, 0x9E, 0x9A);\n\t\tmemcpy(sbuf, data, datalen);\n\t\tdlen=datalen;\n\t} else {\n\t\tint keylen= tcos3 ? 256 : 128;\n\t\tsc_format_apdu(card, &apdu, keylen>255 ? SC_APDU_CASE_4_EXT : SC_APDU_CASE_4_SHORT, 0x2A,0x80,0x86);\n\t\tfor(i=0; ictx, r, \"APDU transmit failed\");\n\tif (tcos3 && apdu.p1==0x80 && apdu.sw1==0x6A && apdu.sw2==0x87) {\n\t\tint keylen=128;\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A,0x80,0x86);\n\t\tfor(i=0; ictx, r, \"APDU transmit failed\");\n\t}\n\tif (apdu.sw1==0x90 && apdu.sw2==0x00) {\n\t\tsize_t len = apdu.resplen>outlen ? outlen : apdu.resplen;\n\t\tmemcpy(out, apdu.resp, len);\n\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, len);\n\t}\n\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}", "project": "OpenSC", "hash": 296448152350111572857031665246126932505, "size": 61, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453704 }, { "func": "static int tcos_setperm(sc_card_t *card, int enable_nullpin)\n{\n\tint r;\n\tsc_apdu_t apdu;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xEE, 0x00, 0x00);\n\tapdu.cla |= 0x80;\n\tapdu.lc = 0;\n\tapdu.datalen = 0;\n\tapdu.data = NULL;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\treturn sc_check_sw(card, apdu.sw1, apdu.sw2);\n}", "project": "OpenSC", "hash": 
135071921926935975134723629067504187915, "size": 16, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453707 }, { "func": "static int cardos_pass_algo_flags(sc_card_t *card, struct sc_cardctl_cardos_pass_algo_flags * ptr)\n{\n\tcardos_data_t * priv = (cardos_data_t *)card->drv_data;\n\tint r = 0;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tswitch (ptr->pass) {\n\t\tcase 1:\n\t\t\tptr->card_flags = card->flags;\n\t\t\tptr->used_flags = priv->flags;\n\t\t\tptr->ec_flags = priv->ec_flags;\n\t\t\tptr->ext_flags = priv->ext_flags;\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tr = cardos_add_algs(card,ptr->new_flags, ptr->ec_flags, ptr->ext_flags);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsc_log(card->ctx, \"ptr->pass: %ul invalid\", ptr->pass);\n\t\t\tr = SC_ERROR_INTERNAL;\n\t}\n\tLOG_FUNC_RETURN(card->ctx, r);\n}", "project": "OpenSC", "hash": 322754554900044373761081908493363275949, "size": 22, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270678 }, { "func": "static int tcos_set_security_env(sc_card_t *card, const sc_security_env_t *env, int se_num)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE], *p;\n\tint r, default_key, tcos3;\n\ttcos_data *data;\n\n\tassert(card != NULL && env != NULL);\n\tctx = card->ctx;\n\ttcos3=(card->type==SC_CARD_TYPE_TCOS_V3);\n\tdata=(tcos_data *)card->drv_data;\n\n\tif (se_num || (env->operation!=SC_SEC_OPERATION_DECIPHER && env->operation!=SC_SEC_OPERATION_SIGN)) {\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);\n\t}\n\tif(!(env->flags & SC_SEC_ENV_KEY_REF_PRESENT))\n\t\tsc_log(ctx,\n\t\t\t\"No Key-Reference in 
SecEnvironment\\n\");\n\telse\n\t\tsc_log(ctx,\n\t\t\t\"Key-Reference %02X (len=%\"SC_FORMAT_LEN_SIZE_T\"u)\\n\",\n\t\t\tenv->key_ref[0], env->key_ref_len);\n\t/* Key-Reference 0x80 ?? */\n\tdefault_key= !(env->flags & SC_SEC_ENV_KEY_REF_PRESENT) || (env->key_ref_len==1 && env->key_ref[0]==0x80);\n\tsc_log(ctx,\n\t\t\"TCOS3:%d PKCS1:%d\\n\", tcos3,\n\t\t!!(env->algorithm_flags & SC_ALGORITHM_RSA_PAD_PKCS1));\n\n\tdata->pad_flags = env->algorithm_flags;\n\tdata->next_sign = default_key;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x22, tcos3 ? 0x41 : 0xC1, 0xB8);\n\tp = sbuf;\n\tif (env->flags & SC_SEC_ENV_KEY_REF_PRESENT) {\n\t\t*p++ = (env->flags & SC_SEC_ENV_KEY_REF_SYMMETRIC) ? 0x83 : 0x84;\n\t\t*p++ = env->key_ref_len;\n\t\tmemcpy(p, env->key_ref, env->key_ref_len);\n\t\tp += env->key_ref_len;\n\t}\n\tapdu.data = sbuf;\n\tapdu.lc = apdu.datalen = (p - sbuf);\n\n\tr=sc_transmit_apdu(card, &apdu);\n\tif (r) {\n\t\tsc_log(ctx,\n\t\t\t\"%s: APDU transmit failed\", sc_strerror(r));\n\t\treturn r;\n\t}\n\tif (apdu.sw1==0x6A && (apdu.sw2==0x81 || apdu.sw2==0x88)) {\n\t\tsc_log(ctx,\n\t\t\t\"Detected Signature-Only key\\n\");\n\t\tif (env->operation==SC_SEC_OPERATION_SIGN && default_key) return SC_SUCCESS;\n\t}\n\tSC_FUNC_RETURN(ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}", "project": "OpenSC", "hash": 46602344664369450852260308414175827075, "size": 56, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453705 }, { "func": "static int tcos_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)\n{\n\tswitch (cmd) {\n\tcase SC_CARDCTL_TCOS_SETPERM:\n\t\treturn tcos_setperm(card, !!ptr);\n\tcase SC_CARDCTL_GET_SERIALNR:\n\t\treturn tcos_get_serialnr(card, (sc_serial_number_t *)ptr);\n\t}\n\treturn SC_ERROR_NOT_SUPPORTED;\n}", "project": "OpenSC", "hash": 
144617548674885742297924822046400097296, "size": 10, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453698 }, { "func": "static int iasecc_parse_ef_atr(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_private_data *pdata = (struct iasecc_private_data *) card->drv_data;\n\tstruct iasecc_version *version = &pdata->version;\n\tstruct iasecc_io_buffer_sizes *sizes = &pdata->max_sizes;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\trv = sc_parse_ef_atr(card);\n\tLOG_TEST_RET(ctx, rv, \"MF selection error\");\n\n\tif (card->ef_atr->pre_issuing_len < 4)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Invalid pre-issuing data\");\n\n\tversion->ic_manufacturer =\tcard->ef_atr->pre_issuing[0];\n\tversion->ic_type =\t\tcard->ef_atr->pre_issuing[1];\n\tversion->os_version =\t\tcard->ef_atr->pre_issuing[2];\n\tversion->iasecc_version =\tcard->ef_atr->pre_issuing[3];\n\tsc_log(ctx, \"EF.ATR: IC manufacturer/type %X/%X, OS/IasEcc versions %X/%X\",\n\t\tversion->ic_manufacturer, version->ic_type, version->os_version, version->iasecc_version);\n\n\tif (card->ef_atr->issuer_data_len < 16)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Invalid issuer data\");\n\n\tsizes->send =\t card->ef_atr->issuer_data[2] * 0x100 + card->ef_atr->issuer_data[3];\n\tsizes->send_sc = card->ef_atr->issuer_data[6] * 0x100 + card->ef_atr->issuer_data[7];\n\tsizes->recv =\t card->ef_atr->issuer_data[10] * 0x100 + card->ef_atr->issuer_data[11];\n\tsizes->recv_sc = card->ef_atr->issuer_data[14] * 0x100 + card->ef_atr->issuer_data[15];\n\n\tcard->max_send_size = sizes->send;\n\tcard->max_recv_size = sizes->recv;\n\n\t/* Most of the card producers interpret 'send' values as \"maximum APDU data size\".\n\t * Oberthur strictly follows specification and interpret these values as \"maximum APDU command size\".\n\t * Here we need 
'data size'.\n\t */\n\tif (card->max_send_size > 0xFF)\n\t\tcard->max_send_size -= 5;\n\n\tsc_log(ctx,\n\t \"EF.ATR: max send/recv sizes %\"SC_FORMAT_LEN_SIZE_T\"X/%\"SC_FORMAT_LEN_SIZE_T\"X\",\n\t card->max_send_size, card->max_recv_size);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 66128117229491948271469462797222185054, "size": 46, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263055 }, { "func": "static int tcos_construct_fci(const sc_file_t *file,\n u8 *out, size_t *outlen)\n{\n\tu8 *p = out;\n\tu8 buf[64];\n\tsize_t n;\n\n\t/* FIXME: possible buffer overflow */\n\n\t*p++ = 0x6F; /* FCI */\n\tp++;\n\n\t/* File size */\n\tbuf[0] = (file->size >> 8) & 0xFF;\n\tbuf[1] = file->size & 0xFF;\n\tsc_asn1_put_tag(0x81, buf, 2, p, 16, &p);\n\n\t/* File descriptor */\n\tn = 0;\n\tbuf[n] = file->shareable ? 
0x40 : 0;\n\tswitch (file->type) {\n\tcase SC_FILE_TYPE_WORKING_EF:\n\t\tbreak;\n\tcase SC_FILE_TYPE_DF:\n\t\tbuf[0] |= 0x38;\n\t\tbreak;\n\tdefault:\n\t\treturn SC_ERROR_NOT_SUPPORTED;\n\t}\n\tbuf[n++] |= file->ef_structure & 7;\n\tif ( (file->ef_structure & 7) > 1) {\n\t\t/* record structured file */\n\t\tbuf[n++] = 0x41; /* indicate 3rd byte */\n\t\tbuf[n++] = file->record_length;\n\t}\n\tsc_asn1_put_tag(0x82, buf, n, p, 8, &p);\n\n\t/* File identifier */\n\tbuf[0] = (file->id >> 8) & 0xFF;\n\tbuf[1] = file->id & 0xFF;\n\tsc_asn1_put_tag(0x83, buf, 2, p, 16, &p);\n\n\t/* Directory name */\n\tif (file->type == SC_FILE_TYPE_DF) {\n\t\tif (file->namelen) {\n\t\t\tsc_asn1_put_tag(0x84, file->name, file->namelen,\n p, 16, &p);\n\t\t} else {\n\t\t\t/* TCOS needs one, so we use a faked one */\n\t\t\tsnprintf ((char *) buf, sizeof(buf)-1, \"foo-%lu\",\n (unsigned long) time (NULL));\n\t\t\tsc_asn1_put_tag(0x84, buf, strlen ((char *) buf), p, 16, &p);\n\t\t}\n\t}\n\n\t/* File descriptor extension */\n\tif (file->prop_attr_len && file->prop_attr) {\n\t\tn = file->prop_attr_len;\n\t\tmemcpy(buf, file->prop_attr, n);\n\t} else {\n\t\tn = 0;\n\t\tbuf[n++] = 0x01; /* not invalidated, permanent */\n\t\tif (file->type == SC_FILE_TYPE_WORKING_EF)\n\t\t\tbuf[n++] = 0x00; /* generic data file */\n\t}\n\tsc_asn1_put_tag(0x85, buf, n, p, 16, &p);\n\n\t/* Security attributes */\n\tif (file->sec_attr_len && file->sec_attr) {\n\t\tmemcpy(buf, file->sec_attr, file->sec_attr_len);\n\t\tn = file->sec_attr_len;\n\t} else {\n\t\t/* no attributes given - fall back to default one */\n\t\tmemcpy (buf+ 0, \"\\xa4\\x00\\x00\\x00\\xff\\xff\", 6); /* select */\n\t\tmemcpy (buf+ 6, \"\\xb0\\x00\\x00\\x00\\xff\\xff\", 6); /* read bin */\n\t\tmemcpy (buf+12, \"\\xd6\\x00\\x00\\x00\\xff\\xff\", 6); /* upd bin */\n\t\tmemcpy (buf+18, \"\\x60\\x00\\x00\\x00\\xff\\xff\", 6); /* admin grp*/\n\t\tn = 24;\n\t}\n\tsc_asn1_put_tag(0x86, buf, n, p, sizeof (buf), &p);\n\n\n\t/* fixup length of FCI */\n\tout[1] 
= p - out - 2;\n\n\t*outlen = p - out;\n\treturn 0;\n}", "project": "OpenSC", "hash": 163425523657768046224170230800267043710, "size": 88, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453699 }, { "func": "static int tcos_list_files(sc_card_t *card, u8 *buf, size_t buflen)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE], p1;\n\tint r, count = 0;\n\n\tassert(card != NULL);\n\tctx = card->ctx;\n\n\tfor (p1=1; p1<=2; p1++) {\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xAA, p1, 0);\n\t\tapdu.cla = 0x80;\n\t\tapdu.resp = rbuf;\n\t\tapdu.resplen = sizeof(rbuf);\n\t\tapdu.le = 256;\n\t\tr = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(ctx, r, \"APDU transmit failed\");\n\t\tif (apdu.sw1==0x6A && (apdu.sw2==0x82 || apdu.sw2==0x88)) continue;\n\t\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\t\tLOG_TEST_RET(ctx, r, \"List Dir failed\");\n\t\tif (apdu.resplen > buflen) return SC_ERROR_BUFFER_TOO_SMALL;\n\t\tsc_log(ctx,\n\t\t\t\"got %\"SC_FORMAT_LEN_SIZE_T\"u %s-FileIDs\\n\",\n\t\t\tapdu.resplen / 2, p1 == 1 ? 
\"DF\" : \"EF\");\n\n\t\tmemcpy(buf, apdu.resp, apdu.resplen);\n\t\tbuf += apdu.resplen;\n\t\tbuflen -= apdu.resplen;\n\t\tcount += apdu.resplen;\n\t}\n\treturn count;\n}", "project": "OpenSC", "hash": 77871488236966928341429659826285412295, "size": 33, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453701 }, { "func": "static int cardos_construct_fcp(sc_card_t *card, const sc_file_t *file,\n\tu8 *out, size_t *outlen)\n{\n\tu8 buf[64], *p = out;\n\tsize_t inlen = *outlen, len;\n\tint r;\n\n\tLOG_FUNC_CALLED(card->ctx);\n\n\tif (out == NULL || inlen < 64)\n\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\t/* add FCP tag */\n\t*p++ = 0x62;\n\t/* we will add the length later */\n\tp++;\n\n\tmemset(buf, 0, sizeof(buf));\n\n\t/* set the length */\n\tbuf[0] = (file->size >> 8) & 0xff;\n\tbuf[1] = file->size & 0xff;\n\tif (file->type == SC_FILE_TYPE_DF)\n\t\tr = sc_asn1_put_tag(0x81, buf, 2, p, 4, &p);\n\telse\n\t\tr = sc_asn1_put_tag(0x80, buf, 2, p, 4, &p);\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* set file type */\n\tif (file->shareable != 0)\n\t\tbuf[0] = 0x40;\n\telse\n\t\tbuf[0] = 0x00;\n\tif (file->type == SC_FILE_TYPE_WORKING_EF) {\n\t\tswitch (file->ef_structure) {\n\t\tcase SC_FILE_EF_TRANSPARENT:\n\t\t\tbuf[0] |= 0x01;\n\t\t\tbreak;\n\t\tcase SC_FILE_EF_LINEAR_VARIABLE_TLV:\n\t\t\tbuf[0] |= 0x05;\n\t\t\tbreak;\n\t\tcase SC_FILE_EF_LINEAR_FIXED:\n\t\t\tbuf[0] |= 0x02;\n\t\t\tbuf[1] |= 0x21;\n\t\t\tbuf[2] |= 0x00;\n\t\t\tbuf[3] |= (u8) file->record_length;\n\t\t\tbuf[4] |= (u8) file->record_count;\n\t\t\tbreak;\n\t\tcase SC_FILE_EF_CYCLIC:\n\t\t\tbuf[0] |= 0x06;\n\t\t\tbuf[1] |= 0x21;\n\t\t\tbuf[2] |= 0x00;\n\t\t\tbuf[3] |= (u8) file->record_length;\n\t\t\tbuf[4] |= (u8) file->record_count;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsc_log(card->ctx, \"unknown EF type: %u\", file->type);\n\t\t\treturn 
SC_ERROR_INVALID_ARGUMENTS;\n\t\t}\n\t\tif (file->ef_structure == SC_FILE_EF_CYCLIC ||\n\t\t file->ef_structure == SC_FILE_EF_LINEAR_FIXED)\n\t\tr = sc_asn1_put_tag(0x82, buf, 5, p, 8, &p);\n\telse\n\t\tr = sc_asn1_put_tag(0x82, buf, 1, p, 8, &p);\n\t} else if (file->type == SC_FILE_TYPE_DF) {\n\t\tbuf[0] |= 0x38;\n\t\tr = sc_asn1_put_tag(0x82, buf, 1, p, 8, &p);\n\t} else\n\t\treturn SC_ERROR_NOT_SUPPORTED;\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* set file id */\n\tbuf[0] = (file->id >> 8) & 0xff;\n\tbuf[1] = file->id & 0xff;\n\tr = sc_asn1_put_tag(0x83, buf, 2, p, 8, &p);\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* set aid (for DF only) */\n\tif (file->type == SC_FILE_TYPE_DF && file->namelen != 0) {\n\t\tr = sc_asn1_put_tag(0x84, file->name, file->namelen, p, 20, &p);\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t}\n\t/* set proprietary file attributes */\n\tbuf[0] = 0x00;\t\t/* use default values */\n\tif (file->type == SC_FILE_TYPE_DF)\n\t\tr = sc_asn1_put_tag(0x85, buf, 1, p, 8, &p);\n\telse {\n\t\tbuf[1] = 0x00;\n\t\tbuf[2] = 0x00;\n\t\tr = sc_asn1_put_tag(0x85, buf, 1, p, 8, &p);\n\t}\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* set ACs */\n\tlen = 9;\n\tr = cardos_acl_to_bytes(card, file, buf, &len);\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\tr = sc_asn1_put_tag(0x86, buf, len, p, 18, &p);\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* finally set the length of the FCP */\n\tout[1] = p - out - 2;\n\n\t*outlen = p - out;\n\n\treturn SC_SUCCESS;\n}", "project": "OpenSC", "hash": 42348384099158164533092156599026838044, "size": 108, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270675 }, { "func": "static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len, u8 * out, size_t outlen)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t 
apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\ttcos_data *data;\n\tint tcos3, r;\n\n\tassert(card != NULL && crgram != NULL && out != NULL);\n\tctx = card->ctx;\n\ttcos3=(card->type==SC_CARD_TYPE_TCOS_V3);\n\tdata=(tcos_data *)card->drv_data;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx,\n\t\t\"TCOS3:%d PKCS1:%d\\n\",tcos3,\n\t\t!!(data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1));\n\n\tsc_format_apdu(card, &apdu, crgram_len>255 ? SC_APDU_CASE_4_EXT : SC_APDU_CASE_4_SHORT, 0x2A, 0x80, 0x86);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = crgram_len;\n\n\tapdu.data = sbuf;\n\tapdu.lc = apdu.datalen = crgram_len+1;\n\tsbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);\n\tmemcpy(sbuf+1, crgram, crgram_len);\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif (apdu.sw1==0x90 && apdu.sw2==0x00) {\n\t\tsize_t len= (apdu.resplen>outlen) ? outlen : apdu.resplen;\n\t\tunsigned int offset=0;\n\t\tif(tcos3 && (data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) && apdu.resp[0]==0 && apdu.resp[1]==2) {\n\t\t\toffset=2; while(offsetctx, SC_LOG_DEBUG_VERBOSE, len-offset);\n\t}\n\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}", "project": "OpenSC", "hash": 35692446162590344930620836498368260919, "size": 44, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 1, "dataset": "other", "idx": 211948 }, { "func": "static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len, u8 * out, size_t outlen)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\ttcos_data *data;\n\tint tcos3, r;\n\n\tassert(card != NULL && crgram != NULL && out != NULL);\n\tctx = 
card->ctx;\n\ttcos3=(card->type==SC_CARD_TYPE_TCOS_V3);\n\tdata=(tcos_data *)card->drv_data;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx,\n\t\t\"TCOS3:%d PKCS1:%d\\n\",tcos3,\n\t\t!!(data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1));\n\n\tsc_format_apdu(card, &apdu, crgram_len>255 ? SC_APDU_CASE_4_EXT : SC_APDU_CASE_4_SHORT, 0x2A, 0x80, 0x86);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = crgram_len;\n\n\tapdu.data = sbuf;\n\tapdu.lc = apdu.datalen = crgram_len+1;\n\tsbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);\n\tif (sizeof sbuf - 1 < crgram_len)\n\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\tmemcpy(sbuf+1, crgram, crgram_len);\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif (apdu.sw1==0x90 && apdu.sw2==0x00) {\n\t\tsize_t len= (apdu.resplen>outlen) ? outlen : apdu.resplen;\n\t\tunsigned int offset=0;\n\t\tif(tcos3 && (data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) && apdu.resp[0]==0 && apdu.resp[1]==2) {\n\t\t\toffset=2; while(offsetctx, SC_LOG_DEBUG_VERBOSE, len-offset);\n\t}\n\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}", "project": "OpenSC", "hash": 135428929269373710791680828572609443287, "size": 46, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453691 }, { "func": "static int acl_to_byte(const sc_acl_entry_t *e)\n{\n\tif (e != NULL) {\n\t\tswitch (e->method) {\n\t\tcase SC_AC_NONE:\n\t\t\treturn 0x00;\n\t\tcase SC_AC_NEVER:\n\t\t\treturn 0xFF;\n\t\tcase SC_AC_CHV:\n\t\tcase SC_AC_TERM:\n\t\tcase SC_AC_AUT:\n\t\t\tif (e->key_ref == SC_AC_KEY_REF_NONE)\n\t\t\t\treturn -1;\n\t\t\tif (e->key_ref > 0x7F)\n\t\t\t\treturn -1;\n\t\t\treturn e->key_ref;\n\t\t}\n\t}\n return 0x00;\n}", "project": "OpenSC", "hash": 173709416336833647761968270085829929264, 
"size": 20, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270692 }, { "func": "static int cardos_init(sc_card_t *card)\n{\n\tcardos_data_t * priv = NULL;\n\tunsigned long flags = 0;\n\tsize_t data_field_length;\n\tsc_apdu_t apdu;\n\tu8 rbuf[2];\n\tint r;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\tpriv = calloc(1, sizeof(cardos_data_t));\n\tif (!priv)\n\t\tLOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);\n\tcard->drv_data = priv;\n\n\tcard->name = \"Atos CardOS\";\n\tcard->cla = 0x00;\n\n\t/* let user override flags and type from opensc.conf */\n\t/* user can override card->type too.*/\n\tif (card->flags) {\n\t flags = card->flags;\n\t} else {\n\n\t\t/* Set up algorithm info. */\n\t\tflags = 0;\n\t\tif (card->type == SC_CARD_TYPE_CARDOS_V5_0) {\n\t\t\tflags |= SC_ALGORITHM_RSA_PAD_PKCS1;\n\t\t} else if(card->type == SC_CARD_TYPE_CARDOS_V5_3) {\n\t\t\tflags |= SC_ALGORITHM_RSA_RAW\n\t\t\t\t| SC_ALGORITHM_RSA_HASH_NONE\n\t\t\t\t| SC_ALGORITHM_ONBOARD_KEY_GEN;\n\t\t} else {\n\t\t\tflags |= SC_ALGORITHM_RSA_RAW\n\t\t\t\t| SC_ALGORITHM_RSA_HASH_NONE\n\t\t\t\t| SC_ALGORITHM_NEED_USAGE\n\t\t\t\t| SC_ALGORITHM_ONBOARD_KEY_GEN;\n\t\t}\n\t}\n\n\tpriv->flags = flags;\n\n\tif (card->type == SC_CARD_TYPE_CARDOS_M4_2) {\n\t\tr = cardos_have_2048bit_package(card);\n\t\tif (r < 0) {\n\t\t\tr = SC_ERROR_INVALID_CARD;\n\t\t\tgoto err;\n\t\t}\n\t\tif (r == 1)\n\t\t\tpriv->rsa_2048 = 1;\n\t\tcard->caps |= SC_CARD_CAP_APDU_EXT;\n\t} else if (card->type == SC_CARD_TYPE_CARDOS_M4_3\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_M4_2B\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_M4_2C\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_M4_4\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_V5_0\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {\n\t\tpriv->rsa_2048 = 1;\n\t\tcard->caps |= 
SC_CARD_CAP_APDU_EXT;\n\t\t/* TODO check this. EC only if in supported_algo */\n\t\tpriv->ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;\n\t}\n\n\t/* probe DATA FIELD LENGTH with GET DATA */\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x8D);\n\tapdu.le = sizeof rbuf;\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tif (r < 0)\n\t\tLOG_TEST_GOTO_ERR(card->ctx,\n\t\t\t\tSC_ERROR_INVALID_CARD,\n\t\t\t\t\"APDU transmit failed\");\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tif (r < 0)\n\t\tLOG_TEST_GOTO_ERR(card->ctx,\n\t\t\t\tSC_ERROR_INVALID_CARD,\n\t\t\t\t\"GET DATA command returned error\");\n\tif (apdu.resplen != 2) {\n\t\tr = SC_ERROR_INVALID_CARD;\n\t\tgoto err;\n\t}\n\tdata_field_length = ((rbuf[0] << 8) | rbuf[1]);\n\n\t/* TODO is this really needed? strip the length of possible Lc and Le bytes */\n\n\t/* Use Min card sizes and reader too. for V5_3 at least*/\n\n\tif (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {\n\t\tsc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, \"data_field_length:%\"SC_FORMAT_LEN_SIZE_T\"u \"\n\t\t\t\t\"card->reader->max_send_size:%\"SC_FORMAT_LEN_SIZE_T\"u \"\n\t\t\t\t\"card->reader->max_recv_size:%\"SC_FORMAT_LEN_SIZE_T\"u %s\",\n\t\t\t\tdata_field_length, card->reader->max_send_size, card->reader->max_recv_size,\n\t\t\t\t(card->caps & SC_CARD_CAP_APDU_EXT) ? \"SC_CARD_CAP_APDU_EXT\" : \" \");\n\n\t\tif (card->caps & SC_CARD_CAP_APDU_EXT) {\n\t\t\tcard->max_send_size = data_field_length - 6;\n#ifdef _WIN32\n\t\t\t/* Windows does not support PCSC PART_10 and may have forced reader to 255/256\n\t\t\t * https://github.com/OpenSC/OpenSC/commit/eddea6f3c2d3dafc2c09eba6695c745a61b5186f\n\t\t\t * may have reset this. 
if so, will override and force extended \n\t\t\t * Most, if not all, cardos cards do extended, but not chaining \n\t\t\t */\n\t\t\tif (card->reader->max_send_size == 255 && card->reader->max_recv_size == 256) {\n\t\t\t\tsc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, \"resetting reader to use data_field_length\");\n\t\t\t\tcard->reader->max_send_size = data_field_length - 6;\n\t\t\t\tcard->reader->max_recv_size = data_field_length - 3;\n\t\t\t}\n#endif\n\t\t} else\n\t\t\tcard->max_send_size = data_field_length - 3;\n\n\t\tcard->max_send_size = sc_get_max_send_size(card); /* include reader sizes and protocol */\n\t\tcard->max_recv_size = data_field_length - 2;\n\t\tcard->max_recv_size = sc_get_max_recv_size(card);\n\t} else {\n\t\t/* old way, disregards reader capabilities */\n\t\tif (card->caps & SC_CARD_CAP_APDU_EXT)\n\t\t\tcard->max_send_size = data_field_length - 6;\n\t\telse\n\t\t\tcard->max_send_size = data_field_length - 3;\n\t\t/* strip the length of SW bytes */\n\t\tcard->max_recv_size = data_field_length - 2;\n\t}\n\n\t/*for new cards, wait till after sc_pkcs15_bind_internal reads tokeninfo */\n\tif (card->type != SC_CARD_TYPE_CARDOS_V5_0 && card->type != SC_CARD_TYPE_CARDOS_V5_3) {\n\t\tr = cardos_add_algs(card, flags, 0, 0);\n\t}\n\nerr:\n\tif (r != SC_SUCCESS) {\n\t\tfree(priv);\n\t\tcard->drv_data = NULL;\n\t}\n\n\treturn r;\n}", "project": "OpenSC", "hash": 135725401098783659846816081236713466705, "size": 140, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270700 }, { "func": "do_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,\n\t\t u8 *out, size_t outlen)\n{\n\t/* cardos_data_t* priv = (cardos_data_t*)card->drv_dataa */;\n\tint r;\n\tsc_apdu_t apdu;\n\n\t/* INS: 0x2A PERFORM SECURITY OPERATION\n\t * P1: 0x9E Resp: Digital 
Signature\n\t * P2: 0x9A Cmd: Input for Digital Signature */\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x9E, 0x9A);\n\tapdu.resp = out;\n\tapdu.le = outlen;\n\tapdu.resplen = outlen;\n\n\tapdu.data = data;\n\tapdu.lc = datalen;\n\tapdu.datalen = datalen;\n\tfixup_transceive_length(card, &apdu);\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif (apdu.sw1 == 0x90 && apdu.sw2 == 0x00)\n\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, apdu.resplen);\n\telse\n\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}", "project": "OpenSC", "hash": 202624707865085526865329845707584797210, "size": 27, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270677 }, { "func": "iasecc_select_aid(struct sc_card *card, struct sc_aid *aid, unsigned char *out, size_t *out_len)\n{\n\tstruct sc_apdu apdu;\n\tunsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];\n\tint rv;\n\n\t/* Select application (deselect previously selected application) */\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);\n\tapdu.lc = aid->len;\n\tapdu.data = aid->value;\n\tapdu.datalen = aid->len;\n\tapdu.resplen = sizeof(apdu_resp);\n\tapdu.resp = apdu_resp;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, rv, \"Cannot select AID\");\n\n\tif (*out_len < apdu.resplen)\n\t\tLOG_TEST_RET(card->ctx, SC_ERROR_BUFFER_TOO_SMALL, \"Cannot select AID\");\n\tmemcpy(out, apdu.resp, apdu.resplen);\n\n\treturn SC_SUCCESS;\n}", "project": "OpenSC", "hash": 314375111371679731751921746163275144084, "size": 25, "commit_id": "03628449b75a93787eb2359412a3980365dda49b", "message": 
"iasecc: fixed unbound recursion", "target": 0, "dataset": "other", "idx": 477393 }, { "func": "static int cardos_set_file_attributes(sc_card_t *card, sc_file_t *file)\n{\n\tint r;\n\n\tif (file->type_attr_len == 0) {\n\t\tu8 type[3];\n\n\t\tmemset(type, 0, sizeof(type));\n\t\ttype[0] = 0x00;\n\t\tswitch (file->type) {\n\t\tcase SC_FILE_TYPE_WORKING_EF:\n\t\t\tbreak;\n\t\tcase SC_FILE_TYPE_DF:\n\t\t\ttype[0] = 0x38;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn SC_ERROR_NOT_SUPPORTED;\n\t\t}\n\t\tif (file->type != SC_FILE_TYPE_DF) {\n\t\t\tswitch (file->ef_structure) {\n\t\t\tcase SC_FILE_EF_LINEAR_FIXED_TLV:\n\t\t\tcase SC_FILE_EF_LINEAR_VARIABLE:\n\t\t\tcase SC_FILE_EF_CYCLIC_TLV:\n\t\t\t\treturn SC_ERROR_NOT_SUPPORTED;\n\t\t\t\t/* No idea what this means, but it\n\t\t\t\t * seems to be required for key\n\t\t\t\t * generation. */\n\t\t\tcase SC_FILE_EF_LINEAR_VARIABLE_TLV:\n\t\t\t\ttype[1] = 0xff;\n\t\t\t\t/* fall through */\n\t\t\tdefault:\n\t\t\t\ttype[0] |= file->ef_structure & 7;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tr = sc_file_set_type_attr(file, type, sizeof(type));\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t}\n\tif (file->prop_attr_len == 0) {\n\t\tu8 status[3];\n\n\t\tstatus[0] = 0x01;\n\t\tif (file->type == SC_FILE_TYPE_DF) {\n\t\t\tstatus[1] = (file->size >> 8) & 0xFF;\n\t\t\tstatus[2] = file->size & 0xFF;\n\t\t} else {\n\t\t\tstatus[1] = status[2] = 0x00; /* not used */\n\t\t}\n\t\tr = sc_file_set_prop_attr(file, status, sizeof(status));\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t}\n\tif (file->sec_attr_len == 0) {\n\t\tu8 acl[9];\n\t\tsize_t blen = sizeof(acl);\n\n\t\tr = cardos_acl_to_bytes(card, file, acl, &blen);\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t\tr = sc_file_set_sec_attr(file, acl, blen);\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t}\n\treturn SC_SUCCESS;\n}", "project": "OpenSC", "hash": 8159461168753449454459203169536368628, "size": 66, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly 
calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270674 }, { "func": "sc_awp_parse_df(struct sc_pkcs15_card *p15card, struct sc_pkcs15_df *df)\n{\n\tstruct sc_context *ctx = p15card->card->ctx;\n\tunsigned char *buf = NULL;\n\tsize_t buf_len;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (df->type != SC_PKCS15_PRKDF && df->type != SC_PKCS15_DODF)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);\n\n\tif (df->enumerated)\n\t\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n\n\trv = sc_oberthur_read_file(p15card, AWP_OBJECTS_LIST_PRV, &buf, &buf_len, 1);\n\tLOG_TEST_RET(ctx, rv, \"Parse DF: read private objects info failed\");\n\n\trv = sc_oberthur_parse_privateinfo(p15card, buf, buf_len, 0);\n\n\tif (buf)\n\t\tfree(buf);\n\n\tif (rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED)\n\t\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n\n\tLOG_TEST_RET(ctx, rv, \"Parse DF: private info parse error\");\n\tdf->enumerated = 1;\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 55332694305653857702712485092716248016, "size": 30, "commit_id": "1db88374bb7706a115d5c3617c6f16115c33bf27", "message": "oberthur: Correctly check for return values\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843", "target": 0, "dataset": "other", "idx": 230099 }, { "func": "sc_pkcs15emu_oberthur_init_ex(struct sc_pkcs15_card * p15card, struct sc_aid *aid)\n{\n\tint rv;\n\n\tLOG_FUNC_CALLED(p15card->card->ctx);\n\trv = oberthur_detect_card(p15card);\n\tif (!rv)\n\t\trv = sc_pkcs15emu_oberthur_init(p15card);\n\n\tLOG_FUNC_RETURN(p15card->card->ctx, rv);\n}", "project": "OpenSC", "hash": 245335353404583265920343713660703353903, "size": 11, "commit_id": "1db88374bb7706a115d5c3617c6f16115c33bf27", "message": "oberthur: Correctly check for return values\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843", "target": 0, "dataset": "other", 
"idx": 230109 }, { "func": "sc_oberthur_parse_tokeninfo (struct sc_pkcs15_card *p15card,\n\t\tunsigned char *buff, size_t len, int postpone_allowed)\n{\n\tstruct sc_context *ctx = p15card->card->ctx;\n\tchar label[0x21];\n\tunsigned flags;\n\tint ii;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (!buff || len < 0x24)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, \"Cannot parse token info\");\n\n\tmemset(label, 0, sizeof(label));\n\n\tmemcpy(label, buff, 0x20);\n\tii = 0x20;\n\twhile (*(label + --ii)==' ' && ii)\n\t\t;\n\t*(label + ii + 1) = '\\0';\n\n\tflags = *(buff + 0x22) * 0x100 + *(buff + 0x23);\n\n\tset_string(&p15card->tokeninfo->label, label);\n\tset_string(&p15card->tokeninfo->manufacturer_id, \"Oberthur/OpenSC\");\n\n\tif (flags & 0x01)\n\t\tp15card->tokeninfo->flags |= SC_PKCS15_TOKEN_PRN_GENERATION;\n\n\tsc_log(ctx, \"label %s\", p15card->tokeninfo->label);\n\tsc_log(ctx, \"manufacturer_id %s\", p15card->tokeninfo->manufacturer_id);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 73661682719962094701154276042337108222, "size": 33, "commit_id": "1db88374bb7706a115d5c3617c6f16115c33bf27", "message": "oberthur: Correctly check for return values\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843", "target": 0, "dataset": "other", "idx": 230111 }, { "func": "iasecc_sdo_get_data(struct sc_card *card, struct iasecc_sdo *sdo)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tint rv, sdo_tag;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tsdo_tag = iasecc_sdo_tag_from_class(sdo->sdo_class);\n\n\trv = iasecc_sdo_get_tagged_data(card, sdo_tag, sdo);\n\t/* When there is no public data 'GET DATA' returns error */\n\tif (rv != SC_ERROR_INCORRECT_PARAMETERS)\n\t\tLOG_TEST_RET(ctx, rv, \"cannot parse ECC SDO data\");\n\n\trv = iasecc_sdo_get_tagged_data(card, IASECC_DOCP_TAG, sdo);\n\tLOG_TEST_RET(ctx, rv, \"cannot parse ECC DOCP data\");\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 49310794631010853128006989686318405656, 
"size": 19, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263039 }, { "func": "iasecc_erase_binary(struct sc_card *card, unsigned int offs, size_t count, unsigned long flags)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned char *tmp = NULL;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx,\n\t \"iasecc_erase_binary(card:%p) count %\"SC_FORMAT_LEN_SIZE_T\"u\",\n\t card, count);\n\tif (!count)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, \"'ERASE BINARY' failed: invalid size to erase\");\n\n\ttmp = malloc(count);\n\tif (!tmp)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, \"Cannot allocate temporary buffer\");\n\tmemset(tmp, 0xFF, count);\n\n\trv = sc_update_binary(card, offs, tmp, count, flags);\n\tfree(tmp);\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 305103293588835110101823939097430484444, "size": 23, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263042 }, { "func": "iasecc_get_chv_reference_from_se(struct sc_card *card, int *se_reference)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_se_info se;\n\tstruct sc_crt crt;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (!se_reference)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, \"Invalid arguments\");\n\n\tmemset(&se, 0, sizeof(se));\n\tse.reference = *se_reference;\n\n\trv = iasecc_se_get_info(card, &se);\n\tLOG_TEST_RET(ctx, rv, \"get SE info error\");\n\n\tmemset(&crt, 0, sizeof(crt));\n\tcrt.tag = IASECC_CRT_TAG_AT;\n\tcrt.usage = IASECC_UQB_AT_USER_PASSWORD;\n\n\trv = iasecc_se_get_crt(card, &se, &crt);\n\tLOG_TEST_RET(ctx, rv, \"Cannot get 
'USER PASSWORD' authentication template\");\n\n\tsc_file_free(se.df);\n\tLOG_FUNC_RETURN(ctx, crt.refs[0]);\n}", "project": "OpenSC", "hash": 331721932546177784077675557689432422364, "size": 28, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263046 }, { "func": "iasecc_chv_cache_is_verified(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_pin_status *current = NULL;\n\tunsigned char data_sha1[SHA_DIGEST_LENGTH];\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (pin_cmd->pin1.data)\n\t\tSHA1(pin_cmd->pin1.data, pin_cmd->pin1.len, data_sha1);\n\telse\n\t\tmemset(data_sha1, 0, SHA_DIGEST_LENGTH);\n\tsc_log_hex(ctx, \"data_sha1: %s\", data_sha1, SHA_DIGEST_LENGTH);\n\n\tfor(current = checked_pins; current; current = current->next)\n\t\tif (current->reference == pin_cmd->pin_reference)\n\t\t\tbreak;\n\n\tif (current && !memcmp(data_sha1, current->sha1, SHA_DIGEST_LENGTH)) {\n\t\tsc_log(ctx, \"PIN-%i status 'verified'\", pin_cmd->pin_reference);\n\t\treturn current;\n\t}\n\n\tsc_log(ctx, \"PIN-%i status 'not verified'\", pin_cmd->pin_reference);\n\treturn NULL;\n}", "project": "OpenSC", "hash": 100182165700546527777392159720951233771, "size": 26, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263056 }, { "func": "iasecc_decipher(struct sc_card *card,\n\t\tconst unsigned char *in, size_t in_len,\n\t\tunsigned char *out, size_t out_len)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_apdu apdu;\n\tunsigned char sbuf[0x200];\n\tunsigned char resp[SC_MAX_APDU_BUFFER_SIZE];\n\tsize_t offs;\n\tint 
rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(card->ctx,\n\t \"crgram_len %\"SC_FORMAT_LEN_SIZE_T\"u; outlen %\"SC_FORMAT_LEN_SIZE_T\"u\",\n\t in_len, out_len);\n\tif (!out || !out_len || in_len > SC_MAX_APDU_BUFFER_SIZE)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);\n\n\toffs = 0;\n\tsbuf[offs++] = 0x81;\n\tmemcpy(sbuf + offs, in, in_len);\n\toffs += in_len;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A, 0x80, 0x86);\n\tapdu.flags |= SC_APDU_FLAGS_CHAINING;\n\tapdu.data = sbuf;\n\tapdu.datalen = offs;\n\tapdu.lc = offs;\n\tapdu.resp = resp;\n\tapdu.resplen = sizeof(resp);\n\tapdu.le = 256;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(ctx, rv, \"Card returned error\");\n\n\tif (out_len > apdu.resplen)\n\t\tout_len = apdu.resplen;\n\n\tmemcpy(out, apdu.resp, out_len);\n\trv = out_len;\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 310842747367203805416055449723509140251, "size": 45, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263062 }, { "func": "iasecc_sdo_get_tagged_data(struct sc_card *card, int sdo_tag, struct iasecc_sdo *sdo)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_apdu apdu;\n\tunsigned char sbuf[0x100];\n\tsize_t offs = sizeof(sbuf) - 1;\n\tunsigned char rbuf[0x400];\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tsbuf[offs--] = 0x80;\n\tsbuf[offs--] = sdo_tag & 0xFF;\n\tif ((sdo_tag >> 8) & 0xFF)\n\t\tsbuf[offs--] = (sdo_tag >> 8) & 0xFF;\n\tsbuf[offs] = sizeof(sbuf) - offs - 1;\n\toffs--;\n\n\tsbuf[offs--] = sdo->sdo_ref & 0x9F;\n\tsbuf[offs--] = sdo->sdo_class | IASECC_OBJECT_REF_LOCAL;\n\tsbuf[offs--] = IASECC_SDO_TAG_HEADER;\n\n\tsbuf[offs] = sizeof(sbuf) - offs - 
1;\n\toffs--;\n\tsbuf[offs--] = IASECC_SDO_TEMPLATE_TAG;\n\n\tsbuf[offs] = sizeof(sbuf) - offs - 1;\n\toffs--;\n\tsbuf[offs] = 0x4D;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xCB, 0x3F, 0xFF);\n\tapdu.data = sbuf + offs;\n\tapdu.datalen = sizeof(sbuf) - offs;\n\tapdu.lc = sizeof(sbuf) - offs;\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = 0x100;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(ctx, rv, \"SDO get data error\");\n\n\trv = iasecc_sdo_parse(card, apdu.resp, apdu.resplen, sdo);\n\tLOG_TEST_RET(ctx, rv, \"cannot parse SDO data\");\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 25529644230219156488265076316226132132, "size": 48, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263066 }, { "func": "iasecc_pin_get_status(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_pin_cmd_data info;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (data->pin_type != SC_AC_CHV)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, \"PIN type is not supported for status\");\n\n\tmemset(&info, 0, sizeof(info));\n\tinfo.cmd = SC_PIN_CMD_GET_INFO;\n\tinfo.pin_type = data->pin_type;\n\tinfo.pin_reference = data->pin_reference;\n\n\trv = iso_ops->pin_cmd(card, &info, tries_left);\n\tLOG_TEST_RET(ctx, rv, \"Failed to get PIN info\");\n\n\tdata->pin1.max_tries = info.pin1.max_tries;\n\tdata->pin1.tries_left = info.pin1.tries_left;\n\tdata->pin1.logged_in = info.pin1.logged_in;\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 106841744387906902811671076600302558838, "size": 25, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", 
"message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263067 }, { "func": "iasecc_sdo_delete(struct sc_card *card, struct iasecc_sdo *sdo)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_apdu apdu;\n\tunsigned char data[6] = {\n\t\t0x70, 0x04, 0xBF, 0xFF, 0xFF, 0x00\n\t};\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (sdo->magic != SC_CARDCTL_IASECC_SDO_MAGIC)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Invalid SDO data\");\n\n\tdata[2] = IASECC_SDO_TAG_HEADER;\n\tdata[3] = sdo->sdo_class | 0x80;\n\tdata[4] = sdo->sdo_ref;\n\tsc_log(ctx, \"delete SDO %02X%02X%02X\", data[2], data[3], data[4]);\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xDB, 0x3F, 0xFF);\n\tapdu.data = data;\n\tapdu.datalen = sizeof(data);\n\tapdu.lc = sizeof(data);\n\tapdu.flags |= SC_APDU_FLAGS_CHAINING;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(ctx, rv, \"delete SDO error\");\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 43258280201331597194492542871471416732, "size": 31, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263070 }, { "func": "iasecc_get_challenge(struct sc_card *card, u8 * rnd, size_t len)\n{\n\t/* As IAS/ECC cannot handle other data length than 0x08 */\n\tu8 rbuf[8];\n\tsize_t out_len;\n\tint r;\n\n\tLOG_FUNC_CALLED(card->ctx);\n\n\tr = iso_ops->get_challenge(card, rbuf, sizeof rbuf);\n\tLOG_TEST_RET(card->ctx, r, \"GET CHALLENGE cmd failed\");\n\n\tif (len < (size_t) r) {\n\t\tout_len = len;\n\t} else {\n\t\tout_len = (size_t) r;\n\t}\n\tmemcpy(rnd, rbuf, 
out_len);\n\n\tLOG_FUNC_RETURN(card->ctx, (int) out_len);\n}", "project": "OpenSC", "hash": 261201501953976210586813636913118699689, "size": 21, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263071 }, { "func": "iasecc_emulate_fcp(struct sc_context *ctx, struct sc_apdu *apdu)\n{\n\tunsigned char dummy_df_fcp[] = {\n\t\t0x62,0xFF,\n\t\t\t0x82,0x01,0x38,\n\t\t\t0x8A,0x01,0x05,\n\t\t\t0xA1,0x04,0x8C,0x02,0x02,0x00,\n\t\t\t0x84,0xFF,\n\t\t\t\t0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\n\t\t\t\t0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF\n\t};\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (apdu->p1 != 0x04)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, \"FCP emulation supported only for the DF-NAME selection type\");\n\tif (apdu->datalen > 16)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Invalid DF-NAME length\");\n\tif (apdu->resplen < apdu->datalen + 16)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, \"not enough space for FCP data\");\n\n\tmemcpy(dummy_df_fcp + 16, apdu->data, apdu->datalen);\n\tdummy_df_fcp[15] = apdu->datalen;\n\tdummy_df_fcp[1] = apdu->datalen + 14;\n\tmemcpy(apdu->resp, dummy_df_fcp, apdu->datalen + 16);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 176776630660953583824664816852844312503, "size": 28, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263075 }, { "func": "iasecc_logout(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_path path;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (!card->ef_atr || !card->ef_atr->aid.len)\n\t\treturn SC_SUCCESS;\n\n\tmemset(&path, 0, sizeof(struct 
sc_path));\n\tpath.type = SC_PATH_TYPE_DF_NAME;\n\tmemcpy(path.value, card->ef_atr->aid.value, card->ef_atr->aid.len);\n\tpath.len = card->ef_atr->aid.len;\n\n\trv = iasecc_select_file(card, &path, NULL);\n\tsc_log(ctx, \"Select ECC ROOT with the AID from EF.ATR: rv %i\", rv);\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 148666483426494250974710574127556653719, "size": 20, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263081 }, { "func": "iasecc_pin_get_info(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_pin_policy policy;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx, \"iasecc_pin_get_info(card:%p)\", card);\n\n\t/*\n\t * Get PIN status first and thereafter update with info from PIN policy, when available.\n\t * The first one is typically used for the PIN verification status and number of remaining\n\t * tries, and the second one for the maximum tries. 
If a field is present in both, the\n\t * policy takes precedence.\n\t */\n\trv = iasecc_pin_get_status(card, data, tries_left);\n\tLOG_TEST_RET(ctx, rv, \"Failed to get PIN status\");\n\n\trv = iasecc_pin_get_policy(card, data, &policy);\n\tLOG_TEST_RET(ctx, rv, \"Failed to get PIN policy\");\n\n\t/*\n\t * We only care about the tries_xxx fields in the PIN policy, since the other ones are not\n\t * commonly expected or used in a SC_PIN_CMD_GET_INFO response.\tNote that max_tries is\n\t * always taken from the policy, since it is never expected to be available in status (it\n\t * is set to -1 when not available in policy).\n\t */\n\tdata->pin1.max_tries = policy.tries_maximum;\n\tif (policy.tries_remaining >= 0)\n\t\tdata->pin1.tries_left = policy.tries_remaining;\n\n\tif (tries_left)\n\t\t*tries_left = data->pin1.tries_left;\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 132552394277754119898556595827787832900, "size": 36, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263082 }, { "func": "iasecc_read_public_key(struct sc_card *card, unsigned type,\n\t\tstruct sc_path *key_path, unsigned ref, unsigned size,\n\t\tunsigned char **out, size_t *out_len)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_sdo sdo;\n\tstruct sc_pkcs15_bignum bn[2];\n\tstruct sc_pkcs15_pubkey_rsa rsa_key;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (type != SC_ALGORITHM_RSA)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);\n\n\tsc_log(ctx, \"read public kay(ref:%i;size:%i)\", ref, size);\n\n\tmemset(&bn, 0, sizeof bn);\n\tmemset(&sdo, 0, sizeof(sdo));\n\tsdo.sdo_class = IASECC_SDO_CLASS_RSA_PUBLIC;\n\tsdo.sdo_ref = ref & ~IASECC_OBJECT_REF_LOCAL;\n\n\trv = iasecc_sdo_get_data(card, &sdo);\n\tLOG_TEST_GOTO_ERR(ctx, rv, \"failed to read public key: cannot 
get RSA SDO data\");\n\n\tif (out)\n\t\t*out = NULL;\n\tif (out_len)\n\t\t*out_len = 0;\n\n\tbn[0].data = (unsigned char *) malloc(sdo.data.pub_key.n.size);\n\tif (!bn[0].data)\n\t\tLOG_TEST_GOTO_ERR(ctx, SC_ERROR_OUT_OF_MEMORY, \"failed to read public key: cannot allocate modulus\");\n\tbn[0].len = sdo.data.pub_key.n.size;\n\tmemcpy(bn[0].data, sdo.data.pub_key.n.value, sdo.data.pub_key.n.size);\n\n\tbn[1].data = (unsigned char *) malloc(sdo.data.pub_key.e.size);\n\tif (!bn[1].data)\n\t\tLOG_TEST_GOTO_ERR(ctx, SC_ERROR_OUT_OF_MEMORY, \"failed to read public key: cannot allocate exponent\");\n\tbn[1].len = sdo.data.pub_key.e.size;\n\tmemcpy(bn[1].data, sdo.data.pub_key.e.value, sdo.data.pub_key.e.size);\n\n\trsa_key.modulus = bn[0];\n\trsa_key.exponent = bn[1];\n\n\trv = sc_pkcs15_encode_pubkey_rsa(ctx, &rsa_key, out, out_len);\n\tLOG_TEST_GOTO_ERR(ctx, rv, \"failed to read public key: cannot encode RSA public key\");\n\n\tif (out && out_len)\n\t\tsc_log(ctx, \"encoded public key: %s\", sc_dump_hex(*out, *out_len));\n\nerr:\n\tif (bn[0].data)\n\t\tfree(bn[0].data);\n\tif (bn[1].data)\n\t\tfree(bn[1].data);\n\n\tiasecc_sdo_free_fields(card, &sdo);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 315203167397516228462441843403656781758, "size": 60, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263083 }, { "func": "iasecc_init_oberthur(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned int flags;\n\tint rv = 0;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tflags = IASECC_CARD_DEFAULT_FLAGS;\n\n\t_sc_card_add_rsa_alg(card, 1024, flags, 0x10001);\n\t_sc_card_add_rsa_alg(card, 2048, flags, 0x10001);\n\n\tcard->caps = IASECC_CARD_DEFAULT_CAPS;\n\n\tiasecc_parse_ef_atr(card);\n\n\t/* if we fail to select CM, */\n\tif 
(gp_select_card_manager(card)) {\n\t\tgp_select_isd_rid(card);\n\t}\n\n\trv = iasecc_oberthur_match(card);\n\tLOG_TEST_RET(ctx, rv, \"unknown Oberthur's IAS/ECC card\");\n\n\trv = iasecc_select_mf(card, NULL);\n\tLOG_TEST_RET(ctx, rv, \"MF selection error\");\n\n\trv = iasecc_parse_ef_atr(card);\n\tLOG_TEST_RET(ctx, rv, \"EF.ATR read or parse error\");\n\n\tsc_log(ctx, \"EF.ATR(aid:'%s')\", sc_dump_hex(card->ef_atr->aid.value, card->ef_atr->aid.len));\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 205389055147630064158010606194876395963, "size": 34, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263085 }, { "func": "iasecc_oberthur_match(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned char *hist = card->reader->atr_info.hist_bytes;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (*hist != 0x80 || ((*(hist+1)&0xF0) != 0xF0))\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_OBJECT_NOT_FOUND);\n\n\tsc_log_hex(ctx, \"AID in historical_bytes\", hist + 2, *(hist+1) & 0x0F);\n\n\tif (memcmp(hist + 2, OberthurIASECC_AID.value, *(hist+1) & 0x0F))\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_RECORD_NOT_FOUND);\n\n\tif (!card->ef_atr)\n\t\tcard->ef_atr = calloc(1, sizeof(struct sc_ef_atr));\n\tif (!card->ef_atr)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);\n\n\tmemcpy(card->ef_atr->aid.value, OberthurIASECC_AID.value, OberthurIASECC_AID.len);\n\tcard->ef_atr->aid.len = OberthurIASECC_AID.len;\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 163712996260215261531884654967222438081, "size": 25, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": 
"other", "idx": 263087 }, { "func": "iasecc_mi_match(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned char resp[0x100];\n\tsize_t resp_len;\n\tint rv = 0;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tresp_len = sizeof(resp);\n\trv = iasecc_select_aid(card, &MIIASECC_AID, resp, &resp_len);\n\tLOG_TEST_RET(ctx, rv, \"IASECC: failed to select MI IAS/ECC applet\");\n\n\tif (!card->ef_atr)\n\t\tcard->ef_atr = calloc(1, sizeof(struct sc_ef_atr));\n\tif (!card->ef_atr)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);\n\n\tmemcpy(card->ef_atr->aid.value, MIIASECC_AID.value, MIIASECC_AID.len);\n\tcard->ef_atr->aid.len = MIIASECC_AID.len;\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 95111025810445059847280487070484214495, "size": 23, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263092 }, { "func": "iasecc_keyset_change(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_sdo_update update;\n\tstruct iasecc_sdo sdo;\n\tunsigned scb;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx, \"Change keyset(ref:%i,lengths:%i)\", data->pin_reference, data->pin2.len);\n\tif (!data->pin2.data || data->pin2.len < 32)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Needs at least 32 bytes for a new keyset value\");\n\n\tmemset(&sdo, 0, sizeof(sdo));\n\tsdo.sdo_class = IASECC_SDO_CLASS_KEYSET;\n\tsdo.sdo_ref = data->pin_reference;\n\n\trv = iasecc_sdo_get_data(card, &sdo);\n\tLOG_TEST_RET(ctx, rv, \"Cannot get keyset data\");\n\n\tif (sdo.docp.acls_contact.size == 0)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Bewildered ... 
there are no ACLs\");\n\tscb = sdo.docp.scbs[IASECC_ACLS_KEYSET_PUT_DATA];\n\tiasecc_sdo_free_fields(card, &sdo);\n\n\tsc_log(ctx, \"SCB:0x%X\", scb);\n\tif (!(scb & IASECC_SCB_METHOD_SM))\n\t\tLOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, \"Other then protected by SM, the keyset change is not supported\");\n\n\tmemset(&update, 0, sizeof(update));\n\tupdate.magic = SC_CARDCTL_IASECC_SDO_MAGIC_PUT_DATA;\n\tupdate.sdo_class = sdo.sdo_class;\n\tupdate.sdo_ref = sdo.sdo_ref;\n\n\tupdate.fields[0].parent_tag = IASECC_SDO_KEYSET_TAG;\n\tupdate.fields[0].tag = IASECC_SDO_KEYSET_TAG_MAC;\n\t/* FIXME is it safe to modify the const value here? */\n\tupdate.fields[0].value = (unsigned char *) data->pin2.data;\n\tupdate.fields[0].size = 16;\n\n\tupdate.fields[1].parent_tag = IASECC_SDO_KEYSET_TAG;\n\tupdate.fields[1].tag = IASECC_SDO_KEYSET_TAG_ENC;\n\t/* FIXME is it safe to modify the const value here? */\n\tupdate.fields[1].value = (unsigned char *) data->pin2.data + 16;\n\tupdate.fields[1].size = 16;\n\n\trv = iasecc_sm_sdo_update(card, (scb & IASECC_SCB_METHOD_MASK_REF), &update);\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 204991041015945350884073502971386064385, "size": 49, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263101 }, { "func": "iasecc_select_aid(struct sc_card *card, struct sc_aid *aid, unsigned char *out, size_t *out_len)\n{\n\tstruct sc_apdu apdu;\n\tunsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];\n\tint rv;\n\n\tLOG_FUNC_CALLED(card->ctx);\n\n\t/* Select application (deselect previously selected application) */\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);\n\tapdu.lc = aid->len;\n\tapdu.data = aid->value;\n\tapdu.datalen = aid->len;\n\tapdu.resplen = sizeof(apdu_resp);\n\tapdu.resp = apdu_resp;\n\n\trv = 
sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, rv, \"Cannot select AID\");\n\n\tif (*out_len < apdu.resplen)\n\t\tLOG_TEST_RET(card->ctx, SC_ERROR_BUFFER_TOO_SMALL, \"Cannot select AID\");\n\tmemcpy(out, apdu.resp, apdu.resplen);\n\n\tLOG_FUNC_RETURN(card->ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 21848766340836499823157684633773894841, "size": 27, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263102 }, { "func": "iasecc_se_at_to_chv_reference(struct sc_card *card, unsigned reference,\n\t\tunsigned *chv_reference)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_se_info se;\n\tstruct sc_crt crt;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx, \"SE reference %i\", reference);\n\n\tif (reference > IASECC_SE_REF_MAX)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);\n\n\tmemset(&se, 0, sizeof(se));\n\tse.reference = reference;\n\n\trv = iasecc_se_get_info(card, &se);\n\tLOG_TEST_RET(ctx, rv, \"SDO get data error\");\n\n\tmemset(&crt, 0, sizeof(crt));\n\tcrt.tag = IASECC_CRT_TAG_AT;\n\tcrt.usage = IASECC_UQB_AT_USER_PASSWORD;\n\n\trv = iasecc_se_get_crt(card, &se, &crt);\n\tLOG_TEST_RET(ctx, rv, \"no authentication template for USER PASSWORD\");\n\n\tif (chv_reference)\n\t\t*chv_reference = crt.refs[0];\n\n\tsc_file_free(se.df);\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 97041316709397951495231138749203507311, "size": 34, "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c", "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800", "target": 0, "dataset": "other", "idx": 263103 }, { "func": 
"cardos_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data,\n\t\t int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tint rv;\n\n\tLOG_FUNC_CALLED(card->ctx);\n\n\tdata->flags |= SC_PIN_CMD_NEED_PADDING;\n\tdata->pin_reference |= 0x80;\n\n\tsc_log(ctx, \"PIN_CMD(cmd:%i, ref:%i)\", data->cmd, data->pin_reference);\n\tsc_log(ctx,\n\t \"PIN1(max:%\"SC_FORMAT_LEN_SIZE_T\"u, min:%\"SC_FORMAT_LEN_SIZE_T\"u)\",\n\t data->pin1.max_length, data->pin1.min_length);\n\tsc_log(ctx,\n\t \"PIN2(max:%\"SC_FORMAT_LEN_SIZE_T\"u, min:%\"SC_FORMAT_LEN_SIZE_T\"u)\",\n\t data->pin2.max_length, data->pin2.min_length);\n\n\t/* FIXME: the following values depend on what pin length was\n\t * used when creating the BS objects */\n\tif (data->pin1.max_length == 0)\n\t\tdata->pin1.max_length = 8;\n\tif (data->pin2.max_length == 0)\n\t\tdata->pin2.max_length = 8;\n\n\trv = iso_ops->pin_cmd(card, data, tries_left);\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 110217722918257014182321427742726906495, "size": 29, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270683 }, { "func": "iasecc_init_oberthur(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned int flags;\n\tint rv = 0;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tflags = IASECC_CARD_DEFAULT_FLAGS;\n\n\t_sc_card_add_rsa_alg(card, 1024, flags, 0x10001);\n\t_sc_card_add_rsa_alg(card, 2048, flags, 0x10001);\n\n\tcard->caps = SC_CARD_CAP_RNG;\n\tcard->caps |= SC_CARD_CAP_APDU_EXT;\n\tcard->caps |= SC_CARD_CAP_USE_FCI_AC;\n\n\tiasecc_parse_ef_atr(card);\n\n\t/* if we fail to select CM, */\n\tif (gp_select_card_manager(card)) {\n\t\tgp_select_isd_rid(card);\n\t}\n\n\trv = iasecc_oberthur_match(card);\n\tLOG_TEST_RET(ctx, rv, \"unknown Oberthur's IAS/ECC card\");\n\n\trv = 
iasecc_select_mf(card, NULL);\n\tLOG_TEST_RET(ctx, rv, \"MF selection error\");\n\n\trv = iasecc_parse_ef_atr(card);\n\tLOG_TEST_RET(ctx, rv, \"EF.ATR read or parse error\");\n\n\tsc_log(ctx, \"EF.ATR(aid:'%s')\", sc_dump_hex(card->ef_atr->aid.value, card->ef_atr->aid.len));\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 241877578292856038970382487397898662950, "size": 36, "commit_id": "03628449b75a93787eb2359412a3980365dda49b", "message": "iasecc: fixed unbound recursion", "target": 0, "dataset": "other", "idx": 477388 }, { "func": "iasecc_erase_binary(struct sc_card *card, unsigned int offs, size_t count, unsigned long flags)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned char *tmp = NULL;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx,\n\t \"iasecc_erase_binary(card:%p) count %\"SC_FORMAT_LEN_SIZE_T\"u\",\n\t card, count);\n\tif (!count)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, \"'ERASE BINARY' failed: invalid size to erase\");\n\n\ttmp = malloc(count);\n\tif (!tmp)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, \"Cannot allocate temporary buffer\");\n\tmemset(tmp, 0xFF, count);\n\n\trv = sc_update_binary(card, offs, tmp, count, flags);\n\tfree(tmp);\n\tLOG_TEST_RET(ctx, rv, \"iasecc_erase_binary() update binary error\");\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 286767445392702469437890767623375659064, "size": 23, "commit_id": "03628449b75a93787eb2359412a3980365dda49b", "message": "iasecc: fixed unbound recursion", "target": 0, "dataset": "other", "idx": 477391 }, { "func": "iasecc_pin_is_verified(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd_data,\n\t\tint *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_pin_cmd_data pin_cmd;\n struct sc_acl_entry acl = pin_cmd_data->pin1.acls[IASECC_ACLS_CHV_VERIFY];\n\tint rv = SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (pin_cmd_data->pin_type != SC_AC_CHV)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, \"PIN 
type is not supported for the verification\");\n\n\tsc_log(ctx, \"Verify ACL(method:%X;ref:%X)\", acl.method, acl.key_ref);\n\tif (acl.method != IASECC_SCB_ALWAYS)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_SECURITY_STATUS_NOT_SATISFIED);\n\n\tpin_cmd = *pin_cmd_data;\n\tpin_cmd.pin1.data = (unsigned char *)\"\";\n\tpin_cmd.pin1.len = 0;\n\n\trv = iasecc_chv_verify(card, &pin_cmd, tries_left);\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 56839879132402598366734645598041357512, "size": 25, "commit_id": "03628449b75a93787eb2359412a3980365dda49b", "message": "iasecc: fixed unbound recursion", "target": 0, "dataset": "other", "idx": 477397 }, { "func": "iasecc_delete_file(struct sc_card *card, const struct sc_path *path)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tconst struct sc_acl_entry *entry = NULL;\n\tstruct sc_apdu apdu;\n\tstruct sc_file *file = NULL;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_print_cache(card);\n\n\trv = iasecc_select_file(card, path, &file);\n\tif (rv == SC_ERROR_FILE_NOT_FOUND)\n\t\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n\tLOG_TEST_RET(ctx, rv, \"Cannot select file to delete\");\n\n\tentry = sc_file_get_acl_entry(file, SC_AC_OP_DELETE);\n\tif (!entry)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_FOUND, \"Cannot delete file: no 'DELETE' acl\");\n\n\tsc_log(ctx, \"DELETE method/reference %X/%X\", entry->method, entry->key_ref);\n\tif (entry->method == SC_AC_SCB && (entry->key_ref & IASECC_SCB_METHOD_SM)) {\n\t\tunsigned char se_num = (entry->method == SC_AC_SCB) ? 
(entry->key_ref & IASECC_SCB_METHOD_MASK_REF) : 0;\n\t\trv = iasecc_sm_delete_file(card, se_num, file->id);\n\t}\n\telse {\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xE4, 0x00, 0x00);\n\n\t\trv = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(ctx, rv, \"APDU transmit failed\");\n\t\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\t\tLOG_TEST_RET(ctx, rv, \"Delete file failed\");\n\n\t\tif (card->cache.valid)\n\t\t\tsc_file_free(card->cache.current_ef);\n\t\tcard->cache.current_ef = NULL;\n\t}\n\n\tsc_file_free(file);\n\tLOG_FUNC_RETURN(ctx, rv);\n}", "project": "OpenSC", "hash": 106435940525695054652280206737331373380, "size": 41, "commit_id": "03628449b75a93787eb2359412a3980365dda49b", "message": "iasecc: fixed unbound recursion", "target": 0, "dataset": "other", "idx": 477399 }, { "func": "iasecc_read_public_key(struct sc_card *card, unsigned type,\n\t\tstruct sc_path *key_path, unsigned ref, unsigned size,\n\t\tunsigned char **out, size_t *out_len)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_sdo sdo;\n\tstruct sc_pkcs15_bignum bn[2];\n\tstruct sc_pkcs15_pubkey_rsa rsa_key;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (type != SC_ALGORITHM_RSA)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);\n\n\tsc_log(ctx, \"read public kay(ref:%i;size:%i)\", ref, size);\n\n\tmemset(&sdo, 0, sizeof(sdo));\n\tsdo.sdo_class = IASECC_SDO_CLASS_RSA_PUBLIC;\n\tsdo.sdo_ref = ref & ~IASECC_OBJECT_REF_LOCAL;\n\n\trv = iasecc_sdo_get_data(card, &sdo);\n\tLOG_TEST_RET(ctx, rv, \"failed to read public key: cannot get RSA SDO data\");\n\n\tif (out)\n\t\t*out = NULL;\n\tif (out_len)\n\t\t*out_len = 0;\n\n\tbn[0].data = (unsigned char *) malloc(sdo.data.pub_key.n.size);\n\tif (!bn[0].data)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, \"failed to read public key: cannot allocate modulus\");\n\tbn[0].len = sdo.data.pub_key.n.size;\n\tmemcpy(bn[0].data, sdo.data.pub_key.n.value, sdo.data.pub_key.n.size);\n\n\tbn[1].data = (unsigned char *) 
malloc(sdo.data.pub_key.e.size);\n\tif (!bn[1].data)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, \"failed to read public key: cannot allocate exponent\");\n\tbn[1].len = sdo.data.pub_key.e.size;\n\tmemcpy(bn[1].data, sdo.data.pub_key.e.value, sdo.data.pub_key.e.size);\n\n\trsa_key.modulus = bn[0];\n\trsa_key.exponent = bn[1];\n\n\trv = sc_pkcs15_encode_pubkey_rsa(ctx, &rsa_key, out, out_len);\n\tLOG_TEST_RET(ctx, rv, \"failed to read public key: cannot encode RSA public key\");\n\n\tif (out && out_len)\n\t\tsc_log(ctx, \"encoded public key: %s\", sc_dump_hex(*out, *out_len));\n\n\tif (bn[0].data)\n\t\tfree(bn[0].data);\n\tif (bn[1].data)\n\t\tfree(bn[1].data);\n\n\tiasecc_sdo_free_fields(card, &sdo);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 249819631170925573129321638182432322482, "size": 58, "commit_id": "03628449b75a93787eb2359412a3980365dda49b", "message": "iasecc: fixed unbound recursion", "target": 0, "dataset": "other", "idx": 477409 }, { "func": "static int cardos_match_card(sc_card_t *card)\n{\n\tunsigned char atr[SC_MAX_ATR_SIZE];\n\tint i;\n\n\ti = _sc_match_atr(card, cardos_atrs, &card->type);\n\tif (i < 0)\n\t\treturn 0;\n\n\tmemcpy(atr, card->atr.value, sizeof(atr));\n\n\t/* Do not change card type for CIE! 
*/\n\tif (card->type == SC_CARD_TYPE_CARDOS_CIE_V1)\n\t\treturn 1;\n\tif (card->type == SC_CARD_TYPE_CARDOS_M4_4)\n\t\treturn 1;\n\tif (card->type == SC_CARD_TYPE_CARDOS_V5_0)\n\t\treturn 1;\n\tif (card->type == SC_CARD_TYPE_CARDOS_V5_3)\n\t\treturn 1;\n\tif (card->type == SC_CARD_TYPE_CARDOS_M4_2) {\n\t\tint rv;\n\t\tsc_apdu_t apdu;\n\t\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\t\t/* first check some additional ATR bytes */\n\t\tif ((atr[4] != 0xff && atr[4] != 0x02) ||\n\t\t (atr[6] != 0x10 && atr[6] != 0x0a) ||\n\t\t (atr[9] != 0x55 && atr[9] != 0x58))\n\t\t\treturn 0;\n\t\t/* get the os version using GET DATA and compare it with\n\t\t * version in the ATR */\n\t\tsc_log(card->ctx, \"checking cardos version ...\");\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x82);\n\t\tapdu.resp = rbuf;\n\t\tapdu.resplen = sizeof(rbuf);\n\t\tapdu.le = 256;\n\t\tapdu.lc = 0;\n\t\trv = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(card->ctx, rv, \"APDU transmit failed\");\n\t\tif (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)\n\t\t\treturn 0;\n\t\tif (apdu.resp[0] != atr[10] ||\n\t\t apdu.resp[1] != atr[11])\n\t\t\t/* version mismatch */\n\t\t\treturn 0;\n\t\tif (atr[11] <= 0x04) {\n\t\t\tsc_log(card->ctx, \"found cardos m4.01\");\n\t\t\tcard->type = SC_CARD_TYPE_CARDOS_M4_01;\n\t\t} else if (atr[11] == 0x08) {\n\t\t\tsc_log(card->ctx, \"found cardos v4.3b\");\n\t\t\tcard->type = SC_CARD_TYPE_CARDOS_M4_3;\n\t\t} else if (atr[11] == 0x09) {\n\t\t\tsc_log(card->ctx, \"found cardos v4.2b\");\n\t\t\tcard->type = SC_CARD_TYPE_CARDOS_M4_2B;\n\t\t} else if (atr[11] >= 0x0B) {\n\t\t\tsc_log(card->ctx, \"found cardos v4.2c or higher\");\n\t\t\tcard->type = SC_CARD_TYPE_CARDOS_M4_2C;\n\t\t} else {\n\t\t\tsc_log(card->ctx, \"found cardos m4.2\");\n\t\t}\n\t}\n\treturn 1;\n}", "project": "OpenSC", "hash": 32307202605202363560520887583044093580, "size": 63, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid 
buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270685 }, { "func": "static int cardos_finish(sc_card_t *card)\n{\n\tint r = 0;\n\n\tif (card == NULL )\n\t\treturn 0;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\t/* free priv data */\n\tif (card->drv_data) { /* priv */\n\t\tfree(card->drv_data);\n\t\tcard->drv_data = NULL;\n\t}\n\n\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);\n}", "project": "OpenSC", "hash": 244173873168509094839430270510823033122, "size": 17, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270682 }, { "func": "static int cardos_select_file(sc_card_t *card,\n\t\t\t const sc_path_t *in_path,\n\t\t\t sc_file_t **file)\n{\n\tint r;\n\t\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tr = iso_ops->select_file(card, in_path, file);\n\tif (r >= 0 && file)\n\t\tparse_sec_attr((*file), (*file)->sec_attr, (*file)->sec_attr_len);\n\tLOG_FUNC_RETURN(card->ctx, r);\n}", "project": "OpenSC", "hash": 220167332415412336103533624089271004879, "size": 12, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270699 }, { "func": "static int cardos_acl_to_bytes(sc_card_t *card, const sc_file_t *file,\n\tu8 *buf, size_t *outlen)\n{\n\tint i, byte;\n\tconst int *idx;\n\n\tif (buf == NULL || *outlen < 9)\n\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\n\tidx = (file->type == SC_FILE_TYPE_DF) ? 
df_acl : ef_acl;\n\tfor (i = 0; i < 9; i++) {\n\t\tif (idx[i] < 0)\n\t\t\tbyte = 0x00;\n\t\telse\n\t\t\tbyte = acl_to_byte(sc_file_get_acl_entry(file, idx[i]));\n\t\tif (byte < 0) {\n\t\t\tsc_log(card->ctx, \"Invalid ACL\\n\");\n\t\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\t\t}\n\t\tbuf[i] = byte;\n\t}\n\t*outlen = 9;\n\n\treturn SC_SUCCESS;\n}", "project": "OpenSC", "hash": 116603371760897077753850198424747802332, "size": 25, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270669 }, { "func": "static int tcos_delete_file(sc_card_t *card, const sc_path_t *path)\n{\n\tint r;\n\tu8 sbuf[2];\n\tsc_apdu_t apdu;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tif (path->type != SC_PATH_TYPE_FILE_ID && path->len != 2) {\n\t\tsc_log(card->ctx, \"File type has to be SC_PATH_TYPE_FILE_ID\\n\");\n\t\tLOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);\n\t}\n\tsbuf[0] = path->value[0];\n\tsbuf[1] = path->value[1];\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xE4, 0x00, 0x00);\n\tapdu.cla |= 0x80;\n\tapdu.lc = 2;\n\tapdu.datalen = 2;\n\tapdu.data = sbuf;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\treturn sc_check_sw(card, apdu.sw1, apdu.sw2);\n}", "project": "OpenSC", "hash": 321169854647165267216778895686755280248, "size": 23, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453696 }, { "func": "static int cardos_list_files(sc_card_t *card, u8 *buf, size_t buflen)\n{\n\tsc_apdu_t apdu;\n\tu8 rbuf[256], offset = 0;\n\tconst u8 *p = rbuf, *q;\n\tint r;\n\tsize_t fids = 0, len;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\t/* 0x16: 
DIRECTORY */\n\t/* 0x02: list both DF and EF */\n\nget_next_part:\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0x16, 0x02, offset);\n\tapdu.cla = 0x80;\n\tapdu.le = 256;\n\tapdu.resplen = 256;\n\tapdu.resp = rbuf;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, r, \"DIRECTORY command returned error\");\n\n\tif (apdu.resplen > 256) {\n\t\tsc_log(card->ctx, \"directory listing > 256 bytes, cutting\");\n\t}\n\n\tlen = apdu.resplen;\n\twhile (len != 0) {\n\t\tsize_t tlen = 0, ilen = 0;\n\t\t/* is there a file information block (0x6f) ? */\n\t\tp = sc_asn1_find_tag(card->ctx, p, len, 0x6f, &tlen);\n\t\tif (p == NULL) {\n\t\t\tsc_log(card->ctx, \"directory tag missing\");\n\t\t\treturn SC_ERROR_INTERNAL;\n\t\t}\n\t\tif (tlen == 0)\n\t\t\t/* empty directory */\n\t\t\tbreak;\n\t\tq = sc_asn1_find_tag(card->ctx, p, tlen, 0x86, &ilen);\n\t\tif (q == NULL || ilen != 2) {\n\t\t\tsc_log(card->ctx, \"error parsing file id TLV object\");\n\t\t\treturn SC_ERROR_INTERNAL;\n\t\t}\n\t\t/* put file id in buf */\n\t\tif (buflen >= 2) {\n\t\t\tbuf[fids++] = q[0];\n\t\t\tbuf[fids++] = q[1];\n\t\t\tbuflen -= 2;\n\t\t} else\n\t\t\t/* not enough space left in buffer => break */\n\t\t\tbreak;\n\t\t/* extract next offset */\n\t\tq = sc_asn1_find_tag(card->ctx, p, tlen, 0x8a, &ilen);\n\t\tif (q != NULL && ilen == 1) {\n\t\t\toffset = (u8)ilen;\n\t\t\tgoto get_next_part;\n\t\t}\n\t\tlen -= tlen + 2;\n\t\tp += tlen;\n\t}\n\n\tr = fids;\n\n\tLOG_FUNC_RETURN(card->ctx, r);\n}", "project": "OpenSC", "hash": 256535442528642757002930638413340543712, "size": 68, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270687 }, { "func": "static int cardos_add_algs(sc_card_t 
*card, unsigned long flags, unsigned long ec_flags, unsigned long ext_flags)\n{\n\n\tcardos_data_t * priv = (cardos_data_t *)card->drv_data;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\t_sc_card_add_rsa_alg(card, 512, flags, 0);\n\t_sc_card_add_rsa_alg(card, 768, flags, 0);\n\t_sc_card_add_rsa_alg(card, 1024, flags, 0);\n\tif (priv->rsa_2048 == 1) {\n\t\t_sc_card_add_rsa_alg(card, 1280, flags, 0);\n\t\t_sc_card_add_rsa_alg(card, 1536, flags, 0);\n\t\t_sc_card_add_rsa_alg(card, 1792, flags, 0);\n\t\t_sc_card_add_rsa_alg(card, 2048, flags, 0);\n\t}\n\n\tif (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {\n\t\t/* Starting with CardOS 5, the card supports PIN query commands */\n\t\tcard->caps |= SC_CARD_CAP_ISO7816_PIN_INFO;\n\t\t_sc_card_add_rsa_alg(card, 3072, flags, 0);\n\t\t_sc_card_add_rsa_alg(card, 4096, flags, 0);\n\t}\n\n\t/* TODO need to get sizes from supported_algos too */\n\tif (ec_flags != 0) {\n\t\t _sc_card_add_ec_alg(card, 256, ec_flags, priv->ext_flags, NULL);\n\t\t _sc_card_add_ec_alg(card, 384, ec_flags, priv->ext_flags, NULL);\n\t}\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 64861983557475617371339454162084572131, "size": 32, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270686 }, { "func": "static int tcos_select_file(sc_card_t *card,\n const sc_path_t *in_path,\n sc_file_t **file_out)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tsc_file_t *file=NULL;\n\tu8 buf[SC_MAX_APDU_BUFFER_SIZE], pathbuf[SC_MAX_PATH_SIZE], *path = pathbuf;\n\tint r, pathlen;\n\n\tassert(card != NULL && in_path != NULL);\n\tctx=card->ctx;\n\tmemcpy(path, in_path->value, in_path->len);\n\tpathlen = in_path->len;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0, 0x04);\n\n\tswitch (in_path->type) 
{\n\tcase SC_PATH_TYPE_FILE_ID:\n\t\tif (pathlen != 2) return SC_ERROR_INVALID_ARGUMENTS;\n\t\t/* fall through */\n\tcase SC_PATH_TYPE_FROM_CURRENT:\n\t\tapdu.p1 = 9;\n\t\tbreak;\n\tcase SC_PATH_TYPE_DF_NAME:\n\t\tapdu.p1 = 4;\n\t\tbreak;\n\tcase SC_PATH_TYPE_PATH:\n\t\tapdu.p1 = 8;\n\t\tif (pathlen >= 2 && memcmp(path, \"\\x3F\\x00\", 2) == 0) path += 2, pathlen -= 2;\n\t\tif (pathlen == 0) apdu.p1 = 0;\n\t\tbreak;\n\tcase SC_PATH_TYPE_PARENT:\n\t\tapdu.p1 = 3;\n\t\tpathlen = 0;\n\t\tbreak;\n\tdefault:\n\t\tSC_FUNC_RETURN(ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);\n\t}\n\tif( pathlen == 0 ) apdu.cse = SC_APDU_CASE_2_SHORT;\n\n\tapdu.lc = pathlen;\n\tapdu.data = path;\n\tapdu.datalen = pathlen;\n\n\tif (file_out != NULL) {\n\t\tapdu.resp = buf;\n\t\tapdu.resplen = sizeof(buf);\n\t\tapdu.le = 256;\n\t} else {\n\t\tapdu.resplen = 0;\n\t\tapdu.le = 0;\n\t\tapdu.p2 = 0x0C;\n\t\tapdu.cse = (pathlen == 0) ? SC_APDU_CASE_1 : SC_APDU_CASE_3_SHORT;\n\t}\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(ctx, r, \"APDU transmit failed\");\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tif (r || file_out == NULL) SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_VERBOSE, r);\n\n\tif (apdu.resplen < 1 || apdu.resp[0] != 0x62) {\n\t\tsc_log(ctx, \"received invalid template %02X\\n\", apdu.resp[0]);\n\t\tSC_FUNC_RETURN(ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED);\n\t}\n\n\tfile = sc_file_new();\n\tif (file == NULL) LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);\n\t*file_out = file;\n\tfile->path = *in_path;\n\n\tiso_ops->process_fci(card, file, apdu.resp, apdu.resplen);\n\n\tparse_sec_attr(card, file, file->sec_attr, file->sec_attr_len);\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 23889856979611356599779607889701841783, "size": 77, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453702 }, { "func": "static 
int cardos_have_2048bit_package(sc_card_t *card)\n{\n\tsc_apdu_t apdu;\n u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n int r;\n\tconst u8 *p = rbuf, *q;\n\tsize_t len, tlen = 0, ilen = 0;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.lc = 0;\n\tapdu.le = 256;\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif ((len = apdu.resplen) == 0)\n\t\t/* looks like no package has been installed */\n\t\treturn 0;\n\n\twhile (len != 0) {\n\t\tp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);\n\t\tif (p == NULL)\n\t\t\treturn 0;\n\t\tq = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);\n\t\tif (q == NULL || ilen != 4)\n\t\t\treturn 0;\n\t\tif (q[0] == 0x1c)\n\t\t\treturn 1;\n\t\tp += tlen;\n\t\tlen -= tlen + 2;\n\t}\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 92357617617140958826267024638443033197, "size": 35, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 1, "dataset": "other", "idx": 198234 }, { "func": "static int cardos_have_2048bit_package(sc_card_t *card)\n{\n\tsc_apdu_t apdu;\n u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n int r;\n\tconst u8 *p = rbuf, *q, *pp;\n\tsize_t len, tlen = 0, ilen = 0;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.lc = 0;\n\tapdu.le = 256;\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif ((len = apdu.resplen) == 0)\n\t\t/* looks like no package has been installed */\n\t\treturn 0;\n\n\twhile (len != 0) {\n\t\tpp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);\n\t\tif (pp == NULL)\n\t\t\treturn 0;\n\t\tq = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);\n\t\tif (q == NULL || ilen != 
4)\n\t\t\treturn 0;\n\t\tif (q[0] == 0x1c)\n\t\t\treturn 1;\n\t\tp += tlen;\n\t\tlen -= tlen + 2;\n\t}\n\n\treturn 0;\n}", "project": "OpenSC", "hash": 331177212470604586059658277731450158649, "size": 35, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270673 }, { "func": "static void parse_sec_attr(sc_file_t *file, const u8 *buf, size_t len)\n{\n\tsize_t i;\n\tconst int *idx;\n\n\tidx = (file->type == SC_FILE_TYPE_DF) ? df_acl : ef_acl;\n\n\t/* acl defaults to 0xFF if unspecified */\n\tfor (i = 0; i < 9; i++)\n\t\tif (idx[i] != -1)\n\t\t\tadd_acl_entry(file, idx[i], (u8)((i < len) ? buf[i] : 0xFF));\n}", "project": "OpenSC", "hash": 163767943676078759362856467431489935218, "size": 12, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270681 }, { "func": "static void parse_sec_attr(sc_card_t *card,\n sc_file_t *file, const u8 *buf, size_t len)\n{\n\tunsigned int op;\n\n\t/* list directory is not covered by ACLs - so always add an entry */\n\tsc_file_add_acl_entry (file, SC_AC_OP_LIST_FILES,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t/* FIXME: check for what LOCK is used */\n\tsc_file_add_acl_entry (file, SC_AC_OP_LOCK,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\tfor (; len >= 6; len -= 6, buf += 6) {\n\t\t/* FIXME: temporary hacks */\n\t\tif (!memcmp(buf, \"\\xa4\\x00\\x00\\x00\\xff\\xff\", 6)) {/* select */\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_SELECT,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t} else if (!memcmp(buf, \"\\xb0\\x00\\x00\\x00\\xff\\xff\", 6)) {/*read*/\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_READ,\n SC_AC_NONE, 
SC_AC_KEY_REF_NONE);\n\t\t} else if (!memcmp(buf, \"\\xd6\\x00\\x00\\x00\\xff\\xff\", 6)) {/*upd*/\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_UPDATE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t} else if (!memcmp(buf, \"\\x60\\x00\\x00\\x00\\xff\\xff\", 6)) {/*adm */\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_WRITE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_CREATE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_INVALIDATE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_REHABILITATE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t} else {\n\t\t\t/* the first byte tells use the command or the\n\t\t\t command group. We have to mask bit 0\n\t\t\t because this one distinguish between AND/OR\n\t\t\t combination of PINs*/\n\t\t\top = map_operations (buf[0]);\n\t\t\tif (op == (unsigned int)-1) {\n\t\t\t\tsc_log(card->ctx,\n\t\t\t\t\t\"Unknown security command byte %02x\\n\",\n\t\t\t\t\tbuf[0]);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (!buf[1])\n\t\t\t\tsc_file_add_acl_entry (file, op,\n SC_AC_NONE,\n SC_AC_KEY_REF_NONE);\n\t\t\telse\n\t\t\t\tsc_file_add_acl_entry (file, op,\n SC_AC_CHV, buf[1]);\n\n\t\t\tif (!buf[2] && !buf[3])\n\t\t\t\tsc_file_add_acl_entry (file, op,\n SC_AC_NONE,\n SC_AC_KEY_REF_NONE);\n\t\t\telse\n\t\t\t\tsc_file_add_acl_entry (file, op,\n SC_AC_TERM,\n (buf[2]<<8)|buf[3]);\n\t\t}\n\t}\n}", "project": "OpenSC", "hash": 284667084980065280010456910650927112728, "size": 62, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453694 }, { "func": "oberthur_detect_card(struct sc_pkcs15_card * p15card)\n{\n\tstruct sc_card *card = p15card->card;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tif (p15card->card->type != SC_CARD_TYPE_OBERTHUR_64K)\n\t\tLOG_FUNC_RETURN(p15card->card->ctx, 
SC_ERROR_WRONG_CARD);\n\tLOG_FUNC_RETURN(p15card->card->ctx, SC_SUCCESS);\n}", "project": "OpenSC", "hash": 1983533969969801423954953399161347915, "size": 9, "commit_id": "1db88374bb7706a115d5c3617c6f16115c33bf27", "message": "oberthur: Correctly check for return values\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843", "target": 0, "dataset": "other", "idx": 230101 }, { "func": "cardos_put_data_oci(sc_card_t *card,\n\t\t\tstruct sc_cardctl_cardos_obj_info *args)\n{\n\tsc_apdu_t\tapdu;\n\tint\t\tr;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\tmemset(&apdu, 0, sizeof(apdu));\n\tapdu.cse = SC_APDU_CASE_3_SHORT;\n\tapdu.cla = 0x00;\n\tapdu.ins = 0xda;\n\tapdu.p1 = 0x01;\n\tapdu.p2 = 0x6e;\n\tapdu.lc = args->len;\n\tapdu.data = args->data;\n\tapdu.datalen = args->len;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, r, \"Card returned error\");\n\n\tLOG_FUNC_RETURN(card->ctx, r);\n}", "project": "OpenSC", "hash": 50999835762767213036437079009335667961, "size": 26, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270676 }, { "func": "cardos_lifecycle_set(sc_card_t *card, int *mode)\n{\n\tsc_apdu_t\tapdu;\n\tint\t\tr;\n\n\tint current;\n\tint target;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\ttarget = *mode;\n\n\tr = cardos_lifecycle_get(card, &current);\n\t\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\n\tif (current == target || current == SC_CARDCTRL_LIFECYCLE_OTHER)\n\t\treturn SC_SUCCESS;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x10, 0, 0);\n\tapdu.cla = 0x80;\n\tapdu.le = 0;\n\tapdu.resplen = 0;\n\tapdu.resp = NULL;\n\n\tr = sc_transmit_apdu(card, 
&apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, r, \"Card returned error\");\n\n\tLOG_FUNC_RETURN(card->ctx, r);\n}", "project": "OpenSC", "hash": 146465645650993959180142670245930613814, "size": 34, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270690 }, { "func": "cardos_restore_security_env(sc_card_t *card, int se_num)\n{\n\tsc_apdu_t apdu;\n\tint\tr;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x22, 0, se_num);\n\tapdu.p1 = (card->type == SC_CARD_TYPE_CARDOS_CIE_V1 ? 0xF3 : 0x03);\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, r, \"Card returned error\");\n\n\tLOG_FUNC_RETURN(card->ctx, r);\n}", "project": "OpenSC", "hash": 317882808282407343140909309524103511340, "size": 18, "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f", "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912", "target": 0, "dataset": "other", "idx": 270694 }, { "func": "static unsigned int map_operations (int commandbyte)\n{\n\tunsigned int op = (unsigned int)-1;\n\n\tswitch ( (commandbyte & 0xfe) ) {\n\t\tcase 0xe2: /* append record */ op = SC_AC_OP_UPDATE; break;\n\t\tcase 0x24: /* change password */ op = SC_AC_OP_UPDATE; break;\n\t\tcase 0xe0: /* create */ op = SC_AC_OP_CREATE; break;\n\t\tcase 0xe4: /* delete */ op = SC_AC_OP_DELETE; break;\n\t\tcase 0xe8: /* exclude sfi */ op = SC_AC_OP_WRITE; break;\n\t\tcase 0x82: /* external auth */ op = SC_AC_OP_READ; break;\n\t\tcase 0xe6: /* include sfi 
*/ op = SC_AC_OP_WRITE; break;\n\t\tcase 0x88: /* internal auth */ op = SC_AC_OP_READ; break;\n\t\tcase 0x04: /* invalidate */ op = SC_AC_OP_INVALIDATE; break;\n\t\tcase 0x2a: /* perform sec. op */ op = SC_AC_OP_SELECT; break;\n\t\tcase 0xb0: /* read binary */ op = SC_AC_OP_READ; break;\n\t\tcase 0xb2: /* read record */ op = SC_AC_OP_READ; break;\n\t\tcase 0x44: /* rehabilitate */ op = SC_AC_OP_REHABILITATE; break;\n\t\tcase 0xa4: /* select */ op = SC_AC_OP_SELECT; break;\n\t\tcase 0xee: /* set permanent */ op = SC_AC_OP_CREATE; break;\n\t\tcase 0x2c: /* unblock password */op = SC_AC_OP_WRITE; break;\n\t\tcase 0xd6: /* update binary */ op = SC_AC_OP_WRITE; break;\n\t\tcase 0xdc: /* update record */ op = SC_AC_OP_WRITE; break;\n\t\tcase 0x20: /* verify password */ op = SC_AC_OP_SELECT; break;\n\t\tcase 0x60: /* admin group */ op = SC_AC_OP_CREATE; break;\n\t}\n\treturn op;\n}", "project": "OpenSC", "hash": 107567217371536538402704324989314269568, "size": 28, "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817", "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512", "target": 0, "dataset": "other", "idx": 453693 } ] }, { "call_depth": 4, "longest_call_chain": [ "removeServiceTable", "freeService", "freeSubscriptionList", "freeSubscription" ], "group_size": 11, "functions": [ { "func": "DOMString getElementValue(IXML_Node *node)\n{\n\tIXML_Node *child = (IXML_Node *)ixmlNode_getFirstChild(node);\n\tconst DOMString temp = NULL;\n\n\tif (child && ixmlNode_getNodeType(child) == eTEXT_NODE) {\n\t\ttemp = ixmlNode_getNodeValue(child);\n\n\t\treturn ixmlCloneDOMString(temp);\n\t} else {\n\t\treturn NULL;\n\t}\n}", "project": "pupnp", "hash": 248963931478249921935728461291453646516, "size": 13, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 
269111 }, { "func": "void freeServiceList(service_info *head)\n{\n\tservice_info *next = NULL;\n\n\twhile (head) {\n\t\tif (head->serviceType)\n\t\t\tixmlFreeDOMString(head->serviceType);\n\t\tif (head->serviceId)\n\t\t\tixmlFreeDOMString(head->serviceId);\n\t\tif (head->SCPDURL)\n\t\t\tfree(head->SCPDURL);\n\t\tif (head->controlURL)\n\t\t\tfree(head->controlURL);\n\t\tif (head->eventURL)\n\t\t\tfree(head->eventURL);\n\t\tif (head->UDN)\n\t\t\tixmlFreeDOMString(head->UDN);\n\t\tif (head->subscriptionList)\n\t\t\tfreeSubscriptionList(head->subscriptionList);\n\n\t\thead->TotalSubscriptions = 0;\n\t\tnext = head->next;\n\t\tfree(head);\n\t\thead = next;\n\t}\n}", "project": "pupnp", "hash": 135565784073126001774038307721809943269, "size": 26, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269098 }, { "func": "void RemoveSubscriptionSID(Upnp_SID sid, service_info *service)\n{\n\tsubscription *finger = service->subscriptionList;\n\tsubscription *previous = NULL;\n\n\twhile (finger) {\n\t\tif (!strcmp(sid, finger->sid)) {\n\t\t\tif (previous) {\n\t\t\t\tprevious->next = finger->next;\n\t\t\t} else {\n\t\t\t\tservice->subscriptionList = finger->next;\n\t\t\t}\n\t\t\tfinger->next = NULL;\n\t\t\tfreeSubscriptionList(finger);\n\t\t\tfinger = NULL;\n\t\t\tservice->TotalSubscriptions--;\n\t\t} else {\n\t\t\tprevious = finger;\n\t\t\tfinger = finger->next;\n\t\t}\n\t}\n}", "project": "pupnp", "hash": 308857782096118505859637858428697989434, "size": 22, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269106 }, { "func": "int getSubElement(const char *element_name, IXML_Node *node, IXML_Node **out)\n{\n\tconst 
DOMString NodeName = NULL;\n\tint found = 0;\n\tIXML_Node *child = (IXML_Node *)ixmlNode_getFirstChild(node);\n\n\t(*out) = NULL;\n\twhile (child && !found) {\n\t\tswitch (ixmlNode_getNodeType(child)) {\n\t\tcase eELEMENT_NODE:\n\t\t\tNodeName = ixmlNode_getNodeName(child);\n\t\t\tif (!strcmp(NodeName, element_name)) {\n\t\t\t\t(*out) = child;\n\t\t\t\tfound = 1;\n\t\t\t\treturn found;\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t\tchild = (IXML_Node *)ixmlNode_getNextSibling(child);\n\t}\n\n\treturn found;\n}", "project": "pupnp", "hash": 130033586932793095968088401711419811378, "size": 25, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269103 }, { "func": "void freeSubscriptionList(subscription *head)\n{\n\tsubscription *next = NULL;\n\n\twhile (head) {\n\t\tnext = head->next;\n\t\tfreeSubscription(head);\n\t\tfree(head);\n\t\thead = next;\n\t}\n}", "project": "pupnp", "hash": 273543639749319163163564002725204598084, "size": 11, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269110 }, { "func": "void freeService(service_info *in)\n{\n\tif (in) {\n\t\tif (in->serviceType)\n\t\t\tixmlFreeDOMString(in->serviceType);\n\n\t\tif (in->serviceId)\n\t\t\tixmlFreeDOMString(in->serviceId);\n\n\t\tif (in->SCPDURL)\n\t\t\tfree(in->SCPDURL);\n\n\t\tif (in->controlURL)\n\t\t\tfree(in->controlURL);\n\n\t\tif (in->eventURL)\n\t\t\tfree(in->eventURL);\n\n\t\tif (in->UDN)\n\t\t\tixmlFreeDOMString(in->UDN);\n\n\t\tif (in->subscriptionList)\n\t\t\tfreeSubscriptionList(in->subscriptionList);\n\n\t\tin->TotalSubscriptions = 0;\n\t\tfree(in);\n\t}\n}", "project": "pupnp", "hash": 
287091917212498406403175565134292375135, "size": 28, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269112 }, { "func": "int getServiceTable(\n\tIXML_Node *node, service_table *out, const char *DefaultURLBase)\n{\n\tIXML_Node *root = NULL;\n\tIXML_Node *URLBase = NULL;\n\n\tif (getSubElement(\"root\", node, &root)) {\n\t\tif (getSubElement(\"URLBase\", root, &URLBase)) {\n\t\t\tout->URLBase = getElementValue(URLBase);\n\t\t} else {\n\t\t\tif (DefaultURLBase) {\n\t\t\t\tout->URLBase =\n\t\t\t\t\tixmlCloneDOMString(DefaultURLBase);\n\t\t\t} else {\n\t\t\t\tout->URLBase = ixmlCloneDOMString(\"\");\n\t\t\t}\n\t\t}\n\t\tout->serviceList = getAllServiceList(\n\t\t\troot, out->URLBase, &out->endServiceList);\n\t\tif (out->serviceList) {\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "pupnp", "hash": 310742550464226623180272532368275699227, "size": 26, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269115 }, { "func": "int addServiceTable(\n\tIXML_Node *node, service_table *in, const char *DefaultURLBase)\n{\n\tIXML_Node *root = NULL;\n\tIXML_Node *URLBase = NULL;\n\tservice_info *tempEnd = NULL;\n\n\tif (in->URLBase) {\n\t\tfree(in->URLBase);\n\t\tin->URLBase = NULL;\n\t}\n\tif (getSubElement(\"root\", node, &root)) {\n\t\tif (getSubElement(\"URLBase\", root, &URLBase)) {\n\t\t\tin->URLBase = getElementValue(URLBase);\n\t\t} else {\n\t\t\tif (DefaultURLBase) {\n\t\t\t\tin->URLBase =\n\t\t\t\t\tixmlCloneDOMString(DefaultURLBase);\n\t\t\t} else {\n\t\t\t\tin->URLBase = ixmlCloneDOMString(\"\");\n\t\t\t}\n\t\t}\n\t\tif ((in->endServiceList->next = getAllServiceList(\n\t\t\t root, in->URLBase, 
&tempEnd))) {\n\t\t\tin->endServiceList = tempEnd;\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\treturn 0;\n}", "project": "pupnp", "hash": 173558270051215024034795038958309722594, "size": 31, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269113 }, { "func": "void freeSubscription(subscription *sub)\n{\n\tif (sub) {\n\t\tfree_URL_list(&sub->DeliveryURLs);\n\t\tfreeSubscriptionQueuedEvents(sub);\n\t}\n}", "project": "pupnp", "hash": 292329439855868910009566177099290783325, "size": 7, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269114 }, { "func": "int removeServiceTable(IXML_Node *node, service_table *in)\n{\n\tIXML_Node *root = NULL;\n\tIXML_Node *currentUDN = NULL;\n\tDOMString UDN = NULL;\n\tIXML_NodeList *deviceList = NULL;\n\tservice_info *current_service = NULL;\n\tservice_info *start_search = NULL;\n\tservice_info *prev_service = NULL;\n\tlong unsigned int NumOfDevices = 0lu;\n\tlong unsigned int i = 0lu;\n\n\tif (getSubElement(\"root\", node, &root)) {\n\t\tstart_search = in->serviceList;\n\t\tdeviceList = ixmlElement_getElementsByTagName(\n\t\t\t(IXML_Element *)root, \"device\");\n\t\tif (deviceList) {\n\t\t\tNumOfDevices = ixmlNodeList_length(deviceList);\n\t\t\tfor (i = 0lu; i < NumOfDevices; i++) {\n\t\t\t\tif ((start_search) &&\n\t\t\t\t\t((getSubElement(\n\t\t\t\t\t\t \"UDN\", node, &currentUDN)) &&\n\t\t\t\t\t\t(UDN = getElementValue(\n\t\t\t\t\t\t\t currentUDN)))) {\n\t\t\t\t\tcurrent_service = start_search;\n\t\t\t\t\t/* Services are put in the service table\n\t\t\t\t\t * in the order in which they appear in\n\t\t\t\t\t * the description document, therefore\n\t\t\t\t\t * we go through the list only 
once to\n\t\t\t\t\t * remove a particular root device */\n\t\t\t\t\twhile ((current_service) &&\n\t\t\t\t\t\t(strcmp(current_service->UDN,\n\t\t\t\t\t\t\tUDN))) {\n\t\t\t\t\t\tcurrent_service =\n\t\t\t\t\t\t\tcurrent_service->next;\n\t\t\t\t\t\tif (current_service != NULL)\n\t\t\t\t\t\t\tprev_service =\n\t\t\t\t\t\t\t\tcurrent_service\n\t\t\t\t\t\t\t\t\t->next;\n\t\t\t\t\t}\n\t\t\t\t\twhile ((current_service) &&\n\t\t\t\t\t\t(!strcmp(current_service->UDN,\n\t\t\t\t\t\t\tUDN))) {\n\t\t\t\t\t\tif (prev_service) {\n\t\t\t\t\t\t\tprev_service->next =\n\t\t\t\t\t\t\t\tcurrent_service\n\t\t\t\t\t\t\t\t\t->next;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tin->serviceList =\n\t\t\t\t\t\t\t\tcurrent_service\n\t\t\t\t\t\t\t\t\t->next;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (current_service ==\n\t\t\t\t\t\t\tin->endServiceList)\n\t\t\t\t\t\t\tin->endServiceList =\n\t\t\t\t\t\t\t\tprev_service;\n\t\t\t\t\t\tstart_search =\n\t\t\t\t\t\t\tcurrent_service->next;\n\t\t\t\t\t\tfreeService(current_service);\n\t\t\t\t\t\tcurrent_service = start_search;\n\t\t\t\t\t}\n\t\t\t\t\tixmlFreeDOMString(UDN);\n\t\t\t\t\tUDN = NULL;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tixmlNodeList_free(deviceList);\n\t\t}\n\t}\n\treturn 1;\n}", "project": "pupnp", "hash": 31963404102913016798591168904916052274, "size": 71, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", "target": 0, "dataset": "other", "idx": 269099 }, { "func": "void freeServiceTable(service_table *table)\n{\n\tixmlFreeDOMString(table->URLBase);\n\tfreeServiceList(table->serviceList);\n\ttable->serviceList = NULL;\n\ttable->endServiceList = NULL;\n}", "project": "pupnp", "hash": 319711546520869408852480328531628814913, "size": 7, "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0", "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.", 
"target": 0, "dataset": "other", "idx": 269107 } ] }, { "call_depth": 4, "longest_call_chain": [ "update_send_surface_frame_marker", "update_force_flush", "update_flush", "update_begin_paint" ], "group_size": 25, "functions": [ { "func": "static void free_bitmap_data(BITMAP_DATA* data, size_t count)\n{\n\tsize_t x;\n\n\tif (!data)\n\t\treturn;\n\n\tfor (x = 0; x < count; x++)\n\t\tfree(data[x].bitmapDataStream);\n\n\tfree(data);\n}", "project": "FreeRDP", "hash": 83561454008892408570795373937698034714, "size": 12, "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c", "message": "Fixed possible NULL dereference", "target": 0, "dataset": "other", "idx": 269195 }, { "func": "static void update_flush(rdpContext* context)\n{\n\trdpUpdate* update = context->update;\n\n\tif (update->numberOrders > 0)\n\t{\n\t\tupdate_end_paint(update);\n\t\tupdate_begin_paint(update);\n\t}\n}", "project": "FreeRDP", "hash": 48646700703847888200234582864219006834, "size": 10, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295104 }, { "func": "void free_bitmap_update(rdpContext* context, BITMAP_UPDATE* pointer)\n{\n\tif (!pointer)\n\t\treturn;\n\n\tfree_bitmap_data(pointer->rectangles, pointer->number);\n\tfree(pointer);\n}", "project": "FreeRDP", "hash": 208939052026127177066053869993369151852, "size": 8, "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c", "message": "Fixed possible NULL dereference", "target": 0, "dataset": "other", "idx": 269192 }, { "func": "static const char* update_type_to_string(UINT16 updateType)\n{\n\tif (updateType >= ARRAYSIZE(UPDATE_TYPE_STRINGS))\n\t\treturn \"UNKNOWN\";\n\n\treturn UPDATE_TYPE_STRINGS[updateType];\n}", "project": "FreeRDP", "hash": 159219454954151929240053594586134427915, "size": 7, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": 
"Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295037 }, { "func": "static BOOL update_read_bitmap_data(rdpUpdate* update, wStream* s, BITMAP_DATA* bitmapData)\n{\n\tWINPR_UNUSED(update);\n\tif (Stream_GetRemainingLength(s) < 18)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, bitmapData->destLeft);\n\tStream_Read_UINT16(s, bitmapData->destTop);\n\tStream_Read_UINT16(s, bitmapData->destRight);\n\tStream_Read_UINT16(s, bitmapData->destBottom);\n\tStream_Read_UINT16(s, bitmapData->width);\n\tStream_Read_UINT16(s, bitmapData->height);\n\tStream_Read_UINT16(s, bitmapData->bitsPerPixel);\n\tStream_Read_UINT16(s, bitmapData->flags);\n\tStream_Read_UINT16(s, bitmapData->bitmapLength);\n\n\tif (bitmapData->flags & BITMAP_COMPRESSION)\n\t{\n\t\tif (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))\n\t\t{\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbCompFirstRowSize); /* cbCompFirstRowSize (2 bytes) */\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbCompMainBodySize); /* cbCompMainBodySize (2 bytes) */\n\t\t\tStream_Read_UINT16(s, bitmapData->cbScanWidth); /* cbScanWidth (2 bytes) */\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbUncompressedSize); /* cbUncompressedSize (2 bytes) */\n\t\t\tbitmapData->bitmapLength = bitmapData->cbCompMainBodySize;\n\t\t}\n\n\t\tbitmapData->compressed = TRUE;\n\t}\n\telse\n\t\tbitmapData->compressed = FALSE;\n\n\tif (Stream_GetRemainingLength(s) < bitmapData->bitmapLength)\n\t\treturn FALSE;\n\n\tif (bitmapData->bitmapLength > 0)\n\t{\n\t\tbitmapData->bitmapDataStream = malloc(bitmapData->bitmapLength);\n\n\t\tif (!bitmapData->bitmapDataStream)\n\t\t\treturn FALSE;\n\n\t\tmemcpy(bitmapData->bitmapDataStream, Stream_Pointer(s), bitmapData->bitmapLength);\n\t\tStream_Seek(s, bitmapData->bitmapLength);\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 118353352329739050106188835974278769803, "size": 51, 
"commit_id": "f8890a645c221823ac133dbf991f8a65ae50d637", "message": "Fixed #6005: Bounds checks in update_read_bitmap_data", "target": 1, "dataset": "other", "idx": 202811 }, { "func": "static BOOL update_read_bitmap_data(rdpUpdate* update, wStream* s, BITMAP_DATA* bitmapData)\n{\n\tWINPR_UNUSED(update);\n\tif (Stream_GetRemainingLength(s) < 18)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, bitmapData->destLeft);\n\tStream_Read_UINT16(s, bitmapData->destTop);\n\tStream_Read_UINT16(s, bitmapData->destRight);\n\tStream_Read_UINT16(s, bitmapData->destBottom);\n\tStream_Read_UINT16(s, bitmapData->width);\n\tStream_Read_UINT16(s, bitmapData->height);\n\tStream_Read_UINT16(s, bitmapData->bitsPerPixel);\n\tStream_Read_UINT16(s, bitmapData->flags);\n\tStream_Read_UINT16(s, bitmapData->bitmapLength);\n\n\tif (bitmapData->flags & BITMAP_COMPRESSION)\n\t{\n\t\tif (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))\n\t\t{\n\t\t\tif (Stream_GetRemainingLength(s) < 8)\n\t\t\t\treturn FALSE;\n\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbCompFirstRowSize); /* cbCompFirstRowSize (2 bytes) */\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbCompMainBodySize); /* cbCompMainBodySize (2 bytes) */\n\t\t\tStream_Read_UINT16(s, bitmapData->cbScanWidth); /* cbScanWidth (2 bytes) */\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbUncompressedSize); /* cbUncompressedSize (2 bytes) */\n\t\t\tbitmapData->bitmapLength = bitmapData->cbCompMainBodySize;\n\t\t}\n\n\t\tbitmapData->compressed = TRUE;\n\t}\n\telse\n\t\tbitmapData->compressed = FALSE;\n\n\tif (Stream_GetRemainingLength(s) < bitmapData->bitmapLength)\n\t\treturn FALSE;\n\n\tif (bitmapData->bitmapLength > 0)\n\t{\n\t\tbitmapData->bitmapDataStream = malloc(bitmapData->bitmapLength);\n\n\t\tif (!bitmapData->bitmapDataStream)\n\t\t\treturn FALSE;\n\n\t\tmemcpy(bitmapData->bitmapDataStream, Stream_Pointer(s), bitmapData->bitmapLength);\n\t\tStream_Seek(s, bitmapData->bitmapLength);\n\t}\n\n\treturn TRUE;\n}", "project": 
"FreeRDP", "hash": 19434549241602046540304179152592702379, "size": 54, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295074 }, { "func": "static BOOL update_write_bitmap_data(rdpUpdate* update, wStream* s, BITMAP_DATA* bitmapData)\n{\n\tif (!Stream_EnsureRemainingCapacity(s, 64 + bitmapData->bitmapLength))\n\t\treturn FALSE;\n\n\tif (update->autoCalculateBitmapData)\n\t{\n\t\tbitmapData->flags = 0;\n\t\tbitmapData->cbCompFirstRowSize = 0;\n\n\t\tif (bitmapData->compressed)\n\t\t\tbitmapData->flags |= BITMAP_COMPRESSION;\n\n\t\tif (update->context->settings->NoBitmapCompressionHeader)\n\t\t{\n\t\t\tbitmapData->flags |= NO_BITMAP_COMPRESSION_HDR;\n\t\t\tbitmapData->cbCompMainBodySize = bitmapData->bitmapLength;\n\t\t}\n\t}\n\n\tStream_Write_UINT16(s, bitmapData->destLeft);\n\tStream_Write_UINT16(s, bitmapData->destTop);\n\tStream_Write_UINT16(s, bitmapData->destRight);\n\tStream_Write_UINT16(s, bitmapData->destBottom);\n\tStream_Write_UINT16(s, bitmapData->width);\n\tStream_Write_UINT16(s, bitmapData->height);\n\tStream_Write_UINT16(s, bitmapData->bitsPerPixel);\n\tStream_Write_UINT16(s, bitmapData->flags);\n\tStream_Write_UINT16(s, bitmapData->bitmapLength);\n\n\tif (bitmapData->flags & BITMAP_COMPRESSION)\n\t{\n\t\tif (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))\n\t\t{\n\t\t\tStream_Write_UINT16(s,\n\t\t\t bitmapData->cbCompFirstRowSize); /* cbCompFirstRowSize (2 bytes) */\n\t\t\tStream_Write_UINT16(s,\n\t\t\t bitmapData->cbCompMainBodySize); /* cbCompMainBodySize (2 bytes) */\n\t\t\tStream_Write_UINT16(s, bitmapData->cbScanWidth); /* cbScanWidth (2 bytes) */\n\t\t\tStream_Write_UINT16(s,\n\t\t\t bitmapData->cbUncompressedSize); /* cbUncompressedSize (2 bytes) */\n\t\t}\n\n\t\tStream_Write(s, bitmapData->bitmapDataStream, 
bitmapData->bitmapLength);\n\t}\n\telse\n\t{\n\t\tStream_Write(s, bitmapData->bitmapDataStream, bitmapData->bitmapLength);\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 150799345268186021110095569864090669993, "size": 52, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295067 }, { "func": "BOOL update_begin_paint(rdpUpdate* update)\n{\n\tif (!update)\n\t\treturn FALSE;\n\n\tEnterCriticalSection(&update->mux);\n\n\tif (!update->BeginPaint)\n\t\treturn TRUE;\n\n\treturn update->BeginPaint(update->context);\n}", "project": "FreeRDP", "hash": 220278009081811703954206093061125416118, "size": 12, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295073 }, { "func": "static BOOL update_send_bitmap_update(rdpContext* context, const BITMAP_UPDATE* bitmapUpdate)\n{\n\twStream* s;\n\trdpRdp* rdp = context->rdp;\n\trdpUpdate* update = context->update;\n\tBOOL ret = TRUE;\n\tupdate_force_flush(context);\n\ts = fastpath_update_pdu_init(rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (!update_write_bitmap_update(update, s, bitmapUpdate) ||\n\t !fastpath_send_update_pdu(rdp->fastpath, FASTPATH_UPDATETYPE_BITMAP, s,\n\t bitmapUpdate->skipCompression))\n\t{\n\t\tret = FALSE;\n\t\tgoto out_fail;\n\t}\n\n\tupdate_force_flush(context);\nout_fail:\n\tStream_Release(s);\n\treturn ret;\n}", "project": "FreeRDP", "hash": 259785527431013201702141036429401273574, "size": 25, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 
295090 }, { "func": "static BOOL update_send_surface_frame_marker(rdpContext* context,\n const SURFACE_FRAME_MARKER* surfaceFrameMarker)\n{\n\twStream* s;\n\trdpRdp* rdp = context->rdp;\n\tBOOL ret = FALSE;\n\tupdate_force_flush(context);\n\ts = fastpath_update_pdu_init(rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (!update_write_surfcmd_frame_marker(s, surfaceFrameMarker->frameAction,\n\t surfaceFrameMarker->frameId) ||\n\t !fastpath_send_update_pdu(rdp->fastpath, FASTPATH_UPDATETYPE_SURFCMDS, s, FALSE))\n\t\tgoto out_fail;\n\n\tupdate_force_flush(context);\n\tret = TRUE;\nout_fail:\n\tStream_Release(s);\n\treturn ret;\n}", "project": "FreeRDP", "hash": 14746646581806677941908773020690319643, "size": 23, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295048 }, { "func": "BITMAP_UPDATE* copy_bitmap_update(rdpContext* context, const BITMAP_UPDATE* pointer)\n{\n\tBITMAP_UPDATE* dst = calloc(1, sizeof(BITMAP_UPDATE));\n\n\tif (!dst || !pointer)\n\t\tgoto fail;\n\n\t*dst = *pointer;\n\tdst->rectangles = copy_bitmap_data(pointer->rectangles, pointer->number);\n\n\tif (!dst->rectangles)\n\t\tgoto fail;\n\n\treturn dst;\nfail:\n\tfree_bitmap_update(context, dst);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 120969353999494657473109322312513246110, "size": 18, "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c", "message": "Fixed possible NULL dereference", "target": 0, "dataset": "other", "idx": 269196 }, { "func": "BOOL update_end_paint(rdpUpdate* update)\n{\n\tBOOL rc = FALSE;\n\n\tif (!update)\n\t\treturn FALSE;\n\n\tif (update->EndPaint)\n\t\trc = update->EndPaint(update->context);\n\n\tLeaveCriticalSection(&update->mux);\n\treturn rc;\n}", "project": "FreeRDP", "hash": 281226130786164898487470841172171184793, "size": 13, "commit_id": 
"0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295042 }, { "func": "PALETTE_UPDATE* update_read_palette(rdpUpdate* update, wStream* s)\n{\n\tint i;\n\tPALETTE_ENTRY* entry;\n\tPALETTE_UPDATE* palette_update = calloc(1, sizeof(PALETTE_UPDATE));\n\n\tif (!palette_update)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 6)\n\t\tgoto fail;\n\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\tStream_Read_UINT32(s, palette_update->number); /* numberColors (4 bytes), must be set to 256 */\n\n\tif (palette_update->number > 256)\n\t\tpalette_update->number = 256;\n\n\tif (Stream_GetRemainingLength(s) < palette_update->number * 3)\n\t\tgoto fail;\n\n\t/* paletteEntries */\n\tfor (i = 0; i < (int)palette_update->number; i++)\n\t{\n\t\tentry = &palette_update->entries[i];\n\t\tStream_Read_UINT8(s, entry->red);\n\t\tStream_Read_UINT8(s, entry->green);\n\t\tStream_Read_UINT8(s, entry->blue);\n\t}\n\n\treturn palette_update;\nfail:\n\tfree_palette_update(update->context, palette_update);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 283340729672566557322005741550262330782, "size": 35, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295055 }, { "func": "static void update_force_flush(rdpContext* context)\n{\n\tupdate_flush(context);\n}", "project": "FreeRDP", "hash": 256528792647568151068722085504517172170, "size": 4, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295107 }, { "func": "static BOOL update_check_flush(rdpContext* 
context, int size)\n{\n\twStream* s;\n\trdpUpdate* update = context->update;\n\ts = update->us;\n\n\tif (!update->us)\n\t{\n\t\tupdate_begin_paint(update);\n\t\treturn FALSE;\n\t}\n\n\tif (Stream_GetPosition(s) + size + 64 >= 0x3FFF)\n\t{\n\t\tupdate_flush(context);\n\t\treturn TRUE;\n\t}\n\n\treturn FALSE;\n}", "project": "FreeRDP", "hash": 309124954730636076383571471676715976119, "size": 20, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295050 }, { "func": "static BOOL update_recv_orders(rdpUpdate* update, wStream* s)\n{\n\tUINT16 numberOrders;\n\n\tif (Stream_GetRemainingLength(s) < 6)\n\t{\n\t\tWLog_ERR(TAG, \"Stream_GetRemainingLength(s) < 6\");\n\t\treturn FALSE;\n\t}\n\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT16(s, numberOrders); /* numberOrders (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsB (2 bytes) */\n\n\twhile (numberOrders > 0)\n\t{\n\t\tif (!update_recv_order(update, s))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"update_recv_order() failed\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tnumberOrders--;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 70322016649550153851599919894853004418, "size": 27, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295094 }, { "func": "static BOOL _update_begin_paint(rdpContext* context)\n{\n\twStream* s;\n\trdpUpdate* update = context->update;\n\n\tif (update->us)\n\t{\n\t\tif (!update_end_paint(update))\n\t\t\treturn FALSE;\n\t}\n\n\ts = fastpath_update_pdu_init_new(context->rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tStream_SealLength(s);\n\tStream_Seek(s, 2); /* numberOrders (2 bytes) */\n\tupdate->combineUpdates 
= TRUE;\n\tupdate->numberOrders = 0;\n\tupdate->us = s;\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 206165084711978400762292566521593991429, "size": 23, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295041 }, { "func": "BOOL update_recv(rdpUpdate* update, wStream* s)\n{\n\tBOOL rc = FALSE;\n\tUINT16 updateType;\n\trdpContext* context = update->context;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t{\n\t\tWLog_ERR(TAG, \"Stream_GetRemainingLength(s) < 2\");\n\t\treturn FALSE;\n\t}\n\n\tStream_Read_UINT16(s, updateType); /* updateType (2 bytes) */\n\tWLog_Print(update->log, WLOG_TRACE, \"%s Update Data PDU\", UPDATE_TYPE_STRINGS[updateType]);\n\n\tif (!update_begin_paint(update))\n\t\tgoto fail;\n\n\tswitch (updateType)\n\t{\n\t\tcase UPDATE_TYPE_ORDERS:\n\t\t\trc = update_recv_orders(update, s);\n\t\t\tbreak;\n\n\t\tcase UPDATE_TYPE_BITMAP:\n\t\t{\n\t\t\tBITMAP_UPDATE* bitmap_update = update_read_bitmap_update(update, s);\n\n\t\t\tif (!bitmap_update)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"UPDATE_TYPE_BITMAP - update_read_bitmap_update() failed\");\n\t\t\t\tgoto fail;\n\t\t\t}\n\n\t\t\trc = IFCALLRESULT(FALSE, update->BitmapUpdate, context, bitmap_update);\n\t\t\tfree_bitmap_update(update->context, bitmap_update);\n\t\t}\n\t\tbreak;\n\n\t\tcase UPDATE_TYPE_PALETTE:\n\t\t{\n\t\t\tPALETTE_UPDATE* palette_update = update_read_palette(update, s);\n\n\t\t\tif (!palette_update)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"UPDATE_TYPE_PALETTE - update_read_palette() failed\");\n\t\t\t\tgoto fail;\n\t\t\t}\n\n\t\t\trc = IFCALLRESULT(FALSE, update->Palette, context, palette_update);\n\t\t\tfree_palette_update(context, palette_update);\n\t\t}\n\t\tbreak;\n\n\t\tcase UPDATE_TYPE_SYNCHRONIZE:\n\t\t\tif (!update_read_synchronize(update, s))\n\t\t\t\tgoto fail;\n\t\t\trc = IFCALLRESULT(TRUE, 
update->Synchronize, context);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tbreak;\n\t}\n\nfail:\n\n\tif (!update_end_paint(update))\n\t\trc = FALSE;\n\n\tif (!rc)\n\t{\n\t\tWLog_ERR(TAG, \"UPDATE_TYPE %s [%\" PRIu16 \"] failed\", update_type_to_string(updateType),\n\t\t updateType);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 241599745468172248070055396754810927395, "size": 78, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 1, "dataset": "other", "idx": 199894 }, { "func": "BOOL update_recv(rdpUpdate* update, wStream* s)\n{\n\tBOOL rc = FALSE;\n\tUINT16 updateType;\n\trdpContext* context = update->context;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t{\n\t\tWLog_ERR(TAG, \"Stream_GetRemainingLength(s) < 2\");\n\t\treturn FALSE;\n\t}\n\n\tStream_Read_UINT16(s, updateType); /* updateType (2 bytes) */\n\tWLog_Print(update->log, WLOG_TRACE, \"%s Update Data PDU\", update_type_to_string(updateType));\n\n\tif (!update_begin_paint(update))\n\t\tgoto fail;\n\n\tswitch (updateType)\n\t{\n\t\tcase UPDATE_TYPE_ORDERS:\n\t\t\trc = update_recv_orders(update, s);\n\t\t\tbreak;\n\n\t\tcase UPDATE_TYPE_BITMAP:\n\t\t{\n\t\t\tBITMAP_UPDATE* bitmap_update = update_read_bitmap_update(update, s);\n\n\t\t\tif (!bitmap_update)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"UPDATE_TYPE_BITMAP - update_read_bitmap_update() failed\");\n\t\t\t\tgoto fail;\n\t\t\t}\n\n\t\t\trc = IFCALLRESULT(FALSE, update->BitmapUpdate, context, bitmap_update);\n\t\t\tfree_bitmap_update(update->context, bitmap_update);\n\t\t}\n\t\tbreak;\n\n\t\tcase UPDATE_TYPE_PALETTE:\n\t\t{\n\t\t\tPALETTE_UPDATE* palette_update = update_read_palette(update, s);\n\n\t\t\tif (!palette_update)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"UPDATE_TYPE_PALETTE - update_read_palette() failed\");\n\t\t\t\tgoto fail;\n\t\t\t}\n\n\t\t\trc = IFCALLRESULT(FALSE, 
update->Palette, context, palette_update);\n\t\t\tfree_palette_update(context, palette_update);\n\t\t}\n\t\tbreak;\n\n\t\tcase UPDATE_TYPE_SYNCHRONIZE:\n\t\t\tif (!update_read_synchronize(update, s))\n\t\t\t\tgoto fail;\n\t\t\trc = IFCALLRESULT(TRUE, update->Synchronize, context);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tbreak;\n\t}\n\nfail:\n\n\tif (!update_end_paint(update))\n\t\trc = FALSE;\n\n\tif (!rc)\n\t{\n\t\tWLog_ERR(TAG, \"UPDATE_TYPE %s [%\" PRIu16 \"] failed\", update_type_to_string(updateType),\n\t\t updateType);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 210712111577567156501672184535618537131, "size": 78, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295081 }, { "func": "static BOOL update_read_synchronize(rdpUpdate* update, wStream* s)\n{\n\tWINPR_UNUSED(update);\n\treturn Stream_SafeSeek(s, 2); /* pad2Octets (2 bytes) */\n\t /**\n\t * The Synchronize Update is an artifact from the\n\t * T.128 protocol and should be ignored.\n\t */\n}", "project": "FreeRDP", "hash": 15521892922773362950883267377898803764, "size": 9, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295084 }, { "func": "BITMAP_UPDATE* update_read_bitmap_update(rdpUpdate* update, wStream* s)\n{\n\tUINT32 i;\n\tBITMAP_UPDATE* bitmapUpdate = calloc(1, sizeof(BITMAP_UPDATE));\n\n\tif (!bitmapUpdate)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, bitmapUpdate->number); /* numberRectangles (2 bytes) */\n\tWLog_Print(update->log, WLOG_TRACE, \"BitmapUpdate: %\" PRIu32 \"\", bitmapUpdate->number);\n\n\tif (bitmapUpdate->number > 
bitmapUpdate->count)\n\t{\n\t\tUINT32 count = bitmapUpdate->number * 2;\n\t\tBITMAP_DATA* newdata =\n\t\t (BITMAP_DATA*)realloc(bitmapUpdate->rectangles, sizeof(BITMAP_DATA) * count);\n\n\t\tif (!newdata)\n\t\t\tgoto fail;\n\n\t\tbitmapUpdate->rectangles = newdata;\n\t\tZeroMemory(&bitmapUpdate->rectangles[bitmapUpdate->count],\n\t\t sizeof(BITMAP_DATA) * (count - bitmapUpdate->count));\n\t\tbitmapUpdate->count = count;\n\t}\n\n\t/* rectangles */\n\tfor (i = 0; i < bitmapUpdate->number; i++)\n\t{\n\t\tif (!update_read_bitmap_data(update, s, &bitmapUpdate->rectangles[i]))\n\t\t\tgoto fail;\n\t}\n\n\treturn bitmapUpdate;\nfail:\n\tfree_bitmap_update(update->context, bitmapUpdate);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 33813168314939692314756191926075884636, "size": 41, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295080 }, { "func": "static BITMAP_DATA* copy_bitmap_data(const BITMAP_DATA* data, size_t count)\n{\n\tsize_t x;\n\tBITMAP_DATA* dst = (BITMAP_DATA*)calloc(count, sizeof(BITMAP_DATA));\n\n\tif (!dst)\n\t\tgoto fail;\n\n\tfor (x = 0; x < count; x++)\n\t{\n\t\tdst[x] = data[x];\n\n\t\tif (data[x].bitmapLength > 0)\n\t\t{\n\t\t\tdst[x].bitmapDataStream = malloc(data[x].bitmapLength);\n\n\t\t\tif (!dst[x].bitmapDataStream)\n\t\t\t\tgoto fail;\n\n\t\t\tmemcpy(dst[x].bitmapDataStream, data[x].bitmapDataStream, data[x].bitmapLength);\n\t\t}\n\t}\n\n\treturn dst;\nfail:\n\tfree_bitmap_data(dst, count);\n\treturn NULL;\n}", "project": "FreeRDP", "hash": 188655361286083133164433477309812156230, "size": 28, "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c", "message": "Fixed possible NULL dereference", "target": 0, "dataset": "other", "idx": 269201 }, { "func": "static BOOL update_write_bitmap_update(rdpUpdate* update, wStream* s,\n const BITMAP_UPDATE* 
bitmapUpdate)\n{\n\tint i;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, UPDATE_TYPE_BITMAP); /* updateType */\n\tStream_Write_UINT16(s, bitmapUpdate->number); /* numberRectangles (2 bytes) */\n\n\t/* rectangles */\n\tfor (i = 0; i < (int)bitmapUpdate->number; i++)\n\t{\n\t\tif (!update_write_bitmap_data(update, s, &bitmapUpdate->rectangles[i]))\n\t\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "project": "FreeRDP", "hash": 151834610885528242589531618165967839061, "size": 20, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295043 }, { "func": "static BOOL update_send_surface_frame_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cmd,\n BOOL first, BOOL last, UINT32 frameId)\n{\n\twStream* s;\n\trdpRdp* rdp = context->rdp;\n\tBOOL ret = FALSE;\n\tupdate_force_flush(context);\n\ts = fastpath_update_pdu_init(rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (first)\n\t{\n\t\tif (!update_write_surfcmd_frame_marker(s, SURFACECMD_FRAMEACTION_BEGIN, frameId))\n\t\t\tgoto out_fail;\n\t}\n\n\tif (!update_write_surfcmd_surface_bits(s, cmd))\n\t\tgoto out_fail;\n\n\tif (last)\n\t{\n\t\tif (!update_write_surfcmd_frame_marker(s, SURFACECMD_FRAMEACTION_END, frameId))\n\t\t\tgoto out_fail;\n\t}\n\n\tret = fastpath_send_update_pdu(rdp->fastpath, FASTPATH_UPDATETYPE_SURFCMDS, s,\n\t cmd->skipCompression);\n\tupdate_force_flush(context);\nout_fail:\n\tStream_Release(s);\n\treturn ret;\n}", "project": "FreeRDP", "hash": 156186922337010680300695249917953025135, "size": 34, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295025 }, { "func": "static BOOL 
update_send_surface_bits(rdpContext* context,\n const SURFACE_BITS_COMMAND* surfaceBitsCommand)\n{\n\twStream* s;\n\trdpRdp* rdp = context->rdp;\n\tBOOL ret = FALSE;\n\tupdate_force_flush(context);\n\ts = fastpath_update_pdu_init(rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (!update_write_surfcmd_surface_bits(s, surfaceBitsCommand))\n\t\tgoto out_fail;\n\n\tif (!fastpath_send_update_pdu(rdp->fastpath, FASTPATH_UPDATETYPE_SURFCMDS, s,\n\t surfaceBitsCommand->skipCompression))\n\t\tgoto out_fail;\n\n\tupdate_force_flush(context);\n\tret = TRUE;\nout_fail:\n\tStream_Release(s);\n\treturn ret;\n}", "project": "FreeRDP", "hash": 262077567665186060034193325515015087867, "size": 25, "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf", "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019", "target": 0, "dataset": "other", "idx": 295075 } ] }, { "call_depth": 4, "longest_call_chain": [ "APar_ExtractDetails", "APar_ExtractTrackDetails", "APar_Extract_esds_Info", "APar_skip_filler" ], "group_size": 18, "functions": [ { "func": "uint16_t purge_extraneous_characters(char *data) {\n uint16_t purgings = 0;\n uint16_t str_len = strlen(data);\n for (uint16_t str_offset = 0; str_offset < str_len; str_offset++) {\n if (data[str_offset] < 32 || data[str_offset] == 127) {\n data[str_offset] = 19;\n purgings++;\n break;\n }\n }\n return purgings;\n}", "project": "atomicparsley", "hash": 101683490117903831020536704146633947144, "size": 12, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417014 }, { "func": "uint8_t APar_skip_filler(FILE *isofile, uint32_t start_position) {\n uint8_t skip_bytes = 0;\n\n while (true) {\n uint8_t eval_byte = APar_read8(isofile, start_position + skip_bytes);\n\n if (eval_byte == 0x80 || eval_byte == 0x81 ||\n eval_byte == 
0xFE) { // seems sometimes QT writes 0x81\n skip_bytes++;\n } else {\n break;\n }\n }\n return skip_bytes;\n}", "project": "atomicparsley", "hash": 62628116556512224921278752125499736093, "size": 15, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417016 }, { "func": "void APar_Extract_devc_Info(FILE *isofile,\n short track_level_atom,\n TrackInfo *track_info) {\n uint64_t offset_into_devc = 8;\n APar_readX(track_info->encoder_name,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart + offset_into_devc,\n 4);\n return;\n}", "project": "atomicparsley", "hash": 191832240744506458608612189209332629083, "size": 10, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417006 }, { "func": "void APar_ExtractTrackDetails(char *uint32_buffer,\n FILE *isofile,\n Trackage *track,\n TrackInfo *track_info) {\n uint64_t _offset = 0;\n\n APar_TrackLevelInfo(track, \"tkhd\");\n if (APar_read8(isofile, parsedAtoms[track->track_atom].AtomicStart + 8) ==\n 0) {\n if (APar_read8(isofile, parsedAtoms[track->track_atom].AtomicStart + 11) &\n 1) {\n track_info->track_enabled = true;\n }\n track_info->creation_time =\n APar_read32(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 12);\n track_info->modified_time =\n APar_read32(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 16);\n track_info->duration =\n APar_read32(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 28);\n } else {\n track_info->creation_time =\n APar_read64(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 12);\n track_info->modified_time =\n APar_read64(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 20);\n track_info->duration 
=\n APar_read64(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 36);\n }\n\n // language code\n APar_TrackLevelInfo(track, \"mdhd\");\n memset(uint32_buffer, 0, 5);\n uint16_t packed_language = APar_read16(\n uint32_buffer, isofile, parsedAtoms[track->track_atom].AtomicStart + 28);\n memset(track_info->unpacked_lang, 0, 4);\n APar_UnpackLanguage(\n track_info->unpacked_lang,\n packed_language); // http://www.w3.org/WAI/ER/IG/ert/iso639.htm\n\n // track handler type\n APar_TrackLevelInfo(track, \"hdlr\");\n memset(uint32_buffer, 0, 5);\n track_info->track_type = APar_read32(\n uint32_buffer, isofile, parsedAtoms[track->track_atom].AtomicStart + 16);\n if (track_info->track_type == 0x736F756E) { // soun\n track_info->type_of_track = AUDIO_TRACK;\n } else if (track_info->track_type == 0x76696465) { // vide\n track_info->type_of_track = VIDEO_TRACK;\n }\n if (parsedAtoms[track->track_atom].AtomicLength > 34) {\n memset(track_info->track_hdlr_name, 0, sizeof(track_info->track_hdlr_name));\n APar_readX(track_info->track_hdlr_name,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 32,\n std::min((uint64_t)sizeof(track_info->track_hdlr_name),\n parsedAtoms[track->track_atom].AtomicLength - 32));\n }\n\n // codec section\n APar_TrackLevelInfo(track, \"stsd\");\n memset(uint32_buffer, 0, 5);\n track_info->track_codec = APar_read32(\n uint32_buffer, isofile, parsedAtoms[track->track_atom].AtomicStart + 20);\n\n if (track_info->type_of_track & VIDEO_TRACK) { // vide\n track_info->video_width =\n APar_read16(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom + 1].AtomicStart + 32);\n track_info->video_height =\n APar_read16(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom + 1].AtomicStart + 34);\n track_info->macroblocks =\n (track_info->video_width / 16) * (track_info->video_height / 16);\n\n // avc profile & level\n if (track_info->track_codec == 0x61766331 ||\n track_info->track_codec == 0x64726D69) { // avc1 or drmi\n 
track_info->contains_esds = false;\n APar_TrackLevelInfo(track, \"avcC\");\n // get avc1 profile/level; atom 'avcC' is :\n // byte 1\tconfigurationVersion byte 2\tAVCProfileIndication byte 3\n // profile_compatibility byte 4\tAVCLevelIndication\n track_info->avc_version =\n APar_read8(isofile, parsedAtoms[track->track_atom].AtomicStart + 8);\n if (track_info->avc_version == 1) {\n track_info->profile =\n APar_read8(isofile, parsedAtoms[track->track_atom].AtomicStart + 9);\n // uint8_t profile_compatibility = APar_read8(isofile,\n // parsedAtoms[track.track_atom].AtomicStart + 10); /* is this reserved\n // ?? */\n track_info->level = APar_read8(\n isofile, parsedAtoms[track->track_atom].AtomicStart + 11);\n }\n\n // avc1 doesn't have a hardcoded bitrate, so calculate it (off of stsz\n // table summing) later\n } else if (track_info->track_codec == 0x73323633) { // s263\n APar_TrackLevelInfo(track, \"d263\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"d263\", 4) == 0) {\n APar_Extract_d263_Info(\n uint32_buffer, isofile, track->track_atom, track_info);\n }\n\n } else { // mp4v\n APar_TrackLevelInfo(track, \"esds\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"esds\", 4) == 0) {\n APar_Extract_esds_Info(\n uint32_buffer,\n isofile,\n track->track_atom - 1,\n track_info); // right, backtrack to the atom before 'esds' so we can\n // offset_into_stsd++\n } else if (track_info->track_codec == 0x73323633) { // s263\n track_info->type_of_track = VIDEO_TRACK;\n } else if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762 ||\n track_info->track_codec == 0x73617770 ||\n track_info->track_codec ==\n 0x73766D72) { // samr, sawb, sawp & svmr\n track_info->type_of_track = AUDIO_TRACK;\n } else {\n track_info->type_of_track = OTHER_TRACK; // a 'jpeg' track will fall\n // here\n }\n }\n\n } else if (track_info->type_of_track & AUDIO_TRACK) {\n if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 
0x73617762 ||\n track_info->track_codec == 0x73617770 ||\n track_info->track_codec ==\n 0x73766D72) { // samr,sawb, svmr (sawp doesn't contain modes)\n APar_Extract_AMR_Info(\n uint32_buffer, isofile, track->track_atom + 2, track_info);\n\n } else if (track_info->track_codec == 0x73657663) { // sevc\n APar_TrackLevelInfo(track, \"devc\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"devc\", 4) == 0) {\n APar_Extract_devc_Info(isofile, track->track_atom, track_info);\n }\n\n } else if (track_info->track_codec == 0x73716370) { // sqcp\n APar_TrackLevelInfo(track, \"dqcp\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"dqcp\", 4) == 0) {\n APar_Extract_devc_Info(isofile,\n track->track_atom,\n track_info); // its the same thing\n }\n\n } else if (track_info->track_codec == 0x73736D76) { // ssmv\n APar_TrackLevelInfo(track, \"dsmv\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"dsmv\", 4) == 0) {\n APar_Extract_devc_Info(isofile,\n track->track_atom,\n track_info); // its the same thing\n }\n\n } else {\n APar_Extract_esds_Info(\n uint32_buffer, isofile, track->track_atom, track_info);\n }\n }\n\n // in case bitrate isn't found, manually determine it off of stsz summing\n if ((track_info->type_of_track & AUDIO_TRACK ||\n track_info->type_of_track & VIDEO_TRACK) &&\n track_info->avg_bitrate == 0) {\n if (track_info->track_codec == 0x616C6163) { // alac\n track_info->channels =\n APar_read16(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom + 1].AtomicStart + 24);\n }\n }\n\n APar_TrackLevelInfo(track, \"stsz\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"stsz\", 4) == 0) {\n track_info->sample_aggregate =\n calcuate_sample_size(uint32_buffer, isofile, track->track_atom);\n }\n\n // get what exactly 'drmX' stands in for\n if (track_info->track_codec >= 0x64726D00 &&\n track_info->track_codec <= 0x64726DFF) {\n track_info->type_of_track += DRM_PROTECTED_TRACK;\n APar_TrackLevelInfo(track, \"frma\");\n 
memset(uint32_buffer, 0, 5);\n track_info->protected_codec = APar_read32(\n uint32_buffer, isofile, parsedAtoms[track->track_atom].AtomicStart + 8);\n }\n\n // Encoder string; occasionally, it appears under stsd for a video track; it\n // is typcally preceded by ' ' (1st char is unprintable) or 0x01B2\n if (track_info->contains_esds) {\n APar_TrackLevelInfo(track, \"esds\");\n\n // technically, user_data_start_code should be tested aginst 0x000001B2;\n // TODO: it should only be read up to section 3's length too\n _offset = APar_FindValueInAtom(\n uint32_buffer, isofile, track->track_atom, 24, 0x01B2);\n\n if (_offset > 0 && _offset < parsedAtoms[track->track_atom].AtomicLength) {\n _offset += 2;\n memset(track_info->encoder_name,\n 0,\n parsedAtoms[track->track_atom].AtomicLength - _offset);\n APar_readX(track_info->encoder_name,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + _offset,\n parsedAtoms[track->track_atom].AtomicLength - _offset);\n }\n }\n return;\n}", "project": "atomicparsley", "hash": 127721703970755291690436684429299715513, "size": 227, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417020 }, { "func": "void APar_ExtractMovieDetails(char *uint32_buffer,\n FILE *isofile,\n AtomicInfo *mvhd_atom) {\n if (mvhd_atom->AtomicVerFlags & 0x01000000) {\n movie_info.creation_time =\n APar_read64(uint32_buffer, isofile, mvhd_atom->AtomicStart + 12);\n movie_info.modified_time =\n APar_read64(uint32_buffer, isofile, mvhd_atom->AtomicStart + 20);\n movie_info.timescale =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 28);\n movie_info.duration =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 32);\n movie_info.timescale =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 36);\n movie_info.duration =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 40);\n 
movie_info.playback_rate =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 44);\n movie_info.volume =\n APar_read16(uint32_buffer, isofile, mvhd_atom->AtomicStart + 48);\n } else {\n movie_info.creation_time = (uint64_t)APar_read32(\n uint32_buffer, isofile, mvhd_atom->AtomicStart + 12);\n movie_info.modified_time = (uint64_t)APar_read32(\n uint32_buffer, isofile, mvhd_atom->AtomicStart + 16);\n movie_info.timescale =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 20);\n movie_info.duration =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 24);\n movie_info.playback_rate =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 28);\n movie_info.volume =\n APar_read16(uint32_buffer, isofile, mvhd_atom->AtomicStart + 32);\n }\n\n movie_info.seconds = (float)movie_info.duration / (float)movie_info.timescale;\n#if defined(_MSC_VER)\n __int64 media_bits = (__int64)mdatData * 8;\n#else\n uint64_t media_bits = (uint64_t)mdatData * 8;\n#endif\n movie_info.simple_bitrate_calc =\n ((double)media_bits / movie_info.seconds) / 1000.0;\n\n return;\n}", "project": "atomicparsley", "hash": 42901587396681727887008920962788444091, "size": 46, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417005 }, { "func": "void APar_TrackLevelInfo(Trackage *track, const char *track_search_atom_name) {\n uint8_t track_tally = 0;\n short iter = 0;\n\n while (parsedAtoms[iter].NextAtomNumber != 0) {\n\n if (strncmp(parsedAtoms[iter].AtomicName, \"trak\", 4) == 0) {\n track_tally += 1;\n if (track->track_num == 0) {\n track->total_tracks += 1;\n\n } else if (track->track_num == track_tally) {\n\n short next_atom = parsedAtoms[iter].NextAtomNumber;\n while (parsedAtoms[next_atom].AtomicLevel >\n parsedAtoms[iter].AtomicLevel) {\n\n if (strncmp(parsedAtoms[next_atom].AtomicName,\n track_search_atom_name,\n 4) 
== 0) {\n\n track->track_atom = parsedAtoms[next_atom].AtomicNumber;\n return;\n } else {\n next_atom = parsedAtoms[next_atom].NextAtomNumber;\n }\n if (parsedAtoms[next_atom].AtomicLevel ==\n parsedAtoms[iter].AtomicLevel) {\n track->track_atom = 0;\n }\n }\n }\n }\n iter = parsedAtoms[iter].NextAtomNumber;\n }\n return;\n}", "project": "atomicparsley", "hash": 122636019844906488610343867539066292935, "size": 37, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417011 }, { "func": "void APar_ShowMPEG4VisualProfileInfo(TrackInfo *track_info) {\n fprintf(stdout, \" MPEG-4 Visual \");\n uint8_t mp4v_profile = 0;\n if (movie_info.contains_iods) {\n mp4v_profile = iods_info.video_profile_level;\n } else {\n mp4v_profile = track_info->m4v_profile;\n }\n\n // unparalleled joy - Annex G table g1 - a binary listing (this from\n // 14496-2:2001)\n if (mp4v_profile == 0x01) {\n fprintf(stdout, \"Simple Profile, Level 1\"); // 00000001\n } else if (mp4v_profile == 0x02) {\n fprintf(stdout, \"Simple Profile, Level 2\"); // 00000010\n } else if (mp4v_profile == 0x03) {\n fprintf(stdout,\n \"Simple Profile, Level 3\"); // most files will land here //00000011\n\n } else if (mp4v_profile == 0x08) { // Compressor can create these in 3gp files\n fprintf(stdout, \"Simple Profile, Level 0\"); // ISO 14496-2:2004(e)\n // //00001000\n\n // Reserved 00000100 - 00000111\n } else if (mp4v_profile == 0x10) {\n fprintf(stdout, \"Simple Scalable Profile, Level 0\"); // 00010000\n } else if (mp4v_profile == 0x11) {\n fprintf(stdout, \"Simple Scalable Profile, Level 1\"); // 00010001\n } else if (mp4v_profile == 0x12) {\n fprintf(stdout, \"Simple Scalable Profile, Level 2\"); // 00010010\n\n // Reserved 00010011 - 00100000\n } else if (mp4v_profile == 0x21) {\n fprintf(stdout, \"Core Profile, Level 1\"); // 00100001\n } else if (mp4v_profile == 0x22) {\n 
fprintf(stdout, \"Core Profile, Level 2\"); // 00100010\n\n // Reserved 00100011 - 00110001\n } else if (mp4v_profile == 0x32) {\n fprintf(stdout, \"Main Profile, Level 2\"); // 00110010\n } else if (mp4v_profile == 0x33) {\n fprintf(stdout, \"Main Profile, Level 3\"); // 00110011\n } else if (mp4v_profile == 0x34) {\n fprintf(stdout, \"Main Profile, Level 4\"); // 00110100\n\n // Reserved 00110101 - 01000001\n } else if (mp4v_profile == 0x42) {\n fprintf(stdout, \"N-bit Profile, Level 2\"); // 01000010\n\n // Reserved 01000011 - 01010000\n } else if (mp4v_profile == 0x51) {\n fprintf(stdout, \"Scalable Texture Profile, Level 1\"); // 01010001\n\n // Reserved 01010010 - 01100000\n } else if (mp4v_profile == 0x61) {\n fprintf(stdout, \"Simple Face Animation, Level 1\"); // 01100001\n } else if (mp4v_profile == 0x62) {\n fprintf(stdout, \"Simple Face Animation, Level 2\"); // 01100010\n\n } else if (mp4v_profile == 0x63) {\n fprintf(stdout, \"Simple FBA Profile, Level 1\"); // 01100011\n } else if (mp4v_profile == 0x64) {\n fprintf(stdout, \"Simple FBA Profile, Level 2\"); // 01100100\n\n // Reserved 01100101 - 01110000\n } else if (mp4v_profile == 0x71) {\n fprintf(stdout, \"Basic Animated Texture Profile, Level 1\"); // 01110001\n } else if (mp4v_profile == 0x72) {\n fprintf(stdout, \"Basic Animated Texture Profile, Level 2\"); // 01110010\n\n // Reserved 01110011 - 10000000\n } else if (mp4v_profile == 0x81) {\n fprintf(stdout, \"Hybrid Profile, Level 1\"); // 10000001\n } else if (mp4v_profile == 0x82) {\n fprintf(stdout, \"Hybrid Profile, Level 2\"); // 10000010\n\n // Reserved 10000011 - 10010000\n } else if (mp4v_profile == 0x91) {\n fprintf(stdout, \"Advanced Real Time Simple Profile, Level 1\"); // 10010001\n } else if (mp4v_profile == 0x92) {\n fprintf(stdout, \"Advanced Real Time Simple Profile, Level 2\"); // 10010010\n } else if (mp4v_profile == 0x93) {\n fprintf(stdout, \"Advanced Real Time Simple Profile, Level 3\"); // 10010011\n } else if 
(mp4v_profile == 0x94) {\n fprintf(stdout, \"Advanced Real Time Simple Profile, Level 4\"); // 10010100\n\n // Reserved 10010101 - 10100000\n } else if (mp4v_profile == 0xA1) {\n fprintf(stdout, \"Core Scalable Profile, Level 1\"); // 10100001\n } else if (mp4v_profile == 0xA2) {\n fprintf(stdout, \"Core Scalable Profile, Level 2\"); // 10100010\n } else if (mp4v_profile == 0xA3) {\n fprintf(stdout, \"Core Scalable Profile, Level 3\"); // 10100011\n\n // Reserved 10100100 - 10110000\n } else if (mp4v_profile == 0xB1) {\n fprintf(stdout, \"Advanced Coding Efficiency Profile, Level 1\"); // 10110001\n } else if (mp4v_profile == 0xB2) {\n fprintf(stdout, \"Advanced Coding Efficiency Profile, Level 2\"); // 10110010\n } else if (mp4v_profile == 0xB3) {\n fprintf(stdout, \"Advanced Coding Efficiency Profile, Level 3\"); // 10110011\n } else if (mp4v_profile == 0xB4) {\n fprintf(stdout, \"Advanced Coding Efficiency Profile, Level 4\"); // 10110100\n\n // Reserved 10110101 11000000\n } else if (mp4v_profile == 0xC1) {\n fprintf(stdout, \"Advanced Core Profile, Level 1\"); // 11000001\n } else if (mp4v_profile == 0xC2) {\n fprintf(stdout, \"Advanced Core Profile, Level 2\"); // 11000010\n\n // Reserved 11000011 11010000\n } else if (mp4v_profile == 0xD1) {\n fprintf(stdout, \"Advanced Scalable Texture, Level 1\"); // 11010001\n } else if (mp4v_profile == 0xD2) {\n fprintf(stdout, \"Advanced Scalable Texture, Level 2\"); // 11010010\n } else if (mp4v_profile == 0xD2) {\n fprintf(stdout, \"Advanced Scalable Texture, Level 3\"); // 11010011\n\n // from a draft document - 1999 (earlier than the 2000 above!!)\n } else if (mp4v_profile == 0xE1) {\n fprintf(stdout, \"Simple Studio Profile, Level 1\"); // 11100001\n } else if (mp4v_profile == 0xE2) {\n fprintf(stdout, \"Simple Studio Profile, Level 2\"); // 11100010\n } else if (mp4v_profile == 0xE3) {\n fprintf(stdout, \"Simple Studio Profile, Level 3\"); // 11100011\n } else if (mp4v_profile == 0xE4) {\n fprintf(stdout, \"Simple 
Studio Profile, Level 4\"); // 11100100\n\n } else if (mp4v_profile == 0xE5) {\n fprintf(stdout, \"Core Studio Profile, Level 1\"); // 11100101\n } else if (mp4v_profile == 0xE6) {\n fprintf(stdout, \"Core Studio Profile, Level 2\"); // 11100110\n } else if (mp4v_profile == 0xE7) {\n fprintf(stdout, \"Core Studio Profile, Level 3\"); // 11100111\n } else if (mp4v_profile == 0xE8) {\n fprintf(stdout, \"Core Studio Profile, Level 4\"); // 11101000\n\n // Reserved 11101001 - 11101111\n // ISO 14496-2:2004(e)\n } else if (mp4v_profile == 0xF0) {\n fprintf(stdout, \"Advanced Simple Profile, Level 0\"); // 11110000\n } else if (mp4v_profile == 0xF1) {\n fprintf(stdout, \"Advanced Simple Profile, Level 1\"); // 11110001\n } else if (mp4v_profile == 0xF2) {\n fprintf(\n stdout,\n \"Advanced Simple Profile, Level 2\"); // 11110010 ////3gp files that QT\n // says is H.263 have esds to 0xF2\n // & their ObjectType set to 0x20\n // (mpeg-4 visual)\n ////...and its been figured out -\n /// FILE EXTENSION of all things\n /// determines mpeg-4 ASP or H.263\n } else if (mp4v_profile == 0xF3) {\n fprintf(stdout, \"Advanced Simple Profile, Level 3\"); // 11110011\n } else if (mp4v_profile == 0xF4) {\n fprintf(stdout, \"Advanced Simple Profile, Level 4\"); // 11110100\n } else if (mp4v_profile == 0xF5) {\n fprintf(stdout, \"Advanced Simple Profile, Level 5\"); // 11110101\n\n // Reserved 11110110\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Advanced Simple Profile, Level 3b\"); // 11110111\n\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 0\"); // 11111000\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 1\"); // 11111001\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 2\"); // 11111010\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 3\"); // 11111011\n } else if (mp4v_profile == 
0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 4\"); // 11111100\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 5\"); // 11111101\n\n // Reserved 11111110\n // Reserved for Escape 11111111\n\n } else {\n fprintf(stdout, \"Unknown profile: 0x%X\", mp4v_profile);\n }\n return;\n}", "project": "atomicparsley", "hash": 266341568058411294601031432860065260063, "size": 185, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417022 }, { "func": "uint8_t APar_ExtractChannelInfo(FILE *isofile, uint32_t pos) {\n uint8_t packed_channels = APar_read8(isofile, pos);\n uint8_t unpacked_channels =\n (packed_channels << 1); // just shift the first bit off the table\n unpacked_channels =\n (unpacked_channels >> 4); // and slide it on over back on the uint8_t\n return unpacked_channels;\n}", "project": "atomicparsley", "hash": 237421857616930203238808630521330313243, "size": 8, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417010 }, { "func": "void APar_ShowMPEG4AACProfileInfo(TrackInfo *track_info) {\n if (track_info->descriptor_object_typeID == 1) {\n fprintf(stdout, \" MPEG-4 AAC Main Profile\");\n } else if (track_info->descriptor_object_typeID == 2) {\n fprintf(\n stdout,\n \" MPEG-4 AAC Low Complexity/LC Profile\"); // most files will land here\n } else if (track_info->descriptor_object_typeID == 3) {\n fprintf(stdout, \" MPEG-4 AAC Scaleable Sample Rate/SSR Profile\");\n } else if (track_info->descriptor_object_typeID == 4) {\n fprintf(stdout, \" MPEG-4 AAC Long Term Prediction Profile\");\n } else if (track_info->descriptor_object_typeID == 5) {\n fprintf(stdout, \" MPEG-4 AAC High Efficiency/HE Profile\");\n } else if 
(track_info->descriptor_object_typeID == 6) {\n fprintf(stdout, \" MPEG-4 AAC Scalable Profile\");\n } else if (track_info->descriptor_object_typeID == 7) {\n fprintf(stdout,\n \" MPEG-4 AAC Transform domain Weighted INterleave Vector \"\n \"Quantization/TwinVQ Profile\");\n } else if (track_info->descriptor_object_typeID == 8) {\n fprintf(stdout, \" MPEG-4 AAC Code Excited Linear Predictive/CELP Profile\");\n } else if (track_info->descriptor_object_typeID == 9) {\n fprintf(stdout, \" MPEG-4 AAC HVXC Profile\");\n\n } else if (track_info->descriptor_object_typeID == 12) {\n fprintf(stdout, \" MPEG-4 AAC TTSI Profile\");\n } else if (track_info->descriptor_object_typeID == 13) {\n fprintf(stdout, \" MPEG-4 AAC Main Synthesis Profile\");\n } else if (track_info->descriptor_object_typeID == 14) {\n fprintf(stdout, \" MPEG-4 AAC Wavetable Synthesis Profile\");\n } else if (track_info->descriptor_object_typeID == 15) {\n fprintf(stdout, \" MPEG-4 AAC General MIDI Profile\");\n } else if (track_info->descriptor_object_typeID == 16) {\n fprintf(stdout, \" MPEG-4 AAC Algorithmic Synthesis & Audio FX Profile\");\n } else if (track_info->descriptor_object_typeID == 17) {\n fprintf(stdout,\n \" MPEG-4 AAC AAC Low Complexity/LC (+error recovery) Profile\");\n\n } else if (track_info->descriptor_object_typeID == 19) {\n fprintf(stdout,\n \" MPEG-4 AAC Long Term Prediction (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 20) {\n fprintf(stdout, \" MPEG-4 AAC Scalable (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 21) {\n fprintf(stdout,\n \" MPEG-4 AAC Transform domain Weighted INterleave Vector \"\n \"Quantization/TwinVQ (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 22) {\n fprintf(stdout,\n \" MPEG-4 AAC Bit Sliced Arithmetic Coding/BSAC (+error \"\n \"recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 23) {\n fprintf(stdout, \" MPEG-4 AAC Low 
Delay/LD (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 24) {\n fprintf(stdout,\n \" MPEG-4 AAC Code Excited Linear Predictive/CELP (+error \"\n \"recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 25) {\n fprintf(stdout, \" MPEG-4 AAC HXVC (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 26) {\n fprintf(stdout,\n \" MPEG-4 AAC Harmonic and Individual Lines plus \"\n \"Noise/HILN (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 27) {\n fprintf(stdout, \" MPEG-4 AAC Parametric (+error recovery) Profile\");\n\n } else if (track_info->descriptor_object_typeID == 31) {\n fprintf(\n stdout,\n \" MPEG-4 ALS Audio Lossless Coding\"); // I think that mp4alsRM18 writes\n // the channels wrong after\n // objectedID: 0xF880 has 0\n // channels; 0xF890 is 2ch\n } else {\n fprintf(stdout,\n \" MPEG-4 Unknown profile: 0x%X\",\n track_info->descriptor_object_typeID);\n }\n return;\n}", "project": "atomicparsley", "hash": 165598504010110280304160833310444978647, "size": 80, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417019 }, { "func": "void APar_ShowObjectProfileInfo(uint8_t track_type, TrackInfo *track_info) {\n if (track_info->contains_esds) {\n switch (track_info->ObjectTypeIndication) {\n // 0x00 es Lambada/Verboten/Forbidden\n case 0x01:\n case 0x02: {\n fprintf(stdout, \" MPEG-4 Systems (BIFS/ObjDesc)\");\n break;\n }\n case 0x03: {\n fprintf(stdout, \" Interaction Stream\");\n break;\n }\n case 0x04: {\n fprintf(stdout, \" MPEG-4 Systems Extended BIFS\");\n break;\n }\n case 0x05: {\n fprintf(stdout, \" MPEG-4 Systems AFX\");\n break;\n }\n case 0x06: {\n fprintf(stdout, \" Font Data Stream\");\n break;\n }\n case 0x08: {\n fprintf(stdout, \" Synthesized Texture Stream\");\n break;\n }\n case 0x07: {\n 
fprintf(stdout, \" Streaming Text Stream\");\n break;\n }\n // 0x09-0x1F reserved\n case 0x20: {\n APar_ShowMPEG4VisualProfileInfo(track_info);\n break;\n }\n\n case 0x40: { // vererable mpeg-4 aac\n APar_ShowMPEG4AACProfileInfo(track_info);\n break;\n }\n\n // 0x41-0x5F reserved\n case 0x60: {\n fprintf(stdout,\n \" MPEG-2 Visual Simple Profile\"); //'Visual ISO/IEC 13818-2\n // Simple Profile'\n break;\n }\n case 0x61: {\n fprintf(stdout, \" MPEG-2 Visual Main Profile\"); //'Visual ISO/IEC 13818-2\n // Main Profile'\n break;\n }\n case 0x62: {\n fprintf(\n stdout,\n \" MPEG-2 Visual SNR Profile\"); //'Visual ISO/IEC 13818-2 SNR Profile'\n break;\n }\n case 0x63: {\n fprintf(stdout,\n \" MPEG-2 Visual Spatial Profile\"); //'Visual ISO/IEC 13818-2\n // Spatial Profile'\n break;\n }\n case 0x64: {\n fprintf(stdout, \" MPEG-2 Visual High Profile\"); //'Visual ISO/IEC 13818-2\n // High Profile'\n break;\n }\n case 0x65: {\n fprintf(stdout, \" MPEG-2 Visual 4:2:2 Profile\"); //'Visual ISO/IEC\n // 13818-2 422 Profile'\n break;\n }\n case 0x66: {\n fprintf(\n stdout,\n \" MPEG-2 AAC Main Profile\"); //'Audio ISO/IEC 13818-7 Main Profile'\n break;\n }\n case 0x67: {\n fprintf(stdout,\n \" MPEG-2 AAC Low Complexity Profile\"); // Audio ISO/IEC 13818-7\n // LowComplexity Profile\n break;\n }\n case 0x68: {\n fprintf(\n stdout,\n \" MPEG-2 AAC Scaleable Sample Rate Profile\"); //'Audio ISO/IEC\n // 13818-7 Scaleable\n // Sampling Rate\n // Profile'\n break;\n }\n case 0x69: {\n fprintf(stdout, \" MPEG-2 Audio\"); //'Audio ISO/IEC 13818-3'\n break;\n }\n case 0x6A: {\n fprintf(stdout, \" MPEG-1 Visual\"); //'Visual ISO/IEC 11172-2'\n break;\n }\n case 0x6B: {\n fprintf(stdout, \" MPEG-1 Audio\"); //'Audio ISO/IEC 11172-3'\n break;\n }\n case 0x6C: {\n fprintf(stdout, \" JPEG\"); //'Visual ISO/IEC 10918-1'\n break;\n }\n case 0x6D: {\n fprintf(stdout, \" PNG\"); // http://www.mp4ra.org/object.html\n break;\n }\n case 0x6E: {\n fprintf(stdout, \" JPEG2000\"); //'Visual ISO/IEC 
15444-1'\n break;\n }\n case 0xA0: {\n fprintf(stdout, \" 3GPP2 EVRC Voice\"); // http://www.mp4ra.org/object.html\n break;\n }\n case 0xA1: {\n fprintf(stdout, \" 3GPP2 SMV Voice\"); // http://www.mp4ra.org/object.html\n break;\n }\n case 0xA2: {\n fprintf(\n stdout,\n \" 3GPP2 Compact Multimedia Format\"); // http://www.mp4ra.org/object.html\n break;\n }\n\n // 0xC0-0xE0 user private\n case 0xE1: {\n fprintf(stdout,\n \" 3GPP2 QCELP (14K Voice)\"); // http://www.mp4ra.org/object.html\n break;\n }\n // 0xE2-0xFE user private\n // 0xFF no object type specified\n\n default: {\n // so many profiles, so little desire to list them all (in 14496-2 which I\n // don't have)\n if (movie_info.contains_iods && iods_info.audio_profile == 0xFE) {\n fprintf(stdout,\n \" Private user object: 0x%X\",\n track_info->ObjectTypeIndication);\n } else {\n fprintf(\n stdout,\n \" Object Type Indicator: 0x%X Description Ojbect Type ID: 0x%X\\n\",\n track_info->ObjectTypeIndication,\n track_info->descriptor_object_typeID);\n }\n break;\n }\n }\n\n } else if (track_type == AVC1_TRACK) {\n // profiles & levels are in the 14496-10 pdf (which I don't have access to),\n // so... 
http://lists.mpegif.org/pipermail/mp4-tech/2006-January/006255.html\n // http://iphome.hhi.de/suehring/tml/doc/lenc/html/configfile_8c-source.html\n // 66=baseline, 77=main, 88=extended; 100=High, 110=High 10, 122=High 4:2:2,\n // 144=High 4:4:4\n\n switch (track_info->profile) {\n case 66: {\n fprintf(stdout, \" AVC Baseline Profile\");\n break;\n }\n case 77: {\n fprintf(stdout, \" AVC Main Profile\");\n break;\n }\n case 88: {\n fprintf(stdout, \" AVC Extended Profile\");\n break;\n }\n case 100: {\n fprintf(stdout, \" AVC High Profile\");\n break;\n }\n case 110: {\n fprintf(stdout, \" AVC High 10 Profile\");\n break;\n }\n case 122: {\n fprintf(stdout, \" AVC High 4:2:2 Profile\");\n break;\n }\n case 144: {\n fprintf(stdout, \" AVC High 4:4:4 Profile\");\n break;\n }\n default: {\n fprintf(stdout, \" Unknown Profile: %u\", track_info->profile);\n break;\n }\n } // end profile switch\n\n // Don't have access to levels either, but working off of:\n // http://iphome.hhi.de/suehring/tml/doc/lenc/html/configfile_8c-source.html\n\n // and the 15 levels it says here:\n // http://www.chiariglione.org/mpeg/technologies/mp04-avc/index.htm (1b in\n // http://en.wikipedia.org/wiki/H.264 seems nonsensical) working backwards,\n // we get... 
a simple 2 digit number (with '20' just drop the 0; with 21,\n // put in a decimal)\n if (track_info->level > 0) {\n switch (track_info->level) {\n case 10:\n case 20:\n case 30:\n case 40:\n case 50: {\n fprintf(stdout, \", Level %u\", track_info->level / 10);\n break;\n }\n case 11:\n case 12:\n case 13:\n case 21:\n case 22:\n case 31:\n case 32:\n case 41:\n case 42:\n case 51: {\n fprintf(stdout,\n \", Level %u.%u\",\n track_info->level / 10,\n track_info->level % 10);\n break;\n }\n default: {\n fprintf(stdout,\n \", Unknown level %u.%u\",\n track_info->level / 10,\n track_info->level % 10);\n }\n\n } // end switch\n } // end level if\n } else if (track_type == S_AMR_TRACK) {\n char amr_modes[500] = {};\n if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762) {\n if (track_info->amr_modes & 0x0001)\n mem_append(\"0\", amr_modes);\n if (track_info->amr_modes & 0x0002)\n mem_append(\"1\", amr_modes);\n if (track_info->amr_modes & 0x0004)\n mem_append(\"2\", amr_modes);\n if (track_info->amr_modes & 0x0008)\n mem_append(\"3\", amr_modes);\n if (track_info->amr_modes & 0x0010)\n mem_append(\"4\", amr_modes);\n if (track_info->amr_modes & 0x0020)\n mem_append(\"5\", amr_modes);\n if (track_info->amr_modes & 0x0040)\n mem_append(\"6\", amr_modes);\n if (track_info->amr_modes & 0x0080)\n mem_append(\"7\", amr_modes);\n if (track_info->amr_modes & 0x0100)\n mem_append(\"8\", amr_modes);\n if (strlen(amr_modes) == 0)\n memcpy(amr_modes, \"none\", 4);\n } else if (track_info->track_codec == 0x73766D72) {\n if (track_info->amr_modes & 0x0001)\n mem_append(\"VMR-WB Mode 0, \", amr_modes);\n if (track_info->amr_modes & 0x0002)\n mem_append(\"VMR-WB Mode 1, \", amr_modes);\n if (track_info->amr_modes & 0x0004)\n mem_append(\"VMR-WB Mode 2, \", amr_modes);\n if (track_info->amr_modes & 0x0008)\n mem_append(\"VMR-WB Mode 3 (AMR-WB interoperable mode), \", amr_modes);\n if (track_info->amr_modes & 0x0010)\n mem_append(\"VMR-WB Mode 4, \", 
amr_modes);\n if (track_info->amr_modes & 0x0020)\n mem_append(\"VMR-WB Mode 2 with maximum half-rate, \", amr_modes);\n if (track_info->amr_modes & 0x0040)\n mem_append(\"VMR-WB Mode 4 with maximum half-rate, \", amr_modes);\n uint16_t amr_modes_len = strlen(amr_modes);\n if (amr_modes_len > 0)\n memset(amr_modes + (amr_modes_len - 1), 0, 2);\n }\n\n if (track_info->track_codec == 0x73616D72) { // samr\n fprintf(stdout,\n \" AMR Narrow-Band. Modes: %s. Encoder vendor code: %s\\n\",\n amr_modes,\n track_info->encoder_name);\n } else if (track_info->track_codec == 0x73617762) { // sawb\n fprintf(stdout,\n \" AMR Wide-Band. Modes: %s. Encoder vendor code: %s\\n\",\n amr_modes,\n track_info->encoder_name);\n } else if (track_info->track_codec == 0x73617770) { // sawp\n fprintf(stdout,\n \" AMR Wide-Band WB+. Encoder vendor code: %s\\n\",\n track_info->encoder_name);\n } else if (track_info->track_codec == 0x73766D72) { // svmr\n fprintf(stdout,\n \" AMR VBR Wide-Band. Encoder vendor code: %s\\n\",\n track_info->encoder_name);\n }\n } else if (track_type == EVRC_TRACK) {\n fprintf(stdout,\n \" EVRC (Enhanced Variable Rate Coder). Encoder vendor code: %s\\n\",\n track_info->encoder_name);\n\n } else if (track_type == QCELP_TRACK) {\n fprintf(stdout,\n \" QCELP (Qualcomm Code Excited Linear Prediction). Encoder vendor \"\n \"code: %s\\n\",\n track_info->encoder_name);\n\n } else if (track_type == S263_TRACK) {\n if (track_info->profile == 0) {\n fprintf(stdout,\n \" H.263 Baseline Profile, Level %u. Encoder vendor code: %s\",\n track_info->level,\n track_info->encoder_name);\n } else {\n fprintf(stdout,\n \" H.263 Profile: %u, Level %u. 
Encoder vendor code: %s\",\n track_info->profile,\n track_info->level,\n track_info->encoder_name);\n }\n }\n if (track_type == AUDIO_TRACK) {\n if (track_info->section5_length == 0) {\n fprintf(stdout, \" channels: (%u)\\n\", track_info->channels);\n } else {\n fprintf(stdout, \" channels: [%u]\\n\", track_info->channels);\n }\n }\n}", "project": "atomicparsley", "hash": 124350642846074410248190708765891059001, "size": 346, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417012 }, { "func": "void APar_Extract_iods_Info(FILE *isofile, AtomicInfo *iods_atom) {\n uint64_t iods_offset = iods_atom->AtomicStart + 8;\n if (iods_atom->AtomicVerFlags == 0 &&\n APar_read8(isofile, iods_offset + 4) == 0x10) {\n iods_offset += 5;\n iods_offset += APar_skip_filler(isofile, iods_offset);\n uint8_t iods_objdescrip_len = APar_read8(isofile, iods_offset);\n iods_offset++;\n if (iods_objdescrip_len >= 7) {\n iods_info.od_profile_level = APar_read8(isofile, iods_offset + 2);\n iods_info.scene_profile_level = APar_read8(isofile, iods_offset + 3);\n iods_info.audio_profile = APar_read8(isofile, iods_offset + 4);\n iods_info.video_profile_level = APar_read8(isofile, iods_offset + 5);\n iods_info.graphics_profile_level = APar_read8(isofile, iods_offset + 6);\n }\n }\n return;\n}", "project": "atomicparsley", "hash": 277384074896141257014460403709543671039, "size": 18, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417015 }, { "func": "void mem_append(const char *add_string, char *dest_string) {\n uint8_t str_len = strlen(dest_string);\n if (str_len > 0) {\n memcpy(dest_string + str_len, \", \", 2);\n memcpy(dest_string + str_len + 2, add_string, strlen(add_string));\n } else {\n memcpy(dest_string, add_string, 
strlen(add_string));\n }\n return;\n}", "project": "atomicparsley", "hash": 60652369648347309681691534134780812327, "size": 10, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417013 }, { "func": "void APar_Print_TrackDetails(TrackInfo *track_info) {\n if (track_info->max_bitrate > 0 && track_info->avg_bitrate > 0) {\n fprintf(stdout, \" %.2f kbp/s\", (float)track_info->avg_bitrate / 1000.0);\n } else { // some ffmpeg encodings have avg_bitrate set to 0, but an inexact\n // max_bitrate - actually, their esds seems a mess to me\n#if defined(_MSC_VER)\n fprintf(stdout,\n \" %.2lf* kbp/s\",\n ((double)((__int64)track_info->sample_aggregate) /\n ((double)((__int64)track_info->duration) /\n (double)((__int64)movie_info.timescale))) /\n 1000.0 * 8);\n fprintf(stdout,\n \" %.3f sec\",\n (float)track_info->duration / (float)movie_info.timescale);\n#else\n fprintf(stdout,\n \" %.2lf* kbp/s\",\n ((double)track_info->sample_aggregate /\n ((double)track_info->duration / (double)movie_info.timescale)) /\n 1000.0 * 8);\n fprintf(stdout,\n \" %.3f sec\",\n (float)track_info->duration / (float)movie_info.timescale);\n#endif\n }\n\n if (track_info->track_codec == 0x6D703476) { // mp4v profile\n APar_ShowObjectProfileInfo(MP4V_TRACK, track_info);\n } else if (track_info->track_codec == 0x6D703461 ||\n track_info->protected_codec == 0x6D703461) { // mp4a profile\n APar_ShowObjectProfileInfo(AUDIO_TRACK, track_info);\n } else if (track_info->track_codec ==\n 0x616C6163) { // alac - can't figure out a hardcoded bitrate either\n fprintf(\n stdout, \" Apple Lossless channels: [%u]\\n\", track_info->channels);\n } else if (track_info->track_codec == 0x61766331 ||\n track_info->protected_codec == 0x61766331) {\n if (track_info->avc_version == 1) { // avc profile & level\n APar_ShowObjectProfileInfo(AVC1_TRACK, track_info);\n }\n } else if 
(track_info->track_codec == 0x73323633) { // s263 in 3gp\n APar_ShowObjectProfileInfo(S263_TRACK, track_info);\n } else if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762 ||\n track_info->track_codec == 0x73617770 ||\n track_info->track_codec ==\n 0x73766D72) { // samr,sawb,sawp & svmr in 3gp\n track_info->type_of_track = S_AMR_TRACK;\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n } else if (track_info->track_codec == 0x73657663) { // evrc in 3gp\n track_info->type_of_track = EVRC_TRACK;\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n } else if (track_info->track_codec == 0x73716370) { // qcelp in 3gp\n track_info->type_of_track = QCELP_TRACK;\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n } else if (track_info->track_codec == 0x73736D76) { // smv in 3gp\n track_info->type_of_track = SMV_TRACK;\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n } else { // unknown everything, 0 hardcoded bitrate\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n fprintf(stdout, \"\\n\");\n }\n\n if (track_info->type_of_track & VIDEO_TRACK &&\n ((track_info->max_bitrate > 0 &&\n track_info->ObjectTypeIndication == 0x20) ||\n track_info->avc_version == 1 || track_info->protected_codec != 0)) {\n fprintf(stdout,\n \" %ux%u (%\" PRIu32 \" macroblocks)\\n\",\n track_info->video_width,\n track_info->video_height,\n track_info->macroblocks);\n } else if (track_info->type_of_track & VIDEO_TRACK) {\n fprintf(stdout, \"\\n\");\n }\n return;\n}", "project": "atomicparsley", "hash": 312415387240572110707737637139613228674, "size": 78, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417021 }, { "func": "void APar_Extract_d263_Info(char *uint32_buffer,\n FILE *isofile,\n short track_level_atom,\n TrackInfo 
*track_info) {\n uint64_t offset_into_d263 = 8;\n APar_readX(track_info->encoder_name,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart + offset_into_d263,\n 4);\n track_info->level = APar_read8(isofile,\n parsedAtoms[track_level_atom].AtomicStart +\n offset_into_d263 + 4 + 1);\n track_info->profile = APar_read8(isofile,\n parsedAtoms[track_level_atom].AtomicStart +\n offset_into_d263 + 4 + 2);\n // possible 'bitr' bitrate box afterwards\n return;\n}", "project": "atomicparsley", "hash": 170389225265527118918192526862948718799, "size": 18, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417008 }, { "func": "void APar_Extract_AMR_Info(char *uint32_buffer,\n FILE *isofile,\n short track_level_atom,\n TrackInfo *track_info) {\n uint32_t amr_specific_offet = 8;\n APar_readX(track_info->encoder_name,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart + amr_specific_offet,\n 4);\n if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762 ||\n track_info->track_codec ==\n 0x73766D72) { // samr,sawb & svmr contain modes only\n track_info->amr_modes = APar_read16(\n uint32_buffer,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart + amr_specific_offet + 4 + 1);\n }\n return;\n}", "project": "atomicparsley", "hash": 120362767435234697194582042432714238529, "size": 20, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417024 }, { "func": "void APar_ExtractDetails(FILE *isofile, uint8_t optional_output) {\n char uint32_buffer[5];\n Trackage track = {0};\n\n AtomicInfo *mvhdAtom = APar_FindAtom(\"moov.mvhd\", false, VERSIONED_ATOM, 0);\n if (mvhdAtom != NULL) {\n APar_ExtractMovieDetails(uint32_buffer, isofile, mvhdAtom);\n fprintf(stdout,\n \"Movie duration: %.3lf 
seconds (%s) - %.2lf* kbp/sec bitrate \"\n \"(*=approximate)\\n\",\n movie_info.seconds,\n secsTOtime(movie_info.seconds),\n movie_info.simple_bitrate_calc);\n if (optional_output & SHOW_DATE_INFO) {\n fprintf(stdout,\n \" Presentation Creation Date (UTC): %s\\n\",\n APar_extract_UTC(movie_info.creation_time));\n fprintf(stdout,\n \" Presentation Modification Date (UTC): %s\\n\",\n APar_extract_UTC(movie_info.modified_time));\n }\n }\n\n AtomicInfo *iodsAtom = APar_FindAtom(\"moov.iods\", false, VERSIONED_ATOM, 0);\n if (iodsAtom != NULL) {\n movie_info.contains_iods = true;\n APar_Extract_iods_Info(isofile, iodsAtom);\n }\n\n if (optional_output & SHOW_TRACK_INFO) {\n APar_TrackLevelInfo(&track,\n NULL); // With track_num set to 0, it will return the\n // total trak atom into total_tracks here.\n\n fprintf(\n stdout, \"Low-level details. Total tracks: %u\\n\", track.total_tracks);\n fprintf(stdout,\n \"Trk Type Handler Kind Lang Bytes\\n\");\n\n if (track.total_tracks > 0) {\n while (track.total_tracks > track.track_num) {\n track.track_num += 1;\n TrackInfo track_info = {0};\n\n // tracknum, handler type, handler name\n APar_ExtractTrackDetails(uint32_buffer, isofile, &track, &track_info);\n uint16_t more_whitespace =\n purge_extraneous_characters(track_info.track_hdlr_name);\n\n if (strlen(track_info.track_hdlr_name) == 0) {\n memcpy(track_info.track_hdlr_name, \"[none listed]\", 13);\n }\n fprintf(stdout,\n \"%u %s %s\",\n track.track_num,\n uint32tochar4(track_info.track_type, uint32_buffer),\n track_info.track_hdlr_name);\n\n uint16_t handler_len = strlen(track_info.track_hdlr_name);\n if (handler_len < 25 + more_whitespace) {\n for (uint16_t i = handler_len; i < 25 + more_whitespace; i++) {\n fprintf(stdout, \" \");\n }\n }\n\n // codec, language\n fprintf(stdout,\n \" %s %s %\" PRIu64,\n uint32tochar4(track_info.track_codec, uint32_buffer),\n track_info.unpacked_lang,\n track_info.sample_aggregate);\n\n if (track_info.encoder_name[0] != 0 && 
track_info.contains_esds) {\n purge_extraneous_characters(track_info.encoder_name);\n fprintf(stdout, \" Encoder: %s\", track_info.encoder_name);\n }\n if (track_info.type_of_track & DRM_PROTECTED_TRACK) {\n fprintf(stdout,\n \" (protected %s)\",\n uint32tochar4(track_info.protected_codec, uint32_buffer));\n }\n\n fprintf(stdout, \"\\n\");\n /*---------------------------------*/\n\n if (track_info.type_of_track & VIDEO_TRACK ||\n track_info.type_of_track & AUDIO_TRACK) {\n APar_Print_TrackDetails(&track_info);\n }\n\n if (optional_output & SHOW_DATE_INFO) {\n fprintf(stdout,\n \" Creation Date (UTC): %s\\n\",\n APar_extract_UTC(track_info.creation_time));\n fprintf(stdout,\n \" Modification Date (UTC): %s\\n\",\n APar_extract_UTC(track_info.modified_time));\n }\n }\n }\n }\n}", "project": "atomicparsley", "hash": 235760196453077041717585104526456578938, "size": 102, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 1, "dataset": "other", "idx": 208981 }, { "func": "void APar_ExtractDetails(FILE *isofile, uint8_t optional_output) {\n char uint32_buffer[8];\n Trackage track = {0};\n\n AtomicInfo *mvhdAtom = APar_FindAtom(\"moov.mvhd\", false, VERSIONED_ATOM, 0);\n if (mvhdAtom != NULL) {\n APar_ExtractMovieDetails(uint32_buffer, isofile, mvhdAtom);\n fprintf(stdout,\n \"Movie duration: %.3lf seconds (%s) - %.2lf* kbp/sec bitrate \"\n \"(*=approximate)\\n\",\n movie_info.seconds,\n secsTOtime(movie_info.seconds),\n movie_info.simple_bitrate_calc);\n if (optional_output & SHOW_DATE_INFO) {\n fprintf(stdout,\n \" Presentation Creation Date (UTC): %s\\n\",\n APar_extract_UTC(movie_info.creation_time));\n fprintf(stdout,\n \" Presentation Modification Date (UTC): %s\\n\",\n APar_extract_UTC(movie_info.modified_time));\n }\n }\n\n AtomicInfo *iodsAtom = APar_FindAtom(\"moov.iods\", false, VERSIONED_ATOM, 0);\n if (iodsAtom != NULL) {\n movie_info.contains_iods = 
true;\n APar_Extract_iods_Info(isofile, iodsAtom);\n }\n\n if (optional_output & SHOW_TRACK_INFO) {\n APar_TrackLevelInfo(&track,\n NULL); // With track_num set to 0, it will return the\n // total trak atom into total_tracks here.\n\n fprintf(\n stdout, \"Low-level details. Total tracks: %u\\n\", track.total_tracks);\n fprintf(stdout,\n \"Trk Type Handler Kind Lang Bytes\\n\");\n\n if (track.total_tracks > 0) {\n while (track.total_tracks > track.track_num) {\n track.track_num += 1;\n TrackInfo track_info = {0};\n\n // tracknum, handler type, handler name\n APar_ExtractTrackDetails(uint32_buffer, isofile, &track, &track_info);\n uint16_t more_whitespace =\n purge_extraneous_characters(track_info.track_hdlr_name);\n\n if (strlen(track_info.track_hdlr_name) == 0) {\n memcpy(track_info.track_hdlr_name, \"[none listed]\", 13);\n }\n fprintf(stdout,\n \"%u %s %s\",\n track.track_num,\n uint32tochar4(track_info.track_type, uint32_buffer),\n track_info.track_hdlr_name);\n\n uint16_t handler_len = strlen(track_info.track_hdlr_name);\n if (handler_len < 25 + more_whitespace) {\n for (uint16_t i = handler_len; i < 25 + more_whitespace; i++) {\n fprintf(stdout, \" \");\n }\n }\n\n // codec, language\n fprintf(stdout,\n \" %s %s %\" PRIu64,\n uint32tochar4(track_info.track_codec, uint32_buffer),\n track_info.unpacked_lang,\n track_info.sample_aggregate);\n\n if (track_info.encoder_name[0] != 0 && track_info.contains_esds) {\n purge_extraneous_characters(track_info.encoder_name);\n fprintf(stdout, \" Encoder: %s\", track_info.encoder_name);\n }\n if (track_info.type_of_track & DRM_PROTECTED_TRACK) {\n fprintf(stdout,\n \" (protected %s)\",\n uint32tochar4(track_info.protected_codec, uint32_buffer));\n }\n\n fprintf(stdout, \"\\n\");\n /*---------------------------------*/\n\n if (track_info.type_of_track & VIDEO_TRACK ||\n track_info.type_of_track & AUDIO_TRACK) {\n APar_Print_TrackDetails(&track_info);\n }\n\n if (optional_output & SHOW_DATE_INFO) {\n fprintf(stdout,\n \" 
Creation Date (UTC): %s\\n\",\n APar_extract_UTC(track_info.creation_time));\n fprintf(stdout,\n \" Modification Date (UTC): %s\\n\",\n APar_extract_UTC(track_info.modified_time));\n }\n }\n }\n }\n}", "project": "atomicparsley", "hash": 27305014511647361793546293488526992046, "size": 102, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417017 }, { "func": "void APar_Extract_esds_Info(char *uint32_buffer,\n FILE *isofile,\n short track_level_atom,\n TrackInfo *track_info) {\n uint64_t offset_into_stsd = 0;\n\n while (offset_into_stsd < parsedAtoms[track_level_atom].AtomicLength) {\n offset_into_stsd++;\n if (APar_read32(uint32_buffer,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart +\n offset_into_stsd) == 0x65736473) {\n track_info->contains_esds = true;\n\n uint64_t esds_start =\n parsedAtoms[track_level_atom].AtomicStart + offset_into_stsd - 4;\n uint64_t esds_length = APar_read32(uint32_buffer, isofile, esds_start);\n uint64_t offset_into_esds =\n 12; // 4bytes length + 4 bytes name + 4bytes null\n\n if (APar_read8(isofile, esds_start + offset_into_esds) == 0x03) {\n offset_into_esds++;\n offset_into_esds +=\n APar_skip_filler(isofile, esds_start + offset_into_esds);\n }\n\n uint8_t section3_length =\n APar_read8(isofile, esds_start + offset_into_esds);\n if (section3_length <= esds_length && section3_length != 0) {\n track_info->section3_length = section3_length;\n } else {\n break;\n }\n\n // for whatever reason, when mp4box muxes in ogg into an mp4 container,\n // section 3 gets a 0x9D byte (which doesn't fall inline with what AP\n // considers 'filler') then again, I haven't *completely* read the ISO\n // specifications, so I could just be missing it the the ->voluminous<-\n // 14496-X specifications.\n uint8_t test_byte =\n APar_read8(isofile, esds_start + offset_into_esds + 1);\n if (test_byte != 0) {\n 
offset_into_esds++;\n }\n\n offset_into_esds += 4; // 1 bytes section 0x03 length + 2 bytes + 1 byte\n\n if (APar_read8(isofile, esds_start + offset_into_esds) == 0x04) {\n offset_into_esds++;\n offset_into_esds +=\n APar_skip_filler(isofile, esds_start + offset_into_esds);\n }\n\n uint8_t section4_length =\n APar_read8(isofile, esds_start + offset_into_esds);\n if (section4_length <= section3_length && section4_length != 0) {\n track_info->section4_length = section4_length;\n\n if (section4_length == 0x9D)\n offset_into_esds++; // upper limit? when gpac puts an ogg in, section\n // 3 is 9D - so is sec4 (section 4 real length\n // with ogg = 0x0E86)\n\n offset_into_esds++;\n track_info->ObjectTypeIndication =\n APar_read8(isofile, esds_start + offset_into_esds);\n\n // this is just so that ogg in mp4 won't have some bizarre high bitrate\n // of like 2.8megabits/sec\n uint8_t a_v_flag =\n APar_read8(isofile,\n esds_start + offset_into_esds +\n 1); // mp4box with ogg will set this to DD,\n // mp4a has it as 0x40, mp4v has 0x20\n\n if (track_info->ObjectTypeIndication < 0xC0 &&\n a_v_flag < 0xA0) { // 0xC0 marks user streams; but things below that\n // might still be wrong (like 0x6D - png)\n offset_into_esds += 5;\n track_info->max_bitrate = APar_read32(\n uint32_buffer, isofile, esds_start + offset_into_esds);\n offset_into_esds += 4;\n track_info->avg_bitrate = APar_read32(\n uint32_buffer, isofile, esds_start + offset_into_esds);\n offset_into_esds += 4;\n }\n } else {\n break;\n }\n\n if (APar_read8(isofile, esds_start + offset_into_esds) == 0x05) {\n offset_into_esds++;\n offset_into_esds +=\n APar_skip_filler(isofile, esds_start + offset_into_esds);\n\n uint8_t section5_length =\n APar_read8(isofile, esds_start + offset_into_esds);\n if ((section5_length <= section4_length || section4_length == 1) &&\n section5_length != 0) {\n track_info->section5_length = section5_length;\n offset_into_esds += 1;\n\n if (track_info->type_of_track & AUDIO_TRACK) {\n uint8_t 
packed_objID = APar_read8(\n isofile,\n esds_start + offset_into_esds); // its packed with channel, but\n // channel is fetched separately\n track_info->descriptor_object_typeID = packed_objID >> 3;\n offset_into_esds += 1;\n\n track_info->channels = (uint16_t)APar_ExtractChannelInfo(\n isofile, esds_start + offset_into_esds);\n\n } else if (track_info->type_of_track & VIDEO_TRACK) {\n // technically, visual_object_sequence_start_code should be tested\n // aginst 0x000001B0\n if (APar_read16(uint32_buffer,\n isofile,\n esds_start + offset_into_esds + 2) == 0x01B0) {\n track_info->m4v_profile =\n APar_read8(isofile, esds_start + offset_into_esds + 2 + 2);\n }\n }\n }\n break; // uh, I've extracted the pertinent info\n }\n }\n if (offset_into_stsd > parsedAtoms[track_level_atom].AtomicLength) {\n break;\n }\n }\n if ((track_info->section5_length == 0 &&\n track_info->type_of_track & AUDIO_TRACK) ||\n track_info->channels == 0) {\n track_info->channels = APar_read16(\n uint32_buffer, isofile, parsedAtoms[track_level_atom].AtomicStart + 40);\n }\n return;\n}", "project": "atomicparsley", "hash": 338529420259989405369420107226016196272, "size": 139, "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1", "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32", "target": 0, "dataset": "other", "idx": 417018 } ] }, { "call_depth": 4, "longest_call_chain": [ "v4l_enumstd", "v4l_video_std_enumstd", "v4l2_video_std_construct", "v4l2_video_std_frame_period" ], "group_size": 21, "functions": [ { "func": "static int v4l_dqbuf(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_buffer *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\treturn ret ? 
ret : ops->vidioc_dqbuf(file, fh, p);\n}", "project": "linux", "hash": 52691748936560615690582291522302673890, "size": 8, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381470 }, { "func": "static int v4l_create_bufs(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_create_buffers *create = arg;\n\tint ret = check_fmt(file, create->format.type);\n\n\tif (ret)\n\t\treturn ret;\n\n\tCLEAR_AFTER_FIELD(create, capabilities);\n\n\tv4l_sanitize_format(&create->format);\n\n\tret = ops->vidioc_create_bufs(file, fh, create);\n\n\tif (create->format.type == V4L2_BUF_TYPE_VIDEO_CAPTURE ||\n\t create->format.type == V4L2_BUF_TYPE_VIDEO_OUTPUT)\n\t\tcreate->format.fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\n\treturn ret;\n}", "project": "linux", "hash": 62121059000265789082663182956814599375, "size": 21, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was 
released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381476 }, { "func": "static int v4l_prepare_buf(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_buffer *b = arg;\n\tint ret = check_fmt(file, b->type);\n\n\treturn ret ? ret : ops->vidioc_prepare_buf(file, fh, b);\n}", "project": "linux", "hash": 93593508668867886508753059939189803048, "size": 8, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381446 }, { "func": "static int v4l_g_parm(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_streamparm *p = arg;\n\tv4l2_std_id std;\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\tif (ops->vidioc_g_parm)\n\t\treturn ops->vidioc_g_parm(file, fh, p);\n\tif (p->type != V4L2_BUF_TYPE_VIDEO_CAPTURE &&\n\t p->type != V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)\n\t\treturn -EINVAL;\n\tp->parm.capture.readbuffers = 2;\n\tret = ops->vidioc_g_std(file, fh, &std);\n\tif (ret == 0)\n\t\tv4l2_video_std_frame_period(std, &p->parm.capture.timeperframe);\n\treturn ret;\n}", "project": "linux", "hash": 285217389858183627080514663830040305361, "size": 20, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381463 }, { "func": "static int v4l_reqbufs(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_requestbuffers *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\n\tCLEAR_AFTER_FIELD(p, capabilities);\n\n\treturn ops->vidioc_reqbufs(file, fh, p);\n}", "project": "linux", "hash": 240349342782416093504801919514051773914, "size": 13, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381542 }, { "func": "int v4l2_video_std_construct(struct v4l2_standard *vs,\n\t\t\t int id, const char *name)\n{\n\tvs->id = id;\n\tv4l2_video_std_frame_period(id, &vs->frameperiod);\n\tvs->framelines = (id & V4L2_STD_525_60) ? 525 : 625;\n\tstrscpy(vs->name, name, sizeof(vs->name));\n\treturn 0;\n}", "project": "linux", "hash": 120352557544698135776876024147406169370, "size": 9, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381439 }, { "func": "int v4l_video_std_enumstd(struct v4l2_standard *vs, v4l2_std_id id)\n{\n\tv4l2_std_id curr_id = 0;\n\tunsigned int index = vs->index, i, j = 0;\n\tconst char *descr = \"\";\n\n\t/* Return -ENODATA if the id for the current input\n\t or output is 0, meaning that it doesn't support this API. */\n\tif (id == 0)\n\t\treturn -ENODATA;\n\n\t/* Return norm array in a canonical way */\n\tfor (i = 0; i <= index && id; i++) {\n\t\t/* last std value in the standards array is 0, so this\n\t\t while always ends there since (id & 0) == 0. */\n\t\twhile ((id & standards[j].std) != standards[j].std)\n\t\t\tj++;\n\t\tcurr_id = standards[j].std;\n\t\tdescr = standards[j].descr;\n\t\tj++;\n\t\tif (curr_id == 0)\n\t\t\tbreak;\n\t\tif (curr_id != V4L2_STD_PAL &&\n\t\t\t\tcurr_id != V4L2_STD_SECAM &&\n\t\t\t\tcurr_id != V4L2_STD_NTSC)\n\t\t\tid &= ~curr_id;\n\t}\n\tif (i <= index)\n\t\treturn -EINVAL;\n\n\tv4l2_video_std_construct(vs, curr_id, descr);\n\treturn 0;\n}", "project": "linux", "hash": 178397725439587788310168144641963259498, "size": 33, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381433 }, { "func": "void v4l2_video_std_frame_period(int id, struct v4l2_fract *frameperiod)\n{\n\tif (id & V4L2_STD_525_60) {\n\t\tframeperiod->numerator = 1001;\n\t\tframeperiod->denominator = 30000;\n\t} else {\n\t\tframeperiod->numerator = 1;\n\t\tframeperiod->denominator = 25;\n\t}\n}", "project": "linux", "hash": 148089183722148806808021314289397622229, "size": 10, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381520 }, { "func": "static int v4l_qbuf(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_buffer *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\treturn ret ? ret : ops->vidioc_qbuf(file, fh, p);\n}", "project": "linux", "hash": 157222351844404168784673082968847329956, "size": 8, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381445 }, { "func": "static int v4l_g_sliced_vbi_cap(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_sliced_vbi_cap *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\n\t/* Clear up to type, everything after type is zeroed already */\n\tmemset(p, 0, offsetof(struct v4l2_sliced_vbi_cap, type));\n\n\treturn ops->vidioc_g_sliced_vbi_cap(file, fh, p);\n}", "project": "linux", "hash": 329128045205648246809876828593763808289, "size": 14, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381454 }, { "func": "static void v4l_pix_format_touch(struct v4l2_pix_format *p)\n{\n\t/*\n\t * The v4l2_pix_format structure contains fields that make no sense for\n\t * touch. Set them to default values in this case.\n\t */\n\n\tp->field = V4L2_FIELD_NONE;\n\tp->colorspace = V4L2_COLORSPACE_RAW;\n\tp->flags = 0;\n\tp->ycbcr_enc = 0;\n\tp->quantization = 0;\n\tp->xfer_func = 0;\n}", "project": "linux", "hash": 137219025372022743751639520916036802044, "size": 14, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381474 }, { "func": "static int v4l_enum_fmt(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct video_device *vdev = video_devdata(file);\n\tstruct v4l2_fmtdesc *p = arg;\n\tint ret = check_fmt(file, p->type);\n\tu32 mbus_code;\n\tu32 cap_mask;\n\n\tif (ret)\n\t\treturn ret;\n\tret = -EINVAL;\n\n\tif (!(vdev->device_caps & V4L2_CAP_IO_MC))\n\t\tp->mbus_code = 0;\n\n\tmbus_code = p->mbus_code;\n\tCLEAR_AFTER_FIELD(p, type);\n\tp->mbus_code = mbus_code;\n\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\tcap_mask = V4L2_CAP_VIDEO_CAPTURE_MPLANE |\n\t\t\t V4L2_CAP_VIDEO_M2M_MPLANE;\n\t\tif (!!(vdev->device_caps & cap_mask) !=\n\t\t (p->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE))\n\t\t\tbreak;\n\n\t\tif (unlikely(!ops->vidioc_enum_fmt_vid_cap))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_vid_cap(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_vid_overlay))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_vid_overlay(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\tcap_mask = V4L2_CAP_VIDEO_OUTPUT_MPLANE |\n\t\t\t V4L2_CAP_VIDEO_M2M_MPLANE;\n\t\tif (!!(vdev->device_caps & cap_mask) !=\n\t\t (p->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE))\n\t\t\tbreak;\n\n\t\tif 
(unlikely(!ops->vidioc_enum_fmt_vid_out))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_vid_out(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_sdr_cap))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_sdr_cap(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_sdr_out))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_sdr_out(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_meta_cap))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_meta_cap(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_meta_out))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_meta_out(file, fh, arg);\n\t\tbreak;\n\t}\n\tif (ret == 0)\n\t\tv4l_fill_fmtdesc(p);\n\treturn ret;\n}", "project": "linux", "hash": 90328786900484574553755598205915494385, "size": 75, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381443 }, { "func": "static void v4l_sanitize_format(struct v4l2_format *fmt)\n{\n\tunsigned int offset;\n\n\t/* Make sure num_planes is not bogus */\n\tif (fmt->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE ||\n\t fmt->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE)\n\t\tfmt->fmt.pix_mp.num_planes = min_t(u32, fmt->fmt.pix_mp.num_planes,\n\t\t\t\t\t VIDEO_MAX_PLANES);\n\n\t/*\n\t * The v4l2_pix_format structure has been extended with fields that were\n\t * not previously required to be set to zero by applications. The priv\n\t * field, when set to a magic value, indicates the the extended fields\n\t * are valid. Otherwise they will contain undefined values. 
To simplify\n\t * the API towards drivers zero the extended fields and set the priv\n\t * field to the magic value when the extended pixel format structure\n\t * isn't used by applications.\n\t */\n\n\tif (fmt->type != V4L2_BUF_TYPE_VIDEO_CAPTURE &&\n\t fmt->type != V4L2_BUF_TYPE_VIDEO_OUTPUT)\n\t\treturn;\n\n\tif (fmt->fmt.pix.priv == V4L2_PIX_FMT_PRIV_MAGIC)\n\t\treturn;\n\n\tfmt->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\n\toffset = offsetof(struct v4l2_pix_format, priv)\n\t + sizeof(fmt->fmt.pix.priv);\n\tmemset(((void *)&fmt->fmt.pix) + offset, 0,\n\t sizeof(fmt->fmt.pix) - offset);\n}", "project": "linux", "hash": 25238072194471410135196938329748927821, "size": 34, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381536 }, { "func": "static int v4l_querybuf(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_buffer *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\treturn ret ? 
ret : ops->vidioc_querybuf(file, fh, p);\n}", "project": "linux", "hash": 249838897503378101136415139617656208493, "size": 8, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381466 }, { "func": "static int v4l_enumstd(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct video_device *vfd = video_devdata(file);\n\tstruct v4l2_standard *p = arg;\n\n\treturn v4l_video_std_enumstd(p, vfd->tvnorms);\n}", "project": "linux", "hash": 159782614002686590299693129890328166837, "size": 8, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381486 }, { "func": "static int v4l_g_fmt(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_format *p = arg;\n\tstruct video_device *vfd = video_devdata(file);\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\n\t/*\n\t * fmt can't be cleared for these overlay types due to the 'clips'\n\t * 'clipcount' and 'bitmap' pointers in struct v4l2_window.\n\t * Those are provided by the user. 
So handle these two overlay types\n\t * first, and then just do a simple memset for the other types.\n\t */\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: {\n\t\tstruct v4l2_clip *clips = p->fmt.win.clips;\n\t\tu32 clipcount = p->fmt.win.clipcount;\n\t\tvoid __user *bitmap = p->fmt.win.bitmap;\n\n\t\tmemset(&p->fmt, 0, sizeof(p->fmt));\n\t\tp->fmt.win.clips = clips;\n\t\tp->fmt.win.clipcount = clipcount;\n\t\tp->fmt.win.bitmap = bitmap;\n\t\tbreak;\n\t}\n\tdefault:\n\t\tmemset(&p->fmt, 0, sizeof(p->fmt));\n\t\tbreak;\n\t}\n\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_g_fmt_vid_cap))\n\t\t\tbreak;\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tret = ops->vidioc_g_fmt_vid_cap(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tif (vfd->vfl_type == VFL_TYPE_TOUCH)\n\t\t\tv4l_pix_format_touch(&p->fmt.pix);\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\treturn ops->vidioc_g_fmt_vid_cap_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\treturn ops->vidioc_g_fmt_vid_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_CAPTURE:\n\t\treturn ops->vidioc_g_fmt_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:\n\t\treturn ops->vidioc_g_fmt_sliced_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_g_fmt_vid_out))\n\t\t\tbreak;\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tret = ops->vidioc_g_fmt_vid_out(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\treturn ops->vidioc_g_fmt_vid_out_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:\n\t\treturn ops->vidioc_g_fmt_vid_out_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_OUTPUT:\n\t\treturn 
ops->vidioc_g_fmt_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:\n\t\treturn ops->vidioc_g_fmt_sliced_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\treturn ops->vidioc_g_fmt_sdr_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\treturn ops->vidioc_g_fmt_sdr_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\treturn ops->vidioc_g_fmt_meta_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\treturn ops->vidioc_g_fmt_meta_out(file, fh, arg);\n\t}\n\treturn -EINVAL;\n}", "project": "linux", "hash": 235318075384291975866263478208759487946, "size": 80, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381427 }, { "func": "static void v4l_fill_fmtdesc(struct v4l2_fmtdesc *fmt)\n{\n\tconst unsigned sz = sizeof(fmt->description);\n\tconst char *descr = NULL;\n\tu32 flags = 0;\n\n\t/*\n\t * We depart from the normal coding style here since the descriptions\n\t * should be aligned so it is easy to see which descriptions will be\n\t * longer than 31 characters (the max length for a description).\n\t * And frankly, this is easier to read anyway.\n\t *\n\t * Note that gcc will use O(log N) 
comparisons to find the right case.\n\t */\n\tswitch (fmt->pixelformat) {\n\t/* Max description length mask:\tdescr = \"0123456789012345678901234567890\" */\n\tcase V4L2_PIX_FMT_RGB332:\tdescr = \"8-bit RGB 3-3-2\"; break;\n\tcase V4L2_PIX_FMT_RGB444:\tdescr = \"16-bit A/XRGB 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_ARGB444:\tdescr = \"16-bit ARGB 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_XRGB444:\tdescr = \"16-bit XRGB 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_RGBA444:\tdescr = \"16-bit RGBA 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_RGBX444:\tdescr = \"16-bit RGBX 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_ABGR444:\tdescr = \"16-bit ABGR 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_XBGR444:\tdescr = \"16-bit XBGR 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_BGRA444:\tdescr = \"16-bit BGRA 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_BGRX444:\tdescr = \"16-bit BGRX 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_RGB555:\tdescr = \"16-bit A/XRGB 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_ARGB555:\tdescr = \"16-bit ARGB 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_XRGB555:\tdescr = \"16-bit XRGB 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_ABGR555:\tdescr = \"16-bit ABGR 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_XBGR555:\tdescr = \"16-bit XBGR 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_RGBA555:\tdescr = \"16-bit RGBA 5-5-5-1\"; break;\n\tcase V4L2_PIX_FMT_RGBX555:\tdescr = \"16-bit RGBX 5-5-5-1\"; break;\n\tcase V4L2_PIX_FMT_BGRA555:\tdescr = \"16-bit BGRA 5-5-5-1\"; break;\n\tcase V4L2_PIX_FMT_BGRX555:\tdescr = \"16-bit BGRX 5-5-5-1\"; break;\n\tcase V4L2_PIX_FMT_RGB565:\tdescr = \"16-bit RGB 5-6-5\"; break;\n\tcase V4L2_PIX_FMT_RGB555X:\tdescr = \"16-bit A/XRGB 1-5-5-5 BE\"; break;\n\tcase V4L2_PIX_FMT_ARGB555X:\tdescr = \"16-bit ARGB 1-5-5-5 BE\"; break;\n\tcase V4L2_PIX_FMT_XRGB555X:\tdescr = \"16-bit XRGB 1-5-5-5 BE\"; break;\n\tcase V4L2_PIX_FMT_RGB565X:\tdescr = \"16-bit RGB 5-6-5 BE\"; break;\n\tcase V4L2_PIX_FMT_BGR666:\tdescr = \"18-bit BGRX 6-6-6-14\"; break;\n\tcase V4L2_PIX_FMT_BGR24:\tdescr = \"24-bit BGR 8-8-8\"; 
break;\n\tcase V4L2_PIX_FMT_RGB24:\tdescr = \"24-bit RGB 8-8-8\"; break;\n\tcase V4L2_PIX_FMT_BGR32:\tdescr = \"32-bit BGRA/X 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_ABGR32:\tdescr = \"32-bit BGRA 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_XBGR32:\tdescr = \"32-bit BGRX 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_RGB32:\tdescr = \"32-bit A/XRGB 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_ARGB32:\tdescr = \"32-bit ARGB 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_XRGB32:\tdescr = \"32-bit XRGB 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_BGRA32:\tdescr = \"32-bit ABGR 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_BGRX32:\tdescr = \"32-bit XBGR 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_RGBA32:\tdescr = \"32-bit RGBA 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_RGBX32:\tdescr = \"32-bit RGBX 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_GREY:\t\tdescr = \"8-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y4:\t\tdescr = \"4-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y6:\t\tdescr = \"6-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y10:\t\tdescr = \"10-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y12:\t\tdescr = \"12-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y14:\t\tdescr = \"14-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y16:\t\tdescr = \"16-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y16_BE:\tdescr = \"16-bit Greyscale BE\"; break;\n\tcase V4L2_PIX_FMT_Y10BPACK:\tdescr = \"10-bit Greyscale (Packed)\"; break;\n\tcase V4L2_PIX_FMT_Y10P:\t\tdescr = \"10-bit Greyscale (MIPI Packed)\"; break;\n\tcase V4L2_PIX_FMT_Y8I:\t\tdescr = \"Interleaved 8-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y12I:\t\tdescr = \"Interleaved 12-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Z16:\t\tdescr = \"16-bit Depth\"; break;\n\tcase V4L2_PIX_FMT_INZI:\t\tdescr = \"Planar 10:16 Greyscale Depth\"; break;\n\tcase V4L2_PIX_FMT_CNF4:\t\tdescr = \"4-bit Depth Confidence (Packed)\"; break;\n\tcase V4L2_PIX_FMT_PAL8:\t\tdescr = \"8-bit Palette\"; break;\n\tcase V4L2_PIX_FMT_UV8:\t\tdescr = \"8-bit Chrominance UV 4-4\"; break;\n\tcase 
V4L2_PIX_FMT_YVU410:\tdescr = \"Planar YVU 4:1:0\"; break;\n\tcase V4L2_PIX_FMT_YVU420:\tdescr = \"Planar YVU 4:2:0\"; break;\n\tcase V4L2_PIX_FMT_YUYV:\t\tdescr = \"YUYV 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_YYUV:\t\tdescr = \"YYUV 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_YVYU:\t\tdescr = \"YVYU 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_UYVY:\t\tdescr = \"UYVY 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_VYUY:\t\tdescr = \"VYUY 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_YUV422P:\tdescr = \"Planar YUV 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_YUV411P:\tdescr = \"Planar YUV 4:1:1\"; break;\n\tcase V4L2_PIX_FMT_Y41P:\t\tdescr = \"YUV 4:1:1 (Packed)\"; break;\n\tcase V4L2_PIX_FMT_YUV444:\tdescr = \"16-bit A/XYUV 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_YUV555:\tdescr = \"16-bit A/XYUV 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_YUV565:\tdescr = \"16-bit YUV 5-6-5\"; break;\n\tcase V4L2_PIX_FMT_YUV32:\tdescr = \"32-bit A/XYUV 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_AYUV32:\tdescr = \"32-bit AYUV 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_XYUV32:\tdescr = \"32-bit XYUV 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_VUYA32:\tdescr = \"32-bit VUYA 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_VUYX32:\tdescr = \"32-bit VUYX 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_YUV410:\tdescr = \"Planar YUV 4:1:0\"; break;\n\tcase V4L2_PIX_FMT_YUV420:\tdescr = \"Planar YUV 4:2:0\"; break;\n\tcase V4L2_PIX_FMT_HI240:\tdescr = \"8-bit Dithered RGB (BTTV)\"; break;\n\tcase V4L2_PIX_FMT_HM12:\t\tdescr = \"YUV 4:2:0 (16x16 Macroblocks)\"; break;\n\tcase V4L2_PIX_FMT_M420:\t\tdescr = \"YUV 4:2:0 (M420)\"; break;\n\tcase V4L2_PIX_FMT_NV12:\t\tdescr = \"Y/CbCr 4:2:0\"; break;\n\tcase V4L2_PIX_FMT_NV21:\t\tdescr = \"Y/CrCb 4:2:0\"; break;\n\tcase V4L2_PIX_FMT_NV16:\t\tdescr = \"Y/CbCr 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_NV61:\t\tdescr = \"Y/CrCb 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_NV24:\t\tdescr = \"Y/CbCr 4:4:4\"; break;\n\tcase V4L2_PIX_FMT_NV42:\t\tdescr = \"Y/CrCb 4:4:4\"; break;\n\tcase V4L2_PIX_FMT_NV12M:\tdescr = \"Y/CbCr 4:2:0 (N-C)\"; 
break;\n\tcase V4L2_PIX_FMT_NV21M:\tdescr = \"Y/CrCb 4:2:0 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV16M:\tdescr = \"Y/CbCr 4:2:2 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV61M:\tdescr = \"Y/CrCb 4:2:2 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV12MT:\tdescr = \"Y/CbCr 4:2:0 (64x32 MB, N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV12MT_16X16:\tdescr = \"Y/CbCr 4:2:0 (16x16 MB, N-C)\"; break;\n\tcase V4L2_PIX_FMT_YUV420M:\tdescr = \"Planar YUV 4:2:0 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YVU420M:\tdescr = \"Planar YVU 4:2:0 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YUV422M:\tdescr = \"Planar YUV 4:2:2 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YVU422M:\tdescr = \"Planar YVU 4:2:2 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YUV444M:\tdescr = \"Planar YUV 4:4:4 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YVU444M:\tdescr = \"Planar YVU 4:4:4 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_SBGGR8:\tdescr = \"8-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG8:\tdescr = \"8-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG8:\tdescr = \"8-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB8:\tdescr = \"8-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SBGGR10:\tdescr = \"10-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG10:\tdescr = \"10-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG10:\tdescr = \"10-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB10:\tdescr = \"10-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SBGGR10P:\tdescr = \"10-bit Bayer BGBG/GRGR Packed\"; break;\n\tcase V4L2_PIX_FMT_SGBRG10P:\tdescr = \"10-bit Bayer GBGB/RGRG Packed\"; break;\n\tcase V4L2_PIX_FMT_SGRBG10P:\tdescr = \"10-bit Bayer GRGR/BGBG Packed\"; break;\n\tcase V4L2_PIX_FMT_SRGGB10P:\tdescr = \"10-bit Bayer RGRG/GBGB Packed\"; break;\n\tcase V4L2_PIX_FMT_IPU3_SBGGR10: descr = \"10-bit bayer BGGR IPU3 Packed\"; break;\n\tcase V4L2_PIX_FMT_IPU3_SGBRG10: descr = \"10-bit bayer GBRG IPU3 Packed\"; break;\n\tcase V4L2_PIX_FMT_IPU3_SGRBG10: descr = \"10-bit bayer GRBG IPU3 Packed\"; break;\n\tcase 
V4L2_PIX_FMT_IPU3_SRGGB10: descr = \"10-bit bayer RGGB IPU3 Packed\"; break;\n\tcase V4L2_PIX_FMT_SBGGR10ALAW8:\tdescr = \"8-bit Bayer BGBG/GRGR (A-law)\"; break;\n\tcase V4L2_PIX_FMT_SGBRG10ALAW8:\tdescr = \"8-bit Bayer GBGB/RGRG (A-law)\"; break;\n\tcase V4L2_PIX_FMT_SGRBG10ALAW8:\tdescr = \"8-bit Bayer GRGR/BGBG (A-law)\"; break;\n\tcase V4L2_PIX_FMT_SRGGB10ALAW8:\tdescr = \"8-bit Bayer RGRG/GBGB (A-law)\"; break;\n\tcase V4L2_PIX_FMT_SBGGR10DPCM8:\tdescr = \"8-bit Bayer BGBG/GRGR (DPCM)\"; break;\n\tcase V4L2_PIX_FMT_SGBRG10DPCM8:\tdescr = \"8-bit Bayer GBGB/RGRG (DPCM)\"; break;\n\tcase V4L2_PIX_FMT_SGRBG10DPCM8:\tdescr = \"8-bit Bayer GRGR/BGBG (DPCM)\"; break;\n\tcase V4L2_PIX_FMT_SRGGB10DPCM8:\tdescr = \"8-bit Bayer RGRG/GBGB (DPCM)\"; break;\n\tcase V4L2_PIX_FMT_SBGGR12:\tdescr = \"12-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG12:\tdescr = \"12-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG12:\tdescr = \"12-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB12:\tdescr = \"12-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SBGGR12P:\tdescr = \"12-bit Bayer BGBG/GRGR Packed\"; break;\n\tcase V4L2_PIX_FMT_SGBRG12P:\tdescr = \"12-bit Bayer GBGB/RGRG Packed\"; break;\n\tcase V4L2_PIX_FMT_SGRBG12P:\tdescr = \"12-bit Bayer GRGR/BGBG Packed\"; break;\n\tcase V4L2_PIX_FMT_SRGGB12P:\tdescr = \"12-bit Bayer RGRG/GBGB Packed\"; break;\n\tcase V4L2_PIX_FMT_SBGGR14:\tdescr = \"14-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG14:\tdescr = \"14-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG14:\tdescr = \"14-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB14:\tdescr = \"14-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SBGGR14P:\tdescr = \"14-bit Bayer BGBG/GRGR Packed\"; break;\n\tcase V4L2_PIX_FMT_SGBRG14P:\tdescr = \"14-bit Bayer GBGB/RGRG Packed\"; break;\n\tcase V4L2_PIX_FMT_SGRBG14P:\tdescr = \"14-bit Bayer GRGR/BGBG Packed\"; break;\n\tcase V4L2_PIX_FMT_SRGGB14P:\tdescr = \"14-bit Bayer RGRG/GBGB 
Packed\"; break;\n\tcase V4L2_PIX_FMT_SBGGR16:\tdescr = \"16-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG16:\tdescr = \"16-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG16:\tdescr = \"16-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB16:\tdescr = \"16-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SN9C20X_I420:\tdescr = \"GSPCA SN9C20X I420\"; break;\n\tcase V4L2_PIX_FMT_SPCA501:\tdescr = \"GSPCA SPCA501\"; break;\n\tcase V4L2_PIX_FMT_SPCA505:\tdescr = \"GSPCA SPCA505\"; break;\n\tcase V4L2_PIX_FMT_SPCA508:\tdescr = \"GSPCA SPCA508\"; break;\n\tcase V4L2_PIX_FMT_STV0680:\tdescr = \"GSPCA STV0680\"; break;\n\tcase V4L2_PIX_FMT_TM6000:\tdescr = \"A/V + VBI Mux Packet\"; break;\n\tcase V4L2_PIX_FMT_CIT_YYVYUY:\tdescr = \"GSPCA CIT YYVYUY\"; break;\n\tcase V4L2_PIX_FMT_KONICA420:\tdescr = \"GSPCA KONICA420\"; break;\n\tcase V4L2_PIX_FMT_HSV24:\tdescr = \"24-bit HSV 8-8-8\"; break;\n\tcase V4L2_PIX_FMT_HSV32:\tdescr = \"32-bit XHSV 8-8-8-8\"; break;\n\tcase V4L2_SDR_FMT_CU8:\t\tdescr = \"Complex U8\"; break;\n\tcase V4L2_SDR_FMT_CU16LE:\tdescr = \"Complex U16LE\"; break;\n\tcase V4L2_SDR_FMT_CS8:\t\tdescr = \"Complex S8\"; break;\n\tcase V4L2_SDR_FMT_CS14LE:\tdescr = \"Complex S14LE\"; break;\n\tcase V4L2_SDR_FMT_RU12LE:\tdescr = \"Real U12LE\"; break;\n\tcase V4L2_SDR_FMT_PCU16BE:\tdescr = \"Planar Complex U16BE\"; break;\n\tcase V4L2_SDR_FMT_PCU18BE:\tdescr = \"Planar Complex U18BE\"; break;\n\tcase V4L2_SDR_FMT_PCU20BE:\tdescr = \"Planar Complex U20BE\"; break;\n\tcase V4L2_TCH_FMT_DELTA_TD16:\tdescr = \"16-bit Signed Deltas\"; break;\n\tcase V4L2_TCH_FMT_DELTA_TD08:\tdescr = \"8-bit Signed Deltas\"; break;\n\tcase V4L2_TCH_FMT_TU16:\t\tdescr = \"16-bit Unsigned Touch Data\"; break;\n\tcase V4L2_TCH_FMT_TU08:\t\tdescr = \"8-bit Unsigned Touch Data\"; break;\n\tcase V4L2_META_FMT_VSP1_HGO:\tdescr = \"R-Car VSP1 1-D Histogram\"; break;\n\tcase V4L2_META_FMT_VSP1_HGT:\tdescr = \"R-Car VSP1 2-D Histogram\"; break;\n\tcase 
V4L2_META_FMT_UVC:\t\tdescr = \"UVC Payload Header Metadata\"; break;\n\tcase V4L2_META_FMT_D4XX:\tdescr = \"Intel D4xx UVC Metadata\"; break;\n\tcase V4L2_META_FMT_VIVID: descr = \"Vivid Metadata\"; break;\n\tcase V4L2_META_FMT_RK_ISP1_PARAMS:\tdescr = \"Rockchip ISP1 3A Parameters\"; break;\n\tcase V4L2_META_FMT_RK_ISP1_STAT_3A:\tdescr = \"Rockchip ISP1 3A Statistics\"; break;\n\n\tdefault:\n\t\t/* Compressed formats */\n\t\tflags = V4L2_FMT_FLAG_COMPRESSED;\n\t\tswitch (fmt->pixelformat) {\n\t\t/* Max description length mask:\tdescr = \"0123456789012345678901234567890\" */\n\t\tcase V4L2_PIX_FMT_MJPEG:\tdescr = \"Motion-JPEG\"; break;\n\t\tcase V4L2_PIX_FMT_JPEG:\t\tdescr = \"JFIF JPEG\"; break;\n\t\tcase V4L2_PIX_FMT_DV:\t\tdescr = \"1394\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG:\t\tdescr = \"MPEG-1/2/4\"; break;\n\t\tcase V4L2_PIX_FMT_H264:\t\tdescr = \"H.264\"; break;\n\t\tcase V4L2_PIX_FMT_H264_NO_SC:\tdescr = \"H.264 (No Start Codes)\"; break;\n\t\tcase V4L2_PIX_FMT_H264_MVC:\tdescr = \"H.264 MVC\"; break;\n\t\tcase V4L2_PIX_FMT_H264_SLICE:\tdescr = \"H.264 Parsed Slice Data\"; break;\n\t\tcase V4L2_PIX_FMT_H263:\t\tdescr = \"H.263\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG1:\tdescr = \"MPEG-1 ES\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG2:\tdescr = \"MPEG-2 ES\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG2_SLICE:\tdescr = \"MPEG-2 Parsed Slice Data\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG4:\tdescr = \"MPEG-4 Part 2 ES\"; break;\n\t\tcase V4L2_PIX_FMT_XVID:\t\tdescr = \"Xvid\"; break;\n\t\tcase V4L2_PIX_FMT_VC1_ANNEX_G:\tdescr = \"VC-1 (SMPTE 412M Annex G)\"; break;\n\t\tcase V4L2_PIX_FMT_VC1_ANNEX_L:\tdescr = \"VC-1 (SMPTE 412M Annex L)\"; break;\n\t\tcase V4L2_PIX_FMT_VP8:\t\tdescr = \"VP8\"; break;\n\t\tcase V4L2_PIX_FMT_VP8_FRAME: descr = \"VP8 Frame\"; break;\n\t\tcase V4L2_PIX_FMT_VP9:\t\tdescr = \"VP9\"; break;\n\t\tcase V4L2_PIX_FMT_HEVC:\t\tdescr = \"HEVC\"; break; /* aka H.265 */\n\t\tcase V4L2_PIX_FMT_HEVC_SLICE:\tdescr = \"HEVC Parsed Slice Data\"; break;\n\t\tcase 
V4L2_PIX_FMT_FWHT:\t\tdescr = \"FWHT\"; break; /* used in vicodec */\n\t\tcase V4L2_PIX_FMT_FWHT_STATELESS:\tdescr = \"FWHT Stateless\"; break; /* used in vicodec */\n\t\tcase V4L2_PIX_FMT_CPIA1:\tdescr = \"GSPCA CPiA YUV\"; break;\n\t\tcase V4L2_PIX_FMT_WNVA:\t\tdescr = \"WNVA\"; break;\n\t\tcase V4L2_PIX_FMT_SN9C10X:\tdescr = \"GSPCA SN9C10X\"; break;\n\t\tcase V4L2_PIX_FMT_PWC1:\t\tdescr = \"Raw Philips Webcam Type (Old)\"; break;\n\t\tcase V4L2_PIX_FMT_PWC2:\t\tdescr = \"Raw Philips Webcam Type (New)\"; break;\n\t\tcase V4L2_PIX_FMT_ET61X251:\tdescr = \"GSPCA ET61X251\"; break;\n\t\tcase V4L2_PIX_FMT_SPCA561:\tdescr = \"GSPCA SPCA561\"; break;\n\t\tcase V4L2_PIX_FMT_PAC207:\tdescr = \"GSPCA PAC207\"; break;\n\t\tcase V4L2_PIX_FMT_MR97310A:\tdescr = \"GSPCA MR97310A\"; break;\n\t\tcase V4L2_PIX_FMT_JL2005BCD:\tdescr = \"GSPCA JL2005BCD\"; break;\n\t\tcase V4L2_PIX_FMT_SN9C2028:\tdescr = \"GSPCA SN9C2028\"; break;\n\t\tcase V4L2_PIX_FMT_SQ905C:\tdescr = \"GSPCA SQ905C\"; break;\n\t\tcase V4L2_PIX_FMT_PJPG:\t\tdescr = \"GSPCA PJPG\"; break;\n\t\tcase V4L2_PIX_FMT_OV511:\tdescr = \"GSPCA OV511\"; break;\n\t\tcase V4L2_PIX_FMT_OV518:\tdescr = \"GSPCA OV518\"; break;\n\t\tcase V4L2_PIX_FMT_JPGL:\t\tdescr = \"JPEG Lite\"; break;\n\t\tcase V4L2_PIX_FMT_SE401:\tdescr = \"GSPCA SE401\"; break;\n\t\tcase V4L2_PIX_FMT_S5C_UYVY_JPG:\tdescr = \"S5C73MX interleaved UYVY/JPEG\"; break;\n\t\tcase V4L2_PIX_FMT_MT21C:\tdescr = \"Mediatek Compressed Format\"; break;\n\t\tcase V4L2_PIX_FMT_SUNXI_TILED_NV12: descr = \"Sunxi Tiled NV12 Format\"; break;\n\t\tdefault:\n\t\t\tif (fmt->description[0])\n\t\t\t\treturn;\n\t\t\tWARN(1, \"Unknown pixelformat 0x%08x\\n\", fmt->pixelformat);\n\t\t\tflags = 0;\n\t\t\tsnprintf(fmt->description, sz, \"%c%c%c%c%s\",\n\t\t\t\t\t(char)(fmt->pixelformat & 0x7f),\n\t\t\t\t\t(char)((fmt->pixelformat >> 8) & 0x7f),\n\t\t\t\t\t(char)((fmt->pixelformat >> 16) & 0x7f),\n\t\t\t\t\t(char)((fmt->pixelformat >> 24) & 0x7f),\n\t\t\t\t\t(fmt->pixelformat & (1UL 
<< 31)) ? \"-BE\" : \"\");\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (descr)\n\t\tWARN_ON(strscpy(fmt->description, descr, sz) < 0);\n\tfmt->flags |= flags;\n}", "project": "linux", "hash": 304550767409001950021568096384696210436, "size": 252, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381456 }, { "func": "static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_format *p = arg;\n\tstruct video_device *vfd = video_devdata(file);\n\tint ret = check_fmt(file, p->type);\n\tunsigned int i;\n\n\tif (ret)\n\t\treturn ret;\n\n\tv4l_sanitize_format(p);\n\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix);\n\t\tret = ops->vidioc_try_fmt_vid_cap(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tif (vfd->vfl_type == VFL_TYPE_TOUCH)\n\t\t\tv4l_pix_format_touch(&p->fmt.pix);\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\tif 
(unlikely(!ops->vidioc_try_fmt_vid_cap_mplane))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);\n\t\tfor (i = 0; i < p->fmt.pix_mp.num_planes; i++)\n\t\t\tCLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],\n\t\t\t\t\t bytesperline);\n\t\treturn ops->vidioc_try_fmt_vid_cap_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_overlay))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.win);\n\t\treturn ops->vidioc_try_fmt_vid_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vbi_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.vbi.flags);\n\t\treturn ops->vidioc_try_fmt_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_sliced_vbi_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sliced.io_size);\n\t\treturn ops->vidioc_try_fmt_sliced_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix);\n\t\tret = ops->vidioc_try_fmt_vid_out(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_out_mplane))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);\n\t\tfor (i = 0; i < p->fmt.pix_mp.num_planes; i++)\n\t\t\tCLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],\n\t\t\t\t\t bytesperline);\n\t\treturn ops->vidioc_try_fmt_vid_out_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_out_overlay))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.win);\n\t\treturn ops->vidioc_try_fmt_vid_out_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vbi_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.vbi.flags);\n\t\treturn ops->vidioc_try_fmt_vbi_out(file, fh, 
arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_sliced_vbi_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sliced.io_size);\n\t\treturn ops->vidioc_try_fmt_sliced_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_sdr_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);\n\t\treturn ops->vidioc_try_fmt_sdr_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_sdr_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);\n\t\treturn ops->vidioc_try_fmt_sdr_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_meta_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.meta);\n\t\treturn ops->vidioc_try_fmt_meta_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_meta_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.meta);\n\t\treturn ops->vidioc_try_fmt_meta_out(file, fh, arg);\n\t}\n\treturn -EINVAL;\n}", "project": "linux", "hash": 251677547459383194768234227378707781497, "size": 101, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. 
This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381442 }, { "func": "static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_format *p = arg;\n\tstruct video_device *vfd = video_devdata(file);\n\tint ret = check_fmt(file, p->type);\n\tunsigned int i;\n\n\tif (ret)\n\t\treturn ret;\n\n\tret = v4l_enable_media_source(vfd);\n\tif (ret)\n\t\treturn ret;\n\tv4l_sanitize_format(p);\n\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix);\n\t\tret = ops->vidioc_s_fmt_vid_cap(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tif (vfd->vfl_type == VFL_TYPE_TOUCH)\n\t\t\tv4l_pix_format_touch(&p->fmt.pix);\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_cap_mplane))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);\n\t\tfor (i = 0; i < p->fmt.pix_mp.num_planes; i++)\n\t\t\tCLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],\n\t\t\t\t\t bytesperline);\n\t\treturn ops->vidioc_s_fmt_vid_cap_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_overlay))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.win);\n\t\treturn ops->vidioc_s_fmt_vid_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_CAPTURE:\n\t\tif 
(unlikely(!ops->vidioc_s_fmt_vbi_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.vbi.flags);\n\t\treturn ops->vidioc_s_fmt_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_sliced_vbi_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sliced.io_size);\n\t\treturn ops->vidioc_s_fmt_sliced_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix);\n\t\tret = ops->vidioc_s_fmt_vid_out(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_out_mplane))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);\n\t\tfor (i = 0; i < p->fmt.pix_mp.num_planes; i++)\n\t\t\tCLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],\n\t\t\t\t\t bytesperline);\n\t\treturn ops->vidioc_s_fmt_vid_out_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_out_overlay))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.win);\n\t\treturn ops->vidioc_s_fmt_vid_out_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vbi_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.vbi.flags);\n\t\treturn ops->vidioc_s_fmt_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_sliced_vbi_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sliced.io_size);\n\t\treturn ops->vidioc_s_fmt_sliced_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_sdr_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);\n\t\treturn ops->vidioc_s_fmt_sdr_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_sdr_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);\n\t\treturn 
ops->vidioc_s_fmt_sdr_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_meta_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.meta);\n\t\treturn ops->vidioc_s_fmt_meta_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_meta_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.meta);\n\t\treturn ops->vidioc_s_fmt_meta_out(file, fh, arg);\n\t}\n\treturn -EINVAL;\n}", "project": "linux", "hash": 211174988759662803706465165093416971314, "size": 104, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381434 }, { "func": "static int check_fmt(struct file *file, enum v4l2_buf_type type)\n{\n\tconst u32 vid_caps = V4L2_CAP_VIDEO_CAPTURE |\n\t\t\t V4L2_CAP_VIDEO_CAPTURE_MPLANE |\n\t\t\t V4L2_CAP_VIDEO_OUTPUT |\n\t\t\t V4L2_CAP_VIDEO_OUTPUT_MPLANE |\n\t\t\t V4L2_CAP_VIDEO_M2M | V4L2_CAP_VIDEO_M2M_MPLANE;\n\tconst u32 meta_caps = V4L2_CAP_META_CAPTURE |\n\t\t\t V4L2_CAP_META_OUTPUT;\n\tstruct video_device *vfd = video_devdata(file);\n\tconst struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;\n\tbool is_vid = vfd->vfl_type == VFL_TYPE_VIDEO &&\n\t\t (vfd->device_caps & 
vid_caps);\n\tbool is_vbi = vfd->vfl_type == VFL_TYPE_VBI;\n\tbool is_sdr = vfd->vfl_type == VFL_TYPE_SDR;\n\tbool is_tch = vfd->vfl_type == VFL_TYPE_TOUCH;\n\tbool is_meta = vfd->vfl_type == VFL_TYPE_VIDEO &&\n\t\t (vfd->device_caps & meta_caps);\n\tbool is_rx = vfd->vfl_dir != VFL_DIR_TX;\n\tbool is_tx = vfd->vfl_dir != VFL_DIR_RX;\n\n\tif (ops == NULL)\n\t\treturn -EINVAL;\n\n\tswitch (type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\t\tif ((is_vid || is_tch) && is_rx &&\n\t\t (ops->vidioc_g_fmt_vid_cap || ops->vidioc_g_fmt_vid_cap_mplane))\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\tif ((is_vid || is_tch) && is_rx && ops->vidioc_g_fmt_vid_cap_mplane)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\tif (is_vid && is_rx && ops->vidioc_g_fmt_vid_overlay)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tif (is_vid && is_tx &&\n\t\t (ops->vidioc_g_fmt_vid_out || ops->vidioc_g_fmt_vid_out_mplane))\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\tif (is_vid && is_tx && ops->vidioc_g_fmt_vid_out_mplane)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:\n\t\tif (is_vid && is_tx && ops->vidioc_g_fmt_vid_out_overlay)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VBI_CAPTURE:\n\t\tif (is_vbi && is_rx && ops->vidioc_g_fmt_vbi_cap)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VBI_OUTPUT:\n\t\tif (is_vbi && is_tx && ops->vidioc_g_fmt_vbi_out)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:\n\t\tif (is_vbi && is_rx && ops->vidioc_g_fmt_sliced_vbi_cap)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:\n\t\tif (is_vbi && is_tx && ops->vidioc_g_fmt_sliced_vbi_out)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\tif (is_sdr && is_rx && ops->vidioc_g_fmt_sdr_cap)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\tif (is_sdr && is_tx && 
ops->vidioc_g_fmt_sdr_out)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tif (is_meta && is_rx && ops->vidioc_g_fmt_meta_cap)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\tif (is_meta && is_tx && ops->vidioc_g_fmt_meta_out)\n\t\t\treturn 0;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn -EINVAL;\n}", "project": "linux", "hash": 112015074752453142575913723608615365673, "size": 88, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381468 }, { "func": "static int v4l_s_parm(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_streamparm *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\n\t/* Note: extendedmode is never used in drivers */\n\tif (V4L2_TYPE_IS_OUTPUT(p->type)) {\n\t\tmemset(p->parm.output.reserved, 0,\n\t\t sizeof(p->parm.output.reserved));\n\t\tp->parm.output.extendedmode = 0;\n\t\tp->parm.output.outputmode &= V4L2_MODE_HIGHQUALITY;\n\t} else {\n\t\tmemset(p->parm.capture.reserved, 0,\n\t\t sizeof(p->parm.capture.reserved));\n\t\tp->parm.capture.extendedmode = 0;\n\t\tp->parm.capture.capturemode 
&= V4L2_MODE_HIGHQUALITY;\n\t}\n\treturn ops->vidioc_s_parm(file, fh, p);\n}", "project": "linux", "hash": 27353891032889472259832183470436911914, "size": 23, "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899", "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann \nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus \nAcked-by: Arnd Bergmann \nAcked-by: Hans Verkuil \nReviewed-by: Laurent Pinchart \nSigned-off-by: Mauro Carvalho Chehab ", "target": 0, "dataset": "other", "idx": 381462 } ] }, { "call_depth": 4, "longest_call_chain": [ "do_rt_tgsigqueueinfo", "__copy_siginfo_from_user", "post_copy_siginfo_from_user", "known_siginfo_layout" ], "group_size": 16, "functions": [ { "func": "int copy_siginfo_from_user32(struct kernel_siginfo *to,\n\t\t\t const struct compat_siginfo __user *ufrom)\n{\n\tstruct compat_siginfo from;\n\n\tif (copy_from_user(&from, ufrom, sizeof(struct compat_siginfo)))\n\t\treturn -EFAULT;\n\n\treturn post_copy_siginfo_from_user32(to, &from);\n}", "project": "linux", "hash": 134574228271886297296357745617865034674, "size": 10, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375302 }, { "func": "static int post_copy_siginfo_from_user(kernel_siginfo_t *info,\n\t\t\t\t const siginfo_t __user *from)\n{\n\tif (unlikely(!known_siginfo_layout(info->si_signo, info->si_code))) {\n\t\tchar __user *expansion = si_expansion(from);\n\t\tchar buf[SI_EXPANSION_SIZE];\n\t\tint i;\n\t\t/*\n\t\t * An unknown si_code might need more than\n\t\t * sizeof(struct kernel_siginfo) bytes. Verify all of the\n\t\t * extra bytes are 0. 
This guarantees copy_siginfo_to_user\n\t\t * will return this data to userspace exactly.\n\t\t */\n\t\tif (copy_from_user(&buf, expansion, SI_EXPANSION_SIZE))\n\t\t\treturn -EFAULT;\n\t\tfor (i = 0; i < SI_EXPANSION_SIZE; i++) {\n\t\t\tif (buf[i] != 0)\n\t\t\t\treturn -E2BIG;\n\t\t}\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 55060182503102099690780687840941700041, "size": 22, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375326 }, { "func": "static int __copy_siginfo_from_user(int signo, kernel_siginfo_t *to,\n\t\t\t\t const siginfo_t __user *from)\n{\n\tif (copy_from_user(to, from, sizeof(struct kernel_siginfo)))\n\t\treturn -EFAULT;\n\tto->si_signo = signo;\n\treturn post_copy_siginfo_from_user(to, from);\n}", "project": "linux", "hash": 102542278264639564529155079165514057120, "size": 8, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375267 }, { "func": "static int do_rt_sigqueueinfo(pid_t pid, int sig, kernel_siginfo_t *info)\n{\n\t/* Not even root can pretend to send signals from the kernel.\n\t * Nor can they impersonate a kill()/tgkill(), which adds source info.\n\t */\n\tif ((info->si_code >= 0 || info->si_code == SI_TKILL) &&\n\t (task_pid_vnr(current) != pid))\n\t\treturn -EPERM;\n\n\t/* POSIX.1b doesn't mention process groups. */\n\treturn kill_proc_info(sig, info, pid);\n}", "project": "linux", "hash": 48458042341210538429166068446592037897, "size": 12, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375176 }, { "func": "SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,\n\t\tsiginfo_t __user *, uinfo)\n{\n\tkernel_siginfo_t info;\n\tint ret = __copy_siginfo_from_user(sig, &info, uinfo);\n\tif (unlikely(ret))\n\t\treturn ret;\n\treturn do_rt_sigqueueinfo(pid, sig, &info);\n}", "project": "linux", "hash": 322302222265666934385751767273215607712, "size": 9, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. 
Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375240 }, { "func": "COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo,\n\t\t\tcompat_pid_t, pid,\n\t\t\tint, sig,\n\t\t\tstruct compat_siginfo __user *, uinfo)\n{\n\tkernel_siginfo_t info;\n\tint ret = __copy_siginfo_from_user32(sig, &info, uinfo);\n\tif (unlikely(ret))\n\t\treturn ret;\n\treturn do_rt_sigqueueinfo(pid, sig, &info);\n}", "project": "linux", "hash": 65988940899178370911489318588231214916, "size": 11, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375253 }, { "func": "static inline bool has_si_pid_and_uid(struct kernel_siginfo *info)\n{\n\tbool ret = false;\n\tswitch (siginfo_layout(info->si_signo, info->si_code)) {\n\tcase SIL_KILL:\n\tcase SIL_CHLD:\n\tcase SIL_RT:\n\t\tret = true;\n\t\tbreak;\n\tcase SIL_TIMER:\n\tcase SIL_POLL:\n\tcase SIL_FAULT:\n\tcase SIL_FAULT_MCEERR:\n\tcase SIL_FAULT_BNDERR:\n\tcase SIL_FAULT_PKUERR:\n\tcase SIL_SYS:\n\t\tret = false;\n\t\tbreak;\n\t}\n\treturn ret;\n}", "project": "linux", "hash": 121501169807631765073914300583175770846, "size": 21, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375303 }, { "func": "static bool known_siginfo_layout(unsigned sig, int si_code)\n{\n\tif (si_code == SI_KERNEL)\n\t\treturn true;\n\telse if ((si_code > SI_USER)) {\n\t\tif (sig_specific_sicodes(sig)) {\n\t\t\tif (si_code <= sig_sicodes[sig].limit)\n\t\t\t\treturn true;\n\t\t}\n\t\telse if (si_code <= NSIGPOLL)\n\t\t\treturn true;\n\t}\n\telse if (si_code >= SI_DETHREAD)\n\t\treturn true;\n\telse if (si_code == SI_ASYNCNL)\n\t\treturn true;\n\treturn false;\n}", "project": "linux", "hash": 36307247290948407761413240940045488122, "size": 18, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375221 }, { "func": "static int __copy_siginfo_from_user32(int signo, struct kernel_siginfo *to,\n\t\t\t\t const struct compat_siginfo __user *ufrom)\n{\n\tstruct compat_siginfo from;\n\n\tif (copy_from_user(&from, ufrom, sizeof(struct compat_siginfo)))\n\t\treturn -EFAULT;\n\n\tfrom.si_signo = signo;\n\treturn post_copy_siginfo_from_user32(to, &from);\n}", "project": "linux", "hash": 124247512926836462060108247314911283729, "size": 11, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375181 }, { "func": "int copy_siginfo_from_user(kernel_siginfo_t *to, const siginfo_t __user *from)\n{\n\tif (copy_from_user(to, from, sizeof(struct kernel_siginfo)))\n\t\treturn -EFAULT;\n\treturn post_copy_siginfo_from_user(to, from);\n}", "project": "linux", "hash": 124625986354863302893265354423885863625, "size": 6, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375134 }, { "func": "static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, kernel_siginfo_t *info)\n{\n\t/* This is only valid for single tasks */\n\tif (pid <= 0 || tgid <= 0)\n\t\treturn -EINVAL;\n\n\t/* Not even root can pretend to send signals from the kernel.\n\t * Nor can they impersonate a kill()/tgkill(), which adds source info.\n\t */\n\tif ((info->si_code >= 0 || info->si_code == SI_TKILL) &&\n\t (task_pid_vnr(current) != pid))\n\t\treturn -EPERM;\n\n\treturn do_send_specific(tgid, pid, sig, info);\n}", "project": "linux", "hash": 277171545470617207900572637566811702249, "size": 15, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. 
So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375241 }, { "func": "COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo,\n\t\t\tcompat_pid_t, tgid,\n\t\t\tcompat_pid_t, pid,\n\t\t\tint, sig,\n\t\t\tstruct compat_siginfo __user *, uinfo)\n{\n\tkernel_siginfo_t info;\n\tint ret = __copy_siginfo_from_user32(sig, &info, uinfo);\n\tif (unlikely(ret))\n\t\treturn ret;\n\treturn do_rt_tgsigqueueinfo(tgid, pid, sig, &info);\n}", "project": "linux", "hash": 129110984812650198519765204128016640632, "size": 12, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. 
Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375277 }, { "func": "SYSCALL_DEFINE4(rt_tgsigqueueinfo, pid_t, tgid, pid_t, pid, int, sig,\n\t\tsiginfo_t __user *, uinfo)\n{\n\tkernel_siginfo_t info;\n\tint ret = __copy_siginfo_from_user(sig, &info, uinfo);\n\tif (unlikely(ret))\n\t\treturn ret;\n\treturn do_rt_tgsigqueueinfo(tgid, pid, sig, &info);\n}", "project": "linux", "hash": 325930772512610538513707827592825328742, "size": 9, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375280 }, { "func": "static int copy_siginfo_from_user_any(kernel_siginfo_t *kinfo, siginfo_t *info)\n{\n#ifdef CONFIG_COMPAT\n\t/*\n\t * Avoid hooking up compat syscalls and instead handle necessary\n\t * conversions here. Note, this is a stop-gap measure and should not be\n\t * considered a generic solution.\n\t */\n\tif (in_compat_syscall())\n\t\treturn copy_siginfo_from_user32(\n\t\t\tkinfo, (struct compat_siginfo __user *)info);\n#endif\n\treturn copy_siginfo_from_user(kinfo, info);\n}", "project": "linux", "hash": 151402371257721093837308914835718232254, "size": 14, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. 
This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375167 }, { "func": "static int post_copy_siginfo_from_user32(kernel_siginfo_t *to,\n\t\t\t\t\t const struct compat_siginfo *from)\n{\n\tclear_siginfo(to);\n\tto->si_signo = from->si_signo;\n\tto->si_errno = from->si_errno;\n\tto->si_code = from->si_code;\n\tswitch(siginfo_layout(from->si_signo, from->si_code)) {\n\tcase SIL_KILL:\n\t\tto->si_pid = from->si_pid;\n\t\tto->si_uid = from->si_uid;\n\t\tbreak;\n\tcase SIL_TIMER:\n\t\tto->si_tid = from->si_tid;\n\t\tto->si_overrun = from->si_overrun;\n\t\tto->si_int = from->si_int;\n\t\tbreak;\n\tcase SIL_POLL:\n\t\tto->si_band = from->si_band;\n\t\tto->si_fd = from->si_fd;\n\t\tbreak;\n\tcase SIL_FAULT:\n\t\tto->si_addr = compat_ptr(from->si_addr);\n#ifdef __ARCH_SI_TRAPNO\n\t\tto->si_trapno = from->si_trapno;\n#endif\n\t\tbreak;\n\tcase SIL_FAULT_MCEERR:\n\t\tto->si_addr = compat_ptr(from->si_addr);\n#ifdef __ARCH_SI_TRAPNO\n\t\tto->si_trapno = from->si_trapno;\n#endif\n\t\tto->si_addr_lsb = from->si_addr_lsb;\n\t\tbreak;\n\tcase SIL_FAULT_BNDERR:\n\t\tto->si_addr = compat_ptr(from->si_addr);\n#ifdef __ARCH_SI_TRAPNO\n\t\tto->si_trapno = from->si_trapno;\n#endif\n\t\tto->si_lower = compat_ptr(from->si_lower);\n\t\tto->si_upper = compat_ptr(from->si_upper);\n\t\tbreak;\n\tcase SIL_FAULT_PKUERR:\n\t\tto->si_addr = compat_ptr(from->si_addr);\n#ifdef __ARCH_SI_TRAPNO\n\t\tto->si_trapno = from->si_trapno;\n#endif\n\t\tto->si_pkey = from->si_pkey;\n\t\tbreak;\n\tcase SIL_CHLD:\n\t\tto->si_pid = from->si_pid;\n\t\tto->si_uid = from->si_uid;\n\t\tto->si_status = from->si_status;\n#ifdef CONFIG_X86_X32_ABI\n\t\tif (in_x32_syscall()) {\n\t\t\tto->si_utime = from->_sifields._sigchld_x32._utime;\n\t\t\tto->si_stime = from->_sifields._sigchld_x32._stime;\n\t\t} else\n#endif\n\t\t{\n\t\t\tto->si_utime = from->si_utime;\n\t\t\tto->si_stime = from->si_stime;\n\t\t}\n\t\tbreak;\n\tcase SIL_RT:\n\t\tto->si_pid = from->si_pid;\n\t\tto->si_uid = from->si_uid;\n\t\tto->si_int = 
from->si_int;\n\t\tbreak;\n\tcase SIL_SYS:\n\t\tto->si_call_addr = compat_ptr(from->si_call_addr);\n\t\tto->si_syscall = from->si_syscall;\n\t\tto->si_arch = from->si_arch;\n\t\tbreak;\n\t}\n\treturn 0;\n}", "project": "linux", "hash": 254289020798927830663748991786288110989, "size": 77, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. 
Biederman\" ", "target": 0, "dataset": "other", "idx": 375166 }, { "func": "enum siginfo_layout siginfo_layout(unsigned sig, int si_code)\n{\n\tenum siginfo_layout layout = SIL_KILL;\n\tif ((si_code > SI_USER) && (si_code < SI_KERNEL)) {\n\t\tif ((sig < ARRAY_SIZE(sig_sicodes)) &&\n\t\t (si_code <= sig_sicodes[sig].limit)) {\n\t\t\tlayout = sig_sicodes[sig].layout;\n\t\t\t/* Handle the exceptions */\n\t\t\tif ((sig == SIGBUS) &&\n\t\t\t (si_code >= BUS_MCEERR_AR) && (si_code <= BUS_MCEERR_AO))\n\t\t\t\tlayout = SIL_FAULT_MCEERR;\n\t\t\telse if ((sig == SIGSEGV) && (si_code == SEGV_BNDERR))\n\t\t\t\tlayout = SIL_FAULT_BNDERR;\n#ifdef SEGV_PKUERR\n\t\t\telse if ((sig == SIGSEGV) && (si_code == SEGV_PKUERR))\n\t\t\t\tlayout = SIL_FAULT_PKUERR;\n#endif\n\t\t}\n\t\telse if (si_code <= NSIGPOLL)\n\t\t\tlayout = SIL_POLL;\n\t} else {\n\t\tif (si_code == SI_TIMER)\n\t\t\tlayout = SIL_TIMER;\n\t\telse if (si_code == SI_SIGIO)\n\t\t\tlayout = SIL_POLL;\n\t\telse if (si_code < 0)\n\t\t\tlayout = SIL_RT;\n\t}\n\treturn layout;\n}", "project": "linux", "hash": 45926953882594310783656867328119504000, "size": 30, "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da", "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. 
Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" ", "target": 0, "dataset": "other", "idx": 375222 } ] }, { "call_depth": 4, "longest_call_chain": [ "udev_util_replace_chars", "utf8_encoded_valid_unichar", "utf8_encoded_to_unichar", "utf8_encoded_expected_len" ], "group_size": 8, "functions": [ { "func": "int udev_util_replace_chars(char *str, const char *white)\n{\n\tsize_t i = 0;\n\tint replaced = 0;\n\n\twhile (str[i] != '\\0') {\n\t\tint len;\n\n\t\tif (is_whitelisted(str[i], white)) {\n\t\t\ti++;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* accept hex encoding */\n\t\tif (str[i] == '\\\\' && str[i+1] == 'x') {\n\t\t\ti += 2;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* accept valid utf8 */\n\t\tlen = utf8_encoded_valid_unichar(&str[i]);\n\t\tif (len > 1) {\n\t\t\ti += len;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* if space is allowed, replace whitespace with ordinary space */\n\t\tif (isspace(str[i]) && white != NULL && strchr(white, ' ') != NULL) {\n\t\t\tstr[i] = ' ';\n\t\t\ti++;\n\t\t\treplaced++;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* everything else is replaced with '_' */\n\t\tstr[i] = '_';\n\t\ti++;\n\t\treplaced++;\n\t}\n\treturn 
replaced;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 5405405786316417121901887607525383556, "size": 41, "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490332 }, { "func": "static int utf8_encoded_to_unichar(const char *str)\n{\n\tint unichar;\n\tint len;\n\tint i;\n\n\tlen = utf8_encoded_expected_len(str);\n\tswitch (len) {\n\tcase 1:\n\t\treturn (int)str[0];\n\tcase 2:\n\t\tunichar = str[0] & 0x1f;\n\t\tbreak;\n\tcase 3:\n\t\tunichar = (int)str[0] & 0x0f;\n\t\tbreak;\n\tcase 4:\n\t\tunichar = (int)str[0] & 0x07;\n\t\tbreak;\n\tcase 5:\n\t\tunichar = (int)str[0] & 0x03;\n\t\tbreak;\n\tcase 6:\n\t\tunichar = (int)str[0] & 0x01;\n\t\tbreak;\n\tdefault:\n\t\treturn -1;\n\t}\n\n\tfor (i = 1; i < len; i++) {\n\t\tif (((int)str[i] & 0xc0) != 0x80)\n\t\t\treturn -1;\n\t\tunichar <<= 6;\n\t\tunichar |= (int)str[i] & 0x3f;\n\t}\n\n\treturn unichar;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 206051964674283888462618593096782618800, "size": 38, "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490338 }, { "func": "static int utf8_encoded_valid_unichar(const char *str)\n{\n\tint len;\n\tint unichar;\n\tint i;\n\n\tlen = utf8_encoded_expected_len(str);\n\tif (len == 0)\n\t\treturn -1;\n\n\t/* ascii is valid */\n\tif (len == 1)\n\t\treturn 1;\n\n\t/* check if expected encoded chars are available */\n\tfor (i = 0; i < len; i++)\n\t\tif ((str[i] & 0x80) != 0x80)\n\t\t\treturn -1;\n\n\tunichar = utf8_encoded_to_unichar(str);\n\n\t/* check if encoded length matches encoded value */\n\tif (utf8_unichar_to_encoded_len(unichar) != len)\n\t\treturn -1;\n\n\t/* check if value has valid range */\n\tif 
(!utf8_unichar_valid_range(unichar))\n\t\treturn -1;\n\n\treturn len;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 206053476377274378364373590995660911050, "size": 31, "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490329 }, { "func": "static int is_whitelisted(char c, const char *white)\n{\n\tif ((c >= '0' && c <= '9') ||\n\t (c >= 'A' && c <= 'Z') ||\n\t (c >= 'a' && c <= 'z') ||\n\t strchr(\"#+-.:=@_\", c) != NULL ||\n\t (white != NULL && strchr(white, c) != NULL))\n\t\treturn 1;\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 301965509586629387251827066972038220926, "size": 10, "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490346 }, { "func": "int udev_util_encode_string(const char *str, char *str_enc, size_t len)\n{\n\tsize_t i, j;\n\n\tif (str == NULL || str_enc == NULL || len == 0)\n\t\treturn -1;\n\n\tstr_enc[0] = '\\0';\n\tfor (i = 0, j = 0; str[i] != '\\0'; i++) {\n\t\tint seqlen;\n\n\t\tseqlen = utf8_encoded_valid_unichar(&str[i]);\n\t\tif (seqlen > 1) {\n\t\t\tmemcpy(&str_enc[j], &str[i], seqlen);\n\t\t\tj += seqlen;\n\t\t\ti += (seqlen-1);\n\t\t} else if (str[i] == '\\\\' || !is_whitelisted(str[i], NULL)) {\n\t\t\tsprintf(&str_enc[j], \"\\\\x%02x\", (unsigned char) str[i]);\n\t\t\tj += 4;\n\t\t} else {\n\t\t\tstr_enc[j] = str[i];\n\t\t\tj++;\n\t\t}\n\t\tif (j+3 >= len)\n\t\t\tgoto err;\n\t}\n\tstr_enc[j] = '\\0';\n\treturn 0;\nerr:\n\treturn -1;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 128389350005845428979590129521706681485, "size": 31, "message": "path_encode: fix max length 
calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490331 }, { "func": "static int utf8_encoded_expected_len(const char *str)\n{\n\tunsigned char c = (unsigned char)str[0];\n\n\tif (c < 0x80)\n\t\treturn 1;\n\tif ((c & 0xe0) == 0xc0)\n\t\treturn 2;\n\tif ((c & 0xf0) == 0xe0)\n\t\treturn 3;\n\tif ((c & 0xf8) == 0xf0)\n\t\treturn 4;\n\tif ((c & 0xfc) == 0xf8)\n\t\treturn 5;\n\tif ((c & 0xfe) == 0xfc)\n\t\treturn 6;\n\treturn 0;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 256127015334813263581801085103652188798, "size": 18, "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490327 }, { "func": "static int utf8_unichar_valid_range(int unichar)\n{\n\tif (unichar > 0x10ffff)\n\t\treturn 0;\n\tif ((unichar & 0xfffff800) == 0xd800)\n\t\treturn 0;\n\tif ((unichar > 0xfdcf) && (unichar < 0xfdf0))\n\t\treturn 0;\n\tif ((unichar & 0xffff) == 0xffff)\n\t\treturn 0;\n\treturn 1;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 195740263550096629321937696988533578169, "size": 12, "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490344 }, { "func": "static int utf8_unichar_to_encoded_len(int unichar)\n{\n\tif (unichar < 0x80)\n\t\treturn 1;\n\tif (unichar < 0x800)\n\t\treturn 2;\n\tif (unichar < 0x10000)\n\t\treturn 3;\n\tif (unichar < 0x200000)\n\t\treturn 4;\n\tif (unichar < 0x4000000)\n\t\treturn 5;\n\treturn 6;\n}", "target": 0, "cwe": [ "CWE-120" ], "project": "udev", "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314", "hash": 176663044449808812580689980385047039729, "size": 14, "message": "path_encode: fix max length calculation\n\nSebastian 
Krahmer wrote:\n> it should reserve 4 times not 3 times len :)", "dataset": "other", "idx": 490341 } ] }, { "call_depth": 4, "longest_call_chain": [ "bcf_read", "bcf_record_check", "bcf_dec_size_safe", "bcf_dec_typed_int1_safe" ], "group_size": 8, "functions": [ { "func": "int bcf_readrec(BGZF *fp, void *null, void *vv, int *tid, hts_pos_t *beg, hts_pos_t *end)\n{\n bcf1_t *v = (bcf1_t *) vv;\n int ret = bcf_read1_core(fp, v);\n if (ret == 0) ret = bcf_record_check(NULL, v);\n if (ret >= 0)\n *tid = v->rid, *beg = v->pos, *end = v->pos + v->rlen;\n return ret;\n}", "project": "htslib", "hash": 33818452448365810705567639192787771876, "size": 9, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402249 }, { "func": "static int bcf_dec_size_safe(uint8_t *p, uint8_t *end, uint8_t **q,\n int *num, int *type) {\n int r;\n if (p >= end) return -1;\n *type = *p & 0xf;\n if (*p>>4 != 15) {\n *q = p + 1;\n *num = *p >> 4;\n return 0;\n }\n r = bcf_dec_typed_int1_safe(p + 1, end, q, num);\n if (r) return r;\n return *num >= 0 ? 0 : -1;\n}", "project": "htslib", "hash": 141373285537262292830683104823021389913, "size": 14, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402201 }, { "func": "static int bcf_dec_typed_int1_safe(uint8_t *p, uint8_t *end, uint8_t **q,\n int32_t *val) {\n uint32_t t;\n if (end - p < 2) return -1;\n t = *p++ & 0xf;\n /* Use if .. else if ... else instead of switch to force order. Assumption\n is that small integers are more frequent than big ones. */\n if (t == BCF_BT_INT8) {\n *q = p + 1;\n *val = *(int8_t *) p;\n } else if (t == BCF_BT_INT16) {\n if (end - p < 2) return -1;\n *q = p + 2;\n *val = le_to_i16(p);\n } else if (t == BCF_BT_INT32) {\n if (end - p < 4) return -1;\n *q = p + 4;\n *val = le_to_i32(p);\n#ifdef VCF_ALLOW_INT64\n } else if (t == BCF_BT_INT64) {\n // This case should never happen because there should be no 64-bit BCFs\n // at all, definitely not coming from htslib\n if (end - p < 8) return -1;\n *q = p + 8;\n *val = le_to_i64(p);\n#endif\n } else {\n return -1;\n }\n return 0;\n}", "project": "htslib", "hash": 234731386941793576194670991723107717916, "size": 31, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402180 }, { "func": "static inline int bcf_read1_core(BGZF *fp, bcf1_t *v)\n{\n uint8_t x[32];\n ssize_t ret;\n uint32_t shared_len, indiv_len;\n if ((ret = bgzf_read(fp, x, 32)) != 32) {\n if (ret == 0) return -1;\n return -2;\n }\n bcf_clear1(v);\n shared_len = le_to_u32(x);\n if (shared_len < 24) return -2;\n shared_len -= 24; // to exclude six 32-bit integers\n if (ks_resize(&v->shared, shared_len) != 0) return -2;\n indiv_len = le_to_u32(x + 4);\n if (ks_resize(&v->indiv, indiv_len) != 0) return -2;\n v->rid = le_to_i32(x + 8);\n v->pos = le_to_u32(x + 12);\n v->rlen = le_to_i32(x + 16);\n v->qual = le_to_float(x + 20);\n v->n_info = le_to_u16(x + 24);\n v->n_allele = le_to_u16(x + 26);\n v->n_sample = le_to_u32(x + 28) & 0xffffff;\n v->n_fmt = x[31];\n v->shared.l = shared_len;\n v->indiv.l = indiv_len;\n // silent fix of broken BCFs produced by earlier versions of bcf_subset, prior to and including bd6ed8b4\n if ( (!v->indiv.l || !v->n_sample) && v->n_fmt ) v->n_fmt = 0;\n\n if (bgzf_read(fp, v->shared.s, v->shared.l) != v->shared.l) return -2;\n if (bgzf_read(fp, v->indiv.s, v->indiv.l) != v->indiv.l) return -2;\n return 0;\n}", "project": "htslib", "hash": 12751460557049634954365934146773465993, "size": 33, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402240 }, { "func": "static int bcf_record_check(const bcf_hdr_t *hdr, bcf1_t *rec) {\n uint8_t *ptr, *end;\n size_t bytes;\n uint32_t err = 0;\n int type = 0;\n int num = 0;\n int reflen = 0;\n uint32_t i, reports;\n const uint32_t is_integer = ((1 << BCF_BT_INT8) |\n (1 << BCF_BT_INT16) |\n#ifdef VCF_ALLOW_INT64\n (1 << BCF_BT_INT64) |\n#endif\n (1 << BCF_BT_INT32));\n const uint32_t is_valid_type = (is_integer |\n (1 << BCF_BT_NULL) |\n (1 << BCF_BT_FLOAT) |\n (1 << BCF_BT_CHAR));\n int32_t max_id = hdr ? hdr->n[BCF_DT_ID] : 0;\n\n // Check for valid contig ID\n if (rec->rid < 0\n || (hdr && (rec->rid >= hdr->n[BCF_DT_CTG]\n || hdr->id[BCF_DT_CTG][rec->rid].key == NULL))) {\n hts_log_warning(\"Bad BCF record at %\"PRIhts_pos\": Invalid %s id %d\", rec->pos+1, \"CONTIG\", rec->rid);\n err |= BCF_ERR_CTG_INVALID;\n }\n\n // Check ID\n ptr = (uint8_t *) rec->shared.s;\n end = ptr + rec->shared.l;\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_shared;\n if (type != BCF_BT_CHAR) {\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"ID\", type, get_type_name(type));\n err |= BCF_ERR_TAG_INVALID;\n }\n bytes = (size_t) num << bcf_type_shift[type];\n if (end - ptr < bytes) goto bad_shared;\n ptr += bytes;\n\n // Check REF and ALT\n reports = 0;\n for (i = 0; i < rec->n_allele; i++) {\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_shared;\n if (type != BCF_BT_CHAR) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"REF/ALT\", type, 
get_type_name(type));\n err |= BCF_ERR_CHAR;\n }\n if (i == 0) reflen = num;\n bytes = (size_t) num << bcf_type_shift[type];\n if (end - ptr < bytes) goto bad_shared;\n ptr += bytes;\n }\n\n // Check FILTER\n reports = 0;\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_shared;\n if (num > 0) {\n bytes = (size_t) num << bcf_type_shift[type];\n if (((1 << type) & is_integer) == 0) {\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"FILTER\", type, get_type_name(type));\n err |= BCF_ERR_TAG_INVALID;\n if (end - ptr < bytes) goto bad_shared;\n ptr += bytes;\n } else {\n if (end - ptr < bytes) goto bad_shared;\n for (i = 0; i < num; i++) {\n int32_t key = bcf_dec_int1(ptr, type, &ptr);\n if (key < 0\n || (hdr && (key >= max_id\n || hdr->id[BCF_DT_ID][key].key == NULL))) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s id %d\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"FILTER\", key);\n err |= BCF_ERR_TAG_UNDEF;\n }\n }\n }\n }\n\n // Check INFO\n reports = 0;\n for (i = 0; i < rec->n_info; i++) {\n int32_t key = -1;\n if (bcf_dec_typed_int1_safe(ptr, end, &ptr, &key) != 0) goto bad_shared;\n if (key < 0 || (hdr && (key >= max_id\n || hdr->id[BCF_DT_ID][key].key == NULL))) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s id %d\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"INFO\", key);\n err |= BCF_ERR_TAG_UNDEF;\n }\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_shared;\n if (((1 << type) & is_valid_type) == 0) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"INFO\", type, get_type_name(type));\n err |= BCF_ERR_TAG_INVALID;\n }\n bytes = (size_t) num << bcf_type_shift[type];\n if (end - ptr 
< bytes) goto bad_shared;\n ptr += bytes;\n }\n\n // Check FORMAT and individual information\n ptr = (uint8_t *) rec->indiv.s;\n end = ptr + rec->indiv.l;\n reports = 0;\n for (i = 0; i < rec->n_fmt; i++) {\n int32_t key = -1;\n if (bcf_dec_typed_int1_safe(ptr, end, &ptr, &key) != 0) goto bad_indiv;\n if (key < 0\n || (hdr && (key >= max_id\n || hdr->id[BCF_DT_ID][key].key == NULL))) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s id %d\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"FORMAT\", key);\n err |= BCF_ERR_TAG_UNDEF;\n }\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_indiv;\n if (((1 << type) & is_valid_type) == 0) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"FORMAT\", type, get_type_name(type));\n err |= BCF_ERR_TAG_INVALID;\n }\n bytes = ((size_t) num << bcf_type_shift[type]) * rec->n_sample;\n if (end - ptr < bytes) goto bad_indiv;\n ptr += bytes;\n }\n\n if (!err && rec->rlen < 0) {\n // Treat bad rlen as a warning instead of an error, and try to\n // fix up by using the length of the stored REF allele.\n static int warned = 0;\n if (!warned) {\n hts_log_warning(\"BCF record at %s:%\"PRIhts_pos\" has invalid RLEN (%\"PRIhts_pos\"). \"\n \"Only one invalid RLEN will be reported.\",\n bcf_seqname_safe(hdr,rec), rec->pos+1, rec->rlen);\n warned = 1;\n }\n rec->rlen = reflen >= 0 ? reflen : 0;\n }\n\n rec->errcode |= err;\n\n return err ? 
-2 : 0; // Return -2 so bcf_read() reports an error\n\n bad_shared:\n hts_log_error(\"Bad BCF record at %s:%\"PRIhts_pos\" - shared section malformed or too short\", bcf_seqname_safe(hdr,rec), rec->pos+1);\n return -2;\n\n bad_indiv:\n hts_log_error(\"Bad BCF record at %s:%\"PRIhts_pos\" - individuals section malformed or too short\", bcf_seqname_safe(hdr,rec), rec->pos+1);\n return -2;\n}", "project": "htslib", "hash": 13043732940354638373013501762813051039, "size": 152, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402177 }, { "func": "int vcf_read(htsFile *fp, const bcf_hdr_t *h, bcf1_t *v)\n{\n int ret;\n ret = hts_getline(fp, KS_SEP_LINE, &fp->line);\n if (ret < 0) return ret;\n return vcf_parse1(&fp->line, h, v);\n}", "project": "htslib", "hash": 18430956208465103548864436074290095431, "size": 7, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402182 }, { "func": "int bcf_subset_format(const bcf_hdr_t *hdr, bcf1_t *rec)\n{\n if ( !hdr->keep_samples ) return 0;\n if ( !bcf_hdr_nsamples(hdr) )\n {\n rec->indiv.l = rec->n_sample = 0;\n return 0;\n }\n\n int i, j;\n uint8_t *ptr = (uint8_t*)rec->indiv.s, *dst = NULL, *src;\n bcf_dec_t *dec = &rec->d;\n hts_expand(bcf_fmt_t, rec->n_fmt, dec->m_fmt, dec->fmt);\n for (i=0; i<dec->m_fmt; ++i) dec->fmt[i].p_free = 0;\n\n for (i=0; i<rec->n_fmt; i++)\n {\n ptr = bcf_unpack_fmt_core1(ptr, rec->n_sample, &dec->fmt[i]);\n src = dec->fmt[i].p - dec->fmt[i].size;\n if ( dst )\n {\n memmove(dec->fmt[i-1].p + dec->fmt[i-1].p_len, dec->fmt[i].p - dec->fmt[i].p_off, dec->fmt[i].p_off);\n dec->fmt[i].p = dec->fmt[i-1].p + dec->fmt[i-1].p_len + dec->fmt[i].p_off;\n }\n dst = dec->fmt[i].p;\n for (j=0; j<hdr->nsamples_ori; j++)\n {\n src += dec->fmt[i].size;\n if ( !bit_array_test(hdr->keep_samples,j) ) continue;\n memmove(dst, src, dec->fmt[i].size);\n dst += dec->fmt[i].size;\n }\n rec->indiv.l -= dec->fmt[i].p_len - (dst - dec->fmt[i].p);\n dec->fmt[i].p_len = dst - dec->fmt[i].p;\n }\n rec->unpacked |= BCF_UN_FMT;\n\n rec->n_sample = bcf_hdr_nsamples(hdr);\n return 0;\n}", "project": "htslib", "hash": 313869283831717057726771406159143661219, "size": 40, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. 
It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402194 }, { "func": "int bcf_read(htsFile *fp, const bcf_hdr_t *h, bcf1_t *v)\n{\n if (fp->format.format == vcf) return vcf_read(fp,h,v);\n int ret = bcf_read1_core(fp->fp.bgzf, v);\n if (ret == 0) ret = bcf_record_check(h, v);\n if ( ret!=0 || !h->keep_samples ) return ret;\n return bcf_subset_format(h,v);\n}", "project": "htslib", "hash": 59715034301581063666044249619776521944, "size": 8, "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c", "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097", "target": 0, "dataset": "other", "idx": 402164 } ] }, { "call_depth": 4, "longest_call_chain": [ "acpi_boot_init", "acpi_process_madt", "acpi_parse_madt_ioapic_entries", "acpi_sci_ioapic_setup" ], "group_size": 5, "functions": [ { "func": "static int __init acpi_parse_madt_lapic_entries(void)\n{\n\tint count;\n\n\tif (!cpu_has_apic)\n\t\treturn -ENODEV;\n\n\t/* \n\t * Note that the LAPIC address is obtained from the MADT (32-bit value)\n\t * and (optionally) overriden by a LAPIC_ADDR_OVR entry (64-bit value).\n\t */\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_LAPIC_ADDR_OVR,\n\t\t\t\t acpi_parse_lapic_addr_ovr, 0);\n\tif (count < 0) {\n\t\tprintk(KERN_ERR PREFIX\n\t\t \"Error parsing LAPIC address override entry\\n\");\n\t\treturn count;\n\t}\n\n\tmp_register_lapic_address(acpi_lapic_addr);\n\n\tcount = 
acpi_table_parse_madt(ACPI_MADT_LAPIC, acpi_parse_lapic,\n\t\t\t\t MAX_APICS);\n\tif (!count) {\n\t\tprintk(KERN_ERR PREFIX \"No LAPIC entries present\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn -ENODEV;\n\t} else if (count < 0) {\n\t\tprintk(KERN_ERR PREFIX \"Error parsing LAPIC entry\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn count;\n\t}\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_LAPIC_NMI, acpi_parse_lapic_nmi, 0);\n\tif (count < 0) {\n\t\tprintk(KERN_ERR PREFIX \"Error parsing LAPIC NMI entry\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn count;\n\t}\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff", "hash": 213721789998004113445496180184575800672, "size": 44, "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin \nSigned-off-by: Andi Kleen ", "dataset": "other", "idx": 499986 }, { "func": "static void __init acpi_process_madt(void)\n{\n#ifdef CONFIG_X86_LOCAL_APIC\n\tint count, error;\n\n\tcount = acpi_table_parse(ACPI_APIC, acpi_parse_madt);\n\tif (count >= 1) {\n\n\t\t/*\n\t\t * Parse MADT LAPIC entries\n\t\t */\n\t\terror = acpi_parse_madt_lapic_entries();\n\t\tif (!error) {\n\t\t\tacpi_lapic = 1;\n\n#ifdef CONFIG_X86_GENERICARCH\n\t\t\tgeneric_bigsmp_probe();\n#endif\n\t\t\t/*\n\t\t\t * Parse MADT IO-APIC entries\n\t\t\t */\n\t\t\terror = acpi_parse_madt_ioapic_entries();\n\t\t\tif (!error) {\n\t\t\t\tacpi_irq_model = ACPI_IRQ_MODEL_IOAPIC;\n\t\t\t\tacpi_irq_balance_set(NULL);\n\t\t\t\tacpi_ioapic = 1;\n\n\t\t\t\tsmp_found_config = 1;\n\t\t\t\tclustered_apic_check();\n\t\t\t}\n\t\t}\n\t\tif (error == -EINVAL) {\n\t\t\t/*\n\t\t\t * Dell Precision Workstation 410, 610 come here.\n\t\t\t */\n\t\t\tprintk(KERN_ERR PREFIX\n\t\t\t \"Invalid BIOS MADT, disabling 
ACPI\\n\");\n\t\t\tdisable_acpi();\n\t\t}\n\t}\n#endif\n\treturn;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff", "hash": 304853954482509555927863505312876942754, "size": 43, "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin \nSigned-off-by: Andi Kleen ", "dataset": "other", "idx": 500015 }, { "func": "static int __init acpi_parse_madt_ioapic_entries(void)\n{\n\tint count;\n\n\t/*\n\t * ACPI interpreter is required to complete interrupt setup,\n\t * so if it is off, don't enumerate the io-apics with ACPI.\n\t * If MPS is present, it will handle them,\n\t * otherwise the system will stay in PIC mode\n\t */\n\tif (acpi_disabled || acpi_noirq) {\n\t\treturn -ENODEV;\n\t}\n\n\tif (!cpu_has_apic) \n\t\treturn -ENODEV;\n\n\t/*\n\t * if \"noapic\" boot option, don't look for IO-APICs\n\t */\n\tif (skip_ioapic_setup) {\n\t\tprintk(KERN_INFO PREFIX \"Skipping IOAPIC probe \"\n\t\t \"due to 'noapic' option.\\n\");\n\t\treturn -ENODEV;\n\t}\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_IOAPIC, acpi_parse_ioapic,\n\t\t\t\t MAX_IO_APICS);\n\tif (!count) {\n\t\tprintk(KERN_ERR PREFIX \"No IOAPIC entries present\\n\");\n\t\treturn -ENODEV;\n\t} else if (count < 0) {\n\t\tprintk(KERN_ERR PREFIX \"Error parsing IOAPIC entry\\n\");\n\t\treturn count;\n\t}\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_INT_SRC_OVR, acpi_parse_int_src_ovr,\n\t\t\t\t NR_IRQ_VECTORS);\n\tif (count < 0) {\n\t\tprintk(KERN_ERR PREFIX\n\t\t \"Error parsing interrupt source overrides entry\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn count;\n\t}\n\n\t/*\n\t * If BIOS did not supply an INT_SRC_OVR for the SCI\n\t * pretend we got one so we can set the SCI flags.\n\t */\n\tif (!acpi_sci_override_gsi)\n\t\tacpi_sci_ioapic_setup(acpi_fadt.sci_int, 0, 0);\n\n\t/* Fill in identity legacy 
mapings where no override */\n\tmp_config_acpi_legacy_irqs();\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_NMI_SRC, acpi_parse_nmi_src,\n\t\t\t\t NR_IRQ_VECTORS);\n\tif (count < 0) {\n\t\tprintk(KERN_ERR PREFIX \"Error parsing NMI SRC entry\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn count;\n\t}\n\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff", "hash": 206089872263599311184274569938139731793, "size": 68, "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin \nSigned-off-by: Andi Kleen ", "dataset": "other", "idx": 500001 }, { "func": "int __init acpi_boot_init(void)\n{\n\t/*\n\t * If acpi_disabled, bail out\n\t * One exception: acpi=ht continues far enough to enumerate LAPICs\n\t */\n\tif (acpi_disabled && !acpi_ht)\n\t\treturn 1;\n\n\tacpi_table_parse(ACPI_BOOT, acpi_parse_sbf);\n\n\t/*\n\t * set sci_int and PM timer address\n\t */\n\tacpi_table_parse(ACPI_FADT, acpi_parse_fadt);\n\n\t/*\n\t * Process the Multiple APIC Description Table (MADT), if present\n\t */\n\tacpi_process_madt();\n\n\tacpi_table_parse(ACPI_HPET, acpi_parse_hpet);\n\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff", "hash": 340091633310638462260892732834527967470, "size": 25, "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. 
This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin \nSigned-off-by: Andi Kleen ", "dataset": "other", "idx": 499993 }, { "func": "static void acpi_sci_ioapic_setup(u32 gsi, u16 polarity, u16 trigger)\n{\n\tif (trigger == 0)\t/* compatible SCI trigger is level */\n\t\ttrigger = 3;\n\n\tif (polarity == 0)\t/* compatible SCI polarity is low */\n\t\tpolarity = 3;\n\n\t/* Command-line over-ride via acpi_sci= */\n\tif (acpi_sci_flags.trigger)\n\t\ttrigger = acpi_sci_flags.trigger;\n\n\tif (acpi_sci_flags.polarity)\n\t\tpolarity = acpi_sci_flags.polarity;\n\n\t/*\n\t * mp_config_acpi_legacy_irqs() already setup IRQs < 16\n\t * If GSI is < 16, this will update its flags,\n\t * else it will create a new mp_irqs[] entry.\n\t */\n\tmp_override_legacy_irq(gsi, polarity, trigger, gsi);\n\n\t/*\n\t * stash over-ride to indicate we've been here\n\t * and for later update of acpi_fadt\n\t */\n\tacpi_sci_override_gsi = gsi;\n\treturn;\n}", "target": 0, "cwe": [], "project": "linux-2.6", "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff", "hash": 39963657699800888970864861904027485773, "size": 29, "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. 
This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin \nSigned-off-by: Andi Kleen ", "dataset": "other", "idx": 500002 } ] }, { "call_depth": 4, "longest_call_chain": [ "create_answer", "match_offer", "custom_fmt_match", "pj_assert" ], "group_size": 21, "functions": [ { "func": "static pj_status_t custom_fmt_match(pj_pool_t *pool,\n\t\t\t\t const pj_str_t *fmt_name,\n\t\t\t\t pjmedia_sdp_media *offer,\n\t\t\t\t unsigned o_fmt_idx,\n\t\t\t\t pjmedia_sdp_media *answer,\n\t\t\t\t unsigned a_fmt_idx,\n\t\t\t\t unsigned option)\n{\n unsigned i;\n\n for (i = 0; i < fmt_match_cb_cnt; ++i) {\n\tif (pj_stricmp(fmt_name, &fmt_match_cb[i].fmt_name) == 0) {\n\t pj_assert(fmt_match_cb[i].cb);\n\t return (*fmt_match_cb[i].cb)(pool, offer, o_fmt_idx,\n\t\t\t\t\t answer, a_fmt_idx,\n\t\t\t\t\t option);\n\t}\n }\n\n /* Not customized format matching found, should be matched */\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 41301759871988627482220993993091844415, "size": 22, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449670 }, { "func": "static pj_status_t process_m_answer( pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_media *offer,\n\t\t\t\t pjmedia_sdp_media *answer,\n\t\t\t\t pj_bool_t allow_asym)\n{\n unsigned i;\n\n /* Check that the media type match our offer. */\n\n if (pj_strcmp(&answer->desc.media, &offer->desc.media)!=0) {\n\t/* The media type in the answer is different than the offer! */\n\treturn PJMEDIA_SDPNEG_EINVANSMEDIA;\n }\n\n\n /* Check that transport in the answer match our offer. 
*/\n\n /* At this point, transport type must be compatible, \n * the transport instance will do more validation later.\n */\n if (pjmedia_sdp_transport_cmp(&answer->desc.transport, \n\t\t\t\t &offer->desc.transport) \n\t!= PJ_SUCCESS)\n {\n\treturn PJMEDIA_SDPNEG_EINVANSTP;\n }\n\n\n /* Check if remote has rejected our offer */\n if (answer->desc.port == 0) {\n\t\n\t/* Remote has rejected our offer. \n\t * Deactivate our media too.\n\t */\n\tpjmedia_sdp_media_deactivate(pool, offer);\n\n\t/* Don't need to proceed */\n\treturn PJ_SUCCESS;\n }\n\n /* Ticket #1148: check if remote answer does not set port to zero when\n * offered with port zero. Let's just tolerate it.\n */\n if (offer->desc.port == 0) {\n\t/* Don't need to proceed */\n\treturn PJ_SUCCESS;\n }\n\n /* Process direction attributes */\n update_media_direction(pool, answer, offer);\n \n /* If asymetric media is allowed, then just check that remote answer has \n * codecs that are within the offer. \n *\n * Otherwise if asymetric media is not allowed, then we will choose only\n * one codec in our initial offer to match the answer.\n */\n if (allow_asym) {\n\tfor (i=0; idesc.fmt_count; ++i) {\n\t unsigned j;\n\t pj_str_t *rem_fmt = &answer->desc.fmt[i];\n\n\t for (j=0; jdesc.fmt_count; ++j) {\n\t\tif (pj_strcmp(rem_fmt, &answer->desc.fmt[j])==0)\n\t\t break;\n\t }\n\n\t if (j != offer->desc.fmt_count) {\n\t\t/* Found at least one common codec. */\n\t\tbreak;\n\t }\n\t}\n\n\tif (i == answer->desc.fmt_count) {\n\t /* No common codec in the answer! 
*/\n\t return PJMEDIA_SDPNEG_EANSNOMEDIA;\n\t}\n\n\tPJ_TODO(CHECK_SDP_NEGOTIATION_WHEN_ASYMETRIC_MEDIA_IS_ALLOWED);\n\n } else {\n\t/* Offer format priority based on answer format index/priority */\n\tunsigned offer_fmt_prior[PJMEDIA_MAX_SDP_FMT];\n\n\t/* Remove all format in the offer that has no matching answer */\n\tfor (i=0; idesc.fmt_count;) {\n\t unsigned pt;\n\t pj_uint32_t j;\n\t pj_str_t *fmt = &offer->desc.fmt[i];\n\t \n\n\t /* Find matching answer */\n\t pt = pj_strtoul(fmt);\n\n\t if (pt < 96) {\n\t\tfor (j=0; jdesc.fmt_count; ++j) {\n\t\t if (pj_strcmp(fmt, &answer->desc.fmt[j])==0)\n\t\t\tbreak;\n\t\t}\n\t } else {\n\t\t/* This is dynamic payload type.\n\t\t * For dynamic payload type, we must look the rtpmap and\n\t\t * compare the encoding name.\n\t\t */\n\t\tconst pjmedia_sdp_attr *a;\n\t\tpjmedia_sdp_rtpmap or_;\n\n\t\t/* Get the rtpmap for the payload type in the offer. */\n\t\ta = pjmedia_sdp_media_find_attr2(offer, \"rtpmap\", fmt);\n\t\tif (!a) {\n\t\t pj_assert(!\"Bug! Offer should have been validated\");\n\t\t return PJ_EBUG;\n\t\t}\n\t\tpjmedia_sdp_attr_get_rtpmap(a, &or_);\n\n\t\t/* Find paylaod in answer SDP with matching \n\t\t * encoding name and clock rate.\n\t\t */\n\t\tfor (j=0; jdesc.fmt_count; ++j) {\n\t\t a = pjmedia_sdp_media_find_attr2(answer, \"rtpmap\", \n\t\t\t\t\t\t &answer->desc.fmt[j]);\n\t\t if (a) {\n\t\t\tpjmedia_sdp_rtpmap ar;\n\t\t\tpjmedia_sdp_attr_get_rtpmap(a, &ar);\n\n\t\t\t/* See if encoding name, clock rate, and channel\n\t\t\t * count match \n\t\t\t */\n\t\t\tif (!pj_stricmp(&or_.enc_name, &ar.enc_name) &&\n\t\t\t or_.clock_rate == ar.clock_rate &&\n\t\t\t (pj_stricmp(&or_.param, &ar.param)==0 ||\n\t\t\t (ar.param.slen==1 && *ar.param.ptr=='1')))\n\t\t\t{\n\t\t\t /* Call custom format matching callbacks */\n\t\t\t if (custom_fmt_match(pool, &or_.enc_name,\n\t\t\t\t\t\t offer, i, answer, j, 0) ==\n\t\t\t\tPJ_SUCCESS)\n\t\t\t {\n\t\t\t\t/* Match! 
*/\n\t\t\t\tbreak;\n\t\t\t }\n\t\t\t}\n\t\t }\n\t\t}\n\t }\n\n\t if (j == answer->desc.fmt_count) {\n\t\t/* This format has no matching answer.\n\t\t * Remove it from our offer.\n\t\t */\n\t\tpjmedia_sdp_attr *a;\n\n\t\t/* Remove rtpmap associated with this format */\n\t\ta = pjmedia_sdp_media_find_attr2(offer, \"rtpmap\", fmt);\n\t\tif (a)\n\t\t pjmedia_sdp_media_remove_attr(offer, a);\n\n\t\t/* Remove fmtp associated with this format */\n\t\ta = pjmedia_sdp_media_find_attr2(offer, \"fmtp\", fmt);\n\t\tif (a)\n\t\t pjmedia_sdp_media_remove_attr(offer, a);\n\n\t\t/* Remove this format from offer's array */\n\t\tpj_array_erase(offer->desc.fmt, sizeof(offer->desc.fmt[0]),\n\t\t\t offer->desc.fmt_count, i);\n\t\t--offer->desc.fmt_count;\n\n\t } else {\n\t\toffer_fmt_prior[i] = j;\n\t\t++i;\n\t }\n\t}\n\n\tif (0 == offer->desc.fmt_count) {\n\t /* No common codec in the answer! */\n\t return PJMEDIA_SDPNEG_EANSNOMEDIA;\n\t}\n\n\t/* Post process:\n\t * - Resort offer formats so the order match to the answer.\n\t * - Remove answer formats that unmatches to the offer.\n\t */\n\t\n\t/* Resort offer formats */\n\tfor (i=0; idesc.fmt_count; ++i) {\n\t unsigned j;\n\t for (j=i+1; jdesc.fmt_count; ++j) {\n\t\tif (offer_fmt_prior[i] > offer_fmt_prior[j]) {\n\t\t unsigned tmp = offer_fmt_prior[i];\n\t\t offer_fmt_prior[i] = offer_fmt_prior[j];\n\t\t offer_fmt_prior[j] = tmp;\n\t\t str_swap(&offer->desc.fmt[i], &offer->desc.fmt[j]);\n\t\t}\n\t }\n\t}\n\n\t/* Remove unmatched answer formats */\n\t{\n\t unsigned del_cnt = 0;\n\t for (i=0; idesc.fmt_count;) {\n\t\t/* The offer is ordered now, also the offer_fmt_prior */\n\t\tif (i >= offer->desc.fmt_count || \n\t\t offer_fmt_prior[i]-del_cnt != i)\n\t\t{\n\t\t pj_str_t *fmt = &answer->desc.fmt[i];\n\t\t pjmedia_sdp_attr *a;\n\n\t\t /* Remove rtpmap associated with this format */\n\t\t a = pjmedia_sdp_media_find_attr2(answer, \"rtpmap\", fmt);\n\t\t if (a)\n\t\t\tpjmedia_sdp_media_remove_attr(answer, a);\n\n\t\t /* Remove fmtp 
associated with this format */\n\t\t a = pjmedia_sdp_media_find_attr2(answer, \"fmtp\", fmt);\n\t\t if (a)\n\t\t\tpjmedia_sdp_media_remove_attr(answer, a);\n\n\t\t /* Remove this format from answer's array */\n\t\t pj_array_erase(answer->desc.fmt, \n\t\t\t\t sizeof(answer->desc.fmt[0]),\n\t\t\t\t answer->desc.fmt_count, i);\n\t\t --answer->desc.fmt_count;\n\n\t\t ++del_cnt;\n\t\t} else {\n\t\t ++i;\n\t\t}\n\t }\n\t}\n }\n\n /* Looks okay */\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 306619889036402259679557747540392102694, "size": 234, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449645 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_set_prefer_remote_codec_order(\n\t\t\t\t\t\tpjmedia_sdp_neg *neg,\n\t\t\t\t\t\tpj_bool_t prefer_remote)\n{\n PJ_ASSERT_RETURN(neg, PJ_EINVAL);\n neg->prefer_remote_codec_order = prefer_remote;\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 135161748195259289338417694367735299272, "size": 8, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449648 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_get_active_local( pjmedia_sdp_neg *neg,\n\t\t\t\t\tconst pjmedia_sdp_session **local)\n{\n PJ_ASSERT_RETURN(neg && local, PJ_EINVAL);\n PJ_ASSERT_RETURN(neg->active_local_sdp, PJMEDIA_SDPNEG_ENOACTIVE);\n\n *local = neg->active_local_sdp;\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 247948104735515018551443226478703169078, "size": 9, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449649 }, { "func": "PJ_DEF(pjmedia_sdp_neg_state) pjmedia_sdp_neg_get_state( pjmedia_sdp_neg *neg )\n{\n /* Check arguments are valid. 
*/\n PJ_ASSERT_RETURN(neg != NULL, PJMEDIA_SDP_NEG_STATE_NULL);\n return neg->state;\n}", "project": "pjproject", "hash": 177841916266260096920835567958572204387, "size": 6, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449650 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_get_active_remote( pjmedia_sdp_neg *neg,\n\t\t\t\t const pjmedia_sdp_session **remote)\n{\n PJ_ASSERT_RETURN(neg && remote, PJ_EINVAL);\n PJ_ASSERT_RETURN(neg->active_remote_sdp, PJMEDIA_SDPNEG_ENOACTIVE);\n\n *remote = neg->active_remote_sdp;\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 38478110242827854796437422570723391788, "size": 9, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449654 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_create_w_local_offer( pj_pool_t *pool,\n\t\t\t\t const pjmedia_sdp_session *local,\n\t\t\t\t pjmedia_sdp_neg **p_neg)\n{\n pjmedia_sdp_neg *neg;\n pj_status_t status;\n\n /* Check arguments are valid. */\n PJ_ASSERT_RETURN(pool && local && p_neg, PJ_EINVAL);\n\n *p_neg = NULL;\n\n /* Validate local offer. */\n PJ_ASSERT_RETURN((status=pjmedia_sdp_validate(local))==PJ_SUCCESS, status);\n\n /* Create and initialize negotiator. 
*/\n neg = PJ_POOL_ZALLOC_T(pool, pjmedia_sdp_neg);\n PJ_ASSERT_RETURN(neg != NULL, PJ_ENOMEM);\n\n neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER;\n neg->prefer_remote_codec_order = PJMEDIA_SDP_NEG_PREFER_REMOTE_CODEC_ORDER;\n neg->answer_with_multiple_codecs = PJMEDIA_SDP_NEG_ANSWER_MULTIPLE_CODECS;\n neg->initial_sdp = pjmedia_sdp_session_clone(pool, local);\n neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local);\n\n *p_neg = neg;\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 145282566880350545106204485317244844707, "size": 28, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449656 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_set_remote_offer( pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_neg *neg,\n\t\t\t\t const pjmedia_sdp_session *remote)\n{\n /* Check arguments are valid. */\n PJ_ASSERT_RETURN(pool && neg && remote, PJ_EINVAL);\n\n /* Can only do this in STATE_DONE.\n * If we already provide local offer, then rx_remote_answer() should\n * be called instead of this function.\n */\n PJ_ASSERT_RETURN(neg->state == PJMEDIA_SDP_NEG_STATE_DONE, \n\t\t PJMEDIA_SDPNEG_EINSTATE);\n\n /* State now is STATE_REMOTE_OFFER. 
*/\n neg->state = PJMEDIA_SDP_NEG_STATE_REMOTE_OFFER;\n neg->neg_remote_sdp = pjmedia_sdp_session_clone(pool, remote);\n\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 197722992564468219095324708107613173276, "size": 20, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449659 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_get_neg_remote( pjmedia_sdp_neg *neg,\n\t\t\t\tconst pjmedia_sdp_session **remote)\n{\n PJ_ASSERT_RETURN(neg && remote, PJ_EINVAL);\n PJ_ASSERT_RETURN(neg->neg_remote_sdp, PJMEDIA_SDPNEG_ENONEG);\n\n *remote = neg->neg_remote_sdp;\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 319226620947786118332536034092481320195, "size": 9, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449660 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_get_neg_local( pjmedia_sdp_neg *neg,\n\t\t\t const pjmedia_sdp_session **local)\n{\n PJ_ASSERT_RETURN(neg && local, PJ_EINVAL);\n PJ_ASSERT_RETURN(neg->neg_local_sdp, PJMEDIA_SDPNEG_ENONEG);\n\n *local = neg->neg_local_sdp;\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 209072946929116056803334072498425119956, "size": 9, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449662 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_set_remote_answer( pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_neg *neg,\n\t\t\t\t const pjmedia_sdp_session *remote)\n{\n /* Check arguments are valid. 
*/\n PJ_ASSERT_RETURN(pool && neg && remote, PJ_EINVAL);\n\n /* Can only do this in STATE_LOCAL_OFFER.\n * If we haven't provided local offer, then rx_remote_offer() should\n * be called instead of this function.\n */\n PJ_ASSERT_RETURN(neg->state == PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER, \n\t\t PJMEDIA_SDPNEG_EINSTATE);\n\n /* We're ready to negotiate. */\n neg->state = PJMEDIA_SDP_NEG_STATE_WAIT_NEGO;\n neg->has_remote_answer = PJ_TRUE;\n neg->neg_remote_sdp = pjmedia_sdp_session_clone(pool, remote);\n \n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 207244314488309070936957062457519591507, "size": 21, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449663 }, { "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_set_answer_multiple_codecs(\n pjmedia_sdp_neg *neg,\n pj_bool_t answer_multiple)\n{\n PJ_ASSERT_RETURN(neg, PJ_EINVAL);\n neg->answer_with_multiple_codecs = answer_multiple;\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 248117092337564478747123098065989074218, "size": 8, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449671 }, { "func": "PJ_DEF(pj_bool_t) pjmedia_sdp_neg_was_answer_remote(pjmedia_sdp_neg *neg)\n{\n PJ_ASSERT_RETURN(neg, PJ_FALSE);\n\n return neg->answer_was_remote;\n}", "project": "pjproject", "hash": 43796122874440838758990969022601113736, "size": 6, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449672 }, { "func": "static pj_status_t process_answer(pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_session *local_offer,\n\t\t\t\t pjmedia_sdp_session *answer,\n\t\t\t\t pj_bool_t allow_asym,\n\t\t\t\t pjmedia_sdp_session **p_active)\n{\n unsigned omi = 0; /* Offer media index */\n unsigned ami = 0; /* Answer media index 
*/\n pj_bool_t has_active = PJ_FALSE;\n pjmedia_sdp_session *offer;\n pj_status_t status;\n\n /* Check arguments. */\n PJ_ASSERT_RETURN(pool && local_offer && answer && p_active, PJ_EINVAL);\n\n /* Duplicate local offer SDP. */\n offer = pjmedia_sdp_session_clone(pool, local_offer);\n\n /* Check that media count match between offer and answer */\n // Ticket #527, different media count is allowed for more interoperability,\n // however, the media order must be same between offer and answer.\n // if (offer->media_count != answer->media_count)\n //\t return PJMEDIA_SDPNEG_EMISMEDIA;\n\n /* Now update each media line in the offer with the answer. */\n for (; omimedia_count; ++omi) {\n\tif (ami == answer->media_count) {\n\t /* The answer has less media than the offer */\n\t pjmedia_sdp_media *am;\n\n\t /* Generate matching-but-disabled-media for the answer */\n\t am = sdp_media_clone_deactivate(pool, offer->media[omi],\n\t offer->media[omi], offer);\n\t answer->media[answer->media_count++] = am;\n\t ++ami;\n\n\t /* Deactivate our media offer too */\n\t pjmedia_sdp_media_deactivate(pool, offer->media[omi]);\n\n\t /* No answer media to be negotiated */\n\t continue;\n\t}\n\n\tstatus = process_m_answer(pool, offer->media[omi], answer->media[ami],\n\t\t\t\t allow_asym);\n\n\t/* If media type is mismatched, just disable the media. */\n\tif (status == PJMEDIA_SDPNEG_EINVANSMEDIA) {\n\t pjmedia_sdp_media_deactivate(pool, offer->media[omi]);\n\t continue;\n\t}\n\t/* No common format in the answer media. */\n\telse if (status == PJMEDIA_SDPNEG_EANSNOMEDIA) {\n\t pjmedia_sdp_media_deactivate(pool, offer->media[omi]);\n\t pjmedia_sdp_media_deactivate(pool, answer->media[ami]);\n\t} \n\t/* Return the error code, for other errors. */\n\telse if (status != PJ_SUCCESS) {\n\t return status;\n\t}\n\n\tif (offer->media[omi]->desc.port != 0)\n\t has_active = PJ_TRUE;\n\n\t++ami;\n }\n\n *p_active = offer;\n\n return has_active ? 
PJ_SUCCESS : PJMEDIA_SDPNEG_ENOMEDIA;\n}", "project": "pjproject", "hash": 179732466098847472036252057851522054985, "size": 71, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449669 }, { "func": "static void str_swap(pj_str_t *str1, pj_str_t *str2)\n{\n pj_str_t tmp = *str1;\n *str1 = *str2;\n *str2 = tmp;\n}", "project": "pjproject", "hash": 31071335874861223736375872402192073128, "size": 6, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449665 }, { "func": "static pj_status_t match_offer(pj_pool_t *pool,\n\t\t\t pj_bool_t prefer_remote_codec_order,\n pj_bool_t answer_with_multiple_codecs,\n\t\t\t const pjmedia_sdp_media *offer,\n\t\t\t const pjmedia_sdp_media *preanswer,\n\t\t\t const pjmedia_sdp_session *preanswer_sdp,\n\t\t\t pjmedia_sdp_media **p_answer)\n{\n unsigned i;\n pj_bool_t master_has_codec = 0,\n\t master_has_other = 0,\n\t found_matching_codec = 0,\n\t found_matching_telephone_event = 0,\n\t found_matching_other = 0;\n unsigned pt_answer_count = 0;\n pj_str_t pt_answer[PJMEDIA_MAX_SDP_FMT];\n pj_str_t pt_offer[PJMEDIA_MAX_SDP_FMT];\n pjmedia_sdp_media *answer;\n const pjmedia_sdp_media *master, *slave;\n unsigned nclockrate = 0, clockrate[PJMEDIA_MAX_SDP_FMT];\n unsigned ntel_clockrate = 0, tel_clockrate[PJMEDIA_MAX_SDP_FMT];\n\n /* If offer has zero port, just clone the offer */\n if (offer->desc.port == 0) {\n\tanswer = sdp_media_clone_deactivate(pool, offer, preanswer,\n\t\t\t\t\t preanswer_sdp);\n\t*p_answer = answer;\n\treturn PJ_SUCCESS;\n }\n\n /* If the preanswer define zero port, this media is being rejected,\n * just clone the preanswer.\n */\n if (preanswer->desc.port == 0) {\n\tanswer = pjmedia_sdp_media_clone(pool, preanswer);\n\t*p_answer = answer;\n\treturn PJ_SUCCESS;\n }\n\n /* Set master/slave negotiator based on 
prefer_remote_codec_order. */\n if (prefer_remote_codec_order) {\n\tmaster = offer;\n\tslave = preanswer;\n } else {\n\tmaster = preanswer;\n\tslave = offer;\n }\n \n /* With the addition of telephone-event and dodgy MS RTC SDP, \n * the answer generation algorithm looks really shitty...\n */\n for (i=0; idesc.fmt_count; ++i) {\n\tunsigned j;\n\t\n\tif (pj_isdigit(*master->desc.fmt[i].ptr)) {\n\t /* This is normal/standard payload type, where it's identified\n\t * by payload number.\n\t */\n\t unsigned pt;\n\n\t pt = pj_strtoul(&master->desc.fmt[i]);\n\t \n\t if (pt < 96) {\n\t\t/* For static payload type, it's enough to compare just\n\t\t * the payload number.\n\t\t */\n\n\t\tmaster_has_codec = 1;\n\n\t\t/* We just need to select one codec if not allowing multiple.\n\t\t * Continue if we have selected matching codec for previous \n\t\t * payload.\n\t\t */\n\t\tif (!answer_with_multiple_codecs && found_matching_codec)\n\t\t continue;\n\n\t\t/* Find matching codec in local descriptor. */\n\t\tfor (j=0; jdesc.fmt_count; ++j) {\n\t\t unsigned p;\n\t\t p = pj_strtoul(&slave->desc.fmt[j]);\n\t\t if (p == pt && pj_isdigit(*slave->desc.fmt[j].ptr)) {\n\t\t\tunsigned k;\n\n\t\t\tfound_matching_codec = 1;\n\t\t\tpt_offer[pt_answer_count] = slave->desc.fmt[j];\n\t\t\tpt_answer[pt_answer_count++] = slave->desc.fmt[j];\n\n\t\t\t/* Take note of clock rate for tel-event. Note: for\n\t\t\t * static PT, we assume the clock rate is 8000.\n\t\t\t */\n\t\t\tfor (k=0; kdesc.fmt[i]);\n\t\tif (!a) {\n\t\t pj_assert(!\"Bug! 
Offer should have been validated\");\n\t\t return PJMEDIA_SDP_EMISSINGRTPMAP;\n\t\t}\n\t\tpjmedia_sdp_attr_get_rtpmap(a, &or_);\n\n\t\tif (pj_stricmp2(&or_.enc_name, \"telephone-event\")) {\n\t\t master_has_codec = 1;\n\t\t if (!answer_with_multiple_codecs && found_matching_codec)\n\t\t\tcontinue;\n\t\t is_codec = 1;\n\t\t}\n\t\t\n\t\t/* Find paylaod in our initial SDP with matching \n\t\t * encoding name and clock rate.\n\t\t */\n\t\tfor (j=0; jdesc.fmt_count; ++j) {\n\t\t a = pjmedia_sdp_media_find_attr2(slave, \"rtpmap\", \n\t\t\t\t\t\t &slave->desc.fmt[j]);\n\t\t if (a) {\n\t\t\tpjmedia_sdp_rtpmap lr;\n\t\t\tpjmedia_sdp_attr_get_rtpmap(a, &lr);\n\n\t\t\t/* See if encoding name, clock rate, and\n\t\t\t * channel count match \n\t\t\t */\n\t\t\tif (!pj_stricmp(&or_.enc_name, &lr.enc_name) &&\n\t\t\t or_.clock_rate == lr.clock_rate &&\n\t\t\t (pj_stricmp(&or_.param, &lr.param)==0 ||\n\t\t\t (lr.param.slen==0 && or_.param.slen==1 && \n\t\t\t\t\t\t *or_.param.ptr=='1') || \n\t\t\t (or_.param.slen==0 && lr.param.slen==1 && \n\t\t\t\t\t\t *lr.param.ptr=='1'))) \n\t\t\t{\n\t\t\t /* Match! */\n\t\t\t if (is_codec) {\n\t\t\t\tpjmedia_sdp_media *o_med, *a_med;\n\t\t\t\tunsigned o_fmt_idx, a_fmt_idx;\n\t\t\t\tunsigned k;\n\n\t\t\t\to_med = (pjmedia_sdp_media*)offer;\n\t\t\t\ta_med = (pjmedia_sdp_media*)preanswer;\n\t\t\t\to_fmt_idx = prefer_remote_codec_order? i:j;\n\t\t\t\ta_fmt_idx = prefer_remote_codec_order? j:i;\n\n\t\t\t\t/* Call custom format matching callbacks */\n\t\t\t\tif (custom_fmt_match(pool, &or_.enc_name,\n\t\t\t\t\t\t o_med, o_fmt_idx,\n\t\t\t\t\t\t a_med, a_fmt_idx,\n\t\t\t\t\t\t ALLOW_MODIFY_ANSWER) !=\n\t\t\t\t PJ_SUCCESS)\n\t\t\t\t{\n\t\t\t\t continue;\n\t\t\t\t}\n\t\t\t\tfound_matching_codec = 1;\n\n\t\t\t\t/* Take note of clock rate for tel-event */\n\t\t\t\tfor (k=0; kdesc.fmt[i]:\n\t\t\t\t\t\toffer->desc.fmt[j];\n\t\t\t pt_answer[pt_answer_count++] = \n\t\t\t\t\t\tprefer_remote_codec_order? 
\n\t\t\t\t\t\tpreanswer->desc.fmt[j]:\n\t\t\t\t\t\tpreanswer->desc.fmt[i];\n\t\t\t break;\n\t\t\t}\n\t\t }\n\t\t}\n\t }\n\n\t} else {\n\t /* This is a non-standard, brain damaged SDP where the payload\n\t * type is non-numeric. It exists e.g. in Microsoft RTC based\n\t * UA, to indicate instant messaging capability.\n\t * Example:\n\t *\t- m=x-ms-message 5060 sip null\n\t */\n\t master_has_other = 1;\n\t if (found_matching_other)\n\t\tcontinue;\n\n\t for (j=0; jdesc.fmt_count; ++j) {\n\t\tif (!pj_strcmp(&master->desc.fmt[i], &slave->desc.fmt[j])) {\n\t\t /* Match */\n\t\t found_matching_other = 1;\n\t\t pt_offer[pt_answer_count] = prefer_remote_codec_order?\n\t\t\t\t\t\toffer->desc.fmt[i]:\n\t\t\t\t\t\toffer->desc.fmt[j];\n\t\t pt_answer[pt_answer_count++] = prefer_remote_codec_order? \n\t\t\t\t\t\t preanswer->desc.fmt[j]:\n\t\t\t\t\t\t preanswer->desc.fmt[i];\n\t\t break;\n\t\t}\n\t }\n\t}\n }\n\n /* See if all types of master can be matched. */\n if (master_has_codec && !found_matching_codec) {\n\treturn PJMEDIA_SDPNEG_NOANSCODEC;\n }\n\n /* If this comment is removed, negotiation will fail if remote has offered\n telephone-event and local is not configured with telephone-event\n\n if (offer_has_telephone_event && !found_matching_telephone_event) {\n\treturn PJMEDIA_SDPNEG_NOANSTELEVENT;\n }\n */\n\n if (master_has_other && !found_matching_other) {\n\treturn PJMEDIA_SDPNEG_NOANSUNKNOWN;\n }\n\n /* Seems like everything is in order. */\n\n /* Remove unwanted telephone-event formats. */\n if (found_matching_telephone_event) {\n\tpj_str_t first_televent_offer = {0};\n\tpj_str_t first_televent_answer = {0};\n\tunsigned matched_cnt = 0;\n\n\tfor (i=0; idesc.fmt_count; ++j) {\n\t if (!pj_strcmp(&answer->desc.fmt[j], &pt_answer[i]))\n\t\tbreak;\n\t}\n\tpj_assert(j != answer->desc.fmt_count);\n\tstr_swap(&answer->desc.fmt[i], &answer->desc.fmt[j]);\n }\n \n /* Remove unwanted local formats. 
*/\n for (i=pt_answer_count; idesc.fmt_count; ++i) {\n\tpjmedia_sdp_attr *a;\n\n\t/* Remove rtpmap for this format */\n\ta = pjmedia_sdp_media_find_attr2(answer, \"rtpmap\", \n\t\t\t\t\t &answer->desc.fmt[i]);\n\tif (a) {\n\t pjmedia_sdp_media_remove_attr(answer, a);\n\t}\n\n\t/* Remove fmtp for this format */\n\ta = pjmedia_sdp_media_find_attr2(answer, \"fmtp\", \n\t\t\t\t\t &answer->desc.fmt[i]);\n\tif (a) {\n\t pjmedia_sdp_media_remove_attr(answer, a);\n\t}\n }\n answer->desc.fmt_count = pt_answer_count;\n\n#if PJMEDIA_SDP_NEG_ANSWER_SYMMETRIC_PT\n apply_answer_symmetric_pt(pool, answer, pt_answer_count,\n\t\t\t pt_offer, pt_answer);\n#endif\n\n /* Update media direction. */\n update_media_direction(pool, offer, answer);\n\n *p_answer = answer;\n return PJ_SUCCESS;\n}", "project": "pjproject", "hash": 69562952461395558680391602717220036992, "size": 356, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449668 }, { "func": "static void remove_all_media_directions(pjmedia_sdp_media *m)\n{\n pjmedia_sdp_media_remove_all_attr(m, \"inactive\");\n pjmedia_sdp_media_remove_all_attr(m, \"sendrecv\");\n pjmedia_sdp_media_remove_all_attr(m, \"sendonly\");\n pjmedia_sdp_media_remove_all_attr(m, \"recvonly\");\n}", "project": "pjproject", "hash": 159258827173720754826756580001459082748, "size": 7, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449674 }, { "func": "static void apply_answer_symmetric_pt(pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_media *answer,\n\t\t\t\t unsigned pt_cnt,\n\t\t\t\t const pj_str_t pt_offer[],\n\t\t\t\t const pj_str_t pt_answer[])\n{\n pjmedia_sdp_attr *a_tmp[PJMEDIA_MAX_SDP_ATTR];\n unsigned i, a_tmp_cnt = 0;\n\n /* Rewrite the payload types in the answer if different to\n * the ones in the offer.\n */\n for (i = 0; i < pt_cnt; ++i) 
{\n\tpjmedia_sdp_attr *a;\n\n\t/* Skip if the PTs are the same already, e.g: static PT. */\n\tif (pj_strcmp(&pt_answer[i], &pt_offer[i]) == 0)\n\t continue;\n\n\t/* Rewrite payload type in the answer to match to the offer */\n\tpj_strdup(pool, &answer->desc.fmt[i], &pt_offer[i]);\n\n\t/* Also update payload type in rtpmap */\n\ta = pjmedia_sdp_media_find_attr2(answer, \"rtpmap\", &pt_answer[i]);\n\tif (a) {\n\t rewrite_pt(pool, &a->value, &pt_answer[i], &pt_offer[i]);\n\t /* Temporarily remove the attribute in case the new payload\n\t * type is being used by another format in the media.\n\t */\n\t pjmedia_sdp_media_remove_attr(answer, a);\n\t a_tmp[a_tmp_cnt++] = a;\n\t}\n\n\t/* Also update payload type in fmtp */\n\ta = pjmedia_sdp_media_find_attr2(answer, \"fmtp\", &pt_answer[i]);\n\tif (a) {\n\t rewrite_pt(pool, &a->value, &pt_answer[i], &pt_offer[i]);\n\t /* Temporarily remove the attribute in case the new payload\n\t * type is being used by another format in the media.\n\t */\n\t pjmedia_sdp_media_remove_attr(answer, a);\n\t a_tmp[a_tmp_cnt++] = a;\n\t}\n }\n\n /* Return back 'rtpmap' and 'fmtp' attributes */\n for (i = 0; i < a_tmp_cnt; ++i)\n\tpjmedia_sdp_media_add_attr(answer, a_tmp[i]);\n}", "project": "pjproject", "hash": 94676198818858138948052164899281419766, "size": 49, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449661 }, { "func": "static void update_media_direction(pj_pool_t *pool,\n\t\t\t\t const pjmedia_sdp_media *remote,\n\t\t\t\t pjmedia_sdp_media *local)\n{\n pjmedia_dir old_dir = PJMEDIA_DIR_ENCODING_DECODING,\n\t new_dir;\n\n /* Get the media direction of local SDP */\n if (pjmedia_sdp_media_find_attr2(local, \"sendonly\", NULL))\n\told_dir = PJMEDIA_DIR_ENCODING;\n else if (pjmedia_sdp_media_find_attr2(local, \"recvonly\", NULL))\n\told_dir = PJMEDIA_DIR_DECODING;\n else if (pjmedia_sdp_media_find_attr2(local, \"inactive\", 
NULL))\n\told_dir = PJMEDIA_DIR_NONE;\n\n new_dir = old_dir;\n\n /* Adjust local media direction based on remote media direction */\n if (pjmedia_sdp_media_find_attr2(remote, \"inactive\", NULL) != NULL) {\n\t/* If remote has \"a=inactive\", then local is inactive too */\n\n\tnew_dir = PJMEDIA_DIR_NONE;\n\n } else if(pjmedia_sdp_media_find_attr2(remote, \"sendonly\", NULL) != NULL) {\n\t/* If remote has \"a=sendonly\", then set local to \"recvonly\" if\n\t * it is currently \"sendrecv\". Otherwise if local is NOT \"recvonly\",\n\t * then set local direction to \"inactive\".\n\t */\n\tswitch (old_dir) {\n\tcase PJMEDIA_DIR_ENCODING_DECODING:\n\t new_dir = PJMEDIA_DIR_DECODING;\n\t break;\n\tcase PJMEDIA_DIR_DECODING:\n\t /* No change */\n\t break;\n\tdefault:\n\t new_dir = PJMEDIA_DIR_NONE;\n\t break;\n\t}\n\n } else if(pjmedia_sdp_media_find_attr2(remote, \"recvonly\", NULL) != NULL) {\n\t/* If remote has \"a=recvonly\", then set local to \"sendonly\" if\n\t * it is currently \"sendrecv\". Otherwise if local is NOT \"sendonly\",\n\t * then set local direction to \"inactive\"\n\t */\n \n\tswitch (old_dir) {\n\tcase PJMEDIA_DIR_ENCODING_DECODING:\n\t new_dir = PJMEDIA_DIR_ENCODING;\n\t break;\n\tcase PJMEDIA_DIR_ENCODING:\n\t /* No change */\n\t break;\n\tdefault:\n\t new_dir = PJMEDIA_DIR_NONE;\n\t break;\n\t}\n\n } else {\n\t/* Remote indicates \"sendrecv\" capability. 
No change to local \n\t * direction \n\t */\n }\n\n if (new_dir != old_dir) {\n\tpjmedia_sdp_attr *a = NULL;\n\n\tremove_all_media_directions(local);\n\n\tswitch (new_dir) {\n\tcase PJMEDIA_DIR_NONE:\n\t a = pjmedia_sdp_attr_create(pool, \"inactive\", NULL);\n\t break;\n\tcase PJMEDIA_DIR_ENCODING:\n\t a = pjmedia_sdp_attr_create(pool, \"sendonly\", NULL);\n\t break;\n\tcase PJMEDIA_DIR_DECODING:\n\t a = pjmedia_sdp_attr_create(pool, \"recvonly\", NULL);\n\t break;\n\tdefault:\n\t /* sendrecv */\n\t break;\n\t}\n\t\n\tif (a) {\n\t pjmedia_sdp_media_add_attr(local, a);\n\t}\n }\n}", "project": "pjproject", "hash": 247833342213862715264954993641996018166, "size": 89, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449666 }, { "func": "static pj_status_t create_answer( pj_pool_t *pool,\n\t\t\t\t pj_bool_t prefer_remote_codec_order,\n pj_bool_t answer_with_multiple_codecs,\n\t\t\t\t const pjmedia_sdp_session *initial,\n\t\t\t\t const pjmedia_sdp_session *offer,\n\t\t\t\t pjmedia_sdp_session **p_answer)\n{\n pj_status_t status = PJMEDIA_SDPNEG_ENOMEDIA;\n pj_bool_t has_active = PJ_FALSE;\n pjmedia_sdp_session *answer;\n char media_used[PJMEDIA_MAX_SDP_MEDIA];\n unsigned i;\n\n /* Validate remote offer. \n * This should have been validated before.\n */\n PJ_ASSERT_RETURN((status=pjmedia_sdp_validate(offer))==PJ_SUCCESS, status);\n\n /* Create initial answer by duplicating initial SDP,\n * but clear all media lines. 
The media lines will be filled up later.\n */\n answer = pjmedia_sdp_session_clone(pool, initial);\n PJ_ASSERT_RETURN(answer != NULL, PJ_ENOMEM);\n\n answer->media_count = 0;\n\n pj_bzero(media_used, sizeof(media_used));\n\n /* For each media line, create our answer based on our initial\n * capability.\n */\n for (i=0; imedia_count; ++i) {\n\tconst pjmedia_sdp_media *om;\t/* offer */\n\tconst pjmedia_sdp_media *im;\t/* initial media */\n\tpjmedia_sdp_media *am = NULL;\t/* answer/result */\n\tunsigned j;\n\n\tom = offer->media[i];\n\n\t/* Find media description in our initial capability that matches\n\t * the media type and transport type of offer's media, has\n\t * matching codec, and has not been used to answer other offer.\n\t */\n\tfor (im=NULL, j=0; jmedia_count; ++j) {\n\t im = initial->media[j];\n\t if (pj_strcmp(&om->desc.media, &im->desc.media)==0 &&\n\t\tpj_strcmp(&om->desc.transport, &im->desc.transport)==0 &&\n\t\tmedia_used[j] == 0)\n\t {\n pj_status_t status2;\n\n\t\t/* See if it has matching codec. */\n\t\tstatus2 = match_offer(pool, prefer_remote_codec_order,\n answer_with_multiple_codecs,\n\t\t\t\t om, im, initial, &am);\n\t\tif (status2 == PJ_SUCCESS) {\n\t\t /* Mark media as used. */\n\t\t media_used[j] = 1;\n\t\t break;\n } else {\n status = status2;\n }\n\t }\n\t}\n\n\tif (j==initial->media_count) {\n\t /* No matching media.\n\t * Reject the offer by setting the port to zero in the answer.\n\t */\n\t /* For simplicity in the construction of the answer, we'll\n\t * just clone the media from the offer. 
Anyway receiver will\n\t * ignore anything in the media once it sees that the port\n\t * number is zero.\n\t */\n\t am = sdp_media_clone_deactivate(pool, om, om, answer);\n\t} else {\n\t /* The answer is in am */\n\t pj_assert(am != NULL);\n\t}\n\n\t/* Add the media answer */\n\tanswer->media[answer->media_count++] = am;\n\n\t/* Check if this media is active.*/\n\tif (am->desc.port != 0)\n\t has_active = PJ_TRUE;\n }\n\n *p_answer = answer;\n\n return has_active ? PJ_SUCCESS : status;\n}", "project": "pjproject", "hash": 236570680447781241801738276633744309107, "size": 92, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449676 }, { "func": "PJ_DEF(pj_bool_t) pjmedia_sdp_neg_has_local_answer(pjmedia_sdp_neg *neg)\n{\n pj_assert(neg && neg->state==PJMEDIA_SDP_NEG_STATE_WAIT_NEGO);\n return !neg->has_remote_answer;\n}", "project": "pjproject", "hash": 108008355913245225190456683013015461598, "size": 5, "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365", "message": "Merge pull request from GHSA-hvq6-f89p-frvp", "target": 0, "dataset": "other", "idx": 449644 } ] }, { "call_depth": 4, "longest_call_chain": [ "ReadJpegFile", "ReadJpegSections", "process_SOFn", "Get16m" ], "group_size": 10, "functions": [ { "func": "static void process_COM (const uchar * Data, int length)\r\n{\r\n int ch;\r\n char Comment[MAX_COMMENT_SIZE+1];\r\n int nch;\r\n int a;\r\n\r\n nch = 0;\r\n\r\n if (length > MAX_COMMENT_SIZE) length = MAX_COMMENT_SIZE; // Truncate if it won't fit in our structure.\r\n\r\n for (a=2;a= 32 || ch == '\\n' || ch == '\\t'){\r\n Comment[nch++] = (char)ch;\r\n }else{\r\n Comment[nch++] = '?';\r\n }\r\n }\r\n\r\n Comment[nch] = '\\0'; // Null terminate\r\n\r\n if (ShowTags){\r\n printf(\"COM marker comment: %s\\n\",Comment);\r\n }\r\n\r\n strcpy(ImageInfo.Comments,Comment);\r\n}\r", "project": "jhead", "hash": 292664364004845683272530709796861522405, "size": 
31, "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea", "message": "Same error as previous checking in different function", "target": 0, "dataset": "other", "idx": 261976 }, { "func": "Section_t * CreateSection(int SectionType, unsigned char * Data, int Size)\r\n{\r\n Section_t * NewSection;\r\n int a;\r\n int NewIndex;\r\n\r\n NewIndex = 0; // Figure out where to put the comment section.\r\n if (SectionType == M_EXIF){\r\n // Exif alwas goes first!\r\n }else{\r\n for (;NewIndex < 3;NewIndex++){ // Maximum fourth position (just for the heck of it)\r\n if (Sections[NewIndex].Type == M_JFIF) continue; // Put it after Jfif\r\n if (Sections[NewIndex].Type == M_EXIF) continue; // Put it after Exif\r\n break;\r\n }\r\n }\r\n\r\n if (SectionsRead < NewIndex){\r\n ErrFatal(\"Too few sections!\");\r\n }\r\n\r\n CheckSectionsAllocated();\r\n for (a=SectionsRead;a>NewIndex;a--){\r\n Sections[a] = Sections[a-1]; \r\n }\r\n SectionsRead += 1;\r\n\r\n NewSection = Sections+NewIndex;\r\n\r\n NewSection->Type = SectionType;\r\n NewSection->Size = Size;\r\n NewSection->Data = Data;\r\n\r\n return NewSection;\r\n}\r", "project": "jhead", "hash": 142414121532161571740607386321509279285, "size": 35, "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea", "message": "Same error as previous checking in different function", "target": 0, "dataset": "other", "idx": 261975 }, { "func": "static int Get16m(const void * Short)\r\n{\r\n return (((uchar *)Short)[0] << 8) | ((uchar *)Short)[1];\r\n}\r", "project": "jhead", "hash": 224505929614412109203924983268393760920, "size": 4, "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea", "message": "Same error as previous checking in different function", "target": 0, "dataset": "other", "idx": 261970 }, { "func": "void DiscardAllButExif(void)\r\n{\r\n Section_t ExifKeeper;\r\n Section_t CommentKeeper;\r\n Section_t IptcKeeper;\r\n Section_t XmpKeeper;\r\n int a;\r\n\r\n memset(&ExifKeeper, 0, sizeof(ExifKeeper));\r\n memset(&CommentKeeper, 
0, sizeof(CommentKeeper));\r\n memset(&IptcKeeper, 0, sizeof(IptcKeeper));\r\n memset(&XmpKeeper, 0, sizeof(IptcKeeper));\r\n\r\n for (a=0;a SectionsAllocated){\r\n ErrFatal(\"allocation screwup\");\r\n }\r\n if (SectionsRead >= SectionsAllocated){\r\n SectionsAllocated += SectionsAllocated/2;\r\n Sections = (Section_t *)realloc(Sections, sizeof(Section_t)*SectionsAllocated);\r\n if (Sections == NULL){\r\n ErrFatal(\"could not allocate data for entire image\");\r\n }\r\n }\r\n}\r", "project": "jhead", "hash": 198591798752355418002318661649443148034, "size": 13, "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea", "message": "Same error as previous checking in different function", "target": 0, "dataset": "other", "idx": 261984 }, { "func": "static void process_SOFn (const uchar * Data, int marker)\r\n{\r\n int data_precision, num_components;\r\n\r\n data_precision = Data[2];\r\n ImageInfo.Height = Get16m(Data+3);\r\n ImageInfo.Width = Get16m(Data+5);\r\n num_components = Data[7];\r\n\r\n if (num_components == 3){\r\n ImageInfo.IsColor = 1;\r\n }else{\r\n ImageInfo.IsColor = 0;\r\n }\r\n\r\n ImageInfo.Process = marker;\r\n\r\n if (ShowTags){\r\n printf(\"JPEG image is %uw * %uh, %d color components, %d bits per sample\\n\",\r\n ImageInfo.Width, ImageInfo.Height, num_components, data_precision);\r\n }\r\n}\r", "project": "jhead", "hash": 321479054901529407692575430681343822106, "size": 22, "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea", "message": "Same error as previous checking in different function", "target": 0, "dataset": "other", "idx": 261981 }, { "func": "int ReadJpegSections (FILE * infile, ReadMode_t ReadMode)\r\n{\r\n int a;\r\n int HaveCom = FALSE;\r\n\r\n a = fgetc(infile);\r\n\r\n if (a != 0xff || fgetc(infile) != M_SOI){\r\n return FALSE;\r\n }\r\n\r\n ImageInfo.JfifHeader.XDensity = ImageInfo.JfifHeader.YDensity = 300;\r\n ImageInfo.JfifHeader.ResolutionUnits = 1;\r\n\r\n for(;;){\r\n int itemlen;\r\n int prev;\r\n int marker = 0;\r\n int 
ll,lh, got;\r\n uchar * Data;\r\n\r\n CheckSectionsAllocated();\r\n\r\n prev = 0;\r\n for (a=0;;a++){\r\n marker = fgetc(infile);\r\n if (marker != 0xff && prev == 0xff) break;\r\n if (marker == EOF){\r\n ErrFatal(\"Unexpected end of file\");\r\n }\r\n prev = marker;\r\n }\r\n\r\n if (a > 10){\r\n ErrNonfatal(\"Extraneous %d padding bytes before section %02X\",a-1,marker);\r\n }\r\n\r\n Sections[SectionsRead].Type = marker;\r\n \r\n // Read the length of the section.\r\n lh = fgetc(infile);\r\n ll = fgetc(infile);\r\n if (lh == EOF || ll == EOF){\r\n ErrFatal(\"Unexpected end of file\");\r\n }\r\n\r\n itemlen = (lh << 8) | ll;\r\n\r\n if (itemlen < 2){\r\n ErrFatal(\"invalid marker\");\r\n }\r\n\r\n Sections[SectionsRead].Size = itemlen;\r\n\r\n Data = (uchar *)malloc(itemlen);\r\n if (Data == NULL){\r\n ErrFatal(\"Could not allocate memory\");\r\n }\r\n Sections[SectionsRead].Data = Data;\r\n\r\n // Store first two pre-read bytes.\r\n Data[0] = (uchar)lh;\r\n Data[1] = (uchar)ll;\r\n\r\n got = fread(Data+2, 1, itemlen-2, infile); // Read the whole section.\r\n if (got != itemlen-2){\r\n ErrFatal(\"Premature end of file?\");\r\n }\r\n SectionsRead += 1;\r\n\r\n switch(marker){\r\n\r\n case M_SOS: // stop before hitting compressed data \r\n // If reading entire image is requested, read the rest of the data.\r\n if (ReadMode & READ_IMAGE){\r\n int cp, ep, size;\r\n // Determine how much file is left.\r\n cp = ftell(infile);\r\n fseek(infile, 0, SEEK_END);\r\n ep = ftell(infile);\r\n fseek(infile, cp, SEEK_SET);\r\n\r\n size = ep-cp;\r\n Data = (uchar *)malloc(size);\r\n if (Data == NULL){\r\n ErrFatal(\"could not allocate data for entire image\");\r\n }\r\n\r\n got = fread(Data, 1, size, infile);\r\n if (got != size){\r\n ErrFatal(\"could not read the rest of the image\");\r\n }\r\n\r\n CheckSectionsAllocated();\r\n Sections[SectionsRead].Data = Data;\r\n Sections[SectionsRead].Size = size;\r\n Sections[SectionsRead].Type = PSEUDO_IMAGE_MARKER;\r\n SectionsRead 
++;\r\n HaveAll = 1;\r\n }\r\n return TRUE;\r\n\r\n case M_DQT:\r\n // Use for jpeg quality guessing\r\n process_DQT(Data, itemlen);\r\n break;\r\n\r\n case M_DHT: \r\n // Use for jpeg quality guessing\r\n process_DHT(Data, itemlen);\r\n break;\r\n\r\n\r\n case M_EOI: // in case it's a tables-only JPEG stream\r\n fprintf(stderr,\"No image in jpeg!\\n\");\r\n return FALSE;\r\n\r\n case M_COM: // Comment section\r\n if (HaveCom || ((ReadMode & READ_METADATA) == 0)){\r\n // Discard this section.\r\n free(Sections[--SectionsRead].Data);\r\n }else{\r\n process_COM(Data, itemlen);\r\n HaveCom = TRUE;\r\n }\r\n break;\r\n\r\n case M_JFIF:\r\n // Regular jpegs always have this tag, exif images have the exif\r\n // marker instead, althogh ACDsee will write images with both markers.\r\n // this program will re-create this marker on absence of exif marker.\r\n // hence no need to keep the copy from the file.\r\n if (itemlen < 16){\r\n fprintf(stderr,\"Jfif header too short\\n\");\r\n goto ignore;\r\n }\r\n if (memcmp(Data+2, \"JFIF\\0\",5)){\r\n fprintf(stderr,\"Header missing JFIF marker\\n\");\r\n }\r\n\r\n ImageInfo.JfifHeader.Present = TRUE;\r\n ImageInfo.JfifHeader.ResolutionUnits = Data[9];\r\n ImageInfo.JfifHeader.XDensity = (Data[10]<<8) | Data[11];\r\n ImageInfo.JfifHeader.YDensity = (Data[12]<<8) | Data[13];\r\n if (ShowTags){\r\n printf(\"JFIF SOI marker: Units: %d \",ImageInfo.JfifHeader.ResolutionUnits);\r\n switch(ImageInfo.JfifHeader.ResolutionUnits){\r\n case 0: printf(\"(aspect ratio)\"); break;\r\n case 1: printf(\"(dots per inch)\"); break;\r\n case 2: printf(\"(dots per cm)\"); break;\r\n default: printf(\"(unknown)\"); break;\r\n }\r\n printf(\" X-density=%d Y-density=%d\\n\",ImageInfo.JfifHeader.XDensity, ImageInfo.JfifHeader.YDensity);\r\n\r\n if (Data[14] || Data[15]){\r\n fprintf(stderr,\"Ignoring jfif header thumbnail\\n\");\r\n }\r\n }\r\n\r\n ignore:\r\n\r\n free(Sections[--SectionsRead].Data);\r\n break;\r\n\r\n case M_EXIF:\r\n // There can be 
different section using the same marker.\r\n if (ReadMode & READ_METADATA){\r\n if (memcmp(Data+2, \"Exif\", 4) == 0){\r\n process_EXIF(Data, itemlen);\r\n break;\r\n }else if (memcmp(Data+2, \"http:\", 5) == 0){\r\n Sections[SectionsRead-1].Type = M_XMP; // Change tag for internal purposes.\r\n if (ShowTags){\r\n printf(\"Image contains XMP section, %d bytes long\\n\", itemlen);\r\n if (ShowTags){\r\n ShowXmp(Sections[SectionsRead-1]);\r\n }\r\n }\r\n break;\r\n }\r\n }\r\n // Oterwise, discard this section.\r\n free(Sections[--SectionsRead].Data);\r\n break;\r\n\r\n case M_IPTC:\r\n if (ReadMode & READ_METADATA){\r\n if (ShowTags){\r\n printf(\"Image contains IPTC section, %d bytes long\\n\", itemlen);\r\n }\r\n // Note: We just store the IPTC section. Its relatively straightforward\r\n // and we don't act on any part of it, so just display it at parse time.\r\n }else{\r\n free(Sections[--SectionsRead].Data);\r\n }\r\n break;\r\n \r\n case M_SOF0: \r\n case M_SOF1: \r\n case M_SOF2: \r\n case M_SOF3: \r\n case M_SOF5: \r\n case M_SOF6: \r\n case M_SOF7: \r\n case M_SOF9: \r\n case M_SOF10:\r\n case M_SOF11:\r\n case M_SOF13:\r\n case M_SOF14:\r\n case M_SOF15:\r\n if (itemlen < 8){\r\n fprintf(stderr,\"Section too short\\n\");\r\n break;\r\n }\r\n process_SOFn(Data, marker);\r\n break;\r\n default:\r\n // Skip any other sections.\r\n if (ShowTags){\r\n printf(\"Jpeg section marker 0x%02x size %d\\n\",marker, itemlen);\r\n }\r\n break;\r\n }\r\n }\r\n return TRUE;\r\n}\r", "project": "jhead", "hash": 109190490159385379929171220952643934796, "size": 226, "commit_id": "5186ddcf9e35a7aa0ff0539489a930434a1325f4", "message": "Just allocate 20 bytes extra at the end of a section. 
Otherwise, we end\nup with a whole lot of little checks for structures that the file says\nare there but are unexpectedly cut off in fuzz tests", "target": 1, "dataset": "other", "idx": 206412 }, { "func": "int ReadJpegSections (FILE * infile, ReadMode_t ReadMode)\r\n{\r\n int a;\r\n int HaveCom = FALSE;\r\n\r\n a = fgetc(infile);\r\n\r\n if (a != 0xff || fgetc(infile) != M_SOI){\r\n return FALSE;\r\n }\r\n\r\n ImageInfo.JfifHeader.XDensity = ImageInfo.JfifHeader.YDensity = 300;\r\n ImageInfo.JfifHeader.ResolutionUnits = 1;\r\n\r\n for(;;){\r\n int itemlen;\r\n int prev;\r\n int marker = 0;\r\n int ll,lh, got;\r\n uchar * Data;\r\n\r\n CheckSectionsAllocated();\r\n\r\n prev = 0;\r\n for (a=0;;a++){\r\n marker = fgetc(infile);\r\n if (marker != 0xff && prev == 0xff) break;\r\n if (marker == EOF){\r\n ErrFatal(\"Unexpected end of file\");\r\n }\r\n prev = marker;\r\n }\r\n\r\n if (a > 10){\r\n ErrNonfatal(\"Extraneous %d padding bytes before section %02X\",a-1,marker);\r\n }\r\n\r\n Sections[SectionsRead].Type = marker;\r\n \r\n // Read the length of the section.\r\n lh = fgetc(infile);\r\n ll = fgetc(infile);\r\n if (lh == EOF || ll == EOF){\r\n ErrFatal(\"Unexpected end of file\");\r\n }\r\n\r\n itemlen = (lh << 8) | ll;\r\n\r\n if (itemlen < 2){\r\n ErrFatal(\"invalid marker\");\r\n }\r\n\r\n Sections[SectionsRead].Size = itemlen;\r\n\r\n // Allocate an extra 20 bytes more than needed, because sometimes when reading structures,\r\n // if the section erroneously ends before short structures that should be there, that can trip\r\n // memory checkers in combination with fuzzers.\r\n Data = (uchar *)malloc(itemlen+20);\r\n if (Data == NULL){\r\n ErrFatal(\"Could not allocate memory\");\r\n }\r\n Sections[SectionsRead].Data = Data;\r\n\r\n // Store first two pre-read bytes.\r\n Data[0] = (uchar)lh;\r\n Data[1] = (uchar)ll;\r\n\r\n got = fread(Data+2, 1, itemlen-2, infile); // Read the whole section.\r\n if (got != itemlen-2){\r\n ErrFatal(\"Premature end of 
file?\");\r\n }\r\n SectionsRead += 1;\r\n\r\n switch(marker){\r\n\r\n case M_SOS: // stop before hitting compressed data \r\n // If reading entire image is requested, read the rest of the data.\r\n if (ReadMode & READ_IMAGE){\r\n int cp, ep, size;\r\n // Determine how much file is left.\r\n cp = ftell(infile);\r\n fseek(infile, 0, SEEK_END);\r\n ep = ftell(infile);\r\n fseek(infile, cp, SEEK_SET);\r\n\r\n size = ep-cp;\r\n Data = (uchar *)malloc(size);\r\n if (Data == NULL){\r\n ErrFatal(\"could not allocate data for entire image\");\r\n }\r\n\r\n got = fread(Data, 1, size, infile);\r\n if (got != size){\r\n ErrFatal(\"could not read the rest of the image\");\r\n }\r\n\r\n CheckSectionsAllocated();\r\n Sections[SectionsRead].Data = Data;\r\n Sections[SectionsRead].Size = size;\r\n Sections[SectionsRead].Type = PSEUDO_IMAGE_MARKER;\r\n SectionsRead ++;\r\n HaveAll = 1;\r\n }\r\n return TRUE;\r\n\r\n case M_DQT:\r\n // Use for jpeg quality guessing\r\n process_DQT(Data, itemlen);\r\n break;\r\n\r\n case M_DHT: \r\n // Use for jpeg quality guessing\r\n process_DHT(Data, itemlen);\r\n break;\r\n\r\n\r\n case M_EOI: // in case it's a tables-only JPEG stream\r\n fprintf(stderr,\"No image in jpeg!\\n\");\r\n return FALSE;\r\n\r\n case M_COM: // Comment section\r\n if (HaveCom || ((ReadMode & READ_METADATA) == 0)){\r\n // Discard this section.\r\n free(Sections[--SectionsRead].Data);\r\n }else{\r\n process_COM(Data, itemlen);\r\n HaveCom = TRUE;\r\n }\r\n break;\r\n\r\n case M_JFIF:\r\n // Regular jpegs always have this tag, exif images have the exif\r\n // marker instead, althogh ACDsee will write images with both markers.\r\n // this program will re-create this marker on absence of exif marker.\r\n // hence no need to keep the copy from the file.\r\n if (itemlen < 16){\r\n fprintf(stderr,\"Jfif header too short\\n\");\r\n goto ignore;\r\n }\r\n if (memcmp(Data+2, \"JFIF\\0\",5)){\r\n fprintf(stderr,\"Header missing JFIF marker\\n\");\r\n }\r\n\r\n 
ImageInfo.JfifHeader.Present = TRUE;\r\n ImageInfo.JfifHeader.ResolutionUnits = Data[9];\r\n ImageInfo.JfifHeader.XDensity = (Data[10]<<8) | Data[11];\r\n ImageInfo.JfifHeader.YDensity = (Data[12]<<8) | Data[13];\r\n if (ShowTags){\r\n printf(\"JFIF SOI marker: Units: %d \",ImageInfo.JfifHeader.ResolutionUnits);\r\n switch(ImageInfo.JfifHeader.ResolutionUnits){\r\n case 0: printf(\"(aspect ratio)\"); break;\r\n case 1: printf(\"(dots per inch)\"); break;\r\n case 2: printf(\"(dots per cm)\"); break;\r\n default: printf(\"(unknown)\"); break;\r\n }\r\n printf(\" X-density=%d Y-density=%d\\n\",ImageInfo.JfifHeader.XDensity, ImageInfo.JfifHeader.YDensity);\r\n\r\n if (Data[14] || Data[15]){\r\n fprintf(stderr,\"Ignoring jfif header thumbnail\\n\");\r\n }\r\n }\r\n\r\n ignore:\r\n\r\n free(Sections[--SectionsRead].Data);\r\n break;\r\n\r\n case M_EXIF:\r\n // There can be different section using the same marker.\r\n if (ReadMode & READ_METADATA){\r\n if (memcmp(Data+2, \"Exif\", 4) == 0){\r\n process_EXIF(Data, itemlen);\r\n break;\r\n }else if (memcmp(Data+2, \"http:\", 5) == 0){\r\n Sections[SectionsRead-1].Type = M_XMP; // Change tag for internal purposes.\r\n if (ShowTags){\r\n printf(\"Image contains XMP section, %d bytes long\\n\", itemlen);\r\n if (ShowTags){\r\n ShowXmp(Sections[SectionsRead-1]);\r\n }\r\n }\r\n break;\r\n }\r\n }\r\n // Oterwise, discard this section.\r\n free(Sections[--SectionsRead].Data);\r\n break;\r\n\r\n case M_IPTC:\r\n if (ReadMode & READ_METADATA){\r\n if (ShowTags){\r\n printf(\"Image contains IPTC section, %d bytes long\\n\", itemlen);\r\n }\r\n // Note: We just store the IPTC section. 
Its relatively straightforward\r\n // and we don't act on any part of it, so just display it at parse time.\r\n }else{\r\n free(Sections[--SectionsRead].Data);\r\n }\r\n break;\r\n \r\n case M_SOF0: \r\n case M_SOF1: \r\n case M_SOF2: \r\n case M_SOF3: \r\n case M_SOF5: \r\n case M_SOF6: \r\n case M_SOF7: \r\n case M_SOF9: \r\n case M_SOF10:\r\n case M_SOF11:\r\n case M_SOF13:\r\n case M_SOF14:\r\n case M_SOF15:\r\n if (itemlen < 8){\r\n fprintf(stderr,\"Section too short\\n\");\r\n break;\r\n }\r\n process_SOFn(Data, marker);\r\n break;\r\n default:\r\n // Skip any other sections.\r\n if (ShowTags){\r\n printf(\"Jpeg section marker 0x%02x size %d\\n\",marker, itemlen);\r\n }\r\n break;\r\n }\r\n }\r\n return TRUE;\r\n}\r", "project": "jhead", "hash": 42724157494429028607325548164811225506, "size": 229, "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea", "message": "Same error as previous checking in different function", "target": 0, "dataset": "other", "idx": 261979 }, { "func": "void DiscardData(void)\r\n{\r\n int a;\r\n\r\n for (a=0;a sizeof(mp4config.asc.buf))\n return ERR_FAIL;\n // get AudioSpecificConfig\n datain(mp4config.asc.buf, mp4config.asc.size);\n\n if (u8in() != TAG_SLC)\n return ERR_FAIL;\n getsize();\n // \"predefined\" (no idea)\n u8in();\n\n return size;\n}", "project": "faad2", "hash": 249840270236166144899568226199914208820, "size": 50, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. 
The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221441 }, { "func": "static int mp4ain(int size)\n{\n // Reserved (6 bytes)\n u32in();\n u16in();\n // Data reference index\n u16in();\n // Version\n u16in();\n // Revision level\n u16in();\n // Vendor\n u32in();\n // Number of channels\n mp4config.channels = u16in();\n // Sample size (bits)\n mp4config.bits = u16in();\n // Compression ID\n u16in();\n // Packet size\n u16in();\n // Sample rate (16.16)\n // fractional framerate, probably not for audio\n // rate integer part\n u16in();\n // rate reminder part\n u16in();\n\n return size;\n}", "project": "faad2", "hash": 177094373413499688540303899101743171346, "size": 30, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221447 }, { "func": "static uint32_t getsize(void)\n{\n int cnt;\n uint32_t size = 0;\n for (cnt = 0; cnt < 4; cnt++)\n {\n int tmp = u8in();\n\n size <<= 7;\n size |= (tmp & 0x7f);\n if (!(tmp & 0x80))\n break;\n }\n return size;\n}", "project": "faad2", "hash": 67050648525714646687008989580781566943, "size": 15, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. 
The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221430 }, { "func": "static int stringin(char *txt, int sizemax)\n{\n int size;\n for (size = 0; size < sizemax; size++)\n {\n if (fread(txt + size, 1, 1, g_fin) != 1)\n return ERR_FAIL;\n if (!txt[size])\n break;\n }\n txt[sizemax-1] = '\\0';\n\n return size;\n}", "project": "faad2", "hash": 310710672344492615641722231561510106411, "size": 14, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221444 }, { "func": "static int u8in(void)\n{\n uint8_t u8;\n datain(&u8, 1);\n return u8;\n}", "project": "faad2", "hash": 313092909630100574008088062923509792283, "size": 6, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. 
The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221439 }, { "func": "static uint32_t u32in(void)\n{\n uint32_t u32;\n datain(&u32, 4);\n u32 = bswap32(u32);\n return u32;\n}", "project": "faad2", "hash": 90610583081550478693284108046074781749, "size": 7, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221454 }, { "func": "static inline uint32_t bswap32(const uint32_t u32)\n{\n#ifndef WORDS_BIGENDIAN\n#if defined (__GNUC__) && ((__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ >= 3)))\n return __builtin_bswap32(u32);\n#elif defined (_MSC_VER)\n return _byteswap_ulong(u32);\n#else\n return (u32 << 24) | ((u32 << 8) & 0xFF0000) | ((u32 >> 8) & 0xFF00) | (u32 >> 24);\n#endif\n#else\n return u32;\n#endif\n}", "project": "faad2", "hash": 220379345707008644331573635180825066237, "size": 14, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. 
The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221431 }, { "func": "static int ilstin(int size)\n{\n enum {NUMSET = 1, GENRE, EXTAG};\n int read = 0;\n\n static struct {\n char *name;\n char *id;\n int flag;\n } tags[] = {\n {\"Album \", \"\\xa9\" \"alb\"},\n {\"Album Artist\", \"aART\"},\n {\"Artist \", \"\\xa9\" \"ART\"},\n {\"Comment \", \"\\xa9\" \"cmt\"},\n {\"Cover image \", \"covr\"},\n {\"Compilation \", \"cpil\"},\n {\"Copyright \", \"cprt\"},\n {\"Date \", \"\\xa9\" \"day\"},\n {\"Disc# \", \"disk\", NUMSET},\n {\"Genre \", \"gnre\", GENRE},\n {\"Grouping \", \"\\xa9\" \"grp\"},\n {\"Lyrics \", \"\\xa9\" \"lyr\"},\n {\"Title \", \"\\xa9\" \"nam\"},\n {\"Rating \", \"rtng\"},\n {\"BPM \", \"tmpo\"},\n {\"Encoder \", \"\\xa9\" \"too\"},\n {\"Track \", \"trkn\", NUMSET},\n {\"Composer \", \"\\xa9\" \"wrt\"},\n {0, \"----\", EXTAG},\n {0},\n };\n\n static const char *genres[] = {\n \"Blues\", \"Classic Rock\", \"Country\", \"Dance\",\n \"Disco\", \"Funk\", \"Grunge\", \"Hip-Hop\",\n \"Jazz\", \"Metal\", \"New Age\", \"Oldies\",\n \"Other\", \"Pop\", \"R&B\", \"Rap\",\n \"Reggae\", \"Rock\", \"Techno\", \"Industrial\",\n \"Alternative\", \"Ska\", \"Death Metal\", \"Pranks\",\n \"Soundtrack\", \"Euro-Techno\", \"Ambient\", \"Trip-Hop\",\n \"Vocal\", \"Jazz+Funk\", \"Fusion\", \"Trance\",\n \"Classical\", \"Instrumental\", \"Acid\", \"House\",\n \"Game\", \"Sound Clip\", \"Gospel\", \"Noise\",\n \"Alternative Rock\", \"Bass\", \"Soul\", \"Punk\",\n \"Space\", \"Meditative\", \"Instrumental Pop\", \"Instrumental Rock\",\n \"Ethnic\", \"Gothic\", \"Darkwave\", \"Techno-Industrial\",\n \"Electronic\", \"Pop-Folk\", \"Eurodance\", \"Dream\",\n \"Southern Rock\", \"Comedy\", \"Cult\", \"Gangsta\",\n \"Top 40\", \"Christian Rap\", \"Pop/Funk\", \"Jungle\",\n \"Native US\", \"Cabaret\", \"New Wave\", \"Psychadelic\",\n 
\"Rave\", \"Showtunes\", \"Trailer\", \"Lo-Fi\",\n \"Tribal\", \"Acid Punk\", \"Acid Jazz\", \"Polka\",\n \"Retro\", \"Musical\", \"Rock & Roll\", \"Hard Rock\",\n \"Folk\", \"Folk-Rock\", \"National Folk\", \"Swing\",\n \"Fast Fusion\", \"Bebob\", \"Latin\", \"Revival\",\n \"Celtic\", \"Bluegrass\", \"Avantgarde\", \"Gothic Rock\",\n \"Progressive Rock\", \"Psychedelic Rock\", \"Symphonic Rock\", \"Slow Rock\",\n \"Big Band\", \"Chorus\", \"Easy Listening\", \"Acoustic\",\n \"Humour\", \"Speech\", \"Chanson\", \"Opera\",\n \"Chamber Music\", \"Sonata\", \"Symphony\", \"Booty Bass\",\n \"Primus\", \"Porn Groove\", \"Satire\", \"Slow Jam\",\n \"Club\", \"Tango\", \"Samba\", \"Folklore\",\n \"Ballad\", \"Power Ballad\", \"Rhythmic Soul\", \"Freestyle\",\n \"Duet\", \"Punk Rock\", \"Drum Solo\", \"Acapella\",\n \"Euro-House\", \"Dance Hall\", \"Goa\", \"Drum & Bass\",\n \"Club - House\", \"Hardcore\", \"Terror\", \"Indie\",\n \"BritPop\", \"Negerpunk\", \"Polsk Punk\", \"Beat\",\n \"Christian Gangsta Rap\", \"Heavy Metal\", \"Black Metal\", \"Crossover\",\n \"Contemporary Christian\", \"Christian Rock\", \"Merengue\", \"Salsa\",\n \"Thrash Metal\", \"Anime\", \"JPop\", \"Synthpop\",\n \"Unknown\",\n };\n\n fprintf(stderr, \"----------tag list-------------\\n\");\n while(read < size)\n {\n int asize, dsize;\n uint8_t id[5];\n int cnt;\n uint32_t type;\n\n id[4] = 0;\n\n asize = u32in();\n read += asize;\n asize -= 4;\n if (datain(id, 4) < 4)\n return ERR_FAIL;\n asize -= 4;\n\n for (cnt = 0; tags[cnt].id; cnt++)\n {\n if (!memcmp(id, tags[cnt].id, 4))\n break;\n }\n\n if (tags[cnt].name)\n fprintf(stderr, \"%s : \", tags[cnt].name);\n else\n {\n if (tags[cnt].flag != EXTAG)\n fprintf(stderr, \"'%s' : \", id);\n }\n\n dsize = u32in();\n asize -= 4;\n if (datain(id, 4) < 4)\n return ERR_FAIL;\n asize -= 4;\n\n if (tags[cnt].flag != EXTAG)\n {\n if (memcmp(id, \"data\", 4))\n return ERR_FAIL;\n }\n else\n {\n int spc;\n\n if (memcmp(id, \"mean\", 4))\n goto skip;\n dsize 
-= 8;\n while (dsize > 0)\n {\n u8in();\n asize--;\n dsize--;\n }\n if (asize >= 8)\n {\n dsize = u32in() - 8;\n asize -= 4;\n if (datain(id, 4) < 4)\n return ERR_FAIL;\n asize -= 4;\n if (memcmp(id, \"name\", 4))\n goto skip;\n u32in();\n asize -= 4;\n dsize -= 4;\n }\n spc = 13 - dsize;\n if (spc < 0) spc = 0;\n while (dsize > 0)\n {\n fprintf(stderr, \"%c\",u8in());\n asize--;\n dsize--;\n }\n while (spc--)\n fprintf(stderr, \" \");\n fprintf(stderr, \": \");\n if (asize >= 8)\n {\n dsize = u32in() - 8;\n asize -= 4;\n if (datain(id, 4) < 4)\n return ERR_FAIL;\n asize -= 4;\n if (memcmp(id, \"data\", 4))\n goto skip;\n u32in();\n asize -= 4;\n dsize -= 4;\n }\n while (dsize > 0)\n {\n fprintf(stderr, \"%c\",u8in());\n asize--;\n dsize--;\n }\n fprintf(stderr, \"\\n\");\n\n goto skip;\n }\n type = u32in();\n asize -= 4;\n u32in();\n asize -= 4;\n\n switch(type)\n {\n case 1:\n while (asize > 0)\n {\n fprintf(stderr, \"%c\",u8in());\n asize--;\n }\n break;\n case 0:\n switch(tags[cnt].flag)\n {\n case NUMSET:\n u16in();\n asize -= 2;\n\n fprintf(stderr, \"%d\", u16in());\n asize -= 2;\n fprintf(stderr, \"/%d\", u16in());\n asize -= 2;\n break;\n case GENRE:\n {\n uint8_t gnum = u16in();\n asize -= 2;\n if (!gnum)\n goto skip;\n gnum--;\n if (gnum >= 147)\n gnum = 147;\n fprintf(stderr, \"%s\", genres[gnum]);\n }\n break;\n default:\n while(asize > 0)\n {\n fprintf(stderr, \"%d/\", u16in());\n asize-=2;\n }\n }\n break;\n case 0x15:\n //fprintf(stderr, \"(8bit data)\");\n while(asize > 0)\n {\n fprintf(stderr, \"%d\", u8in());\n asize--;\n if (asize)\n fprintf(stderr, \"/\");\n }\n break;\n case 0xd:\n fprintf(stderr, \"(image data)\");\n break;\n default:\n fprintf(stderr, \"(unknown data type)\");\n break;\n }\n fprintf(stderr, \"\\n\");\n\n skip:\n // skip to the end of atom\n while (asize > 0)\n {\n u8in();\n asize--;\n }\n }\n fprintf(stderr, \"-------------------------------\\n\");\n\n return size;\n};", "project": "faad2", "hash": 
270817636775156388719722064958229858604, "size": 252, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221450 }, { "func": "static int hdlr1in(int size)\n{\n uint8_t buf[5];\n\n buf[4] = 0;\n // version/flags\n u32in();\n // pre_defined\n u32in();\n // Component subtype\n datain(buf, 4);\n if (mp4config.verbose.header)\n fprintf(stderr, \"*track media type: '%s': \", buf);\n if (memcmp(\"soun\", buf, 4))\n {\n if (mp4config.verbose.header)\n fprintf(stderr, \"unsupported, skipping\\n\");\n return ERR_UNSUPPORTED;\n }\n else\n {\n if (mp4config.verbose.header)\n fprintf(stderr, \"OK\\n\");\n }\n // reserved\n u32in();\n u32in();\n u32in();\n // name\n // null terminate\n u8in();\n\n return size;\n};", "project": "faad2", "hash": 154591307517079041335713649658869234735, "size": 34, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. 
The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221445 }, { "func": "static int metain(int size)\n{\n // version/flags\n u32in();\n\n return ERR_OK;\n};", "project": "faad2", "hash": 75324055347829734329165615870439980536, "size": 7, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221455 }, { "func": "static int ftypin(int size)\n{\n enum {BUFSIZE = 40};\n char buf[BUFSIZE];\n uint32_t u32;\n\n buf[4] = 0;\n datain(buf, 4);\n u32 = u32in();\n\n if (mp4config.verbose.header)\n fprintf(stderr, \"Brand:\\t\\t\\t%s(version %d)\\n\", buf, u32);\n\n stringin(buf, BUFSIZE);\n\n if (mp4config.verbose.header)\n fprintf(stderr, \"Compatible brands:\\t%s\\n\", buf);\n\n return size;\n}", "project": "faad2", "hash": 50311746152815412413561320829290338062, "size": 20, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. 
The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221458 }, { "func": "static int datain(void *data, int size)\n{\n if (fread(data, 1, size, g_fin) != size)\n return ERR_FAIL;\n return size;\n}", "project": "faad2", "hash": 338414385361084113991386902383601496212, "size": 6, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221429 }, { "func": "static uint16_t u16in(void)\n{\n uint16_t u16;\n datain(&u16, 2);\n u16 = bswap16(u16);\n return u16;\n}", "project": "faad2", "hash": 300009682279474729032196346079080354587, "size": 7, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. 
The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221452 }, { "func": "static inline uint16_t bswap16(const uint16_t u16)\n{\n#ifndef WORDS_BIGENDIAN\n#if defined (__GNUC__) && ((__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ >= 8)))\n return __builtin_bswap16(u16);\n#elif defined (_MSC_VER)\n return _byteswap_ushort(u16);\n#else\n return (u16 << 8) | (u16 >> 8);\n#endif\n#else\n return u16;\n#endif\n}", "project": "faad2", "hash": 93752458717884206147046017786973658718, "size": 14, "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24", "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.", "target": 0, "dataset": "other", "idx": 221456 } ] }, { "call_depth": 4, "longest_call_chain": [ "ldapsrv_call_wait_done", "ldapsrv_call_writev_start", "ldapsrv_call_read_next", "ldapsrv_terminate_connection" ], "group_size": 20, "functions": [ { "func": "void ldapsrv_notification_retry_setup(struct ldapsrv_service *service, bool force)\n{\n\tstruct ldapsrv_connection *conn = NULL;\n\tstruct timeval retry;\n\tsize_t num_pending = 0;\n\tsize_t num_active = 0;\n\n\tif (force) {\n\t\tTALLOC_FREE(service->notification.retry);\n\t\tservice->notification.generation += 1;\n\t}\n\n\tif (service->notification.retry != NULL) {\n\t\treturn;\n\t}\n\n\tfor (conn = service->connections; conn != NULL; conn = conn->next) {\n\t\tif (conn->pending_calls == NULL) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tnum_pending += 1;\n\n\t\tif (conn->pending_calls->notification.generation !=\n\t\t 
service->notification.generation)\n\t\t{\n\t\t\tnum_active += 1;\n\t\t}\n\t}\n\n\tif (num_pending == 0) {\n\t\treturn;\n\t}\n\n\tif (num_active != 0) {\n\t\tretry = timeval_current_ofs(0, 100);\n\t} else {\n\t\tretry = timeval_current_ofs(5, 0);\n\t}\n\n\tservice->notification.retry = tevent_wakeup_send(service,\n\t\t\t\t\t\t\t service->task->event_ctx,\n\t\t\t\t\t\t\t retry);\n\tif (service->notification.retry == NULL) {\n\t\t/* retry later */\n\t\treturn;\n\t}\n\n\ttevent_req_set_callback(service->notification.retry,\n\t\t\t\tldapsrv_notification_retry_done,\n\t\t\t\tservice);\n}", "project": "samba", "hash": 164211767725914976735745017379817965043, "size": 52, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274244 }, { "func": "static void ldapsrv_call_postprocess_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_call *call =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_call);\n\tstruct ldapsrv_connection *conn = call->conn;\n\tNTSTATUS status;\n\n\tstatus = call->postprocess_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(call, \"ldapsrv_call_postprocess_done: \"\n\t\t\t\t\t \"call->postprocess_recv() - %s\",\n\t\t\t\t\t nt_errstr(status));\n\t\tif (reason == NULL) {\n\t\t\treason = nt_errstr(status);\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tTALLOC_FREE(call);\n\n\tldapsrv_call_read_next(conn);\n}", "project": "samba", "hash": 50898281518744840722080015617681281545, "size": 28, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of 
MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274258 }, { "func": "static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req)\n{\n\tNTSTATUS status;\n\n\tif (tevent_req_is_nterror(req, &status)) {\n\t\ttevent_req_received(req);\n\t\treturn status;\n\t}\n\n\ttevent_req_received(req);\n\treturn NT_STATUS_OK;\n}", "project": "samba", "hash": 131695309655897279135109411774164603380, "size": 12, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274256 }, { "func": "static void ldapsrv_accept_nonpriv(struct stream_connection *c)\n{\n\tstruct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(\n\t\tc->private_data, struct ldapsrv_service);\n\tstruct auth_session_info *session_info;\n\tNTSTATUS status;\n\n\tstatus = auth_anonymous_session_info(\n\t\tc, ldapsrv_service->task->lp_ctx, &session_info);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tstream_terminate_connection(c, \"failed to setup anonymous \"\n\t\t\t\t\t \"session info\");\n\t\treturn;\n\t}\n\tldapsrv_accept(c, session_info, false);\n}", "project": "samba", "hash": 200890418750490307386632058241356591988, "size": 16, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", 
"target": 0, "dataset": "other", "idx": 274268 }, { "func": "static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn)\n{\n\tstruct tevent_req *subreq;\n\n\tif (conn->pending_calls != NULL) {\n\t\tconn->limits.endtime = timeval_zero();\n\n\t\tldapsrv_notification_retry_setup(conn->service, false);\n\t} else if (timeval_is_zero(&conn->limits.endtime)) {\n\t\tconn->limits.endtime =\n\t\t\ttimeval_current_ofs(conn->limits.initial_timeout, 0);\n\t} else {\n\t\tconn->limits.endtime =\n\t\t\ttimeval_current_ofs(conn->limits.conn_idle_time, 0);\n\t}\n\n\tif (conn->sockets.read_req != NULL) {\n\t\treturn true;\n\t}\n\n\t/*\n\t * The minimum size of a LDAP pdu is 7 bytes\n\t *\n\t * dumpasn1 -hh ldap-unbind-min.dat\n\t *\n\t * <30 05 02 01 09 42 00>\n\t * 0 5: SEQUENCE {\n\t * <02 01 09>\n\t * 2 1: INTEGER 9\n\t * <42 00>\n\t * 5 0: [APPLICATION 2]\n\t * : Error: Object has zero length.\n\t * : }\n\t *\n\t * dumpasn1 -hh ldap-unbind-windows.dat\n\t *\n\t * <30 84 00 00 00 05 02 01 09 42 00>\n\t * 0 5: SEQUENCE {\n\t * <02 01 09>\n\t * 6 1: INTEGER 9\n\t * <42 00>\n\t * 9 0: [APPLICATION 2]\n\t * : Error: Object has zero length.\n\t * : }\n\t *\n\t * This means using an initial read size\n\t * of 7 is ok.\n\t */\n\tsubreq = tstream_read_pdu_blob_send(conn,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->sockets.active,\n\t\t\t\t\t 7, /* initial_read_size */\n\t\t\t\t\t ldapsrv_packet_check,\n\t\t\t\t\t conn);\n\tif (subreq == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"ldapsrv_call_read_next: \"\n\t\t\t\t\"no memory for tstream_read_pdu_blob_send\");\n\t\treturn false;\n\t}\n\tif (!timeval_is_zero(&conn->limits.endtime)) {\n\t\tbool ok;\n\t\tok = tevent_req_set_endtime(subreq,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->limits.endtime);\n\t\tif (!ok) {\n\t\t\tldapsrv_terminate_connection(\n\t\t\t\tconn,\n\t\t\t\t\"ldapsrv_call_read_next: \"\n\t\t\t\t\"no memory for tevent_req_set_endtime\");\n\t\t\treturn 
false;\n\t\t}\n\t}\n\ttevent_req_set_callback(subreq, ldapsrv_call_read_done, conn);\n\tconn->sockets.read_req = subreq;\n\treturn true;\n}", "project": "samba", "hash": 148804764610121926366840016195510941867, "size": 76, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274267 }, { "func": "static void ldapsrv_call_wait_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_call *call =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_call);\n\tstruct ldapsrv_connection *conn = call->conn;\n\tNTSTATUS status;\n\n\tconn->active_call = NULL;\n\n\tstatus = call->wait_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(call, \"ldapsrv_call_wait_done: \"\n\t\t\t\t\t \"call->wait_recv() - %s\",\n\t\t\t\t\t nt_errstr(status));\n\t\tif (reason == NULL) {\n\t\t\treason = nt_errstr(status);\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tldapsrv_call_writev_start(call);\n}", "project": "samba", "hash": 245179838042033896261629711516324441256, "size": 28, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274257 }, { "func": "static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,\n\t\t\t\t\t const char *reason)\n{\n\tstruct tevent_req *subreq;\n\n\tif (conn->limits.reason) 
{\n\t\treturn;\n\t}\n\n\tDLIST_REMOVE(conn->service->connections, conn);\n\n\tconn->limits.endtime = timeval_current_ofs(0, 500);\n\n\ttevent_queue_stop(conn->sockets.send_queue);\n\tTALLOC_FREE(conn->sockets.read_req);\n\tTALLOC_FREE(conn->deferred_expire_disconnect);\n\tif (conn->active_call) {\n\t\ttevent_req_cancel(conn->active_call);\n\t\tconn->active_call = NULL;\n\t}\n\n\tconn->limits.reason = talloc_strdup(conn, reason);\n\tif (conn->limits.reason == NULL) {\n\t\tTALLOC_FREE(conn->sockets.tls);\n\t\tTALLOC_FREE(conn->sockets.sasl);\n\t\tTALLOC_FREE(conn->sockets.raw);\n\t\tstream_terminate_connection(conn->connection, reason);\n\t\treturn;\n\t}\n\n\tsubreq = tstream_disconnect_send(conn,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->sockets.active);\n\tif (subreq == NULL) {\n\t\tTALLOC_FREE(conn->sockets.tls);\n\t\tTALLOC_FREE(conn->sockets.sasl);\n\t\tTALLOC_FREE(conn->sockets.raw);\n\t\tstream_terminate_connection(conn->connection, reason);\n\t\treturn;\n\t}\n\ttevent_req_set_endtime(subreq,\n\t\t\t conn->connection->event.ctx,\n\t\t\t conn->limits.endtime);\n\ttevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);\n}", "project": "samba", "hash": 89896492431690803255383534521597584901, "size": 45, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274255 }, { "func": "static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_connection *conn = tevent_req_callback_data(\n\t\tsubreq, struct ldapsrv_connection);\n\tbool ok;\n\n\tok = tevent_wakeup_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!ok) {\n\t\tDBG_WARNING(\"tevent_wakeup_recv 
failed\\n\");\n\t}\n\tconn->deferred_expire_disconnect = NULL;\n\tldapsrv_terminate_connection(conn, \"network session expired\");\n}", "project": "samba", "hash": 149216946338093456042738285057139220459, "size": 14, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274260 }, { "func": "static void ldapsrv_accept(struct stream_connection *c,\n\t\t\t struct auth_session_info *session_info,\n\t\t\t bool is_privileged)\n{\n\tstruct ldapsrv_service *ldapsrv_service = \n\t\ttalloc_get_type(c->private_data, struct ldapsrv_service);\n\tstruct ldapsrv_connection *conn;\n\tstruct cli_credentials *server_credentials;\n\tstruct socket_address *socket_address;\n\tNTSTATUS status;\n\tint port;\n\tint ret;\n\tstruct tevent_req *subreq;\n\tstruct timeval endtime;\n\tchar *errstring = NULL;\n\n\tconn = talloc_zero(c, struct ldapsrv_connection);\n\tif (!conn) {\n\t\tstream_terminate_connection(c, \"ldapsrv_accept: out of memory\");\n\t\treturn;\n\t}\n\tconn->is_privileged = is_privileged;\n\n\tconn->sockets.send_queue = tevent_queue_create(conn, \"ldapsev send queue\");\n\tif (conn->sockets.send_queue == NULL) {\n\t\tstream_terminate_connection(c,\n\t\t\t\t\t \"ldapsrv_accept: tevent_queue_create failed\");\n\t\treturn;\n\t}\n\n\tTALLOC_FREE(c->event.fde);\n\n\tret = tstream_bsd_existing_socket(conn,\n\t\t\t\t\t socket_get_fd(c->socket),\n\t\t\t\t\t &conn->sockets.raw);\n\tif (ret == -1) {\n\t\tstream_terminate_connection(c,\n\t\t\t\t\t \"ldapsrv_accept: out of memory\");\n\t\treturn;\n\t}\n\tsocket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);\n\n\tconn->connection = c;\n\tconn->service = ldapsrv_service;\n\tconn->lp_ctx = 
ldapsrv_service->task->lp_ctx;\n\n\tc->private_data = conn;\n\n\tsocket_address = socket_get_my_addr(c->socket, conn);\n\tif (!socket_address) {\n\t\tldapsrv_terminate_connection(conn, \"ldapsrv_accept: failed to obtain local socket address!\");\n\t\treturn;\n\t}\n\tport = socket_address->port;\n\ttalloc_free(socket_address);\n\tif (port == 3268 || port == 3269) /* Global catalog */ {\n\t\tconn->global_catalog = true;\n\t}\n\n\tserver_credentials = cli_credentials_init(conn);\n\tif (!server_credentials) {\n\t\tstream_terminate_connection(c, \"Failed to init server credentials\\n\");\n\t\treturn;\n\t}\n\n\tcli_credentials_set_conf(server_credentials, conn->lp_ctx);\n\tstatus = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tstream_terminate_connection(c, talloc_asprintf(conn, \"Failed to obtain server credentials, perhaps a standalone server?: %s\\n\", nt_errstr(status)));\n\t\treturn;\n\t}\n\tconn->server_credentials = server_credentials;\n\n\tconn->session_info = session_info;\n\n\tconn->sockets.active = conn->sockets.raw;\n\n\tif (conn->is_privileged) {\n\t\tconn->require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;\n\t} else {\n\t\tconn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);\n\t}\n\n\tret = ldapsrv_backend_Init(conn, &errstring);\n\tif (ret != LDB_SUCCESS) {\n\t\tchar *reason = talloc_asprintf(conn,\n\t\t\t\t\t \"LDB backend for LDAP Init \"\n\t\t\t\t\t \"failed: %s: %s\",\n\t\t\t\t\t errstring, ldb_strerror(ret));\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\t/* load limits from the conf partition */\n\tldapsrv_load_limits(conn); /* should we fail on error ? 
*/\n\n\t/* register the server */\t\n\tirpc_add_name(c->msg_ctx, \"ldap_server\");\n\n\tDLIST_ADD_END(ldapsrv_service->connections, conn);\n\n\tif (port != 636 && port != 3269) {\n\t\tldapsrv_call_read_next(conn);\n\t\treturn;\n\t}\n\n\tendtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);\n\n\tsubreq = tstream_tls_accept_send(conn,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->sockets.raw,\n\t\t\t\t\t conn->service->tls_params);\n\tif (subreq == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"ldapsrv_accept: \"\n\t\t\t\t\"no memory for tstream_tls_accept_send\");\n\t\treturn;\n\t}\n\ttevent_req_set_endtime(subreq,\n\t\t\t conn->connection->event.ctx,\n\t\t\t endtime);\n\ttevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);\n}", "project": "samba", "hash": 237481986044682052606798819803454206300, "size": 122, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274248 }, { "func": "static void ldapsrv_call_writev_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_call *call =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_call);\n\tstruct ldapsrv_connection *conn = call->conn;\n\tint sys_errno;\n\tint rc;\n\n\trc = tstream_writev_queue_recv(subreq, &sys_errno);\n\tTALLOC_FREE(subreq);\n\n\t/* This releases the ASN.1 encoded packets from memory */\n\tTALLOC_FREE(call->out_iov);\n\tif (rc == -1) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(call, \"ldapsrv_call_writev_done: \"\n\t\t\t\t\t \"tstream_writev_queue_recv() - %d:%s\",\n\t\t\t\t\t sys_errno, strerror(sys_errno));\n\t\tif (reason == NULL) {\n\t\t\treason = \"ldapsrv_call_writev_done: \"\n\t\t\t\t 
\"tstream_writev_queue_recv() failed\";\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tif (call->postprocess_send) {\n\t\tsubreq = call->postprocess_send(call,\n\t\t\t\t\t\tconn->connection->event.ctx,\n\t\t\t\t\t\tcall->postprocess_private);\n\t\tif (subreq == NULL) {\n\t\t\tldapsrv_terminate_connection(conn, \"ldapsrv_call_writev_done: \"\n\t\t\t\t\t\"call->postprocess_send - no memory\");\n\t\t\treturn;\n\t\t}\n\t\ttevent_req_set_callback(subreq,\n\t\t\t\t\tldapsrv_call_postprocess_done,\n\t\t\t\t\tcall);\n\t\treturn;\n\t}\n\n\t/* Perhaps still some more to send */\n\tif (call->replies != NULL) {\n\t\tldapsrv_call_writev_start(call);\n\t\treturn;\n\t}\n\n\tif (!call->notification.busy) {\n\t\tTALLOC_FREE(call);\n\t}\n\n\tldapsrv_call_read_next(conn);\n}", "project": "samba", "hash": 23721395339361040522884503184921195612, "size": 56, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274272 }, { "func": "static void ldapsrv_accept_tls_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_connection *conn =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_connection);\n\tint ret;\n\tint sys_errno;\n\n\tret = tstream_tls_accept_recv(subreq, &sys_errno,\n\t\t\t\t conn, &conn->sockets.tls);\n\tTALLOC_FREE(subreq);\n\tif (ret == -1) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(conn, \"ldapsrv_accept_tls_loop: \"\n\t\t\t\t\t \"tstream_tls_accept_recv() - %d:%s\",\n\t\t\t\t\t sys_errno, strerror(sys_errno));\n\t\tif (!reason) {\n\t\t\treason = \"ldapsrv_accept_tls_loop: \"\n\t\t\t\t \"tstream_tls_accept_recv() - failed\";\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, 
reason);\n\t\treturn;\n\t}\n\n\tconn->sockets.active = conn->sockets.tls;\n\tconn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;\n\tldapsrv_call_read_next(conn);\n}", "project": "samba", "hash": 156007926465375734284255274710207877505, "size": 30, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274266 }, { "func": "static void ldapsrv_notification_retry_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_service *service =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_service);\n\tstruct ldapsrv_connection *conn = NULL;\n\tstruct ldapsrv_connection *conn_next = NULL;\n\tbool ok;\n\n\tservice->notification.retry = NULL;\n\n\tok = tevent_wakeup_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!ok) {\n\t\t/* ignore */\n\t}\n\n\tfor (conn = service->connections; conn != NULL; conn = conn_next) {\n\t\tstruct ldapsrv_call *call = conn->pending_calls;\n\n\t\tconn_next = conn->next;\n\n\t\tif (conn->pending_calls == NULL) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (conn->active_call != NULL) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tDLIST_DEMOTE(conn->pending_calls, call);\n\t\tcall->notification.generation =\n\t\t\t\tservice->notification.generation;\n\n\t\t/* queue the call in the global queue */\n\t\tsubreq = ldapsrv_process_call_send(call,\n\t\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t\t conn->service->call_queue,\n\t\t\t\t\t\t call);\n\t\tif (subreq == NULL) {\n\t\t\tldapsrv_terminate_connection(conn,\n\t\t\t\t\t\"ldapsrv_process_call_send failed\");\n\t\t\tcontinue;\n\t\t}\n\t\ttevent_req_set_callback(subreq, ldapsrv_call_process_done, call);\n\t\tconn->active_call = subreq;\n\t}\n\n\tldapsrv_notification_retry_setup(service, 
false);\n}", "project": "samba", "hash": 209125356924479592647807381179697027992, "size": 50, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274249 }, { "func": "static int ldapsrv_load_limits(struct ldapsrv_connection *conn)\n{\n\tTALLOC_CTX *tmp_ctx;\n\tconst char *attrs[] = { \"configurationNamingContext\", NULL };\n\tconst char *attrs2[] = { \"lDAPAdminLimits\", NULL };\n\tstruct ldb_message_element *el;\n\tstruct ldb_result *res = NULL;\n\tstruct ldb_dn *basedn;\n\tstruct ldb_dn *conf_dn;\n\tstruct ldb_dn *policy_dn;\n\tunsigned int i;\n\tint ret;\n\n\t/* set defaults limits in case of failure */\n\tconn->limits.initial_timeout = 120;\n\tconn->limits.conn_idle_time = 900;\n\tconn->limits.max_page_size = 1000;\n\tconn->limits.max_notifications = 5;\n\tconn->limits.search_timeout = 120;\n\tconn->limits.expire_time = (struct timeval) {\n\t\t.tv_sec = get_time_t_max(),\n\t};\n\n\n\ttmp_ctx = talloc_new(conn);\n\tif (tmp_ctx == NULL) {\n\t\treturn -1;\n\t}\n\n\tbasedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);\n\tif (basedn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);\n\tif (ret != LDB_SUCCESS) {\n\t\tgoto failed;\n\t}\n\n\tif (res->count != 1) {\n\t\tgoto failed;\n\t}\n\n\tconf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], \"configurationNamingContext\");\n\tif (conf_dn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tpolicy_dn = ldb_dn_copy(tmp_ctx, conf_dn);\n\tldb_dn_add_child_fmt(policy_dn, \"CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services\");\n\tif (policy_dn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tret = 
ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);\n\tif (ret != LDB_SUCCESS) {\n\t\tgoto failed;\n\t}\n\n\tif (res->count != 1) {\n\t\tgoto failed;\n\t}\n\n\tel = ldb_msg_find_element(res->msgs[0], \"lDAPAdminLimits\");\n\tif (el == NULL) {\n\t\tgoto failed;\n\t}\n\n\tfor (i = 0; i < el->num_values; i++) {\n\t\tchar policy_name[256];\n\t\tint policy_value, s;\n\n\t\ts = sscanf((const char *)el->values[i].data, \"%255[^=]=%d\", policy_name, &policy_value);\n\t\tif (s != 2 || policy_value == 0)\n\t\t\tcontinue;\n\t\tif (strcasecmp(\"InitRecvTimeout\", policy_name) == 0) {\n\t\t\tconn->limits.initial_timeout = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxConnIdleTime\", policy_name) == 0) {\n\t\t\tconn->limits.conn_idle_time = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxPageSize\", policy_name) == 0) {\n\t\t\tconn->limits.max_page_size = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxNotificationPerConn\", policy_name) == 0) {\n\t\t\tconn->limits.max_notifications = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxQueryDuration\", policy_name) == 0) {\n\t\t\tconn->limits.search_timeout = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t}\n\n\treturn 0;\n\nfailed:\n\tDBG_ERR(\"Failed to load ldap server query policies\\n\");\n\ttalloc_free(tmp_ctx);\n\treturn -1;\n}", "project": "samba", "hash": 179110453965118510639557808253855764974, "size": 104, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 1, "dataset": "other", "idx": 198425 }, { "func": "static int ldapsrv_load_limits(struct ldapsrv_connection *conn)\n{\n\tTALLOC_CTX *tmp_ctx;\n\tconst char *attrs[] = { 
\"configurationNamingContext\", NULL };\n\tconst char *attrs2[] = { \"lDAPAdminLimits\", NULL };\n\tstruct ldb_message_element *el;\n\tstruct ldb_result *res = NULL;\n\tstruct ldb_dn *basedn;\n\tstruct ldb_dn *conf_dn;\n\tstruct ldb_dn *policy_dn;\n\tunsigned int i;\n\tint ret;\n\n\t/* set defaults limits in case of failure */\n\tconn->limits.initial_timeout = 120;\n\tconn->limits.conn_idle_time = 900;\n\tconn->limits.max_page_size = 1000;\n\tconn->limits.max_notifications = 5;\n\tconn->limits.search_timeout = 120;\n\tconn->limits.expire_time = (struct timeval) {\n\t\t.tv_sec = get_time_t_max(),\n\t};\n\n\n\ttmp_ctx = talloc_new(conn);\n\tif (tmp_ctx == NULL) {\n\t\treturn -1;\n\t}\n\n\tbasedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);\n\tif (basedn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);\n\tif (ret != LDB_SUCCESS) {\n\t\tgoto failed;\n\t}\n\n\tif (res->count != 1) {\n\t\tgoto failed;\n\t}\n\n\tconf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], \"configurationNamingContext\");\n\tif (conf_dn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tpolicy_dn = ldb_dn_copy(tmp_ctx, conf_dn);\n\tldb_dn_add_child_fmt(policy_dn, \"CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services\");\n\tif (policy_dn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);\n\tif (ret != LDB_SUCCESS) {\n\t\tgoto failed;\n\t}\n\n\tif (res->count != 1) {\n\t\tgoto failed;\n\t}\n\n\tel = ldb_msg_find_element(res->msgs[0], \"lDAPAdminLimits\");\n\tif (el == NULL) {\n\t\tgoto failed;\n\t}\n\n\tfor (i = 0; i < el->num_values; i++) {\n\t\tchar policy_name[256];\n\t\tint policy_value, s;\n\n\t\ts = sscanf((const char *)el->values[i].data, \"%255[^=]=%d\", policy_name, &policy_value);\n\t\tif (s != 2 || policy_value == 0)\n\t\t\tcontinue;\n\t\tif (strcasecmp(\"InitRecvTimeout\", policy_name) == 0) 
{\n\t\t\tconn->limits.initial_timeout = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxConnIdleTime\", policy_name) == 0) {\n\t\t\tconn->limits.conn_idle_time = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxPageSize\", policy_name) == 0) {\n\t\t\tconn->limits.max_page_size = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxNotificationPerConn\", policy_name) == 0) {\n\t\t\tconn->limits.max_notifications = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxQueryDuration\", policy_name) == 0) {\n\t\t\tif (policy_value > 0) {\n\t\t\t\tconn->limits.search_timeout = policy_value;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\t}\n\n\treturn 0;\n\nfailed:\n\tDBG_ERR(\"Failed to load ldap server query policies\\n\");\n\ttalloc_free(tmp_ctx);\n\treturn -1;\n}", "project": "samba", "hash": 20233092815787754852088965792044905240, "size": 106, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274270 }, { "func": "static NTSTATUS ldapsrv_packet_check(\n\tvoid *private_data,\n\tDATA_BLOB blob,\n\tsize_t *packet_size)\n{\n\tNTSTATUS ret;\n\tstruct ldapsrv_connection *conn = private_data;\n\tint result = LDB_SUCCESS;\n\n\tret = ldap_full_packet(private_data, blob, packet_size);\n\tif (!NT_STATUS_IS_OK(ret)) {\n\t\treturn ret;\n\t}\n\tresult = ldapsrv_check_packet_size(conn, *packet_size);\n\tif (result != LDAP_SUCCESS) {\n\t\treturn NT_STATUS_LDAP(result);\n\t}\n\treturn NT_STATUS_OK;\n}", "project": "samba", "hash": 26391111498996562762649733474230387709, "size": 19, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater 
than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274263 }, { "func": "static void ldapsrv_call_writev_start(struct ldapsrv_call *call)\n{\n\tstruct ldapsrv_connection *conn = call->conn;\n\tstruct ldapsrv_reply *reply = NULL;\n\tstruct tevent_req *subreq = NULL;\n\tsize_t length = 0;\n\tsize_t i;\n\n\tcall->iov_count = 0;\n\n\t/* build all the replies into an IOV (no copy) */\n\tfor (reply = call->replies;\n\t reply != NULL;\n\t reply = reply->next) {\n\n\t\t/* Cap output at 25MB per writev() */\n\t\tif (length > length + reply->blob.length\n\t\t || length + reply->blob.length > LDAP_SERVER_MAX_CHUNK_SIZE) {\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * Overflow is harmless here, just used below to\n\t\t * decide if to read or write, but checked above anyway\n\t\t */\n\t\tlength += reply->blob.length;\n\n\t\t/*\n\t\t * At worst an overflow would mean we send less\n\t\t * replies\n\t\t */\n\t\tcall->iov_count++;\n\t}\n\n\tif (length == 0) {\n\t\tif (!call->notification.busy) {\n\t\t\tTALLOC_FREE(call);\n\t\t}\n\n\t\tldapsrv_call_read_next(conn);\n\t\treturn;\n\t}\n\n\t/* Cap call->iov_count at IOV_MAX */\n\tcall->iov_count = MIN(call->iov_count, IOV_MAX);\n\n\tcall->out_iov = talloc_array(call,\n\t\t\t\t struct iovec,\n\t\t\t\t call->iov_count);\n\tif (!call->out_iov) {\n\t\t/* This is not ideal */\n\t\tldapsrv_terminate_connection(conn,\n\t\t\t\t\t \"failed to allocate \"\n\t\t\t\t\t \"iovec array\");\n\t\treturn;\n\t}\n\n\t/* We may have had to cap the number of replies at IOV_MAX */\n\tfor (i = 0;\n\t i < call->iov_count && call->replies != NULL;\n\t i++) {\n\t\treply = call->replies;\n\t\tcall->out_iov[i].iov_base = reply->blob.data;\n\t\tcall->out_iov[i].iov_len = reply->blob.length;\n\n\t\t/* Keep only the ASN.1 encoded data */\n\t\ttalloc_steal(call->out_iov, 
reply->blob.data);\n\n\t\tDLIST_REMOVE(call->replies, reply);\n\t\tTALLOC_FREE(reply);\n\t}\n\n\tif (i > call->iov_count) {\n\t\t/* This is not ideal, but also (essentially) impossible */\n\t\tldapsrv_terminate_connection(conn,\n\t\t\t\t\t \"call list ended\"\n\t\t\t\t\t \"before iov_count\");\n\t\treturn;\n\t}\n\n\tsubreq = tstream_writev_queue_send(call,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->sockets.active,\n\t\t\t\t\t conn->sockets.send_queue,\n\t\t\t\t\t call->out_iov, call->iov_count);\n\tif (subreq == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"stream_writev_queue_send failed\");\n\t\treturn;\n\t}\n\ttevent_req_set_callback(subreq, ldapsrv_call_writev_done, call);\n}", "project": "samba", "hash": 63660284643483350930249543818774251501, "size": 91, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274265 }, { "func": "static void ldapsrv_accept_priv(struct stream_connection *c)\n{\n\tstruct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(\n\t\tc->private_data, struct ldapsrv_service);\n\tstruct auth_session_info *session_info;\n\n\tsession_info = system_session(ldapsrv_service->task->lp_ctx);\n\tif (!session_info) {\n\t\tstream_terminate_connection(c, \"failed to setup system \"\n\t\t\t\t\t \"session info\");\n\t\treturn;\n\t}\n\tldapsrv_accept(c, session_info, true);\n}", "project": "samba", "hash": 248588516067925582677625240081482568956, "size": 14, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton 
\nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274269 }, { "func": "static void ldapsrv_call_read_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_connection *conn =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_connection);\n\tNTSTATUS status;\n\tstruct ldapsrv_call *call;\n\tstruct asn1_data *asn1;\n\tDATA_BLOB blob;\n\tint ret = LDAP_SUCCESS;\n\tstruct ldap_request_limits limits = {0};\n\n\tconn->sockets.read_req = NULL;\n\n\tcall = talloc_zero(conn, struct ldapsrv_call);\n\tif (!call) {\n\t\tldapsrv_terminate_connection(conn, \"no memory\");\n\t\treturn;\n\t}\n\ttalloc_set_destructor(call, ldapsrv_call_destructor);\n\n\tcall->conn = conn;\n\n\tstatus = tstream_read_pdu_blob_recv(subreq,\n\t\t\t\t\t call,\n\t\t\t\t\t &blob);\n\tTALLOC_FREE(subreq);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(call, \"ldapsrv_call_loop: \"\n\t\t\t\t\t \"tstream_read_pdu_blob_recv() - %s\",\n\t\t\t\t\t nt_errstr(status));\n\t\tif (!reason) {\n\t\t\treason = nt_errstr(status);\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tret = ldapsrv_check_packet_size(conn, blob.length);\n\tif (ret != LDAP_SUCCESS) {\n\t\tldapsrv_terminate_connection(\n\t\t\tconn,\n\t\t\t\"Request packet too large\");\n\t\treturn;\n\t}\n\n\tasn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH);\n\tif (asn1 == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"no memory\");\n\t\treturn;\n\t}\n\n\tcall->request = talloc(call, struct ldap_message);\n\tif (call->request == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"no memory\");\n\t\treturn;\n\t}\n\n\tasn1_load_nocopy(asn1, blob.data, blob.length);\n\n\tlimits.max_search_size =\n\t\tlpcfg_ldap_max_search_request_size(conn->lp_ctx);\n\tstatus = ldap_decode(\n\t\tasn1,\n\t\t&limits,\n\t\tsamba_ldap_control_handlers(),\n\t\tcall->request);\n\tif (!NT_STATUS_IS_OK(status)) 
{\n\t\tldapsrv_terminate_connection(conn, nt_errstr(status));\n\t\treturn;\n\t}\n\n\tdata_blob_free(&blob);\n\tTALLOC_FREE(asn1);\n\n\n\t/* queue the call in the global queue */\n\tsubreq = ldapsrv_process_call_send(call,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->service->call_queue,\n\t\t\t\t\t call);\n\tif (subreq == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"ldapsrv_process_call_send failed\");\n\t\treturn;\n\t}\n\ttevent_req_set_callback(subreq, ldapsrv_call_process_done, call);\n\tconn->active_call = subreq;\n}", "project": "samba", "hash": 83780409077588544429973836003259519563, "size": 91, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274251 }, { "func": "static void ldapsrv_call_process_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_call *call =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_call);\n\tstruct ldapsrv_connection *conn = call->conn;\n\tNTSTATUS status;\n\n\tconn->active_call = NULL;\n\n\tstatus = ldapsrv_process_call_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tldapsrv_terminate_connection(conn, nt_errstr(status));\n\t\treturn;\n\t}\n\n\tif (call->wait_send != NULL) {\n\t\tsubreq = call->wait_send(call,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t call->wait_private);\n\t\tif (subreq == NULL) {\n\t\t\tldapsrv_terminate_connection(conn,\n\t\t\t\t\t\"ldapsrv_call_process_done: \"\n\t\t\t\t\t\"call->wait_send - no memory\");\n\t\t\treturn;\n\t\t}\n\t\ttevent_req_set_callback(subreq,\n\t\t\t\t\tldapsrv_call_wait_done,\n\t\t\t\t\tcall);\n\t\tconn->active_call = subreq;\n\t\treturn;\n\t}\n\n\tldapsrv_call_writev_start(call);\n}", 
"project": "samba", "hash": 91770496350954271773300687472820359720, "size": 36, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274271 }, { "func": "static int ldapsrv_check_packet_size(\n\tstruct ldapsrv_connection *conn,\n\tsize_t size)\n{\n\tbool is_anonymous = false;\n\tsize_t max_size = 0;\n\n\tmax_size = lpcfg_ldap_max_anonymous_request_size(conn->lp_ctx);\n\tif (size <= max_size) {\n\t\treturn LDAP_SUCCESS;\n\t}\n\n\t/*\n\t * Request is larger than the maximum unauthenticated request size.\n\t * As this code is called frequently we avoid calling\n\t * security_token_is_anonymous if possible\n\t */\n\tif (conn->session_info != NULL &&\n\t\tconn->session_info->security_token != NULL) {\n\t\tis_anonymous = security_token_is_anonymous(\n\t\t\tconn->session_info->security_token);\n\t}\n\n\tif (is_anonymous) {\n\t\tDBG_WARNING(\n\t\t\t\"LDAP request size (%zu) exceeds (%zu)\\n\",\n\t\t\tsize,\n\t\t\tmax_size);\n\t\treturn LDAP_UNWILLING_TO_PERFORM;\n\t}\n\n\tmax_size = lpcfg_ldap_max_authenticated_request_size(conn->lp_ctx);\n\tif (size > max_size) {\n\t\tDBG_WARNING(\n\t\t\t\"LDAP request size (%zu) exceeds (%zu)\\n\",\n\t\t\tsize,\n\t\t\tmax_size);\n\t\treturn LDAP_UNWILLING_TO_PERFORM;\n\t}\n\treturn LDAP_SUCCESS;\n\n}", "project": "samba", "hash": 125310637314983518118518477367507280780, "size": 42, "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79", "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton \nReviewed-by: Douglas Bagnall \n(cherry picked from commit 
e1ab0c43629686d1d2c0b0b2bcdc90057a792049)", "target": 0, "dataset": "other", "idx": 274252 } ] }, { "call_depth": 4, "longest_call_chain": [ "do_print", "do_show", "show_line", "acl_perm_str" ], "group_size": 8, "functions": [ { "func": "int do_show(FILE *stream, const char *path_p, const struct stat *st,\n acl_t acl, acl_t dacl)\n{\n\tstruct name_list *acl_names = get_list(st, acl),\n\t *first_acl_name = acl_names;\n\tstruct name_list *dacl_names = get_list(st, dacl),\n\t *first_dacl_name = dacl_names;\n\t\n\tint acl_names_width = max_name_length(acl_names);\n\tint dacl_names_width = max_name_length(dacl_names);\n\tacl_entry_t acl_ent;\n\tacl_entry_t dacl_ent;\n\tchar acl_mask[ACL_PERMS+1], dacl_mask[ACL_PERMS+1];\n\tint ret;\n\n\tnames_width = 8;\n\tif (acl_names_width > names_width)\n\t\tnames_width = acl_names_width;\n\tif (dacl_names_width > names_width)\n\t\tnames_width = dacl_names_width;\n\n\tacl_mask[0] = '\\0';\n\tif (acl) {\n\t\tacl_mask_perm_str(acl, acl_mask);\n\t\tret = acl_get_entry(acl, ACL_FIRST_ENTRY, &acl_ent);\n\t\tif (ret == 0)\n\t\t\tacl = NULL;\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\tdacl_mask[0] = '\\0';\n\tif (dacl) {\n\t\tacl_mask_perm_str(dacl, dacl_mask);\n\t\tret = acl_get_entry(dacl, ACL_FIRST_ENTRY, &dacl_ent);\n\t\tif (ret == 0)\n\t\t\tdacl = NULL;\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\tfprintf(stream, \"# file: %s\\n\", xquote(path_p, \"\\n\\r\"));\n\twhile (acl_names != NULL || dacl_names != NULL) {\n\t\tacl_tag_t acl_tag, dacl_tag;\n\n\t\tif (acl)\n\t\t\tacl_get_tag_type(acl_ent, &acl_tag);\n\t\tif (dacl)\n\t\t\tacl_get_tag_type(dacl_ent, &dacl_tag);\n\n\t\tif (acl && (!dacl || acl_tag < dacl_tag)) {\n\t\t\tshow_line(stream, &acl_names, acl, &acl_ent, acl_mask,\n\t\t\t NULL, NULL, NULL, NULL);\n\t\t\tcontinue;\n\t\t} else if (dacl && (!acl || dacl_tag < acl_tag)) {\n\t\t\tshow_line(stream, NULL, NULL, NULL, NULL,\n\t\t\t &dacl_names, dacl, &dacl_ent, dacl_mask);\n\t\t\tcontinue;\n\t\t} else {\n\t\t\tif (acl_tag == 
ACL_USER || acl_tag == ACL_GROUP) {\n\t\t\t\tid_t *acl_id_p = NULL, *dacl_id_p = NULL;\n\t\t\t\tif (acl_ent)\n\t\t\t\t\tacl_id_p = acl_get_qualifier(acl_ent);\n\t\t\t\tif (dacl_ent)\n\t\t\t\t\tdacl_id_p = acl_get_qualifier(dacl_ent);\n\t\t\t\t\n\t\t\t\tif (acl && (!dacl || *acl_id_p < *dacl_id_p)) {\n\t\t\t\t\tshow_line(stream, &acl_names, acl,\n\t\t\t\t\t &acl_ent, acl_mask,\n\t\t\t\t\t\t NULL, NULL, NULL, NULL);\n\t\t\t\t\tcontinue;\n\t\t\t\t} else if (dacl &&\n\t\t\t\t\t(!acl || *dacl_id_p < *acl_id_p)) {\n\t\t\t\t\tshow_line(stream, NULL, NULL, NULL,\n\t\t\t\t\t NULL, &dacl_names, dacl,\n\t\t\t\t\t\t &dacl_ent, dacl_mask);\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\t\t\tshow_line(stream, &acl_names, acl, &acl_ent, acl_mask,\n\t\t\t\t &dacl_names, dacl, &dacl_ent, dacl_mask);\n\t\t}\n\t}\n\n\tfree_list(first_acl_name);\n\tfree_list(first_dacl_name);\n\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 148979610646046169696771366369271425537, "size": 87, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491966 }, { "func": "void acl_mask_perm_str(acl_t acl, char *str)\n{\n\tacl_entry_t entry;\n\n\tstr[0] = '\\0';\n\tif (acl_get_entry(acl, ACL_FIRST_ENTRY, &entry) != 1)\n\t\treturn;\n\tfor(;;) {\n\t\tacl_tag_t tag;\n\n\t\tacl_get_tag_type(entry, &tag);\n\t\tif (tag == ACL_MASK) {\n\t\t\tacl_perm_str(entry, str);\n\t\t\treturn;\n\t\t}\n\t\tif (acl_get_entry(acl, ACL_NEXT_ENTRY, &entry) != 1)\n\t\t\treturn;\n\t}\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 102244957849193618816091429761976899252, "size": 19, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes 
http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491977 }, { "func": "int do_print(const char *path_p, const struct stat *st, int walk_flags, void *unused)\n{\n\tconst char *default_prefix = NULL;\n\tacl_t acl = NULL, default_acl = NULL;\n\tint error = 0;\n\n\tif (walk_flags & WALK_TREE_FAILED) {\n\t\tfprintf(stderr, \"%s: %s: %s\\n\", progname, xquote(path_p, \"\\n\\r\"),\n\t\t\tstrerror(errno));\n\t\treturn 1;\n\t}\n\n\t/*\n\t * Symlinks can never have ACLs, so when doing a physical walk, we\n\t * skip symlinks altogether, and when doing a half-logical walk, we\n\t * skip all non-toplevel symlinks. \n\t */\n\tif ((walk_flags & WALK_TREE_SYMLINK) &&\n\t ((walk_flags & WALK_TREE_PHYSICAL) ||\n\t !(walk_flags & (WALK_TREE_TOPLEVEL | WALK_TREE_LOGICAL))))\n\t\treturn 0;\n\n\tif (opt_print_acl) {\n\t\tacl = acl_get_file(path_p, ACL_TYPE_ACCESS);\n\t\tif (acl == NULL && (errno == ENOSYS || errno == ENOTSUP))\n\t\t\tacl = acl_get_file_mode(path_p);\n\t\tif (acl == NULL)\n\t\t\tgoto fail;\n\t}\n\n\tif (opt_print_default_acl && S_ISDIR(st->st_mode)) {\n\t\tdefault_acl = acl_get_file(path_p, ACL_TYPE_DEFAULT);\n\t\tif (default_acl == NULL) {\n\t\t\tif (errno != ENOSYS && errno != ENOTSUP)\n\t\t\t\tgoto fail;\n\t\t} else if (acl_entries(default_acl) == 0) {\n\t\t\tacl_free(default_acl);\n\t\t\tdefault_acl = NULL;\n\t\t}\n\t}\n\n\tif (opt_skip_base &&\n\t (!acl || acl_equiv_mode(acl, NULL) == 0) && !default_acl)\n\t\treturn 0;\n\n\tif (opt_print_acl && opt_print_default_acl)\n\t\tdefault_prefix = \"default:\";\n\n\tif (opt_strip_leading_slash) {\n\t\tif (*path_p == '/') {\n\t\t\tif (!absolute_warning) {\n\t\t\t\tfprintf(stderr, _(\"%s: Removing leading \"\n\t\t\t\t\t\"'/' from absolute path names\\n\"),\n\t\t\t\t progname);\n\t\t\t\tabsolute_warning = 1;\n\t\t\t}\n\t\t\twhile (*path_p == '/')\n\t\t\t\tpath_p++;\n\t\t} else if (*path_p == '.' 
&& *(path_p+1) == '/')\n\t\t\twhile (*++path_p == '/')\n\t\t\t\t/* nothing */ ;\n\t\tif (*path_p == '\\0')\n\t\t\tpath_p = \".\";\n\t}\n\n\tif (opt_tabular) {\n\t\tif (do_show(stdout, path_p, st, acl, default_acl) != 0)\n\t\t\tgoto fail;\n\t} else {\n\t\tif (opt_comments) {\n\t\t\tprintf(\"# file: %s\\n\", xquote(path_p, \"\\n\\r\"));\n\t\t\tprintf(\"# owner: %s\\n\",\n\t\t\t xquote(user_name(st->st_uid, opt_numeric), \" \\t\\n\\r\"));\n\t\t\tprintf(\"# group: %s\\n\",\n\t\t\t xquote(group_name(st->st_gid, opt_numeric), \" \\t\\n\\r\"));\n\t\t}\n\t\tif (acl != NULL) {\n\t\t\tchar *acl_text = acl_to_any_text(acl, NULL, '\\n',\n\t\t\t\t\t\t\t print_options);\n\t\t\tif (!acl_text)\n\t\t\t\tgoto fail;\n\t\t\tif (puts(acl_text) < 0) {\n\t\t\t\tacl_free(acl_text);\n\t\t\t\tgoto fail;\n\t\t\t}\n\t\t\tacl_free(acl_text);\n\t\t}\n\t\tif (default_acl != NULL) {\n\t\t\tchar *acl_text = acl_to_any_text(default_acl, \n\t\t\t\t\t\t\t default_prefix, '\\n',\n\t\t\t\t\t\t\t print_options);\n\t\t\tif (!acl_text)\n\t\t\t\tgoto fail;\n\t\t\tif (puts(acl_text) < 0) {\n\t\t\t\tacl_free(acl_text);\n\t\t\t\tgoto fail;\n\t\t\t}\n\t\t\tacl_free(acl_text);\n\t\t}\n\t}\n\tif (acl || default_acl || opt_comments)\n\t\tprintf(\"\\n\");\n\ncleanup:\n\tif (acl)\n\t\tacl_free(acl);\n\tif (default_acl)\n\t\tacl_free(default_acl);\n\treturn error;\n\nfail:\n\tfprintf(stderr, \"%s: %s: %s\\n\", progname, xquote(path_p, \"\\n\\r\"),\n\t\tstrerror(errno));\n\terror = -1;\n\tgoto cleanup;\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 304094450354480469241650128653476885305, "size": 116, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491971 }, { "func": "void free_list(struct name_list *names)\n{\n\tstruct name_list *next;\n\n\twhile (names) {\n\t\tnext = 
names->next;\n\t\tfree(names);\n\t\tnames = next;\n\t}\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 246378709380030782815618129545973149210, "size": 10, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491972 }, { "func": "int show_line(FILE *stream, struct name_list **acl_names, acl_t acl,\n acl_entry_t *acl_ent, const char *acl_mask,\n struct name_list **dacl_names, acl_t dacl,\n\t acl_entry_t *dacl_ent, const char *dacl_mask)\n{\n\tacl_tag_t tag_type;\n\tconst char *tag, *name;\n\tchar acl_perm[ACL_PERMS+1], dacl_perm[ACL_PERMS+1];\n\n\tif (acl) {\n\t\tacl_get_tag_type(*acl_ent, &tag_type);\n\t\tname = (*acl_names)->name;\n\t} else {\n\t\tacl_get_tag_type(*dacl_ent, &tag_type);\n\t\tname = (*dacl_names)->name;\n\t}\n\n\tswitch(tag_type) {\n\t\tcase ACL_USER_OBJ:\n\t\t\ttag = \"USER\";\n\t\t\tbreak;\n\t\tcase ACL_USER:\n\t\t\ttag = \"user\";\n\t\t\tbreak;\n\t\tcase ACL_GROUP_OBJ:\n\t\t\ttag = \"GROUP\";\n\t\t\tbreak;\n\t\tcase ACL_GROUP:\n\t\t\ttag = \"group\";\n\t\t\tbreak;\n\t\tcase ACL_MASK:\n\t\t\ttag = \"mask\";\n\t\t\tbreak;\n\t\tcase ACL_OTHER:\n\t\t\ttag = \"other\";\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -1;\n\t}\n\n\tmemset(acl_perm, ' ', ACL_PERMS);\n\tacl_perm[ACL_PERMS] = '\\0';\n\tif (acl_ent) {\n\t\tacl_perm_str(*acl_ent, acl_perm);\n\t\tif (tag_type != ACL_USER_OBJ && tag_type != ACL_OTHER &&\n\t\t tag_type != ACL_MASK)\n\t\t\tapply_mask(acl_perm, acl_mask);\n\t}\n\tmemset(dacl_perm, ' ', ACL_PERMS);\n\tdacl_perm[ACL_PERMS] = '\\0';\n\tif (dacl_ent) {\n\t\tacl_perm_str(*dacl_ent, dacl_perm);\n\t\tif (tag_type != ACL_USER_OBJ && tag_type != ACL_OTHER &&\n\t\t tag_type != ACL_MASK)\n\t\t\tapply_mask(dacl_perm, dacl_mask);\n\t}\n\n\tfprintf(stream, \"%-5s %*s %*s %*s\\n\",\n\t tag, -names_width, name,\n\t 
-(int)ACL_PERMS, acl_perm,\n\t\t-(int)ACL_PERMS, dacl_perm);\n\n\tif (acl_names) {\n\t\tacl_get_entry(acl, ACL_NEXT_ENTRY, acl_ent);\n\t\t(*acl_names) = (*acl_names)->next;\n\t}\n\tif (dacl_names) {\n\t\tacl_get_entry(dacl, ACL_NEXT_ENTRY, dacl_ent);\n\t\t(*dacl_names) = (*dacl_names)->next;\n\t}\n\treturn 0;\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 161065813611095891222693530206636661992, "size": 72, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491974 }, { "func": "void acl_perm_str(acl_entry_t entry, char *str)\n{\n\tacl_permset_t permset;\n\tint n;\n\n\tacl_get_permset(entry, &permset);\n\tfor (n = 0; n < (int) ACL_PERMS; n++) {\n\t\tstr[n] = (acl_get_perm(permset, acl_perm_defs[n].tag) ?\n\t\t acl_perm_defs[n].c : '-');\n\t}\n\tstr[n] = '\\0';\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 240727839017765817104842232036773145645, "size": 12, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491975 }, { "func": "int max_name_length(struct name_list *names)\n{\n\tint max_len = 0;\n\twhile (names != NULL) {\n\t\tstruct name_list *next = names->next;\n\t\tint len = strlen(names->name);\n\n\t\tif (len > max_len)\n\t\t\tmax_len = len;\n\t\tnames = next;\n\t}\n\treturn max_len;\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 236533432565682712712378128349416165826, "size": 13, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes 
http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491978 }, { "func": "void apply_mask(char *perm, const char *mask)\n{\n\twhile (*perm) {\n\t\tif (*mask == '-' && *perm >= 'a' && *perm <= 'z')\n\t\t\t*perm = *perm - 'a' + 'A';\n\t\tperm++;\n\t\tif (*mask)\n\t\t\tmask++;\n\t}\n}", "target": 0, "cwe": [], "project": "acl", "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5", "hash": 235784037899618074132466825107297440506, "size": 10, "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".", "dataset": "other", "idx": 491968 } ] }, { "call_depth": 4, "longest_call_chain": [ "ntlmssp_append_target_info", "i_zero", "ntlmssp_append_string", "append_string" ], "group_size": 12, "functions": [ { "func": "bool ntlmssp_check_response(const struct ntlmssp_response *response,\n\t\t\t size_t data_size, const char **error)\n{\n\tif (data_size < sizeof(struct ntlmssp_response)) {\n\t\t*error = \"response too short\";\n\t\treturn FALSE;\n\t}\n\n\tif (read_le64(&response->magic) != NTLMSSP_MAGIC) {\n\t\t*error = \"signature mismatch\";\n\t\treturn FALSE;\n\t}\n\n\tif (read_le32(&response->type) != NTLMSSP_MSG_TYPE3) {\n\t\t*error = \"message type mismatch\";\n\t\treturn FALSE;\n\t}\n\n\tif (!ntlmssp_check_buffer(&response->lm_response, data_size, error) ||\n\t !ntlmssp_check_buffer(&response->ntlm_response, data_size, error) ||\n\t !ntlmssp_check_buffer(&response->domain, data_size, error) ||\n\t !ntlmssp_check_buffer(&response->user, data_size, error) ||\n\t !ntlmssp_check_buffer(&response->workstation, data_size, error))\n\t\treturn FALSE;\n\n\treturn TRUE;\n}", "target": 0, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 308575781816202870018561307819992021820, "size": 27, "message": "lib-ntlm: Check 
buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 506425 }, { "func": "static unsigned int read_le32(const unsigned char *p)\n{\n return ((unsigned int) p[0])\n | ((unsigned int) p[1] << 8)\n | ((unsigned int) p[2] << 16)\n | ((unsigned int) p[3] << 24);\n}", "project": "fluent-bit", "hash": 130456446374820103303280755667404613105, "size": 7, "commit_id": "cadff53c093210404aed01c4cf586adb8caa07af", "message": "gzip: fix compression size calculation (oss-fuzz 27261)\n\nSigned-off-by: davkor ", "target": 0, "dataset": "other", "idx": 417947 }, { "func": "static void ntlmssp_append_target_info(buffer_t *buf, size_t buffer_offset, ...)\n{\n\tstruct ntlmssp_v2_target_info info;\n\tstruct ntlmssp_buffer buffer;\n\tva_list args;\n\tunsigned int length, total_length = 0;\n\tint type;\n\n\twrite_le32(&buffer.offset, buf->used);\n\n\tva_start(args, buffer_offset);\n\n\tdo {\n\t\tconst char *data;\n\t\ttype = va_arg(args, int);\n\n\t\ti_zero(&info);\n\t\twrite_le16(&info.type, type);\n\n\t\tswitch (type) {\n\t\t\tcase NTPLMSSP_V2_TARGET_END:\n\t\t\t\tbuffer_append(buf, &info, sizeof(info));\n\t\t\t\tlength = sizeof(info);\n\t\t\t\tbreak;\n\t\t\tcase NTPLMSSP_V2_TARGET_SERVER:\n\t\t\tcase NTPLMSSP_V2_TARGET_DOMAIN:\n\t\t\tcase NTPLMSSP_V2_TARGET_FQDN:\n\t\t\tcase NTPLMSSP_V2_TARGET_DNS:\n\t\t\t\tdata = va_arg(args, const char *);\n\t\t\t\twrite_le16(&info.length,\n\t\t\t\t\t strlen(data) * sizeof(ucs2le_t));\n\t\t\t\tbuffer_append(buf, &info, sizeof(info));\n\t\t\t\tlength = append_string(buf, data, FALSE, TRUE) +\n\t\t\t\t\t sizeof(info);\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\ti_panic(\"Invalid NTLM target info block type \"\n\t\t\t\t\t\"%u\", type);\n\t\t}\n\n\t\ttotal_length += length;\n\t\n\t} while (type != 
NTPLMSSP_V2_TARGET_END);\n\n\tva_end(args);\n\n\twrite_le16(&buffer.length, total_length);\n\twrite_le16(&buffer.space, total_length);\n\tbuffer_write(buf, buffer_offset, &buffer, sizeof(buffer));\n}", "target": 0, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 304744503973824614610420588575244245089, "size": 50, "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 506419 }, { "func": "static inline uint32_t ntlmssp_flags(uint32_t client_flags)\n{\n\tuint32_t flags = NTLMSSP_NEGOTIATE_NTLM |\n\t\t\t NTLMSSP_NEGOTIATE_TARGET_INFO;\n\n\tif ((client_flags & NTLMSSP_NEGOTIATE_UNICODE) != 0)\n\t\tflags |= NTLMSSP_NEGOTIATE_UNICODE;\n\telse\n\t\tflags |= NTLMSSP_NEGOTIATE_OEM;\n\n\tif ((client_flags & NTLMSSP_NEGOTIATE_NTLM2) != 0)\n\t\tflags |= NTLMSSP_NEGOTIATE_NTLM2;\n\n\tif ((client_flags & NTLMSSP_REQUEST_TARGET) != 0)\n\t\tflags |= NTLMSSP_REQUEST_TARGET | NTLMSSP_TARGET_TYPE_SERVER;\n\n\treturn flags;\n}", "target": 0, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 143518257012832472132156956647676353494, "size": 18, "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 506422 }, { "func": "int flb_gzip_uncompress(void *in_data, size_t in_len,\n void **out_data, size_t *out_len)\n{\n int status;\n uint8_t *p;\n void *out_buf;\n size_t out_size = 0;\n void *zip_data;\n size_t zip_len;\n unsigned char flg;\n unsigned int xlen, hcrc;\n unsigned int dlen, crc;\n mz_ulong crc_out;\n mz_stream stream;\n const unsigned char 
*start;\n\n /* Minimal length: header + crc32 */\n if (in_len < 18) {\n flb_error(\"[gzip] unexpected content length\");\n return -1;\n }\n\n /* Magic bytes */\n p = in_data;\n if (p[0] != 0x1F || p[1] != 0x8B) {\n flb_error(\"[gzip] invalid magic bytes\");\n return -1;\n }\n\n if (p[2] != 8) {\n flb_error(\"[gzip] invalid method\");\n return -1;\n }\n\n /* Flag byte */\n flg = p[3];\n\n /* Reserved bits */\n if (flg & 0xE0) {\n flb_error(\"[gzip] invalid flag\");\n return -1;\n }\n\n /* Skip base header of 10 bytes */\n start = p + FLB_GZIP_HEADER_OFFSET;\n\n /* Skip extra data if present */\n if (flg & FEXTRA) {\n xlen = read_le16(start);\n if (xlen > in_len - 12) {\n flb_error(\"[gzip] invalid gzip data\");\n return -1;\n }\n start += xlen + 2;\n }\n\n /* Skip file name if present */\n if (flg & FNAME) {\n do {\n if (start - p >= in_len) {\n flb_error(\"[gzip] invalid gzip data (FNAME)\");\n return -1;\n }\n } while (*start++);\n }\n\n /* Skip file comment if present */\n if (flg & FCOMMENT) {\n do {\n if (start - p >= in_len) {\n flb_error(\"[gzip] invalid gzip data (FCOMMENT)\");\n return -1;\n }\n } while (*start++);\n }\n\n /* Check header crc if present */\n if (flg & FHCRC) {\n if (start - p > in_len - 2) {\n flb_error(\"[gzip] invalid gzip data (FHRC)\");\n return -1;\n }\n\n hcrc = read_le16(start);\n crc = mz_crc32(MZ_CRC32_INIT, p, start - p) & 0x0000FFFF;\n if (hcrc != crc) {\n flb_error(\"[gzip] invalid gzip header CRC\");\n return -1;\n }\n start += 2;\n }\n\n /* Get decompressed length */\n dlen = read_le32(&p[in_len - 4]);\n\n /* Get CRC32 checksum of original data */\n crc = read_le32(&p[in_len - 8]);\n\n /* Decompress data */\n if ((p + in_len) - p < 8) {\n flb_error(\"[gzip] invalid gzip CRC32 checksum\");\n return -1;\n }\n\n /* Allocate outgoing buffer */\n out_buf = flb_malloc(dlen);\n if (!out_buf) {\n flb_errno();\n return -1;\n }\n out_size = dlen;\n\n /* Map zip content */\n zip_data = (uint8_t *) start;\n zip_len = (p + in_len) - start 
- 8;\n\n memset(&stream, 0, sizeof(stream));\n stream.next_in = zip_data;\n stream.avail_in = zip_len;\n stream.next_out = out_buf;\n stream.avail_out = out_size;\n\n status = mz_inflateInit2(&stream, -Z_DEFAULT_WINDOW_BITS);\n if (status != MZ_OK) {\n flb_free(out_buf);\n return -1;\n }\n\n status = mz_inflate(&stream, MZ_FINISH);\n if (status != MZ_STREAM_END) {\n mz_inflateEnd(&stream);\n flb_free(out_buf);\n return -1;\n }\n\n if (stream.total_out != dlen) {\n mz_inflateEnd(&stream);\n flb_free(out_buf);\n flb_error(\"[gzip] invalid gzip data size\");\n return -1;\n }\n\n /* terminate the stream, it's not longer required */\n mz_inflateEnd(&stream);\n\n /* Validate message CRC vs inflated data CRC */\n crc_out = mz_crc32(MZ_CRC32_INIT, out_buf, dlen);\n if (crc_out != crc) {\n flb_free(out_buf);\n flb_error(\"[gzip] invalid GZip checksum (CRC32)\");\n return -1;\n }\n\n /* set the uncompressed data */\n *out_len = dlen;\n *out_data = out_buf;\n\n return 0;\n}", "project": "fluent-bit", "hash": 86999460491909484734595669886450493823, "size": 159, "commit_id": "cadff53c093210404aed01c4cf586adb8caa07af", "message": "gzip: fix compression size calculation (oss-fuzz 27261)\n\nSigned-off-by: davkor ", "target": 0, "dataset": "other", "idx": 417951 }, { "func": "static unsigned int append_string(buffer_t *buf, const char *str, \n\t\t\t\t bool ucase, bool unicode)\n{\n\tunsigned int length = 0;\n\n\tfor ( ; *str != '\\0'; str++) {\n\t\tbuffer_append_c(buf, ucase ? 
i_toupper(*str) : *str);\n\t\tif (unicode) {\n\t\t\tbuffer_append_c(buf, 0);\n\t\t\tlength++; \n\t\t}\n\t\tlength++;\n\t}\n\n\treturn length;\n}", "target": 0, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 270835728281084741559078096449952534504, "size": 16, "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 506418 }, { "func": "static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,\n\t\t\t\t size_t data_size, const char **error)\n{\n\tuint32_t offset = read_le32(&buffer->offset);\n\tuint16_t length = read_le16(&buffer->length);\n\tuint16_t space = read_le16(&buffer->space);\n\n\t/* Empty buffer is ok */\n\tif (length == 0 && space == 0)\n\t\treturn TRUE;\n\n\tif (offset >= data_size) {\n\t\t*error = \"buffer offset out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\tif (offset + space > data_size) {\n\t\t*error = \"buffer end out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "target": 1, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 44503422073269898902321827906643231697, "size": 23, "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 216799 }, { "func": "static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,\n\t\t\t\t size_t data_size, const char **error)\n{\n\tuint32_t offset = read_le32(&buffer->offset);\n\tuint16_t length = read_le16(&buffer->length);\n\tuint16_t space = read_le16(&buffer->space);\n\n\t/* Empty buffer is ok */\n\tif (length == 0 && space == 0)\n\t\treturn 
TRUE;\n\n\tif (length > data_size) {\n\t\t*error = \"buffer length out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\tif (offset >= data_size) {\n\t\t*error = \"buffer offset out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\tif (offset + space > data_size) {\n\t\t*error = \"buffer end out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "target": 0, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 207567383368999279475384375671028455850, "size": 28, "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 506421 }, { "func": "static void ntlmssp_append_string(buffer_t *buf, size_t buffer_offset,\n\t\t\t\t const char *str, bool unicode)\n{\n\tstruct ntlmssp_buffer buffer;\n\tunsigned int length;\n\n\twrite_le32(&buffer.offset, buf->used);\n\n\tlength = append_string(buf, str, FALSE, unicode);\n\n\twrite_le16(&buffer.length, length);\n\twrite_le16(&buffer.space, length);\n\tbuffer_write(buf, buffer_offset, &buffer, sizeof(buffer));\n}", "target": 0, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 302108502454610039907347848030792437312, "size": 14, "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 506420 }, { "func": "ntlmssp_create_challenge(pool_t pool, const struct ntlmssp_request *request,\n\t\t\t size_t *size)\n{\n\tbuffer_t *buf;\n\tuint32_t flags = ntlmssp_flags(read_le32(&request->flags));\n\tbool unicode = (flags & NTLMSSP_NEGOTIATE_UNICODE) != 0;\n\tstruct ntlmssp_challenge c;\n\n\tbuf = 
buffer_create_dynamic(pool, sizeof(struct ntlmssp_challenge));\n\n\ti_zero(&c);\n\twrite_le64(&c.magic, NTLMSSP_MAGIC);\n\twrite_le32(&c.type, NTLMSSP_MSG_TYPE2);\n\twrite_le32(&c.flags, flags);\n\trandom_fill(c.challenge, sizeof(c.challenge));\n\n\tbuffer_write(buf, 0, &c, sizeof(c));\n\n\tif ((flags & NTLMSSP_TARGET_TYPE_SERVER) != 0)\n\t\tntlmssp_append_string(buf,\n\t\t\toffsetof(struct ntlmssp_challenge, target_name),\n\t\t\tmy_hostname, unicode);\n\n\tntlmssp_append_target_info(buf, offsetof(struct ntlmssp_challenge,\n\t\t\t\t\t\t target_info),\n\t\t\t\t NTPLMSSP_V2_TARGET_FQDN, my_hostname,\n\t\t\t\t NTPLMSSP_V2_TARGET_END);\n\n\t*size = buf->used;\n\treturn buffer_free_without_data(&buf);\n}", "target": 0, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 320103123546302170650251415237215051807, "size": 31, "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 506423 }, { "func": "static unsigned int read_le16(const unsigned char *p)\n{\n return ((unsigned int) p[0]) | ((unsigned int) p[1] << 8);\n}", "project": "fluent-bit", "hash": 324762848922911257424959728155920709102, "size": 4, "commit_id": "cadff53c093210404aed01c4cf586adb8caa07af", "message": "gzip: fix compression size calculation (oss-fuzz 27261)\n\nSigned-off-by: davkor ", "target": 0, "dataset": "other", "idx": 417950 }, { "func": "bool ntlmssp_check_request(const struct ntlmssp_request *request,\n\t\t\t size_t data_size, const char **error)\n{\n\tuint32_t flags;\n\n\tif (data_size < sizeof(struct ntlmssp_request)) {\n\t\t*error = \"request too short\";\n\t\treturn FALSE;\n\t}\n\n\tif (read_le64(&request->magic) != NTLMSSP_MAGIC) {\n\t\t*error = \"signature mismatch\";\n\t\treturn FALSE;\n\t}\n\n\tif 
(read_le32(&request->type) != NTLMSSP_MSG_TYPE1) {\n\t\t*error = \"message type mismatch\";\n\t\treturn FALSE;\n\t}\n\n\tflags = read_le32(&request->flags);\n\n\tif ((flags & NTLMSSP_NEGOTIATE_NTLM) == 0) {\n\t\t*error = \"client doesn't advertise NTLM support\";\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}", "target": 0, "cwe": [ "CWE-125" ], "project": "core", "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8", "hash": 259203876739144659665264532647969570099, "size": 29, "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c", "dataset": "other", "idx": 506424 } ] }, { "call_depth": 4, "longest_call_chain": [ "fix_and_set_name_from_value", "fix_from_value", "fix_charset_and_length_from_str_value", "char_length" ], "group_size": 8, "functions": [ { "func": " void fix_charset_and_length_from_str_value(Derivation dv)\n {\n fix_charset_and_length_from_str_value(dv, Metadata(&str_value));\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 154327255266273886720011309447068665016, "size": 4, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. 
This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509365 }, { "func": " void fix_charset_and_length_from_str_value(Derivation dv, Metadata metadata)\n {\n /*\n We have to have a different max_length than 'length' here to\n ensure that we get the right length if we do use the item\n to create a new table. In this case max_length must be the maximum\n number of chars for a string of this type because we in Create_field::\n divide the max_length with mbmaxlen).\n */\n collation.set(str_value.charset(), dv, metadata.repertoire());\n fix_char_length(metadata.char_length());\n decimals= NOT_FIXED_DEC;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 86150775855358446446247509084940415998, "size": 13, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509395 }, { "func": " DTCollation(CHARSET_INFO *collation_arg,\n Derivation derivation_arg,\n uint repertoire_arg)\n :collation(collation_arg),\n derivation(derivation_arg),\n repertoire(repertoire_arg)\n { }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 28332889171668248265375703857713795156, "size": 7, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508937 }, { "func": " uint repertoire() const { return MY_STRING_METADATA::repertoire; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 120270694217732731454200073771895596300, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509414 }, { "func": " size_t char_length() const { return MY_STRING_METADATA::char_length; }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 56924974304726318879916470792753787357, "size": 1, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. 
In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 508931 }, { "func": " void fix_and_set_name_from_value(THD *thd, Derivation dv,\n const Metadata metadata)\n {\n fix_from_value(dv, metadata);\n set_name(thd, str_value.ptr(), str_value.length(), str_value.charset());\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 145223923482690028166112356840311921502, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509321 }, { "func": " void fix_char_length(size_t max_char_length_arg)\n {\n max_length= char_to_byte_length_safe(max_char_length_arg,\n collation.collation->mbmaxlen);\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 128055378885442712357673431363026385823, "size": 5, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509276 }, { "func": " void fix_from_value(Derivation dv, const Metadata metadata)\n {\n fix_charset_and_length_from_str_value(dv, metadata);\n // it is constant => can be used without fix_fields (and frequently used)\n fixed= 1;\n }", "target": 0, "cwe": [ "CWE-617" ], "project": "server", "commit_id": "2e7891080667c59ac80f788eef4d59d447595772", "hash": 165902672546454000048602381389207469936, "size": 6, "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. 
In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya ", "dataset": "other", "idx": 509014 } ] }, { "call_depth": 4, "longest_call_chain": [ "host_callback", "next_lookup", "next_dns_lookup", "as_is_first" ], "group_size": 11, "functions": [ { "func": "static int as_is_first(const struct host_query* hquery)\n{\n char* p;\n int ndots = 0;\n for (p = hquery->name; *p; p++)\n {\n if (*p == '.')\n {\n ndots++;\n }\n }\n return ndots >= hquery->channel->ndots;\n}", "project": "c-ares", "hash": 237346194066420551353335228895255001524, "size": 13, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478390 }, { "func": "struct ares_addrinfo_node *ares__malloc_addrinfo_node()\n{\n struct ares_addrinfo_node *node =\n ares_malloc(sizeof(struct ares_addrinfo_node));\n if (!node)\n return NULL;\n\n *node = empty_addrinfo_node;\n return node;\n}", "project": "c-ares", "hash": 331518379725729988919523964971797931276, "size": 10, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478401 }, { "func": "static void next_lookup(struct host_query *hquery, int status)\n{\n switch (*hquery->remaining_lookups)\n {\n case 'b':\n /* DNS lookup */\n if (next_dns_lookup(hquery))\n break;\n 
hquery->remaining_lookups++;\n next_lookup(hquery, status);\n break;\n\n case 'f':\n /* Host file lookup */\n if (file_lookup(hquery) == ARES_SUCCESS)\n {\n end_hquery(hquery, ARES_SUCCESS);\n break;\n }\n hquery->remaining_lookups++;\n next_lookup(hquery, status);\n break;\n default:\n /* No lookup left */\n end_hquery(hquery, status);\n break;\n }\n}", "project": "c-ares", "hash": 249579464914117560189654227896029669445, "size": 28, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478393 }, { "func": "static unsigned short lookup_service(const char *service, int flags)\n{\n const char *proto;\n struct servent *sep;\n#ifdef HAVE_GETSERVBYNAME_R\n struct servent se;\n char tmpbuf[4096];\n#endif\n\n if (service)\n {\n if (flags & ARES_NI_UDP)\n proto = \"udp\";\n else if (flags & ARES_NI_SCTP)\n proto = \"sctp\";\n else if (flags & ARES_NI_DCCP)\n proto = \"dccp\";\n else\n proto = \"tcp\";\n#ifdef HAVE_GETSERVBYNAME_R\n memset(&se, 0, sizeof(se));\n sep = &se;\n memset(tmpbuf, 0, sizeof(tmpbuf));\n#if GETSERVBYNAME_R_ARGS == 6\n if (getservbyname_r(service, proto, &se, (void *)tmpbuf, sizeof(tmpbuf),\n &sep) != 0)\n sep = NULL; /* LCOV_EXCL_LINE: buffer large so this never fails */\n#elif GETSERVBYNAME_R_ARGS == 5\n sep =\n getservbyname_r(service, proto, &se, (void *)tmpbuf, sizeof(tmpbuf));\n#elif GETSERVBYNAME_R_ARGS == 4\n if (getservbyname_r(service, proto, &se, (void *)tmpbuf) != 0)\n sep = NULL;\n#else\n /* Lets just hope the OS uses TLS! */\n sep = getservbyname(service, proto);\n#endif\n#else\n /* Lets just hope the OS uses TLS! 
*/\n#if (defined(NETWARE) && !defined(__NOVELL_LIBC__))\n sep = getservbyname(service, (char *)proto);\n#else\n sep = getservbyname(service, proto);\n#endif\n#endif\n return (sep ? ntohs((unsigned short)sep->s_port) : 0);\n }\n return 0;\n}", "project": "c-ares", "hash": 200609651790992095530661424133344557133, "size": 49, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478400 }, { "func": "static void host_callback(void *arg, int status, int timeouts,\n unsigned char *abuf, int alen)\n{\n struct host_query *hquery = (struct host_query*)arg;\n int addinfostatus = ARES_SUCCESS;\n hquery->timeouts += timeouts;\n hquery->remaining--;\n\n if (status == ARES_SUCCESS)\n {\n addinfostatus = ares__parse_into_addrinfo(abuf, alen, hquery->ai);\n }\n else if (status == ARES_EDESTRUCTION)\n {\n end_hquery(hquery, status);\n }\n\n if (!hquery->remaining)\n {\n if (addinfostatus != ARES_SUCCESS)\n {\n /* error in parsing result e.g. 
no memory */\n end_hquery(hquery, addinfostatus);\n }\n else if (hquery->ai->nodes)\n {\n /* at least one query ended with ARES_SUCCESS */\n end_hquery(hquery, ARES_SUCCESS);\n }\n else if (status == ARES_ENOTFOUND)\n {\n next_lookup(hquery, status);\n }\n else\n {\n end_hquery(hquery, status);\n }\n }\n\n /* at this point we keep on waiting for the next query to finish */\n}", "project": "c-ares", "hash": 338428520293637615587127648198461687166, "size": 41, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 1, "dataset": "other", "idx": 214405 }, { "func": "static void host_callback(void *arg, int status, int timeouts,\n unsigned char *abuf, int alen)\n{\n struct host_query *hquery = (struct host_query*)arg;\n int addinfostatus = ARES_SUCCESS;\n hquery->timeouts += timeouts;\n hquery->remaining--;\n\n if (status == ARES_SUCCESS)\n {\n addinfostatus = ares__parse_into_addrinfo(abuf, alen, hquery->ai);\n }\n else if (status == ARES_EDESTRUCTION)\n {\n end_hquery(hquery, status);\n return;\n }\n\n if (!hquery->remaining)\n {\n if (addinfostatus != ARES_SUCCESS)\n {\n /* error in parsing result e.g. 
no memory */\n end_hquery(hquery, addinfostatus);\n }\n else if (hquery->ai->nodes)\n {\n /* at least one query ended with ARES_SUCCESS */\n end_hquery(hquery, ARES_SUCCESS);\n }\n else if (status == ARES_ENOTFOUND)\n {\n next_lookup(hquery, status);\n }\n else\n {\n end_hquery(hquery, status);\n }\n }\n\n /* at this point we keep on waiting for the next query to finish */\n}", "project": "c-ares", "hash": 65112642692504141750909294658666282062, "size": 42, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478396 }, { "func": "static int fake_addrinfo(const char *name,\n unsigned short port,\n const struct ares_addrinfo_hints *hints,\n struct ares_addrinfo *ai,\n ares_addrinfo_callback callback,\n void *arg)\n{\n struct ares_addrinfo_cname *cname;\n struct ares_addrinfo_node *node;\n ares_sockaddr addr;\n size_t addrlen;\n int result = 0;\n int family = hints->ai_family;\n if (family == AF_INET || family == AF_INET6 || family == AF_UNSPEC)\n {\n /* It only looks like an IP address if it's all numbers and dots. */\n int numdots = 0, valid = 1;\n const char *p;\n for (p = name; *p; p++)\n {\n if (!ISDIGIT(*p) && *p != '.')\n {\n valid = 0;\n break;\n }\n else if (*p == '.')\n {\n numdots++;\n }\n }\n\n memset(&addr, 0, sizeof(addr));\n\n /* if we don't have 3 dots, it is illegal\n * (although inet_pton doesn't think so).\n */\n if (numdots != 3 || !valid)\n result = 0;\n else\n result =\n (ares_inet_pton(AF_INET, name, &addr.sa4.sin_addr) < 1 ? 
0 : 1);\n\n if (result)\n {\n family = addr.sa.sa_family = AF_INET;\n addr.sa4.sin_port = htons(port);\n addrlen = sizeof(addr.sa4);\n }\n }\n\n if (family == AF_INET6 || family == AF_UNSPEC)\n {\n result =\n (ares_inet_pton(AF_INET6, name, &addr.sa6.sin6_addr) < 1 ? 0 : 1);\n addr.sa6.sin6_family = AF_INET6;\n addr.sa6.sin6_port = htons(port);\n addrlen = sizeof(addr.sa6);\n }\n\n if (!result)\n return 0;\n\n node = ares__malloc_addrinfo_node();\n if (!node)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return 1;\n }\n\n ai->nodes = node;\n\n node->ai_addr = ares_malloc(addrlen);\n if (!node->ai_addr)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return 1;\n }\n\n node->ai_addrlen = (unsigned int)addrlen;\n node->ai_family = addr.sa.sa_family;\n if (addr.sa.sa_family == AF_INET)\n memcpy(node->ai_addr, &addr.sa4, sizeof(addr.sa4));\n else\n memcpy(node->ai_addr, &addr.sa6, sizeof(addr.sa6));\n\n if (hints->ai_flags & ARES_AI_CANONNAME)\n {\n cname = ares__append_addrinfo_cname(&ai->cnames);\n if (!cname)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return 1;\n }\n\n /* Duplicate the name, to avoid a constness violation. 
*/\n cname->name = ares_strdup(name);\n if (!cname->name)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return 1;\n }\n }\n\n callback(arg, ARES_SUCCESS, 0, ai);\n return 1;\n}", "project": "c-ares", "hash": 66006611725293027056403245970014345416, "size": 110, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478397 }, { "func": "static int file_lookup(struct host_query *hquery)\n{\n FILE *fp;\n int error;\n int status;\n const char *path_hosts = NULL;\n\n if (hquery->hints.ai_flags & ARES_AI_ENVHOSTS)\n {\n path_hosts = getenv(\"CARES_HOSTS\");\n }\n\n if (!path_hosts)\n {\n#ifdef WIN32\n char PATH_HOSTS[MAX_PATH];\n win_platform platform;\n\n PATH_HOSTS[0] = '\\0';\n\n platform = ares__getplatform();\n\n if (platform == WIN_NT)\n {\n char tmp[MAX_PATH];\n HKEY hkeyHosts;\n\n if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, WIN_NS_NT_KEY, 0, KEY_READ,\n &hkeyHosts) == ERROR_SUCCESS)\n {\n DWORD dwLength = MAX_PATH;\n RegQueryValueExA(hkeyHosts, DATABASEPATH, NULL, NULL, (LPBYTE)tmp,\n &dwLength);\n ExpandEnvironmentStringsA(tmp, PATH_HOSTS, MAX_PATH);\n RegCloseKey(hkeyHosts);\n }\n }\n else if (platform == WIN_9X)\n GetWindowsDirectoryA(PATH_HOSTS, MAX_PATH);\n else\n return ARES_ENOTFOUND;\n\n strcat(PATH_HOSTS, WIN_PATH_HOSTS);\n path_hosts = PATH_HOSTS;\n\n#elif defined(WATT32)\n const char *PATH_HOSTS = _w32_GetHostsFile();\n\n if (!PATH_HOSTS)\n return ARES_ENOTFOUND;\n#endif\n path_hosts = PATH_HOSTS;\n }\n\n fp = fopen(path_hosts, \"r\");\n if (!fp)\n {\n error = ERRNO;\n switch (error)\n {\n case ENOENT:\n case ESRCH:\n return ARES_ENOTFOUND;\n default:\n DEBUGF(fprintf(stderr, \"fopen() 
failed with error: %d %s\\n\", error,\n strerror(error)));\n DEBUGF(fprintf(stderr, \"Error opening file: %s\\n\", path_hosts));\n return ARES_EFILE;\n }\n }\n status = ares__readaddrinfo(fp, hquery->name, hquery->port, &hquery->hints, hquery->ai);\n fclose(fp);\n return status;\n}", "project": "c-ares", "hash": 91599572035713631136624203713505139306, "size": 74, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478389 }, { "func": "static void end_hquery(struct host_query *hquery, int status)\n{\n struct ares_addrinfo_node sentinel;\n struct ares_addrinfo_node *next;\n if (status == ARES_SUCCESS)\n {\n if (!(hquery->hints.ai_flags & ARES_AI_NOSORT))\n {\n sentinel.ai_next = hquery->ai->nodes;\n ares__sortaddrinfo(hquery->channel, &sentinel);\n hquery->ai->nodes = sentinel.ai_next;\n }\n next = hquery->ai->nodes;\n /* Set port into each address (resolved separately). */\n while (next)\n {\n if (next->ai_family == AF_INET)\n {\n (CARES_INADDR_CAST(struct sockaddr_in *, next->ai_addr))->sin_port = htons(hquery->port);\n }\n else\n {\n (CARES_INADDR_CAST(struct sockaddr_in6 *, next->ai_addr))->sin6_port = htons(hquery->port);\n }\n next = next->ai_next;\n }\n }\n else\n {\n /* Clean up what we have collected by so far. 
*/\n ares_freeaddrinfo(hquery->ai);\n hquery->ai = NULL;\n }\n\n hquery->callback(hquery->arg, status, hquery->timeouts, hquery->ai);\n ares_free(hquery->name);\n ares_free(hquery);\n}", "project": "c-ares", "hash": 71186623123778906237306314660113629765, "size": 38, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478388 }, { "func": "static int next_dns_lookup(struct host_query *hquery)\n{\n char *s = NULL;\n int is_s_allocated = 0;\n int status;\n\n /* if next_domain == -1 and as_is_first is true, try hquery->name */\n if (hquery->next_domain == -1)\n {\n if (as_is_first(hquery))\n {\n s = hquery->name;\n }\n hquery->next_domain = 0;\n }\n\n /* if as_is_first is false, try hquery->name at last */\n if (!s && hquery->next_domain == hquery->channel->ndomains) {\n if (!as_is_first(hquery))\n {\n s = hquery->name;\n }\n hquery->next_domain++;\n }\n\n if (!s && hquery->next_domain < hquery->channel->ndomains)\n {\n status = ares__cat_domain(\n hquery->name,\n hquery->channel->domains[hquery->next_domain++],\n &s);\n if (status == ARES_SUCCESS)\n {\n is_s_allocated = 1;\n }\n }\n\n if (s)\n {\n switch (hquery->hints.ai_family)\n {\n case AF_INET:\n hquery->remaining += 1;\n ares_query(hquery->channel, s, C_IN, T_A, host_callback, hquery);\n break;\n case AF_INET6:\n hquery->remaining += 1;\n ares_query(hquery->channel, s, C_IN, T_AAAA, host_callback, hquery);\n break;\n case AF_UNSPEC:\n hquery->remaining += 2;\n ares_query(hquery->channel, s, C_IN, T_A, host_callback, hquery);\n ares_query(hquery->channel, s, C_IN, T_AAAA, host_callback, hquery);\n break;\n default: break;\n }\n if (is_s_allocated)\n {\n 
ares_free(s);\n }\n return 1;\n }\n else\n {\n assert(!hquery->ai->nodes);\n return 0;\n }\n}", "project": "c-ares", "hash": 178615620088609344767490760442616582817, "size": 68, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478399 }, { "func": "void ares_getaddrinfo(ares_channel channel,\n const char* name, const char* service,\n const struct ares_addrinfo_hints* hints,\n ares_addrinfo_callback callback, void* arg)\n{\n struct host_query *hquery;\n unsigned short port = 0;\n int family;\n struct ares_addrinfo *ai;\n\n if (!hints)\n {\n hints = &default_hints;\n }\n\n family = hints->ai_family;\n\n /* Right now we only know how to look up Internet addresses\n and unspec means try both basically. */\n if (family != AF_INET &&\n family != AF_INET6 &&\n family != AF_UNSPEC)\n {\n callback(arg, ARES_ENOTIMP, 0, NULL);\n return;\n }\n\n if (ares__is_onion_domain(name))\n {\n callback(arg, ARES_ENOTFOUND, 0, NULL);\n return;\n }\n\n if (service)\n {\n if (hints->ai_flags & ARES_AI_NUMERICSERV)\n {\n port = (unsigned short)strtoul(service, NULL, 0);\n if (!port)\n {\n callback(arg, ARES_ESERVICE, 0, NULL);\n return;\n }\n }\n else\n {\n port = lookup_service(service, 0);\n if (!port)\n {\n port = (unsigned short)strtoul(service, NULL, 0);\n if (!port)\n {\n callback(arg, ARES_ESERVICE, 0, NULL);\n return;\n }\n }\n }\n }\n\n ai = ares__malloc_addrinfo();\n if (!ai)\n {\n callback(arg, ARES_ENOMEM, 0, NULL);\n return;\n }\n\n if (fake_addrinfo(name, port, hints, ai, callback, arg))\n {\n return;\n }\n\n /* Allocate and fill in the host query structure. 
*/\n hquery = ares_malloc(sizeof(struct host_query));\n if (!hquery)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return;\n }\n\n hquery->name = ares_strdup(name);\n if (!hquery->name)\n {\n ares_free(hquery);\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return;\n }\n\n hquery->port = port;\n hquery->channel = channel;\n hquery->hints = *hints;\n hquery->sent_family = -1; /* nothing is sent yet */\n hquery->callback = callback;\n hquery->arg = arg;\n hquery->remaining_lookups = channel->lookups;\n hquery->timeouts = 0;\n hquery->ai = ai;\n hquery->next_domain = -1;\n hquery->remaining = 0;\n\n /* Start performing lookups according to channel->lookups. */\n next_lookup(hquery, ARES_ECONNREFUSED /* initial error code */);\n}", "project": "c-ares", "hash": 313928135751897402325324090812725212075, "size": 104, "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e", "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero", "target": 0, "dataset": "other", "idx": 478394 } ] }, { "call_depth": 4, "longest_call_chain": [ "SetExtensionContentSettingFromList", "SetExtensionContentSetting", "GetValueMap", "FindEntry" ], "group_size": 13, "functions": [ { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "void ContentSettingsStore::SetExtensionContentSetting(\n const std::string& ext_id,\n const ContentSettingsPattern& primary_pattern,\n const ContentSettingsPattern& secondary_pattern,\n ContentSettingsType type,\n const content_settings::ResourceIdentifier& identifier,\n ContentSetting setting,\n ExtensionPrefsScope scope) {\n {\n base::AutoLock lock(lock_);\n OriginIdentifierValueMap* map = GetValueMap(ext_id, scope);\n if 
(setting == CONTENT_SETTING_DEFAULT) {\n map->DeleteValue(primary_pattern, secondary_pattern, type, identifier);\n } else {\n map->SetValue(primary_pattern, secondary_pattern, type, identifier,\n base::Value::CreateIntegerValue(setting));\n }\n }\n\n NotifyOfContentSettingChanged(ext_id,\n scope != kExtensionPrefsScopeRegular);\n}\n", "cwe": "", "big_vul_idx": 113813, "idx": 102022, "hash": 84849344927467544405296447728019616117 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "ContentSettingsStore::FindEntry(const std::string& ext_id) {\n ExtensionEntryMap::iterator i;\n for (i = entries_.begin(); i != entries_.end(); ++i) {\n if (i->second->id == ext_id)\n return i;\n }\n return entries_.end();\n}\n", "cwe": "", "big_vul_idx": 113803, "idx": 102013, "hash": 144871821058680461837679452113349635692 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "void ContentSettingsStore::RegisterExtension(\n const std::string& ext_id,\n const base::Time& install_time,\n bool is_enabled) {\n base::AutoLock lock(lock_);\n ExtensionEntryMap::iterator i = FindEntry(ext_id);\n if (i != entries_.end()) {\n delete i->second;\n entries_.erase(i);\n }\n\n ExtensionEntry* entry = new ExtensionEntry;\n entry->id = ext_id;\n entry->enabled = is_enabled;\n entries_.insert(std::make_pair(install_time, entry));\n}\n", "cwe": "", "big_vul_idx": 113811, "idx": 102020, "hash": 71329738332924000295255173779941553477 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "void ContentSettingsStore::UnregisterExtension(\n const std::string& ext_id) {\n bool notify = false;\n bool notify_incognito = false;\n {\n base::AutoLock lock(lock_);\n ExtensionEntryMap::iterator i = FindEntry(ext_id);\n if (i == entries_.end())\n return;\n notify = !i->second->settings.empty();\n notify_incognito = !i->second->incognito_persistent_settings.empty() ||\n 
!i->second->incognito_session_only_settings.empty();\n\n delete i->second;\n entries_.erase(i);\n }\n if (notify)\n NotifyOfContentSettingChanged(ext_id, false);\n if (notify_incognito)\n NotifyOfContentSettingChanged(ext_id, true);\n}\n", "cwe": "", "big_vul_idx": 113816, "idx": 102025, "hash": 253336267348198700968344145950842188022 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 1, "func": "void ContentSettingsStore::ClearContentSettingsForExtension(\n const std::string& ext_id,\n ExtensionPrefsScope scope) {\n bool notify = false;\n {\n base::AutoLock lock(lock_);\n OriginIdentifierValueMap* map = GetValueMap(ext_id, scope);\n char ext_id_buffer[33];\n base::strlcpy(ext_id_buffer, ext_id.c_str(), sizeof(ext_id_buffer));\n base::debug::Alias(ext_id_buffer);\n CHECK(false);\n }\n notify = !map->empty();\n map->clear();\n }\n if (notify) {\n NotifyOfContentSettingChanged(ext_id, scope != kExtensionPrefsScopeRegular);\n }\n}\n", "cwe": "", "big_vul_idx": 184504, "idx": 5458, "hash": 265797374762752738816496693872000415093 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "void ContentSettingsStore::ClearContentSettingsForExtension(\n const std::string& ext_id,\n ExtensionPrefsScope scope) {\n bool notify = false;\n {\n base::AutoLock lock(lock_);\n OriginIdentifierValueMap* map = GetValueMap(ext_id, scope);\n // Fail gracefully in Release builds.\n NOTREACHED();\n return;\n }\n notify = !map->empty();\n map->clear();\n }\n if (notify) {\n NotifyOfContentSettingChanged(ext_id, scope != kExtensionPrefsScopeRegular);\n }\n}\n", "cwe": "", "big_vul_idx": 184504, "idx": 162573, "hash": 12967184921243506354797539177835054040 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "void ContentSettingsStore::NotifyOfContentSettingChanged(\n const std::string& extension_id,\n bool incognito) {\n FOR_EACH_OBSERVER(\n 
ContentSettingsStore::Observer,\n observers_,\n OnContentSettingChanged(extension_id, incognito));\n}\n", "cwe": "", "big_vul_idx": 113809, "idx": 102018, "hash": 154976950546548493239244573307163992760 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "OriginIdentifierValueMap* ContentSettingsStore::GetValueMap(\n const std::string& ext_id,\n ExtensionPrefsScope scope) {\n ExtensionEntryMap::const_iterator i = FindEntry(ext_id);\n if (i != entries_.end()) {\n switch (scope) {\n case kExtensionPrefsScopeRegular:\n return &(i->second->settings);\n case kExtensionPrefsScopeRegularOnly:\n NOTREACHED();\n return NULL;\n case kExtensionPrefsScopeIncognitoPersistent:\n return &(i->second->incognito_persistent_settings);\n case kExtensionPrefsScopeIncognitoSessionOnly:\n return &(i->second->incognito_session_only_settings);\n }\n }\n return NULL;\n}\n", "cwe": "", "big_vul_idx": 113807, "idx": 102016, "hash": 38362777105571324642739053017074788386 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "const OriginIdentifierValueMap* ContentSettingsStore::GetValueMap(\n const std::string& ext_id,\n ExtensionPrefsScope scope) const {\n ExtensionEntryMap::const_iterator i = FindEntry(ext_id);\n if (i == entries_.end())\n return NULL;\n\n switch (scope) {\n case kExtensionPrefsScopeRegular:\n return &(i->second->settings);\n case kExtensionPrefsScopeRegularOnly:\n NOTREACHED();\n return NULL;\n case kExtensionPrefsScopeIncognitoPersistent:\n return &(i->second->incognito_persistent_settings);\n case kExtensionPrefsScopeIncognitoSessionOnly:\n return &(i->second->incognito_session_only_settings);\n }\n\n NOTREACHED();\n return NULL;\n}\n", "cwe": "", "big_vul_idx": 113808, "idx": 102017, "hash": 142418416636862609877378004129025837881 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "base::ListValue* 
ContentSettingsStore::GetSettingsForExtension(\n const std::string& extension_id,\n ExtensionPrefsScope scope) const {\n base::AutoLock lock(lock_);\n const OriginIdentifierValueMap* map = GetValueMap(extension_id, scope);\n if (!map)\n return NULL;\n base::ListValue* settings = new base::ListValue();\n OriginIdentifierValueMap::EntryMap::const_iterator it;\n for (it = map->begin(); it != map->end(); ++it) {\n scoped_ptr rule_iterator(\n map->GetRuleIterator(it->first.content_type,\n it->first.resource_identifier,\n NULL)); // We already hold the lock.\n while (rule_iterator->HasNext()) {\n const Rule& rule = rule_iterator->Next();\n base::DictionaryValue* setting_dict = new base::DictionaryValue();\n setting_dict->SetString(keys::kPrimaryPatternKey,\n rule.primary_pattern.ToString());\n setting_dict->SetString(keys::kSecondaryPatternKey,\n rule.secondary_pattern.ToString());\n setting_dict->SetString(\n keys::kContentSettingsTypeKey,\n helpers::ContentSettingsTypeToString(it->first.content_type));\n setting_dict->SetString(keys::kResourceIdentifierKey,\n it->first.resource_identifier);\n ContentSetting content_setting = ValueToContentSetting(rule.value.get());\n DCHECK_NE(CONTENT_SETTING_DEFAULT, content_setting);\n setting_dict->SetString(\n keys::kContentSettingKey,\n helpers::ContentSettingToString(content_setting));\n settings->Append(setting_dict);\n }\n }\n return settings;\n}\n", "cwe": "", "big_vul_idx": 113806, "idx": 102015, "hash": 139241730344285891252776837781574289833 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "void ContentSettingsStore::SetExtensionContentSettingFromList(\n const std::string& extension_id,\n const base::ListValue* list,\n ExtensionPrefsScope scope) {\n for (base::ListValue::const_iterator it = list->begin();\n it != list->end(); ++it) {\n if ((*it)->GetType() != Value::TYPE_DICTIONARY) {\n NOTREACHED();\n continue;\n }\n base::DictionaryValue* dict = static_cast(*it);\n 
std::string primary_pattern_str;\n dict->GetString(keys::kPrimaryPatternKey, &primary_pattern_str);\n ContentSettingsPattern primary_pattern =\n ContentSettingsPattern::FromString(primary_pattern_str);\n DCHECK(primary_pattern.IsValid());\n\n std::string secondary_pattern_str;\n dict->GetString(keys::kSecondaryPatternKey, &secondary_pattern_str);\n ContentSettingsPattern secondary_pattern =\n ContentSettingsPattern::FromString(secondary_pattern_str);\n DCHECK(secondary_pattern.IsValid());\n\n std::string content_settings_type_str;\n dict->GetString(keys::kContentSettingsTypeKey, &content_settings_type_str);\n ContentSettingsType content_settings_type =\n helpers::StringToContentSettingsType(content_settings_type_str);\n DCHECK_NE(CONTENT_SETTINGS_TYPE_DEFAULT, content_settings_type);\n\n std::string resource_identifier;\n dict->GetString(keys::kResourceIdentifierKey, &resource_identifier);\n\n std::string content_setting_string;\n dict->GetString(keys::kContentSettingKey, &content_setting_string);\n ContentSetting setting = CONTENT_SETTING_DEFAULT;\n bool result =\n helpers::StringToContentSetting(content_setting_string, &setting);\n DCHECK(result);\n\n SetExtensionContentSetting(extension_id,\n primary_pattern,\n secondary_pattern,\n content_settings_type,\n resource_identifier,\n setting,\n scope);\n }\n}\n", "cwe": "", "big_vul_idx": 113814, "idx": 102023, "hash": 70179980667900133818009144382780628834 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "void ContentSettingsStore::SetExtensionState(\n const std::string& ext_id, bool is_enabled) {\n bool notify = false;\n bool notify_incognito = false;\n {\n base::AutoLock lock(lock_);\n ExtensionEntryMap::const_iterator i = FindEntry(ext_id);\n if (i == entries_.end())\n return;\n notify = !i->second->settings.empty();\n notify_incognito = !i->second->incognito_persistent_settings.empty() ||\n !i->second->incognito_session_only_settings.empty();\n\n 
i->second->enabled = is_enabled;\n }\n if (notify)\n NotifyOfContentSettingChanged(ext_id, false);\n if (notify_incognito)\n NotifyOfContentSettingChanged(ext_id, true);\n}\n", "cwe": "", "big_vul_idx": 113815, "idx": 102024, "hash": 20125382622179189208306526857457148182 }, { "project": "Chrome", "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f", "target": 0, "func": "RuleIterator* ContentSettingsStore::GetRuleIterator(\n ContentSettingsType type,\n const content_settings::ResourceIdentifier& identifier,\n bool incognito) const {\n ScopedVector iterators;\n ExtensionEntryMap::const_reverse_iterator entry;\n\n scoped_ptr auto_lock(new base::AutoLock(lock_));\n\n for (entry = entries_.rbegin(); entry != entries_.rend(); ++entry) {\n if (!entry->second->enabled)\n continue;\n\n if (incognito) {\n iterators.push_back(\n entry->second->incognito_session_only_settings.GetRuleIterator(\n type,\n identifier,\n NULL));\n iterators.push_back(\n entry->second->incognito_persistent_settings.GetRuleIterator(\n type,\n identifier,\n NULL));\n } else {\n iterators.push_back(\n entry->second->settings.GetRuleIterator(type, identifier, NULL));\n }\n }\n return new ConcatenationIterator(&iterators, auto_lock.release());\n}\n", "cwe": "", "big_vul_idx": 113805, "idx": 102014, "hash": 89570315413421650235602117772268834038 } ] }, { "call_depth": 4, "longest_call_chain": [ "emac_write", "write_to_phy", "msf2_phy_reset", "msf2_phy_update_link" ], "group_size": 17, "functions": [ { "func": "static void write_to_phy(MSF2EmacState *s)\n{\n uint8_t reg_addr = s->regs[R_MII_ADDR] & R_MII_ADDR_REGADDR_MASK;\n uint8_t phy_addr = (s->regs[R_MII_ADDR] >> R_MII_ADDR_PHYADDR_SHIFT) &\n R_MII_ADDR_REGADDR_MASK;\n uint16_t data = s->regs[R_MII_CTL] & 0xFFFF;\n\n if (phy_addr != PHYADDR) {\n return;\n }\n\n switch (reg_addr) {\n case MII_BMCR:\n if (data & MII_BMCR_RESET) {\n /* Phy reset */\n msf2_phy_reset(s);\n data &= ~MII_BMCR_RESET;\n }\n if (data & MII_BMCR_AUTOEN) {\n /* Complete 
autonegotiation immediately */\n data &= ~MII_BMCR_AUTOEN;\n s->phy_regs[MII_BMSR] |= MII_BMSR_AN_COMP;\n }\n break;\n }\n\n s->phy_regs[reg_addr] = data;\n}", "project": "qemu", "hash": 2435123177511818004101984301770380239, "size": 28, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408520 }, { "func": "static void emac_write(void *opaque, hwaddr addr, uint64_t val64,\n unsigned int size)\n{\n MSF2EmacState *s = opaque;\n uint32_t value = val64;\n uint32_t enreqbits;\n uint8_t pktcnt;\n\n addr >>= 2;\n switch (addr) {\n case R_DMA_TX_CTL:\n s->regs[addr] = value;\n if (value & R_DMA_TX_CTL_EN_MASK) {\n msf2_dma_tx(s);\n }\n break;\n case R_DMA_RX_CTL:\n s->regs[addr] = value;\n if (value & R_DMA_RX_CTL_EN_MASK) {\n s->rx_desc = s->regs[R_DMA_RX_DESC];\n qemu_flush_queued_packets(qemu_get_queue(s->nic));\n }\n break;\n case R_CFG1:\n s->regs[addr] = value;\n if (value & R_CFG1_RESET_MASK) {\n msf2_emac_do_reset(s);\n }\n break;\n case R_FIFO_CFG0:\n /*\n * For our implementation, turning on modules is instantaneous,\n * so the states requested via the *ENREQ bits appear in the\n * *ENRPLY bits immediately. 
Also the reset bits to reset PE-MCXMAC\n * module are not emulated here since it deals with start of frames,\n * inter-packet gap and control frames.\n */\n enreqbits = extract32(value, 8, 5);\n s->regs[addr] = deposit32(value, 16, 5, enreqbits);\n break;\n case R_DMA_TX_DESC:\n if (value & 0x3) {\n qemu_log_mask(LOG_GUEST_ERROR, \"Tx Descriptor address should be\"\n \" 32 bit aligned\\n\");\n }\n /* Ignore [1:0] bits */\n s->regs[addr] = value & ~3;\n break;\n case R_DMA_RX_DESC:\n if (value & 0x3) {\n qemu_log_mask(LOG_GUEST_ERROR, \"Rx Descriptor address should be\"\n \" 32 bit aligned\\n\");\n }\n /* Ignore [1:0] bits */\n s->regs[addr] = value & ~3;\n break;\n case R_DMA_TX_STATUS:\n if (value & R_DMA_TX_STATUS_UNDERRUN_MASK) {\n s->regs[addr] &= ~R_DMA_TX_STATUS_UNDERRUN_MASK;\n }\n if (value & R_DMA_TX_STATUS_PKT_SENT_MASK) {\n pktcnt = FIELD_EX32(s->regs[addr], DMA_TX_STATUS, PKTCNT);\n pktcnt--;\n s->regs[addr] = FIELD_DP32(s->regs[addr], DMA_TX_STATUS,\n PKTCNT, pktcnt);\n if (pktcnt == 0) {\n s->regs[addr] &= ~R_DMA_TX_STATUS_PKT_SENT_MASK;\n }\n }\n break;\n case R_DMA_RX_STATUS:\n if (value & R_DMA_RX_STATUS_OVERFLOW_MASK) {\n s->regs[addr] &= ~R_DMA_RX_STATUS_OVERFLOW_MASK;\n }\n if (value & R_DMA_RX_STATUS_PKT_RCVD_MASK) {\n pktcnt = FIELD_EX32(s->regs[addr], DMA_RX_STATUS, PKTCNT);\n pktcnt--;\n s->regs[addr] = FIELD_DP32(s->regs[addr], DMA_RX_STATUS,\n PKTCNT, pktcnt);\n if (pktcnt == 0) {\n s->regs[addr] &= ~R_DMA_RX_STATUS_PKT_RCVD_MASK;\n }\n }\n break;\n case R_DMA_IRQ:\n break;\n case R_MII_CMD:\n if (value & R_MII_CMD_READ_MASK) {\n s->regs[R_MII_STS] = read_from_phy(s);\n }\n break;\n case R_MII_CTL:\n s->regs[addr] = value;\n write_to_phy(s);\n break;\n case R_STA1:\n s->regs[addr] = value;\n /*\n * R_STA1 [31:24] : octet 1 of mac address\n * R_STA1 [23:16] : octet 2 of mac address\n * R_STA1 [15:8] : octet 3 of mac address\n * R_STA1 [7:0] : octet 4 of mac address\n */\n stl_be_p(s->mac_addr, value);\n break;\n case R_STA2:\n s->regs[addr] 
= value;\n /*\n * R_STA2 [31:24] : octet 5 of mac address\n * R_STA2 [23:16] : octet 6 of mac address\n */\n stw_be_p(s->mac_addr + 4, value >> 16);\n break;\n default:\n if (addr >= ARRAY_SIZE(s->regs)) {\n qemu_log_mask(LOG_GUEST_ERROR,\n \"%s: Bad offset 0x%\" HWADDR_PRIx \"\\n\", __func__,\n addr * 4);\n return;\n }\n s->regs[addr] = value;\n break;\n }\n emac_update_irq(s);\n}", "project": "qemu", "hash": 142627919697664424382763103238155423526, "size": 125, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408531 }, { "func": "static void emac_load_desc(MSF2EmacState *s, EmacDesc *d, hwaddr desc)\n{\n address_space_read(&s->dma_as, desc, MEMTXATTRS_UNSPECIFIED, d, sizeof *d);\n /* Convert from LE into host endianness. 
*/\n d->pktaddr = le32_to_cpu(d->pktaddr);\n d->pktsize = le32_to_cpu(d->pktsize);\n d->next = le32_to_cpu(d->next);\n}", "project": "qemu", "hash": 204187275545666389689651758191500588253, "size": 8, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408535 }, { "func": "static uint16_t read_from_phy(MSF2EmacState *s)\n{\n uint8_t reg_addr = s->regs[R_MII_ADDR] & R_MII_ADDR_REGADDR_MASK;\n uint8_t phy_addr = (s->regs[R_MII_ADDR] >> R_MII_ADDR_PHYADDR_SHIFT) &\n R_MII_ADDR_REGADDR_MASK;\n\n if (phy_addr == PHYADDR) {\n return s->phy_regs[reg_addr];\n } else {\n return 0xFFFF;\n }\n}", "project": "qemu", "hash": 296640283957708942790458729395725489243, "size": 12, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408537 }, { "func": "static ssize_t emac_rx(NetClientState *nc, const uint8_t *buf, size_t size)\n{\n MSF2EmacState *s = qemu_get_nic_opaque(nc);\n EmacDesc d;\n uint8_t pktcnt;\n uint32_t status;\n\n if (size > (s->regs[R_MAX_FRAME_LENGTH] & 0xFFFF)) {\n return size;\n }\n if (!addr_filter_ok(s, buf)) {\n return size;\n }\n\n emac_load_desc(s, &d, s->rx_desc);\n\n if (d.pktsize & EMPTY_MASK) {\n address_space_write(&s->dma_as, d.pktaddr, MEMTXATTRS_UNSPECIFIED,\n buf, size & PKT_SIZE);\n d.pktsize = size & 
PKT_SIZE;\n emac_store_desc(s, &d, s->rx_desc);\n /* update received packets count */\n status = s->regs[R_DMA_RX_STATUS];\n pktcnt = FIELD_EX32(status, DMA_RX_STATUS, PKTCNT);\n pktcnt++;\n s->regs[R_DMA_RX_STATUS] = FIELD_DP32(status, DMA_RX_STATUS,\n PKTCNT, pktcnt);\n s->regs[R_DMA_RX_STATUS] |= R_DMA_RX_STATUS_PKT_RCVD_MASK;\n s->rx_desc = d.next;\n } else {\n s->regs[R_DMA_RX_CTL] &= ~R_DMA_RX_CTL_EN_MASK;\n s->regs[R_DMA_RX_STATUS] |= R_DMA_RX_STATUS_OVERFLOW_MASK;\n }\n emac_update_irq(s);\n return size;\n}", "project": "qemu", "hash": 145795289411570125648461718405523924905, "size": 36, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408538 }, { "func": "static void msf2_phy_reset(MSF2EmacState *s)\n{\n memset(&s->phy_regs[0], 0, sizeof(s->phy_regs));\n s->phy_regs[MII_BMCR] = 0x1140;\n s->phy_regs[MII_BMSR] = 0x7968;\n s->phy_regs[MII_PHYID1] = 0x0022;\n s->phy_regs[MII_PHYID2] = 0x1550;\n s->phy_regs[MII_ANAR] = 0x01E1;\n s->phy_regs[MII_ANLPAR] = 0xCDE1;\n\n msf2_phy_update_link(s);\n}", "project": "qemu", "hash": 261913340885200105699747283455116435972, "size": 12, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408528 }, { "func": "static void msf2_emac_reset(DeviceState *dev)\n{\n MSF2EmacState 
*s = MSS_EMAC(dev);\n\n msf2_emac_do_reset(s);\n}", "project": "qemu", "hash": 143395039747611100025821846418462296891, "size": 6, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408530 }, { "func": "static void emac_set_link(NetClientState *nc)\n{\n MSF2EmacState *s = qemu_get_nic_opaque(nc);\n\n msf2_phy_update_link(s);\n}", "project": "qemu", "hash": 134704307068120005767148988481491840933, "size": 6, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408523 }, { "func": "static uint64_t emac_read(void *opaque, hwaddr addr, unsigned int size)\n{\n MSF2EmacState *s = opaque;\n uint32_t r = 0;\n\n addr >>= 2;\n\n switch (addr) {\n case R_DMA_IRQ:\n r = emac_get_isr(s);\n break;\n default:\n if (addr >= ARRAY_SIZE(s->regs)) {\n qemu_log_mask(LOG_GUEST_ERROR,\n \"%s: Bad offset 0x%\" HWADDR_PRIx \"\\n\", __func__,\n addr * 4);\n return r;\n }\n r = s->regs[addr];\n break;\n }\n return r;\n}", "project": "qemu", "hash": 135504479882235916529443679824092130533, "size": 23, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended 
to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408540 }, { "func": "static bool addr_filter_ok(MSF2EmacState *s, const uint8_t *buf)\n{\n /* The broadcast MAC address: FF:FF:FF:FF:FF:FF */\n const uint8_t broadcast_addr[] = { 0xFF, 0xFF, 0xFF, 0xFF,\n 0xFF, 0xFF };\n bool bcast_en = true;\n bool mcast_en = true;\n\n if (s->regs[R_FIFO_CFG5] & R_FIFO_CFG5_BCAST_MASK) {\n bcast_en = true; /* Broadcast dont care for drop circuitry */\n } else if (s->regs[R_FIFO_CFG4] & R_FIFO_CFG4_BCAST_MASK) {\n bcast_en = false;\n }\n\n if (s->regs[R_FIFO_CFG5] & R_FIFO_CFG5_MCAST_MASK) {\n mcast_en = true; /* Multicast dont care for drop circuitry */\n } else if (s->regs[R_FIFO_CFG4] & R_FIFO_CFG4_MCAST_MASK) {\n mcast_en = false;\n }\n\n if (!memcmp(buf, broadcast_addr, sizeof(broadcast_addr))) {\n return bcast_en;\n }\n\n if (buf[0] & 1) {\n return mcast_en;\n }\n\n return !memcmp(buf, s->mac_addr, sizeof(s->mac_addr));\n}", "project": "qemu", "hash": 271913976529453484580742580817691950705, "size": 30, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408532 }, { "func": "static void msf2_dma_tx(MSF2EmacState *s)\n{\n NetClientState *nc = qemu_get_queue(s->nic);\n hwaddr desc = s->regs[R_DMA_TX_DESC];\n uint8_t buf[MAX_PKT_SIZE];\n EmacDesc d;\n int size;\n uint8_t pktcnt;\n uint32_t status;\n\n if (!(s->regs[R_CFG1] & R_CFG1_TX_EN_MASK)) {\n return;\n }\n\n while (1) {\n emac_load_desc(s, &d, desc);\n if (d.pktsize & EMPTY_MASK) {\n break;\n }\n size = d.pktsize & 
PKT_SIZE;\n address_space_read(&s->dma_as, d.pktaddr, MEMTXATTRS_UNSPECIFIED,\n buf, size);\n /*\n * This is very basic way to send packets. Ideally there should be\n * a FIFO and packets should be sent out from FIFO only when\n * R_CFG1 bit 0 is set.\n */\n if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {\n nc->info->receive(nc, buf, size);\n } else {\n qemu_send_packet(nc, buf, size);\n }\n d.pktsize |= EMPTY_MASK;\n emac_store_desc(s, &d, desc);\n /* update sent packets count */\n status = s->regs[R_DMA_TX_STATUS];\n pktcnt = FIELD_EX32(status, DMA_TX_STATUS, PKTCNT);\n pktcnt++;\n s->regs[R_DMA_TX_STATUS] = FIELD_DP32(status, DMA_TX_STATUS,\n PKTCNT, pktcnt);\n s->regs[R_DMA_TX_STATUS] |= R_DMA_TX_STATUS_PKT_SENT_MASK;\n desc = d.next;\n }\n s->regs[R_DMA_TX_STATUS] |= R_DMA_TX_STATUS_UNDERRUN_MASK;\n s->regs[R_DMA_TX_CTL] &= ~R_DMA_TX_CTL_EN_MASK;\n}", "project": "qemu", "hash": 266996506783650672252406401947191343006, "size": 46, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 1, "dataset": "other", "idx": 208328 }, { "func": "static void msf2_dma_tx(MSF2EmacState *s)\n{\n NetClientState *nc = qemu_get_queue(s->nic);\n hwaddr desc = s->regs[R_DMA_TX_DESC];\n uint8_t buf[MAX_PKT_SIZE];\n EmacDesc d;\n int size;\n uint8_t pktcnt;\n uint32_t status;\n\n if (!(s->regs[R_CFG1] & R_CFG1_TX_EN_MASK)) {\n return;\n }\n\n while (1) {\n emac_load_desc(s, &d, desc);\n if (d.pktsize & EMPTY_MASK) {\n break;\n }\n size = d.pktsize & PKT_SIZE;\n address_space_read(&s->dma_as, d.pktaddr, MEMTXATTRS_UNSPECIFIED,\n buf, size);\n /*\n * This is very basic way to send packets. 
Ideally there should be\n * a FIFO and packets should be sent out from FIFO only when\n * R_CFG1 bit 0 is set.\n */\n if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {\n qemu_receive_packet(nc, buf, size);\n } else {\n qemu_send_packet(nc, buf, size);\n }\n d.pktsize |= EMPTY_MASK;\n emac_store_desc(s, &d, desc);\n /* update sent packets count */\n status = s->regs[R_DMA_TX_STATUS];\n pktcnt = FIELD_EX32(status, DMA_TX_STATUS, PKTCNT);\n pktcnt++;\n s->regs[R_DMA_TX_STATUS] = FIELD_DP32(status, DMA_TX_STATUS,\n PKTCNT, pktcnt);\n s->regs[R_DMA_TX_STATUS] |= R_DMA_TX_STATUS_PKT_SENT_MASK;\n desc = d.next;\n }\n s->regs[R_DMA_TX_STATUS] |= R_DMA_TX_STATUS_UNDERRUN_MASK;\n s->regs[R_DMA_TX_CTL] &= ~R_DMA_TX_CTL_EN_MASK;\n}", "project": "qemu", "hash": 673024745665237607007576976494892674, "size": 46, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408536 }, { "func": "static uint32_t emac_get_isr(MSF2EmacState *s)\n{\n uint32_t ier = s->regs[R_DMA_IRQ_MASK];\n uint32_t tx = s->regs[R_DMA_TX_STATUS] & 0xF;\n uint32_t rx = s->regs[R_DMA_RX_STATUS] & 0xF;\n uint32_t isr = (rx << 4) | tx;\n\n s->regs[R_DMA_IRQ] = ier & isr;\n return s->regs[R_DMA_IRQ];\n}", "project": "qemu", "hash": 76556053197794724458386467208649723546, "size": 10, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé 
\nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408533 }, { "func": "static void emac_store_desc(MSF2EmacState *s, EmacDesc *d, hwaddr desc)\n{\n /* Convert from host endianness into LE. */\n d->pktaddr = cpu_to_le32(d->pktaddr);\n d->pktsize = cpu_to_le32(d->pktsize);\n d->next = cpu_to_le32(d->next);\n\n address_space_write(&s->dma_as, desc, MEMTXATTRS_UNSPECIFIED, d, sizeof *d);\n}", "project": "qemu", "hash": 111735247435558295267087719220167079599, "size": 9, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408525 }, { "func": "static void msf2_emac_do_reset(MSF2EmacState *s)\n{\n memset(&s->regs[0], 0, sizeof(s->regs));\n s->regs[R_CFG1] = 0x80000000;\n s->regs[R_CFG2] = 0x00007000;\n s->regs[R_IFG] = 0x40605060;\n s->regs[R_HALF_DUPLEX] = 0x00A1F037;\n s->regs[R_MAX_FRAME_LENGTH] = 0x00000600;\n s->regs[R_FIFO_CFG5] = 0X3FFFF;\n\n msf2_phy_reset(s);\n}", "project": "qemu", "hash": 301867812472469643451396628674770133451, "size": 12, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408522 }, { "func": "static void emac_update_irq(MSF2EmacState *s)\n{\n bool intr = emac_get_isr(s);\n\n qemu_set_irq(s->irq, intr);\n}", "project": "qemu", "hash": 333172412219392156233285272403604782462, 
"size": 6, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408539 }, { "func": "static void msf2_phy_update_link(MSF2EmacState *s)\n{\n /* Autonegotiation status mirrors link status. */\n if (qemu_get_queue(s->nic)->link_down) {\n s->phy_regs[MII_BMSR] &= ~(MII_BMSR_AN_COMP |\n MII_BMSR_LINK_ST);\n } else {\n s->phy_regs[MII_BMSR] |= (MII_BMSR_AN_COMP |\n MII_BMSR_LINK_ST);\n }\n}", "project": "qemu", "hash": 21239304882160056911292914400277760247, "size": 11, "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1", "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit \nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé \nSigned-off-by: Jason Wang ", "target": 0, "dataset": "other", "idx": 408529 } ] }, { "call_depth": 4, "longest_call_chain": [ "ff_layout_read_release", "ff_layout_resend_pnfs_read", "ff_layout_choose_any_ds_for_read", "ff_layout_choose_best_ds_for_read" ], "group_size": 9, "functions": [ { "func": "static void ff_layout_resend_pnfs_read(struct nfs_pgio_header *hdr)\n{\n\tu32 idx = hdr->pgio_mirror_idx + 1;\n\tu32 new_idx = 0;\n\n\tif (ff_layout_choose_any_ds_for_read(hdr->lseg, idx, &new_idx))\n\t\tff_layout_send_layouterror(hdr->lseg);\n\telse\n\t\tpnfs_error_mark_layout_for_return(hdr->inode, hdr->lseg);\n\tpnfs_read_resend_pnfs(hdr, new_idx);\n}", "project": "linux", "hash": 221400344490443336390998011943132739130, "size": 11, "commit_id": 
"ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234386 }, { "func": "static void ff_layout_read_record_layoutstats_done(struct rpc_task *task,\n\t\tstruct nfs_pgio_header *hdr)\n{\n\tif (!test_and_clear_bit(NFS_IOHDR_STAT, &hdr->flags))\n\t\treturn;\n\tnfs4_ff_layout_stat_io_end_read(task,\n\t\t\tFF_LAYOUT_COMP(hdr->lseg, hdr->pgio_mirror_idx),\n\t\t\thdr->args.count,\n\t\t\thdr->res.count);\n\tset_bit(NFS_LSEG_LAYOUTRETURN, &hdr->lseg->pls_flags);\n}", "project": "linux", "hash": 180815083649218398311438273574541494211, "size": 11, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234432 }, { "func": "ff_layout_get_ds_for_read(struct nfs_pageio_descriptor *pgio,\n\t\t\t u32 *best_idx)\n{\n\tstruct pnfs_layout_segment *lseg = pgio->pg_lseg;\n\tstruct nfs4_pnfs_ds *ds;\n\n\tds = ff_layout_choose_best_ds_for_read(lseg, pgio->pg_mirror_idx,\n\t\t\t\t\t best_idx);\n\tif (ds || !pgio->pg_mirror_idx)\n\t\treturn ds;\n\treturn ff_layout_choose_best_ds_for_read(lseg, 0, best_idx);\n}", "project": "linux", "hash": 254909909558430372208815151322590055598, "size": 12, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234392 }, { "func": "static void ff_layout_read_count_stats(struct rpc_task *task, void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tff_layout_read_record_layoutstats_done(task, hdr);\n\trpc_count_iostats_metrics(task,\n\t &NFS_CLIENT(hdr->inode)->cl_metrics[NFSPROC4_CLNT_READ]);\n}", "project": "linux", "hash": 111504923297298743059264768804593840040, "size": 8, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234487 }, { "func": "static void ff_layout_reset_read(struct nfs_pgio_header *hdr)\n{\n\tstruct rpc_task *task = &hdr->task;\n\n\tpnfs_layoutcommit_inode(hdr->inode, false);\n\tpnfs_error_mark_layout_for_return(hdr->inode, hdr->lseg);\n\n\tif (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags)) {\n\t\tdprintk(\"%s Reset task %5u for i/o through MDS \"\n\t\t\t\"(req %s/%llu, %u bytes @ offset %llu)\\n\", __func__,\n\t\t\thdr->task.tk_pid,\n\t\t\thdr->inode->i_sb->s_id,\n\t\t\t(unsigned long long)NFS_FILEID(hdr->inode),\n\t\t\thdr->args.count,\n\t\t\t(unsigned long long)hdr->args.offset);\n\n\t\ttrace_pnfs_mds_fallback_read_done(hdr->inode,\n\t\t\t\thdr->args.offset, hdr->args.count,\n\t\t\t\tIOMODE_READ, NFS_I(hdr->inode)->layout,\n\t\t\t\thdr->lseg);\n\t\ttask->tk_status = pnfs_read_done_resend_to_mds(hdr);\n\t}\n}", "project": "linux", "hash": 165625786622733838658217576364489228194, "size": 23, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234489 }, { "func": "ff_layout_choose_valid_ds_for_read(struct pnfs_layout_segment *lseg,\n\t\t\t\t u32 start_idx, u32 *best_idx)\n{\n\treturn ff_layout_choose_ds_for_read(lseg, start_idx, best_idx, true);\n}", "project": "linux", "hash": 183358589091286308071765017109110013908, "size": 5, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234413 }, { "func": "ff_layout_choose_any_ds_for_read(struct pnfs_layout_segment *lseg,\n\t\t\t\t u32 start_idx, u32 *best_idx)\n{\n\treturn ff_layout_choose_ds_for_read(lseg, start_idx, best_idx, false);\n}", "project": "linux", "hash": 265008521026144273299156386349075170732, "size": 5, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234463 }, { "func": "static void ff_layout_read_release(void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tff_layout_read_record_layoutstats_done(&hdr->task, hdr);\n\tif (test_bit(NFS_IOHDR_RESEND_PNFS, &hdr->flags))\n\t\tff_layout_resend_pnfs_read(hdr);\n\telse if (test_bit(NFS_IOHDR_RESEND_MDS, &hdr->flags))\n\t\tff_layout_reset_read(hdr);\n\tpnfs_generic_rw_release(data);\n}", "project": "linux", "hash": 8856986107342943583502713801015682015, "size": 11, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234435 }, { "func": "ff_layout_choose_best_ds_for_read(struct pnfs_layout_segment *lseg,\n\t\t\t\t u32 start_idx, u32 *best_idx)\n{\n\tstruct nfs4_pnfs_ds *ds;\n\n\tds = ff_layout_choose_valid_ds_for_read(lseg, start_idx, best_idx);\n\tif (ds)\n\t\treturn ds;\n\treturn ff_layout_choose_any_ds_for_read(lseg, start_idx, best_idx);\n}", "project": "linux", "hash": 147451117378478970686978877506404847386, "size": 10, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234387 } ] }, { "call_depth": 4, "longest_call_chain": [ "LY_TREE_DFS_BEGIN", "LY_TREE_FOR", "LY_TREE_FOR_SAFE", "LY_CHECK_ERR_RETURN" ], "group_size": 25, "functions": [ { "func": "lyxml_correct_elem_ns(struct ly_ctx *ctx, struct lyxml_elem *elem, struct lyxml_elem *orig, int copy_ns,\n int correct_attrs)\n{\n const struct lyxml_ns *tmp_ns;\n struct lyxml_elem *elem_root, *ns_root, *tmp, *iter;\n struct lyxml_attr *attr;\n\n /* find the root of elem */\n for (elem_root = elem; elem_root->parent; elem_root = elem_root->parent);\n\n LY_TREE_DFS_BEGIN(elem, tmp, iter) {\n if (iter->ns) {\n /* find the root of elem NS */\n for (ns_root = iter->ns->parent; ns_root; ns_root = ns_root->parent);\n\n /* elem NS is defined outside elem subtree */\n if (ns_root != elem_root) {\n if (copy_ns) {\n tmp_ns = iter->ns;\n /* we may have already copied the NS over? 
*/\n iter->ns = lyxml_get_ns(iter, tmp_ns->prefix);\n\n /* we haven't copied it over, copy it now */\n if (!iter->ns) {\n iter->ns = (struct lyxml_ns *)lyxml_dup_attr(ctx, iter, (struct lyxml_attr *)tmp_ns);\n }\n } else {\n iter->ns = NULL;\n }\n }\n }\n if (iter->content && iter->content[0] && copy_ns) {\n lyxml_correct_content_ns(ctx, iter, orig);\n }\n if (correct_attrs) {\n LY_TREE_FOR(iter->attr, attr) {\n lyxml_correct_attr_ns(ctx, attr, elem_root, copy_ns);\n }\n }\n LY_TREE_DFS_END(elem, tmp, iter);\n }\n}", "project": "libyang", "hash": 283162333390592841335093381050743686724, "size": 42, "commit_id": "298b30ea4ebee137226acf9bb38678bd82704582", "message": "common FEATURE add a hard limit for recursion\n\nFixes #1453", "target": 0, "dataset": "other", "idx": 366031 }, { "func": "fill_yin_feature(struct lys_module *module, struct lyxml_elem *yin, struct lys_feature *f, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n const char *value;\n struct lyxml_elem *child, *next;\n int c_ftrs = 0, c_ext = 0, ret;\n void *reallocated;\n\n GETVAL(ctx, value, yin, \"name\");\n if (lyp_check_identifier(ctx, value, LY_IDENT_FEATURE, module, NULL)) {\n goto error;\n }\n f->name = lydict_insert(ctx, value, strlen(value));\n f->module = module;\n\n if (read_yin_common(module, NULL, f, LYEXT_PAR_FEATURE, yin, 0, unres)) {\n goto error;\n }\n\n LY_TREE_FOR(yin->child, child) {\n if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, f->ext_size, \"extensions\", \"feature\", error);\n c_ext++;\n } else if (!strcmp(child->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, f->iffeature_size, \"if-feature\", \"feature\", error);\n c_ftrs++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n if (c_ftrs) {\n f->iffeature = calloc(c_ftrs, sizeof *f->iffeature);\n LY_CHECK_ERR_GOTO(!f->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some 
extensions may be already present from the substatements */\n reallocated = realloc(f->ext, (c_ext + f->ext_size) * sizeof *f->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n f->ext = reallocated;\n\n /* init memory */\n memset(&f->ext[f->ext_size], 0, c_ext * sizeof *f->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n ret = lyp_yin_fill_ext(f, LYEXT_PAR_FEATURE, 0, 0, module, child, &f->ext, &f->ext_size, unres);\n if (ret) {\n goto error;\n }\n } else { /* if-feature */\n ret = fill_yin_iffeature((struct lys_node *)f, 1, child, &f->iffeature[f->iffeature_size], unres);\n f->iffeature_size++;\n if (ret) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&f->ext, f->ext_size, c_ext + f->ext_size);\n\n /* check for circular dependencies */\n if (f->iffeature_size) {\n if (unres_schema_add_node(module, unres, f, UNRES_FEATURE, NULL) == -1) {\n goto error;\n }\n }\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}", "project": "libyang", "hash": 23072446618288366163898240985312641642, "size": 77, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336769 }, { "func": "fill_yin_identity(struct lys_module *module, struct lyxml_elem *yin, struct lys_ident *ident, struct unres_schema *unres)\n{\n struct lyxml_elem *node, *next;\n struct ly_ctx *ctx = module->ctx;\n const char *value;\n int rc;\n int c_ftrs = 0, c_base = 0, c_ext = 0;\n void *reallocated;\n\n GETVAL(ctx, value, yin, \"name\");\n ident->name = value;\n\n if (read_yin_common(module, NULL, ident, LYEXT_PAR_IDENT, yin, OPT_IDENT | OPT_MODULE, unres)) {\n goto error;\n }\n\n if (dup_identities_check(ident->name, module)) {\n goto error;\n }\n\n LY_TREE_FOR(yin->child, node) {\n if (strcmp(node->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, ident->ext_size, \"extensions\", \"identity\", error);\n c_ext++;\n } else if (!strcmp(node->name, \"base\")) {\n if (c_base && (module->version < 2)) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, \"base\", \"identity\");\n goto error;\n }\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_base, ident->base_size, \"bases\", \"identity\", error);\n if (lyp_yin_parse_subnode_ext(module, ident, LYEXT_PAR_IDENT, node, LYEXT_SUBSTMT_BASE, c_base, unres)) {\n goto error;\n }\n c_base++;\n\n } else if ((module->version >= 2) && !strcmp(node->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, ident->iffeature_size, \"if-features\", \"identity\", error);\n c_ftrs++;\n\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, node->name, \"identity\");\n goto error;\n }\n }\n\n if (c_base) {\n ident->base_size = 0;\n ident->base = calloc(c_base, sizeof *ident->base);\n LY_CHECK_ERR_GOTO(!ident->base, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n ident->iffeature = calloc(c_ftrs, sizeof *ident->iffeature);\n LY_CHECK_ERR_GOTO(!ident->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = 
realloc(ident->ext, (c_ext + ident->ext_size) * sizeof *ident->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n ident->ext = reallocated;\n\n /* init memory */\n memset(&ident->ext[ident->ext_size], 0, c_ext * sizeof *ident->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n if (strcmp(node->ns->value, LY_NSYIN)) {\n /* extension */\n rc = lyp_yin_fill_ext(ident, LYEXT_PAR_IDENT, 0, 0, module, node, &ident->ext, &ident->ext_size, unres);\n if (rc) {\n goto error;\n }\n } else if (!strcmp(node->name, \"base\")) {\n GETVAL(ctx, value, node, \"name\");\n value = transform_schema2json(module, value);\n if (!value) {\n goto error;\n }\n\n if (unres_schema_add_str(module, unres, ident, UNRES_IDENT, value) == -1) {\n lydict_remove(ctx, value);\n goto error;\n }\n lydict_remove(ctx, value);\n } else if (!strcmp(node->name, \"if-feature\")) {\n rc = fill_yin_iffeature((struct lys_node *)ident, 0, node, &ident->iffeature[ident->iffeature_size], unres);\n ident->iffeature_size++;\n if (rc) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&ident->ext, ident->ext_size, c_ext + ident->ext_size);\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}", "project": "libyang", "hash": 303210407653721522682644813687627927126, "size": 100, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336785 }, { "func": "read_yin_container(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_container *cont;\n const char *value;\n void *reallocated;\n int r;\n int c_tpdf = 0, c_must = 0, c_ftrs = 0, c_ext = 0;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n cont = calloc(1, sizeof *cont);\n LY_CHECK_ERR_RETURN(!cont, LOGMEM(ctx), NULL);\n\n cont->nodetype = LYS_CONTAINER;\n cont->prev = (struct lys_node *)cont;\n retval = (struct lys_node *)cont;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process container's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"container\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"presence\")) {\n if (cont->presence) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, sub, \"value\");\n cont->presence = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_PRESENCE, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if 
(!strcmp(sub->name, \"when\")) {\n if (cont->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n cont->when = read_yin_when(module, sub, unres);\n if (!cont->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\") ||\n !strcmp(sub->name, \"action\") ||\n !strcmp(sub->name, \"notification\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, cont->tpdf_size, \"typedefs\", \"container\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, cont->must_size, \"musts\", \"container\", error);\n c_must++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"container\", error);\n c_ftrs++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n cont->tpdf = calloc(c_tpdf, sizeof *cont->tpdf);\n LY_CHECK_ERR_GOTO(!cont->tpdf, LOGMEM(ctx), error);\n }\n if (c_must) {\n cont->must = calloc(c_must, sizeof *cont->must);\n LY_CHECK_ERR_GOTO(!cont->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n cont->iffeature = calloc(c_ftrs, sizeof *cont->iffeature);\n LY_CHECK_ERR_GOTO(!cont->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + 
retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &cont->tpdf[cont->tpdf_size], unres);\n cont->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &cont->must[cont->must_size], unres);\n cont->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &cont->iffeature[cont->iffeature_size], unres);\n cont->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n 
node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n } else if (!strcmp(sub->name, \"action\")) {\n node = read_yin_rpc_action(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"notification\")) {\n node = read_yin_notif(module, retval, sub, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (cont->when || cont->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r]->flags & LYEXT_OPT_VALID) {\n retval->flags |= LYS_VALID_EXT;\n if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {\n retval->flags |= LYS_VALID_EXT_SUBTREE;\n break;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}", "project": "libyang", "hash": 55868768057507781729927570308714603647, "size": 217, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 1, "dataset": "other", "idx": 202684 }, { "func": "read_yin_case(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node_case *cs;\n struct lys_node *retval, *node = NULL;\n int c_ftrs = 0, c_ext = 0, ret;\n void *reallocated;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n cs = calloc(1, sizeof *cs);\n LY_CHECK_ERR_RETURN(!cs, LOGMEM(ctx), NULL);\n cs->nodetype = LYS_CASE;\n cs->prev = (struct lys_node *)cs;\n retval = (struct lys_node *)cs;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | (!(options & LYS_PARSE_OPT_CFG_MASK) ? OPT_CFG_INHERIT : 0), unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process choice's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"case\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\")) {\n\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"case\", error);\n c_ftrs++;\n } else if (!strcmp(sub->name, \"when\")) {\n if (cs->when) {\n LOGVAL(ctx, LYE_TOOMANY, 
LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n cs->when = read_yin_when(module, sub, unres);\n if (!cs->when) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n if (c_ftrs) {\n cs->iffeature = calloc(c_ftrs, sizeof *cs->iffeature);\n LY_CHECK_ERR_GOTO(!cs->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n ret = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (ret) {\n goto error;\n }\n } else {\n /* if-feature */\n ret = fill_yin_iffeature(retval, 0, sub, &cs->iffeature[cs->iffeature_size], unres);\n cs->iffeature_size++;\n if (ret) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, 
unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && cs->when) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n lys_node_free(ctx, retval, NULL, 0);\n\n return NULL;\n}", "project": "libyang", "hash": 263724935681497802127371327965989280613, "size": 151, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336755 }, { "func": "fill_yin_revision(struct lys_module *module, struct lyxml_elem *yin, struct lys_revision *rev,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *next, *child;\n const char *value;\n\n GETVAL(ctx, value, yin, \"date\");\n if (lyp_check_date(ctx, value)) {\n goto error;\n }\n memcpy(rev->date, value, LY_REV_SIZE - 1);\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* possible extension instance */\n if (lyp_yin_parse_subnode_ext(module, rev, LYEXT_PAR_REVISION,\n child, LYEXT_SUBSTMT_SELF, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(child->name, \"description\")) {\n if (rev->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, rev, 
LYEXT_PAR_REVISION,\n child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n goto error;\n }\n rev->dsc = read_yin_subnode(ctx, child, \"text\");\n if (!rev->dsc) {\n goto error;\n }\n } else if (!strcmp(child->name, \"reference\")) {\n if (rev->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, rev, LYEXT_PAR_REVISION,\n child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n goto error;\n }\n rev->ref = read_yin_subnode(ctx, child, \"text\");\n if (!rev->ref) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}", "project": "libyang", "hash": 29093414042920482668152808587976036431, "size": 60, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336757 }, { "func": "read_yin_rpc_action(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_rpc_action *rpc;\n int r;\n int c_tpdf = 0, c_ftrs = 0, c_input = 0, c_output = 0, c_ext = 0;\n void *reallocated;\n\n if (!strcmp(yin->name, \"action\") && (module->version < 2)) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, parent, \"action\");\n return NULL;\n }\n\n /* init */\n memset(&root, 0, sizeof root);\n\n rpc = calloc(1, sizeof *rpc);\n LY_CHECK_ERR_RETURN(!rpc, LOGMEM(ctx), NULL);\n\n rpc->nodetype = (!strcmp(yin->name, \"rpc\") ? 
LYS_RPC : LYS_ACTION);\n rpc->prev = (struct lys_node *)rpc;\n retval = (struct lys_node *)rpc;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin, OPT_IDENT | OPT_MODULE, unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process rpc's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\",\n rpc->nodetype == LYS_RPC ? \"rpc\" : \"action\", error);\n c_ext++;\n continue;\n } else if (!strcmp(sub->name, \"input\")) {\n if (c_input) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n c_input++;\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n } else if (!strcmp(sub->name, \"output\")) {\n if (c_output) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n c_output++;\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* data statements */\n } else if (!strcmp(sub->name, \"grouping\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, rpc->tpdf_size, \"typedefs\",\n rpc->nodetype == LYS_RPC ? \"rpc\" : \"action\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\",\n rpc->nodetype == LYS_RPC ? 
\"rpc\" : \"action\", error);\n c_ftrs++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n rpc->tpdf = calloc(c_tpdf, sizeof *rpc->tpdf);\n LY_CHECK_ERR_GOTO(!rpc->tpdf, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n rpc->iffeature = calloc(c_ftrs, sizeof *rpc->iffeature);\n LY_CHECK_ERR_GOTO(!rpc->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &rpc->tpdf[rpc->tpdf_size], unres);\n rpc->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &rpc->iffeature[rpc->iffeature_size], unres);\n rpc->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"input\") || !strcmp(sub->name, \"output\")) {\n node = read_yin_input_output(module, retval, sub, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, 
retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}", "project": "libyang", "hash": 59707091107614957838004211761638343213, "size": 149, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336765 }, { "func": "read_sub_module(struct lys_module *module, struct lys_submodule *submodule, struct lyxml_elem *yin,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *next, *child, root, grps, augs, revs, exts;\n struct lys_node *node = NULL;\n struct lys_module *trg;\n const char *value;\n int i, r, ret = -1;\n int version_flag = 0;\n /* (sub)module substatements are ordered in groups, increment this value when moving to another group\n * 0 - header-stmts, 1 - linkage-stmts, 2 - meta-stmts, 3 - revision-stmts, 4 - body-stmts */\n int substmt_group;\n /* just remember last substatement for logging */\n const char *substmt_prev;\n /* counters */\n int c_imp = 0, c_rev = 0, c_tpdf = 0, c_ident = 0, c_inc = 0, c_aug = 0, c_ftrs = 0, c_dev = 0;\n int c_ext = 0, c_extinst = 0;\n void *reallocated;\n\n /* to simplify code, store the module/submodule being processed as trg */\n trg = submodule ? (struct lys_module *)submodule : module;\n\n /* init */\n memset(&root, 0, sizeof root);\n memset(&grps, 0, sizeof grps);\n memset(&augs, 0, sizeof augs);\n memset(&exts, 0, sizeof exts);\n memset(&revs, 0, sizeof revs);\n\n /*\n * in the first run, we process elements with cardinality of 1 or 0..1 and\n * count elements with cardinality 0..n. Data elements (choices, containers,\n * leafs, lists, leaf-lists) are moved aside to be processed last, since we\n * need have all top-level and groupings already prepared at that time. 
In\n * the middle loop, we process other elements with carinality of 0..n since\n * we need to allocate arrays to store them.\n */\n substmt_group = 0;\n substmt_prev = NULL;\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n lyxml_free(ctx, child);\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* possible extension instance */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_extinst, trg->ext_size, \"extension instances\",\n submodule ? \"submodule\" : \"module\", error);\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &exts, child);\n c_extinst++;\n } else if (!submodule && !strcmp(child->name, \"namespace\")) {\n if (substmt_group > 0) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n\n if (trg->ns) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"uri\");\n trg->ns = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_NAMESPACE, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, child);\n\n substmt_prev = \"namespace\";\n } else if (!submodule && !strcmp(child->name, \"prefix\")) {\n if (substmt_group > 0) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n\n if (trg->prefix) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"value\");\n if (lyp_check_identifier(ctx, value, LY_IDENT_PREFIX, trg, NULL)) {\n goto error;\n }\n trg->prefix = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, 
LYEXT_SUBSTMT_PREFIX, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, child);\n\n substmt_prev = \"prefix\";\n } else if (submodule && !strcmp(child->name, \"belongs-to\")) {\n if (substmt_group > 0) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n\n if (trg->prefix) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"module\");\n if (!ly_strequal(value, submodule->belongsto->name, 1)) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_NONE, NULL, value, child->name);\n goto error;\n }\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_BELONGSTO, 0, unres)) {\n goto error;\n }\n\n /* get the prefix substatement, start with checks */\n if (!child->child) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"prefix\", child->name);\n goto error;\n } else if (strcmp(child->child->name, \"prefix\")) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->child->name);\n goto error;\n } else if (child->child->next) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->child->next->name);\n goto error;\n }\n /* and now finally get the value */\n GETVAL(ctx, value, child->child, \"value\");\n /* check here differs from a generic prefix check, since this prefix\n * don't have to be unique\n */\n if (lyp_check_identifier(ctx, value, LY_IDENT_NAME, NULL, NULL)) {\n goto error;\n }\n submodule->prefix = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child->child, LYEXT_SUBSTMT_PREFIX, 0, unres)) {\n goto error;\n }\n\n /* we are done with belongs-to */\n lyxml_free(ctx, child);\n\n substmt_prev = \"belongs-to\";\n\n /* counters (statements with n..1 cardinality) */\n } else if (!strcmp(child->name, \"import\")) {\n if (substmt_group > 1) {\n LOGVAL(ctx, 
LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 1;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_imp, trg->imp_size, \"imports\",\n submodule ? \"submodule\" : \"module\", error);\n c_imp++;\n\n substmt_prev = \"import\";\n } else if (!strcmp(child->name, \"revision\")) {\n if (substmt_group > 3) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 3;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_rev, trg->rev_size, \"revisions\",\n submodule ? \"submodule\" : \"module\", error);\n c_rev++;\n\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &revs, child);\n\n substmt_prev = \"revision\";\n } else if (!strcmp(child->name, \"typedef\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, trg->tpdf_size, \"typedefs\",\n submodule ? \"submodule\" : \"module\", error);\n c_tpdf++;\n\n substmt_prev = \"typedef\";\n } else if (!strcmp(child->name, \"identity\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ident, trg->ident_size, \"identities\",\n submodule ? \"submodule\" : \"module\", error);\n c_ident++;\n\n substmt_prev = \"identity\";\n } else if (!strcmp(child->name, \"include\")) {\n if (substmt_group > 1) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 1;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_inc, trg->inc_size, \"includes\",\n submodule ? 
\"submodule\" : \"module\", error);\n c_inc++;\n\n substmt_prev = \"include\";\n } else if (!strcmp(child->name, \"augment\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_aug, trg->augment_size, \"augments\",\n submodule ? \"submodule\" : \"module\", error);\n c_aug++;\n /* keep augments separated, processed last */\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &augs, child);\n\n substmt_prev = \"augment\";\n } else if (!strcmp(child->name, \"feature\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, trg->features_size, \"features\",\n submodule ? \"submodule\" : \"module\", error);\n c_ftrs++;\n\n substmt_prev = \"feature\";\n\n /* data statements */\n } else if (!strcmp(child->name, \"container\") ||\n !strcmp(child->name, \"leaf-list\") ||\n !strcmp(child->name, \"leaf\") ||\n !strcmp(child->name, \"list\") ||\n !strcmp(child->name, \"choice\") ||\n !strcmp(child->name, \"uses\") ||\n !strcmp(child->name, \"anyxml\") ||\n !strcmp(child->name, \"anydata\") ||\n !strcmp(child->name, \"rpc\") ||\n !strcmp(child->name, \"notification\")) {\n substmt_group = 4;\n\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &root, child);\n\n substmt_prev = \"data definition\";\n } else if (!strcmp(child->name, \"grouping\")) {\n substmt_group = 4;\n\n /* keep groupings separated and process them before other data statements */\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &grps, child);\n\n substmt_prev = \"grouping\";\n /* optional statements */\n } else if (!strcmp(child->name, \"description\")) {\n if (substmt_group > 2) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 2;\n\n if (trg->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if 
(lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n goto error;\n }\n trg->dsc = read_yin_subnode(ctx, child, \"text\");\n lyxml_free(ctx, child);\n if (!trg->dsc) {\n goto error;\n }\n\n substmt_prev = \"description\";\n } else if (!strcmp(child->name, \"reference\")) {\n if (substmt_group > 2) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 2;\n\n if (trg->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n goto error;\n }\n trg->ref = read_yin_subnode(ctx, child, \"text\");\n lyxml_free(ctx, child);\n if (!trg->ref) {\n goto error;\n }\n\n substmt_prev = \"reference\";\n } else if (!strcmp(child->name, \"organization\")) {\n if (substmt_group > 2) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 2;\n\n if (trg->org) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_ORGANIZATION, 0, unres)) {\n goto error;\n }\n trg->org = read_yin_subnode(ctx, child, \"text\");\n lyxml_free(ctx, child);\n if (!trg->org) {\n goto error;\n }\n\n substmt_prev = \"organization\";\n } else if (!strcmp(child->name, \"contact\")) {\n if (substmt_group > 2) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group 
= 2;\n\n if (trg->contact) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_CONTACT, 0, unres)) {\n goto error;\n }\n trg->contact = read_yin_subnode(ctx, child, \"text\");\n lyxml_free(ctx, child);\n if (!trg->contact) {\n goto error;\n }\n\n substmt_prev = \"contact\";\n } else if (!strcmp(child->name, \"yang-version\")) {\n if (substmt_group > 0) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n\n if (version_flag) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"value\");\n if (strcmp(value, \"1\") && strcmp(value, \"1.1\")) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_NONE, NULL, value, \"yang-version\");\n goto error;\n }\n version_flag = 1;\n if (!strcmp(value, \"1\")) {\n if (submodule) {\n if (module->version > 1) {\n LOGVAL(ctx, LYE_INVER, LY_VLOG_NONE, NULL);\n goto error;\n }\n submodule->version = 1;\n } else {\n module->version = 1;\n }\n } else {\n if (submodule) {\n if (module->version < 2) {\n LOGVAL(ctx, LYE_INVER, LY_VLOG_NONE, NULL);\n goto error;\n }\n submodule->version = 2;\n } else {\n module->version = 2;\n }\n }\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_VERSION, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, child);\n\n substmt_prev = \"yang-version\";\n } else if (!strcmp(child->name, \"extension\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, trg->extensions_size, \"extensions\",\n submodule ? 
\"submodule\" : \"module\", error);\n c_ext++;\n\n substmt_prev = \"extension\";\n } else if (!strcmp(child->name, \"deviation\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_dev, trg->deviation_size, \"deviations\",\n submodule ? \"submodule\" : \"module\", error);\n c_dev++;\n\n substmt_prev = \"deviation\";\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n /* check for mandatory statements */\n if (submodule) {\n if (!submodule->prefix) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"belongs-to\", \"submodule\");\n goto error;\n }\n if (!version_flag) {\n /* check version compatibility with the main module */\n if (module->version > 1) {\n LOGVAL(ctx, LYE_INVER, LY_VLOG_NONE, NULL);\n goto error;\n }\n }\n } else {\n if (!trg->ns) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"namespace\", \"module\");\n goto error;\n }\n if (!trg->prefix) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"prefix\", \"module\");\n goto error;\n }\n }\n\n /* allocate arrays for elements with cardinality of 0..n */\n if (c_imp) {\n trg->imp = calloc(c_imp, sizeof *trg->imp);\n LY_CHECK_ERR_GOTO(!trg->imp, LOGMEM(ctx), error);\n }\n if (c_rev) {\n trg->rev = calloc(c_rev, sizeof *trg->rev);\n LY_CHECK_ERR_GOTO(!trg->rev, LOGMEM(ctx), error);\n }\n if (c_tpdf) {\n trg->tpdf = calloc(c_tpdf, sizeof *trg->tpdf);\n LY_CHECK_ERR_GOTO(!trg->tpdf, LOGMEM(ctx), error);\n }\n if (c_ident) {\n trg->ident = calloc(c_ident, sizeof *trg->ident);\n LY_CHECK_ERR_GOTO(!trg->ident, LOGMEM(ctx), error);\n }\n if (c_inc) {\n trg->inc = calloc(c_inc, sizeof *trg->inc);\n LY_CHECK_ERR_GOTO(!trg->inc, LOGMEM(ctx), error);\n }\n if (c_aug) {\n trg->augment = calloc(c_aug, sizeof *trg->augment);\n LY_CHECK_ERR_GOTO(!trg->augment, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n trg->features = calloc(c_ftrs, sizeof *trg->features);\n LY_CHECK_ERR_GOTO(!trg->features, LOGMEM(ctx), error);\n }\n if (c_dev) {\n trg->deviation 
= calloc(c_dev, sizeof *trg->deviation);\n LY_CHECK_ERR_GOTO(!trg->deviation, LOGMEM(ctx), error);\n }\n if (c_ext) {\n trg->extensions = calloc(c_ext, sizeof *trg->extensions);\n LY_CHECK_ERR_GOTO(!trg->extensions, LOGMEM(ctx), error);\n }\n\n /* middle part 1 - process revision and then check whether this (sub)module was not already parsed, add it there */\n LY_TREE_FOR_SAFE(revs.child, next, child) {\n r = fill_yin_revision(trg, child, &trg->rev[trg->rev_size], unres);\n trg->rev_size++;\n if (r) {\n goto error;\n }\n\n /* check uniqueness of the revision date - not required by RFC */\n for (i = 0; i < (trg->rev_size - 1); i++) {\n if (!strcmp(trg->rev[i].date, trg->rev[trg->rev_size - 1].date)) {\n LOGWRN(ctx, \"Module's revisions are not unique (%s).\", trg->rev[trg->rev_size - 1].date);\n break;\n }\n }\n\n lyxml_free(ctx, child);\n }\n\n /* check the module with respect to the context now */\n if (!submodule) {\n switch (lyp_ctx_check_module(module)) {\n case -1:\n goto error;\n case 0:\n break;\n case 1:\n /* it's already there */\n ret = 1;\n goto error;\n }\n }\n\n /* check first definition of extensions */\n if (c_ext) {\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!strcmp(child->name, \"extension\")) {\n r = fill_yin_extension(trg, child, &trg->extensions[trg->extensions_size], unres);\n trg->extensions_size++;\n if (r) {\n goto error;\n }\n\n }\n }\n }\n\n /* middle part 2 - process nodes with cardinality of 0..n except the data nodes and augments */\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!strcmp(child->name, \"import\")) {\n r = fill_yin_import(trg, child, &trg->imp[trg->imp_size], unres);\n trg->imp_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"include\")) {\n r = fill_yin_include(module, submodule, child, &trg->inc[trg->inc_size], unres);\n trg->inc_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"typedef\")) {\n r = fill_yin_typedef(trg, NULL, child, 
&trg->tpdf[trg->tpdf_size], unres);\n trg->tpdf_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"identity\")) {\n r = fill_yin_identity(trg, child, &trg->ident[trg->ident_size], unres);\n trg->ident_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"feature\")) {\n r = fill_yin_feature(trg, child, &trg->features[trg->features_size], unres);\n trg->features_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"deviation\")) {\n /* must be implemented in this case */\n trg->implemented = 1;\n\n r = fill_yin_deviation(trg, child, &trg->deviation[trg->deviation_size], unres);\n trg->deviation_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n /* process extension instances */\n if (c_extinst) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(trg->ext, (c_extinst + trg->ext_size) * sizeof *trg->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n trg->ext = reallocated;\n\n /* init memory */\n memset(&trg->ext[trg->ext_size], 0, c_extinst * sizeof *trg->ext);\n\n LY_TREE_FOR_SAFE(exts.child, next, child) {\n r = lyp_yin_fill_ext(trg, LYEXT_PAR_MODULE, 0, 0, trg, child, &trg->ext, &trg->ext_size, unres);\n if (r) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&trg->ext, trg->ext_size, c_ext + trg->ext_size);\n }\n\n /* process data nodes. Start with groupings to allow uses\n * refer to them. Submodule's data nodes are stored in the\n * main module data tree.\n */\n LY_TREE_FOR_SAFE(grps.child, next, child) {\n node = read_yin_grouping(trg, NULL, child, 0, unres);\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, child);\n }\n\n /* parse data nodes, ... 
*/\n LY_TREE_FOR_SAFE(root.child, next, child) {\n\n if (!strcmp(child->name, \"container\")) {\n node = read_yin_container(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"leaf-list\")) {\n node = read_yin_leaflist(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"leaf\")) {\n node = read_yin_leaf(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"list\")) {\n node = read_yin_list(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"choice\")) {\n node = read_yin_choice(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"uses\")) {\n node = read_yin_uses(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"anyxml\")) {\n node = read_yin_anydata(trg, NULL, child, LYS_ANYXML, 0, unres);\n } else if (!strcmp(child->name, \"anydata\")) {\n node = read_yin_anydata(trg, NULL, child, LYS_ANYDATA, 0, unres);\n } else if (!strcmp(child->name, \"rpc\")) {\n node = read_yin_rpc_action(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"notification\")) {\n node = read_yin_notif(trg, NULL, child, 0, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, child);\n }\n\n /* ... 
and finally augments (last, so we can augment our data, for instance) */\n LY_TREE_FOR_SAFE(augs.child, next, child) {\n r = fill_yin_augment(trg, NULL, child, &trg->augment[trg->augment_size], 0, unres);\n trg->augment_size++;\n\n if (r) {\n goto error;\n }\n lyxml_free(ctx, child);\n }\n\n return 0;\n\nerror:\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n while (grps.child) {\n lyxml_free(ctx, grps.child);\n }\n while (augs.child) {\n lyxml_free(ctx, augs.child);\n }\n while (revs.child) {\n lyxml_free(ctx, revs.child);\n }\n while (exts.child) {\n lyxml_free(ctx, exts.child);\n }\n\n return ret;\n}", "project": "libyang", "hash": 23864015992641617212461037399150147821, "size": 662, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336766 }, { "func": "fill_yin_typedef(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, struct lys_tpdf *tpdf,\n struct unres_schema *unres)\n{\n const char *value;\n struct lyxml_elem *node, *next;\n struct ly_ctx *ctx = module->ctx;\n int rc, has_type = 0, c_ext = 0, i;\n void *reallocated;\n\n GETVAL(ctx, value, yin, \"name\");\n if (lyp_check_identifier(ctx, value, LY_IDENT_TYPE, module, parent)) {\n goto error;\n }\n tpdf->name = lydict_insert(ctx, value, strlen(value));\n\n /* generic part - status, description, reference */\n if (read_yin_common(module, NULL, tpdf, LYEXT_PAR_TPDF, yin, OPT_MODULE, unres)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n if (strcmp(node->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, tpdf->ext_size, \"extensions\", \"typedef\", error);\n c_ext++;\n continue;\n } else if (!strcmp(node->name, \"type\")) {\n if (has_type) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, node->name, yin->name);\n goto error;\n }\n /* HACK for 
unres */\n tpdf->type.der = (struct lys_tpdf *)node;\n tpdf->type.parent = tpdf;\n if (unres_schema_add_node(module, unres, &tpdf->type, UNRES_TYPE_DER_TPDF, parent) == -1) {\n goto error;\n }\n has_type = 1;\n\n /* skip lyxml_free() at the end of the loop, node was freed or at least unlinked in unres processing */\n continue;\n } else if (!strcmp(node->name, \"default\")) {\n if (tpdf->dflt) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, node->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, node, \"value\");\n tpdf->dflt = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, tpdf, LYEXT_PAR_TPDF, node, LYEXT_SUBSTMT_DEFAULT, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(node->name, \"units\")) {\n if (tpdf->units) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, node->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, node, \"name\");\n tpdf->units = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, tpdf, LYEXT_PAR_TPDF, node, LYEXT_SUBSTMT_UNITS, 0, unres)) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, value);\n goto error;\n }\n\n lyxml_free(ctx, node);\n }\n\n /* check mandatory value */\n if (!has_type) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"type\", yin->name);\n goto error;\n }\n\n /* check default value (if not defined, there still could be some restrictions\n * that need to be checked against a default value from a derived type) */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) &&\n unres_schema_add_node(module, unres, &tpdf->type, UNRES_TYPEDEF_DFLT, (struct lys_node *)(&tpdf->dflt)) == -1) {\n goto error;\n }\n\n /* finish extensions parsing */\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(tpdf->ext, (c_ext + tpdf->ext_size) * sizeof *tpdf->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n tpdf->ext = reallocated;\n\n /* init memory */\n 
memset(&tpdf->ext[tpdf->ext_size], 0, c_ext * sizeof *tpdf->ext);\n\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n rc = lyp_yin_fill_ext(tpdf, LYEXT_PAR_TYPE, 0, 0, module, node, &tpdf->ext, &tpdf->ext_size, unres);\n if (rc) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&tpdf->ext, tpdf->ext_size, c_ext + tpdf->ext_size);\n }\n\n for (i = 0; i < tpdf->ext_size; ++i) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (tpdf->ext[i]->flags & LYEXT_OPT_VALID) {\n tpdf->flags |= LYS_VALID_EXT;\n break;\n }\n }\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}", "project": "libyang", "hash": 29979432700281147848223132432589735934, "size": 117, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336770 }, { "func": "fill_yin_import(struct lys_module *module, struct lyxml_elem *yin, struct lys_import *imp, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *child, *next, exts;\n const char *value;\n int r, c_ext = 0;\n void *reallocated;\n\n /* init */\n memset(&exts, 0, sizeof exts);\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, imp->ext_size, \"extensions\", \"import\", error);\n c_ext++;\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &exts, child);\n } else if (!strcmp(child->name, \"prefix\")) {\n GETVAL(ctx, value, child, \"value\");\n if (lyp_check_identifier(ctx, value, LY_IDENT_PREFIX, module, NULL)) {\n goto error;\n }\n imp->prefix = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, imp, LYEXT_PAR_IMPORT, child, LYEXT_SUBSTMT_PREFIX, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(child->name, \"revision-date\")) {\n if 
(imp->rev[0]) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"date\");\n if (lyp_check_date(ctx, value)) {\n goto error;\n }\n memcpy(imp->rev, value, LY_REV_SIZE - 1);\n\n if (lyp_yin_parse_subnode_ext(module, imp, LYEXT_PAR_IMPORT, child, LYEXT_SUBSTMT_REVISIONDATE, 0, unres)) {\n goto error;\n }\n } else if ((module->version >= 2) && !strcmp(child->name, \"description\")) {\n if (imp->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, imp, LYEXT_PAR_IMPORT, child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n goto error;\n }\n imp->dsc = read_yin_subnode(ctx, child, \"text\");\n if (!imp->dsc) {\n goto error;\n }\n } else if ((module->version >= 2) && !strcmp(child->name, \"reference\")) {\n if (imp->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, imp, LYEXT_PAR_IMPORT, child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n goto error;\n }\n imp->ref = read_yin_subnode(ctx, child, \"text\");\n if (!imp->ref) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n /* check mandatory information */\n if (!imp->prefix) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"prefix\", yin->name);\n goto error;\n }\n\n /* process extensions */\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(imp->ext, (c_ext + imp->ext_size) * sizeof *imp->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n imp->ext = reallocated;\n\n /* init memory */\n memset(&imp->ext[imp->ext_size], 0, c_ext * sizeof *imp->ext);\n\n LY_TREE_FOR_SAFE(exts.child, next, child) {\n /* extension */\n r = lyp_yin_fill_ext(imp, LYEXT_PAR_IMPORT, 0, 0, module, child, &imp->ext, &imp->ext_size, unres);\n if (r) {\n goto error;\n }\n }\n\n 
lyp_reduce_ext_list(&imp->ext, imp->ext_size, c_ext + imp->ext_size);\n }\n\n GETVAL(ctx, value, yin, \"module\");\n return lyp_check_import(module, value, imp);\n\nerror:\n while (exts.child) {\n lyxml_free(ctx, exts.child);\n }\n return EXIT_FAILURE;\n}", "project": "libyang", "hash": 264509654321598332653299108821426852308, "size": 111, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336771 }, { "func": "read_yin_uses(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next;\n struct lys_node *retval;\n struct lys_node_uses *uses;\n const char *value;\n int c_ref = 0, c_aug = 0, c_ftrs = 0, c_ext = 0;\n int r;\n void *reallocated;\n\n uses = calloc(1, sizeof *uses);\n LY_CHECK_ERR_RETURN(!uses, LOGMEM(ctx), NULL);\n\n uses->nodetype = LYS_USES;\n uses->prev = (struct lys_node *)uses;\n retval = (struct lys_node *)uses;\n\n GETVAL(ctx, value, yin, \"name\");\n uses->name = lydict_insert(ctx, value, 0);\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin, OPT_MODULE, unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* get other properties of uses */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"uses\", error);\n c_ext++;\n continue;\n } else if (!strcmp(sub->name, \"refine\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ref, uses->refine_size, \"refines\", \"uses\", error);\n c_ref++;\n } else if 
(!strcmp(sub->name, \"augment\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_aug, uses->augment_size, \"augments\", \"uses\", error);\n c_aug++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"uses\", error);\n c_ftrs++;\n } else if (!strcmp(sub->name, \"when\")) {\n if (uses->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n uses->when = read_yin_when(module, sub, unres);\n if (!uses->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* process properties with cardinality 0..n */\n if (c_ref) {\n uses->refine = calloc(c_ref, sizeof *uses->refine);\n LY_CHECK_ERR_GOTO(!uses->refine, LOGMEM(ctx), error);\n }\n if (c_aug) {\n uses->augment = calloc(c_aug, sizeof *uses->augment);\n LY_CHECK_ERR_GOTO(!uses->augment, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n uses->iffeature = calloc(c_ftrs, sizeof *uses->iffeature);\n LY_CHECK_ERR_GOTO(!uses->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"refine\")) {\n r = fill_yin_refine(retval, sub, &uses->refine[uses->refine_size], unres);\n uses->refine_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"augment\")) {\n r = 
fill_yin_augment(module, retval, sub, &uses->augment[uses->augment_size], options, unres);\n uses->augment_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &uses->iffeature[uses->iffeature_size], unres);\n uses->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n if (unres_schema_add_node(module, unres, uses, UNRES_USES, NULL) == -1) {\n goto error;\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && uses->when) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}", "project": "libyang", "hash": 285004860863246809372138985468028712083, "size": 143, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336772 }, { "func": "read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lys_node *retval;\n struct lys_node_leaflist *llist;\n struct lyxml_elem *sub, *next;\n const char *value;\n char *endptr;\n unsigned long val;\n int r, has_type = 0;\n int c_must = 0, c_ftrs = 0, c_dflt = 0, c_ext = 0;\n int f_ordr = 0, f_min = 0, f_max = 0;\n void *reallocated;\n\n llist = calloc(1, sizeof *llist);\n LY_CHECK_ERR_RETURN(!llist, LOGMEM(ctx), NULL);\n\n llist->nodetype = LYS_LEAFLIST;\n llist->prev = (struct lys_node *)llist;\n retval = (struct lys_node *)llist;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? 
OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"leaf-list\", error);\n c_ext++;\n continue;\n } else if (!strcmp(sub->name, \"type\")) {\n if (has_type) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* HACK for unres */\n llist->type.der = (struct lys_tpdf *)sub;\n llist->type.parent = (struct lys_tpdf *)llist;\n /* postpone type resolution when if-feature parsing is done since we need\n * if-feature for check_leafref_features() */\n has_type = 1;\n } else if (!strcmp(sub->name, \"units\")) {\n if (llist->units) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, sub, \"name\");\n llist->units = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_UNITS, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"ordered-by\")) {\n if (f_ordr) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in llist is not sufficient, we would\n * allow multiple ordered-by statements with the \"system\" value\n */\n f_ordr = 1;\n\n if (llist->flags & LYS_CONFIG_R) {\n /* RFC 6020, 7.7.5 - ignore ordering when the list represents\n * state data\n */\n lyxml_free(ctx, sub);\n continue;\n }\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"user\")) {\n llist->flags |= LYS_USERORDERED;\n } else if (strcmp(value, \"system\")) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, 
sub->name);\n goto error;\n } /* else system is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_ORDEREDBY, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, llist->must_size, \"musts\", \"leaf-list\", error);\n c_must++;\n continue;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"leaf-list\", error);\n c_ftrs++;\n continue;\n } else if ((module->version >= 2) && !strcmp(sub->name, \"default\")) {\n /* read the default's extension instances */\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_DEFAULT, c_dflt, unres)) {\n goto error;\n }\n\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_dflt, llist->dflt_size, \"defaults\", \"leaf-list\", error);\n c_dflt++;\n continue;\n\n } else if (!strcmp(sub->name, \"min-elements\")) {\n if (f_min) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n f_min = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n while (isspace(value[0])) {\n value++;\n }\n\n /* convert it to uint32_t */\n errno = 0;\n endptr = NULL;\n val = strtoul(value, &endptr, 10);\n if (*endptr || value[0] == '-' || errno || val > UINT32_MAX) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n llist->min = (uint32_t) val;\n if (llist->max && (llist->min > llist->max)) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"\\\"min-elements\\\" is bigger than \\\"max-elements\\\".\");\n goto error;\n }\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MIN, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"max-elements\")) {\n if (f_max) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n 
f_max = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n while (isspace(value[0])) {\n value++;\n }\n\n if (!strcmp(value, \"unbounded\")) {\n llist->max = 0;\n } else {\n /* convert it to uint32_t */\n errno = 0;\n endptr = NULL;\n val = strtoul(value, &endptr, 10);\n if (*endptr || value[0] == '-' || errno || val == 0 || val > UINT32_MAX) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n llist->max = (uint32_t) val;\n if (llist->min > llist->max) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"\\\"max-elements\\\" is smaller than \\\"min-elements\\\".\");\n goto error;\n }\n }\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MAX, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"when\")) {\n if (llist->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n llist->when = read_yin_when(module, sub, unres);\n if (!llist->when) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n\n /* do not free sub, it could have been unlinked and stored in unres */\n }\n\n /* check constraints */\n if (!has_type) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_LYS, retval, \"type\", yin->name);\n goto error;\n }\n\n /* middle part - process nodes with cardinality of 0..n */\n if (c_must) {\n llist->must = calloc(c_must, sizeof *llist->must);\n LY_CHECK_ERR_GOTO(!llist->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n llist->iffeature = calloc(c_ftrs, sizeof *llist->iffeature);\n LY_CHECK_ERR_GOTO(!llist->iffeature, LOGMEM(ctx), error);\n }\n if (c_dflt) {\n llist->dflt = calloc(c_dflt, sizeof *llist->dflt);\n LY_CHECK_ERR_GOTO(!llist->dflt, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n 
LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &llist->must[llist->must_size], unres);\n llist->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &llist->iffeature[llist->iffeature_size], unres);\n llist->iffeature_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"default\")) {\n GETVAL(ctx, value, sub, \"value\");\n\n /* check for duplicity in case of configuration data,\n * in case of status data duplicities are allowed */\n if (llist->flags & LYS_CONFIG_W) {\n for (r = 0; r < llist->dflt_size; r++) {\n if (ly_strequal(llist->dflt[r], value, 1)) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, \"default\");\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"Duplicated default value \\\"%s\\\".\", value);\n goto error;\n }\n }\n }\n llist->dflt[llist->dflt_size++] = lydict_insert(ctx, value, strlen(value));\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* finalize type parsing */\n if (unres_schema_add_node(module, unres, &llist->type, UNRES_TYPE_DER, retval) == -1) {\n llist->type.der = NULL;\n goto error;\n }\n\n if (llist->dflt_size && llist->min) {\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_LYS, retval, \"min-elements\", \"leaf-list\");\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL,\n \"The \\\"min-elements\\\" statement with non-zero value is forbidden on leaf-lists with the \\\"default\\\" statement.\");\n goto error;\n }\n\n /* check default value (if not defined, 
there still could be some restrictions\n * that need to be checked against a default value from a derived type) */\n for (r = 0; r < llist->dflt_size; r++) {\n if (!(ctx->models.flags & LY_CTX_TRUSTED) &&\n (unres_schema_add_node(module, unres, &llist->type, UNRES_TYPE_DFLT,\n (struct lys_node *)(&llist->dflt[r])) == -1)) {\n goto error;\n }\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (llist->when || llist->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n retval->flags |= LYS_VALID_EXT;\n break;\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}", "project": "libyang", "hash": 47871158716956981093659887429750913688, "size": 311, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336774 }, { "func": "read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lys_node *retval, *node;\n struct lys_node_list *list;\n struct lyxml_elem *sub, *next, root, uniq;\n int r;\n int c_tpdf = 0, c_must = 0, c_uniq = 0, c_ftrs = 0, c_ext = 0;\n int f_ordr = 0, f_max = 0, f_min = 0;\n const char *value;\n char *auxs;\n unsigned long val;\n void *reallocated;\n\n /* init */\n memset(&root, 0, sizeof root);\n memset(&uniq, 0, sizeof uniq);\n\n list = calloc(1, sizeof *list);\n LY_CHECK_ERR_RETURN(!list, LOGMEM(ctx), NULL);\n\n list->nodetype = LYS_LIST;\n list->prev = (struct lys_node *)list;\n retval = (struct lys_node *)list;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? 
OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process list's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"list\", error);\n c_ext++;\n continue;\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\") ||\n !strcmp(sub->name, \"action\") ||\n !strcmp(sub->name, \"notification\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"key\")) {\n /* check cardinality 0..1 */\n if (list->keys_size) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, list->name);\n goto error;\n }\n\n /* count the number of keys */\n GETVAL(ctx, value, sub, \"value\");\n list->keys_str = lydict_insert(ctx, value, 0);\n while ((value = strpbrk(value, \" \\t\\n\"))) {\n list->keys_size++;\n while (isspace(*value)) {\n value++;\n }\n }\n list->keys_size++;\n list->keys = calloc(list->keys_size, sizeof *list->keys);\n LY_CHECK_ERR_GOTO(!list->keys, LOGMEM(ctx), error);\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_KEY, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"unique\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_uniq, list->unique_size, \"uniques\", \"list\", error);\n c_uniq++;\n lyxml_unlink_elem(ctx, 
sub, 2);\n lyxml_add_child(ctx, &uniq, sub);\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, list->tpdf_size, \"typedefs\", \"list\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, list->must_size, \"musts\", \"list\", error);\n c_must++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"list\", error);\n c_ftrs++;\n\n /* optional stetments */\n } else if (!strcmp(sub->name, \"ordered-by\")) {\n if (f_ordr) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in llist is not sufficient, we would\n * allow multiple ordered-by statements with the \"system\" value\n */\n f_ordr = 1;\n\n if (list->flags & LYS_CONFIG_R) {\n /* RFC 6020, 7.7.5 - ignore ordering when the list represents\n * state data\n */\n lyxml_free(ctx, sub);\n continue;\n }\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"user\")) {\n list->flags |= LYS_USERORDERED;\n } else if (strcmp(value, \"system\")) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n } /* else system is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_ORDEREDBY, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"min-elements\")) {\n if (f_min) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n f_min = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n while (isspace(value[0])) {\n value++;\n }\n\n /* convert it to uint32_t */\n errno = 0;\n auxs = NULL;\n val = strtoul(value, &auxs, 10);\n if (*auxs || value[0] == '-' || errno || val > UINT32_MAX) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n list->min = (uint32_t) val;\n if (list->max 
&& (list->min > list->max)) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"\\\"min-elements\\\" is bigger than \\\"max-elements\\\".\");\n lyxml_free(ctx, sub);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MIN, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"max-elements\")) {\n if (f_max) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n f_max = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n while (isspace(value[0])) {\n value++;\n }\n\n if (!strcmp(value, \"unbounded\")) {\n list->max = 0;;\n } else {\n /* convert it to uint32_t */\n errno = 0;\n auxs = NULL;\n val = strtoul(value, &auxs, 10);\n if (*auxs || value[0] == '-' || errno || val == 0 || val > UINT32_MAX) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n list->max = (uint32_t) val;\n if (list->min > list->max) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"\\\"max-elements\\\" is smaller than \\\"min-elements\\\".\");\n goto error;\n }\n }\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MAX, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"when\")) {\n if (list->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n list->when = read_yin_when(module, sub, unres);\n if (!list->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* check - if list is configuration, key statement is mandatory\n * (but only if we are not in a grouping or augment, then the check is deferred) */\n for (node = retval; node && !(node->nodetype & (LYS_GROUPING | LYS_AUGMENT | LYS_EXT)); node = 
node->parent);\n if (!node && (list->flags & LYS_CONFIG_W) && !list->keys_str) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_LYS, retval, \"key\", \"list\");\n goto error;\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n list->tpdf = calloc(c_tpdf, sizeof *list->tpdf);\n LY_CHECK_ERR_GOTO(!list->tpdf, LOGMEM(ctx), error);\n }\n if (c_must) {\n list->must = calloc(c_must, sizeof *list->must);\n LY_CHECK_ERR_GOTO(!list->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n list->iffeature = calloc(c_ftrs, sizeof *list->iffeature);\n LY_CHECK_ERR_GOTO(!list->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &list->tpdf[list->tpdf_size], unres);\n list->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &list->iffeature[list->iffeature_size], unres);\n list->iffeature_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &list->must[list->must_size], unres);\n list->must_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, 
\"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n } else if (!strcmp(sub->name, \"action\")) {\n node = read_yin_rpc_action(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"notification\")) {\n node = read_yin_notif(module, retval, sub, options, unres);\n } else {\n LOGINT(ctx);\n goto error;\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n if (list->keys_str) {\n if (unres_schema_add_node(module, unres, list, UNRES_LIST_KEYS, NULL) == -1) {\n goto error;\n }\n } /* else config false list without a key, key_str presence in case of config true is checked earlier */\n\n /* process unique statements */\n if (c_uniq) {\n list->unique = calloc(c_uniq, sizeof *list->unique);\n LY_CHECK_ERR_GOTO(!list->unique, LOGMEM(ctx), error);\n\n LY_TREE_FOR_SAFE(uniq.child, next, sub) {\n r = fill_yin_unique(module, retval, sub, &list->unique[list->unique_size], unres);\n list->unique_size++;\n if (r) {\n goto error;\n }\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub,\n LYEXT_SUBSTMT_UNIQUE, 
list->unique_size - 1, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n }\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (list->when || list->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n retval->flags |= LYS_VALID_EXT;\n if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {\n retval->flags |= LYS_VALID_EXT_SUBTREE;\n break;\n }\n }\n }\n\n return retval;\n\nerror:\n\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n while (uniq.child) {\n lyxml_free(ctx, uniq.child);\n }\n\n return NULL;\n}", "project": "libyang", "hash": 115335602041432819983754005856712723739, "size": 377, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336776 }, { "func": "fill_yin_extension(struct lys_module *module, struct lyxml_elem *yin, struct lys_ext *ext, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n const char *value;\n struct lyxml_elem *child, *node, *next, *next2;\n int c_ext = 0, rc;\n void *reallocated;\n\n GETVAL(ctx, value, yin, \"name\");\n\n if (lyp_check_identifier(ctx, value, LY_IDENT_EXTENSION, module, NULL)) {\n goto error;\n }\n ext->name = lydict_insert(ctx, value, strlen(value));\n\n if (read_yin_common(module, NULL, ext, LYEXT_PAR_EXT, yin, OPT_MODULE, unres)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n if (strcmp(node->ns->value, LY_NSYIN)) {\n /* possible extension instance */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, ext->ext_size, \"extensions\", \"extension\", error);\n c_ext++;\n } else if (!strcmp(node->name, \"argument\")) {\n /* argument */\n GETVAL(ctx, value, node, \"name\");\n ext->argument = lydict_insert(ctx, value, strlen(value));\n if (lyp_yin_parse_subnode_ext(module, ext, LYEXT_PAR_EXT, node, LYEXT_SUBSTMT_ARGUMENT, 0, unres)) {\n goto error;\n }\n\n /* yin-element */\n LY_TREE_FOR_SAFE(node->child, next2, child) {\n if (child->ns == node->ns && !strcmp(child->name, \"yin-element\")) {\n GETVAL(ctx, value, child, \"value\");\n if (ly_strequal(value, \"true\", 0)) {\n ext->flags |= LYS_YINELEM;\n }\n\n if (lyp_yin_parse_subnode_ext(module, ext, LYEXT_PAR_EXT, child, LYEXT_SUBSTMT_YINELEM, 0, unres)) {\n goto error;\n }\n } else if (child->ns) {\n /* unexpected YANG statement */\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_NONE, NULL, child->name, child->name);\n goto error;\n } /* else garbage, but save resource needed for unlinking */\n }\n\n lyxml_free(ctx, node);\n } else {\n /* unexpected YANG statement */\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_NONE, NULL, node->name, node->name);\n goto error;\n }\n }\n\n if 
(c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(ext->ext, (c_ext + ext->ext_size) * sizeof *ext->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n ext->ext = reallocated;\n\n /* init memory */\n memset(&ext->ext[ext->ext_size], 0, c_ext * sizeof *ext->ext);\n\n /* process the extension instances of the extension itself */\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n rc = lyp_yin_fill_ext(ext, LYEXT_PAR_EXT, 0, 0, module, node, &ext->ext, &ext->ext_size, unres);\n if (rc) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&ext->ext, ext->ext_size, c_ext + ext->ext_size);\n }\n\n /* search for plugin */\n ext->plugin = ext_get_plugin(ext->name, ext->module->name, ext->module->rev ? ext->module->rev[0].date : NULL);\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}", "project": "libyang", "hash": 286134204984875195300411165637507195251, "size": 86, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336777 }, { "func": "read_yin_input_output(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval = NULL;\n struct lys_node_inout *inout;\n int r;\n int c_tpdf = 0, c_must = 0, c_ext = 0;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n inout = calloc(1, sizeof *inout);\n LY_CHECK_ERR_RETURN(!inout, LOGMEM(ctx), NULL);\n inout->prev = (struct lys_node *)inout;\n\n if (!strcmp(yin->name, \"input\")) {\n inout->nodetype = LYS_INPUT;\n inout->name = lydict_insert(ctx, \"input\", 0);\n } else if (!strcmp(yin->name, \"output\")) {\n inout->nodetype = LYS_OUTPUT;\n inout->name = lydict_insert(ctx, \"output\", 0);\n } else {\n LOGINT(ctx);\n free(inout);\n goto error;\n }\n\n retval = (struct lys_node *)inout;\n retval->module = module;\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* data statements */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (!sub->ns) {\n /* garbage */\n lyxml_free(ctx, sub);\n } else if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\",\n inout->nodetype == LYS_INPUT ? 
\"input\" : \"output\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, inout->tpdf_size, \"typedefs\",\n inout->nodetype == LYS_INPUT ? \"input\" : \"output\", error);\n c_tpdf++;\n\n } else if ((module->version >= 2) && !strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, inout->must_size, \"musts\",\n inout->nodetype == LYS_INPUT ? \"input\" : \"output\", error);\n c_must++;\n\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n if (!root.child) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_LYS, retval, \"schema-node\", strnodetype(retval->nodetype));\n goto error;\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n inout->tpdf = calloc(c_tpdf, sizeof *inout->tpdf);\n LY_CHECK_ERR_GOTO(!inout->tpdf, LOGMEM(ctx), error);\n }\n if (c_must) {\n inout->must = calloc(c_must, sizeof *inout->must);\n LY_CHECK_ERR_GOTO(!inout->must, LOGMEM(ctx), error);\n }\n if (c_ext) {\n inout->ext = calloc(c_ext, sizeof *inout->ext);\n LY_CHECK_ERR_GOTO(!inout->ext, LOGMEM(ctx), error);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &inout->must[inout->must_size], unres);\n inout->must_size++;\n if (r) {\n 
goto error;\n }\n } else { /* typedef */\n r = fill_yin_typedef(module, retval, sub, &inout->tpdf[inout->tpdf_size], unres);\n inout->tpdf_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n options |= LYS_PARSE_OPT_CFG_IGNORE;\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && inout->must) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}", "project": "libyang", "hash": 307597432580069249223182367673754240947, 
"size": 173, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336779 }, { "func": "read_yin_choice(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct lyxml_elem *sub, *next, *dflt = NULL;\n struct ly_ctx *const ctx = module->ctx;\n struct lys_node *retval, *node = NULL;\n struct lys_node_choice *choice;\n const char *value;\n int f_mand = 0, c_ftrs = 0, c_ext = 0, ret;\n void *reallocated;\n\n choice = calloc(1, sizeof *choice);\n LY_CHECK_ERR_RETURN(!choice, LOGMEM(ctx), NULL);\n\n choice->nodetype = LYS_CHOICE;\n choice->prev = (struct lys_node *)choice;\n retval = (struct lys_node *)choice;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? 
OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process choice's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"choice\", error);\n c_ext++;\n /* keep it for later processing, skip lyxml_free() */\n continue;\n } else if (!strcmp(sub->name, \"container\")) {\n if (!(node = read_yin_container(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n if (!(node = read_yin_leaflist(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"leaf\")) {\n if (!(node = read_yin_leaf(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"list\")) {\n if (!(node = read_yin_list(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"case\")) {\n if (!(node = read_yin_case(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"anyxml\")) {\n if (!(node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"anydata\")) {\n if (!(node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"default\")) {\n if (dflt) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_DEFAULT, 0, unres)) {\n goto error;\n }\n\n dflt = sub;\n lyxml_unlink_elem(ctx, dflt, 0);\n continue;\n /* skip lyxml_free() at the end of the 
loop, the sub node is processed later as dflt */\n\n } else if (!strcmp(sub->name, \"mandatory\")) {\n if (f_mand) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in leaf is not sufficient, we would allow\n * multiple mandatory statements with the \"false\" value\n */\n f_mand = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"true\")) {\n choice->flags |= LYS_MAND_TRUE;\n } else if (!strcmp(value, \"false\")) {\n choice->flags |= LYS_MAND_FALSE;\n } else {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n } /* else false is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MANDATORY, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"when\")) {\n if (choice->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n choice->when = read_yin_when(module, sub, unres);\n if (!choice->when) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"choice\", error);\n c_ftrs++;\n\n /* skip lyxml_free() at the end of the loop, the sub node is processed later */\n continue;\n } else if (module->version >= 2 && !strcmp(sub->name, \"choice\")) {\n if (!(node = read_yin_choice(module, retval, sub, options, unres))) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n\n node = NULL;\n lyxml_free(ctx, sub);\n }\n\n if (c_ftrs) {\n choice->iffeature = calloc(c_ftrs, sizeof *choice->iffeature);\n LY_CHECK_ERR_GOTO(!choice->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), 
error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n ret = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (ret) {\n goto error;\n }\n } else {\n ret = fill_yin_iffeature(retval, 0, sub, &choice->iffeature[choice->iffeature_size], unres);\n choice->iffeature_size++;\n if (ret) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* check - default is prohibited in combination with mandatory */\n if (dflt && (choice->flags & LYS_MAND_TRUE)) {\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_LYS, retval, \"default\", \"choice\");\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"The \\\"default\\\" statement is forbidden on choices with \\\"mandatory\\\".\");\n goto error;\n }\n\n /* link default with the case */\n if (dflt) {\n GETVAL(ctx, value, dflt, \"value\");\n if (unres_schema_add_str(module, unres, choice, UNRES_CHOICE_DFLT, value) == -1) {\n goto error;\n }\n lyxml_free(ctx, dflt);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && choice->when) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n lyxml_free(ctx, dflt);\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}", "project": "libyang", "hash": 315797547351147599913771454392714186138, "size": 203, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336780 }, { "func": "read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, LYS_NODE type,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lys_node *retval;\n struct lys_node_anydata *anyxml;\n struct lyxml_elem *sub, *next;\n const char *value;\n int r;\n int f_mand = 0;\n int c_must = 0, c_ftrs = 0, c_ext = 0;\n void *reallocated;\n\n anyxml = calloc(1, sizeof *anyxml);\n LY_CHECK_ERR_RETURN(!anyxml, LOGMEM(ctx), NULL);\n\n anyxml->nodetype = type;\n anyxml->prev = (struct lys_node *)anyxml;\n retval = (struct lys_node *)anyxml;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT), unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"anydata\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"mandatory\")) {\n if (f_mand) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in leaf is not sufficient, we would allow\n * multiple mandatory statements with the \"false\" value\n */\n f_mand = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"true\")) {\n anyxml->flags |= LYS_MAND_TRUE;\n } else if (!strcmp(value, \"false\")) {\n anyxml->flags |= LYS_MAND_FALSE;\n } else {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, 
value, sub->name);\n goto error;\n }\n /* else false is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MANDATORY, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"when\")) {\n if (anyxml->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n anyxml->when = read_yin_when(module, sub, unres);\n if (!anyxml->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, anyxml->must_size, \"musts\", \"anydata\", error);\n c_must++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"anydata\", error);\n c_ftrs++;\n\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n */\n if (c_must) {\n anyxml->must = calloc(c_must, sizeof *anyxml->must);\n LY_CHECK_ERR_GOTO(!anyxml->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n anyxml->iffeature = calloc(c_ftrs, sizeof *anyxml->iffeature);\n LY_CHECK_ERR_GOTO(!anyxml->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, 
&anyxml->must[anyxml->must_size], unres);\n anyxml->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &anyxml->iffeature[anyxml->iffeature_size], unres);\n anyxml->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (anyxml->when || anyxml->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n retval->flags |= LYS_VALID_EXT;\n break;\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}", "project": "libyang", "hash": 190407262843483632675530669528518292129, "size": 158, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336782 }, { "func": "read_yin_container(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_container *cont;\n const char *value;\n void *reallocated;\n int r;\n int c_tpdf = 0, c_must = 0, c_ftrs = 0, c_ext = 0;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n cont = calloc(1, sizeof *cont);\n LY_CHECK_ERR_RETURN(!cont, LOGMEM(ctx), NULL);\n\n cont->nodetype = LYS_CONTAINER;\n cont->prev = (struct lys_node *)cont;\n retval = (struct lys_node *)cont;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process container's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"container\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"presence\")) {\n if (cont->presence) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, sub, \"value\");\n cont->presence = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_PRESENCE, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if 
(!strcmp(sub->name, \"when\")) {\n if (cont->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n cont->when = read_yin_when(module, sub, unres);\n if (!cont->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\") ||\n !strcmp(sub->name, \"action\") ||\n !strcmp(sub->name, \"notification\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, cont->tpdf_size, \"typedefs\", \"container\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, cont->must_size, \"musts\", \"container\", error);\n c_must++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"container\", error);\n c_ftrs++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n cont->tpdf = calloc(c_tpdf, sizeof *cont->tpdf);\n LY_CHECK_ERR_GOTO(!cont->tpdf, LOGMEM(ctx), error);\n }\n if (c_must) {\n cont->must = calloc(c_must, sizeof *cont->must);\n LY_CHECK_ERR_GOTO(!cont->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n cont->iffeature = calloc(c_ftrs, sizeof *cont->iffeature);\n LY_CHECK_ERR_GOTO(!cont->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + 
retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &cont->tpdf[cont->tpdf_size], unres);\n cont->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &cont->must[cont->must_size], unres);\n cont->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &cont->iffeature[cont->iffeature_size], unres);\n cont->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n 
node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n } else if (!strcmp(sub->name, \"action\")) {\n node = read_yin_rpc_action(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"notification\")) {\n node = read_yin_notif(module, retval, sub, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (cont->when || cont->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* extension instance may not yet be resolved */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n /* set flag, which represent LYEXT_OPT_VALID */\n retval->flags |= LYS_VALID_EXT;\n if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {\n retval->flags |= LYS_VALID_EXT_SUBTREE;\n break;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}", "project": "libyang", "hash": 336173865557448454715868745869729551732, "size": 218, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336786 }, { "func": "read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lys_node *retval;\n struct lys_node_leaf *leaf;\n struct lyxml_elem *sub, *next;\n const char *value;\n int r, has_type = 0;\n int c_must = 0, c_ftrs = 0, f_mand = 0, c_ext = 0;\n void *reallocated;\n\n leaf = calloc(1, sizeof *leaf);\n LY_CHECK_ERR_RETURN(!leaf, LOGMEM(ctx), NULL);\n\n leaf->nodetype = LYS_LEAF;\n leaf->prev = (struct lys_node *)leaf;\n retval = (struct lys_node *)leaf;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"leaf\", error);\n c_ext++;\n continue;\n } else if (!strcmp(sub->name, \"type\")) {\n if (has_type) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* HACK for unres */\n leaf->type.der = (struct lys_tpdf *)sub;\n leaf->type.parent = (struct lys_tpdf *)leaf;\n /* postpone type resolution when if-feature parsing is done since we need\n * if-feature for check_leafref_features() */\n has_type = 1;\n } else if (!strcmp(sub->name, \"default\")) {\n if (leaf->dflt) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n 
}\n GETVAL(ctx, value, sub, \"value\");\n leaf->dflt = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_DEFAULT, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"units\")) {\n if (leaf->units) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, sub, \"name\");\n leaf->units = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_UNITS, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"mandatory\")) {\n if (f_mand) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in leaf is not sufficient, we would allow\n * multiple mandatory statements with the \"false\" value\n */\n f_mand = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"true\")) {\n leaf->flags |= LYS_MAND_TRUE;\n } else if (!strcmp(value, \"false\")) {\n leaf->flags |= LYS_MAND_FALSE;\n } else {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n } /* else false is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MANDATORY, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"when\")) {\n if (leaf->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n leaf->when = read_yin_when(module, sub, unres);\n if (!leaf->when) {\n goto error;\n }\n\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, leaf->must_size, \"musts\", \"leaf\", error);\n c_must++;\n continue;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"musts\", \"leaf\", error);\n c_ftrs++;\n continue;\n\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, 
retval, sub->name);\n goto error;\n }\n\n /* do not free sub, it could have been unlinked and stored in unres */\n }\n\n /* check mandatory parameters */\n if (!has_type) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_LYS, retval, \"type\", yin->name);\n goto error;\n }\n if (leaf->dflt && (leaf->flags & LYS_MAND_TRUE)) {\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_LYS, retval, \"mandatory\", \"leaf\");\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL,\n \"The \\\"mandatory\\\" statement is forbidden on leaf with the \\\"default\\\" statement.\");\n goto error;\n }\n\n /* middle part - process nodes with cardinality of 0..n */\n if (c_must) {\n leaf->must = calloc(c_must, sizeof *leaf->must);\n LY_CHECK_ERR_GOTO(!leaf->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n leaf->iffeature = calloc(c_ftrs, sizeof *leaf->iffeature);\n LY_CHECK_ERR_GOTO(!leaf->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &leaf->must[leaf->must_size], unres);\n leaf->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &leaf->iffeature[leaf->iffeature_size], unres);\n leaf->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* finalize type parsing */\n if 
(unres_schema_add_node(module, unres, &leaf->type, UNRES_TYPE_DER, retval) == -1) {\n leaf->type.der = NULL;\n goto error;\n }\n\n /* check default value (if not defined, there still could be some restrictions\n * that need to be checked against a default value from a derived type) */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) &&\n (unres_schema_add_node(module, unres, &leaf->type, UNRES_TYPE_DFLT,\n (struct lys_node *)(&leaf->dflt)) == -1)) {\n goto error;\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (leaf->when || leaf->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n retval->flags |= LYS_VALID_EXT;\n break;\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}", "project": "libyang", "hash": 112837442562867612790477931862043988586, "size": 219, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336787 }, { "func": "read_yin_grouping(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_grp *grp;\n int r;\n int c_tpdf = 0, c_ext = 0;\n void *reallocated;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n grp = calloc(1, sizeof *grp);\n LY_CHECK_ERR_RETURN(!grp, LOGMEM(ctx), NULL);\n\n grp->nodetype = LYS_GROUPING;\n grp->prev = (struct lys_node *)grp;\n retval = (struct lys_node *)grp;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin, OPT_IDENT | OPT_MODULE , unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"grouping\", error);\n c_ext++;\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\") ||\n !strcmp(sub->name, \"action\") ||\n !strcmp(sub->name, \"notification\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, grp->tpdf_size, \"typedefs\", \"grouping\", error);\n c_tpdf++;\n } 
else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n grp->tpdf = calloc(c_tpdf, sizeof *grp->tpdf);\n LY_CHECK_ERR_GOTO(!grp->tpdf, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else {\n /* typedef */\n r = fill_yin_typedef(module, retval, sub, &grp->tpdf[grp->tpdf_size], unres);\n grp->tpdf_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n if (!root.child) {\n LOGWRN(ctx, \"Grouping \\\"%s\\\" without children.\", retval->name);\n }\n options |= LYS_PARSE_OPT_INGRP;\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, 
unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n } else if (!strcmp(sub->name, \"action\")) {\n node = read_yin_rpc_action(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"notification\")) {\n node = read_yin_notif(module, retval, sub, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}", "project": "libyang", "hash": 15413466291165177767871103584060305603, "size": 142, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336790 }, { "func": "read_restr_substmt(struct lys_module *module, struct lys_restr *restr, struct lyxml_elem *yin,\n struct unres_schema *unres)\n{\n struct lyxml_elem *child, *next;\n const char *value;\n struct ly_ctx *ctx = module->ctx;\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_SELF, 0, unres)) {\n return EXIT_FAILURE;\n }\n } else if (!strcmp(child->name, \"description\")) {\n if (restr->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n return EXIT_FAILURE;\n }\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n return EXIT_FAILURE;\n }\n restr->dsc = read_yin_subnode(ctx, child, \"text\");\n if (!restr->dsc) {\n return EXIT_FAILURE;\n }\n } else if (!strcmp(child->name, \"reference\")) {\n if (restr->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n return EXIT_FAILURE;\n }\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n return EXIT_FAILURE;\n }\n restr->ref = read_yin_subnode(ctx, child, \"text\");\n if (!restr->ref) {\n return EXIT_FAILURE;\n }\n } else if (!strcmp(child->name, \"error-app-tag\")) {\n if (restr->eapptag) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n return EXIT_FAILURE;\n }\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_ERRTAG, 0, unres)) {\n return EXIT_FAILURE;\n }\n GETVAL(ctx, value, child, \"value\");\n restr->eapptag = lydict_insert(ctx, value, 0);\n } else if (!strcmp(child->name, \"error-message\")) {\n if (restr->emsg) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, 
NULL, child->name, yin->name);\n return EXIT_FAILURE;\n }\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_ERRMSG, 0, unres)) {\n return EXIT_FAILURE;\n }\n restr->emsg = read_yin_subnode(ctx, child, \"value\");\n if (!restr->emsg) {\n return EXIT_FAILURE;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n return EXIT_FAILURE;\n }\n }\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}", "project": "libyang", "hash": 93354852469643142055828412969936608221, "size": 73, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336793 }, { "func": "fill_yin_include(struct lys_module *module, struct lys_submodule *submodule, struct lyxml_elem *yin,\n struct lys_include *inc, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *child, *next, exts;\n const char *value;\n int r, c_ext = 0;\n void *reallocated;\n\n /* init */\n memset(&exts, 0, sizeof exts);\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, inc->ext_size, \"extensions\", \"include\", error);\n c_ext++;\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &exts, child);\n } else if (!strcmp(child->name, \"revision-date\")) {\n if (inc->rev[0]) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, \"revision-date\", yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"date\");\n if (lyp_check_date(ctx, value)) {\n goto error;\n }\n memcpy(inc->rev, value, LY_REV_SIZE - 1);\n\n if (lyp_yin_parse_subnode_ext(module, inc, LYEXT_PAR_INCLUDE, child, LYEXT_SUBSTMT_REVISIONDATE, 0, unres)) {\n goto error;\n }\n } else if ((module->version >= 2) && !strcmp(child->name, 
\"description\")) {\n if (inc->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, inc, LYEXT_PAR_INCLUDE, child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n goto error;\n }\n inc->dsc = read_yin_subnode(ctx, child, \"text\");\n if (!inc->dsc) {\n goto error;\n }\n } else if ((module->version >= 2) && !strcmp(child->name, \"reference\")) {\n if (inc->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, inc, LYEXT_PAR_INCLUDE, child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n goto error;\n }\n inc->ref = read_yin_subnode(ctx, child, \"text\");\n if (!inc->ref) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n /* process extensions */\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(inc->ext, (c_ext + inc->ext_size) * sizeof *inc->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n inc->ext = reallocated;\n\n /* init memory */\n memset(&inc->ext[inc->ext_size], 0, c_ext * sizeof *inc->ext);\n\n LY_TREE_FOR_SAFE(exts.child, next, child) {\n /* extension */\n r = lyp_yin_fill_ext(inc, LYEXT_PAR_INCLUDE, 0, 0, module, child, &inc->ext, &inc->ext_size, unres);\n if (r) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&inc->ext, inc->ext_size, c_ext + inc->ext_size);\n }\n\n GETVAL(ctx, value, yin, \"module\");\n return lyp_check_include(submodule ? (struct lys_module *)submodule : module, value, inc, unres);\n\nerror:\n return -1;\n}", "project": "libyang", "hash": 275328397526231724343075461502239926647, "size": 93, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336795 }, { "func": "read_yin_notif(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_notif *notif;\n int r;\n int c_tpdf = 0, c_ftrs = 0, c_must = 0, c_ext = 0;\n void *reallocated;\n\n if (parent && (module->version < 2)) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, parent, \"notification\");\n return NULL;\n }\n\n memset(&root, 0, sizeof root);\n\n notif = calloc(1, sizeof *notif);\n LY_CHECK_ERR_RETURN(!notif, LOGMEM(ctx), NULL);\n\n notif->nodetype = LYS_NOTIF;\n notif->prev = (struct lys_node *)notif;\n retval = (struct lys_node *)notif;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin, OPT_IDENT | OPT_MODULE, unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process rpc's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"notification\", error);\n c_ext++;\n continue;\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, 
\"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, notif->tpdf_size, \"typedefs\", \"notification\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"notification\", error);\n c_ftrs++;\n } else if ((module->version >= 2) && !strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, notif->must_size, \"musts\", \"notification\", error);\n c_must++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n notif->tpdf = calloc(c_tpdf, sizeof *notif->tpdf);\n LY_CHECK_ERR_GOTO(!notif->tpdf, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n notif->iffeature = calloc(c_ftrs, sizeof *notif->iffeature);\n LY_CHECK_ERR_GOTO(!notif->iffeature, LOGMEM(ctx), error);\n }\n if (c_must) {\n notif->must = calloc(c_must, sizeof *notif->must);\n LY_CHECK_ERR_GOTO(!notif->must, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &notif->tpdf[notif->tpdf_size], unres);\n notif->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &notif->iffeature[notif->iffeature_size], unres);\n 
notif->iffeature_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &notif->must[notif->must_size], unres);\n notif->must_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n options |= LYS_PARSE_OPT_CFG_IGNORE;\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && notif->must) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}", "project": "libyang", 
"hash": 194930711234157440117714933618475949815, "size": 178, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336796 }, { "func": "lyp_yin_fill_ext(void *parent, LYEXT_PAR parent_type, LYEXT_SUBSTMT substmt, uint8_t substmt_index,\n struct lys_module *module, struct lyxml_elem *yin, struct lys_ext_instance ***ext,\n uint8_t *ext_size, struct unres_schema *unres)\n{\n struct unres_ext *info;\n int rc;\n\n info = malloc(sizeof *info);\n LY_CHECK_ERR_RETURN(!info, LOGMEM(module->ctx), EXIT_FAILURE);\n lyxml_unlink(module->ctx, yin);\n info->data.yin = yin;\n info->datatype = LYS_IN_YIN;\n info->parent = parent;\n info->mod = module;\n info->parent_type = parent_type;\n info->substmt = substmt;\n info->substmt_index = substmt_index;\n info->ext_index = *ext_size;\n\n rc = unres_schema_add_node(module, unres, ext, UNRES_EXT, (struct lys_node *)info);\n if (!rc && !(*ext)[*ext_size]) {\n /* extension instance is skipped */\n } else {\n ++(*ext_size);\n }\n\n return rc == -1 ? EXIT_FAILURE : EXIT_SUCCESS;\n}", "project": "libyang", "hash": 288373933368995538789084507090978474894, "size": 28, "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777", "message": "yin parser BUGFIX invalid memory access\n\n... 
in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455", "target": 0, "dataset": "other", "idx": 336759 }, { "func": "ly_add_loaded_plugin(char *name)\n{\n loaded_plugins = ly_realloc(loaded_plugins, (loaded_plugins_count + 2) * sizeof *loaded_plugins);\n LY_CHECK_ERR_RETURN(!loaded_plugins, free(name); LOGMEM(NULL), );\n ++loaded_plugins_count;\n\n loaded_plugins[loaded_plugins_count - 1] = name;\n loaded_plugins[loaded_plugins_count] = NULL;\n}", "project": "libyang", "hash": 124770143019807796430683696017842707483, "size": 9, "commit_id": "59a0bff1a5a2f0a0eac07e4bf94d4aea9dd3708d", "message": "plugins BUGFIX handle empty revision correctly\n\nFixes #1451", "target": 0, "dataset": "other", "idx": 413420 } ] }, { "call_depth": 4, "longest_call_chain": [ "test_r_str_ansi_len", "r_str_ansi_len", "r_str_ansi_nlen", "__str_ansi_length" ], "group_size": 12, "functions": [ { "func": "R_API int r_str_bounds(const char *_str, int *h) {\n\tconst char *str, *ptr;\n\tint W = 0, H = 0;\n\tint cw = 0;\n\n\tif (_str) {\n\t\tptr = str = _str;\n\t\twhile (*str) {\n\t\t\tif (*str == '\\n') {\n\t\t\t\tH++;\n\t\t\t\tcw = r_str_ansi_nlen (ptr, (size_t)(str - ptr));\n\t\t\t\tif (cw > W) {\n\t\t\t\t\tW = cw;\n\t\t\t\t}\n\t\t\t\tcw = 0;\n\t\t\t\tptr = str + 1;\n\t\t\t}\n\t\t\tstr++;\n\t\t\tcw++;\n\t\t}\n\t\tif (*str == '\\n') {// skip last newline\n\t\t\tH--;\n\t\t}\n\t\tif (h) {\n\t\t\t*h = H;\n\t\t}\n\t}\n\treturn W;\n}", "project": "radare2", "hash": 172961371563676163614597385006965488211, "size": 29, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* 
Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269020 }, { "func": "R_API size_t r_str_utf8_codepoint(const char* s, size_t left) {\n\tif ((*s & 0x80) != 0x80) {\n\t\treturn 0;\n\t} else if ((*s & 0xe0) == 0xc0 && left >= 1) {\n\t\treturn ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);\n\t} else if ((*s & 0xf0) == 0xe0 && left >= 2) {\n\t\treturn ((*s & 0xf) << 12) + ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);\n\t} else if ((*s & 0xf8) == 0xf0 && left >= 3) {\n\t\treturn ((*s & 0x7) << 18) + ((*(s + 1) & 0x3f) << 12) + ((*(s + 2) & 0x3f) << 6) + (*(s + 3) & 0x3f);\n\t}\n\treturn 0;\n}", "project": "radare2", "hash": 82642143776190898523180011603148462796, "size": 12, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269075 }, { "func": "bool test_r_str_ansi_len(void) {\n\tint len;\n\n\tlen = r_str_ansi_len (\"radare2\");\n\tmu_assert_eq (len, 7, \"len(ascii only)\");\n\n\tlen = r_str_ansi_len (\"r\\x1b[38;2;208;80;0madare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with m)\");\n\n\tlen = r_str_ansi_len (\"r\\x1b[0Jadare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with J)\");\n\n\tlen = r_str_ansi_len (\"r\\x1b[42;42Hadare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with H)\");\n\n\tlen = r_str_ansi_len (\"r\\xc3\\xa4\"\"dare2\");\n\tmu_assert_eq (len, 8, \"len(ascii + 2 byte utf-8 counted as 2 chars)\");\n\n\tlen = r_str_ansi_len (\"radar\\xe2\\x82\\xac\"\"2\");\n\tmu_assert_eq (len, 9, \"len(ascii + 3 byte utf-8 counted as 3 chars)\");\n\n\tlen = r_str_ansi_len (\"radar\\xf0\\x9d\\x84\\x9e\"\"2\");\n\tmu_assert_eq (len, 10, \"len(ascii + 4 byte utf-8 counted as 4 chars)\");\n\n\tmu_end;\n}", "project": "radare2", "hash": 245129988670048831657085626011348857996, "size": 26, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being 
created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268963 }, { "func": "R_API size_t r_str_len_utf8_ansi(const char *str) {\n\tint i = 0, len = 0, fullwidths = 0;\n\twhile (str[i]) {\n\t\tchar ch = str[i];\n\t\tsize_t chlen = __str_ansi_length (str + i);\n\t\tif (chlen > 1) {\n\t\t\ti += chlen - 1;\n\t\t} else if ((ch & 0xc0) != 0x80) { // utf8\n\t\t\tlen++;\n\t\t\tif (r_str_char_fullwidth (str + i, 4)) {\n\t\t\t\tfullwidths++;\n\t\t\t}\n\t\t}\n\t\ti++;\n\t}\n\treturn len + fullwidths;\n}", "project": "radare2", "hash": 246882952988880531618945286284081071080, "size": 17, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268864 }, { "func": "R_API size_t r_str_len_utf8(const char *s) {\n\tsize_t i = 0, j = 0, fullwidths = 0;\n\twhile (s[i]) {\n\t\tif ((s[i] & 0xc0) != 0x80) {\n\t\t\tj++;\n\t\t\tif (r_str_char_fullwidth (s + i, 4)) {\n\t\t\t\tfullwidths++;\n\t\t\t}\n\t\t}\n\t\ti++;\n\t}\n\treturn j + fullwidths;\n}", "project": "radare2", "hash": 316503508038150507658967101271731313672, "size": 13, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268842 }, { "func": "bool test_r_str_len_utf8_ansi(void) {\n\tint len;\n\n\tlen = r_str_len_utf8_ansi (\"radare2\");\n\tmu_assert_eq (len, 7, \"len(ascii only)\");\n\n\tlen = r_str_len_utf8_ansi (\"r\\x1b[38;2;208;80;0madare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with m)\");\n\n\tlen = r_str_len_utf8_ansi (\"r\\x1b[0Jadare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with J)\");\n\n\tlen = r_str_len_utf8_ansi (\"r\\x1b[42;42Hadare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with H)\");\n\n\tlen = r_str_len_utf8_ansi (\"r\\xc3\\xa4\"\"dare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + 2 byte utf-8 counted as 1 char)\");\n\n\tlen = r_str_len_utf8_ansi (\"radar\\xe2\\x82\\xac\"\"2\");\n\tmu_assert_eq (len, 7, \"len(ascii + 3 byte utf-8 counted as 1 char)\");\n\n\tlen = r_str_len_utf8_ansi (\"radar\\xf0\\x9d\\x84\\x9e\"\"2\");\n\tmu_assert_eq (len, 7, \"len(ascii + 4 byte utf-8 counted as 1 char)\");\n\n\tmu_end;\n}", "project": "radare2", "hash": 300615110034844303206843893313033797781, "size": 26, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup 
r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268885 }, { "func": "static size_t __str_ansi_length(char const *str) {\n\tsize_t i = 1;\n\tif (str[0] == 0x1b) {\n\t\tif (str[1] == '[') {\n\t\t\ti++;\n\t\t\twhile (str[i] && str[i] != 'J' && str[i] != 'm' && str[i] != 'H' && str[i] != 'K') {\n\t\t\t\ti++;\n\t\t\t}\n\t\t} else if (str[1] == '#') {\n\t\t\twhile (str[i] && str[i] != 'q') {\n\t\t\t\ti++;\n\t\t\t}\n\t\t}\n\t\tif (str[i]) {\n\t\t\ti++;\n\t\t}\n\t}\n\treturn i;\n}", "project": "radare2", "hash": 200895843150089395620465295524191413400, "size": 19, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268870 }, { "func": "R_API bool r_str_char_fullwidth (const char* s, size_t left) {\n\tsize_t codepoint = r_str_utf8_codepoint (s, left);\n\treturn (codepoint >= 0x1100 &&\n\t\t (codepoint <= 0x115f || /* Hangul Jamo init. consonants */\n\t\t\t codepoint == 0x2329 || codepoint == 0x232a ||\n\t\t (R_BETWEEN (0x2e80, codepoint, 0xa4cf)\n\t\t\t&& codepoint != 0x303f) || /* CJK ... Yi */\n\t\t R_BETWEEN (0xac00, codepoint, 0xd7a3) || /* Hangul Syllables */\n\t\t R_BETWEEN (0xf900, codepoint, 0xfaff) || /* CJK Compatibility Ideographs */\n\t\t R_BETWEEN (0xfe10, codepoint, 0xfe19) || /* Vertical forms */\n\t\t R_BETWEEN (0xfe30, codepoint, 0xfe6f) || /* CJK Compatibility Forms */\n\t\t R_BETWEEN (0xff00, codepoint, 0xff60) || /* Fullwidth Forms */\n\t\t R_BETWEEN (0xffe0, codepoint, 0xffe6) ||\n\t\t R_BETWEEN (0x20000, codepoint, 0x2fffd) ||\n\t\t R_BETWEEN (0x30000, codepoint, 0x3fffd)));\n\n}", "project": "radare2", "hash": 151893148021945223497863263296321387586, "size": 17, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a 
protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269038 }, { "func": "R_API size_t r_str_ansi_len(const char *str) {\n\treturn r_str_ansi_nlen (str, 0);\n}", "project": "radare2", "hash": 58897733689454207834188866702317919166, "size": 3, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268835 }, { "func": "R_API size_t r_str_ansi_nlen(const char *str, size_t slen) {\n\tsize_t i = 0, len = 0;\n\tif (slen > 0) {\n\t\twhile (str[i] && i < slen) {\n\t\t\tsize_t chlen = __str_ansi_length (str + i);\n\t\t\tif (chlen == 1) {\n\t\t\t\tlen ++;\n\t\t\t}\n\t\t\ti += chlen;\n\t\t}\n\t\treturn len > 0 ? len: 1;\n\t}\n\twhile (str[i]) {\n\t\tsize_t chlen = __str_ansi_length (str + i);\n\t\tif (chlen == 1) {\n\t\t\tlen ++;\n\t\t}\n\t\ti += chlen;\n\t}\n\treturn len > 0 ? len: 1;\n}", "project": "radare2", "hash": 87218290180537692850025468704473713796, "size": 21, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. 
SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268881 }, { "func": "R_API int r_str_ansi_filter(char *str, char **out, int **cposs, int len) {\n\tint i, j, *cps;\n\n\tif (len == 0) {\n\t\treturn 0;\n\t}\n\tif (len < 0) {\n\t\tlen = strlen (str);\n\t}\n\tchar *tmp = malloc (len + 1);\n\tif (!tmp) {\n\t\treturn -1;\n\t}\n\tmemcpy (tmp, str, len + 1);\n\tcps = calloc (len + 1, sizeof (int));\n\tif (!cps) {\n\t\tfree (tmp);\n\t\treturn -1;\n\t}\n\n\tfor (i = j = 0; i < len; i++) {\n\t\tif (tmp[i] == 0x1b) {\n\t\t\tsize_t chlen = __str_ansi_length (str + i);\n\t\t\tif (chlen > 1) {\n\t\t\t\ti += chlen;\n\t\t\t\ti--;\n\t\t\t}\n\t\t} else {\n\t\t\tstr[j] = tmp[i];\n\t\t\tcps[j] = i;\n\t\t\tj++;\n\t\t}\n\t}\n\tstr[j] = tmp[i];\n\n\tif (out) {\n\t\t*out = tmp;\n\t} else {\n\t\tfree (tmp);\n\t}\n\n\tif (cposs) {\n\t\t*cposs = cps;\n\t} else {\n\t\tfree (cps);\n\t}\n\n\treturn j;\n}", "project": "radare2", "hash": 84547543664250501063876670059002389663, "size": 49, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in 
r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 269037 }, { "func": "R_API char* r_str_replace_thunked(char *str, char *clean, int *thunk, int clen,\n\t\t\t\t const char *key, const char *val, int g) {\n\tint i, klen, vlen, slen, delta = 0, bias;\n\tchar *newstr, *scnd, *p = clean, *str_p;\n\n\tif (!str || !key || !val || !clean || !thunk) {\n\t\treturn NULL;\n\t}\n\tklen = strlen (key);\n\tvlen = strlen (val);\n\tif (klen == vlen && !strcmp (key, val)) {\n\t\treturn str;\n\t}\n\tslen = strlen (str) + 1;\n\n\tfor (i = 0; i < clen; ) {\n\t\tp = (char *)r_mem_mem (\n\t\t\t(const ut8*)clean + i, clen - i,\n\t\t\t(const ut8*)key, klen);\n\t\tif (!p) {\n\t\t\tbreak;\n\t\t}\n\t\ti = (int)(size_t)(p - clean);\n\t\t/* as the original string changes size during replacement\n\t\t * we need delta to keep track of it*/\n\t\tstr_p = str + thunk[i] + delta;\n\n\t\tint newo = thunk[i + klen] - thunk[i];\n\t\tr_str_ansi_filter (str_p, NULL, NULL, newo);\n\t\tscnd = strdup (str_p + newo);\n\t\tbias = vlen - newo;\n\n\t\tslen += bias;\n\t\t// HACK: this 32 avoids overwrites wtf\n\t\tnewstr = realloc (str, slen + klen);\n\t\tif (!newstr) {\n\t\t\teprintf (\"realloc fail\\n\");\n\t\t\tR_FREE (str);\n\t\t\tfree (scnd);\n\t\t\tbreak;\n\t\t}\n\t\tstr = newstr;\n\t\tstr_p = str + thunk[i] + delta;\n\t\tmemcpy (str_p, val, 
vlen);\n\t\tmemcpy (str_p + vlen, scnd, strlen (scnd) + 1);\n\t\ti += klen;\n\t\tdelta += bias;\n\t\tfree (scnd);\n\t\tif (!g) {\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn str;\n}", "project": "radare2", "hash": 45113790991075915971260591637914211342, "size": 54, "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9", "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments", "target": 0, "dataset": "other", "idx": 268912 } ] }, { "call_depth": 4, "longest_call_chain": [ "do_tune", "gch_build", "gch_transpose", "gch_tr1" ], "group_size": 7, "functions": [ { "func": "static void get_over(struct SYMBOL *s)\n{\n\tstruct VOICE_S *p_voice, *p_voice2, *p_voice3;\n\tint range, voice, voice2, voice3;\nstatic char tx_wrong_dur[] = \"Wrong duration in voice overlay\";\nstatic char txt_no_note[] = \"No note in voice overlay\";\n\n\t/* treat the end of overlay */\n\tp_voice = curvoice;\n\tif (p_voice->ignore)\n\t\treturn;\n\tif (s->abc_type == 
ABC_T_BAR\n\t || s->u.v_over.type == V_OVER_E) {\n\t\tif (!p_voice->last_sym) {\n\t\t\terror(1, s, txt_no_note);\n\t\t\treturn;\n\t\t}\n\t\tp_voice->last_sym->sflags |= S_BEAM_END;\n\t\tover_bar = 0;\n\t\tif (over_time < 0) {\n\t\t\terror(1, s, \"Erroneous end of voice overlap\");\n\t\t\treturn;\n\t\t}\n\t\tif (p_voice->time != over_mxtime)\n\t\t\terror(1, s, tx_wrong_dur);\n\t\tcurvoice = &voice_tb[over_voice];\n\t\tover_mxtime = 0;\n\t\tover_voice = -1;\n\t\tover_time = -1;\n\t\treturn;\n\t}\n\n\t/* treat the full overlay start */\n\tif (s->u.v_over.type == V_OVER_S) {\n\t\tover_voice = p_voice - voice_tb;\n\t\tover_time = p_voice->time;\n\t\treturn;\n\t}\n\n\t/* (here is treated a new overlay - '&') */\n\t/* create the extra voice if not done yet */\n\tif (!p_voice->last_sym) {\n\t\terror(1, s, txt_no_note);\n\t\treturn;\n\t}\n\tp_voice->last_sym->sflags |= S_BEAM_END;\n\tvoice2 = s->u.v_over.voice;\n\tp_voice2 = &voice_tb[voice2];\n\tif (parsys->voice[voice2].range < 0) {\n\t\tint clone;\n\n\t\tif (cfmt.abc2pscompat) {\n\t\t\terror(1, s, \"Cannot have %%%%abc2pscompat\");\n\t\t\tcfmt.abc2pscompat = 0;\n\t\t}\n\t\tclone = p_voice->clone >= 0;\n\t\tp_voice2->id[0] = '&';\n\t\tp_voice2->id[1] = '\\0';\n\t\tp_voice2->second = 1;\n\t\tparsys->voice[voice2].second = 1;\n\t\tp_voice2->scale = p_voice->scale;\n\t\tp_voice2->octave = p_voice->octave;\n\t\tp_voice2->transpose = p_voice->transpose;\n\t\tmemcpy(&p_voice2->key, &p_voice->key,\n\t\t\t\t\tsizeof p_voice2->key);\n\t\tmemcpy(&p_voice2->ckey, &p_voice->ckey,\n\t\t\t\t\tsizeof p_voice2->ckey);\n\t\tmemcpy(&p_voice2->okey, &p_voice->okey,\n\t\t\t\t\tsizeof p_voice2->okey);\n\t\tp_voice2->posit = p_voice->posit;\n\t\tp_voice2->staff = p_voice->staff;\n\t\tp_voice2->cstaff = p_voice->cstaff;\n\t\tp_voice2->color = p_voice->color;\n\t\tp_voice2->map_name = p_voice->map_name;\n\t\trange = parsys->voice[p_voice - voice_tb].range;\n\t\tfor (voice = 0; voice < MAXVOICE; voice++) {\n\t\t\tif (parsys->voice[voice].range > 
range)\n\t\t\t\tparsys->voice[voice].range += clone + 1;\n\t\t}\n\t\tparsys->voice[voice2].range = range + 1;\n\t\tvoice_link(p_voice2);\n\t\tif (clone) {\n\t\t\tfor (voice3 = MAXVOICE; --voice3 >= 0; ) {\n\t\t\t\tif (parsys->voice[voice3].range < 0)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (voice3 > 0) {\n\t\t\t\tp_voice3 = &voice_tb[voice3];\n\t\t\t\tstrcpy(p_voice3->id, p_voice2->id);\n\t\t\t\tp_voice3->second = 1;\n\t\t\t\tparsys->voice[voice3].second = 1;\n\t\t\t\tp_voice3->scale = voice_tb[p_voice->clone].scale;\n\t\t\t\tparsys->voice[voice3].range = range + 2;\n\t\t\t\tvoice_link(p_voice3);\n\t\t\t\tp_voice2->clone = voice3;\n\t\t\t} else {\n\t\t\t\terror(1, s,\n\t\t\t\t \"Too many voices for overlay cloning\");\n\t\t\t}\n\t\t}\n\t}\n\tvoice = p_voice - voice_tb;\n//\tp_voice2->cstaff = p_voice2->staff = parsys->voice[voice2].staff\n//\t\t\t= parsys->voice[voice].staff;\n//\tif ((voice3 = p_voice2->clone) >= 0) {\n//\t\tp_voice3 = &voice_tb[voice3];\n//\t\tp_voice3->cstaff = p_voice3->staff\n//\t\t\t\t= parsys->voice[voice3].staff\n//\t\t\t\t= parsys->voice[p_voice->clone].staff;\n//\t}\n\n\tif (over_time < 0) {\t\t\t/* first '&' in a measure */\n\t\tint time;\n\n\t\tover_bar = 1;\n\t\tover_mxtime = p_voice->time;\n\t\tover_voice = voice;\n\t\ttime = p_voice2->time;\n\t\tfor (s = p_voice->last_sym; /*s*/; s = s->prev) {\n\t\t\tif (s->type == BAR\n\t\t\t || s->time <= time)\t/* (if start of tune) */\n\t\t\t\tbreak;\n\t\t}\n\t\tover_time = s->time;\n\t} else {\n\t\tif (over_mxtime == 0)\n\t\t\tover_mxtime = p_voice->time;\n\t\telse if (p_voice->time != over_mxtime)\n\t\t\terror(1, s, tx_wrong_dur);\n\t}\n\tp_voice2->time = over_time;\n\tcurvoice = p_voice2;\n}", "project": "abcm2ps", "hash": 89478143332361880739890507095670885956, "size": 133, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,", "target": 1, "dataset": "other", "idx": 215165 }, { "func": "static void 
get_over(struct SYMBOL *s)\n{\n\tstruct VOICE_S *p_voice, *p_voice2, *p_voice3;\n\tint range, voice, voice2, voice3;\nstatic char tx_wrong_dur[] = \"Wrong duration in voice overlay\";\nstatic char txt_no_note[] = \"No note in voice overlay\";\n\n\t/* treat the end of overlay */\n\tp_voice = curvoice;\n\tif (p_voice->ignore)\n\t\treturn;\n\tif (s->abc_type == ABC_T_BAR\n\t || s->u.v_over.type == V_OVER_E) {\n\t\tif (!p_voice->last_sym) {\n\t\t\terror(1, s, txt_no_note);\n\t\t\treturn;\n\t\t}\n\t\tp_voice->last_sym->sflags |= S_BEAM_END;\n\t\tover_bar = 0;\n\t\tif (over_time < 0) {\n\t\t\terror(1, s, \"Erroneous end of voice overlap\");\n\t\t\treturn;\n\t\t}\n\t\tcurvoice = &voice_tb[over_voice];\n\t\tif (p_voice->time != over_mxtime) {\n\t\t\terror(1, s, tx_wrong_dur);\n\t\t\tif (p_voice->time > over_mxtime)\n\t\t\t\tcurvoice->time = p_voice->time;\n\t\t\telse\n\t\t\t\tp_voice->time = curvoice->time;\n\t\t}\n\t\tover_mxtime = 0;\n\t\tover_voice = -1;\n\t\tover_time = -1;\n\t\treturn;\n\t}\n\n\t/* treat the full overlay start */\n\tif (s->u.v_over.type == V_OVER_S) {\n\t\tover_voice = p_voice - voice_tb;\n\t\tover_time = p_voice->time;\n\t\treturn;\n\t}\n\n\t/* (here is treated a new overlay - '&') */\n\t/* create the extra voice if not done yet */\n\tif (!p_voice->last_sym) {\n\t\terror(1, s, txt_no_note);\n\t\treturn;\n\t}\n\tp_voice->last_sym->sflags |= S_BEAM_END;\n\tvoice2 = s->u.v_over.voice;\n\tp_voice2 = &voice_tb[voice2];\n\tif (parsys->voice[voice2].range < 0) {\n\t\tint clone;\n\n\t\tif (cfmt.abc2pscompat) {\n\t\t\terror(1, s, \"Cannot have %%%%abc2pscompat\");\n\t\t\tcfmt.abc2pscompat = 0;\n\t\t}\n\t\tclone = p_voice->clone >= 0;\n\t\tp_voice2->id[0] = '&';\n\t\tp_voice2->id[1] = '\\0';\n\t\tp_voice2->second = 1;\n\t\tparsys->voice[voice2].second = 1;\n\t\tp_voice2->scale = p_voice->scale;\n\t\tp_voice2->octave = p_voice->octave;\n\t\tp_voice2->transpose = p_voice->transpose;\n\t\tmemcpy(&p_voice2->key, &p_voice->key,\n\t\t\t\t\tsizeof 
p_voice2->key);\n\t\tmemcpy(&p_voice2->ckey, &p_voice->ckey,\n\t\t\t\t\tsizeof p_voice2->ckey);\n\t\tmemcpy(&p_voice2->okey, &p_voice->okey,\n\t\t\t\t\tsizeof p_voice2->okey);\n\t\tp_voice2->posit = p_voice->posit;\n\t\tp_voice2->staff = p_voice->staff;\n\t\tp_voice2->cstaff = p_voice->cstaff;\n\t\tp_voice2->color = p_voice->color;\n\t\tp_voice2->map_name = p_voice->map_name;\n\t\trange = parsys->voice[p_voice - voice_tb].range;\n\t\tfor (voice = 0; voice < MAXVOICE; voice++) {\n\t\t\tif (parsys->voice[voice].range > range)\n\t\t\t\tparsys->voice[voice].range += clone + 1;\n\t\t}\n\t\tparsys->voice[voice2].range = range + 1;\n\t\tvoice_link(p_voice2);\n\t\tif (clone) {\n\t\t\tfor (voice3 = MAXVOICE; --voice3 >= 0; ) {\n\t\t\t\tif (parsys->voice[voice3].range < 0)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (voice3 > 0) {\n\t\t\t\tp_voice3 = &voice_tb[voice3];\n\t\t\t\tstrcpy(p_voice3->id, p_voice2->id);\n\t\t\t\tp_voice3->second = 1;\n\t\t\t\tparsys->voice[voice3].second = 1;\n\t\t\t\tp_voice3->scale = voice_tb[p_voice->clone].scale;\n\t\t\t\tparsys->voice[voice3].range = range + 2;\n\t\t\t\tvoice_link(p_voice3);\n\t\t\t\tp_voice2->clone = voice3;\n\t\t\t} else {\n\t\t\t\terror(1, s,\n\t\t\t\t \"Too many voices for overlay cloning\");\n\t\t\t}\n\t\t}\n\t}\n\tvoice = p_voice - voice_tb;\n//\tp_voice2->cstaff = p_voice2->staff = parsys->voice[voice2].staff\n//\t\t\t= parsys->voice[voice].staff;\n//\tif ((voice3 = p_voice2->clone) >= 0) {\n//\t\tp_voice3 = &voice_tb[voice3];\n//\t\tp_voice3->cstaff = p_voice3->staff\n//\t\t\t\t= parsys->voice[voice3].staff\n//\t\t\t\t= parsys->voice[p_voice->clone].staff;\n//\t}\n\n\tif (over_time < 0) {\t\t\t/* first '&' in a measure */\n\t\tint time;\n\n\t\tover_bar = 1;\n\t\tover_mxtime = p_voice->time;\n\t\tover_voice = voice;\n\t\ttime = p_voice2->time;\n\t\tfor (s = p_voice->last_sym; /*s*/; s = s->prev) {\n\t\t\tif (s->type == BAR\n\t\t\t || s->time <= time)\t/* (if start of tune) */\n\t\t\t\tbreak;\n\t\t}\n\t\tover_time = 
s->time;\n\t} else {\n\t\tif (over_mxtime == 0)\n\t\t\tover_mxtime = p_voice->time;\n\t\telse if (p_voice->time != over_mxtime)\n\t\t\terror(1, s, tx_wrong_dur);\n\t}\n\tp_voice2->time = over_time;\n\tcurvoice = p_voice2;\n}", "project": "abcm2ps", "hash": 106849796852152645656287252191337327464, "size": 138, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,", "target": 0, "dataset": "other", "idx": 484351 }, { "func": "static void gch_build(struct SYMBOL *s)\n{\n\tstruct gch *gch;\n\tchar *p, *q, antype, sep;\n\tfloat w, h_ann, h_gch, y_above, y_below, y_left, y_right;\n\tfloat xspc;\n\tint l, ix, box, gch_place;\n\n\tif (s->posit.gch == SL_HIDDEN)\n\t\treturn;\n\ts->gch = getarena(sizeof *s->gch * MAXGCH);\n\tmemset(s->gch, 0, sizeof *s->gch * MAXGCH);\n\n\tif (curvoice->transpose != 0)\n\t\tgch_transpose(s);\n\tif (cfmt.capo)\n\t\tgch_capo(s);\n\n\t/* split the guitar chords / annotations\n\t * and initialize their vertical offsets */\n\tgch_place = s->posit.gch == SL_BELOW ? 
-1 : 1;\n\th_gch = cfmt.font_tb[cfmt.gcf].size;\n\th_ann = cfmt.font_tb[cfmt.anf].size;\n\ty_above = y_below = y_left = y_right = 0;\n\tbox = cfmt.gchordbox;\n\tp = s->text;\n\tgch = s->gch;\n\tsep = '\\n';\n\tantype = 'g';\t\t\t/* (compiler warning) */\n\tfor (;;) {\n\t\tif (sep != 'n' && strchr(\"^_<>@\", *p)) {\n\t\t\tgch->font = cfmt.anf;\n\t\t\tantype = *p++;\n\t\t\tif (antype == '@') {\n\t\t\t\tint n;\n\t\t\t\tfloat xo, yo;\n\n\t\t\t\tif (sscanf(p, \"%f,%f%n\", &xo, &yo, &n) != 2) {\n\t\t\t\t\terror(1, s, \"Error in annotation \\\"@\\\"\");\n\t\t\t\t} else {\n\t\t\t\t\tp += n;\n\t\t\t\t\tif (*p == ' ')\n\t\t\t\t\t\tp++;\n\t\t\t\t\tgch->x = xo;\n\t\t\t\t\tgch->y = yo;\n\t\t\t\t}\n\t\t\t}\n\t\t} else if (sep == '\\n') {\n\t\t\tgch->font = cfmt.gcf;\n\t\t\tgch->box = box;\n\t\t\tantype = 'g';\n\t\t} else {\n\t\t\tgch->font = (gch - 1)->font;\n\t\t\tgch->box = (gch - 1)->box;\n\t\t}\n\t\tgch->type = antype;\n\t\tswitch (antype) {\n\t\tdefault:\t\t\t\t/* guitar chord */\n\t\t\tif (gch_place < 0)\n\t\t\t\tbreak;\t\t\t/* below */\n\t\t\ty_above += h_gch;\n\t\t\tif (box)\n\t\t\t\ty_above += 2;\n\t\t\tbreak;\n\t\tcase '^':\t\t\t\t/* above */\n\t\t\ty_above += h_ann;\n\t\t\tbreak;\n\t\tcase '_':\t\t\t\t/* below */\n\t\t\tbreak;\n\t\tcase '<':\t\t\t\t/* left */\n\t\t\ty_left += h_ann * 0.5;\n\t\t\tbreak;\n\t\tcase '>':\t\t\t\t/* right */\n\t\t\ty_right += h_ann * 0.5;\n\t\t\tbreak;\n\t\tcase '@':\t\t\t\t/* absolute */\n\t\t\tif (gch->x == 0 && gch->y == 0\n\t\t\t && gch != s->gch\n\t\t\t && s->gch->type == '@') {\t/* if not 1st line */\n\t\t\t\tgch->x = (gch - 1)->x;\n\t\t\t\tgch->y = (gch - 1)->y - h_ann;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t\tgch->idx = p - s->text;\n\t\tfor (;;) {\n\t\t\tswitch (*p) {\n\t\t\tdefault:\n\t\t\t\tp++;\n\t\t\t\tcontinue;\n\t\t\tcase '\\\\':\n\t\t\t\tp++;\n\t\t\t\tif (*p == 'n') {\n\t\t\t\t\tp[-1] = '\\0';\n\t\t\t\t\tbreak;\t\t/* sep = 'n' */\n\t\t\t\t}\n\t\t\t\tp++;\n\t\t\t\tcontinue;\n\t\t\tcase '&':\t\t\t/* skip \"&xxx;\" */\n\t\t\t\tfor 
(;;) {\n\t\t\t\t\tswitch (*p) {\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tp++;\n\t\t\t\t\t\tcontinue;\n\t\t\t\t\tcase ';':\n\t\t\t\t\t\tp++;\n\t\t\t\t\tcase '\\0':\n\t\t\t\t\tcase '\\n':\n\t\t\t\t\tcase '\\\\':\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\tcase '\\0':\n\t\t\tcase ';':\n\t\t\tcase '\\n':\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t\tsep = *p;\n\t\tif (sep == '\\0')\n\t\t\tbreak;\n\t\t*p++ = '\\0';\n\t\tgch++;\n\t\tif (gch - s->gch >= MAXGCH) {\n\t\t\terror(1, s, \"Too many guitar chords / annotations\");\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t/* change the accidentals in the guitar chords */\n\tfor (ix = 0, gch = s->gch; ix < MAXGCH; ix++, gch++) {\n\t\tif (gch->type == '\\0')\n\t\t\tbreak;\n\t\tif (gch->type != 'g')\n\t\t\tcontinue;\n\t\tp = s->text + gch->idx;\n\t\tq = p;\n\t\tfor (; *p != '\\0'; p++) {\n\t\t\tswitch (*p) {\n\t\t\tcase '#':\n\t\t\tcase 'b':\n\t\t\tcase '=':\n\t\t\t\tif (p == q\t/* 1st char or after a slash */\n\t\t\t\t || (p != q + 1\t/* or invert '\\' behaviour */\n\t\t\t\t && p[-1] == '\\\\'))\n\t\t\t\t\tbreak;\n\n\t\t\t\t/* set the accidentals as unused utf-8 values\n\t\t\t\t * (see subs.c) */\n\t\t\t\tswitch (*p) {\n\t\t\t\tcase '#':\n\t\t\t\t\t*p = 0x01;\n\t\t\t\t\tbreak;\n\t\t\t\tcase 'b':\n\t\t\t\t\t*p = 0x02;\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n/*\t\t\t\tcase '=': */\n\t\t\t\t\t*p = 0x03;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (p[-1] == '\\\\') {\n\t\t\t\t\tp--;\n\t\t\t\t\tl = strlen(p);\n\t\t\t\t\tmemmove(p, p + 1, l);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase ' ':\n\t\t\tcase '/':\n\t\t\t\tq = p + 1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* set the offsets and widths */\n/*fixme:utf8*/\n\tfor (ix = 0, gch = s->gch; ix < MAXGCH; ix++, gch++) {\n\t\tif (gch->type == '\\0')\n\t\t\tbreak;\n\t\tif (gch->type == '@')\n\t\t\tcontinue;\t\t/* no width */\n\t\tp = s->text + gch->idx;\n\t\tstr_font(gch->font);\n\t\tw = tex_str(p);\n\t\tgch->w = w; // + 4;\n\t\tswitch (gch->type) {\n\t\tcase 
'_':\t\t\t/* below */\n\t\t\txspc = w * GCHPRE;\n\t\t\tif (xspc > 8)\n\t\t\t\txspc = 8;\n\t\t\tgch->x = -xspc;\n\t\t\ty_below -= h_ann;\n\t\t\tgch->y = y_below;\n\t\t\tbreak;\n\t\tcase '^':\t\t\t/* above */\n\t\t\txspc = w * GCHPRE;\n\t\t\tif (xspc > 8)\n\t\t\t\txspc = 8;\n\t\t\tgch->x = -xspc;\n\t\t\ty_above -= h_ann;\n\t\t\tgch->y = y_above;\n\t\t\tbreak;\n\t\tdefault:\t\t\t/* guitar chord */\n\t\t\txspc = w * GCHPRE;\n\t\t\tif (xspc > 8)\n\t\t\t\txspc = 8;\n\t\t\tgch->x = -xspc;\n\t\t\tif (gch_place < 0) {\t/* below */\n\t\t\t\ty_below -= h_gch;\n\t\t\t\tgch->y = y_below;\n\t\t\t\tif (box) {\n\t\t\t\t\ty_below -= 2;\n\t\t\t\t\tgch->y -= 1;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\ty_above -= h_gch;\n\t\t\t\tgch->y = y_above;\n\t\t\t\tif (box) {\n\t\t\t\t\ty_above -= 2;\n\t\t\t\t\tgch->y -= 1;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\tcase '<':\t\t/* left */\n\t\t\tgch->x = -(w + 6);\n\t\t\ty_left -= h_ann;\n\t\t\tgch->y = y_left;\n\t\t\tbreak;\n\t\tcase '>':\t\t/* right */\n\t\t\tgch->x = 6;\n\t\t\ty_right -= h_ann;\n\t\t\tgch->y = y_right;\n\t\t\tbreak;\n\t\t}\n\t}\n}", "project": "abcm2ps", "hash": 198904723762461782356983904298016550837, "size": 240, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,", "target": 0, "dataset": "other", "idx": 484347 }, { "func": "void do_tune(void)\n{\n\tstruct VOICE_S *p_voice;\n\tstruct SYMBOL *s, *s1, *s2;\n\tint i;\n\n\t/* initialize */\n\tlvlarena(0);\n\tnstaff = 0;\n\tstaves_found = -1;\n\tfor (i = 0; i < MAXVOICE; i++) {\n\t\tp_voice = &voice_tb[i];\n\t\ts1 = (struct SYMBOL *) getarena(sizeof *s1);\n\t\tmemset(s1, 0, sizeof *s1);\n\t\ts1->type = CLEF;\n\t\ts1->voice = i;\n\t\tif (cfmt.autoclef) {\n\t\t\ts1->u.clef.type = AUTOCLEF;\n\t\t\ts1->sflags = S_CLEF_AUTO;\n\t\t} else {\n\t\t\ts1->u.clef.type = TREBLE;\n\t\t}\n\t\ts1->u.clef.line = 2;\t\t/* treble clef on 2nd line */\n\t\tp_voice->s_clef = s1;\n\t\tp_voice->meter.wmeasure = 1;\t// 
M:none\n\t\tp_voice->wmeasure = 1;\n\t\tp_voice->scale = 1;\n\t\tp_voice->clone = -1;\n\t\tp_voice->over = -1;\n\t\tp_voice->posit = cfmt.posit;\n\t\tp_voice->stafflines = NULL;\n//\t\tp_voice->staffscale = 0;\n\t}\n\tcurvoice = first_voice = voice_tb;\n\treset_deco();\n\tabc2win = 0;\n\tclip_start.bar = -1;\n\tclip_end.bar = (short unsigned) ~0 >> 1;\n\n\tparsys = NULL;\n\tsystem_new();\t\t\t/* create the 1st staff system */\n\tparsys->top_voice = parsys->voice[0].range = 0;\t/* implicit voice */\n\n\tif (!epsf) {\n//fixme: 8.6.2\n#if 1\n// fixme: should already be 0\n\t\tuse_buffer = 0;\n#else\n\t\tif (cfmt.oneperpage) {\n\t\t\tuse_buffer = 0;\n\t\t\tclose_page();\n\t\t} else {\n\t\t\tif (in_page)\t\t// ??\n\t\t\t\tuse_buffer = cfmt.splittune != 1;\n\t\t}\n#endif\n\t} else {\n\t\tuse_buffer = 1;\n\t\tmarg_init();\n\t}\n\n\t/* set the duration of all notes/rests\n\t *\t(this is needed for tuplets and the feathered beams) */\n\tfor (s = parse.first_sym; s; s = s->abc_next) {\n\t\tswitch (s->abc_type) {\n\t\tcase ABC_T_EOLN:\n\t\t\tif (s->u.eoln.type == 2)\n\t\t\t\tabc2win = 1;\n\t\t\tbreak;\n\t\tcase ABC_T_NOTE:\n\t\tcase ABC_T_REST:\n\t\t\ts->dur = s->u.note.notes[0].len;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (voice_tb[0].id[0] == '\\0') {\t/* single voice */\n\t\tvoice_tb[0].id[0] = '1';\t/* implicit V:1 */\n\t\tvoice_tb[0].id[1] = '\\0';\n\t}\n\n\t/* scan the tune */\n\tfor (s = parse.first_sym; s; s = s->abc_next) {\n\t\tif (s->flags & ABC_F_LYRIC_START)\n\t\t\tcurvoice->lyric_start = curvoice->last_sym;\n\t\tswitch (s->abc_type) {\n\t\tcase ABC_T_INFO:\n\t\t\ts = get_info(s);\n\t\t\tbreak;\n\t\tcase ABC_T_PSCOM:\n\t\t\ts = process_pscomment(s);\n\t\t\tbreak;\n\t\tcase ABC_T_NOTE:\n\t\tcase ABC_T_REST:\n\t\t\tif (curvoice->space\n\t\t\t && !(s->flags & ABC_F_GRACE)) {\n\t\t\t\tcurvoice->space = 0;\n\t\t\t\ts->flags |= ABC_F_SPACE;\n\t\t\t}\n\t\t\tget_note(s);\n\t\t\tbreak;\n\t\tcase ABC_T_BAR:\n\t\t\tif 
(over_bar)\n\t\t\t\tget_over(s);\n\t\t\tget_bar(s);\n\t\t\tbreak;\n\t\tcase ABC_T_CLEF:\n\t\t\tget_clef(s);\n\t\t\tbreak;\n\t\tcase ABC_T_EOLN:\n\t\t\tif (cfmt.breakoneoln\n\t\t\t || (s->flags & ABC_F_SPACE))\n\t\t\t\tcurvoice->space = 1;\n\t\t\tif (cfmt.continueall || cfmt.barsperstaff\n\t\t\t || s->u.eoln.type == 1)\t/* if '\\' */\n\t\t\t\tcontinue;\n\t\t\tif (s->u.eoln.type == 0\t\t/* if normal eoln */\n\t\t\t && abc2win\n\t\t\t && parse.abc_vers != (2 << 16))\n\t\t\t\tcontinue;\n\t\t\tif (parsys->voice[curvoice - voice_tb].range == 0\n\t\t\t && curvoice->last_sym)\n\t\t\t\tcurvoice->last_sym->sflags |= S_EOLN;\n\t\t\tif (!cfmt.alignbars)\n\t\t\t\tcontinue;\t\t/* normal */\n\n\t\t\t/* align bars */\n\t\t\twhile (s->abc_next) {\t\t/* treat the lyrics */\n\t\t\t\tif (s->abc_next->abc_type != ABC_T_INFO)\n\t\t\t\t\tbreak;\n\t\t\t\tswitch (s->abc_next->text[0]) {\n\t\t\t\tcase 'w':\n\t\t\t\t\ts = get_info(s->abc_next);\n\t\t\t\t\tcontinue;\n\t\t\t\tcase 'd':\n\t\t\t\tcase 's':\n\t\t\t\t\ts = s->abc_next;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\ti = (curvoice - voice_tb) + 1;\n\t\t\tif (i < cfmt.alignbars) {\n\t\t\t\tcurvoice = &voice_tb[i];\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tgenerate();\n\t\t\tbuffer_eob(0);\n\t\t\tcurvoice = &voice_tb[0];\n\t\t\tcontinue;\n\t\tcase ABC_T_MREST: {\n\t\t\tint dur;\n\n\t\t\tdur = curvoice->wmeasure * s->u.bar.len;\n\t\t\tif (curvoice->second) {\n\t\t\t\tcurvoice->time += dur;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tsym_link(s, MREST);\n\t\t\ts->dur = dur;\n\t\t\tcurvoice->time += dur;\n\t\t\tif (s->text)\n\t\t\t\tgch_build(s);\t/* build the guitar chords */\n\t\t\tif (s->u.bar.dc.n > 0)\n\t\t\t\tdeco_cnv(&s->u.bar.dc, s, NULL);\n\t\t\tbreak;\n\t\t }\n\t\tcase ABC_T_MREP: {\n\t\t\tint n;\n\n\t\t\ts2 = curvoice->last_sym;\n\t\t\tif (!s2 || s2->type != BAR) {\n\t\t\t\terror(1, s,\n\t\t\t\t \"No bar before measure repeat\");\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (curvoice->ignore)\n\t\t\t\tbreak;\n\t\t\tn = 
s->u.bar.len;\n\t\t\tif (curvoice->second) {\n\t\t\t\tcurvoice->time += curvoice->wmeasure * n;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\ts2 = sym_add(curvoice, NOTEREST);\n\t\t\ts2->abc_type = ABC_T_REST;\n\t\t\ts2->flags |= ABC_F_INVIS;\n\t\t\ts2->dur = curvoice->wmeasure;\n\t\t\tcurvoice->time += s2->dur;\n\t\t\tif (n == 1) {\n\t\t\t\ts->abc_next->u.bar.len = n; /* in the next bar */\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\twhile (--n > 0) {\n\t\t\t\ts2 = sym_add(curvoice, BAR);\n\t\t\t\ts2->u.bar.type = B_SINGLE;\n\t\t\t\tif (n == s->u.bar.len - 1)\n\t\t\t\t\ts2->u.bar.len = s->u.bar.len;\n\t\t\t\ts2 = sym_add(curvoice, NOTEREST);\n\t\t\t\ts2->abc_type = ABC_T_REST;\n\t\t\t\ts2->flags |= ABC_F_INVIS;\n\t\t\t\ts2->dur = curvoice->wmeasure;\n\t\t\t\tcurvoice->time += s2->dur;\n\t\t\t}\n\t\t\tbreak;\n\t\t }\n\t\tcase ABC_T_V_OVER:\n\t\t\tget_over(s);\n\t\t\tcontinue;\n\t\tcase ABC_T_TUPLET:\n\t\t\tset_tuplet(s);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tcontinue;\n\t\t}\n\t\tif (s->type == 0)\n\t\t\tcontinue;\n\t\tif (curvoice->second)\n\t\t\ts->sflags |= S_SECOND;\n\t\tif (curvoice->floating)\n\t\t\ts->sflags |= S_FLOATING;\n\t}\n\n\tgen_ly(0);\n\tput_history();\n\tbuffer_eob(1);\n\tif (epsf) {\n\t\twrite_eps();\n\t} else {\n\t\twrite_buffer();\n//\t\tif (!cfmt.oneperpage && in_page)\n//\t\t\tuse_buffer = cfmt.splittune != 1;\n\t}\n\n\tif (info['X' - 'A']) {\n\t\tmemcpy(&cfmt, &dfmt, sizeof cfmt); /* restore global values */\n\t\tmemcpy(&info, &info_glob, sizeof info);\n\t\tmemcpy(deco, deco_glob, sizeof deco);\n\t\tmaps = maps_glob;\n\t\tinfo['X' - 'A'] = NULL;\n\t}\n\n\t/* free the parsing resources */\n\t{\n\t\tstruct brk_s *brk, *brk2;\n\n\t\tbrk = brks;\n\t\twhile (brk) {\n\t\t\tbrk2 = brk->next;\n\t\t\tfree(brk);\n\t\t\tbrk = brk2;\n\t\t}\n\t\tbrks = brk;\t\t/* (NULL) */\n\t}\n}", "project": "abcm2ps", "hash": 10286452578274153484723719583151117351, "size": 255, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice 
overlay\n\nIssue #83,", "target": 0, "dataset": "other", "idx": 484344 }, { "func": "static void gch_capo(struct SYMBOL *s)\n{\n\tchar *p = s->text, *q, *r;\n\tint i, l, li = 0;\n\tstatic const char *capo_txt = \" (capo: %d)\";\n\tstatic signed char cap_trans[] =\n\t\t{0, 5, -2, 3, -4, 1, -6, -1, 4, -3, 2, -5};\n\n\t// search the chord symbols\n\tfor (;;) {\n\t\tif (!strchr(\"^_<>@\", *p))\n\t\t\tbreak;\n\t\tp = strchr(p, '\\n');\n\t\tif (!p)\n\t\t\treturn;\n\t\tp++;\n\t}\n\n\t// add a capo chord symbol\n\ti = p - s->text;\n\tq = strchr(p + 1, '\\n');\n\tif (q)\n\t\tl = q - p;\n\telse\n\t\tl = strlen(p);\n\tif (!capo) {\n\t\tcapo = 1;\n\t\tli = strlen(capo_txt);\n\t}\n\tr = (char *) getarena(strlen(s->text) + l + li + 1);\n\ti += l;\n\tstrncpy(r, s->text, i);\t\t// annotations + chord symbol\n\tr[i++] = '\\n';\n\tstrncpy(r + i, p, l);\t\t// capo\n\tif (li) {\n\t\tsprintf(r + i + l, capo_txt, cfmt.capo);\n\t\tl += li;\n\t}\n\tif (q)\n\t\tstrcpy(r + i + l, q);\t// ending annotations\n\ts->text = r;\n\tgch_tr1(s, i, cap_trans[cfmt.capo % 12]);\n}", "project": "abcm2ps", "hash": 297571697935838391035188625332640156407, "size": 43, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,", "target": 0, "dataset": "other", "idx": 484342 }, { "func": "static void gch_transpose(struct SYMBOL *s)\n{\n\tint in_ch = 0;\n\tint i2 = curvoice->ckey.sf - curvoice->okey.sf;\n\tchar *o = s->text, *p = o;\n\n\t// search the chord symbols\n\tfor (;;) {\n\t\tif (in_ch || !strchr(\"^_<>@\", *p)) {\n\t\t\tgch_tr1(s, p - s->text, i2);\n\t\t\tp = s->text + (p - o);\n\t\t\to = s->text;\n\t\t\tfor (p++; *p; p++) {\n\t\t\t\tif (strchr(\"\\t;\\n\", *p))\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (!*p)\n\t\t\t\tbreak;\n\t\t\tswitch (*p) {\n\t\t\tcase '\\t':\n\t\t\t\tin_ch = 1;\n\t\t\t\tbreak;\n\t\t\tcase ';':\n\t\t\t\tin_ch = !strchr(\"^_<>@\", p[1]);\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tin_ch = 
0;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} else {\n\t\t\tp = strchr(p, '\\n');\n\t\t\tif (!p)\n\t\t\t\tbreak;\n\t\t}\n\t\tp++;\n\t}\n}", "project": "abcm2ps", "hash": 197089611282988920788858462297844536403, "size": 37, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,", "target": 0, "dataset": "other", "idx": 484350 }, { "func": "static void gch_tr1(struct SYMBOL *s, int i, int i2)\n{\n\tchar *p = &s->text[i],\n\t\t*q = p + 1,\n\t\t*new_txt;\n\tint l, latin;\n\tint n, a, i1, i3, i4;\n\tstatic const char note_names[] = \"CDEFGAB\";\n\tstatic const char *latin_names[7] =\n\t\t\t{ \"Do\", \"Ré\", \"Mi\", \"Fa\", \"Sol\", \"La\", \"Si\" };\n\tstatic const char *acc_name[5] = {\"bb\", \"b\", \"\", \"#\", \"##\"};\n\n\t/* main chord */\n\tlatin = 0;\n\tswitch (*p) {\n\tcase 'A':\n\tcase 'B':\n\t\tn = *p - 'A' + 5;\n\t\tbreak;\n\tcase 'C':\n\tcase 'E':\n\tcase 'G':\n\t\tn = *p - 'C';\n\t\tbreak;\n\tcase 'D':\n\t\tif (p[1] == 'o') {\n\t\t\tlatin++;\n\t\t\tn = 0;\t\t/* Do */\n\t\t\tbreak;\n\t\t}\n\t\tn = 1;\n\t\tbreak;\n\tcase 'F':\n\t\tif (p[1] == 'a')\n\t\t\tlatin++;\t/* Fa */\n\t\tn = 3;\n\t\tbreak;\n\tcase 'L':\n\t\tlatin++;\t\t/* La */\n\t\tn = 5;\n\t\tbreak;\n\tcase 'M':\n\t\tlatin++;\t\t/* Mi */\n\t\tn = 2;\n\t\tbreak;\n\tcase 'R':\n\t\tlatin++;\n\t\tif (p[1] != 'e')\n\t\t\tlatin++;\t/* Ré */\n\t\tn = 1;\t\t\t/* Re */\n\t\tbreak;\n\tcase 'S':\n\t\tlatin++;\n\t\tif (p[1] == 'o') {\n\t\t\tlatin++;\n\t\t\tn = 4;\t\t/* Sol */\n\t\t} else {\n\t\t\tn = 6;\t\t/* Si */\n\t\t}\n\t\tbreak;\n\tcase '/':\t\t\t// bass only\n\t\tlatin--;\n\t\tbreak;\n\tdefault:\n\t\treturn;\n\t}\n\tq += latin;\n\n\t/* allocate a new string */\n\tnew_txt = getarena(strlen(s->text) + 6);\n\tl = p - s->text;\n\tmemcpy(new_txt, s->text, l);\n\ts->text = new_txt;\n\tnew_txt += l;\n\tp = q;\n\n\tif (latin >= 0) {\t\t\t// if some chord\n\t\ta = 0;\n\t\twhile (*p == '#') {\n\t\t\ta++;\n\t\t\tp++;\n\t\t}\n\t\twhile (*p == 
'b') {\n\t\t\ta--;\n\t\t\tp++;\n\t\t}\n//\t\tif (*p == '=')\n//\t\t\tp++;\n\t\ti3 = cde2fcg[n] + i2 + a * 7;\n\t\ti4 = cgd2cde[(unsigned) ((i3 + 16 * 7) % 7)];\n\t\ti1 = ((i3 + 1 + 21) / 7 + 2 - 3 + 32 * 5) % 5;\n\t\t\t\t\t\t\t/* accidental */\n\t\tif (latin == 0)\n\t\t\t*new_txt++ = note_names[i4];\n\t\telse\n\t\t\tnew_txt += sprintf(new_txt, \"%s\", latin_names[i4]);\n\t\tnew_txt += sprintf(new_txt, \"%s\", acc_name[i1]);\n\t}\n\n\t/* bass */\n\twhile (*p != '\\0' && *p != '\\n' && *p != '/')\t// skip 'm'/'dim'..\n\t\t*new_txt++ = *p++;\n\tif (*p == '/') {\n\t\t*new_txt++ = *p++;\n//fixme: latin names not treated\n\t\tq = strchr(note_names, *p);\n\t\tif (q) {\n\t\t\tp++;\n\t\t\tn = q - note_names;\n\t\t\tif (*p == '#') {\n\t\t\t\ta = 1;\n\t\t\t\tp++;\n\t\t\t} else if (*p == 'b') {\n\t\t\t\ta = -1;\n\t\t\t\tp++;\n\t\t\t} else {\n\t\t\t\ta = 0;\n\t\t\t}\n\t\t\ti3 = cde2fcg[n] + i2 + a * 7;\n\t\t\ti4 = cgd2cde[(unsigned) ((i3 + 16 * 7) % 7)];\n\t\t\ti1 = ((i3 + 1 + 21) / 7 + 2 - 3 + 32 * 5) % 5;\n\t\t\t*new_txt++ = note_names[i4];\n\t\t\tnew_txt += sprintf(new_txt, \"%s\", acc_name[i1]);\n\t\t}\n\t}\n\tstrcpy(new_txt, p);\n}", "project": "abcm2ps", "hash": 224800842001487088171705246081088169612, "size": 127, "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3", "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,", "target": 0, "dataset": "other", "idx": 484345 } ] }, { "call_depth": 4, "longest_call_chain": [ "vgacon_blank", "vgacon_set_origin", "vga_set_mem_top", "write_vga" ], "group_size": 15, "functions": [ { "func": "static void vga_set_palette(struct vc_data *vc, const unsigned char *table)\n{\n\tint i, j;\n\n\tvga_w(vgastate.vgabase, VGA_PEL_MSK, 0xff);\n\tfor (i = j = 0; i < 16; i++) {\n\t\tvga_w(vgastate.vgabase, VGA_PEL_IW, table[i]);\n\t\tvga_w(vgastate.vgabase, VGA_PEL_D, vc->vc_palette[j++] >> 2);\n\t\tvga_w(vgastate.vgabase, VGA_PEL_D, vc->vc_palette[j++] >> 2);\n\t\tvga_w(vgastate.vgabase, VGA_PEL_D, 
vc->vc_palette[j++] >> 2);\n\t}\n}", "project": "linux", "hash": 69161396085857593232027150743840926718, "size": 12, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. 
And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380799 }, { "func": "static void vga_vesa_unblank(struct vgastate *state)\n{\n\t/* restore original values of VGA controller registers */\n\traw_spin_lock_irq(&vga_lock);\n\tvga_w(state->vgabase, VGA_MIS_W, vga_state.CrtMiscIO);\n\n\toutb_p(0x00, vga_video_port_reg);\t/* HorizontalTotal */\n\toutb_p(vga_state.HorizontalTotal, vga_video_port_val);\n\toutb_p(0x01, vga_video_port_reg);\t/* HorizDisplayEnd */\n\toutb_p(vga_state.HorizDisplayEnd, vga_video_port_val);\n\toutb_p(0x04, vga_video_port_reg);\t/* StartHorizRetrace */\n\toutb_p(vga_state.StartHorizRetrace, vga_video_port_val);\n\toutb_p(0x05, vga_video_port_reg);\t/* EndHorizRetrace */\n\toutb_p(vga_state.EndHorizRetrace, vga_video_port_val);\n\toutb_p(0x07, vga_video_port_reg);\t/* Overflow */\n\toutb_p(vga_state.Overflow, vga_video_port_val);\n\toutb_p(0x10, vga_video_port_reg);\t/* StartVertRetrace */\n\toutb_p(vga_state.StartVertRetrace, vga_video_port_val);\n\toutb_p(0x11, vga_video_port_reg);\t/* EndVertRetrace */\n\toutb_p(vga_state.EndVertRetrace, vga_video_port_val);\n\toutb_p(0x17, vga_video_port_reg);\t/* ModeControl */\n\toutb_p(vga_state.ModeControl, vga_video_port_val);\n\t/* ClockingMode */\n\tvga_wseq(state->vgabase, VGA_SEQ_CLOCK_MODE, vga_state.ClockingMode);\n\n\t/* restore index/control registers */\n\tvga_w(state->vgabase, VGA_SEQ_I, vga_state.SeqCtrlIndex);\n\toutb_p(vga_state.CrtCtrlIndex, vga_video_port_reg);\n\traw_spin_unlock_irq(&vga_lock);\n}", "project": "linux", "hash": 184406626081864079170054080672675019143, "size": 30, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", 
"message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380779 }, { "func": "static void vgacon_cursor(struct vc_data *c, int mode)\n{\n\tif (c->vc_mode != KD_TEXT)\n\t\treturn;\n\n\tvgacon_restore_screen(c);\n\n\tswitch (mode) {\n\tcase CM_ERASE:\n\t\twrite_vga(14, (c->vc_pos - vga_vram_base) / 2);\n\t if (vga_video_type >= VIDEO_TYPE_VGAC)\n\t\t\tvgacon_set_cursor_size(c->state.x, 31, 30);\n\t\telse\n\t\t\tvgacon_set_cursor_size(c->state.x, 31, 31);\n\t\tbreak;\n\n\tcase CM_MOVE:\n\tcase CM_DRAW:\n\t\twrite_vga(14, (c->vc_pos - vga_vram_base) / 2);\n\t\tswitch (CUR_SIZE(c->vc_cursor_type)) {\n\t\tcase CUR_UNDERLINE:\n\t\t\tvgacon_set_cursor_size(c->state.x,\n\t\t\t\t\t c->vc_font.height 
-\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 2 : 3),\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 1 : 2));\n\t\t\tbreak;\n\t\tcase CUR_TWO_THIRDS:\n\t\t\tvgacon_set_cursor_size(c->state.x,\n\t\t\t\t\t c->vc_font.height / 3,\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 1 : 2));\n\t\t\tbreak;\n\t\tcase CUR_LOWER_THIRD:\n\t\t\tvgacon_set_cursor_size(c->state.x,\n\t\t\t\t\t (c->vc_font.height * 2) / 3,\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 1 : 2));\n\t\t\tbreak;\n\t\tcase CUR_LOWER_HALF:\n\t\t\tvgacon_set_cursor_size(c->state.x,\n\t\t\t\t\t c->vc_font.height / 2,\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 1 : 2));\n\t\t\tbreak;\n\t\tcase CUR_NONE:\n\t\t\tif (vga_video_type >= VIDEO_TYPE_VGAC)\n\t\t\t\tvgacon_set_cursor_size(c->state.x, 31, 30);\n\t\t\telse\n\t\t\t\tvgacon_set_cursor_size(c->state.x, 31, 31);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tvgacon_set_cursor_size(c->state.x, 1,\n\t\t\t\t\t c->vc_font.height);\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 264369143806320210804445688532246786005, "size": 64, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. 
Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380777 }, { "func": "static void vgacon_set_palette(struct vc_data *vc, const unsigned char *table)\n{\n\tif (vga_video_type != VIDEO_TYPE_VGAC || vga_palette_blanked\n\t || !con_is_visible(vc))\n\t\treturn;\n\tvga_set_palette(vc, table);\n}", "project": "linux", "hash": 284953449934519854768778320975724655644, "size": 7, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. 
Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380801 }, { "func": "static void vgacon_scrolldelta(struct vc_data *c, int lines)\n{\n\tint start, end, count, soff;\n\n\tif (!lines) {\n\t\tvgacon_restore_screen(c);\n\t\treturn;\n\t}\n\n\tif (!vgacon_scrollback_cur->data)\n\t\treturn;\n\n\tif (!vgacon_scrollback_cur->save) {\n\t\tvgacon_cursor(c, CM_ERASE);\n\t\tvgacon_save_screen(c);\n\t\tc->vc_origin = (unsigned long)c->vc_screenbuf;\n\t\tvgacon_scrollback_cur->save = 1;\n\t}\n\n\tvgacon_scrollback_cur->restore = 0;\n\tstart = vgacon_scrollback_cur->cur + lines;\n\tend = start + abs(lines);\n\n\tif (start < 0)\n\t\tstart = 0;\n\n\tif (start > vgacon_scrollback_cur->cnt)\n\t\tstart = vgacon_scrollback_cur->cnt;\n\n\tif (end < 0)\n\t\tend = 0;\n\n\tif (end > vgacon_scrollback_cur->cnt)\n\t\tend = vgacon_scrollback_cur->cnt;\n\n\tvgacon_scrollback_cur->cur = start;\n\tcount = end - start;\n\tsoff = vgacon_scrollback_cur->tail -\n\t\t((vgacon_scrollback_cur->cnt - end) * c->vc_size_row);\n\tsoff -= count * c->vc_size_row;\n\n\tif (soff < 0)\n\t\tsoff += vgacon_scrollback_cur->size;\n\n\tcount = vgacon_scrollback_cur->cnt - start;\n\n\tif (count > 
c->vc_rows)\n\t\tcount = c->vc_rows;\n\n\tif (count) {\n\t\tint copysize;\n\n\t\tint diff = c->vc_rows - count;\n\t\tvoid *d = (void *) c->vc_visible_origin;\n\t\tvoid *s = (void *) c->vc_screenbuf;\n\n\t\tcount *= c->vc_size_row;\n\t\t/* how much memory to end of buffer left? */\n\t\tcopysize = min(count, vgacon_scrollback_cur->size - soff);\n\t\tscr_memcpyw(d, vgacon_scrollback_cur->data + soff, copysize);\n\t\td += copysize;\n\t\tcount -= copysize;\n\n\t\tif (count) {\n\t\t\tscr_memcpyw(d, vgacon_scrollback_cur->data, count);\n\t\t\td += count;\n\t\t}\n\n\t\tif (diff)\n\t\t\tscr_memcpyw(d, s, diff * c->vc_size_row);\n\t} else\n\t\tvgacon_cursor(c, CM_MOVE);\n}", "project": "linux", "hash": 64966259810882479597972966756653255745, "size": 73, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. 
And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 1, "dataset": "other", "idx": 206374 }, { "func": "static void vga_vesa_blank(struct vgastate *state, int mode)\n{\n\t/* save original values of VGA controller registers */\n\tif (!vga_vesa_blanked) {\n\t\traw_spin_lock_irq(&vga_lock);\n\t\tvga_state.SeqCtrlIndex = vga_r(state->vgabase, VGA_SEQ_I);\n\t\tvga_state.CrtCtrlIndex = inb_p(vga_video_port_reg);\n\t\tvga_state.CrtMiscIO = vga_r(state->vgabase, VGA_MIS_R);\n\t\traw_spin_unlock_irq(&vga_lock);\n\n\t\toutb_p(0x00, vga_video_port_reg);\t/* HorizontalTotal */\n\t\tvga_state.HorizontalTotal = inb_p(vga_video_port_val);\n\t\toutb_p(0x01, vga_video_port_reg);\t/* HorizDisplayEnd */\n\t\tvga_state.HorizDisplayEnd = inb_p(vga_video_port_val);\n\t\toutb_p(0x04, vga_video_port_reg);\t/* StartHorizRetrace */\n\t\tvga_state.StartHorizRetrace = inb_p(vga_video_port_val);\n\t\toutb_p(0x05, vga_video_port_reg);\t/* EndHorizRetrace */\n\t\tvga_state.EndHorizRetrace = inb_p(vga_video_port_val);\n\t\toutb_p(0x07, vga_video_port_reg);\t/* Overflow */\n\t\tvga_state.Overflow = inb_p(vga_video_port_val);\n\t\toutb_p(0x10, vga_video_port_reg);\t/* StartVertRetrace */\n\t\tvga_state.StartVertRetrace = inb_p(vga_video_port_val);\n\t\toutb_p(0x11, vga_video_port_reg);\t/* EndVertRetrace */\n\t\tvga_state.EndVertRetrace = inb_p(vga_video_port_val);\n\t\toutb_p(0x17, vga_video_port_reg);\t/* ModeControl */\n\t\tvga_state.ModeControl = inb_p(vga_video_port_val);\n\t\tvga_state.ClockingMode = vga_rseq(state->vgabase, VGA_SEQ_CLOCK_MODE);\n\t}\n\n\t/* assure that video is enabled */\n\t/* \"0x20\" is VIDEO_ENABLE_bit in register 01 of sequencer 
*/\n\traw_spin_lock_irq(&vga_lock);\n\tvga_wseq(state->vgabase, VGA_SEQ_CLOCK_MODE, vga_state.ClockingMode | 0x20);\n\n\t/* test for vertical retrace in process.... */\n\tif ((vga_state.CrtMiscIO & 0x80) == 0x80)\n\t\tvga_w(state->vgabase, VGA_MIS_W, vga_state.CrtMiscIO & 0xEF);\n\n\t/*\n\t * Set to minimum (0) and\n\t * to maximum (incl. overflow)\n\t * Result: turn off vertical sync (VSync) pulse.\n\t */\n\tif (mode & VESA_VSYNC_SUSPEND) {\n\t\toutb_p(0x10, vga_video_port_reg);\t/* StartVertRetrace */\n\t\toutb_p(0xff, vga_video_port_val);\t/* maximum value */\n\t\toutb_p(0x11, vga_video_port_reg);\t/* EndVertRetrace */\n\t\toutb_p(0x40, vga_video_port_val);\t/* minimum (bits 0..3) */\n\t\toutb_p(0x07, vga_video_port_reg);\t/* Overflow */\n\t\toutb_p(vga_state.Overflow | 0x84, vga_video_port_val);\t/* bits 9,10 of vert. retrace */\n\t}\n\n\tif (mode & VESA_HSYNC_SUSPEND) {\n\t\t/*\n\t\t * Set to minimum (0) and\n\t\t * to maximum\n\t\t * Result: turn off horizontal sync (HSync) pulse.\n\t\t */\n\t\toutb_p(0x04, vga_video_port_reg);\t/* StartHorizRetrace */\n\t\toutb_p(0xff, vga_video_port_val);\t/* maximum */\n\t\toutb_p(0x05, vga_video_port_reg);\t/* EndHorizRetrace */\n\t\toutb_p(0x00, vga_video_port_val);\t/* minimum (0) */\n\t}\n\n\t/* restore both index registers */\n\tvga_w(state->vgabase, VGA_SEQ_I, vga_state.SeqCtrlIndex);\n\toutb_p(vga_state.CrtCtrlIndex, vga_video_port_reg);\n\traw_spin_unlock_irq(&vga_lock);\n}", "project": "linux", "hash": 169205194386474999338498297236531359746, "size": 69, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this 
code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380793 }, { "func": "static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b,\n\t\tenum con_scroll dir, unsigned int lines)\n{\n\tunsigned long oldo;\n\tunsigned int delta;\n\n\tif (t || b != c->vc_rows || vga_is_gfx || c->vc_mode != KD_TEXT)\n\t\treturn false;\n\n\tif (!vga_hardscroll_enabled || lines >= c->vc_rows / 2)\n\t\treturn false;\n\n\tvgacon_restore_screen(c);\n\toldo = c->vc_origin;\n\tdelta = lines * c->vc_size_row;\n\tif (dir == SM_UP) {\n\t\tif (c->vc_scr_end + delta >= vga_vram_end) {\n\t\t\tscr_memcpyw((u16 *) vga_vram_base,\n\t\t\t\t (u16 *) (oldo + delta),\n\t\t\t\t c->vc_screenbuf_size - delta);\n\t\t\tc->vc_origin = vga_vram_base;\n\t\t\tvga_rolled_over = oldo - vga_vram_base;\n\t\t} else\n\t\t\tc->vc_origin += delta;\n\t\tscr_memsetw((u16 *) (c->vc_origin + c->vc_screenbuf_size -\n\t\t\t\t delta), c->vc_video_erase_char,\n\t\t\t delta);\n\t} else {\n\t\tif (oldo - delta < vga_vram_base) {\n\t\t\tscr_memmovew((u16 *) (vga_vram_end -\n\t\t\t\t\t c->vc_screenbuf_size +\n\t\t\t\t\t delta), (u16 *) 
oldo,\n\t\t\t\t c->vc_screenbuf_size - delta);\n\t\t\tc->vc_origin = vga_vram_end - c->vc_screenbuf_size;\n\t\t\tvga_rolled_over = 0;\n\t\t} else\n\t\t\tc->vc_origin -= delta;\n\t\tc->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;\n\t\tscr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char,\n\t\t\t delta);\n\t}\n\tc->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;\n\tc->vc_visible_origin = c->vc_origin;\n\tvga_set_mem_top(c);\n\tc->vc_pos = (c->vc_pos - oldo) + c->vc_origin;\n\treturn true;\n}", "project": "linux", "hash": 6422331725750285546258064518217604095, "size": 47, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. 
And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380794 }, { "func": "static void vgacon_set_cursor_size(int xpos, int from, int to)\n{\n\tunsigned long flags;\n\tint curs, cure;\n\n\tif ((from == cursor_size_lastfrom) && (to == cursor_size_lastto))\n\t\treturn;\n\tcursor_size_lastfrom = from;\n\tcursor_size_lastto = to;\n\n\traw_spin_lock_irqsave(&vga_lock, flags);\n\tif (vga_video_type >= VIDEO_TYPE_VGAC) {\n\t\toutb_p(VGA_CRTC_CURSOR_START, vga_video_port_reg);\n\t\tcurs = inb_p(vga_video_port_val);\n\t\toutb_p(VGA_CRTC_CURSOR_END, vga_video_port_reg);\n\t\tcure = inb_p(vga_video_port_val);\n\t} else {\n\t\tcurs = 0;\n\t\tcure = 0;\n\t}\n\n\tcurs = (curs & 0xc0) | from;\n\tcure = (cure & 0xe0) | to;\n\n\toutb_p(VGA_CRTC_CURSOR_START, vga_video_port_reg);\n\toutb_p(curs, vga_video_port_val);\n\toutb_p(VGA_CRTC_CURSOR_END, vga_video_port_reg);\n\toutb_p(cure, vga_video_port_val);\n\traw_spin_unlock_irqrestore(&vga_lock, flags);\n}", "project": "linux", "hash": 98023379548510040458660830909970450666, "size": 30, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. 
Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380789 }, { "func": "static int vgacon_blank(struct vc_data *c, int blank, int mode_switch)\n{\n\tswitch (blank) {\n\tcase 0:\t\t/* Unblank */\n\t\tif (vga_vesa_blanked) {\n\t\t\tvga_vesa_unblank(&vgastate);\n\t\t\tvga_vesa_blanked = 0;\n\t\t}\n\t\tif (vga_palette_blanked) {\n\t\t\tvga_set_palette(c, color_table);\n\t\t\tvga_palette_blanked = false;\n\t\t\treturn 0;\n\t\t}\n\t\tvga_is_gfx = false;\n\t\t/* Tell console.c that it has to restore the screen itself */\n\t\treturn 1;\n\tcase 1:\t\t/* Normal blanking */\n\tcase -1:\t/* Obsolete */\n\t\tif (!mode_switch && vga_video_type == VIDEO_TYPE_VGAC) {\n\t\t\tvga_pal_blank(&vgastate);\n\t\t\tvga_palette_blanked = true;\n\t\t\treturn 0;\n\t\t}\n\t\tvgacon_set_origin(c);\n\t\tscr_memsetw((void *) vga_vram_base, BLANK,\n\t\t\t c->vc_screenbuf_size);\n\t\tif (mode_switch)\n\t\t\tvga_is_gfx = true;\n\t\treturn 1;\n\tdefault:\t\t/* VESA blanking */\n\t\tif (vga_video_type == VIDEO_TYPE_VGAC) {\n\t\t\tvga_vesa_blank(&vgastate, blank - 1);\n\t\t\tvga_vesa_blanked = blank;\n\t\t}\n\t\treturn 0;\n\t}\n}", "project": "linux", "hash": 
313472742106039195020032312511805944801, "size": 37, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. 
And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380780 }, { "func": "static void vgacon_deinit(struct vc_data *c)\n{\n\t/* When closing the active console, reset video origin */\n\tif (con_is_visible(c)) {\n\t\tc->vc_visible_origin = vga_vram_base;\n\t\tvga_set_mem_top(c);\n\t}\n\n\tif (!--vgacon_refcount)\n\t\tcon_free_unimap(c);\n\tc->vc_uni_pagedir_loc = &c->vc_uni_pagedir;\n\tcon_set_default_unimap(c);\n}", "project": "linux", "hash": 233161550231503558770393112479094393957, "size": 13, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. 
And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380791 }, { "func": "static inline void write_vga(unsigned char reg, unsigned int val)\n{\n\tunsigned int v1, v2;\n\tunsigned long flags;\n\n\t/*\n\t * ddprintk might set the console position from interrupt\n\t * handlers, thus the write has to be IRQ-atomic.\n\t */\n\traw_spin_lock_irqsave(&vga_lock, flags);\n\tv1 = reg + (val & 0xff00);\n\tv2 = reg + 1 + ((val << 8) & 0xff00);\n\toutw(v1, vga_video_port_reg);\n\toutw(v2, vga_video_port_reg);\n\traw_spin_unlock_irqrestore(&vga_lock, flags);\n}", "project": "linux", "hash": 86666845087505016899583039047087987511, "size": 16, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. 
And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380804 }, { "func": "static inline void vga_set_mem_top(struct vc_data *c)\n{\n\twrite_vga(12, (c->vc_visible_origin - vga_vram_base) / 2);\n}", "project": "linux", "hash": 234695802227779534616768870462737489924, "size": 4, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. 
And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380785 }, { "func": "static int vgacon_set_origin(struct vc_data *c)\n{\n\tif (vga_is_gfx ||\t/* We don't play origin tricks in graphic modes */\n\t (console_blanked && !vga_palette_blanked))\t/* Nor we write to blanked screens */\n\t\treturn 0;\n\tc->vc_origin = c->vc_visible_origin = vga_vram_base;\n\tvga_set_mem_top(c);\n\tvga_rolled_over = 0;\n\treturn 1;\n}", "project": "linux", "hash": 76221709976647395378566495189091919731, "size": 10, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. 
And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380798 }, { "func": "static void vgacon_save_screen(struct vc_data *c)\n{\n\tstatic int vga_bootup_console = 0;\n\n\tif (!vga_bootup_console) {\n\t\t/* This is a gross hack, but here is the only place we can\n\t\t * set bootup console parameters without messing up generic\n\t\t * console initialization routines.\n\t\t */\n\t\tvga_bootup_console = 1;\n\t\tc->state.x = screen_info.orig_x;\n\t\tc->state.y = screen_info.orig_y;\n\t}\n\n\t/* We can't copy in more than the size of the video buffer,\n\t * or we'll be copying in VGA BIOS */\n\n\tif (!vga_is_gfx)\n\t\tscr_memcpyw((u16 *) c->vc_screenbuf, (u16 *) c->vc_origin,\n\t\t\t c->vc_screenbuf_size > vga_vram_size ? vga_vram_size : c->vc_screenbuf_size);\n}", "project": "linux", "hash": 119602094871467323630347578381677778314, "size": 21, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. 
Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380800 }, { "func": "static void vga_pal_blank(struct vgastate *state)\n{\n\tint i;\n\n\tvga_w(state->vgabase, VGA_PEL_MSK, 0xff);\n\tfor (i = 0; i < 16; i++) {\n\t\tvga_w(state->vgabase, VGA_PEL_IW, i);\n\t\tvga_w(state->vgabase, VGA_PEL_D, 0);\n\t\tvga_w(state->vgabase, VGA_PEL_D, 0);\n\t\tvga_w(state->vgabase, VGA_PEL_D, 0);\n\t}\n}", "project": "linux", "hash": 203400436583029701202633738517513553529, "size": 12, "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45", "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. 
Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop \nTested-by: Willy Tarreau \nCc: 张云海 \nAcked-by: Andy Lutomirski \nAcked-by: Willy Tarreau \nReviewed-by: Greg Kroah-Hartman \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 380778 } ] }, { "call_depth": 4, "longest_call_chain": [ "dissect_dvb_s2_modeadapt", "dissect_dvb_s2_bb", "dissect_dvb_s2_gse", "proto_tree_add_item" ], "group_size": 23, "functions": [ { "func": "static int dissect_dvb_s2_gse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)\n{\n int new_off = 0;\n int frag_len;\n guint16 gse_hdr, data_len, padding_len, gse_proto = 0;\n\n proto_item *ti;\n proto_item *ttf;\n proto_tree *dvb_s2_gse_tree, *dvb_s2_gse_ncr_tree;\n\n tvbuff_t *next_tvb, *data_tvb;\n gboolean dissected = FALSE;\n gboolean update_col_info = TRUE;\n\n static int * const gse_header_bitfields[] = {\n &hf_dvb_s2_gse_hdr_start,\n &hf_dvb_s2_gse_hdr_stop,\n &hf_dvb_s2_gse_hdr_labeltype,\n &hf_dvb_s2_gse_hdr_length,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_INFO, \" GSE\");\n\n /* get the GSE header */\n gse_hdr = tvb_get_ntohs(tvb, DVB_S2_GSE_OFFS_HDR);\n\n /* check if this is just padding, which takes up the rest of the frame */\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) &&\n BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS) &&\n BIT_IS_CLEAR(gse_hdr, 
DVB_S2_GSE_HDR_LABELTYPE_POS1) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n\n padding_len = tvb_reported_length(tvb);\n proto_tree_add_uint_format(tree, hf_dvb_s2_gse_padding, tvb, new_off, padding_len, padding_len,\n \"DVB-S2 GSE Padding, Length: %d\", padding_len);\n col_append_str(pinfo->cinfo, COL_INFO, \" pad\");\n new_off += padding_len;\n\n return new_off;\n } else {\n /* Not padding, parse as a GSE Header */\n new_off += 2;\n frag_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK)+2;\n ti = proto_tree_add_item(tree, proto_dvb_s2_gse, tvb, 0, frag_len, ENC_NA);\n dvb_s2_gse_tree = proto_item_add_subtree(ti, ett_dvb_s2_gse);\n\n proto_tree_add_bitmask_with_flags(dvb_s2_gse_tree, tvb, DVB_S2_GSE_OFFS_HDR, hf_dvb_s2_gse_hdr,\n ett_dvb_s2_gse_hdr, gse_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_TFS);\n\n /* Get the fragment ID for reassembly */\n guint8 fragid = tvb_get_guint8(tvb, new_off);\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) || BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n /* Not a start or end packet, add only the fragid */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_fragid, tvb, new_off, 1, ENC_BIG_ENDIAN);\n\n new_off += 1;\n }\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n /* Start packet, add the fragment size */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_totlength, tvb, new_off, 2, ENC_BIG_ENDIAN);\n col_append_str(pinfo->cinfo, COL_INFO, \"(frag) \");\n\n new_off += 2;\n }\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS)) {\n /* Start packet, decode the header */\n gse_proto = tvb_get_ntohs(tvb, new_off);\n\n /* Protocol Type */\n if (gse_proto <= 1535) {\n /* Type 1 (Next-Header Type field) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_proto_next_header, tvb, new_off, 2, ENC_BIG_ENDIAN);\n }\n else {\n /* Type 2 (EtherType compatible Type Fields) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_proto_ethertype, tvb, new_off, 
2, ENC_BIG_ENDIAN);\n }\n new_off += 2;\n\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n /* 6 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"6 \");\n\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_label6, tvb, new_off, 6, ENC_NA);\n\n new_off += 6;\n } else if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) &&\n BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n /* 3 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"3 \");\n\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_label3, tvb, new_off, 3, ENC_BIG_ENDIAN);\n\n new_off += 3;\n } else {\n /* 0 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"0 \");\n }\n if (gse_proto < 0x0600 && gse_proto >= 0x100) {\n /* Only display optional extension headers */\n /* TODO: needs to be tested */\n\n /* TODO: implementation needs to be checked (len of ext-header??) 
*/\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_exthdr, tvb, new_off, 1, ENC_BIG_ENDIAN);\n\n new_off += 1;\n }\n }\n else\n {\n /* correct cinfo */\n col_append_str(pinfo->cinfo, COL_INFO, \"(frag) \");\n }\n\n next_tvb = tvb_new_subset_remaining(tvb, new_off);\n\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n data_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK) - (new_off - DVB_S2_GSE_MINSIZE) - DVB_S2_GSE_CRC32_LEN;\n } else {\n data_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK) - (new_off - DVB_S2_GSE_MINSIZE);\n }\n\n data_tvb = NULL;\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) || BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n fragment_head *dvbs2_frag_head = NULL;\n int offset = new_off;\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS)) {\n offset -= 2; /* re-include GSE type in reassembled data */\n data_len += 2;\n }\n dvbs2_frag_head = fragment_add_seq_next(&dvbs2_reassembly_table, tvb, offset,\n pinfo, fragid, NULL, data_len, BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS));\n\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n dvbs2_frag_head = fragment_end_seq_next(&dvbs2_reassembly_table, pinfo, fragid, NULL);\n\n data_tvb = process_reassembled_data(tvb, new_off, pinfo, \"Reassembled DVB-S2\",\n dvbs2_frag_head, &dvbs2_frag_items, &update_col_info, tree);\n }\n\n if (data_tvb != NULL) {\n /* We have a reassembled packet. Extract the gse_proto from it. 
*/\n gse_proto = tvb_get_ntohs(data_tvb, 0);\n /* And then remove it from the reassembled data */\n data_tvb = tvb_new_subset_remaining(data_tvb, 2);\n } else {\n data_tvb = tvb_new_subset_length(tvb, new_off, data_len);\n }\n\n switch (gse_proto) {\n case ETHERTYPE_IP:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(ip_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case ETHERTYPE_IPv6:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(ipv6_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case ETHERTYPE_VLAN:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(eth_withoutfcs_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case DVB_RCS2_SIGNAL_TABLE:\n call_dissector(dvb_s2_table_handle, data_tvb, pinfo, tree);\n new_off += data_len;\n dissected = TRUE;\n break;\n\n case DVB_RCS2_NCR:\n ttf = proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_ncr, tvb, new_off, data_len, ENC_NA);\n dvb_s2_gse_ncr_tree = proto_item_add_subtree(ttf, ett_dvb_s2_gse_ncr);\n proto_tree_add_item(dvb_s2_gse_ncr_tree, hf_dvb_s2_gse_data, tvb, new_off, data_len, ENC_NA);\n new_off += data_len;\n dissected = TRUE;\n break;\n\n default:\n /* Not handled! TODO: expert info? 
*/\n break;\n }\n\n if (!dissected) {\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_data, tvb, new_off, data_len, ENC_NA);\n new_off += data_len;\n }\n\n /* add crc32 if last fragment */\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_crc32, tvb, new_off, DVB_S2_GSE_CRC32_LEN, ENC_BIG_ENDIAN);\n new_off += DVB_S2_GSE_CRC32_LEN;\n }\n }\n\n return new_off;\n}", "project": "wireshark", "hash": 332483595863232337377912983497727022384, "size": 210, "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.", "target": 0, "dataset": "other", "idx": 283347 }, { "func": "static int dissect_dvb_s2_gse(tvbuff_t *tvb, int cur_off, proto_tree *tree, packet_info *pinfo, int bytes_available)\n{\n int new_off = 0;\n int frag_len;\n guint16 gse_hdr, data_len, padding_len, gse_proto = 0;\n\n proto_item *ti;\n proto_item *ttf;\n proto_tree *dvb_s2_gse_tree, *dvb_s2_gse_ncr_tree;\n\n tvbuff_t *next_tvb, *data_tvb;\n gboolean dissected = FALSE;\n gboolean update_col_info = TRUE;\n\n static int * const gse_header_bitfields[] = {\n &hf_dvb_s2_gse_hdr_start,\n &hf_dvb_s2_gse_hdr_stop,\n &hf_dvb_s2_gse_hdr_labeltype,\n &hf_dvb_s2_gse_hdr_length,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_INFO, \" GSE\");\n\n /* get the GSE header */\n gse_hdr = tvb_get_ntohs(tvb, cur_off + DVB_S2_GSE_OFFS_HDR);\n\n /* check if this is just padding, which takes up the rest of the frame */\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) &&\n BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS) &&\n BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n\n 
padding_len = bytes_available;\n proto_tree_add_uint_format(tree, hf_dvb_s2_gse_padding, tvb, cur_off + new_off, padding_len, padding_len,\n \"DVB-S2 GSE Padding, Length: %d\", padding_len);\n col_append_str(pinfo->cinfo, COL_INFO, \" pad\");\n new_off += padding_len;\n\n return new_off;\n } else {\n /* Not padding, parse as a GSE Header */\n new_off += 2;\n frag_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK)+2;\n ti = proto_tree_add_item(tree, proto_dvb_s2_gse, tvb, cur_off, frag_len, ENC_NA);\n dvb_s2_gse_tree = proto_item_add_subtree(ti, ett_dvb_s2_gse);\n\n proto_tree_add_bitmask_with_flags(dvb_s2_gse_tree, tvb, cur_off + DVB_S2_GSE_OFFS_HDR, hf_dvb_s2_gse_hdr,\n ett_dvb_s2_gse_hdr, gse_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_TFS);\n\n /* Get the fragment ID for reassembly */\n guint8 fragid = tvb_get_guint8(tvb, cur_off + new_off);\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) || BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n /* Not a start or end packet, add only the fragid */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_fragid, tvb, cur_off + new_off, 1, ENC_BIG_ENDIAN);\n\n new_off += 1;\n }\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n /* Start packet, add the fragment size */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_totlength, tvb, cur_off + new_off, 2, ENC_BIG_ENDIAN);\n col_append_str(pinfo->cinfo, COL_INFO, \"(frag) \");\n\n new_off += 2;\n }\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS)) {\n /* Start packet, decode the header */\n gse_proto = tvb_get_ntohs(tvb, cur_off + new_off);\n\n /* Protocol Type */\n if (gse_proto <= 1535) {\n /* Type 1 (Next-Header Type field) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_proto_next_header, tvb, cur_off + new_off, 2, ENC_BIG_ENDIAN);\n }\n else {\n /* Type 2 (EtherType compatible Type Fields) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_proto_ethertype, tvb, cur_off + new_off, 2, 
ENC_BIG_ENDIAN);\n }\n new_off += 2;\n\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n /* 6 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"6 \");\n\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_label6, tvb, cur_off + new_off, 6, ENC_NA);\n\n new_off += 6;\n } else if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) &&\n BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n /* 3 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"3 \");\n\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_label3, tvb, cur_off + new_off, 3, ENC_BIG_ENDIAN);\n\n new_off += 3;\n } else {\n /* 0 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"0 \");\n }\n if (gse_proto < 0x0600 && gse_proto >= 0x100) {\n /* Only display optional extension headers */\n /* TODO: needs to be tested */\n\n /* TODO: implementation needs to be checked (len of ext-header??) 
*/\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_exthdr, tvb, cur_off + new_off, 1, ENC_BIG_ENDIAN);\n\n new_off += 1;\n }\n }\n else\n {\n /* correct cinfo */\n col_append_str(pinfo->cinfo, COL_INFO, \"(frag) \");\n }\n\n next_tvb = tvb_new_subset_remaining(tvb, cur_off + new_off);\n\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n data_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK) - (new_off - DVB_S2_GSE_MINSIZE) - DVB_S2_GSE_CRC32_LEN;\n } else {\n data_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK) - (new_off - DVB_S2_GSE_MINSIZE);\n }\n\n data_tvb = NULL;\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) || BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n fragment_head *dvbs2_frag_head = NULL;\n int offset = cur_off + new_off;\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS)) {\n offset -= 2; /* re-include GSE type in reassembled data */\n data_len += 2;\n }\n dvbs2_frag_head = fragment_add_seq_next(&dvbs2_reassembly_table, tvb, offset,\n pinfo, fragid, NULL, data_len, BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS));\n\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n dvbs2_frag_head = fragment_end_seq_next(&dvbs2_reassembly_table, pinfo, fragid, NULL);\n\n data_tvb = process_reassembled_data(tvb, cur_off + new_off, pinfo, \"Reassembled DVB-S2\",\n dvbs2_frag_head, &dvbs2_frag_items, &update_col_info, tree);\n }\n\n if (data_tvb != NULL) {\n /* We have a reassembled packet. Extract the gse_proto from it. 
*/\n gse_proto = tvb_get_ntohs(data_tvb, 0);\n /* And then remove it from the reassembled data */\n data_tvb = tvb_new_subset_remaining(data_tvb, 2);\n } else {\n data_tvb = tvb_new_subset_length(tvb, cur_off + new_off, data_len);\n }\n\n switch (gse_proto) {\n case ETHERTYPE_IP:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(ip_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case ETHERTYPE_IPv6:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(ipv6_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case ETHERTYPE_VLAN:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(eth_withoutfcs_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case DVB_RCS2_SIGNAL_TABLE:\n call_dissector(dvb_s2_table_handle, data_tvb, pinfo, tree);\n new_off += data_len;\n dissected = TRUE;\n break;\n\n case DVB_RCS2_NCR:\n ttf = proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_ncr, tvb, cur_off + new_off, data_len, ENC_NA);\n dvb_s2_gse_ncr_tree = proto_item_add_subtree(ttf, ett_dvb_s2_gse_ncr);\n proto_tree_add_item(dvb_s2_gse_ncr_tree, hf_dvb_s2_gse_data, tvb, cur_off + new_off, data_len, ENC_NA);\n new_off += data_len;\n dissected = TRUE;\n break;\n\n default:\n /* Not handled! TODO: expert info? 
*/\n break;\n }\n\n if (!dissected) {\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_data, tvb, cur_off + new_off, data_len, ENC_NA);\n new_off += data_len;\n }\n\n /* add crc32 if last fragment */\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_crc32, tvb, cur_off + new_off, DVB_S2_GSE_CRC32_LEN, ENC_BIG_ENDIAN);\n new_off += DVB_S2_GSE_CRC32_LEN;\n }\n }\n\n return new_off;\n}", "project": "wireshark", "hash": 239216512787203232815472442179418930376, "size": 210, "commit_id": "0d8be1fb797b3d65f1c2c204da76af8e8de6d3cc", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.\n\n\n(cherry picked from commit 0137c24d60934f131b25506a88c9464e4dc827de)", "target": 0, "dataset": "other", "idx": 475260 }, { "func": "mptcp_analysis_add_subflows(packet_info *pinfo _U_, tvbuff_t *tvb,\n proto_tree *parent_tree, struct mptcp_analysis* mptcpd)\n{\n wmem_list_frame_t *it;\n proto_tree *tree;\n proto_item *item;\n\n item=proto_tree_add_item(parent_tree, hf_mptcp_analysis_subflows, tvb, 0, 0, ENC_NA);\n PROTO_ITEM_SET_GENERATED(item);\n\n tree=proto_item_add_subtree(item, ett_mptcp_analysis_subflows);\n\n /* for the analysis, we set each subflow tcp stream id */\n for(it = wmem_list_head(mptcpd->subflows); it != NULL; it = wmem_list_frame_next(it)) {\n struct tcp_analysis *sf = (struct tcp_analysis *)wmem_list_frame_data(it);\n proto_item *subflow_item;\n subflow_item=proto_tree_add_uint(tree, hf_mptcp_analysis_subflows_stream_id, tvb, 0, 0, sf->stream);\n PROTO_ITEM_SET_HIDDEN(subflow_item);\n\n proto_item_append_text(item, \" %d\", sf->stream);\n }\n\n PROTO_ITEM_SET_GENERATED(item);\n}", "project": "wireshark", "hash": 
229540375069498975967414832924739189284, "size": 24, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385204 }, { "func": "static guint8 compute_crc8(tvbuff_t *p, guint8 len, guint8 offset)\n{\n int i;\n guint8 crc = 0, tmp;\n\n for (i = 0; i < len; i++) {\n tmp = tvb_get_guint8(p, offset++);\n crc = crc8_table[crc ^ tmp];\n }\n return crc;\n}", "project": "wireshark", "hash": 86277274294827179960284729000500653909, "size": 11, "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. 
Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.", "target": 0, "dataset": "other", "idx": 283345 }, { "func": "dissect_tcpopt_md5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_tree *field_tree;\n proto_item *item;\n proto_item *length_item;\n int offset = 0, optlen = tvb_reported_length(tvb);\n\n item = proto_tree_add_item(tree, proto_tcp_option_md5, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(item, ett_tcp_opt_md5);\n\n col_append_lstr(pinfo->cinfo, COL_INFO, \" MD5\", COL_ADD_LSTR_TERMINATOR);\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, optlen, TCPOLEN_MD5))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item(field_tree, hf_tcp_option_md5_digest, tvb,\n offset + 2, optlen - 2, ENC_NA);\n\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 229530356732808834061798770817848972068, "size": 24, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385186 }, { "func": "dnp3_append_2item_text(proto_item *item1, proto_item *item2, const gchar *text)\n{\n proto_item_append_text(item1, \"%s\", text);\n proto_item_append_text(item2, \"%s\", text);\n}", "project": "wireshark", "hash": 172275225429037143393024449344197922195, "size": 5, "commit_id": "618661b22e34a59b21117db723d8ff91e064d4ba", "message": "dnp: plug a memory leak.\n\nIf we're throwing away the data, *throw away the data* - free it, as\nwe're not using it as the backing data for a tvbuff.", "target": 0, "dataset": "other", "idx": 335505 }, { "func": "rvbd_probe_resp_add_info(proto_item *pitem, packet_info *pinfo, tvbuff_t *tvb, int ip_offset, guint16 port)\n{\n proto_item_append_text(pitem, \", Server Steelhead: %s:%u\", tvb_ip_to_str(tvb, ip_offset), port);\n\n col_prepend_fstr(pinfo->cinfo, COL_INFO, \"SA+, \");\n}", "project": "wireshark", "hash": 35361955294164077367943438059540926693, "size": 6, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385198 }, { "func": "static gboolean test_dvb_s2_crc(tvbuff_t *tvb, guint offset) {\n\n guint8 input8;\n\n /* only check BB Header and return */\n if (tvb_captured_length(tvb) < (offset + DVB_S2_BB_HEADER_LEN))\n return FALSE;\n\n input8 = tvb_get_guint8(tvb, offset + DVB_S2_BB_OFFS_CRC);\n\n if (compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, offset) != input8)\n return FALSE;\n else\n return TRUE;\n}", "project": "wireshark", "hash": 178223073981686552311440261799744038755, "size": 15, "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.", "target": 0, "dataset": "other", "idx": 283343 }, { "func": "print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tcp_tree, struct tcp_multisegment_pdu *msp)\n{\n proto_item *item;\n\n col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, \"[Continuation to #%u] \", msp->first_frame);\n item=proto_tree_add_uint(tcp_tree, hf_tcp_continuation_to,\n tvb, 0, 0, msp->first_frame);\n PROTO_ITEM_SET_GENERATED(item);\n}", "project": "wireshark", "hash": 317886403689526237342760239131645238935, "size": 9, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385185 }, { "func": "static int dissect_dvb_s2_bb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)\n{\n proto_item *ti;\n proto_tree *dvb_s2_bb_tree;\n\n guint8 input8, matype1;\n guint8 sync_flag = 0;\n guint16 input16, bb_data_len = 0, user_packet_length;\n\n int sub_dissected = 0, flag_is_ms = 0, new_off = 0;\n\n static int * const bb_header_bitfields[] = {\n &hf_dvb_s2_bb_matype1_gs,\n &hf_dvb_s2_bb_matype1_mis,\n &hf_dvb_s2_bb_matype1_acm,\n &hf_dvb_s2_bb_matype1_issyi,\n &hf_dvb_s2_bb_matype1_npd,\n &hf_dvb_s2_bb_matype1_low_ro,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_PROTOCOL, \"BB \");\n col_append_str(pinfo->cinfo, COL_INFO, \"Baseband \");\n\n /* create display subtree for the protocol */\n ti = proto_tree_add_item(tree, proto_dvb_s2_bb, tvb, 0, DVB_S2_BB_HEADER_LEN, ENC_NA);\n dvb_s2_bb_tree = proto_item_add_subtree(ti, ett_dvb_s2_bb);\n\n matype1 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE1);\n new_off += 1;\n\n if (BIT_IS_CLEAR(matype1, DVB_S2_BB_MIS_POS))\n flag_is_ms = 1;\n\n proto_tree_add_bitmask_with_flags(dvb_s2_bb_tree, tvb, DVB_S2_BB_OFFS_MATYPE1, hf_dvb_s2_bb_matype1,\n ett_dvb_s2_bb_matype1, bb_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n\n input8 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE1);\n\n if ((pinfo->fd->num == 1) && (_use_low_rolloff_value != 0)) {\n _use_low_rolloff_value = 0;\n }\n if (((input8 & 0x03) == 3) && !_use_low_rolloff_value) {\n _use_low_rolloff_value = 1;\n }\n if (_use_low_rolloff_value) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_low_ro, tvb,\n DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_high_ro, tvb,\n DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n }\n\n 
input8 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE2);\n new_off += 1;\n if (flag_is_ms) {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"Input Stream Identifier (ISI): %d\",\n input8);\n } else {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"reserved\");\n }\n\n user_packet_length = input16 = tvb_get_ntohs(tvb, DVB_S2_BB_OFFS_UPL);\n new_off += 2;\n\n proto_tree_add_uint_format(dvb_s2_bb_tree, hf_dvb_s2_bb_upl, tvb,\n DVB_S2_BB_OFFS_UPL, 2, input16, \"User Packet Length: %d bits (%d bytes)\",\n (guint16) input16, (guint16) input16 / 8);\n\n bb_data_len = input16 = tvb_get_ntohs(tvb, DVB_S2_BB_OFFS_DFL);\n bb_data_len /= 8;\n new_off += 2;\n\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_dfl, tvb,\n DVB_S2_BB_OFFS_DFL, 2, input16, \"%d bits (%d bytes)\", input16, input16 / 8);\n\n new_off += 1;\n sync_flag = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_SYNC);\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_sync, tvb, DVB_S2_BB_OFFS_SYNC, 1, ENC_BIG_ENDIAN);\n\n new_off += 2;\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_syncd, tvb, DVB_S2_BB_OFFS_SYNCD, 2, ENC_BIG_ENDIAN);\n\n new_off += 1;\n proto_tree_add_checksum(dvb_s2_bb_tree, tvb, DVB_S2_BB_OFFS_CRC, hf_dvb_s2_bb_crc, hf_dvb_s2_bb_crc_status, &ei_dvb_s2_bb_crc, pinfo,\n compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, 0), ENC_NA, PROTO_CHECKSUM_VERIFY);\n\n switch (matype1 & DVB_S2_BB_TSGS_MASK) {\n case DVB_S2_BB_TSGS_GENERIC_CONTINUOUS:\n /* Check GSE constraints on the BB header per 9.2.1 of ETSI TS 102 771 */\n if (BIT_IS_SET(matype1, DVB_S2_BB_ISSYI_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_issy_invalid);\n }\n if (BIT_IS_SET(matype1, DVB_S2_BB_NPD_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_npd_invalid);\n }\n if (user_packet_length != 0x0000) {\n expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_upl_invalid,\n \"UPL is 0x%04x. 
It must be 0x0000 for GSE packets.\", user_packet_length);\n }\n\n\n if (dvb_s2_df_dissection) {\n while (bb_data_len) {\n if (sync_flag == DVB_S2_BB_SYNC_EIP_CRC32 && bb_data_len == DVB_S2_BB_EIP_CRC32_LEN) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_eip_crc32, tvb, new_off, bb_data_len, ENC_NA);\n bb_data_len = 0;\n new_off += DVB_S2_BB_EIP_CRC32_LEN;\n } else {\n /* start DVB-GSE dissector */\n sub_dissected = dissect_dvb_s2_gse(tvb_new_subset_length(tvb, new_off, bb_data_len), pinfo, tree, NULL);\n new_off += sub_dissected;\n\n if ((sub_dissected <= bb_data_len) && (sub_dissected >= DVB_S2_GSE_MINSIZE)) {\n bb_data_len -= sub_dissected;\n if (bb_data_len < DVB_S2_GSE_MINSIZE)\n bb_data_len = 0;\n }\n }\n }\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_df, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n }\n break;\n\n case DVB_S2_BB_TSGS_GENERIC_PACKETIZED:\n proto_tree_add_item(tree, hf_dvb_s2_bb_packetized, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n case DVB_S2_BB_TSGS_TRANSPORT_STREAM:\n proto_tree_add_item(tree, hf_dvb_s2_bb_transport, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n default:\n proto_tree_add_item(tree, hf_dvb_s2_bb_reserved, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_reserved);\n break;\n }\n\n return new_off;\n}", "project": "wireshark", "hash": 210796043791253976716955079241114200072, "size": 147, "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. 
Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.", "target": 1, "dataset": "other", "idx": 198763 }, { "func": "static int dissect_dvb_s2_bb(tvbuff_t *tvb, int cur_off, proto_tree *tree, packet_info *pinfo)\n{\n proto_item *ti;\n proto_tree *dvb_s2_bb_tree;\n\n guint8 input8, matype1;\n guint8 sync_flag = 0;\n guint16 input16, bb_data_len = 0, user_packet_length;\n\n int sub_dissected = 0, flag_is_ms = 0, new_off = 0;\n\n static int * const bb_header_bitfields[] = {\n &hf_dvb_s2_bb_matype1_gs,\n &hf_dvb_s2_bb_matype1_mis,\n &hf_dvb_s2_bb_matype1_acm,\n &hf_dvb_s2_bb_matype1_issyi,\n &hf_dvb_s2_bb_matype1_npd,\n &hf_dvb_s2_bb_matype1_low_ro,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_PROTOCOL, \"BB \");\n col_append_str(pinfo->cinfo, COL_INFO, \"Baseband \");\n\n /* create display subtree for the protocol */\n ti = proto_tree_add_item(tree, proto_dvb_s2_bb, tvb, cur_off, DVB_S2_BB_HEADER_LEN, ENC_NA);\n dvb_s2_bb_tree = proto_item_add_subtree(ti, ett_dvb_s2_bb);\n\n matype1 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1);\n new_off += 1;\n\n if (BIT_IS_CLEAR(matype1, DVB_S2_BB_MIS_POS))\n flag_is_ms = 1;\n\n proto_tree_add_bitmask_with_flags(dvb_s2_bb_tree, tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1, hf_dvb_s2_bb_matype1,\n ett_dvb_s2_bb_matype1, bb_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n\n input8 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1);\n\n if ((pinfo->fd->num == 1) && (_use_low_rolloff_value != 0)) {\n _use_low_rolloff_value = 0;\n }\n if (((input8 & 0x03) == 3) && !_use_low_rolloff_value) {\n _use_low_rolloff_value = 1;\n }\n if (_use_low_rolloff_value) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_low_ro, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_high_ro, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n }\n\n input8 = tvb_get_guint8(tvb, cur_off + 
DVB_S2_BB_OFFS_MATYPE2);\n new_off += 1;\n if (flag_is_ms) {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"Input Stream Identifier (ISI): %d\",\n input8);\n } else {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"reserved\");\n }\n\n user_packet_length = input16 = tvb_get_ntohs(tvb, cur_off + DVB_S2_BB_OFFS_UPL);\n new_off += 2;\n\n proto_tree_add_uint_format(dvb_s2_bb_tree, hf_dvb_s2_bb_upl, tvb,\n cur_off + DVB_S2_BB_OFFS_UPL, 2, input16, \"User Packet Length: %d bits (%d bytes)\",\n (guint16) input16, (guint16) input16 / 8);\n\n bb_data_len = input16 = tvb_get_ntohs(tvb, cur_off + DVB_S2_BB_OFFS_DFL);\n bb_data_len /= 8;\n new_off += 2;\n\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_dfl, tvb,\n cur_off + DVB_S2_BB_OFFS_DFL, 2, input16, \"%d bits (%d bytes)\", input16, input16 / 8);\n\n new_off += 1;\n sync_flag = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_SYNC);\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_sync, tvb, cur_off + DVB_S2_BB_OFFS_SYNC, 1, ENC_BIG_ENDIAN);\n\n new_off += 2;\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_syncd, tvb, cur_off + DVB_S2_BB_OFFS_SYNCD, 2, ENC_BIG_ENDIAN);\n\n new_off += 1;\n proto_tree_add_checksum(dvb_s2_bb_tree, tvb, cur_off + DVB_S2_BB_OFFS_CRC, hf_dvb_s2_bb_crc, hf_dvb_s2_bb_crc_status, &ei_dvb_s2_bb_crc, pinfo,\n compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, cur_off), ENC_NA, PROTO_CHECKSUM_VERIFY);\n\n switch (matype1 & DVB_S2_BB_TSGS_MASK) {\n case DVB_S2_BB_TSGS_GENERIC_CONTINUOUS:\n /* Check GSE constraints on the BB header per 9.2.1 of ETSI TS 102 771 */\n if (BIT_IS_SET(matype1, DVB_S2_BB_ISSYI_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_issy_invalid);\n }\n if (BIT_IS_SET(matype1, DVB_S2_BB_NPD_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_npd_invalid);\n }\n if (user_packet_length != 0x0000) {\n 
expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_upl_invalid,\n \"UPL is 0x%04x. It must be 0x0000 for GSE packets.\", user_packet_length);\n }\n\n\n if (dvb_s2_df_dissection) {\n while (bb_data_len) {\n if (sync_flag == DVB_S2_BB_SYNC_EIP_CRC32 && bb_data_len == DVB_S2_BB_EIP_CRC32_LEN) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_eip_crc32, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n bb_data_len = 0;\n new_off += DVB_S2_BB_EIP_CRC32_LEN;\n } else {\n /* start DVB-GSE dissector */\n sub_dissected = dissect_dvb_s2_gse(tvb, cur_off + new_off, tree, pinfo, bb_data_len);\n new_off += sub_dissected;\n\n if ((sub_dissected <= bb_data_len) && (sub_dissected >= DVB_S2_GSE_MINSIZE)) {\n bb_data_len -= sub_dissected;\n if (bb_data_len < DVB_S2_GSE_MINSIZE)\n bb_data_len = 0;\n }\n }\n }\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_df, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n }\n break;\n\n case DVB_S2_BB_TSGS_GENERIC_PACKETIZED:\n proto_tree_add_item(tree, hf_dvb_s2_bb_packetized, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n case DVB_S2_BB_TSGS_TRANSPORT_STREAM:\n proto_tree_add_item(tree, hf_dvb_s2_bb_transport, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n default:\n proto_tree_add_item(tree, hf_dvb_s2_bb_reserved, tvb, cur_off + new_off,bb_data_len, ENC_NA);\n new_off += bb_data_len;\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_reserved);\n break;\n }\n\n return new_off;\n}", "project": "wireshark", "hash": 308318766763033510949212779797367389554, "size": 147, "commit_id": "0d8be1fb797b3d65f1c2c204da76af8e8de6d3cc", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. 
Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.\n\n\n(cherry picked from commit 0137c24d60934f131b25506a88c9464e4dc827de)", "target": 1, "dataset": "other", "idx": 214056 }, { "func": "static int dissect_dvb_s2_bb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)\n{\n proto_item *ti;\n proto_tree *dvb_s2_bb_tree;\n\n guint8 input8, matype1;\n guint8 sync_flag = 0;\n guint16 input16, bb_data_len = 0, user_packet_length;\n\n int sub_dissected = 0, flag_is_ms = 0, new_off = 0;\n\n static int * const bb_header_bitfields[] = {\n &hf_dvb_s2_bb_matype1_gs,\n &hf_dvb_s2_bb_matype1_mis,\n &hf_dvb_s2_bb_matype1_acm,\n &hf_dvb_s2_bb_matype1_issyi,\n &hf_dvb_s2_bb_matype1_npd,\n &hf_dvb_s2_bb_matype1_low_ro,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_PROTOCOL, \"BB \");\n col_append_str(pinfo->cinfo, COL_INFO, \"Baseband \");\n\n /* create display subtree for the protocol */\n ti = proto_tree_add_item(tree, proto_dvb_s2_bb, tvb, 0, DVB_S2_BB_HEADER_LEN, ENC_NA);\n dvb_s2_bb_tree = proto_item_add_subtree(ti, ett_dvb_s2_bb);\n\n matype1 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE1);\n new_off += 1;\n\n if (BIT_IS_CLEAR(matype1, DVB_S2_BB_MIS_POS))\n flag_is_ms = 1;\n\n proto_tree_add_bitmask_with_flags(dvb_s2_bb_tree, tvb, DVB_S2_BB_OFFS_MATYPE1, hf_dvb_s2_bb_matype1,\n ett_dvb_s2_bb_matype1, bb_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n\n input8 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE1);\n\n if ((pinfo->fd->num == 1) && (_use_low_rolloff_value != 0)) {\n _use_low_rolloff_value = 0;\n }\n if (((input8 & 0x03) == 3) && !_use_low_rolloff_value) {\n _use_low_rolloff_value = 1;\n }\n if (_use_low_rolloff_value) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_low_ro, tvb,\n DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_high_ro, tvb,\n DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n }\n\n input8 = tvb_get_guint8(tvb, 
DVB_S2_BB_OFFS_MATYPE2);\n new_off += 1;\n if (flag_is_ms) {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"Input Stream Identifier (ISI): %d\",\n input8);\n } else {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"reserved\");\n }\n\n user_packet_length = input16 = tvb_get_ntohs(tvb, DVB_S2_BB_OFFS_UPL);\n new_off += 2;\n\n proto_tree_add_uint_format(dvb_s2_bb_tree, hf_dvb_s2_bb_upl, tvb,\n DVB_S2_BB_OFFS_UPL, 2, input16, \"User Packet Length: %d bits (%d bytes)\",\n (guint16) input16, (guint16) input16 / 8);\n\n bb_data_len = input16 = tvb_get_ntohs(tvb, DVB_S2_BB_OFFS_DFL);\n bb_data_len /= 8;\n new_off += 2;\n\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_dfl, tvb,\n DVB_S2_BB_OFFS_DFL, 2, input16, \"%d bits (%d bytes)\", input16, input16 / 8);\n\n new_off += 1;\n sync_flag = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_SYNC);\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_sync, tvb, DVB_S2_BB_OFFS_SYNC, 1, ENC_BIG_ENDIAN);\n\n new_off += 2;\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_syncd, tvb, DVB_S2_BB_OFFS_SYNCD, 2, ENC_BIG_ENDIAN);\n\n new_off += 1;\n proto_tree_add_checksum(dvb_s2_bb_tree, tvb, DVB_S2_BB_OFFS_CRC, hf_dvb_s2_bb_crc, hf_dvb_s2_bb_crc_status, &ei_dvb_s2_bb_crc, pinfo,\n compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, 0), ENC_NA, PROTO_CHECKSUM_VERIFY);\n\n switch (matype1 & DVB_S2_BB_TSGS_MASK) {\n case DVB_S2_BB_TSGS_GENERIC_CONTINUOUS:\n /* Check GSE constraints on the BB header per 9.2.1 of ETSI TS 102 771 */\n if (BIT_IS_SET(matype1, DVB_S2_BB_ISSYI_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_issy_invalid);\n }\n if (BIT_IS_SET(matype1, DVB_S2_BB_NPD_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_npd_invalid);\n }\n if (user_packet_length != 0x0000) {\n expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_upl_invalid,\n \"UPL is 0x%04x. 
It must be 0x0000 for GSE packets.\", user_packet_length);\n }\n\n\n if (dvb_s2_df_dissection) {\n while (bb_data_len) {\n if (sync_flag == DVB_S2_BB_SYNC_EIP_CRC32 && bb_data_len == DVB_S2_BB_EIP_CRC32_LEN) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_eip_crc32, tvb, new_off, bb_data_len, ENC_NA);\n bb_data_len = 0;\n new_off += DVB_S2_BB_EIP_CRC32_LEN;\n } else {\n /* start DVB-GSE dissector */\n sub_dissected = dissect_dvb_s2_gse(tvb_new_subset_length(tvb, new_off, bb_data_len), pinfo, tree, NULL);\n new_off += sub_dissected;\n\n if ((sub_dissected <= bb_data_len) && (sub_dissected >= DVB_S2_GSE_MINSIZE)) {\n bb_data_len -= sub_dissected;\n if (bb_data_len < DVB_S2_GSE_MINSIZE)\n bb_data_len = 0;\n } else {\n bb_data_len = 0;\n }\n }\n }\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_df, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n }\n break;\n\n case DVB_S2_BB_TSGS_GENERIC_PACKETIZED:\n proto_tree_add_item(tree, hf_dvb_s2_bb_packetized, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n case DVB_S2_BB_TSGS_TRANSPORT_STREAM:\n proto_tree_add_item(tree, hf_dvb_s2_bb_transport, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n default:\n proto_tree_add_item(tree, hf_dvb_s2_bb_reserved, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_reserved);\n break;\n }\n\n return new_off;\n}", "project": "wireshark", "hash": 330364968381030963517562341505385463003, "size": 149, "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. 
Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.", "target": 0, "dataset": "other", "idx": 283344 }, { "func": "static int dissect_dvb_s2_bb(tvbuff_t *tvb, int cur_off, proto_tree *tree, packet_info *pinfo)\n{\n proto_item *ti;\n proto_tree *dvb_s2_bb_tree;\n\n guint8 input8, matype1;\n guint8 sync_flag = 0;\n guint16 input16, bb_data_len = 0, user_packet_length;\n\n int sub_dissected = 0, flag_is_ms = 0, new_off = 0;\n\n static int * const bb_header_bitfields[] = {\n &hf_dvb_s2_bb_matype1_gs,\n &hf_dvb_s2_bb_matype1_mis,\n &hf_dvb_s2_bb_matype1_acm,\n &hf_dvb_s2_bb_matype1_issyi,\n &hf_dvb_s2_bb_matype1_npd,\n &hf_dvb_s2_bb_matype1_low_ro,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_PROTOCOL, \"BB \");\n col_append_str(pinfo->cinfo, COL_INFO, \"Baseband \");\n\n /* create display subtree for the protocol */\n ti = proto_tree_add_item(tree, proto_dvb_s2_bb, tvb, cur_off, DVB_S2_BB_HEADER_LEN, ENC_NA);\n dvb_s2_bb_tree = proto_item_add_subtree(ti, ett_dvb_s2_bb);\n\n matype1 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1);\n new_off += 1;\n\n if (BIT_IS_CLEAR(matype1, DVB_S2_BB_MIS_POS))\n flag_is_ms = 1;\n\n proto_tree_add_bitmask_with_flags(dvb_s2_bb_tree, tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1, hf_dvb_s2_bb_matype1,\n ett_dvb_s2_bb_matype1, bb_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n\n input8 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1);\n\n if ((pinfo->fd->num == 1) && (_use_low_rolloff_value != 0)) {\n _use_low_rolloff_value = 0;\n }\n if (((input8 & 0x03) == 3) && !_use_low_rolloff_value) {\n _use_low_rolloff_value = 1;\n }\n if (_use_low_rolloff_value) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_low_ro, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_high_ro, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n }\n\n input8 = tvb_get_guint8(tvb, cur_off + 
DVB_S2_BB_OFFS_MATYPE2);\n new_off += 1;\n if (flag_is_ms) {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"Input Stream Identifier (ISI): %d\",\n input8);\n } else {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"reserved\");\n }\n\n user_packet_length = input16 = tvb_get_ntohs(tvb, cur_off + DVB_S2_BB_OFFS_UPL);\n new_off += 2;\n\n proto_tree_add_uint_format(dvb_s2_bb_tree, hf_dvb_s2_bb_upl, tvb,\n cur_off + DVB_S2_BB_OFFS_UPL, 2, input16, \"User Packet Length: %d bits (%d bytes)\",\n (guint16) input16, (guint16) input16 / 8);\n\n bb_data_len = input16 = tvb_get_ntohs(tvb, cur_off + DVB_S2_BB_OFFS_DFL);\n bb_data_len /= 8;\n new_off += 2;\n\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_dfl, tvb,\n cur_off + DVB_S2_BB_OFFS_DFL, 2, input16, \"%d bits (%d bytes)\", input16, input16 / 8);\n\n new_off += 1;\n sync_flag = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_SYNC);\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_sync, tvb, cur_off + DVB_S2_BB_OFFS_SYNC, 1, ENC_BIG_ENDIAN);\n\n new_off += 2;\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_syncd, tvb, cur_off + DVB_S2_BB_OFFS_SYNCD, 2, ENC_BIG_ENDIAN);\n\n new_off += 1;\n proto_tree_add_checksum(dvb_s2_bb_tree, tvb, cur_off + DVB_S2_BB_OFFS_CRC, hf_dvb_s2_bb_crc, hf_dvb_s2_bb_crc_status, &ei_dvb_s2_bb_crc, pinfo,\n compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, cur_off), ENC_NA, PROTO_CHECKSUM_VERIFY);\n\n switch (matype1 & DVB_S2_BB_TSGS_MASK) {\n case DVB_S2_BB_TSGS_GENERIC_CONTINUOUS:\n /* Check GSE constraints on the BB header per 9.2.1 of ETSI TS 102 771 */\n if (BIT_IS_SET(matype1, DVB_S2_BB_ISSYI_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_issy_invalid);\n }\n if (BIT_IS_SET(matype1, DVB_S2_BB_NPD_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_npd_invalid);\n }\n if (user_packet_length != 0x0000) {\n 
expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_upl_invalid,\n \"UPL is 0x%04x. It must be 0x0000 for GSE packets.\", user_packet_length);\n }\n\n\n if (dvb_s2_df_dissection) {\n while (bb_data_len) {\n if (sync_flag == DVB_S2_BB_SYNC_EIP_CRC32 && bb_data_len == DVB_S2_BB_EIP_CRC32_LEN) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_eip_crc32, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n bb_data_len = 0;\n new_off += DVB_S2_BB_EIP_CRC32_LEN;\n } else {\n /* start DVB-GSE dissector */\n sub_dissected = dissect_dvb_s2_gse(tvb, cur_off + new_off, tree, pinfo, bb_data_len);\n new_off += sub_dissected;\n\n if ((sub_dissected <= bb_data_len) && (sub_dissected >= DVB_S2_GSE_MINSIZE)) {\n bb_data_len -= sub_dissected;\n if (bb_data_len < DVB_S2_GSE_MINSIZE)\n bb_data_len = 0;\n } else {\n bb_data_len = 0;\n }\n }\n }\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_df, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n }\n break;\n\n case DVB_S2_BB_TSGS_GENERIC_PACKETIZED:\n proto_tree_add_item(tree, hf_dvb_s2_bb_packetized, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n case DVB_S2_BB_TSGS_TRANSPORT_STREAM:\n proto_tree_add_item(tree, hf_dvb_s2_bb_transport, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n default:\n proto_tree_add_item(tree, hf_dvb_s2_bb_reserved, tvb, cur_off + new_off,bb_data_len, ENC_NA);\n new_off += bb_data_len;\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_reserved);\n break;\n }\n\n return new_off;\n}", "project": "wireshark", "hash": 292878332668751229125261027041642584721, "size": 149, "commit_id": "0d8be1fb797b3d65f1c2c204da76af8e8de6d3cc", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. 
Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.\n\n\n(cherry picked from commit 0137c24d60934f131b25506a88c9464e4dc827de)", "target": 0, "dataset": "other", "idx": 475261 }, { "func": "dissect_tcpopt_mss(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n proto_item *length_item;\n int offset = 0;\n guint32 mss;\n\n item = proto_tree_add_item(tree, proto_tcp_option_mss, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_option_mss);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_MSS))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item_ret_uint(exp_tree, hf_tcp_option_mss_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN, &mss);\n proto_item_append_text(item, \": %u bytes\", mss);\n tcp_info_append_uint(pinfo, \"MSS\", mss);\n\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 232438216178225219490428027693659376926, "size": 23, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385178 }, { "func": "dissect_tcpopt_echo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_tree *field_tree;\n proto_item *item;\n proto_item *length_item;\n guint32 echo;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto_tcp_option_echo, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(item, ett_tcp_opt_echo);\n\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_ECHO))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item_ret_uint(field_tree, hf_tcp_option_echo, tvb,\n offset + 2, 4, ENC_BIG_ENDIAN, &echo);\n\n proto_item_append_text(item, \": %u\", echo);\n tcp_info_append_uint(pinfo, \"ECHO\", echo);\n\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 90281857778135584085831143555859834102, "size": 27, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385182 }, { "func": "dissect_tcpopt_cc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_tree *field_tree;\n proto_item *item;\n proto_item *length_item;\n int offset = 0;\n guint32 cc;\n\n item = proto_tree_add_item(tree, proto_tcp_option_cc, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(item, ett_tcp_opt_cc);\n\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_CC))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item_ret_uint(field_tree, hf_tcp_option_cc, tvb,\n offset + 2, 4, ENC_BIG_ENDIAN, &cc);\n\n tcp_info_append_uint(pinfo, \"CC\", cc);\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 310857710779264305685913829554533078653, "size": 25, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385190 }, { "func": "dissect_tcpopt_sack_perm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n proto_item *length_item;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto_tcp_option_sack_perm, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_option_sack_perm);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n\n tcp_info_append_uint(pinfo, \"SACK_PERM\", TRUE);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_SACK_PERM))\n return tvb_captured_length(tvb);\n\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 37583654037644651258534690389342268178, "size": 20, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385218 }, { "func": "dissect_tcpopt_user_to(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *tf;\n proto_tree *field_tree;\n proto_item *length_item;\n guint16 to;\n int offset = 0;\n\n tf = proto_tree_add_item(tree, proto_tcp_option_user_to, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(tf, ett_tcp_option_user_to);\n\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_USER_TO))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item(field_tree, hf_tcp_option_user_to_granularity, tvb, offset + 2, 2, ENC_BIG_ENDIAN);\n to = tvb_get_ntohs(tvb, offset + 2) & 0x7FFF;\n proto_tree_add_item(field_tree, hf_tcp_option_user_to_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN);\n\n tcp_info_append_uint(pinfo, \"USER_TO\", to);\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 57629197246312946152418648770168822844, "size": 26, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385222 }, { "func": "dissect_tcpopt_qs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_tree *field_tree;\n proto_item *item;\n proto_item *length_item;\n guint8 rate;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto_tcp_option_qs, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(item, ett_tcp_opt_qs);\n\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_QS))\n return tvb_captured_length(tvb);\n\n rate = tvb_get_guint8(tvb, offset + 2) & 0x0f;\n col_append_lstr(pinfo->cinfo, COL_INFO,\n \" QSresp=\", val_to_str_ext_const(rate, &qs_rate_vals_ext, \"Unknown\"),\n COL_ADD_LSTR_TERMINATOR);\n proto_tree_add_item(field_tree, hf_tcp_option_qs_rate, tvb,\n offset + 2, 1, ENC_BIG_ENDIAN);\n proto_tree_add_item(field_tree, hf_tcp_option_qs_ttl_diff, tvb,\n offset + 3, 1, ENC_BIG_ENDIAN);\n\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 102026317412875715497011472030359010166, "size": 30, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385229 }, { "func": "dissect_tcpopt_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n int offset = 0, optlen = tvb_reported_length(tvb);\n\n item = proto_tree_add_item(tree, proto_tcp_option_unknown, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_unknown_opt);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n if (optlen > 2)\n proto_tree_add_item(exp_tree, hf_tcp_option_unknown_payload, tvb, offset + 2, optlen - 2, ENC_NA);\n\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 59727358969455991189456479393865057491, "size": 16, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385240 }, { "func": "dissect_tcpopt_default_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto, int ett)\n{\n proto_item *item;\n proto_tree *exp_tree;\n proto_item *length_item;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), 2))\n return tvb_captured_length(tvb);\n\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 238363883239916033955174161570019592520, "size": 18, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385244 }, { "func": "dissect_tcpopt_tfo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto_tcp_option_tfo, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_option_exp);\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n\n dissect_tcpopt_tfo_payload(tvb, offset, tvb_reported_length(tvb), pinfo, exp_tree, data);\n return tvb_captured_length(tvb);\n}", "project": "wireshark", "hash": 27277478292117465627477490514233762438, "size": 14, "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753", "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. 
Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c", "target": 0, "dataset": "other", "idx": 385265 }, { "func": "static int dissect_dvb_s2_modeadapt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)\n{\n int cur_off = 0, modeadapt_len, modeadapt_type, matched_headers = 0;\n\n proto_item *ti, *tf;\n proto_tree *dvb_s2_modeadapt_tree;\n proto_tree *dvb_s2_modeadapt_acm_tree;\n\n unsigned int modcod, mc;\n static int * const modeadapt_acm_bitfields[] = {\n &hf_dvb_s2_modeadapt_acm_fecframe,\n &hf_dvb_s2_modeadapt_acm_pilot,\n &hf_dvb_s2_modeadapt_acm_modcod,\n NULL\n };\n\n /* Check that there's enough data */\n if (tvb_captured_length(tvb) < DVB_S2_MODEADAPT_MINSIZE)\n return 0;\n\n /* There are four different mode adaptation formats, with different\n length headers. Two of them have a sync byte at the beginning, but\n the other two do not. In every case, the mode adaptation header is\n followed by the baseband header, which is protected by a CRC-8.\n The CRC-8 is weak protection, so it can match by accident, leading\n to an ambiguity in identifying which format is in use. We will\n check for ambiguity and report it. */\n /* Try L.1 format: no header. 
*/\n if (test_dvb_s2_crc(tvb, DVB_S2_MODEADAPT_L1SIZE)) {\n matched_headers++;\n modeadapt_type = DVB_S2_MODEADAPT_TYPE_L1;\n modeadapt_len = DVB_S2_MODEADAPT_L1SIZE;\n }\n\n /* Try L.2 format: header includes sync byte */\n if ((tvb_get_guint8(tvb, DVB_S2_MODEADAPT_OFFS_SYNCBYTE) == DVB_S2_MODEADAPT_SYNCBYTE) &&\n test_dvb_s2_crc(tvb, DVB_S2_MODEADAPT_L2SIZE)) {\n matched_headers++;\n modeadapt_type = DVB_S2_MODEADAPT_TYPE_L2;\n modeadapt_len = DVB_S2_MODEADAPT_L2SIZE;\n }\n\n /* Try L.3 format: header includes sync byte */\n if ((tvb_get_guint8(tvb, DVB_S2_MODEADAPT_OFFS_SYNCBYTE) == DVB_S2_MODEADAPT_SYNCBYTE) &&\n test_dvb_s2_crc(tvb, DVB_S2_MODEADAPT_L3SIZE)) {\n matched_headers++;\n modeadapt_type = DVB_S2_MODEADAPT_TYPE_L3;\n modeadapt_len = DVB_S2_MODEADAPT_L3SIZE;\n }\n\n /* Try L.4 format: header does not include sync byte */\n if (test_dvb_s2_crc(tvb, DVB_S2_MODEADAPT_L4SIZE)) {\n matched_headers++;\n modeadapt_type = DVB_S2_MODEADAPT_TYPE_L4;\n modeadapt_len = DVB_S2_MODEADAPT_L4SIZE;\n }\n\n if (matched_headers == 0) {\n /* This does not look like a DVB-S2-BB frame at all. We are a\n heuristic dissector, so we should just punt and let another\n dissector have a try at this one. */\n return 0;\n }\n\n col_set_str(pinfo->cinfo, COL_PROTOCOL, \"DVB-S2 \");\n col_set_str(pinfo->cinfo, COL_INFO, \"DVB-S2 \");\n\n /* If there's a mode adaptation header, create display subtree for it */\n if (modeadapt_len > 0) {\n /* ti = proto_tree_add_item(tree, proto_dvb_s2_modeadapt, tvb, 0, modeadapt_len, ENC_NA); */\n ti = proto_tree_add_protocol_format(tree, proto_dvb_s2_modeadapt, tvb, 0, modeadapt_len,\n \"DVB-S2 Mode Adaptation Header L.%d\", modeadapt_type);\n dvb_s2_modeadapt_tree = proto_item_add_subtree(ti, ett_dvb_s2_modeadapt);\n\n if (matched_headers > 1) {\n expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_header_ambiguous,\n \"Mode adaptation header format is ambiguous. 
Assuming L.%d\", modeadapt_type);\n }\n\n /* SYNC byte if used in this header format; value has already been checked */\n if (modeadapt_type == DVB_S2_MODEADAPT_TYPE_L2 ||\n modeadapt_type == DVB_S2_MODEADAPT_TYPE_L3) {\n proto_tree_add_item(dvb_s2_modeadapt_tree, hf_dvb_s2_modeadapt_sync, tvb, cur_off, 1, ENC_BIG_ENDIAN);\n cur_off++;\n }\n\n /* ACM byte and subfields if used in this header format */\n if (modeadapt_type == DVB_S2_MODEADAPT_TYPE_L2 ||\n modeadapt_type == DVB_S2_MODEADAPT_TYPE_L3 ||\n modeadapt_type == DVB_S2_MODEADAPT_TYPE_L4) {\n mc = tvb_get_guint8(tvb, 1);\n //mc = tvb_get_letohs(tvb, 0);\n if (mc & 0x80) {\n modcod = 0x80;\n modcod |= ((mc & 0x1F) << 2);\n modcod |= ((mc & 0x40) >> 5);\n tf = proto_tree_add_item(dvb_s2_modeadapt_tree, hf_dvb_s2_modeadapt_acm, tvb,\n DVB_S2_MODEADAPT_OFFS_ACMBYTE, 1, ENC_BIG_ENDIAN);\n\n dvb_s2_modeadapt_acm_tree = proto_item_add_subtree(tf, ett_dvb_s2_modeadapt_acm);\n\n proto_tree_add_item(dvb_s2_modeadapt_acm_tree, hf_dvb_s2_modeadapt_acm_pilot, tvb,\n DVB_S2_MODEADAPT_OFFS_ACMBYTE, 1, ENC_BIG_ENDIAN);\n proto_tree_add_uint_format_value(dvb_s2_modeadapt_acm_tree, hf_dvb_s2_modeadapt_acm_modcod_s2x, tvb,\n DVB_S2_MODEADAPT_OFFS_ACMBYTE, 1, mc, \"DVBS2X %s(%d)\", modeadapt_modcods[modcod].strptr, modcod);\n } else {\n proto_tree_add_bitmask_with_flags(dvb_s2_modeadapt_tree, tvb, DVB_S2_MODEADAPT_OFFS_ACMBYTE, hf_dvb_s2_modeadapt_acm,\n ett_dvb_s2_modeadapt_acm, modeadapt_acm_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n }\n cur_off++;\n }\n\n /* CNI and Frame No if used in this header format */\n if (modeadapt_type == DVB_S2_MODEADAPT_TYPE_L3 ||\n modeadapt_type == DVB_S2_MODEADAPT_TYPE_L4) {\n proto_tree_add_item(dvb_s2_modeadapt_tree, hf_dvb_s2_modeadapt_cni, tvb, cur_off, 1, ENC_BIG_ENDIAN);\n cur_off++;\n\n proto_tree_add_item(dvb_s2_modeadapt_tree, hf_dvb_s2_modeadapt_frameno, tvb, cur_off, 1, ENC_BIG_ENDIAN);\n cur_off++;\n }\n }\n\n /* start DVB-BB dissector */\n cur_off += 
dissect_dvb_s2_bb(tvb_new_subset_remaining(tvb, cur_off), pinfo, tree, NULL);\n\n return cur_off;\n}", "project": "wireshark", "hash": 242884105123716874533443846056283316493, "size": 128, "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de", "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.", "target": 0, "dataset": "other", "idx": 283342 } ] }, { "call_depth": 4, "longest_call_chain": [ "find_impl", "xmlXPathEval", "xmlXPathEvalExpr", "xmlXPathOptimizeExpression" ], "group_size": 8, "functions": [ { "func": " */\nxmlXPathObjectPtr\nxmlXPathEval(const xmlChar *str, xmlXPathContextPtr ctx) {\n xmlXPathParserContextPtr ctxt;\n xmlXPathObjectPtr res;\n\n CHECK_CTXT(ctx)\n\n xmlXPathInit();\n\n ctxt = xmlXPathNewParserContext(str, ctx);\n if (ctxt == NULL)\n return NULL;\n xmlXPathEvalExpr(ctxt);\n\n if (ctxt->error != XPATH_EXPRESSION_OK) {\n\tres = NULL;\n } else {\n\tres = valuePop(ctxt);\n if (res == NULL) {\n xmlGenericError(xmlGenericErrorContext,\n \"xmlXPathCompiledEval: No result on the stack.\\n\");\n } else if (ctxt->valueNr > 0) {\n xmlGenericError(xmlGenericErrorContext,\n \"xmlXPathCompiledEval: %d object(s) left on the stack.\\n\",\n ctxt->valueNr);\n }\n }\n\n xmlXPathFreeParserContext(ctxt);", "project": "libxml2", "hash": 15397346949911455492662650263481010792, "size": 30, "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73", "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. 
Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.", "target": 0, "dataset": "other", "idx": 385350 }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 1, "func": "static XMLSharedNodeList* find_impl(xmlXPathContext* ctxt, const string& xpath)\n{\n\txmlXPathObject* result = xmlXPathEval((const xmlChar*)xpath.c_str(), ctxt);\n\n\tif (!result) {\n\t\txmlXPathFreeContext(ctxt);\n\t\txmlFreeDoc(ctxt->doc);\n\n\t\tthrow XMLException(\"Invalid XPath: \" + xpath);\n\t}\n\n\tif (result->type != XPATH_NODESET) {\n\t\txmlXPathFreeObject(result);\n\t\txmlXPathFreeContext(ctxt);\n\t\txmlFreeDoc(ctxt->doc);\n\n\t\tthrow XMLException(\"Only nodeset result types are supported.\");\n\t}\n\n\txmlNodeSet* nodeset = result->nodesetval;\n\tXMLSharedNodeList* nodes = new XMLSharedNodeList();\n\tif (nodeset) {\n\t\tfor (int i = 0; i < nodeset->nodeNr; ++i) {\n\t\t\tXMLNode* node = readnode(nodeset->nodeTab[i]);\n\t\t\tnodes->push_back(boost::shared_ptr(node));\n\t\t}\n\t} else {\n\t\t// return empty set\n\t}\n\n\txmlXPathFreeObject(result);\n\n\treturn nodes;\n}", "idx": 217254, "cwe": "CWE-416", "hash": 54268186819182218721269174810414224706, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "static XMLSharedNodeList* find_impl(xmlXPathContext* ctxt, const string& xpath)\n{\n\txmlXPathObject* result = xmlXPathEval((const xmlChar*)xpath.c_str(), ctxt);\n\n\tif (!result) {\n\t\txmlFreeDoc(ctxt->doc);\n\t\txmlXPathFreeContext(ctxt);\n\n\t\tthrow XMLException(\"Invalid XPath: \" + xpath);\n\t}\n\n\tif (result->type != XPATH_NODESET) {\n\t\txmlXPathFreeObject(result);\n\t\txmlFreeDoc(ctxt->doc);\n\t\txmlXPathFreeContext(ctxt);\n\n\t\tthrow XMLException(\"Only nodeset result types are supported.\");\n\t}\n\n\txmlNodeSet* nodeset = result->nodesetval;\n\tXMLSharedNodeList* nodes = new XMLSharedNodeList();\n\tif 
(nodeset) {\n\t\tfor (int i = 0; i < nodeset->nodeNr; ++i) {\n\t\t\tXMLNode* node = readnode(nodeset->nodeTab[i]);\n\t\t\tnodes->push_back(boost::shared_ptr(node));\n\t\t}\n\t} else {\n\t\t// return empty set\n\t}\n\n\txmlXPathFreeObject(result);\n\n\treturn nodes;\n}", "idx": 519644, "cwe": "CWE-416", "hash": 16148318620035569612064845448555816656, "dataset": "other" }, { "func": "\nstatic void\nxmlXPathOptimizeExpression(xmlXPathCompExprPtr comp, xmlXPathStepOpPtr op)\n{\n /*\n * Try to rewrite \"descendant-or-self::node()/foo\" to an optimized\n * internal representation.\n */\n\n if ((op->op == XPATH_OP_COLLECT /* 11 */) &&\n (op->ch1 != -1) &&\n (op->ch2 == -1 /* no predicate */))\n {\n xmlXPathStepOpPtr prevop = &comp->steps[op->ch1];\n\n if ((prevop->op == XPATH_OP_COLLECT /* 11 */) &&\n ((xmlXPathAxisVal) prevop->value ==\n AXIS_DESCENDANT_OR_SELF) &&\n (prevop->ch2 == -1) &&\n ((xmlXPathTestVal) prevop->value2 == NODE_TEST_TYPE) &&\n ((xmlXPathTypeVal) prevop->value3 == NODE_TYPE_NODE))\n {\n /*\n * This is a \"descendant-or-self::node()\" without predicates.\n * Try to eliminate it.\n */\n\n switch ((xmlXPathAxisVal) op->value) {\n case AXIS_CHILD:\n case AXIS_DESCENDANT:\n /*\n * Convert \"descendant-or-self::node()/child::\" or\n * \"descendant-or-self::node()/descendant::\" to\n * \"descendant::\"\n */\n op->ch1 = prevop->ch1;\n op->value = AXIS_DESCENDANT;\n break;\n case AXIS_SELF:\n case AXIS_DESCENDANT_OR_SELF:\n /*\n * Convert \"descendant-or-self::node()/self::\" or\n * \"descendant-or-self::node()/descendant-or-self::\" to\n * to \"descendant-or-self::\"\n */\n op->ch1 = prevop->ch1;\n op->value = AXIS_DESCENDANT_OR_SELF;\n break;\n default:\n break;\n }\n\t}\n }\n\n /* OP_VALUE has invalid ch1. 
*/\n if (op->op == XPATH_OP_VALUE)\n return;\n\n /* Recurse */\n if (op->ch1 != -1)\n xmlXPathOptimizeExpression(comp, &comp->steps[op->ch1]);\n if (op->ch2 != -1)", "project": "libxml2", "hash": 217837651282250935525823086582739608231, "size": 62, "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73", "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.", "target": 0, "dataset": "other", "idx": 385372 }, { "func": " */\nstatic int\nxmlXPathCompiledEvalInternal(xmlXPathCompExprPtr comp,\n\t\t\t xmlXPathContextPtr ctxt,\n\t\t\t xmlXPathObjectPtr *resObjPtr,\n\t\t\t int toBool)\n{\n xmlXPathParserContextPtr pctxt;\n xmlXPathObjectPtr resObj;\n#ifndef LIBXML_THREAD_ENABLED\n static int reentance = 0;\n#endif\n int res;\n\n CHECK_CTXT_NEG(ctxt)\n\n if (comp == NULL)\n\treturn(-1);\n xmlXPathInit();\n\n#ifndef LIBXML_THREAD_ENABLED\n reentance++;\n if (reentance > 1)\n\txmlXPathDisableOptimizer = 1;\n#endif\n\n#ifdef DEBUG_EVAL_COUNTS\n comp->nb++;\n if ((comp->string != NULL) && (comp->nb > 100)) {\n\tfprintf(stderr, \"100 x %s\\n\", comp->string);\n\tcomp->nb = 0;\n }\n#endif\n pctxt = xmlXPathCompParserContext(comp, ctxt);\n res = xmlXPathRunEval(pctxt, toBool);\n\n if (pctxt->error != XPATH_EXPRESSION_OK) {\n resObj = NULL;\n } else {\n resObj = valuePop(pctxt);\n if (resObj == NULL) {\n if (!toBool)\n xmlGenericError(xmlGenericErrorContext,\n \"xmlXPathCompiledEval: No result on the stack.\\n\");\n } else if (pctxt->valueNr > 0) {\n xmlGenericError(xmlGenericErrorContext,\n \"xmlXPathCompiledEval: %d object(s) left on the stack.\\n\",\n pctxt->valueNr);\n }\n }\n\n if (resObjPtr)\n *resObjPtr = resObj;\n else\n xmlXPathReleaseObject(ctxt, resObj);\n\n pctxt->comp = NULL;\n 
xmlXPathFreeParserContext(pctxt);\n#ifndef LIBXML_THREAD_ENABLED\n reentance--;\n#endif\n", "project": "libxml2", "hash": 23977613311806536704883727357632897099, "size": 62, "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73", "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.", "target": 0, "dataset": "other", "idx": 385366 }, { "func": " */\nxmlXPathCompExprPtr\nxmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {\n xmlXPathParserContextPtr pctxt;\n xmlXPathCompExprPtr comp;\n\n#ifdef XPATH_STREAMING\n comp = xmlXPathTryStreamCompile(ctxt, str);\n if (comp != NULL)\n return(comp);\n#endif\n\n xmlXPathInit();\n\n pctxt = xmlXPathNewParserContext(str, ctxt);\n if (pctxt == NULL)\n return NULL;\n xmlXPathCompileExpr(pctxt, 1);\n\n if( pctxt->error != XPATH_EXPRESSION_OK )\n {\n xmlXPathFreeParserContext(pctxt);\n return(NULL);\n }\n\n if (*pctxt->cur != 0) {\n\t/*\n\t * aleksey: in some cases this line prints *second* error message\n\t * (see bug #78858) and probably this should be fixed.\n\t * However, we are not sure that all error messages are printed\n\t * out in other places. 
It's not critical so we leave it as-is for now\n\t */\n\txmlXPatherror(pctxt, __FILE__, __LINE__, XPATH_EXPR_ERROR);\n\tcomp = NULL;\n } else {\n\tcomp = pctxt->comp;\n\tpctxt->comp = NULL;\n }\n xmlXPathFreeParserContext(pctxt);\n\n if (comp != NULL) {\n\tcomp->expr = xmlStrdup(str);\n#ifdef DEBUG_EVAL_COUNTS\n\tcomp->string = xmlStrdup(str);\n\tcomp->nb = 0;\n#endif\n\tif ((comp->nbStep > 1) && (comp->last >= 0)) {\n\t xmlXPathOptimizeExpression(comp, &comp->steps[comp->last]);\n\t}\n }", "project": "libxml2", "hash": 146219488063183863687061976661089820292, "size": 50, "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73", "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.", "target": 0, "dataset": "other", "idx": 385358 }, { "func": " */\nvoid\nxmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {\n#ifdef XPATH_STREAMING\n xmlXPathCompExprPtr comp;\n#endif\n\n if (ctxt == NULL) return;\n\n#ifdef XPATH_STREAMING\n comp = xmlXPathTryStreamCompile(ctxt->context, ctxt->base);\n if (comp != NULL) {\n if (ctxt->comp != NULL)\n\t xmlXPathFreeCompExpr(ctxt->comp);\n ctxt->comp = comp;\n } else\n#endif\n {\n\txmlXPathCompileExpr(ctxt, 1);\n CHECK_ERROR;\n\n /* Check for trailing characters. 
*/\n if (*ctxt->cur != 0)\n XP_ERROR(XPATH_EXPR_ERROR);\n\n\tif ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0))\n\t xmlXPathOptimizeExpression(ctxt->comp,\n\t\t&ctxt->comp->steps[ctxt->comp->last]);\n }\n", "project": "libxml2", "hash": 61204497316746030956175928442524571737, "size": 30, "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73", "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.", "target": 0, "dataset": "other", "idx": 385322 }, { "func": " */\nvoid\nxmlXPathFreeParserContext(xmlXPathParserContextPtr ctxt) {\n int i;\n\n if (ctxt->valueTab != NULL) {\n for (i = 0; i < ctxt->valueNr; i++) {\n if (ctxt->context)\n xmlXPathReleaseObject(ctxt->context, ctxt->valueTab[i]);\n else\n xmlXPathFreeObject(ctxt->valueTab[i]);\n }\n xmlFree(ctxt->valueTab);\n }\n if (ctxt->comp != NULL) {\n#ifdef XPATH_STREAMING\n\tif (ctxt->comp->stream != NULL) {\n\t xmlFreePatternList(ctxt->comp->stream);\n\t ctxt->comp->stream = NULL;\n\t}\n#endif\n\txmlXPathFreeCompExpr(ctxt->comp);\n }", "project": "libxml2", "hash": 313070256777369079216055804346982777932, "size": 23, "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73", "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. 
Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.", "target": 0, "dataset": "other", "idx": 385368 } ] }, { "call_depth": 4, "longest_call_chain": [ "random_big_prime", "is_probably_prime", "MR_primality_test", "ModularPower" ], "group_size": 6, "functions": [ { "project": "serenity", "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1", "target": 0, "func": "UnsignedBigInteger random_number(const UnsignedBigInteger& min, const UnsignedBigInteger& max_excluded)\n{\n ASSERT(min < max_excluded);\n auto range = max_excluded.minus(min);\n UnsignedBigInteger base;\n auto size = range.trimmed_length() * sizeof(u32) + 2;\n // \"+2\" is intentional (see below).\n // Also, if we're about to crash anyway, at least produce a nice error:\n ASSERT(size < 8 * MiB);\n u8 buf[size];\n AK::fill_with_random(buf, size);\n UnsignedBigInteger random { buf, size };\n // At this point, `random` is a large number, in the range [0, 256^size).\n // To get down to the actual range, we could just compute random % range.\n // This introduces \"modulo bias\". However, since we added 2 to `size`,\n // we know that the generated range is at least 65536 times as large as the\n // required range! This means that the modulo bias is only 0.0015%, if all\n // inputs are chosen adversarially. 
Let's hope this is good enough.\n auto divmod = random.divided_by(range);\n // The proper way to fix this is to restart if `divmod.quotient` is maximal.\n return divmod.remainder.plus(min);\n}", "idx": 519158, "cwe": "CWE-120", "hash": 318674707994639862887917054544112435500, "dataset": "other" }, { "project": "serenity", "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1", "target": 1, "func": "static bool MR_primality_test(UnsignedBigInteger n, const Vector& tests)\n{\n // Written using Wikipedia:\n // https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test#Miller%E2%80%93Rabin_test\n ASSERT(!(n < 4));\n auto predecessor = n.minus({ 1 });\n auto d = predecessor;\n size_t r = 0;\n\n {\n auto div_result = d.divided_by(2);\n while (div_result.remainder == 0) {\n d = div_result.quotient;\n div_result = d.divided_by(2);\n ++r;\n }\n }\n if (r == 0) {\n // n - 1 is odd, so n was even. But there is only one even prime:\n return n == 2;\n }\n\n for (auto a : tests) {\n // Technically: ASSERT(2 <= a && a <= n - 2)\n ASSERT(a < n);\n auto x = ModularPower(a, d, n);\n if (x == 1 || x == predecessor)\n continue;\n bool skip_this_witness = false;\n // r − 1 iterations.\n for (size_t i = 0; i < r - 1; ++i) {\n x = ModularPower(x, 2, n);\n if (x == predecessor) {\n skip_this_witness = true;\n break;\n }\n }\n if (skip_this_witness)\n continue;\n return false; // \"composite\"\n }\n\n return true; // \"probably prime\"\n}", "idx": 217238, "cwe": "CWE-120", "hash": 179391134827512981723637669244439395484, "dataset": "other" }, { "project": "serenity", "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1", "target": 0, "func": "static bool MR_primality_test(UnsignedBigInteger n, const Vector& tests)\n{\n // Written using Wikipedia:\n // https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test#Miller%E2%80%93Rabin_test\n ASSERT(!(n < 4));\n auto predecessor = n.minus({ 1 });\n auto d = predecessor;\n size_t r = 0;\n\n {\n auto div_result = 
d.divided_by(2);\n while (div_result.remainder == 0) {\n d = div_result.quotient;\n div_result = d.divided_by(2);\n ++r;\n }\n }\n if (r == 0) {\n // n - 1 is odd, so n was even. But there is only one even prime:\n return n == 2;\n }\n\n for (auto& a : tests) {\n // Technically: ASSERT(2 <= a && a <= n - 2)\n ASSERT(a < n);\n auto x = ModularPower(a, d, n);\n if (x == 1 || x == predecessor)\n continue;\n bool skip_this_witness = false;\n // r − 1 iterations.\n for (size_t i = 0; i < r - 1; ++i) {\n x = ModularPower(x, 2, n);\n if (x == predecessor) {\n skip_this_witness = true;\n break;\n }\n }\n if (skip_this_witness)\n continue;\n return false; // \"composite\"\n }\n\n return true; // \"probably prime\"\n}", "idx": 519155, "cwe": "CWE-120", "hash": 295059986924029830016313633716285228943, "dataset": "other" }, { "project": "serenity", "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1", "target": 0, "func": "bool is_probably_prime(const UnsignedBigInteger& p)\n{\n // Is it a small number?\n if (p < 49) {\n u32 p_value = p.words()[0];\n // Is it a very small prime?\n if (p_value == 2 || p_value == 3 || p_value == 5 || p_value == 7)\n return true;\n // Is it the multiple of a very small prime?\n if (p_value % 2 == 0 || p_value % 3 == 0 || p_value % 5 == 0 || p_value % 7 == 0)\n return false;\n // Then it must be a prime, but not a very small prime, like 37.\n return true;\n }\n\n Vector tests;\n // Make some good initial guesses that are guaranteed to find all primes < 2^64.\n tests.append(UnsignedBigInteger(2));\n tests.append(UnsignedBigInteger(3));\n tests.append(UnsignedBigInteger(5));\n tests.append(UnsignedBigInteger(7));\n tests.append(UnsignedBigInteger(11));\n tests.append(UnsignedBigInteger(13));\n UnsignedBigInteger seventeen { 17 };\n for (size_t i = tests.size(); i < 256; ++i) {\n tests.append(random_number(seventeen, p.minus(2)));\n }\n // Miller-Rabin's \"error\" is 8^-k. 
In adversarial cases, it's 4^-k.\n // With 200 random numbers, this would mean an error of about 2^-400.\n // So we don't need to worry too much about the quality of the random numbers.\n\n return MR_primality_test(p, tests);\n}", "idx": 519157, "cwe": "CWE-120", "hash": 303144258765638568217567976170648422907, "dataset": "other" }, { "project": "serenity", "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1", "target": 0, "func": "UnsignedBigInteger random_big_prime(size_t bits)\n{\n ASSERT(bits >= 33);\n UnsignedBigInteger min = UnsignedBigInteger::from_base10(\"6074001000\").shift_left(bits - 33);\n UnsignedBigInteger max = UnsignedBigInteger { 1 }.shift_left(bits).minus(1);\n for (;;) {\n auto p = random_number(min, max);\n if ((p.words()[0] & 1) == 0) {\n // An even number is definitely not a large prime.\n continue;\n }\n if (is_probably_prime(p))\n return p;\n }\n}", "idx": 519162, "cwe": "CWE-120", "hash": 15687903180148109465653092026404669397, "dataset": "other" }, { "project": "serenity", "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1", "target": 0, "func": "UnsignedBigInteger ModularPower(const UnsignedBigInteger& b, const UnsignedBigInteger& e, const UnsignedBigInteger& m)\n{\n if (m == 1)\n return 0;\n\n UnsignedBigInteger ep { e };\n UnsignedBigInteger base { b };\n UnsignedBigInteger exp { 1 };\n\n UnsignedBigInteger temp_1;\n UnsignedBigInteger temp_2;\n UnsignedBigInteger temp_3;\n UnsignedBigInteger temp_4;\n UnsignedBigInteger temp_multiply;\n UnsignedBigInteger temp_quotient;\n UnsignedBigInteger temp_remainder;\n\n while (!(ep < 1)) {\n if (ep.words()[0] % 2 == 1) {\n // exp = (exp * base) % m;\n UnsignedBigInteger::multiply_without_allocation(exp, base, temp_1, temp_2, temp_3, temp_4, temp_multiply);\n UnsignedBigInteger::divide_without_allocation(temp_multiply, m, temp_1, temp_2, temp_3, temp_4, temp_quotient, temp_remainder);\n exp.set_to(temp_remainder);\n }\n\n // ep = ep / 2;\n 
UnsignedBigInteger::divide_u16_without_allocation(ep, 2, temp_quotient, temp_remainder);\n ep.set_to(temp_quotient);\n\n // base = (base * base) % m;\n UnsignedBigInteger::multiply_without_allocation(base, base, temp_1, temp_2, temp_3, temp_4, temp_multiply);\n UnsignedBigInteger::divide_without_allocation(temp_multiply, m, temp_1, temp_2, temp_3, temp_4, temp_quotient, temp_remainder);\n base.set_to(temp_remainder);\n }\n return exp;\n}", "idx": 519156, "cwe": "CWE-120", "hash": 323652663057392381248334462293780609113, "dataset": "other" } ] }, { "call_depth": 4, "longest_call_chain": [ "__delayed_free_task", "free_task", "release_task_stack", "free_thread_stack" ], "group_size": 14, "functions": [ { "func": "void __weak arch_release_task_struct(struct task_struct *tsk)\n{\n}", "project": "linux", "hash": 178878164510362685562963763581695892096, "size": 3, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293717 }, { "func": "void free_task(struct task_struct *tsk)\n{\n\tscs_release(tsk);\n\n#ifndef CONFIG_THREAD_INFO_IN_TASK\n\t/*\n\t * The task is finally done with both the stack and thread_info,\n\t * so free both.\n\t */\n\trelease_task_stack(tsk);\n#else\n\t/*\n\t * If the task had a separate stack allocation, it should be gone\n\t * by now.\n\t */\n\tWARN_ON_ONCE(refcount_read(&tsk->stack_refcount) != 0);\n#endif\n\trt_mutex_debug_task_free(tsk);\n\tftrace_graph_exit_task(tsk);\n\tarch_release_task_struct(tsk);\n\tif (tsk->flags & PF_KTHREAD)\n\t\tfree_kthread_struct(tsk);\n\tfree_task_struct(tsk);\n}", "project": "linux", "hash": 204860648129297551546894762060680524874, "size": 
24, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293705 }, { "func": "void put_task_stack(struct task_struct *tsk)\n{\n\tif (refcount_dec_and_test(&tsk->stack_refcount))\n\t\trelease_task_stack(tsk);\n}", "project": "linux", "hash": 47375553025110082232307730801809545754, "size": 5, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293716 }, { "func": "static inline void free_task_struct(struct task_struct *tsk)\n{\n\tkmem_cache_free(task_struct_cachep, tsk);\n}", "project": "linux", "hash": 240269885863574603491225126330427503157, "size": 4, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293673 }, { "func": "void __put_task_struct(struct task_struct *tsk)\n{\n\tWARN_ON(!tsk->exit_state);\n\tWARN_ON(refcount_read(&tsk->usage));\n\tWARN_ON(tsk == current);\n\n\tio_uring_free(tsk);\n\tcgroup_free(tsk);\n\ttask_numa_free(tsk, 
true);\n\tsecurity_task_free(tsk);\n\texit_creds(tsk);\n\tdelayacct_tsk_free(tsk);\n\tput_signal_struct(tsk->signal);\n\n\tif (!profile_handoff_task(tsk))\n\t\tfree_task(tsk);\n}", "project": "linux", "hash": 219873827166979006101262636184699260463, "size": 17, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293664 }, { "func": "static void mmdrop_async(struct mm_struct *mm)\n{\n\tif (unlikely(atomic_dec_and_test(&mm->mm_count))) {\n\t\tINIT_WORK(&mm->async_put_work, mmdrop_async_fn);\n\t\tschedule_work(&mm->async_put_work);\n\t}\n}", "project": "linux", "hash": 48640535268283294199782867056893964272, "size": 7, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293668 }, { "func": "static void free_thread_stack(struct task_struct *tsk)\n{\n\tkmem_cache_free(thread_stack_cache, tsk->stack);\n}", "project": "linux", "hash": 312303175618061311683749964165846341822, "size": 4, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu 
\nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293659 }, { "func": "static inline void free_thread_stack(struct task_struct *tsk)\n{\n#ifdef CONFIG_VMAP_STACK\n\tstruct vm_struct *vm = task_stack_vm_area(tsk);\n\n\tif (vm) {\n\t\tint i;\n\n\t\tfor (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++)\n\t\t\tmemcg_kmem_uncharge_page(vm->pages[i], 0);\n\n\t\tfor (i = 0; i < NR_CACHED_STACKS; i++) {\n\t\t\tif (this_cpu_cmpxchg(cached_stacks[i],\n\t\t\t\t\tNULL, tsk->stack_vm_area) != NULL)\n\t\t\t\tcontinue;\n\n\t\t\treturn;\n\t\t}\n\n\t\tvfree_atomic(tsk->stack);\n\t\treturn;\n\t}\n#endif\n\n\t__free_pages(virt_to_page(tsk->stack), THREAD_SIZE_ORDER);\n}", "project": "linux", "hash": 237378295918759014443437886979064401756, "size": 26, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293694 }, { "func": "static void release_task_stack(struct task_struct *tsk)\n{\n\tif (WARN_ON(tsk->state != TASK_DEAD))\n\t\treturn; /* Better to leak the stack than to free prematurely */\n\n\taccount_kernel_stack(tsk, -1);\n\tfree_thread_stack(tsk);\n\ttsk->stack = NULL;\n#ifdef CONFIG_VMAP_STACK\n\ttsk->stack_vm_area = NULL;\n#endif\n}", "project": "linux", "hash": 312699088568944488479292764031952936873, "size": 12, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg 
Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293696 }, { "func": "static void account_kernel_stack(struct task_struct *tsk, int account)\n{\n\tvoid *stack = task_stack_page(tsk);\n\tstruct vm_struct *vm = task_stack_vm_area(tsk);\n\n\n\t/* All stack pages are in the same node. */\n\tif (vm)\n\t\tmod_lruvec_page_state(vm->pages[0], NR_KERNEL_STACK_KB,\n\t\t\t\t account * (THREAD_SIZE / 1024));\n\telse\n\t\tmod_lruvec_slab_state(stack, NR_KERNEL_STACK_KB,\n\t\t\t\t account * (THREAD_SIZE / 1024));\n}", "project": "linux", "hash": 257916025676168192754527698101924183339, "size": 14, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293686 }, { "func": "static void __delayed_free_task(struct rcu_head *rhp)\n{\n\tstruct task_struct *tsk = container_of(rhp, struct task_struct, rcu);\n\n\tfree_task(tsk);\n}", "project": "linux", "hash": 96633240730792133603587881814603945289, "size": 6, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293638 }, { "func": "static __always_inline void delayed_free_task(struct task_struct *tsk)\n{\n\tif (IS_ENABLED(CONFIG_MEMCG))\n\t\tcall_rcu(&tsk->rcu, __delayed_free_task);\n\telse\n\t\tfree_task(tsk);\n}", "project": "linux", "hash": 
246231539372659290208161012985748615737, "size": 7, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293672 }, { "func": "static inline void put_signal_struct(struct signal_struct *sig)\n{\n\tif (refcount_dec_and_test(&sig->sigcnt))\n\t\tfree_signal_struct(sig);\n}", "project": "linux", "hash": 230873831481255496698657162843354998495, "size": 5, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov \nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293663 }, { "func": "static inline void free_signal_struct(struct signal_struct *sig)\n{\n\ttaskstats_tgid_free(sig);\n\tsched_autogroup_exit(sig);\n\t/*\n\t * __mmdrop is not safe to call from softirq context on x86 due to\n\t * pgd_dtor so postpone it to the async context\n\t */\n\tif (sig->oom_mm)\n\t\tmmdrop_async(sig->oom_mm);\n\tkmem_cache_free(signal_cachep, sig);\n}", "project": "linux", "hash": 63807950727592270091592729976286542850, "size": 12, "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948", "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu \nAcked-by: Oleg Nesterov 
\nSigned-off-by: Linus Torvalds ", "target": 0, "dataset": "other", "idx": 293658 } ] }, { "call_depth": 4, "longest_call_chain": [ "nfs4_proc_create_session", "_nfs4_proc_create_session", "nfs4_verify_channel_attrs", "nfs4_verify_back_channel_attrs" ], "group_size": 7, "functions": [ { "func": "static int nfs4_verify_channel_attrs(struct nfs41_create_session_args *args,\n\t\t\t\t struct nfs41_create_session_res *res)\n{\n\tint ret;\n\n\tret = nfs4_verify_fore_channel_attrs(args, res);\n\tif (ret)\n\t\treturn ret;\n\treturn nfs4_verify_back_channel_attrs(args, res);\n}", "project": "linux", "hash": 266510953336912229479592963968256532827, "size": 10, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431361 }, { "func": "static int _nfs4_proc_create_session(struct nfs_client *clp,\n\t\tconst struct cred *cred)\n{\n\tstruct nfs4_session *session = clp->cl_session;\n\tstruct nfs41_create_session_args args = {\n\t\t.client = clp,\n\t\t.clientid = clp->cl_clientid,\n\t\t.seqid = clp->cl_seqid,\n\t\t.cb_program = NFS4_CALLBACK,\n\t};\n\tstruct nfs41_create_session_res res;\n\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_CREATE_SESSION],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t\t.rpc_cred = cred,\n\t};\n\tint status;\n\n\tnfs4_init_channel_attrs(&args, clp->cl_rpcclient);\n\targs.flags = (SESSION4_PERSIST | SESSION4_BACK_CHAN);\n\n\tstatus = rpc_call_sync(session->clp->cl_rpcclient, &msg,\n\t\t\t RPC_TASK_TIMEOUT | RPC_TASK_NO_ROUND_ROBIN);\n\ttrace_nfs4_create_session(clp, status);\n\n\tswitch (status) 
{\n\tcase -NFS4ERR_STALE_CLIENTID:\n\tcase -NFS4ERR_DELAY:\n\tcase -ETIMEDOUT:\n\tcase -EACCES:\n\tcase -EAGAIN:\n\t\tgoto out;\n\t}\n\n\tclp->cl_seqid++;\n\tif (!status) {\n\t\t/* Verify the session's negotiated channel_attrs values */\n\t\tstatus = nfs4_verify_channel_attrs(&args, &res);\n\t\t/* Increment the clientid slot sequence id */\n\t\tif (status)\n\t\t\tgoto out;\n\t\tnfs4_update_session(session, &res);\n\t}\nout:\n\treturn status;\n}", "project": "linux", "hash": 133204535520018525969067538801389583522, "size": 48, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 430993 }, { "func": "static int nfs4_verify_fore_channel_attrs(struct nfs41_create_session_args *args,\n\t\tstruct nfs41_create_session_res *res)\n{\n\tstruct nfs4_channel_attrs *sent = &args->fc_attrs;\n\tstruct nfs4_channel_attrs *rcvd = &res->fc_attrs;\n\n\tif (rcvd->max_resp_sz > sent->max_resp_sz)\n\t\treturn -EINVAL;\n\t/*\n\t * Our requested max_ops is the minimum we need; we're not\n\t * prepared to break up compounds into smaller pieces than that.\n\t * So, no point even trying to continue if the server won't\n\t * cooperate:\n\t */\n\tif (rcvd->max_ops < sent->max_ops)\n\t\treturn -EINVAL;\n\tif (rcvd->max_reqs == 0)\n\t\treturn -EINVAL;\n\tif (rcvd->max_reqs > NFS4_MAX_SLOT_TABLE)\n\t\trcvd->max_reqs = NFS4_MAX_SLOT_TABLE;\n\treturn 0;\n}", "project": "linux", "hash": 38463496589113317805269675468759555652, "size": 22, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size 
check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431035 }, { "func": "static void nfs4_init_channel_attrs(struct nfs41_create_session_args *args,\n\t\t\t\t struct rpc_clnt *clnt)\n{\n\tunsigned int max_rqst_sz, max_resp_sz;\n\tunsigned int max_bc_payload = rpc_max_bc_payload(clnt);\n\tunsigned int max_bc_slots = rpc_num_bc_slots(clnt);\n\n\tmax_rqst_sz = NFS_MAX_FILE_IO_SIZE + nfs41_maxwrite_overhead;\n\tmax_resp_sz = NFS_MAX_FILE_IO_SIZE + nfs41_maxread_overhead;\n\n\t/* Fore channel attributes */\n\targs->fc_attrs.max_rqst_sz = max_rqst_sz;\n\targs->fc_attrs.max_resp_sz = max_resp_sz;\n\targs->fc_attrs.max_ops = NFS4_MAX_OPS;\n\targs->fc_attrs.max_reqs = max_session_slots;\n\n\tdprintk(\"%s: Fore Channel : max_rqst_sz=%u max_resp_sz=%u \"\n\t\t\"max_ops=%u max_reqs=%u\\n\",\n\t\t__func__,\n\t\targs->fc_attrs.max_rqst_sz, args->fc_attrs.max_resp_sz,\n\t\targs->fc_attrs.max_ops, args->fc_attrs.max_reqs);\n\n\t/* Back channel attributes */\n\targs->bc_attrs.max_rqst_sz = max_bc_payload;\n\targs->bc_attrs.max_resp_sz = max_bc_payload;\n\targs->bc_attrs.max_resp_sz_cached = 0;\n\targs->bc_attrs.max_ops = NFS4_MAX_BACK_CHANNEL_OPS;\n\targs->bc_attrs.max_reqs = max_t(unsigned short, max_session_cb_slots, 1);\n\tif (args->bc_attrs.max_reqs > max_bc_slots)\n\t\targs->bc_attrs.max_reqs = max_bc_slots;\n\n\tdprintk(\"%s: Back Channel : max_rqst_sz=%u max_resp_sz=%u \"\n\t\t\"max_resp_sz_cached=%u max_ops=%u max_reqs=%u\\n\",\n\t\t__func__,\n\t\targs->bc_attrs.max_rqst_sz, args->bc_attrs.max_resp_sz,\n\t\targs->bc_attrs.max_resp_sz_cached, args->bc_attrs.max_ops,\n\t\targs->bc_attrs.max_reqs);\n}", "project": "linux", "hash": 18210667889500818106398555889191412805, "size": 38, "commit_id": 
"b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431071 }, { "func": "static int nfs4_verify_back_channel_attrs(struct nfs41_create_session_args *args,\n\t\tstruct nfs41_create_session_res *res)\n{\n\tstruct nfs4_channel_attrs *sent = &args->bc_attrs;\n\tstruct nfs4_channel_attrs *rcvd = &res->bc_attrs;\n\n\tif (!(res->flags & SESSION4_BACK_CHAN))\n\t\tgoto out;\n\tif (rcvd->max_rqst_sz > sent->max_rqst_sz)\n\t\treturn -EINVAL;\n\tif (rcvd->max_resp_sz < sent->max_resp_sz)\n\t\treturn -EINVAL;\n\tif (rcvd->max_resp_sz_cached > sent->max_resp_sz_cached)\n\t\treturn -EINVAL;\n\tif (rcvd->max_ops > sent->max_ops)\n\t\treturn -EINVAL;\n\tif (rcvd->max_reqs > sent->max_reqs)\n\t\treturn -EINVAL;\nout:\n\treturn 0;\n}", "project": "linux", "hash": 86134186865172260243225302940714184311, "size": 21, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431362 }, { "func": "int nfs4_proc_create_session(struct nfs_client *clp, const struct cred *cred)\n{\n\tint status;\n\tunsigned *ptr;\n\tstruct nfs4_session *session = clp->cl_session;\n\n\tdprintk(\"--> %s clp=%p session=%p\\n\", __func__, clp, session);\n\n\tstatus = 
_nfs4_proc_create_session(clp, cred);\n\tif (status)\n\t\tgoto out;\n\n\t/* Init or reset the session slot tables */\n\tstatus = nfs4_setup_session_slot_tables(session);\n\tdprintk(\"slot table setup returned %d\\n\", status);\n\tif (status)\n\t\tgoto out;\n\n\tptr = (unsigned *)&session->sess_id.data[0];\n\tdprintk(\"%s client>seqid %d sessionid %u:%u:%u:%u\\n\", __func__,\n\t\tclp->cl_seqid, ptr[0], ptr[1], ptr[2], ptr[3]);\nout:\n\tdprintk(\"<-- %s\\n\", __func__);\n\treturn status;\n}", "project": "linux", "hash": 277132752299906564156097443324441133079, "size": 25, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431497 }, { "func": "static void nfs4_update_session(struct nfs4_session *session,\n\t\tstruct nfs41_create_session_res *res)\n{\n\tnfs4_copy_sessionid(&session->sess_id, &res->sessionid);\n\t/* Mark client id and session as being confirmed */\n\tsession->clp->cl_exchange_flags |= EXCHGID4_FLAG_CONFIRMED_R;\n\tset_bit(NFS4_SESSION_ESTABLISHED, &session->session_state);\n\tsession->flags = res->flags;\n\tmemcpy(&session->fc_attrs, &res->fc_attrs, sizeof(session->fc_attrs));\n\tif (res->flags & SESSION4_BACK_CHAN)\n\t\tmemcpy(&session->bc_attrs, &res->bc_attrs,\n\t\t\t\tsizeof(session->bc_attrs));\n}", "project": "linux", "hash": 74970151861589890047695037603655286360, "size": 13, "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21", "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large 
enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell \n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 431408 } ] }, { "call_depth": 4, "longest_call_chain": [ "ctnetlink_nlmsg_size", "ctnetlink_timestamp_size", "nla_total_size", "ctnetlink_secctx_size" ], "group_size": 7, "functions": [ { "func": "static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)\n{\n\treturn NLMSG_ALIGN(sizeof(struct nfgenmsg))\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_IP */\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */\n\t + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */\n\t + ctnetlink_acct_size(ct)\n\t + ctnetlink_timestamp_size(ct)\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */\n\t + nla_total_size(0) /* CTA_PROTOINFO */\n\t + nla_total_size(0) /* CTA_HELP */\n\t + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */\n\t + ctnetlink_secctx_size(ct)\n#if IS_ENABLED(CONFIG_NF_NAT)\n\t + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */\n\t + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */\n#endif\n#ifdef CONFIG_NF_CONNTRACK_MARK\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */\n#endif\n#ifdef CONFIG_NF_CONNTRACK_ZONES\n\t + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */\n#endif\n\t + ctnetlink_proto_size(ct)\n\t + ctnetlink_label_size(ct)\n\t ;\n}", "project": "linux", "hash": 10508667409239925453713131944438936864, "size": 30, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. 
l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394192 }, { "func": "static inline int ctnetlink_secctx_size(const struct nf_conn *ct)\n{\n#ifdef CONFIG_NF_CONNTRACK_SECMARK\n\tint len, ret;\n\n\tret = security_secid_to_secctx(ct->secmark, NULL, &len);\n\tif (ret)\n\t\treturn 0;\n\n\treturn nla_total_size(0) /* CTA_SECCTX */\n\t + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */\n#else\n\treturn 0;\n#endif\n}", "project": "linux", "hash": 120117122907379011975926738167909948965, "size": 15, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to 
the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394256 }, { "func": "static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)\n{\n\tif (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))\n\t\treturn 0;\n\treturn 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */\n\t + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */\n\t + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */\n\t ;\n}", "project": "linux", "hash": 209742134164270150457682267534773323570, "size": 9, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", 
"message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394157 }, { "func": "ctnetlink_glue_build_size(const struct nf_conn *ct)\n{\n\treturn 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_IP */\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */\n\t + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */\n\t + 
nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */\n\t + nla_total_size(0) /* CTA_PROTOINFO */\n\t + nla_total_size(0) /* CTA_HELP */\n\t + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */\n\t + ctnetlink_secctx_size(ct)\n#if IS_ENABLED(CONFIG_NF_NAT)\n\t + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */\n\t + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */\n#endif\n#ifdef CONFIG_NF_CONNTRACK_MARK\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */\n#endif\n#ifdef CONFIG_NF_CONNTRACK_ZONES\n\t + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */\n#endif\n\t + ctnetlink_proto_size(ct)\n\t ;\n}", "project": "linux", "hash": 11624736612410175409698437205778309312, "size": 26, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394229 }, { "func": "static inline int ctnetlink_label_size(const struct nf_conn *ct)\n{\n\tstruct nf_conn_labels *labels = nf_ct_labels_find(ct);\n\n\tif (!labels)\n\t\treturn 0;\n\treturn nla_total_size(sizeof(labels->bits));\n}", "project": "linux", "hash": 100893474637785996937883921194205667491, "size": 8, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. 
MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394249 }, { "func": "static size_t ctnetlink_proto_size(const struct nf_conn *ct)\n{\n\tconst struct nf_conntrack_l4proto *l4proto;\n\tsize_t len, len4 = 0;\n\n\tlen = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);\n\tlen *= 3u; /* ORIG, REPLY, MASTER */\n\n\tl4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));\n\tlen += l4proto->nlattr_size;\n\tif (l4proto->nlattr_tuple_size) {\n\t\tlen4 = l4proto->nlattr_tuple_size();\n\t\tlen4 *= 3u; /* ORIG, REPLY, MASTER */\n\t}\n\n\treturn len + len4;\n}", "project": "linux", "hash": 147783029463433981062373150270326550127, "size": 17, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. 
Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394196 }, { "func": "static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)\n{\n#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP\n\tif (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))\n\t\treturn 0;\n\treturn nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));\n#else\n\treturn 0;\n#endif\n}", "project": "linux", "hash": 258757370984477944418178129779359369313, "size": 10, "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6", "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. 
l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker \n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso ", "target": 0, "dataset": "other", "idx": 394198 } ] }, { "call_depth": 4, "longest_call_chain": [ "reoptimize", "sort_and_filter_keyuse", "generate_derived_keys", "generate_derived_keys_for_table" ], "group_size": 7, "functions": [ { "func": "void JOIN::save_query_plan(Join_plan_state *save_to)\n{\n DYNAMIC_ARRAY tmp_keyuse;\n /* Swap the current and the backup keyuse internal arrays. */\n tmp_keyuse= keyuse;\n keyuse= save_to->keyuse; /* keyuse is reset to an empty array. 
*/\n save_to->keyuse= tmp_keyuse;\n\n for (uint i= 0; i < table_count; i++)\n {\n save_to->join_tab_keyuse[i]= join_tab[i].keyuse;\n join_tab[i].keyuse= NULL;\n save_to->join_tab_checked_keys[i]= join_tab[i].checked_keys;\n join_tab[i].checked_keys.clear_all();\n }\n memcpy((uchar*) save_to->best_positions, (uchar*) best_positions,\n sizeof(POSITION) * (table_count + 1));\n memset((uchar*) best_positions, 0, sizeof(POSITION) * (table_count + 1));\n \n /* Save SJM nests */\n List_iterator it(select_lex->sj_nests);\n TABLE_LIST *tlist;\n SJ_MATERIALIZATION_INFO **p_info= save_to->sj_mat_info;\n while ((tlist= it++))\n {\n *(p_info++)= tlist->sj_mat_info;\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 162011539998697303733224577679114086727, "size": 28, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508603 }, { "func": "void optimize_keyuse(JOIN *join, DYNAMIC_ARRAY *keyuse_array)\n{\n KEYUSE *end,*keyuse= dynamic_element(keyuse_array, 0, KEYUSE*);\n\n for (end= keyuse+ keyuse_array->elements ; keyuse < end ; keyuse++)\n {\n table_map map;\n /*\n If we find a ref, assume this table matches a proportional\n part of this table.\n For example 100 records matching a table with 5000 records\n gives 5000/100 = 50 records per key\n Constant tables are ignored.\n To avoid bad matches, we don't make ref_table_rows less than 100.\n */\n keyuse->ref_table_rows= ~(ha_rows) 0;\t// If no ref\n if (keyuse->used_tables &\n\t(map= (keyuse->used_tables & ~join->const_table_map &\n\t ~OUTER_REF_TABLE_BIT)))\n {\n uint n_tables= my_count_bits(map);\n if (n_tables == 1)\t\t\t// Only one table\n {\n DBUG_ASSERT(!(map & PSEUDO_TABLE_BITS)); // Must be a real table\n Table_map_iterator it(map);\n int tablenr= it.next_bit();\n DBUG_ASSERT(tablenr != Table_map_iterator::BITMAP_END);\n\tTABLE *tmp_table=join->table[tablenr];\n if (tmp_table) // already created\n keyuse->ref_table_rows= MY_MAX(tmp_table->file->stats.records, 100);\n }\n }\n /*\n Outer reference (external field) is constant for single executing\n of subquery\n */\n if (keyuse->used_tables == OUTER_REF_TABLE_BIT)\n keyuse->ref_table_rows= 1;\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 120929170831977725675266114752273713348, "size": 40, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508690 }, { "func": "void JOIN::reset_query_plan()\n{\n for (uint i= 0; i < table_count; i++)\n {\n join_tab[i].keyuse= NULL;\n join_tab[i].checked_keys.clear_all();\n }\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 261841307357917191129910538949682751948, "size": 8, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508466 }, { "func": "bool generate_derived_keys_for_table(KEYUSE *keyuse, uint count, uint keys)\n{\n TABLE *table= keyuse->table;\n if (table->alloc_keys(keys))\n return TRUE;\n uint key_count= 0;\n KEYUSE *first_keyuse= keyuse;\n uint prev_part= keyuse->keypart;\n uint parts= 0;\n uint i= 0;\n\n for ( ; i < count && key_count < keys; )\n {\n do\n {\n keyuse->key= table->s->keys;\n keyuse->keypart_map= (key_part_map) (1 << parts); \n keyuse++;\n i++;\n } \n while (i < count && keyuse->used_tables == first_keyuse->used_tables &&\n keyuse->keypart == prev_part);\n parts++;\n if (i < count && keyuse->used_tables == first_keyuse->used_tables)\n {\n prev_part= keyuse->keypart;\n }\n else\n {\n KEYUSE *save_first_keyuse= first_keyuse;\n if (table->check_tmp_key(table->s->keys, parts,\n get_next_field_for_derived_key_simple,\n (uchar *) &first_keyuse))\n\n {\n first_keyuse= save_first_keyuse;\n if (table->add_tmp_key(table->s->keys, parts, \n get_next_field_for_derived_key, \n (uchar *) &first_keyuse,\n FALSE))\n return TRUE;\n table->reginfo.join_tab->keys.set_bit(table->s->keys);\n }\n else\n {\n /* Mark keyuses for this key to be excluded */\n for (KEYUSE *curr=save_first_keyuse; curr < keyuse; curr++)\n\t{\n curr->key= MAX_KEY;\n }\n }\n first_keyuse= keyuse;\n key_count++;\n parts= 0;\n prev_part= keyuse->keypart;\n }\n } \n\n return FALSE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 230294648487314583666233567836385950967, "size": 60, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. 
mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508604 }, { "func": "JOIN::reoptimize(Item *added_where, table_map join_tables,\n Join_plan_state *save_to)\n{\n DYNAMIC_ARRAY added_keyuse;\n SARGABLE_PARAM *sargables= 0; /* Used only as a dummy parameter. */\n uint org_keyuse_elements;\n\n /* Re-run the REF optimizer to take into account the new conditions. */\n if (update_ref_and_keys(thd, &added_keyuse, join_tab, table_count, added_where,\n ~outer_join, select_lex, &sargables))\n {\n delete_dynamic(&added_keyuse);\n return REOPT_ERROR;\n }\n\n if (!added_keyuse.elements)\n {\n delete_dynamic(&added_keyuse);\n return REOPT_OLD_PLAN;\n }\n\n if (save_to)\n save_query_plan(save_to);\n else\n reset_query_plan();\n\n if (!keyuse.buffer &&\n my_init_dynamic_array(&keyuse, sizeof(KEYUSE), 20, 64,\n MYF(MY_THREAD_SPECIFIC)))\n {\n delete_dynamic(&added_keyuse);\n return REOPT_ERROR;\n }\n\n org_keyuse_elements= save_to ? save_to->keyuse.elements : keyuse.elements;\n allocate_dynamic(&keyuse, org_keyuse_elements + added_keyuse.elements);\n\n /* If needed, add the access methods from the original query plan. 
*/\n if (save_to)\n {\n DBUG_ASSERT(!keyuse.elements);\n keyuse.elements= save_to->keyuse.elements;\n if (size_t e= keyuse.elements)\n memcpy(keyuse.buffer,\n save_to->keyuse.buffer, e * keyuse.size_of_element);\n }\n\n /* Add the new access methods to the keyuse array. */\n memcpy(keyuse.buffer + keyuse.elements * keyuse.size_of_element,\n added_keyuse.buffer,\n (size_t) added_keyuse.elements * added_keyuse.size_of_element);\n keyuse.elements+= added_keyuse.elements;\n /* added_keyuse contents is copied, and it is no longer needed. */\n delete_dynamic(&added_keyuse);\n\n if (sort_and_filter_keyuse(thd, &keyuse, true))\n return REOPT_ERROR;\n optimize_keyuse(this, &keyuse);\n\n if (optimize_semijoin_nests(this, join_tables))\n return REOPT_ERROR;\n\n /* Re-run the join optimizer to compute a new query plan. */\n if (choose_plan(this, join_tables))\n return REOPT_ERROR;\n\n return REOPT_NEW_PLAN;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 75666197854928182620552515543537699218, "size": 68, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508423 }, { "func": "bool sort_and_filter_keyuse(THD *thd, DYNAMIC_ARRAY *keyuse,\n bool skip_unprefixed_keyparts)\n{\n KEYUSE key_end, *prev, *save_pos, *use;\n uint found_eq_constant, i;\n\n DBUG_ASSERT(keyuse->elements);\n\n my_qsort(keyuse->buffer, keyuse->elements, sizeof(KEYUSE),\n (qsort_cmp) sort_keyuse);\n\n bzero((char*) &key_end, sizeof(key_end)); /* Add for easy testing */\n if (insert_dynamic(keyuse, (uchar*) &key_end))\n return TRUE;\n\n if (optimizer_flag(thd, OPTIMIZER_SWITCH_DERIVED_WITH_KEYS))\n generate_derived_keys(keyuse);\n\n use= save_pos= dynamic_element(keyuse,0,KEYUSE*);\n prev= &key_end;\n found_eq_constant= 0;\n for (i=0 ; i < keyuse->elements-1 ; i++,use++)\n {\n if (!use->is_for_hash_join())\n {\n if (!(use->used_tables & ~OUTER_REF_TABLE_BIT) && \n use->optimize != KEY_OPTIMIZE_REF_OR_NULL)\n use->table->const_key_parts[use->key]|= use->keypart_map;\n if (use->keypart != FT_KEYPART)\n {\n if (use->key == prev->key && use->table == prev->table)\n {\n if ((prev->keypart+1 < use->keypart && skip_unprefixed_keyparts) ||\n (prev->keypart == use->keypart && found_eq_constant))\n continue;\t\t\t\t/* remove */\n }\n else if (use->keypart != 0 && skip_unprefixed_keyparts)\n continue; /* remove - first found must be 0 */\n }\n\n prev= use;\n found_eq_constant= !use->used_tables;\n use->table->reginfo.join_tab->checked_keys.set_bit(use->key);\n }\n /*\n Old gcc used a memcpy(), which is undefined if save_pos==use:\n http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19410\n http://gcc.gnu.org/bugzilla/show_bug.cgi?id=39480\n This also disables a valgrind warning, so better to have the test.\n */\n if (save_pos != use)\n *save_pos= *use;\n /* Save ptr to first use */\n if (!use->table->reginfo.join_tab->keyuse)\n 
use->table->reginfo.join_tab->keyuse= save_pos;\n save_pos++;\n }\n i= (uint) (save_pos-(KEYUSE*) keyuse->buffer);\n (void) set_dynamic(keyuse,(uchar*) &key_end,i);\n keyuse->elements= i;\n\n return FALSE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 270395890466385312065376189926284758775, "size": 63, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). 
This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508612 }, { "func": "bool generate_derived_keys(DYNAMIC_ARRAY *keyuse_array)\n{\n KEYUSE *keyuse= dynamic_element(keyuse_array, 0, KEYUSE*);\n uint elements= keyuse_array->elements;\n TABLE *prev_table= 0;\n for (uint i= 0; i < elements; i++, keyuse++)\n {\n if (!keyuse->table)\n break;\n KEYUSE *first_table_keyuse= NULL;\n table_map last_used_tables= 0;\n uint count= 0;\n uint keys= 0;\n TABLE_LIST *derived= NULL;\n if (keyuse->table != prev_table)\n derived= keyuse->table->pos_in_table_list;\n while (derived && derived->is_materialized_derived())\n {\n if (keyuse->table != prev_table)\n {\n prev_table= keyuse->table;\n while (keyuse->table == prev_table && keyuse->key != MAX_KEY)\n\t{\n keyuse++;\n i++;\n }\n if (keyuse->table != prev_table)\n\t{\n keyuse--;\n i--;\n derived= NULL;\n continue;\n }\n first_table_keyuse= keyuse;\n last_used_tables= keyuse->used_tables;\n count= 0;\n keys= 0;\n }\n else if (keyuse->used_tables != last_used_tables)\n {\n keys++;\n last_used_tables= keyuse->used_tables;\n }\n count++;\n keyuse++;\n i++;\n if (keyuse->table != prev_table)\n {\n if (generate_derived_keys_for_table(first_table_keyuse, count, ++keys))\n return TRUE;\n keyuse--;\n i--;\n\tderived= NULL;\n }\n }\n }\n return FALSE;\n}", "target": 0, "cwe": [], "project": "server", "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b", "hash": 297768314615660910310727454257539309288, "size": 58, "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). 
The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.", "dataset": "other", "idx": 508639 } ] }, { "call_depth": 4, "longest_call_chain": [ "resumeContext", "startRendering", "setContextState", "executionContext" ], "group_size": 22, "functions": [ { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::resume()\n{\n if (!currentSpeechUtterance())\n return;\n m_platformSpeechSynthesizer->resume();\n}\n", "cwe": "", "big_vul_idx": 129900, "idx": 116225, "hash": 211830265481063403535988771688867702984 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::resolvePromisesForSuspendOnMainThread()\n{\n ASSERT(isMainThread());\n AutoLocker locker(this);\n\n if (m_destinationNode)\n stopRendering();\n\n for (auto& resolver : m_suspendResolvers) {\n if (m_contextState == Closed) {\n resolver->reject(\n DOMException::create(InvalidStateError, \"Cannot suspend a context that has been closed\"));\n } else {\n resolver->resolve();\n }\n }\n\n m_suspendResolvers.clear();\n}\n", "cwe": "", "big_vul_idx": 139685, "idx": 124833, "hash": 118943594186034240752100234636332638888 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 1, "func": "void SpeechSynthesis::handleSpeakingCompleted(SpeechSynthesisUtterance* utterance, bool errorOccurred)\n {\n ASSERT(utterance);\n \n bool didJustFinishCurrentUtterance = false;\n if 
(utterance == currentSpeechUtterance()) {\n m_utteranceQueue.removeFirst();\n didJustFinishCurrentUtterance = true;\n }\n\n fireEvent(errorOccurred ? EventTypeNames::error : EventTypeNames::end, utterance, 0, String());\n\n if (didJustFinishCurrentUtterance && !m_utteranceQueue.isEmpty())\n startSpeakingImmediately();\n}\n", "cwe": "", "big_vul_idx": 185386, "idx": 6244, "hash": 51064366369637881630682008748783014232 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::handleSpeakingCompleted(SpeechSynthesisUtterance* utterance, bool errorOccurred)\n {\n ASSERT(utterance);\n \n // Keep the utterance around long enough to fire an event on it in case m_utteranceQueue\n // is holding the last reference to it.\n RefPtrWillBeRawPtr protect(utterance);\n\n bool didJustFinishCurrentUtterance = false;\n if (utterance == currentSpeechUtterance()) {\n m_utteranceQueue.removeFirst();\n didJustFinishCurrentUtterance = true;\n }\n\n fireEvent(errorOccurred ? 
EventTypeNames::error : EventTypeNames::end, utterance, 0, String());\n\n if (didJustFinishCurrentUtterance && !m_utteranceQueue.isEmpty())\n startSpeakingImmediately();\n}\n", "cwe": "", "big_vul_idx": 185386, "idx": 163331, "hash": 23380105532145118333362184433256570897 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::boundaryEventOccurred(PassRefPtr utterance, SpeechBoundary boundary, unsigned charIndex)\n{\n DEFINE_STATIC_LOCAL(const String, wordBoundaryString, (\"word\"));\n DEFINE_STATIC_LOCAL(const String, sentenceBoundaryString, (\"sentence\"));\n\n switch (boundary) {\n case SpeechWordBoundary:\n fireEvent(EventTypeNames::boundary, static_cast(utterance->client()), charIndex, wordBoundaryString);\n break;\n case SpeechSentenceBoundary:\n fireEvent(EventTypeNames::boundary, static_cast(utterance->client()), charIndex, sentenceBoundaryString);\n break;\n default:\n ASSERT_NOT_REACHED();\n }\n}\n", "cwe": "", "big_vul_idx": 129886, "idx": 116211, "hash": 99679462228640680760071758425709711418 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::startRendering()\n{\n ASSERT(isMainThread());\n ASSERT(m_destinationNode);\n\n if (m_contextState == Suspended) {\n destination()->startRendering();\n setContextState(Running);\n }\n}\n", "cwe": "", "big_vul_idx": 139688, "idx": 124836, "hash": 142662764461032600377284385191665947202 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::fireEvent(const AtomicString& type, SpeechSynthesisUtterance* utterance, unsigned long charIndex, const String& name)\n{\n if (!executionContext()->activeDOMObjectsAreStopped())\n utterance->dispatchEvent(SpeechSynthesisEvent::create(type, charIndex, (currentTime() - utterance->startTime()), name));\n}\n", "cwe": "", "big_vul_idx": 129894, "idx": 116219, "hash": 
332886004579278944427313270883617145253 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::speakingErrorOccurred(PassRefPtr utterance)\n{\n if (utterance->client())\n handleSpeakingCompleted(static_cast(utterance->client()), true);\n}\n", "cwe": "", "big_vul_idx": 129904, "idx": 116229, "hash": 231677242442625066328288469107298179746 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::didStartSpeaking(PassRefPtr utterance)\n{\n if (utterance->client())\n fireEvent(EventTypeNames::start, static_cast(utterance->client()), 0, String());\n}\n", "cwe": "", "big_vul_idx": 129892, "idx": 116217, "hash": 9214081021639232300638298244261428429 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "ScriptPromise AudioContext::resumeContext(ScriptState* scriptState)\n{\n ASSERT(isMainThread());\n AutoLocker locker(this);\n\n if (isOfflineContext()) {\n return ScriptPromise::rejectWithDOMException(\n scriptState,\n DOMException::create(\n InvalidStateError,\n \"cannot resume an OfflineAudioContext\"));\n }\n\n RefPtrWillBeRawPtr resolver = ScriptPromiseResolver::create(scriptState);\n ScriptPromise promise = resolver->promise();\n\n if (m_destinationNode)\n startRendering();\n\n m_resumeResolvers.append(resolver);\n\n return promise;\n}\n", "cwe": "", "big_vul_idx": 139686, "idx": 124834, "hash": 318570413813050108211516841774464416601 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "SpeechSynthesisUtterance* SpeechSynthesis::currentSpeechUtterance() const\n{\n if (!m_utteranceQueue.isEmpty())\n return m_utteranceQueue.first().get();\n return 0;\n}\n", "cwe": "", "big_vul_idx": 129889, "idx": 116214, "hash": 168156307974646343211506977179694426483 }, { "project": "Chrome", "commit_id": 
"6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::setContextState(AudioContextState newState)\n{\n ASSERT(isMainThread());\n\n switch (newState) {\n case Suspended:\n ASSERT(m_contextState == Running);\n break;\n case Running:\n ASSERT(m_contextState == Suspended);\n break;\n case Closed:\n ASSERT(m_contextState != Closed);\n break;\n }\n\n if (newState == m_contextState) {\n return;\n }\n\n m_contextState = newState;\n\n if (executionContext())\n executionContext()->postTask(createSameThreadTask(&AudioContext::notifyStateChange, this));\n}\n", "cwe": "", "big_vul_idx": 139687, "idx": 124835, "hash": 287189053384613982133619486169028517125 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::stopRendering()\n{\n ASSERT(isMainThread());\n ASSERT(m_destinationNode);\n ASSERT(!isOfflineContext());\n\n if (m_contextState == Running) {\n destination()->stopRendering();\n setContextState(Suspended);\n }\n}\n", "cwe": "", "big_vul_idx": 139691, "idx": 124839, "hash": 21252299144639789814578235777964790818 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "ExecutionContext* SpeechSynthesis::executionContext() const\n{\n return ContextLifecycleObserver::executionContext();\n}\n", "cwe": "", "big_vul_idx": 129893, "idx": 116218, "hash": 333478678279043922693098382899862568553 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "ExecutionContext* AudioContext::executionContext() const\n{\n return m_isStopScheduled ? 
0 : ActiveDOMObject::executionContext();\n}\n", "cwe": "", "big_vul_idx": 139655, "idx": 124805, "hash": 184737248806572005970236803996746836487 }, { "project": "Chrome", "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3", "target": 0, "func": "void AudioContext::fireCompletionEvent()\n{\n ASSERT(isMainThread());\n if (!isMainThread())\n return;\n\n AudioBuffer* renderedBuffer = m_renderTarget.get();\n\n setContextState(Closed);\n\n ASSERT(renderedBuffer);\n if (!renderedBuffer)\n return;\n\n if (executionContext()) {\n dispatchEvent(OfflineAudioCompletionEvent::create(renderedBuffer));\n m_offlineResolver->resolve(renderedBuffer);\n }\n}\n", "cwe": "", "big_vul_idx": 139656, "idx": 124806, "hash": 152452498610149100042179351223628836058 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::speak(SpeechSynthesisUtterance* utterance, ExceptionState& exceptionState)\n{\n if (!utterance) {\n exceptionState.throwTypeError(\"Invalid utterance argument\");\n return;\n }\n\n m_utteranceQueue.append(utterance);\n\n if (m_utteranceQueue.size() == 1)\n startSpeakingImmediately();\n}\n", "cwe": "", "big_vul_idx": 129902, "idx": 116227, "hash": 334525451552508820490739815215112912633 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "bool SpeechSynthesis::speaking() const\n{\n return currentSpeechUtterance();\n}\n", "cwe": "", "big_vul_idx": 129903, "idx": 116228, "hash": 264136037019701147145396860730088626650 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::startSpeakingImmediately()\n{\n SpeechSynthesisUtterance* utterance = currentSpeechUtterance();\n ASSERT(utterance);\n\n utterance->setStartTime(monotonicallyIncreasingTime());\n m_isPaused = false;\n m_platformSpeechSynthesizer->speak(utterance->platformUtterance());\n}\n", "cwe": "", "big_vul_idx": 129905, "idx": 
116230, "hash": 272953521684895724697749690104131444667 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::didFinishSpeaking(PassRefPtr utterance)\n{\n if (utterance->client())\n handleSpeakingCompleted(static_cast(utterance->client()), false);\n}\n", "cwe": "", "big_vul_idx": 129890, "idx": 116215, "hash": 336613363302777058118338465950575464528 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::voicesDidChange()\n{\n m_voiceList.clear();\n if (!executionContext()->activeDOMObjectsAreStopped())\n dispatchEvent(Event::create(EventTypeNames::voiceschanged));\n}\n", "cwe": "", "big_vul_idx": 129907, "idx": 116232, "hash": 206142822381456278081516244950130128741 }, { "project": "Chrome", "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f", "target": 0, "func": "void SpeechSynthesis::didResumeSpeaking(PassRefPtr utterance)\n{\n m_isPaused = false;\n if (utterance->client())\n fireEvent(EventTypeNames::resume, static_cast(utterance->client()), 0, String());\n}\n", "cwe": "", "big_vul_idx": 129891, "idx": 116216, "hash": 99913652828689165379332448190660030838 } ] }, { "call_depth": 4, "longest_call_chain": [ "_ff_layout_free_lseg", "ff_layout_free_mirror_array", "ff_layout_put_mirror", "ff_layout_free_mirror" ], "group_size": 5, "functions": [ { "func": "static void ff_layout_free_mirror_array(struct nfs4_ff_layout_segment *fls)\n{\n\tu32 i;\n\n\tfor (i = 0; i < fls->mirror_array_cnt; i++)\n\t\tff_layout_put_mirror(fls->mirror_array[i]);\n}", "project": "linux", "hash": 202853652078142817100138280602868936903, "size": 7, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of 
the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234393 }, { "func": "ff_layout_free_layoutstats(struct nfs4_xdr_opaque_data *opaque)\n{\n\tstruct nfs4_ff_layout_mirror *mirror = opaque->data;\n\n\tff_layout_put_mirror(mirror);\n}", "project": "linux", "hash": 41022782296286178043257841028601189437, "size": 6, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234438 }, { "func": "static void ff_layout_put_mirror(struct nfs4_ff_layout_mirror *mirror)\n{\n\tif (mirror != NULL && refcount_dec_and_test(&mirror->ref))\n\t\tff_layout_free_mirror(mirror);\n}", "project": "linux", "hash": 331231389817443296763726719989660248577, "size": 5, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234467 }, { "func": "static void _ff_layout_free_lseg(struct nfs4_ff_layout_segment *fls)\n{\n\tif (fls) {\n\t\tff_layout_free_mirror_array(fls);\n\t\tkfree(fls);\n\t}\n}", "project": "linux", "hash": 286331158025702105393697719811112058889, "size": 7, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234454 }, { "func": "static void ff_layout_free_mirror(struct nfs4_ff_layout_mirror *mirror)\n{\n\tconst struct cred\t*cred;\n\n\tff_layout_remove_mirror(mirror);\n\tkfree(mirror->fh_versions);\n\tcred = rcu_access_pointer(mirror->ro_cred);\n\tput_cred(cred);\n\tcred = rcu_access_pointer(mirror->rw_cred);\n\tput_cred(cred);\n\tnfs4_ff_layout_put_deviceid(mirror->mirror_ds);\n\tkfree(mirror);\n}", "project": "linux", "hash": 320275016961296103626526590820150554159, "size": 13, "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925", "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. 
The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic \nSigned-off-by: Dan Carpenter \nSigned-off-by: Trond Myklebust ", "target": 0, "dataset": "other", "idx": 234444 } ] }, { "call_depth": 4, "longest_call_chain": [ "rtsx_usb_ms_handle_req", "rtsx_usb_ms_issue_cmd", "ms_transfer_data", "ms_clear_error" ], "group_size": 8, "functions": [ { "func": "static void ms_print_debug_regs(struct rtsx_usb_ms *host)\n{\n}", "project": "linux", "hash": 176400605400045756040048099491150353938, "size": 3, "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39", "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] 
platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang \nCo-developed-by: Ulf Hansson \nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson ", "target": 0, "dataset": "other", "idx": 386056 }, { "func": "static void ms_print_debug_regs(struct rtsx_usb_ms *host)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tu16 i;\n\tu8 *ptr;\n\n\t/* Print MS host internal registers */\n\trtsx_usb_init_cmd(ucr);\n\n\t/* MS_CFG to MS_INT_REG */\n\tfor (i = 0xFD40; i <= 0xFD44; i++)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, i, 0, 0);\n\n\t/* CARD_SHARE_MODE to CARD_GPIO */\n\tfor (i = 0xFD51; i <= 0xFD56; i++)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, i, 0, 0);\n\n\t/* CARD_PULL_CTLx */\n\tfor (i = 0xFD60; i <= 0xFD65; i++)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, i, 0, 0);\n\n\t/* CARD_DATA_SOURCE, CARD_SELECT, CARD_CLK_EN, CARD_PWR_CTL */\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, CARD_DATA_SOURCE, 0, 0);\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, CARD_SELECT, 0, 0);\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, CARD_CLK_EN, 0, 0);\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, CARD_PWR_CTL, 0, 0);\n\n\trtsx_usb_send_cmd(ucr, MODE_CR, 100);\n\trtsx_usb_get_rsp(ucr, 21, 100);\n\n\tptr = ucr->rsp_buf;\n\tfor (i = 0xFD40; i <= 0xFD44; i++)\n\t\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", i, *(ptr++));\n\tfor (i = 0xFD51; i <= 0xFD56; i++)\n\t\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", i, *(ptr++));\n\tfor (i = 0xFD60; i <= 0xFD65; i++)\n\t\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", i, *(ptr++));\n\n\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", CARD_DATA_SOURCE, *(ptr++));\n\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", CARD_SELECT, *(ptr++));\n\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", CARD_CLK_EN, *(ptr++));\n\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", CARD_PWR_CTL, *(ptr++));\n}", "project": "linux", "hash": 326803931574304168358292052953432330419, "size": 43, "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39", "message": "memstick: 
rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang \nCo-developed-by: Ulf Hansson \nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson ", "target": 0, "dataset": "other", "idx": 386058 }, { "func": "static int rtsx_usb_ms_issue_cmd(struct rtsx_usb_ms *host)\n{\n\tstruct memstick_request *req = host->req;\n\tint err = 0;\n\tu8 cfg = 0, int_reg;\n\n\tdev_dbg(ms_dev(host), \"%s\\n\", __func__);\n\n\tif (req->need_card_int) {\n\t\tif (host->ifmode != MEMSTICK_SERIAL)\n\t\t\tcfg = WAIT_INT;\n\t}\n\n\tif (req->long_data) {\n\t\terr = ms_transfer_data(host, req->data_dir,\n\t\t\t\treq->tpc, cfg, &(req->sg));\n\t} else {\n\t\tif (req->data_dir == READ)\n\t\t\terr = 
ms_read_bytes(host, req->tpc, cfg,\n\t\t\t\t\treq->data_len, req->data, &int_reg);\n\t\telse\n\t\t\terr = ms_write_bytes(host, req->tpc, cfg,\n\t\t\t\t\treq->data_len, req->data, &int_reg);\n\t}\n\tif (err < 0)\n\t\treturn err;\n\n\tif (req->need_card_int) {\n\t\tif (host->ifmode == MEMSTICK_SERIAL) {\n\t\t\terr = ms_read_bytes(host, MS_TPC_GET_INT,\n\t\t\t\t\tNO_WAIT_INT, 1, &req->int_reg, NULL);\n\t\t\tif (err < 0)\n\t\t\t\treturn err;\n\t\t} else {\n\n\t\t\tif (int_reg & MS_INT_CMDNK)\n\t\t\t\treq->int_reg |= MEMSTICK_INT_CMDNAK;\n\t\t\tif (int_reg & MS_INT_BREQ)\n\t\t\t\treq->int_reg |= MEMSTICK_INT_BREQ;\n\t\t\tif (int_reg & MS_INT_ERR)\n\t\t\t\treq->int_reg |= MEMSTICK_INT_ERR;\n\t\t\tif (int_reg & MS_INT_CED)\n\t\t\t\treq->int_reg |= MEMSTICK_INT_CED;\n\t\t}\n\t\tdev_dbg(ms_dev(host), \"int_reg: 0x%02x\\n\", req->int_reg);\n\t}\n\n\treturn 0;\n}", "project": "linux", "hash": 169539839505914735375447515182540820783, "size": 49, "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39", "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. 
In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang \nCo-developed-by: Ulf Hansson \nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson ", "target": 0, "dataset": "other", "idx": 386061 }, { "func": "static int ms_write_bytes(struct rtsx_usb_ms *host, u8 tpc,\n\t\tu8 cfg, u8 cnt, u8 *data, u8 *int_reg)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tint err, i;\n\n\tdev_dbg(ms_dev(host), \"%s: tpc = 0x%02x\\n\", __func__, tpc);\n\n\trtsx_usb_init_cmd(ucr);\n\n\tfor (i = 0; i < cnt; i++)\n\t\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD,\n\t\t\t\tPPBUF_BASE2 + i, 0xFF, data[i]);\n\n\tif (cnt % 2)\n\t\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD,\n\t\t\t\tPPBUF_BASE2 + i, 0xFF, 0xFF);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_DATA_SOURCE,\n\t\t\t0x01, 
PINGPONG_BUFFER);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANSFER,\n\t\t\t0xFF, MS_TRANSFER_START | MS_TM_WRITE_BYTES);\n\trtsx_usb_add_cmd(ucr, CHECK_REG_CMD, MS_TRANSFER,\n\t\t\tMS_TRANSFER_END, MS_TRANSFER_END);\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, MS_TRANS_CFG, 0, 0);\n\n\terr = rtsx_usb_send_cmd(ucr, MODE_CR, 100);\n\tif (err)\n\t\treturn err;\n\n\terr = rtsx_usb_get_rsp(ucr, 2, 5000);\n\tif (err || (ucr->rsp_buf[0] & MS_TRANSFER_ERR)) {\n\t\tu8 val;\n\n\t\trtsx_usb_ep0_read_register(ucr, MS_TRANS_CFG, &val);\n\t\tdev_dbg(ms_dev(host), \"MS_TRANS_CFG: 0x%02x\\n\", val);\n\n\t\tif (int_reg)\n\t\t\t*int_reg = val & 0x0F;\n\n\t\tms_print_debug_regs(host);\n\n\t\tms_clear_error(host);\n\n\t\tif (!(tpc & 0x08)) {\n\t\t\tif (val & MS_CRC16_ERR)\n\t\t\t\treturn -EIO;\n\t\t} else {\n\t\t\tif (!(val & 0x80)) {\n\t\t\t\tif (val & (MS_INT_ERR | MS_INT_CMDNK))\n\t\t\t\t\treturn -EIO;\n\t\t\t}\n\t\t}\n\n\t\treturn -ETIMEDOUT;\n\t}\n\n\tif (int_reg)\n\t\t*int_reg = ucr->rsp_buf[1] & 0x0F;\n\n\treturn 0;\n}", "project": "linux", "hash": 43064859218006336972034644189664040268, "size": 66, "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39", "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. 
In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang \nCo-developed-by: Ulf Hansson \nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson ", "target": 0, "dataset": "other", "idx": 386059 }, { "func": "static inline void ms_clear_error(struct rtsx_usb_ms *host)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\trtsx_usb_ep0_write_register(ucr, CARD_STOP,\n\t\t\t\t MS_STOP | MS_CLR_ERR,\n\t\t\t\t MS_STOP | MS_CLR_ERR);\n\n\trtsx_usb_clear_dma_err(ucr);\n\trtsx_usb_clear_fsm_err(ucr);\n}", "project": "linux", "hash": 184168621941908989210848212393875143513, "size": 10, "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39", "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. 
In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang \nCo-developed-by: Ulf Hansson \nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson ", "target": 0, "dataset": "other", "idx": 386067 }, { "func": "static int ms_transfer_data(struct rtsx_usb_ms *host, unsigned char data_dir,\n\t\tu8 tpc, u8 cfg, struct scatterlist *sg)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tint err;\n\tunsigned int length = sg->length;\n\tu16 sec_cnt = (u16)(length / 512);\n\tu8 trans_mode, dma_dir, flag;\n\tunsigned int pipe;\n\tstruct memstick_dev *card = host->msh->card;\n\n\tdev_dbg(ms_dev(host), \"%s: tpc = 0x%02x, data_dir = %s, length = %d\\n\",\n\t\t\t__func__, tpc, (data_dir == READ) ? 
\"READ\" : \"WRITE\",\n\t\t\tlength);\n\n\tif (data_dir == READ) {\n\t\tflag = MODE_CDIR;\n\t\tdma_dir = DMA_DIR_FROM_CARD;\n\t\tif (card->id.type != MEMSTICK_TYPE_PRO)\n\t\t\ttrans_mode = MS_TM_NORMAL_READ;\n\t\telse\n\t\t\ttrans_mode = MS_TM_AUTO_READ;\n\t\tpipe = usb_rcvbulkpipe(ucr->pusb_dev, EP_BULK_IN);\n\t} else {\n\t\tflag = MODE_CDOR;\n\t\tdma_dir = DMA_DIR_TO_CARD;\n\t\tif (card->id.type != MEMSTICK_TYPE_PRO)\n\t\t\ttrans_mode = MS_TM_NORMAL_WRITE;\n\t\telse\n\t\t\ttrans_mode = MS_TM_AUTO_WRITE;\n\t\tpipe = usb_sndbulkpipe(ucr->pusb_dev, EP_BULK_OUT);\n\t}\n\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);\n\tif (card->id.type == MEMSTICK_TYPE_PRO) {\n\t\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_SECTOR_CNT_H,\n\t\t\t\t0xFF, (u8)(sec_cnt >> 8));\n\t\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_SECTOR_CNT_L,\n\t\t\t\t0xFF, (u8)sec_cnt);\n\t}\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_TC3,\n\t\t\t0xFF, (u8)(length >> 24));\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_TC2,\n\t\t\t0xFF, (u8)(length >> 16));\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_TC1,\n\t\t\t0xFF, (u8)(length >> 8));\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_TC0, 0xFF,\n\t\t\t(u8)length);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_CTL,\n\t\t\t0x03 | DMA_PACK_SIZE_MASK, dma_dir | DMA_EN | DMA_512);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_DATA_SOURCE,\n\t\t\t0x01, RING_BUFFER);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANSFER,\n\t\t\t0xFF, MS_TRANSFER_START | trans_mode);\n\trtsx_usb_add_cmd(ucr, CHECK_REG_CMD, MS_TRANSFER,\n\t\t\tMS_TRANSFER_END, MS_TRANSFER_END);\n\n\terr = rtsx_usb_send_cmd(ucr, flag | STAGE_MS_STATUS, 100);\n\tif (err)\n\t\treturn err;\n\n\terr = rtsx_usb_transfer_data(ucr, pipe, sg, length,\n\t\t\t1, NULL, 10000);\n\tif (err)\n\t\tgoto err_out;\n\n\terr = rtsx_usb_get_rsp(ucr, 3, 15000);\n\tif (err)\n\t\tgoto err_out;\n\n\tif 
(ucr->rsp_buf[0] & MS_TRANSFER_ERR ||\n\t ucr->rsp_buf[1] & (MS_CRC16_ERR | MS_RDY_TIMEOUT)) {\n\t\terr = -EIO;\n\t\tgoto err_out;\n\t}\n\treturn 0;\nerr_out:\n\tms_clear_error(host);\n\treturn err;\n}", "project": "linux", "hash": 230127094400080261160329003204111452297, "size": 85, "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39", "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang \nCo-developed-by: Ulf Hansson \nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson ", "target": 0, "dataset": "other", "idx": 386055 }, { "func": "static int ms_read_bytes(struct rtsx_usb_ms *host, u8 tpc,\n\t\tu8 cfg, u8 cnt, u8 *data, u8 *int_reg)\n{\n\tstruct 
rtsx_ucr *ucr = host->ucr;\n\tint err, i;\n\tu8 *ptr;\n\n\tdev_dbg(ms_dev(host), \"%s: tpc = 0x%02x\\n\", __func__, tpc);\n\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_DATA_SOURCE,\n\t\t\t0x01, PINGPONG_BUFFER);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANSFER,\n\t\t\t0xFF, MS_TRANSFER_START | MS_TM_READ_BYTES);\n\trtsx_usb_add_cmd(ucr, CHECK_REG_CMD, MS_TRANSFER,\n\t\t\tMS_TRANSFER_END, MS_TRANSFER_END);\n\tfor (i = 0; i < cnt - 1; i++)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, PPBUF_BASE2 + i, 0, 0);\n\tif (cnt % 2)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, PPBUF_BASE2 + cnt, 0, 0);\n\telse\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD,\n\t\t\t\tPPBUF_BASE2 + cnt - 1, 0, 0);\n\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, MS_TRANS_CFG, 0, 0);\n\n\terr = rtsx_usb_send_cmd(ucr, MODE_CR, 100);\n\tif (err)\n\t\treturn err;\n\n\terr = rtsx_usb_get_rsp(ucr, cnt + 2, 5000);\n\tif (err || (ucr->rsp_buf[0] & MS_TRANSFER_ERR)) {\n\t\tu8 val;\n\n\t\trtsx_usb_ep0_read_register(ucr, MS_TRANS_CFG, &val);\n\t\tdev_dbg(ms_dev(host), \"MS_TRANS_CFG: 0x%02x\\n\", val);\n\n\t\tif (int_reg && (host->ifmode != MEMSTICK_SERIAL))\n\t\t\t*int_reg = val & 0x0F;\n\n\t\tms_print_debug_regs(host);\n\n\t\tms_clear_error(host);\n\n\t\tif (!(tpc & 0x08)) {\n\t\t\tif (val & MS_CRC16_ERR)\n\t\t\t\treturn -EIO;\n\t\t} else {\n\t\t\tif (!(val & 0x80)) {\n\t\t\t\tif (val & (MS_INT_ERR | MS_INT_CMDNK))\n\t\t\t\t\treturn -EIO;\n\t\t\t}\n\t\t}\n\n\t\treturn -ETIMEDOUT;\n\t}\n\n\tptr = ucr->rsp_buf + 1;\n\tfor (i = 0; i < cnt; i++)\n\t\tdata[i] = *ptr++;\n\n\n\tif (int_reg && (host->ifmode != MEMSTICK_SERIAL))\n\t\t*int_reg = *ptr & 0x0F;\n\n\treturn 0;\n}", "project": "linux", "hash": 258735760856662779335532937746038298034, "size": 72, "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39", 
"message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang \nCo-developed-by: Ulf Hansson \nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson ", "target": 0, "dataset": "other", "idx": 386073 }, { "func": "static void rtsx_usb_ms_handle_req(struct work_struct *work)\n{\n\tstruct rtsx_usb_ms *host = container_of(work,\n\t\t\tstruct rtsx_usb_ms, handle_req);\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tstruct memstick_host *msh = host->msh;\n\tint rc;\n\n\tif (!host->req) {\n\t\tpm_runtime_get_sync(ms_dev(host));\n\t\tdo {\n\t\t\trc = memstick_next_req(msh, &host->req);\n\t\t\tdev_dbg(ms_dev(host), \"next req %d\\n\", rc);\n\n\t\t\tif (!rc) 
{\n\t\t\t\tmutex_lock(&ucr->dev_mutex);\n\n\t\t\t\tif (rtsx_usb_card_exclusive_check(ucr,\n\t\t\t\t\t\t\tRTSX_USB_MS_CARD))\n\t\t\t\t\thost->req->error = -EIO;\n\t\t\t\telse\n\t\t\t\t\thost->req->error =\n\t\t\t\t\t\trtsx_usb_ms_issue_cmd(host);\n\n\t\t\t\tmutex_unlock(&ucr->dev_mutex);\n\n\t\t\t\tdev_dbg(ms_dev(host), \"req result %d\\n\",\n\t\t\t\t\t\thost->req->error);\n\t\t\t}\n\t\t} while (!rc);\n\t\tpm_runtime_put_sync(ms_dev(host));\n\t}\n\n}", "project": "linux", "hash": 175247277736640744572955526817545119083, "size": 34, "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39", "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang \nCo-developed-by: Ulf Hansson \nLink: 
https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson ", "target": 0, "dataset": "other", "idx": 386066 } ] }, { "call_depth": 4, "longest_call_chain": [ "_gnutls_x509_get_time", "utcTime2gtime", "time2gtime", "mktime_utc" ], "group_size": 5, "functions": [ { "func": "static time_t mktime_utc(const struct fake_tm *tm)\n{\n\ttime_t result = 0;\n\tint i;\n\n/* We do allow some ill-formed dates, but we don't do anything special\n * with them and our callers really shouldn't pass them to us. Do\n * explicitly disallow the ones that would cause invalid array accesses\n * or other algorithm problems. \n */\n\tif (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970)\n\t\treturn (time_t) - 1;\n\n/* Convert to a time_t. \n */\n\tfor (i = 1970; i < tm->tm_year; i++)\n\t\tresult += 365 + ISLEAP(i);\n\tfor (i = 0; i < tm->tm_mon; i++)\n\t\tresult += MONTHDAYS[i];\n\tif (tm->tm_mon > 1 && ISLEAP(tm->tm_year))\n\t\tresult++;\n\tresult = 24 * (result + tm->tm_mday - 1) + tm->tm_hour;\n\tresult = 60 * result + tm->tm_min;\n\tresult = 60 * result + tm->tm_sec;\n\treturn result;\n}", "project": "gnutls", "hash": 255583354875587551064427115420146067224, "size": 26, "commit_id": "272854367efc130fbd4f1a51840d80c630214e12", "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.", "target": 0, "dataset": "other", "idx": 462692 }, { "func": "static time_t utcTime2gtime(const char *ttime)\n{\n\tchar xx[3];\n\tint year;\n\n\tif (strlen(ttime) < 10) {\n\t\tgnutls_assert();\n\t\treturn (time_t) - 1;\n\t}\n\txx[2] = 0;\n/* get the year\n */\n\tmemcpy(xx, ttime, 2);\t/* year */\n\tyear = atoi(xx);\n\tttime += 2;\n\n\tif (year > 49)\n\t\tyear += 1900;\n\telse\n\t\tyear += 2000;\n\n\treturn time2gtime(ttime, year);\n}", "project": "gnutls", "hash": 305444558622662156229039864608137356411, "size": 23, "commit_id": "272854367efc130fbd4f1a51840d80c630214e12", "message": "Reset the output value on error 
in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.", "target": 0, "dataset": "other", "idx": 462700 }, { "func": "time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when, int nochoice)\n{\n\tchar ttime[MAX_TIME];\n\tchar name[128];\n\ttime_t c_time = (time_t) - 1;\n\tint len, result;\n\n\tlen = sizeof(ttime) - 1;\n\tresult = asn1_read_value(c2, when, ttime, &len);\n\tif (result != ASN1_SUCCESS) {\n\t\tgnutls_assert();\n\t\treturn (time_t) (-1);\n\t}\n\n\tif (nochoice != 0) {\n\t\tc_time = _gnutls_x509_generalTime2gtime(ttime);\n\t} else {\n\t\t_gnutls_str_cpy(name, sizeof(name), when);\n\n\t\t/* choice */\n\t\tif (strcmp(ttime, \"generalTime\") == 0) {\n\t\t\t_gnutls_str_cat(name, sizeof(name),\n\t\t\t\t\t\".generalTime\");\n\t\t\tlen = sizeof(ttime) - 1;\n\t\t\tresult = asn1_read_value(c2, name, ttime, &len);\n\t\t\tif (result == ASN1_SUCCESS)\n\t\t\t\tc_time =\n\t\t\t\t _gnutls_x509_generalTime2gtime(ttime);\n\t\t} else {\t/* UTCTIME */\n\t\t\t_gnutls_str_cat(name, sizeof(name), \".utcTime\");\n\t\t\tlen = sizeof(ttime) - 1;\n\t\t\tresult = asn1_read_value(c2, name, ttime, &len);\n\t\t\tif (result == ASN1_SUCCESS)\n\t\t\t\tc_time = utcTime2gtime(ttime);\n\t\t}\n\n\t\t/* We cannot handle dates after 2031 in 32 bit machines.\n\t\t * a time_t of 64bits has to be used.\n\t\t */\n\t\tif (result != ASN1_SUCCESS) {\n\t\t\tgnutls_assert();\n\t\t\treturn (time_t) (-1);\n\t\t}\n\t}\n\n\treturn c_time;\n}", "project": "gnutls", "hash": 222057145187227737041406586357311452460, "size": 47, "commit_id": "272854367efc130fbd4f1a51840d80c630214e12", "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.", "target": 0, "dataset": "other", "idx": 462694 }, { "func": "time_t _gnutls_x509_generalTime2gtime(const char *ttime)\n{\n\tchar xx[5];\n\tint year;\n\n\tif (strlen(ttime) < 12) {\n\t\tgnutls_assert();\n\t\treturn (time_t) - 1;\n\t}\n\n\tif (strchr(ttime, 'Z') == 0) {\n\t\tgnutls_assert();\n\t\t/* sorry we don't support 
it yet\n\t\t */\n\t\treturn (time_t) - 1;\n\t}\n\txx[4] = 0;\n\n/* get the year\n */\n\tmemcpy(xx, ttime, 4);\t/* year */\n\tyear = atoi(xx);\n\tttime += 4;\n\n\treturn time2gtime(ttime, year);\n}", "project": "gnutls", "hash": 259945156522401648247067488269809219355, "size": 26, "commit_id": "272854367efc130fbd4f1a51840d80c630214e12", "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.", "target": 0, "dataset": "other", "idx": 462711 }, { "func": "static time_t time2gtime(const char *ttime, int year)\n{\n\tchar xx[4];\n\tstruct fake_tm etime;\n\n\tif (strlen(ttime) < 8) {\n\t\tgnutls_assert();\n\t\treturn (time_t) - 1;\n\t}\n\n\tetime.tm_year = year;\n\n\t/* In order to work with 32 bit\n\t * time_t.\n\t */\n\tif (sizeof(time_t) <= 4 && etime.tm_year >= 2038)\n\t\treturn (time_t) 2145914603;\t/* 2037-12-31 23:23:23 */\n\n\tif (etime.tm_year < 1970)\n\t\treturn (time_t) 0;\n\n\txx[2] = 0;\n\n/* get the month\n */\n\tmemcpy(xx, ttime, 2);\t/* month */\n\tetime.tm_mon = atoi(xx) - 1;\n\tttime += 2;\n\n/* get the day\n */\n\tmemcpy(xx, ttime, 2);\t/* day */\n\tetime.tm_mday = atoi(xx);\n\tttime += 2;\n\n/* get the hour\n */\n\tmemcpy(xx, ttime, 2);\t/* hour */\n\tetime.tm_hour = atoi(xx);\n\tttime += 2;\n\n/* get the minutes\n */\n\tmemcpy(xx, ttime, 2);\t/* minutes */\n\tetime.tm_min = atoi(xx);\n\tttime += 2;\n\n\tif (strlen(ttime) >= 2) {\n\t\tmemcpy(xx, ttime, 2);\n\t\tetime.tm_sec = atoi(xx);\n\t} else\n\t\tetime.tm_sec = 0;\n\n\treturn mktime_utc(&etime);\n}", "project": "gnutls", "hash": 193396090484000543539033958433909418524, "size": 55, "commit_id": "272854367efc130fbd4f1a51840d80c630214e12", "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.", "target": 0, "dataset": "other", "idx": 462733 } ] }, { "call_depth": 4, "longest_call_chain": [ "dw_spi_transfer_one", "poll_transfer", "dw_reader", "rx_max" ], "group_size": 9, "functions": [ { "func": "static 
inline u32 rx_max(struct dw_spi *dws)\n{\n\tu32 rx_left = (dws->rx_end - dws->rx) / dws->n_bytes;\n\n\treturn min_t(u32, rx_left, dw_readl(dws, DW_SPI_RXFLR));\n}", "project": "linux", "hash": 28861315435500243985574094629287346337, "size": 6, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462460 }, { "func": "static inline u32 tx_max(struct dw_spi *dws)\n{\n\tu32 tx_left, tx_room, rxtx_gap;\n\n\ttx_left = (dws->tx_end - dws->tx) / dws->n_bytes;\n\ttx_room = dws->fifo_len - dw_readl(dws, DW_SPI_TXFLR);\n\n\t/*\n\t * Another concern is about the tx/rx mismatch, we\n\t * though to use (dws->fifo_len - rxflr - txflr) as\n\t * one maximum value for tx, but it doesn't cover the\n\t 
* data which is out of tx/rx fifo and inside the\n\t * shift registers. So a control from sw point of\n\t * view is taken.\n\t */\n\trxtx_gap = ((dws->rx_end - dws->rx) - (dws->tx_end - dws->tx))\n\t\t\t/ dws->n_bytes;\n\n\treturn min3(tx_left, tx_room, (u32) (dws->fifo_len - rxtx_gap));\n}", "project": "linux", "hash": 213183701304300001146036022339693894975, "size": 20, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462444 }, { "func": "static void dw_reader(struct dw_spi *dws)\n{\n\tu32 max;\n\tu16 rxw;\n\n\tspin_lock(&dws->buf_lock);\n\tmax = rx_max(dws);\n\twhile (max--) {\n\t\trxw = dw_read_io_reg(dws, DW_SPI_DR);\n\t\t/* Care rx only if the transfer's original \"rx\" is 
not null */\n\t\tif (dws->rx_end - dws->len) {\n\t\t\tif (dws->n_bytes == 1)\n\t\t\t\t*(u8 *)(dws->rx) = rxw;\n\t\t\telse\n\t\t\t\t*(u16 *)(dws->rx) = rxw;\n\t\t}\n\t\tdws->rx += dws->n_bytes;\n\t}\n\tspin_unlock(&dws->buf_lock);\n}", "project": "linux", "hash": 43175951923458851445352561349773373287, "size": 20, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462449 }, { "func": "static irqreturn_t interrupt_transfer(struct dw_spi *dws)\n{\n\tu16 irq_status = dw_readl(dws, DW_SPI_ISR);\n\n\t/* Error handling */\n\tif (irq_status & (SPI_INT_TXOI | SPI_INT_RXOI | SPI_INT_RXUI)) {\n\t\tdw_readl(dws, DW_SPI_ICR);\n\t\tint_error_stop(dws, \"interrupt_transfer: fifo 
overrun/underrun\");\n\t\treturn IRQ_HANDLED;\n\t}\n\n\tdw_reader(dws);\n\tif (dws->rx_end == dws->rx) {\n\t\tspi_mask_intr(dws, SPI_INT_TXEI);\n\t\tspi_finalize_current_transfer(dws->master);\n\t\treturn IRQ_HANDLED;\n\t}\n\tif (irq_status & SPI_INT_TXEI) {\n\t\tspi_mask_intr(dws, SPI_INT_TXEI);\n\t\tdw_writer(dws);\n\t\t/* Enable TX irq always, it will be disabled when RX finished */\n\t\tspi_umask_intr(dws, SPI_INT_TXEI);\n\t}\n\n\treturn IRQ_HANDLED;\n}", "project": "linux", "hash": 329394486355196072499215754377682953976, "size": 26, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462455 }, { "func": "static void int_error_stop(struct dw_spi *dws, const char 
*msg)\n{\n\tspi_reset_chip(dws);\n\n\tdev_err(&dws->master->dev, \"%s\\n\", msg);\n\tdws->master->cur_msg->status = -EIO;\n\tspi_finalize_current_transfer(dws->master);\n}", "project": "linux", "hash": 51366913899485688758339908551603046061, "size": 8, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462445 }, { "func": "static int poll_transfer(struct dw_spi *dws)\n{\n\tdo {\n\t\tdw_writer(dws);\n\t\tdw_reader(dws);\n\t\tcpu_relax();\n\t} while (dws->rx_end > dws->rx);\n\n\treturn 0;\n}", "project": "linux", "hash": 223794499753899155092530499212227087021, "size": 10, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx 
to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462447 }, { "func": "static void dw_writer(struct dw_spi *dws)\n{\n\tu32 max;\n\tu16 txw = 0;\n\n\tspin_lock(&dws->buf_lock);\n\tmax = tx_max(dws);\n\twhile (max--) {\n\t\t/* Set the tx word if the transfer's original \"tx\" is not null */\n\t\tif (dws->tx_end - dws->len) {\n\t\t\tif (dws->n_bytes == 1)\n\t\t\t\ttxw = *(u8 *)(dws->tx);\n\t\t\telse\n\t\t\t\ttxw = *(u16 *)(dws->tx);\n\t\t}\n\t\tdw_write_io_reg(dws, DW_SPI_DR, txw);\n\t\tdws->tx += dws->n_bytes;\n\t}\n\tspin_unlock(&dws->buf_lock);\n}", "project": "linux", "hash": 175439461371127859720464846166133329580, "size": 20, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and 
dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462463 }, { "func": "static int dw_spi_transfer_one(struct spi_controller *master,\n\t\tstruct spi_device *spi, struct spi_transfer *transfer)\n{\n\tstruct dw_spi *dws = spi_controller_get_devdata(master);\n\tstruct chip_data *chip = spi_get_ctldata(spi);\n\tu8 imask = 0;\n\tu16 txlevel = 0;\n\tu32 cr0;\n\tint ret;\n\n\tdws->dma_mapped = 0;\n\n\tdws->tx = (void *)transfer->tx_buf;\n\tdws->tx_end = dws->tx + transfer->len;\n\tdws->rx = transfer->rx_buf;\n\tdws->rx_end = dws->rx + transfer->len;\n\tdws->len = transfer->len;\n\n\tspi_enable_chip(dws, 0);\n\n\t/* Handle per transfer options for bpw and speed */\n\tif (transfer->speed_hz != dws->current_freq) {\n\t\tif (transfer->speed_hz != chip->speed_hz) {\n\t\t\t/* clk_div doesn't support odd number */\n\t\t\tchip->clk_div = 
(DIV_ROUND_UP(dws->max_freq, transfer->speed_hz) + 1) & 0xfffe;\n\t\t\tchip->speed_hz = transfer->speed_hz;\n\t\t}\n\t\tdws->current_freq = transfer->speed_hz;\n\t\tspi_set_clk(dws, chip->clk_div);\n\t}\n\n\tdws->n_bytes = DIV_ROUND_UP(transfer->bits_per_word, BITS_PER_BYTE);\n\tdws->dma_width = DIV_ROUND_UP(transfer->bits_per_word, BITS_PER_BYTE);\n\n\t/* Default SPI mode is SCPOL = 0, SCPH = 0 */\n\tcr0 = (transfer->bits_per_word - 1)\n\t\t| (chip->type << SPI_FRF_OFFSET)\n\t\t| ((((spi->mode & SPI_CPOL) ? 1 : 0) << SPI_SCOL_OFFSET) |\n\t\t\t(((spi->mode & SPI_CPHA) ? 1 : 0) << SPI_SCPH_OFFSET))\n\t\t| (chip->tmode << SPI_TMOD_OFFSET);\n\n\t/*\n\t * Adjust transfer mode if necessary. Requires platform dependent\n\t * chipselect mechanism.\n\t */\n\tif (chip->cs_control) {\n\t\tif (dws->rx && dws->tx)\n\t\t\tchip->tmode = SPI_TMOD_TR;\n\t\telse if (dws->rx)\n\t\t\tchip->tmode = SPI_TMOD_RO;\n\t\telse\n\t\t\tchip->tmode = SPI_TMOD_TO;\n\n\t\tcr0 &= ~SPI_TMOD_MASK;\n\t\tcr0 |= (chip->tmode << SPI_TMOD_OFFSET);\n\t}\n\n\tdw_writel(dws, DW_SPI_CTRL0, cr0);\n\n\t/* Check if current transfer is a DMA transaction */\n\tif (master->can_dma && master->can_dma(master, spi, transfer))\n\t\tdws->dma_mapped = master->cur_msg_mapped;\n\n\t/* For poll mode just disable all interrupts */\n\tspi_mask_intr(dws, 0xff);\n\n\t/*\n\t * Interrupt mode\n\t * we only need set the TXEI IRQ, as TX/RX always happen syncronizely\n\t */\n\tif (dws->dma_mapped) {\n\t\tret = dws->dma_ops->dma_setup(dws, transfer);\n\t\tif (ret < 0) {\n\t\t\tspi_enable_chip(dws, 1);\n\t\t\treturn ret;\n\t\t}\n\t} else if (!chip->poll_mode) {\n\t\ttxlevel = min_t(u16, dws->fifo_len / 2, dws->len / dws->n_bytes);\n\t\tdw_writel(dws, DW_SPI_TXFLTR, txlevel);\n\n\t\t/* Set the interrupt mask */\n\t\timask |= SPI_INT_TXEI | SPI_INT_TXOI |\n\t\t\t SPI_INT_RXUI | SPI_INT_RXOI;\n\t\tspi_umask_intr(dws, imask);\n\n\t\tdws->transfer_handler = interrupt_transfer;\n\t}\n\n\tspi_enable_chip(dws, 1);\n\n\tif (dws->dma_mapped) 
{\n\t\tret = dws->dma_ops->dma_transfer(dws, transfer);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\n\tif (chip->poll_mode)\n\t\treturn poll_transfer(dws);\n\n\treturn 1;\n}", "project": "linux", "hash": 191752239953234250352277066792734233491, "size": 101, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 1, "dataset": "other", "idx": 212837 }, { "func": "static int dw_spi_transfer_one(struct spi_controller *master,\n\t\tstruct spi_device *spi, struct spi_transfer *transfer)\n{\n\tstruct dw_spi *dws = spi_controller_get_devdata(master);\n\tstruct chip_data *chip = spi_get_ctldata(spi);\n\tunsigned long flags;\n\tu8 imask = 0;\n\tu16 txlevel = 0;\n\tu32 cr0;\n\tint ret;\n\n\tdws->dma_mapped = 
0;\n\tspin_lock_irqsave(&dws->buf_lock, flags);\n\tdws->tx = (void *)transfer->tx_buf;\n\tdws->tx_end = dws->tx + transfer->len;\n\tdws->rx = transfer->rx_buf;\n\tdws->rx_end = dws->rx + transfer->len;\n\tdws->len = transfer->len;\n\tspin_unlock_irqrestore(&dws->buf_lock, flags);\n\n\tspi_enable_chip(dws, 0);\n\n\t/* Handle per transfer options for bpw and speed */\n\tif (transfer->speed_hz != dws->current_freq) {\n\t\tif (transfer->speed_hz != chip->speed_hz) {\n\t\t\t/* clk_div doesn't support odd number */\n\t\t\tchip->clk_div = (DIV_ROUND_UP(dws->max_freq, transfer->speed_hz) + 1) & 0xfffe;\n\t\t\tchip->speed_hz = transfer->speed_hz;\n\t\t}\n\t\tdws->current_freq = transfer->speed_hz;\n\t\tspi_set_clk(dws, chip->clk_div);\n\t}\n\n\tdws->n_bytes = DIV_ROUND_UP(transfer->bits_per_word, BITS_PER_BYTE);\n\tdws->dma_width = DIV_ROUND_UP(transfer->bits_per_word, BITS_PER_BYTE);\n\n\t/* Default SPI mode is SCPOL = 0, SCPH = 0 */\n\tcr0 = (transfer->bits_per_word - 1)\n\t\t| (chip->type << SPI_FRF_OFFSET)\n\t\t| ((((spi->mode & SPI_CPOL) ? 1 : 0) << SPI_SCOL_OFFSET) |\n\t\t\t(((spi->mode & SPI_CPHA) ? 1 : 0) << SPI_SCPH_OFFSET))\n\t\t| (chip->tmode << SPI_TMOD_OFFSET);\n\n\t/*\n\t * Adjust transfer mode if necessary. 
Requires platform dependent\n\t * chipselect mechanism.\n\t */\n\tif (chip->cs_control) {\n\t\tif (dws->rx && dws->tx)\n\t\t\tchip->tmode = SPI_TMOD_TR;\n\t\telse if (dws->rx)\n\t\t\tchip->tmode = SPI_TMOD_RO;\n\t\telse\n\t\t\tchip->tmode = SPI_TMOD_TO;\n\n\t\tcr0 &= ~SPI_TMOD_MASK;\n\t\tcr0 |= (chip->tmode << SPI_TMOD_OFFSET);\n\t}\n\n\tdw_writel(dws, DW_SPI_CTRL0, cr0);\n\n\t/* Check if current transfer is a DMA transaction */\n\tif (master->can_dma && master->can_dma(master, spi, transfer))\n\t\tdws->dma_mapped = master->cur_msg_mapped;\n\n\t/* For poll mode just disable all interrupts */\n\tspi_mask_intr(dws, 0xff);\n\n\t/*\n\t * Interrupt mode\n\t * we only need set the TXEI IRQ, as TX/RX always happen syncronizely\n\t */\n\tif (dws->dma_mapped) {\n\t\tret = dws->dma_ops->dma_setup(dws, transfer);\n\t\tif (ret < 0) {\n\t\t\tspi_enable_chip(dws, 1);\n\t\t\treturn ret;\n\t\t}\n\t} else if (!chip->poll_mode) {\n\t\ttxlevel = min_t(u16, dws->fifo_len / 2, dws->len / dws->n_bytes);\n\t\tdw_writel(dws, DW_SPI_TXFLTR, txlevel);\n\n\t\t/* Set the interrupt mask */\n\t\timask |= SPI_INT_TXEI | SPI_INT_TXOI |\n\t\t\t SPI_INT_RXUI | SPI_INT_RXOI;\n\t\tspi_umask_intr(dws, imask);\n\n\t\tdws->transfer_handler = interrupt_transfer;\n\t}\n\n\tspi_enable_chip(dws, 1);\n\n\tif (dws->dma_mapped) {\n\t\tret = dws->dma_ops->dma_transfer(dws, transfer);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\n\tif (chip->poll_mode)\n\t\treturn poll_transfer(dws);\n\n\treturn 1;\n}", "project": "linux", "hash": 323360310926930360690361021045187060996, "size": 103, "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d", "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi 
structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu \nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown ", "target": 0, "dataset": "other", "idx": 462461 } ] }, { "call_depth": 4, "longest_call_chain": [ "x25_destroy_timer", "x25_destroy_socket_from_timer", "__x25_destroy_socket", "x25_remove_socket" ], "group_size": 5, "functions": [ { "func": "static void x25_remove_socket(struct sock *sk)\n{\n\twrite_lock_bh(&x25_list_lock);\n\tsk_del_node_init(sk);\n\twrite_unlock_bh(&x25_list_lock);\n}", "project": "net", "hash": 211674392058988057045161520587012124519, "size": 6, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... 
| x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449185 }, { "func": "static int x25_release(struct socket *sock)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct x25_sock *x25;\n\n\tif (!sk)\n\t\treturn 0;\n\n\tx25 = x25_sk(sk);\n\n\tsock_hold(sk);\n\tlock_sock(sk);\n\tswitch (x25->state) {\n\n\t\tcase X25_STATE_0:\n\t\tcase X25_STATE_2:\n\t\t\tx25_disconnect(sk, 0, 0, 0);\n\t\t\t__x25_destroy_socket(sk);\n\t\t\tgoto out;\n\n\t\tcase X25_STATE_1:\n\t\tcase X25_STATE_3:\n\t\tcase X25_STATE_4:\n\t\t\tx25_clear_queues(sk);\n\t\t\tx25_write_internal(sk, X25_CLEAR_REQUEST);\n\t\t\tx25_start_t23timer(sk);\n\t\t\tx25->state = X25_STATE_2;\n\t\t\tsk->sk_state\t= TCP_CLOSE;\n\t\t\tsk->sk_shutdown\t|= SEND_SHUTDOWN;\n\t\t\tsk->sk_state_change(sk);\n\t\t\tsock_set_flag(sk, SOCK_DEAD);\n\t\t\tsock_set_flag(sk, SOCK_DESTROY);\n\t\t\tbreak;\n\n\t\tcase X25_STATE_5:\n\t\t\tx25_write_internal(sk, X25_CLEAR_REQUEST);\n\t\t\tx25_disconnect(sk, 0, 0, 0);\n\t\t\t__x25_destroy_socket(sk);\n\t\t\tgoto out;\n\t}\n\n\tsock_orphan(sk);\nout:\n\trelease_sock(sk);\n\tsock_put(sk);\n\treturn 0;\n}", "project": "net", "hash": 68953831480784744166510465628527507952, "size": 47, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). 
As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449167 }, { "func": "void x25_destroy_socket_from_timer(struct sock *sk)\n{\n\tsock_hold(sk);\n\tbh_lock_sock(sk);\n\t__x25_destroy_socket(sk);\n\tbh_unlock_sock(sk);\n\tsock_put(sk);\n}", "project": "net", "hash": 107285315962177851069016575084912150380, "size": 8, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... 
| x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449174 }, { "func": "static void x25_destroy_timer(struct timer_list *t)\n{\n\tstruct sock *sk = from_timer(sk, t, sk_timer);\n\n\tx25_destroy_socket_from_timer(sk);\n}", "project": "net", "hash": 9533324264508029075556357866838344897, "size": 6, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). 
What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449172 }, { "func": "static void __x25_destroy_socket(struct sock *sk)\n{\n\tstruct sk_buff *skb;\n\n\tx25_stop_heartbeat(sk);\n\tx25_stop_timer(sk);\n\n\tx25_remove_socket(sk);\n\tx25_clear_queues(sk);\t\t/* Flush the queues */\n\n\twhile ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {\n\t\tif (skb->sk != sk) {\t\t/* A pending connection */\n\t\t\t/*\n\t\t\t * Queue the unaccepted socket for death\n\t\t\t */\n\t\t\tskb->sk->sk_state = TCP_LISTEN;\n\t\t\tsock_set_flag(skb->sk, SOCK_DEAD);\n\t\t\tx25_start_heartbeat(skb->sk);\n\t\t\tx25_sk(skb->sk)->state = X25_STATE_0;\n\t\t}\n\n\t\tkfree_skb(skb);\n\t}\n\n\tif (sk_has_allocations(sk)) {\n\t\t/* Defer: outstanding buffers */\n\t\tsk->sk_timer.expires = jiffies + 10 * HZ;\n\t\tsk->sk_timer.function = x25_destroy_timer;\n\t\tadd_timer(&sk->sk_timer);\n\t} else {\n\t\t/* drop last reference so sock_put will free */\n\t\t__sock_put(sk);\n\t}\n}", "project": "net", "hash": 37876805302312188033380640487351936531, "size": 34, "commit_id": "7781607938c8371d4c2b243527430241c62e39c2", "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... 
| x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou \nReviewed-by: Lin Ma \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 449165 } ] }, { "call_depth": 4, "longest_call_chain": [ "ip6_push_pending_frames", "ip6_send_skb", "ip6_local_out", "__ip6_local_out" ], "group_size": 4, "functions": [ { "func": "int ip6_push_pending_frames(struct sock *sk)\n{\n\tstruct sk_buff *skb;\n\n\tskb = ip6_finish_skb(sk);\n\tif (!skb)\n\t\treturn 0;\n\n\treturn ip6_send_skb(skb);\n}", "project": "net", "hash": 98437086620911532825825118994734352049, "size": 10, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. 
Miller ", "target": 0, "dataset": "other", "idx": 468936 }, { "func": "int ip6_local_out(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tint err;\n\n\terr = __ip6_local_out(net, sk, skb);\n\tif (likely(err == 1))\n\t\terr = dst_output(net, sk, skb);\n\n\treturn err;\n}", "project": "linux", "hash": 52771529644351032790260622560929239956, "size": 10, "commit_id": "62f20e068ccc50d6ab66fdb72ba90da2b9418c99", "message": "ipv6: use prandom_u32() for ID generation\n\nThis is a complement to commit aa6dd211e4b1 (\"inet: use bigger hash\ntable for IP ID generation\"), but focusing on some specific aspects\nof IPv6.\n\nContary to IPv4, IPv6 only uses packet IDs with fragments, and with a\nminimum MTU of 1280, it's much less easy to force a remote peer to\nproduce many fragments to explore its ID sequence. In addition packet\nIDs are 32-bit in IPv6, which further complicates their analysis. On\nthe other hand, it is often easier to choose among plenty of possible\nsource addresses and partially work around the bigger hash table the\ncommit above permits, which leaves IPv6 partially exposed to some\npossibilities of remote analysis at the risk of weakening some\nprotocols like DNS if some IDs can be predicted with a good enough\nprobability.\n\nGiven the wide range of permitted IDs, the risk of collision is extremely\nlow so there's no need to rely on the positive increment algorithm that\nis shared with the IPv4 code via ip_idents_reserve(). We have a fast\nPRNG, so let's simply call prandom_u32() and be done with it.\n\nPerformance measurements at 10 Gbps couldn't show any difference with\nthe previous code, even when using a single core, because due to the\nlarge fragments, we're limited to only ~930 kpps at 10 Gbps and the cost\nof the random generation is completely offset by other operations and by\nthe network transfer time. 
In addition, this change removes the need to\nupdate a shared entry in the idents table so it may even end up being\nslightly faster on large scale systems where this matters.\n\nThe risk of at least one collision here is about 1/80 million among\n10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs,\nwhich remains very low compared to IPv4 where all IDs are reused\nevery 4 to 80ms on a 10 Gbps flow depending on packet sizes.\n\nReported-by: Amit Klein \nSigned-off-by: Willy Tarreau \nReviewed-by: Eric Dumazet \nLink: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 318497 }, { "func": "int __ip6_local_out(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tint len;\n\n\tlen = skb->len - sizeof(struct ipv6hdr);\n\tif (len > IPV6_MAXPLEN)\n\t\tlen = 0;\n\tipv6_hdr(skb)->payload_len = htons(len);\n\tIP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);\n\n\t/* if egress device is enslaved to an L3 master device pass the\n\t * skb to its handler for processing\n\t */\n\tskb = l3mdev_ip6_out(sk, skb);\n\tif (unlikely(!skb))\n\t\treturn 0;\n\n\tskb->protocol = htons(ETH_P_IPV6);\n\n\treturn nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT,\n\t\t net, sk, skb, NULL, skb_dst(skb)->dev,\n\t\t dst_output);\n}", "project": "linux", "hash": 65323340548815789678720155397800993393, "size": 23, "commit_id": "62f20e068ccc50d6ab66fdb72ba90da2b9418c99", "message": "ipv6: use prandom_u32() for ID generation\n\nThis is a complement to commit aa6dd211e4b1 (\"inet: use bigger hash\ntable for IP ID generation\"), but focusing on some specific aspects\nof IPv6.\n\nContary to IPv4, IPv6 only uses packet IDs with fragments, and with a\nminimum MTU of 1280, it's much less easy to force a remote peer to\nproduce many fragments to explore its ID sequence. In addition packet\nIDs are 32-bit in IPv6, which further complicates their analysis. 
On\nthe other hand, it is often easier to choose among plenty of possible\nsource addresses and partially work around the bigger hash table the\ncommit above permits, which leaves IPv6 partially exposed to some\npossibilities of remote analysis at the risk of weakening some\nprotocols like DNS if some IDs can be predicted with a good enough\nprobability.\n\nGiven the wide range of permitted IDs, the risk of collision is extremely\nlow so there's no need to rely on the positive increment algorithm that\nis shared with the IPv4 code via ip_idents_reserve(). We have a fast\nPRNG, so let's simply call prandom_u32() and be done with it.\n\nPerformance measurements at 10 Gbps couldn't show any difference with\nthe previous code, even when using a single core, because due to the\nlarge fragments, we're limited to only ~930 kpps at 10 Gbps and the cost\nof the random generation is completely offset by other operations and by\nthe network transfer time. In addition, this change removes the need to\nupdate a shared entry in the idents table so it may even end up being\nslightly faster on large scale systems where this matters.\n\nThe risk of at least one collision here is about 1/80 million among\n10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs,\nwhich remains very low compared to IPv4 where all IDs are reused\nevery 4 to 80ms on a 10 Gbps flow depending on packet sizes.\n\nReported-by: Amit Klein \nSigned-off-by: Willy Tarreau \nReviewed-by: Eric Dumazet \nLink: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu\nSigned-off-by: Jakub Kicinski ", "target": 0, "dataset": "other", "idx": 318496 }, { "func": "int ip6_send_skb(struct sk_buff *skb)\n{\n\tstruct net *net = sock_net(skb->sk);\n\tstruct rt6_info *rt = (struct rt6_info *)skb_dst(skb);\n\tint err;\n\n\terr = ip6_local_out(net, skb->sk, skb);\n\tif (err) {\n\t\tif (err > 0)\n\t\t\terr = net_xmit_errno(err);\n\t\tif (err)\n\t\t\tIP6_INC_STATS(net, rt->rt6i_idev,\n\t\t\t\t 
IPSTATS_MIB_OUTDISCARDS);\n\t}\n\n\treturn err;\n}", "project": "net", "hash": 168395828033328433995927207072894963468, "size": 17, "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa", "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov \nSigned-off-by: Willem de Bruijn \nSigned-off-by: David S. Miller ", "target": 0, "dataset": "other", "idx": 469001 } ] }, { "call_depth": 4, "longest_call_chain": [ "mcba_usb_read_bulk_callback", "mcba_usb_process_rx", "mcba_usb_process_ka_can", "convert_can2host_bitrate" ], "group_size": 6, "functions": [ { "func": "static void mcba_usb_process_ka_can(struct mcba_priv *priv,\n\t\t\t\t struct mcba_usb_msg_ka_can *msg)\n{\n\tif (unlikely(priv->can_ka_first_pass)) {\n\t\tnetdev_info(priv->netdev, \"PIC CAN version %hhu.%hhu\\n\",\n\t\t\t msg->soft_ver_major, msg->soft_ver_minor);\n\n\t\tpriv->can_ka_first_pass = false;\n\t}\n\n\tif (unlikely(priv->can_speed_check)) {\n\t\tconst u32 bitrate = convert_can2host_bitrate(msg);\n\n\t\tpriv->can_speed_check = false;\n\n\t\tif (bitrate != priv->can.bittiming.bitrate)\n\t\t\tnetdev_err(\n\t\t\t priv->netdev,\n\t\t\t \"Wrong bitrate reported by the device (%u). 
Expected %u\",\n\t\t\t bitrate, priv->can.bittiming.bitrate);\n\t}\n\n\tpriv->bec.txerr = msg->tx_err_cnt;\n\tpriv->bec.rxerr = msg->rx_err_cnt;\n\n\tif (msg->tx_bus_off)\n\t\tpriv->can.state = CAN_STATE_BUS_OFF;\n\n\telse if ((priv->bec.txerr > MCBA_CAN_STATE_ERR_PSV_TH) ||\n\t\t (priv->bec.rxerr > MCBA_CAN_STATE_ERR_PSV_TH))\n\t\tpriv->can.state = CAN_STATE_ERROR_PASSIVE;\n\n\telse if ((priv->bec.txerr > MCBA_CAN_STATE_WRN_TH) ||\n\t\t (priv->bec.rxerr > MCBA_CAN_STATE_WRN_TH))\n\t\tpriv->can.state = CAN_STATE_ERROR_WARNING;\n}", "project": "linux", "hash": 140170198980991463076052245356814298617, "size": 36, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398315 }, { "func": "static void mcba_usb_process_rx(struct mcba_priv *priv,\n\t\t\t\tstruct mcba_usb_msg *msg)\n{\n\tswitch (msg->cmd_id) {\n\tcase MBCA_CMD_I_AM_ALIVE_FROM_CAN:\n\t\tmcba_usb_process_ka_can(priv,\n\t\t\t\t\t(struct mcba_usb_msg_ka_can *)msg);\n\t\tbreak;\n\n\tcase MBCA_CMD_I_AM_ALIVE_FROM_USB:\n\t\tmcba_usb_process_ka_usb(priv,\n\t\t\t\t\t(struct mcba_usb_msg_ka_usb *)msg);\n\t\tbreak;\n\n\tcase MBCA_CMD_RECEIVE_MESSAGE:\n\t\tmcba_usb_process_can(priv, (struct mcba_usb_msg_can *)msg);\n\t\tbreak;\n\n\tcase MBCA_CMD_NOTHING_TO_SEND:\n\t\t/* Side effect of communication between PIC_USB and PIC_CAN.\n\t\t * PIC_CAN is telling us that it has nothing to send\n\t\t */\n\t\tbreak;\n\n\tcase MBCA_CMD_TRANSMIT_MESSAGE_RSP:\n\t\t/* Transmission response from the device containing timestamp */\n\t\tbreak;\n\n\tdefault:\n\t\tnetdev_warn(priv->netdev, \"Unsupported msg 
(0x%hhX)\",\n\t\t\t msg->cmd_id);\n\t\tbreak;\n\t}\n}", "project": "linux", "hash": 189816485004301915432920510029586829831, "size": 34, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398312 }, { "func": "static u32 convert_can2host_bitrate(struct mcba_usb_msg_ka_can *msg)\n{\n\tconst u32 bitrate = get_unaligned_be16(&msg->can_bitrate);\n\n\tif ((bitrate == 33) || (bitrate == 83))\n\t\treturn bitrate * 1000 + 333;\n\telse\n\t\treturn bitrate * 1000;\n}", "project": "linux", "hash": 43142121438217021989434137757153490953, "size": 9, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398316 }, { "func": "static void mcba_usb_process_ka_usb(struct mcba_priv *priv,\n\t\t\t\t struct mcba_usb_msg_ka_usb *msg)\n{\n\tif (unlikely(priv->usb_ka_first_pass)) {\n\t\tnetdev_info(priv->netdev, \"PIC USB version %hhu.%hhu\\n\",\n\t\t\t msg->soft_ver_major, msg->soft_ver_minor);\n\n\t\tpriv->usb_ka_first_pass = false;\n\t}\n\n\tif (msg->termination_state)\n\t\tpriv->can.termination = MCBA_TERMINATION_ENABLED;\n\telse\n\t\tpriv->can.termination = MCBA_TERMINATION_DISABLED;\n}", "project": "linux", "hash": 
257496963091891816110649854790532425699, "size": 15, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398317 }, { "func": "static void mcba_usb_read_bulk_callback(struct urb *urb)\n{\n\tstruct mcba_priv *priv = urb->context;\n\tstruct net_device *netdev;\n\tint retval;\n\tint pos = 0;\n\n\tnetdev = priv->netdev;\n\n\tif (!netif_device_present(netdev))\n\t\treturn;\n\n\tswitch (urb->status) {\n\tcase 0: /* success */\n\t\tbreak;\n\n\tcase -ENOENT:\n\tcase -EPIPE:\n\tcase -EPROTO:\n\tcase -ESHUTDOWN:\n\t\treturn;\n\n\tdefault:\n\t\tnetdev_info(netdev, \"Rx URB aborted (%d)\\n\", urb->status);\n\n\t\tgoto resubmit_urb;\n\t}\n\n\twhile (pos < urb->actual_length) {\n\t\tstruct mcba_usb_msg *msg;\n\n\t\tif (pos + sizeof(struct mcba_usb_msg) > urb->actual_length) {\n\t\t\tnetdev_err(priv->netdev, \"format error\\n\");\n\t\t\tbreak;\n\t\t}\n\n\t\tmsg = (struct mcba_usb_msg *)(urb->transfer_buffer + pos);\n\t\tmcba_usb_process_rx(priv, msg);\n\n\t\tpos += sizeof(struct mcba_usb_msg);\n\t}\n\nresubmit_urb:\n\n\tusb_fill_bulk_urb(urb, priv->udev,\n\t\t\t usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_OUT),\n\t\t\t urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE,\n\t\t\t mcba_usb_read_bulk_callback, priv);\n\n\tretval = usb_submit_urb(urb, GFP_ATOMIC);\n\n\tif (retval == -ENODEV)\n\t\tnetif_device_detach(netdev);\n\telse if (retval)\n\t\tnetdev_err(netdev, \"failed resubmitting read bulk urb: %d\\n\",\n\t\t\t retval);\n}", "project": "linux", "hash": 208190292833943165204243409532616932390, "size": 57, "commit_id": 
"4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398319 }, { "func": "static void mcba_usb_process_can(struct mcba_priv *priv,\n\t\t\t\t struct mcba_usb_msg_can *msg)\n{\n\tstruct can_frame *cf;\n\tstruct sk_buff *skb;\n\tstruct net_device_stats *stats = &priv->netdev->stats;\n\tu16 sid;\n\n\tskb = alloc_can_skb(priv->netdev, &cf);\n\tif (!skb)\n\t\treturn;\n\n\tsid = get_unaligned_be16(&msg->sid);\n\n\tif (sid & MCBA_SIDL_EXID_MASK) {\n\t\t/* SIDH | SIDL | EIDH | EIDL\n\t\t * 28 - 21 | 20 19 18 x x x 17 16 | 15 - 8 | 7 - 0\n\t\t */\n\t\tcf->can_id = CAN_EFF_FLAG;\n\n\t\t/* store 28-18 bits */\n\t\tcf->can_id |= (sid & 0xffe0) << 13;\n\t\t/* store 17-16 bits */\n\t\tcf->can_id |= (sid & 3) << 16;\n\t\t/* store 15-0 bits */\n\t\tcf->can_id |= get_unaligned_be16(&msg->eid);\n\t} else {\n\t\t/* SIDH | SIDL\n\t\t * 10 - 3 | 2 1 0 x x x x x\n\t\t */\n\t\tcf->can_id = (sid & 0xffe0) >> 5;\n\t}\n\n\tif (msg->dlc & MCBA_DLC_RTR_MASK)\n\t\tcf->can_id |= CAN_RTR_FLAG;\n\n\tcf->can_dlc = get_can_dlc(msg->dlc & MCBA_DLC_MASK);\n\n\tmemcpy(cf->data, msg->data, cf->can_dlc);\n\n\tstats->rx_packets++;\n\tstats->rx_bytes += cf->can_dlc;\n\n\tcan_led_event(priv->netdev, CAN_LED_EVENT_RX);\n\tnetif_rx(skb);\n}", "project": "linux", "hash": 23500088538058214849151320036811999510, "size": 46, "commit_id": "4d6636498c41891d0482a914dd570343a838ad79", "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: 
stable # 4.12\nCc: Remigiusz Kołłątaj \nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold \nSigned-off-by: Marc Kleine-Budde ", "target": 0, "dataset": "other", "idx": 398309 } ] }, { "call_depth": 4, "longest_call_chain": [ "~XMLTree", "XMLTree", "read_internal", "xmlKeepBlanksDefault" ], "group_size": 7, "functions": [ { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLTree::read_internal(bool validate)\n{\n\t//shouldnt be used anywhere ATM, remove if so!\n\tassert(!validate);\n\n\tdelete _root;\n\t_root = 0;\n\n\tif (_doc) {\n\t\txmlFreeDoc (_doc);\n\t\t_doc = 0;\n\t}\n\n\t/* Calling this prevents libxml2 from treating whitespace as active\n\t nodes. It needs to be called before we create a parser context.\n\t*/\n\txmlKeepBlanksDefault(0);\n\n\t/* create a parser context */\n\txmlParserCtxtPtr ctxt = xmlNewParserCtxt();\n\tif (ctxt == NULL) {\n\t\treturn false;\n\t}\n\n\t/* parse the file, activating the DTD validation option */\n\tif (validate) {\n\t\t_doc = xmlCtxtReadFile(ctxt, _filename.c_str(), NULL, XML_PARSE_DTDVALID);\n\t} else {\n\t\t_doc = xmlCtxtReadFile(ctxt, _filename.c_str(), NULL, XML_PARSE_HUGE);\n\t}\n\n\t/* check if parsing suceeded */\n\tif (_doc == NULL) {\n\t\txmlFreeParserCtxt(ctxt);\n\t\treturn false;\n\t} else {\n\t\t/* check if validation suceeded */\n\t\tif (validate && ctxt->valid == 0) {\n\t\t\txmlFreeParserCtxt(ctxt);\n\t\t\tthrow XMLException(\"Failed to validate document \" + _filename);\n\t\t}\n\t}\n\n\t_root = readnode(xmlDocGetRootElement(_doc));\n\n\t/* free up the parser context */\n\txmlFreeParserCtxt(ctxt);\n\n\treturn true;\n}", "idx": 519661, "cwe": "CWE-416", "hash": 282602577873513987866733808663469843847, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLTree::debug(FILE* out) const\n{\n#ifdef LIBXML_DEBUG_ENABLED\n\txmlDocPtr doc;\n\tXMLNodeList 
children;\n\n\txmlKeepBlanksDefault(0);\n\tdoc = xmlNewDoc(xml_version);\n\txmlSetDocCompressMode(doc, _compression);\n\twritenode(doc, _root, doc->children, 1);\n\txmlDebugDumpDocument (out, doc);\n\txmlFreeDoc(doc);\n#endif\n}", "idx": 519654, "cwe": "CWE-416", "hash": 334502150140909691035425169234400980067, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLTree::write_buffer() const\n{\n\tstatic string retval;\n\tchar* ptr;\n\tint len;\n\txmlDocPtr doc;\n\tXMLNodeList children;\n\n\txmlKeepBlanksDefault(0);\n\tdoc = xmlNewDoc(xml_version);\n\txmlSetDocCompressMode(doc, _compression);\n\twritenode(doc, _root, doc->children, 1);\n\txmlDocDumpMemory(doc, (xmlChar **) & ptr, &len);\n\txmlFreeDoc(doc);\n\n\tretval = ptr;\n\n\tfree(ptr);\n\n\treturn retval;\n}", "idx": 519660, "cwe": "CWE-416", "hash": 171301428596270439461533586536560582745, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLTree::XMLTree(const XMLTree* from)\n\t: _filename(from->filename())\n\t, _root(new XMLNode(*from->root()))\n\t, _doc (xmlCopyDoc (from->_doc, 1))\n\t, _compression(from->compression())\n{\n\n}", "idx": 519655, "cwe": "CWE-416", "hash": 53368891784882751795675731221455930302, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLTree::XMLTree()\n\t: _filename()\n\t, _root(0)\n\t, _doc (0)\n\t, _compression(0)\n{\n}", "idx": 519659, "cwe": "CWE-416", "hash": 224251866575809493380432123093044529933, "dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLTree::XMLTree(const string& fn, bool validate)\n\t: _filename(fn)\n\t, _root(0)\n\t, _doc (0)\n\t, _compression(0)\n{\n\tread_internal(validate);\n}", "idx": 519685, "cwe": "CWE-416", "hash": 91833938841644286003486411581296346487, 
"dataset": "other" }, { "project": "ardour", "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6", "target": 0, "func": "XMLTree::~XMLTree()\n{\n\tdelete _root;\n\n\tif (_doc) {\n\t\txmlFreeDoc (_doc);\n\t}\n}", "idx": 519662, "cwe": "CWE-416", "hash": 148186101253235417727159463539179719047, "dataset": "other" } ] }, { "call_depth": 4, "longest_call_chain": [ "TracePath", "TraceArcPath", "TraceBezier", "CheckPrimitiveExtent" ], "group_size": 4, "functions": [ { "func": "static MagickBooleanType TraceBezier(MVGInfo *mvg_info,\n const size_t number_coordinates)\n{\n double\n alpha,\n *coefficients,\n weight;\n\n PointInfo\n end,\n point,\n *points;\n\n PrimitiveInfo\n *primitive_info;\n\n PrimitiveInfo\n *p;\n\n ssize_t\n i,\n j;\n\n size_t\n control_points,\n quantum;\n\n /*\n Allocate coefficients.\n */\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n quantum=number_coordinates;\n for (i=0; i < (ssize_t) number_coordinates; i++)\n {\n for (j=i+1; j < (ssize_t) number_coordinates; j++)\n {\n alpha=fabs(primitive_info[j].point.x-primitive_info[i].point.x);\n if (alpha > (double) MAGICK_SSIZE_MAX)\n {\n (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n return(MagickFalse);\n }\n if (alpha > (double) quantum)\n quantum=(size_t) alpha;\n alpha=fabs(primitive_info[j].point.y-primitive_info[i].point.y);\n if (alpha > (double) MAGICK_SSIZE_MAX)\n {\n (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n return(MagickFalse);\n }\n if (alpha > (double) quantum)\n quantum=(size_t) alpha;\n }\n }\n coefficients=(double *) AcquireQuantumMemory(number_coordinates,\n sizeof(*coefficients));\n quantum=MagickMin(quantum/number_coordinates,BezierQuantum);\n points=(PointInfo *) AcquireQuantumMemory(quantum,number_coordinates*\n sizeof(*points));\n if ((coefficients == (double *) NULL) || (points == 
(PointInfo *) NULL))\n {\n if (points != (PointInfo *) NULL)\n points=(PointInfo *) RelinquishMagickMemory(points);\n if (coefficients != (double *) NULL)\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n return(MagickFalse);\n }\n control_points=quantum*number_coordinates;\n if (CheckPrimitiveExtent(mvg_info,(double) control_points+1) == MagickFalse)\n {\n points=(PointInfo *) RelinquishMagickMemory(points);\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n return(MagickFalse);\n }\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n /*\n Compute bezier points.\n */\n end=primitive_info[number_coordinates-1].point;\n for (i=0; i < (ssize_t) number_coordinates; i++)\n coefficients[i]=Permutate((ssize_t) number_coordinates-1,i);\n weight=0.0;\n for (i=0; i < (ssize_t) control_points; i++)\n {\n p=primitive_info;\n point.x=0.0;\n point.y=0.0;\n alpha=pow((double) (1.0-weight),(double) number_coordinates-1.0);\n for (j=0; j < (ssize_t) number_coordinates; j++)\n {\n point.x+=alpha*coefficients[j]*p->point.x;\n point.y+=alpha*coefficients[j]*p->point.y;\n alpha*=weight/(1.0-weight);\n p++;\n }\n points[i]=point;\n weight+=1.0/control_points;\n }\n /*\n Bezier curves are just short segmented polys.\n */\n p=primitive_info;\n for (i=0; i < (ssize_t) control_points; i++)\n {\n if (TracePoint(p,points[i]) == MagickFalse)\n {\n points=(PointInfo *) RelinquishMagickMemory(points);\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n return(MagickFalse);\n }\n p+=p->coordinates;\n }\n if (TracePoint(p,end) == MagickFalse)\n {\n points=(PointInfo *) RelinquishMagickMemory(points);\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n return(MagickFalse);\n }\n p+=p->coordinates;\n primitive_info->coordinates=(size_t) (p-primitive_info);\n 
primitive_info->closed_subpath=MagickFalse;\n for (i=0; i < (ssize_t) primitive_info->coordinates; i++)\n {\n p->primitive=primitive_info->primitive;\n p--;\n }\n points=(PointInfo *) RelinquishMagickMemory(points);\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n return(MagickTrue);\n}", "project": "ImageMagick6", "hash": 253553152437105555548461944081055352860, "size": 134, "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89", "message": "https://github.com/ImageMagick/ImageMagick/issues/3339", "target": 0, "dataset": "other", "idx": 316674 }, { "func": "static ssize_t TracePath(Image *image,MVGInfo *mvg_info,const char *path)\n{\n char\n *next_token,\n token[MaxTextExtent];\n\n const char\n *p;\n\n double\n x,\n y;\n\n int\n attribute,\n last_attribute;\n\n MagickStatusType\n status;\n\n PointInfo\n end = {0.0, 0.0},\n points[4] = { {0.0, 0.0}, {0.0, 0.0}, {0.0, 0.0}, {0.0, 0.0} },\n point = {0.0, 0.0},\n start = {0.0, 0.0};\n\n PrimitiveInfo\n *primitive_info;\n\n PrimitiveType\n primitive_type;\n\n PrimitiveInfo\n *q;\n\n ssize_t\n i;\n\n size_t\n number_coordinates,\n z_count;\n\n ssize_t\n subpath_offset;\n\n subpath_offset=mvg_info->offset;\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n status=MagickTrue;\n attribute=0;\n number_coordinates=0;\n z_count=0;\n primitive_type=primitive_info->primitive;\n q=primitive_info;\n for (p=path; *p != '\\0'; )\n {\n if (status == MagickFalse)\n break;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == '\\0')\n break;\n last_attribute=attribute;\n attribute=(int) (*p++);\n switch (attribute)\n {\n case 'a':\n case 'A':\n {\n double\n angle = 0.0;\n\n MagickBooleanType\n large_arc = MagickFalse,\n sweep = MagickFalse;\n\n PointInfo\n arc = {0.0, 0.0};\n\n /*\n Elliptical arc.\n */\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n arc.x=GetDrawValue(token,&next_token);\n if (token == 
next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n arc.y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n angle=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n large_arc=StringToLong(token) != 0 ? MagickTrue : MagickFalse;\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n sweep=StringToLong(token) != 0 ? MagickTrue : MagickFalse;\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n end.x=(double) (attribute == (int) 'A' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'A' ? 
y : point.y+y);\n status&=TraceArcPath(mvg_info,point,end,arc,angle,large_arc,sweep);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'c':\n case 'C':\n {\n /*\n Cubic Bézier curve.\n */\n do\n {\n points[0]=point;\n for (i=1; i < 4; i++)\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n end.x=(double) (attribute == (int) 'C' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'C' ? y : point.y+y);\n points[i]=end;\n }\n for (i=0; i < 4; i++)\n (q+i)->point=points[i];\n if (TraceBezier(mvg_info,4) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'H':\n case 'h':\n {\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n point.x=(double) (attribute == (int) 'H' ? 
x: point.x+x);\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'l':\n case 'L':\n {\n /*\n Line to.\n */\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n point.x=(double) (attribute == (int) 'L' ? x : point.x+x);\n point.y=(double) (attribute == (int) 'L' ? 
y : point.y+y);\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'M':\n case 'm':\n {\n /*\n Move to.\n */\n if (mvg_info->offset != subpath_offset)\n {\n primitive_info=(*mvg_info->primitive_info)+subpath_offset;\n primitive_info->coordinates=(size_t) (q-primitive_info);\n number_coordinates+=primitive_info->coordinates;\n primitive_info=q;\n subpath_offset=mvg_info->offset;\n }\n i=0;\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n point.x=(double) (attribute == (int) 'M' ? x : point.x+x);\n point.y=(double) (attribute == (int) 'M' ? 
y : point.y+y);\n if (i == 0)\n start=point;\n i++;\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'q':\n case 'Q':\n {\n /*\n Quadratic Bézier curve.\n */\n do\n {\n points[0]=point;\n for (i=1; i < 3; i++)\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n if (*p == ',')\n p++;\n end.x=(double) (attribute == (int) 'Q' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'Q' ? 
y : point.y+y);\n points[i]=end;\n }\n for (i=0; i < 3; i++)\n (q+i)->point=points[i];\n if (TraceBezier(mvg_info,3) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 's':\n case 'S':\n {\n /*\n Cubic Bézier curve.\n */\n do\n {\n points[0]=points[3];\n points[1].x=2.0*points[3].x-points[2].x;\n points[1].y=2.0*points[3].y-points[2].y;\n for (i=2; i < 4; i++)\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n if (*p == ',')\n p++;\n end.x=(double) (attribute == (int) 'S' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'S' ? 
y : point.y+y);\n points[i]=end;\n }\n if (strchr(\"CcSs\",last_attribute) == (char *) NULL)\n {\n points[0]=point;\n points[1]=point;\n }\n for (i=0; i < 4; i++)\n (q+i)->point=points[i];\n if (TraceBezier(mvg_info,4) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n last_attribute=attribute;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 't':\n case 'T':\n {\n /*\n Quadratic Bézier curve.\n */\n do\n {\n points[0]=points[2];\n points[1].x=2.0*points[2].x-points[1].x;\n points[1].y=2.0*points[2].y-points[1].y;\n for (i=2; i < 3; i++)\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n end.x=(double) (attribute == (int) 'T' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'T' ? 
y : point.y+y);\n points[i]=end;\n }\n if (status == MagickFalse)\n break;\n if (strchr(\"QqTt\",last_attribute) == (char *) NULL)\n {\n points[0]=point;\n points[1]=point;\n }\n for (i=0; i < 3; i++)\n (q+i)->point=points[i];\n if (TraceBezier(mvg_info,3) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n last_attribute=attribute;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'v':\n case 'V':\n {\n /*\n Line to.\n */\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n point.y=(double) (attribute == (int) 'V' ? y : point.y+y);\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'z':\n case 'Z':\n {\n /*\n Close path.\n */\n point=start;\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n primitive_info=(*mvg_info->primitive_info)+subpath_offset;\n primitive_info->coordinates=(size_t) (q-primitive_info);\n primitive_info->closed_subpath=MagickTrue;\n number_coordinates+=primitive_info->coordinates;\n primitive_info=q;\n subpath_offset=mvg_info->offset;\n z_count++;\n break;\n }\n default:\n {\n ThrowPointExpectedException(image,token);\n break;\n }\n }\n }\n if 
(status == MagickFalse)\n return(-1);\n primitive_info=(*mvg_info->primitive_info)+subpath_offset;\n primitive_info->coordinates=(size_t) (q-primitive_info);\n number_coordinates+=primitive_info->coordinates;\n for (i=0; i < (ssize_t) number_coordinates; i++)\n {\n q--;\n q->primitive=primitive_type;\n if (z_count > 1)\n q->method=FillToBorderMethod;\n }\n q=primitive_info;\n return((ssize_t) number_coordinates);\n}", "project": "ImageMagick6", "hash": 62329487104930950764409643756974280736, "size": 511, "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89", "message": "https://github.com/ImageMagick/ImageMagick/issues/3339", "target": 0, "dataset": "other", "idx": 316671 }, { "func": "static MagickBooleanType CheckPrimitiveExtent(MVGInfo *mvg_info,\n const double pad)\n{\n double\n extent;\n\n size_t\n quantum;\n\n /*\n Check if there is enough storage for drawing pimitives.\n */\n quantum=sizeof(**mvg_info->primitive_info);\n extent=(double) mvg_info->offset+pad+PrimitiveExtentPad*quantum+1.0;\n if (extent <= (double) *mvg_info->extent)\n return(MagickTrue);\n if (extent == (double) CastDoubleToLong(extent))\n {\n *mvg_info->primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(\n *mvg_info->primitive_info,(size_t) extent,quantum);\n if (*mvg_info->primitive_info != (PrimitiveInfo *) NULL)\n {\n ssize_t\n i;\n\n *mvg_info->extent=(size_t) extent;\n for (i=mvg_info->offset+1; i < (ssize_t) extent; i++)\n (*mvg_info->primitive_info)[i].primitive=UndefinedPrimitive;\n return(MagickTrue);\n }\n }\n /*\n Reallocation failed, allocate a primitive to facilitate unwinding.\n */\n if (*mvg_info->primitive_info != (PrimitiveInfo *) NULL)\n *mvg_info->primitive_info=(PrimitiveInfo *) RelinquishMagickMemory(\n *mvg_info->primitive_info);\n (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n *mvg_info->primitive_info=(PrimitiveInfo *) AcquireCriticalMemory(\n (size_t) 
(PrimitiveExtentPad*quantum));\n (void) memset(*mvg_info->primitive_info,0,(size_t)\n (PrimitiveExtentPad*quantum));\n *mvg_info->extent=1;\n return(MagickFalse);\n}", "project": "ImageMagick6", "hash": 255673321032456110218431166205636735831, "size": 46, "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89", "message": "https://github.com/ImageMagick/ImageMagick/issues/3339", "target": 0, "dataset": "other", "idx": 316684 }, { "func": "static MagickBooleanType TraceArcPath(MVGInfo *mvg_info,const PointInfo start,\n const PointInfo end,const PointInfo arc,const double angle,\n const MagickBooleanType large_arc,const MagickBooleanType sweep)\n{\n double\n alpha,\n beta,\n delta,\n factor,\n gamma,\n theta;\n\n MagickStatusType\n status;\n\n PointInfo\n center,\n points[3],\n radii;\n\n double\n cosine,\n sine;\n\n PrimitiveInfo\n *primitive_info;\n\n PrimitiveInfo\n *p;\n\n ssize_t\n i;\n\n size_t\n arc_segments;\n\n ssize_t\n offset;\n\n offset=mvg_info->offset;\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n primitive_info->coordinates=0;\n if ((fabs(start.x-end.x) < MagickEpsilon) &&\n (fabs(start.y-end.y) < MagickEpsilon))\n return(TracePoint(primitive_info,end));\n radii.x=fabs(arc.x);\n radii.y=fabs(arc.y);\n if ((radii.x < MagickEpsilon) || (radii.y < MagickEpsilon))\n return(TraceLine(primitive_info,start,end));\n cosine=cos(DegreesToRadians(fmod((double) angle,360.0)));\n sine=sin(DegreesToRadians(fmod((double) angle,360.0)));\n center.x=(double) (cosine*(end.x-start.x)/2+sine*(end.y-start.y)/2);\n center.y=(double) (cosine*(end.y-start.y)/2-sine*(end.x-start.x)/2);\n delta=(center.x*center.x)/(radii.x*radii.x)+(center.y*center.y)/\n (radii.y*radii.y);\n if (delta < MagickEpsilon)\n return(TraceLine(primitive_info,start,end));\n if (delta > 1.0)\n {\n radii.x*=sqrt((double) delta);\n radii.y*=sqrt((double) delta);\n }\n points[0].x=(double) (cosine*start.x/radii.x+sine*start.y/radii.x);\n points[0].y=(double) 
(cosine*start.y/radii.y-sine*start.x/radii.y);\n points[1].x=(double) (cosine*end.x/radii.x+sine*end.y/radii.x);\n points[1].y=(double) (cosine*end.y/radii.y-sine*end.x/radii.y);\n alpha=points[1].x-points[0].x;\n beta=points[1].y-points[0].y;\n if (fabs(alpha*alpha+beta*beta) < MagickEpsilon)\n return(TraceLine(primitive_info,start,end));\n factor=PerceptibleReciprocal(alpha*alpha+beta*beta)-0.25;\n if (factor <= 0.0)\n factor=0.0;\n else\n {\n factor=sqrt((double) factor);\n if (sweep == large_arc)\n factor=(-factor);\n }\n center.x=(double) ((points[0].x+points[1].x)/2-factor*beta);\n center.y=(double) ((points[0].y+points[1].y)/2+factor*alpha);\n alpha=atan2(points[0].y-center.y,points[0].x-center.x);\n theta=atan2(points[1].y-center.y,points[1].x-center.x)-alpha;\n if ((theta < 0.0) && (sweep != MagickFalse))\n theta+=2.0*MagickPI;\n else\n if ((theta > 0.0) && (sweep == MagickFalse))\n theta-=2.0*MagickPI;\n arc_segments=(size_t) CastDoubleToLong(ceil(fabs((double) (theta/(0.5*\n MagickPI+MagickEpsilon)))));\n p=primitive_info;\n status=MagickTrue;\n for (i=0; i < (ssize_t) arc_segments; i++)\n {\n beta=0.5*((alpha+(i+1)*theta/arc_segments)-(alpha+i*theta/arc_segments));\n gamma=(8.0/3.0)*sin(fmod((double) (0.5*beta),DegreesToRadians(360.0)))*\n sin(fmod((double) (0.5*beta),DegreesToRadians(360.0)))/\n sin(fmod((double) beta,DegreesToRadians(360.0)));\n points[0].x=(double) (center.x+cos(fmod((double) (alpha+(double) i*theta/\n arc_segments),DegreesToRadians(360.0)))-gamma*sin(fmod((double) (alpha+\n (double) i*theta/arc_segments),DegreesToRadians(360.0))));\n points[0].y=(double) (center.y+sin(fmod((double) (alpha+(double) i*theta/\n arc_segments),DegreesToRadians(360.0)))+gamma*cos(fmod((double) (alpha+\n (double) i*theta/arc_segments),DegreesToRadians(360.0))));\n points[2].x=(double) (center.x+cos(fmod((double) (alpha+(double) (i+1)*\n theta/arc_segments),DegreesToRadians(360.0))));\n points[2].y=(double) (center.y+sin(fmod((double) (alpha+(double) 
(i+1)*\n theta/arc_segments),DegreesToRadians(360.0))));\n points[1].x=(double) (points[2].x+gamma*sin(fmod((double) (alpha+(double)\n (i+1)*theta/arc_segments),DegreesToRadians(360.0))));\n points[1].y=(double) (points[2].y-gamma*cos(fmod((double) (alpha+(double)\n (i+1)*theta/arc_segments),DegreesToRadians(360.0))));\n p->point.x=(p == primitive_info) ? start.x : (p-1)->point.x;\n p->point.y=(p == primitive_info) ? start.y : (p-1)->point.y;\n (p+1)->point.x=(double) (cosine*radii.x*points[0].x-sine*radii.y*\n points[0].y);\n (p+1)->point.y=(double) (sine*radii.x*points[0].x+cosine*radii.y*\n points[0].y);\n (p+2)->point.x=(double) (cosine*radii.x*points[1].x-sine*radii.y*\n points[1].y);\n (p+2)->point.y=(double) (sine*radii.x*points[1].x+cosine*radii.y*\n points[1].y);\n (p+3)->point.x=(double) (cosine*radii.x*points[2].x-sine*radii.y*\n points[2].y);\n (p+3)->point.y=(double) (sine*radii.x*points[2].x+cosine*radii.y*\n points[2].y);\n if (i == (ssize_t) (arc_segments-1))\n (p+3)->point=end;\n status&=TraceBezier(mvg_info,4);\n if (status == 0)\n break;\n p=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=p->coordinates;\n p+=p->coordinates;\n }\n if (status == 0)\n return(MagickFalse);\n mvg_info->offset=offset;\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n primitive_info->coordinates=(size_t) (p-primitive_info);\n primitive_info->closed_subpath=MagickFalse;\n for (i=0; i < (ssize_t) primitive_info->coordinates; i++)\n {\n p->primitive=primitive_info->primitive;\n p--;\n }\n return(MagickTrue);\n}", "project": "ImageMagick6", "hash": 73304484946342503190438339501963101627, "size": 148, "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89", "message": "https://github.com/ImageMagick/ImageMagick/issues/3339", "target": 0, "dataset": "other", "idx": 316677 } ] }, { "call_depth": 4, "longest_call_chain": [ "LookupMapping", "Is", "LookupPredicate", "GetEntry" ], "group_size": 12, "functions": [ { "func": "bool 
ConnectorPunctuation::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kConnectorPunctuationTable0,\n kConnectorPunctuationTable0Size,\n c);\n case 1: return LookupPredicate(kConnectorPunctuationTable1,\n kConnectorPunctuationTable1Size,\n c);\n case 7: return LookupPredicate(kConnectorPunctuationTable7,\n kConnectorPunctuationTable7Size,\n c);\n default: return false;\n }\n}", "project": "node", "hash": 202309568264926344252895605229406286309, "size": 15, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385615 }, { "func": "bool LineTerminator::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kLineTerminatorTable0,\n kLineTerminatorTable0Size,\n c);\n case 1: return LookupPredicate(kLineTerminatorTable1,\n kLineTerminatorTable1Size,\n c);\n default: return false;\n }\n}", "project": "node", "hash": 306437122167880868973874944545895682089, "size": 12, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385617 }, { "func": "bool CombiningMark::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kCombiningMarkTable0,\n kCombiningMarkTable0Size,\n c);\n case 1: return LookupPredicate(kCombiningMarkTable1,\n kCombiningMarkTable1Size,\n c);\n case 5: return LookupPredicate(kCombiningMarkTable5,\n kCombiningMarkTable5Size,\n c);\n case 7: return LookupPredicate(kCombiningMarkTable7,\n kCombiningMarkTable7Size,\n c);\n default: return false;\n }\n}", "project": "node", "hash": 328032147315409575724163176042780543029, "size": 18, "commit_id": 
"78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385621 }, { "func": "bool Letter::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kLetterTable0,\n kLetterTable0Size,\n c);\n case 1: return LookupPredicate(kLetterTable1,\n kLetterTable1Size,\n c);\n case 2: return LookupPredicate(kLetterTable2,\n kLetterTable2Size,\n c);\n case 3: return LookupPredicate(kLetterTable3,\n kLetterTable3Size,\n c);\n case 4: return LookupPredicate(kLetterTable4,\n kLetterTable4Size,\n c);\n case 5: return LookupPredicate(kLetterTable5,\n kLetterTable5Size,\n c);\n case 6: return LookupPredicate(kLetterTable6,\n kLetterTable6Size,\n c);\n case 7: return LookupPredicate(kLetterTable7,\n kLetterTable7Size,\n c);\n default: return false;\n }\n}", "project": "node", "hash": 261501930601033643558167397141148141264, "size": 30, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385624 }, { "func": "bool WhiteSpace::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kWhiteSpaceTable0,\n kWhiteSpaceTable0Size,\n c);\n case 1: return LookupPredicate(kWhiteSpaceTable1,\n kWhiteSpaceTable1Size,\n c);\n default: return false;\n }\n}", "project": "node", "hash": 28982256808811187234009115524577390228, "size": 12, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385625 }, { "func": "bool Lowercase::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return 
LookupPredicate(kLowercaseTable0,\n kLowercaseTable0Size,\n c);\n case 1: return LookupPredicate(kLowercaseTable1,\n kLowercaseTable1Size,\n c);\n case 5: return LookupPredicate(kLowercaseTable5,\n kLowercaseTable5Size,\n c);\n case 7: return LookupPredicate(kLowercaseTable7,\n kLowercaseTable7Size,\n c);\n default: return false;\n }\n}", "project": "node", "hash": 306415318189567837801821641777240489698, "size": 18, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385634 }, { "func": "bool Uppercase::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kUppercaseTable0,\n kUppercaseTable0Size,\n c);\n case 1: return LookupPredicate(kUppercaseTable1,\n kUppercaseTable1Size,\n c);\n case 5: return LookupPredicate(kUppercaseTable5,\n kUppercaseTable5Size,\n c);\n case 7: return LookupPredicate(kUppercaseTable7,\n kUppercaseTable7Size,\n c);\n default: return false;\n }\n}", "project": "node", "hash": 198484716824470869928393300848719870852, "size": 18, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385641 }, { "func": "bool Number::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kNumberTable0,\n kNumberTable0Size,\n c);\n case 5: return LookupPredicate(kNumberTable5,\n kNumberTable5Size,\n c);\n case 7: return LookupPredicate(kNumberTable7,\n kNumberTable7Size,\n c);\n default: return false;\n }\n}", "project": "node", "hash": 194474308187196058350851767952097962021, "size": 15, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: 
Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385642 }, { "func": "static inline bool IsStart(int32_t entry) {\n return (entry & kStartBit) != 0;\n}", "project": "node", "hash": 315163817663965948278730766709240714257, "size": 3, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385607 }, { "func": "static int LookupMapping(const int32_t* table,\n uint16_t size,\n const MultiCharacterSpecialCase* multi_chars,\n uchar chr,\n uchar next,\n uchar* result,\n bool* allow_caching_ptr) {\n static const int kEntryDist = 2;\n uint16_t key = chr & (kChunkBits - 1);\n uint16_t chunk_start = chr - key;\n unsigned int low = 0;\n unsigned int high = size - 1;\n while (high != low) {\n unsigned int mid = low + ((high - low) >> 1);\n uchar current_value = GetEntry(TableGet(table, mid));\n // If we've found an entry less than or equal to this one, and the next one\n // is not also less than this one, we've arrived.\n if ((current_value <= key) &&\n (mid + 1 == size ||\n GetEntry(TableGet(table, mid + 1)) > key)) {\n low = mid;\n break;\n } else if (current_value < key) {\n low = mid + 1;\n } else if (current_value > key) {\n // If we've just checked the bottom-most value and it's not\n // the one we're looking for, we're done.\n if (mid == 0) break;\n high = mid - 1;\n }\n }\n int32_t field = TableGet(table, low);\n uchar entry = GetEntry(field);\n bool is_start = IsStart(field);\n bool found = (entry == key) || (entry < key && is_start);\n if (found) {\n int32_t value = table[2 * low + 1];\n if (value == 0) {\n // 0 means not present\n return 0;\n } else if ((value & 3) == 0) {\n // Low bits 0 means a constant offset from the given character.\n if (ranges_are_linear) {\n result[0] = chr + (value >> 2);\n } else {\n result[0] = entry + chunk_start + (value >> 2);\n }\n 
return 1;\n } else if ((value & 3) == 1) {\n // Low bits 1 means a special case mapping\n if (allow_caching_ptr) *allow_caching_ptr = false;\n const MultiCharacterSpecialCase& mapping = multi_chars[value >> 2];\n int length = 0;\n for (length = 0; length < kW; length++) {\n uchar mapped = mapping.chars[length];\n if (mapped == MultiCharacterSpecialCase::kEndOfEncoding) break;\n if (ranges_are_linear) {\n result[length] = mapped + (key - entry);\n } else {\n result[length] = mapped;\n }\n }\n return length;\n } else {\n // Low bits 2 means a really really special case\n if (allow_caching_ptr) *allow_caching_ptr = false;\n // The cases of this switch are defined in unicode.py in the\n // really_special_cases mapping.\n switch (value >> 2) {\n case 1:\n // Really special case 1: upper case sigma. This letter\n // converts to two different lower case sigmas depending on\n // whether or not it occurs at the end of a word.\n if (next != 0 && Letter::Is(next)) {\n result[0] = 0x03C3;\n } else {\n result[0] = 0x03C2;\n }\n return 1;\n default:\n return 0;\n }\n return -1;\n }\n } else {\n return 0;\n }\n}", "project": "node", "hash": 168409440951517601081803230671729981840, "size": 88, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385609 }, { "func": "static bool LookupPredicate(const int32_t* table, uint16_t size, uchar chr) {\n static const int kEntryDist = 1;\n uint16_t value = chr & (kChunkBits - 1);\n unsigned int low = 0;\n unsigned int high = size - 1;\n while (high != low) {\n unsigned int mid = low + ((high - low) >> 1);\n uchar current_value = GetEntry(TableGet(table, mid));\n // If we've found an entry less than or equal to this one, and the\n // next one is not also less than this one, we've arrived.\n if ((current_value <= value) &&\n (mid + 1 == size ||\n GetEntry(TableGet(table, 
mid + 1)) > value)) {\n low = mid;\n break;\n } else if (current_value < value) {\n low = mid + 1;\n } else if (current_value > value) {\n // If we've just checked the bottom-most value and it's not\n // the one we're looking for, we're done.\n if (mid == 0) break;\n high = mid - 1;\n }\n }\n int32_t field = TableGet(table, low);\n uchar entry = GetEntry(field);\n bool is_start = IsStart(field);\n return (entry == value) || (entry < value && is_start);\n}", "project": "node", "hash": 242960315321535601813901942046283298330, "size": 29, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385635 }, { "func": "static inline uchar GetEntry(int32_t entry) {\n return entry & (kStartBit - 1);\n}", "project": "node", "hash": 249940707140760292065099100293212879734, "size": 3, "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6", "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves \n\nReviewed-By: Trevor Norris ", "target": 0, "dataset": "other", "idx": 385628 } ] }, { "call_depth": 4, "longest_call_chain": [ "ReadAnimatedWEBPImage", "ReadSingleWEBPImage", "IsWEBPImageLossless", "ReadWebPLSBWord" ], "group_size": 6, "functions": [ { "func": "static int ReadAnimatedWEBPImage(const ImageInfo *image_info,Image *image,\n uint8_t *stream,size_t length,WebPDecoderConfig *configure,\n ExceptionInfo *exception)\n{\n Image\n *original_image;\n\n int\n image_count,\n webp_status;\n\n size_t\n canvas_width,\n canvas_height;\n\n WebPData\n data;\n\n WebPDemuxer\n *demux;\n\n WebPIterator\n iter;\n\n image_count=0;\n webp_status=0;\n original_image=image;\n webp_status=FillBasicWEBPInfo(image,stream,length,configure);\n canvas_width=image->columns;\n canvas_height=image->rows;\n data.bytes=stream;\n data.size=length;\n {\n WebPMux\n *mux;\n\n WebPMuxAnimParams\n 
params;\n\n WebPMuxError\n status;\n\n mux=WebPMuxCreate(&data,0);\n status=WebPMuxGetAnimationParams(mux,&params);\n if (status >= 0)\n image->iterations=params.loop_count;\n WebPMuxDelete(mux);\n }\n demux=WebPDemux(&data);\n if (WebPDemuxGetFrame(demux,1,&iter)) {\n do {\n if (image_count != 0)\n {\n AcquireNextImage(image_info,image);\n if (GetNextImageInList(image) == (Image *) NULL)\n break;\n image=SyncNextImageInList(image);\n CloneImageProperties(image, original_image);\n image->page.x=iter.x_offset;\n image->page.y=iter.y_offset;\n webp_status=ReadSingleWEBPImage(image,iter.fragment.bytes,\n iter.fragment.size,configure,exception,MagickFalse);\n }\n else\n {\n image->page.x=iter.x_offset;\n image->page.y=iter.y_offset;\n webp_status=ReadSingleWEBPImage(image,iter.fragment.bytes,\n iter.fragment.size,configure,exception,MagickTrue);\n }\n if (webp_status != VP8_STATUS_OK)\n break;\n\n image->page.width=canvas_width;\n image->page.height=canvas_height;\n image->ticks_per_second=100;\n image->delay=iter.duration/10;\n image->dispose=NoneDispose;\n if (iter.dispose_method == WEBP_MUX_DISPOSE_BACKGROUND)\n image->dispose=BackgroundDispose;\n image_count++;\n } while (WebPDemuxNextFrame(&iter));\n WebPDemuxReleaseIterator(&iter);\n }\n WebPDemuxDelete(demux);\n return(webp_status);\n}", "project": "ImageMagick6", "hash": 289808360935285124131109024761867440086, "size": 87, "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca", "message": "https://github.com/ImageMagick/ImageMagick/issues/3176", "target": 0, "dataset": "other", "idx": 370810 }, { "func": "static int ReadSingleWEBPImage(Image *image,const uint8_t *stream,\n size_t length,WebPDecoderConfig *configure,ExceptionInfo *exception,\n MagickBooleanType is_first)\n{\n int\n webp_status;\n\n unsigned char\n *p;\n\n size_t\n canvas_width,\n canvas_height,\n image_width,\n image_height;\n\n ssize_t\n x_offset,\n y_offset,\n y;\n\n WebPDecBuffer\n *magick_restrict webp_image = &configure->output;\n\n 
MagickBooleanType\n status;\n\n if (is_first)\n {\n canvas_width=image->columns;\n canvas_height=image->rows;\n x_offset=image->page.x;\n y_offset=image->page.y;\n image->page.x=0;\n image->page.y=0;\n }\n else\n {\n x_offset=0;\n y_offset=0;\n }\n webp_status=FillBasicWEBPInfo(image,stream,length,configure);\n image_width=image->columns;\n image_height=image->rows;\n if (is_first)\n {\n image->columns=canvas_width;\n image->rows=canvas_height;\n }\n\n if (webp_status != VP8_STATUS_OK)\n return(webp_status);\n\n if (IsWEBPImageLossless(stream,length) != MagickFalse)\n image->quality=100;\n\n webp_status=WebPDecode(stream,length,configure);\n if (webp_status != VP8_STATUS_OK)\n return(webp_status);\n\n p=(unsigned char *) webp_image->u.RGBA.rgba;\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n PixelPacket\n *q;\n\n ssize_t\n x;\n\n q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);\n if (q == (PixelPacket *) NULL)\n break;\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n if ((x >= x_offset && x < (ssize_t) (x_offset+image_width)) &&\n (y >= y_offset && y < (ssize_t) (y_offset+image_height)))\n {\n SetPixelRed(q,ScaleCharToQuantum(*p++));\n SetPixelGreen(q,ScaleCharToQuantum(*p++));\n SetPixelBlue(q,ScaleCharToQuantum(*p++));\n SetPixelAlpha(q,ScaleCharToQuantum(*p++));\n }\n else\n {\n SetPixelRed(q,0);\n SetPixelGreen(q,0);\n SetPixelBlue(q,0);\n SetPixelAlpha(q,0);\n }\n q++;\n }\n if (SyncAuthenticPixels(image,exception) == MagickFalse)\n break;\n status=SetImageProgress(image,LoadImageTag,(MagickOffsetType) y,\n image->rows);\n if (status == MagickFalse)\n break;\n }\n WebPFreeDecBuffer(webp_image);\n#if defined(MAGICKCORE_WEBPMUX_DELEGATE)\n {\n StringInfo\n *profile;\n\n uint32_t\n webp_flags = 0;\n\n WebPData\n chunk,\n content;\n\n WebPMux\n *mux;\n\n /*\n Extract any profiles:\n https://developers.google.com/speed/webp/docs/container-api.\n */\n content.bytes=stream;\n content.size=length;\n mux=WebPMuxCreate(&content,0);\n (void) 
memset(&chunk,0,sizeof(chunk));\n WebPMuxGetFeatures(mux,&webp_flags);\n if (webp_flags & ICCP_FLAG)\n {\n WebPMuxGetChunk(mux,\"ICCP\",&chunk);\n profile=BlobToStringInfo(chunk.bytes,chunk.size);\n if (profile != (StringInfo *) NULL)\n {\n SetImageProfile(image,\"ICC\",profile);\n profile=DestroyStringInfo(profile);\n }\n }\n if (webp_flags & EXIF_FLAG)\n {\n WebPMuxGetChunk(mux,\"EXIF\",&chunk);\n profile=BlobToStringInfo(chunk.bytes,chunk.size);\n if (profile != (StringInfo *) NULL)\n {\n SetImageProfile(image,\"EXIF\",profile);\n profile=DestroyStringInfo(profile);\n }\n }\n if (webp_flags & XMP_FLAG)\n {\n WebPMuxGetChunk(mux,\"XMP\",&chunk);\n profile=BlobToStringInfo(chunk.bytes,chunk.size);\n if (profile != (StringInfo *) NULL)\n {\n SetImageProfile(image,\"XMP\",profile);\n profile=DestroyStringInfo(profile);\n }\n }\n WebPMuxDelete(mux);\n }\n#endif\n return(webp_status);\n}", "project": "ImageMagick6", "hash": 12820978203361235442107047469631362612, "size": 158, "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca", "message": "https://github.com/ImageMagick/ImageMagick/issues/3176", "target": 0, "dataset": "other", "idx": 370819 }, { "func": "static MagickBooleanType IsWEBPImageLossless(const unsigned char *stream,\n const size_t length)\n{\n#define VP8_CHUNK_INDEX 15\n#define LOSSLESS_FLAG 'L'\n#define EXTENDED_HEADER 'X'\n#define VP8_CHUNK_HEADER \"VP8\"\n#define VP8_CHUNK_HEADER_SIZE 3\n#define RIFF_HEADER_SIZE 12\n#define VP8X_CHUNK_SIZE 10\n#define TAG_SIZE 4\n#define CHUNK_SIZE_BYTES 4\n#define CHUNK_HEADER_SIZE 8\n#define MAX_CHUNK_PAYLOAD (~0U-CHUNK_HEADER_SIZE-1)\n\n size_t\n offset;\n\n /*\n Read simple header.\n */\n if (length <= VP8_CHUNK_INDEX)\n return(MagickFalse);\n if (stream[VP8_CHUNK_INDEX] != EXTENDED_HEADER)\n return(stream[VP8_CHUNK_INDEX] == LOSSLESS_FLAG ? 
MagickTrue : MagickFalse);\n /*\n Read extended header.\n */\n offset=RIFF_HEADER_SIZE+TAG_SIZE+CHUNK_SIZE_BYTES+VP8X_CHUNK_SIZE;\n while (offset <= (length-TAG_SIZE-TAG_SIZE-4))\n {\n uint32_t\n chunk_size,\n chunk_size_pad;\n\n chunk_size=ReadWebPLSBWord(stream+offset+TAG_SIZE);\n if (chunk_size > MAX_CHUNK_PAYLOAD)\n break;\n chunk_size_pad=(CHUNK_HEADER_SIZE+chunk_size+1) & ~1;\n if (memcmp(stream+offset,VP8_CHUNK_HEADER,VP8_CHUNK_HEADER_SIZE) == 0)\n return(*(stream+offset+VP8_CHUNK_HEADER_SIZE) == LOSSLESS_FLAG ?\n MagickTrue : MagickFalse);\n offset+=chunk_size_pad;\n }\n return(MagickFalse);\n}", "project": "ImageMagick6", "hash": 249079409081482155472943587192510982574, "size": 46, "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca", "message": "https://github.com/ImageMagick/ImageMagick/issues/3176", "target": 0, "dataset": "other", "idx": 370807 }, { "func": "static inline uint32_t ReadWebPLSBWord(\n const unsigned char *magick_restrict data)\n{\n const unsigned char\n *p;\n\n uint32_t\n value;\n\n p=data;\n value=(uint32_t) (*p++);\n value|=((uint32_t) (*p++)) << 8;\n value|=((uint32_t) (*p++)) << 16;\n value|=((uint32_t) (*p++)) << 24;\n return(value);\n}", "project": "ImageMagick6", "hash": 129894979533153289444697853065786467565, "size": 16, "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca", "message": "https://github.com/ImageMagick/ImageMagick/issues/3176", "target": 0, "dataset": "other", "idx": 370812 }, { "func": "static int FillBasicWEBPInfo(Image *image,const uint8_t *stream,size_t length,\n WebPDecoderConfig *configure)\n{\n WebPBitstreamFeatures\n *magick_restrict features = &configure->input;\n\n int\n webp_status;\n\n webp_status=WebPGetFeatures(stream,length,features);\n\n if (webp_status != VP8_STATUS_OK)\n return(webp_status);\n\n image->columns=(size_t) features->width;\n image->rows=(size_t) features->height;\n image->depth=8;\n image->matte=features->has_alpha != 0 ? 
MagickTrue : MagickFalse;\n\n return(webp_status);\n}", "project": "ImageMagick6", "hash": 88954484969752509702488546595380577529, "size": 21, "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca", "message": "https://github.com/ImageMagick/ImageMagick/issues/3176", "target": 0, "dataset": "other", "idx": 370815 }, { "func": "MagickExport void AcquireNextImage(const ImageInfo *image_info,Image *image)\n{\n /*\n Allocate image structure.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n image->next=AcquireImage(image_info);\n if (GetNextImageInList(image) == (Image *) NULL)\n return;\n (void) CopyMagickString(GetNextImageInList(image)->filename,image->filename,\n MaxTextExtent);\n if (image_info != (ImageInfo *) NULL)\n (void) CopyMagickString(GetNextImageInList(image)->filename,\n image_info->filename,MaxTextExtent);\n DestroyBlob(GetNextImageInList(image));\n image->next->blob=ReferenceBlob(image->blob);\n image->next->endian=image->endian;\n image->next->scene=image->scene+1;\n image->next->previous=image;\n}", "project": "ImageMagick6", "hash": 93917763940631088934569245499727034858, "size": 23, "commit_id": "27b1c74979ac473a430e266ff6c4b645664bc805", "message": "https://github.com/ImageMagick/ImageMagick/issues/1522", "target": 0, "dataset": "other", "idx": 438543 } ] }, { "call_depth": 4, "longest_call_chain": [ "uv__idna_toascii", "uv__idna_toascii_label", "uv__utf8_decode1", "uv__utf8_decode1_slow" ], "group_size": 5, "functions": [ { "func": "unsigned uv__utf8_decode1(const char** p, const char* pe) {\n unsigned a;\n\n assert(*p < pe);\n\n a = (unsigned char) *(*p)++;\n\n if (a < 128)\n return a; /* ASCII, common case. 
*/\n\n return uv__utf8_decode1_slow(p, pe, a);\n}", "project": "libuv", "hash": 260002193897560539801354049804924733762, "size": 12, "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae", "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn \nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig \nReviewed-By: Richard Lau ", "target": 0, "dataset": "other", "idx": 326147 }, { "func": "static unsigned uv__utf8_decode1_slow(const char** p,\n const char* pe,\n unsigned a) {\n unsigned b;\n unsigned c;\n unsigned d;\n unsigned min;\n\n if (a > 0xF7)\n return -1;\n\n switch (pe - *p) {\n default:\n if (a > 0xEF) {\n min = 0x10000;\n a = a & 7;\n b = (unsigned char) *(*p)++;\n c = (unsigned char) *(*p)++;\n d = (unsigned char) *(*p)++;\n break;\n }\n /* Fall through. */\n case 2:\n if (a > 0xDF) {\n min = 0x800;\n b = 0x80 | (a & 15);\n c = (unsigned char) *(*p)++;\n d = (unsigned char) *(*p)++;\n a = 0;\n break;\n }\n /* Fall through. */\n case 1:\n if (a > 0xBF) {\n min = 0x80;\n b = 0x80;\n c = 0x80 | (a & 31);\n d = (unsigned char) *(*p)++;\n a = 0;\n break;\n }\n /* Fall through. */\n case 0:\n return -1; /* Invalid continuation byte. */\n }\n\n if (0x80 != (0xC0 & (b ^ c ^ d)))\n return -1; /* Invalid sequence. */\n\n b &= 63;\n c &= 63;\n d &= 63;\n a = (a << 18) | (b << 12) | (c << 6) | d;\n\n if (a < min)\n return -1; /* Overlong sequence. */\n\n if (a > 0x10FFFF)\n return -1; /* Four-byte sequence > U+10FFFF. */\n\n if (a >= 0xD800 && a <= 0xDFFF)\n return -1; /* Surrogate pair. 
*/\n\n return a;\n}", "project": "libuv", "hash": 72519685169788066819829832758156410439, "size": 65, "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae", "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn \nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig \nReviewed-By: Richard Lau ", "target": 0, "dataset": "other", "idx": 326144 }, { "func": "long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {\n const char* si;\n const char* st;\n unsigned c;\n char* ds;\n int rc;\n\n ds = d;\n\n for (si = s; si < se; /* empty */) {\n st = si;\n c = uv__utf8_decode1(&si, se);\n\n if (c != '.')\n if (c != 0x3002) /* 。 */\n if (c != 0xFF0E) /* . */\n if (c != 0xFF61) /* 。 */\n continue;\n\n rc = uv__idna_toascii_label(s, st, &d, de);\n\n if (rc < 0)\n return rc;\n\n if (d < de)\n *d++ = '.';\n\n s = si;\n }\n\n if (s < se) {\n rc = uv__idna_toascii_label(s, se, &d, de);\n\n if (rc < 0)\n return rc;\n }\n\n if (d < de)\n *d++ = '\\0';\n\n return d - ds; /* Number of bytes written. */\n}", "project": "libuv", "hash": 330726136045724320865601654107082283716, "size": 42, "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae", "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. 
This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn \nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig \nReviewed-By: Richard Lau ", "target": 1, "dataset": "other", "idx": 201892 }, { "func": "long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {\n const char* si;\n const char* st;\n unsigned c;\n char* ds;\n int rc;\n\n ds = d;\n\n si = s;\n while (si < se) {\n st = si;\n c = uv__utf8_decode1(&si, se);\n\n if (c == -1u)\n return UV_EINVAL;\n\n if (c != '.')\n if (c != 0x3002) /* 。 */\n if (c != 0xFF0E) /* . */\n if (c != 0xFF61) /* 。 */\n continue;\n\n rc = uv__idna_toascii_label(s, st, &d, de);\n\n if (rc < 0)\n return rc;\n\n if (d < de)\n *d++ = '.';\n\n s = si;\n }\n\n if (s < se) {\n rc = uv__idna_toascii_label(s, se, &d, de);\n\n if (rc < 0)\n return rc;\n }\n\n if (d < de)\n *d++ = '\\0';\n\n return d - ds; /* Number of bytes written. */\n}", "project": "libuv", "hash": 143364374050282701014374410463146753253, "size": 46, "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae", "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. 
This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn \nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig \nReviewed-By: Richard Lau ", "target": 0, "dataset": "other", "idx": 326145 }, { "func": "static int uv__idna_toascii_label(const char* s, const char* se,\n char** d, char* de) {\n static const char alphabet[] = \"abcdefghijklmnopqrstuvwxyz0123456789\";\n const char* ss;\n unsigned c;\n unsigned h;\n unsigned k;\n unsigned n;\n unsigned m;\n unsigned q;\n unsigned t;\n unsigned x;\n unsigned y;\n unsigned bias;\n unsigned delta;\n unsigned todo;\n int first;\n\n h = 0;\n ss = s;\n todo = 0;\n\n /* Note: after this loop we've visited all UTF-8 characters and know\n * they're legal so we no longer need to check for decode errors.\n */\n while (s < se) {\n c = uv__utf8_decode1(&s, se);\n\n if (c == -1u)\n return UV_EINVAL;\n\n if (c < 128)\n h++;\n else\n todo++;\n }\n\n /* Only write \"xn--\" when there are non-ASCII characters. */\n if (todo > 0) {\n if (*d < de) *(*d)++ = 'x';\n if (*d < de) *(*d)++ = 'n';\n if (*d < de) *(*d)++ = '-';\n if (*d < de) *(*d)++ = '-';\n }\n\n /* Write ASCII characters. */\n x = 0;\n s = ss;\n while (s < se) {\n c = uv__utf8_decode1(&s, se);\n assert(c != -1u);\n\n if (c > 127)\n continue;\n\n if (*d < de)\n *(*d)++ = c;\n\n if (++x == h)\n break; /* Visited all ASCII characters. */\n }\n\n if (todo == 0)\n return h;\n\n /* Only write separator when we've written ASCII characters first. 
*/\n if (h > 0)\n if (*d < de)\n *(*d)++ = '-';\n\n n = 128;\n bias = 72;\n delta = 0;\n first = 1;\n\n while (todo > 0) {\n m = -1;\n s = ss;\n\n while (s < se) {\n c = uv__utf8_decode1(&s, se);\n assert(c != -1u);\n\n if (c >= n)\n if (c < m)\n m = c;\n }\n\n x = m - n;\n y = h + 1;\n\n if (x > ~delta / y)\n return UV_E2BIG; /* Overflow. */\n\n delta += x * y;\n n = m;\n\n s = ss;\n while (s < se) {\n c = uv__utf8_decode1(&s, se);\n assert(c != -1u);\n\n if (c < n)\n if (++delta == 0)\n return UV_E2BIG; /* Overflow. */\n\n if (c != n)\n continue;\n\n for (k = 36, q = delta; /* empty */; k += 36) {\n t = 1;\n\n if (k > bias)\n t = k - bias;\n\n if (t > 26)\n t = 26;\n\n if (q < t)\n break;\n\n /* TODO(bnoordhuis) Since 1 <= t <= 26 and therefore\n * 10 <= y <= 35, we can optimize the long division\n * into a table-based reciprocal multiplication.\n */\n x = q - t;\n y = 36 - t; /* 10 <= y <= 35 since 1 <= t <= 26. */\n q = x / y;\n t = t + x % y; /* 1 <= t <= 35 because of y. */\n\n if (*d < de)\n *(*d)++ = alphabet[t];\n }\n\n if (*d < de)\n *(*d)++ = alphabet[q];\n\n delta /= 2;\n\n if (first) {\n delta /= 350;\n first = 0;\n }\n\n /* No overflow check is needed because |delta| was just\n * divided by 2 and |delta+delta >= delta + delta/h|.\n */\n h++;\n delta += delta / h;\n\n for (bias = 0; delta > 35 * 26 / 2; bias += 36)\n delta /= 35;\n\n bias += 36 * delta / (delta + 38);\n delta = 0;\n todo--;\n }\n\n delta++;\n n++;\n }\n\n return 0;\n}", "project": "libuv", "hash": 310982531914031347427892235781871884660, "size": 164, "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae", "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. 
This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn \nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig \nReviewed-By: Richard Lau ", "target": 0, "dataset": "other", "idx": 326143 } ] } ] }