77787788779878087818782878387848785878687878788878987908791879287938794879587968797879887998800880188028803880488058806880788088809881088118812881388148815881688178818881988208821882288238824882588268827882888298830883188328833883488358836883788388839884088418842884388448845884688478848884988508851885288538854885588568857885888598860886188628863886488658866886788688869887088718872887388748875887688778878887988808881888288838884888588868887888888898890889188928893889488958896889788988899890089018902890389048905890689078908890989108911891289138914891589168917891889198920892189228923892489258926892789288929893089318932893389348935893689378938893989408941894289438944894589468947894889498950895189528953895489558956895789588959896089618962896389648965896689678968896989708971897289738974897589768977897889798980898189828983898489858986898789888989899089918992899389948995899689978998899990009001900290039004900590069007900890099010901190129013901490159016901790189019902090219022902390249025902690279028902990309031903290339034903590369037903890399040904190429043904490459046904790489049905090519052905390549055905690579058905990609061906290639064906590669067906890699070907190729073907490759076907790789079908090819082908390849085908690879088908990909091909290939094909590969097909890999100910191029103910491059106910791089109911091119112911391149115911691179118911991209121912291239124912591269127912891299130913191329133913491359136913791389139914091419142914391449145914691479148914991509151915291539154915591569157915891599160916191629163916491659166916791689169917091719172917391749175917691779178917991809181918291839184918591869187918891899190919191929193919491959196919791989199920092019202920392049205920692079208920992109211921292139214921592169217921892199220922192229223922492259226922792289229923092319232923392349235923692379238923992409241924292439244924592469247924892499250925192529253925492559256925792589259926092619262926392649265926692679268926992709271927292739274927592769
27792789279928092819282928392849285928692879288928992909291929292939294929592969297929892999300930193029303930493059306930793089309931093119312931393149315931693179318931993209321932293239324932593269327932893299330933193329333933493359336933793389339934093419342934393449345934693479348934993509351935293539354935593569357935893599360936193629363936493659366936793689369937093719372937393749375937693779378937993809381938293839384938593869387938893899390939193929393939493959396939793989399940094019402940394049405940694079408940994109411941294139414941594169417941894199420942194229423942494259426942794289429943094319432943394349435943694379438943994409441944294439444944594469447944894499450945194529453945494559456945794589459946094619462946394649465946694679468946994709471947294739474947594769477947894799480948194829483948494859486948794889489949094919492949394949495949694979498949995009501950295039504950595069507950895099510951195129513951495159516951795189519952095219522952395249525952695279528952995309531953295339534953595369537953895399540954195429543954495459546954795489549955095519552955395549555955695579558955995609561956295639564956595669567956895699570957195729573957495759576957795789579958095819582958395849585958695879588958995909591959295939594959595969597959895999600960196029603960496059606960796089609961096119612961396149615961696179618961996209621962296239624962596269627962896299630963196329633963496359636963796389639964096419642964396449645964696479648964996509651965296539654965596569657965896599660966196629663966496659666966796689669967096719672967396749675967696779678967996809681968296839684968596869687968896899690969196929693969496959696969796989699970097019702970397049705970697079708970997109711971297139714971597169717971897199720972197229723972497259726972797289729973097319732973397349735973697379738973997409741974297439744974597469747974897499750975197529753975497559756975797589759976097619762976397649765976697679768976997709771977297739774977597769
77797789779978097819782978397849785978697879788978997909791979297939794979597969797979897999800980198029803980498059806980798089809981098119812981398149815981698179818981998209821982298239824982598269827982898299830983198329833983498359836983798389839984098419842984398449845984698479848984998509851985298539854985598569857985898599860986198629863986498659866986798689869987098719872987398749875987698779878987998809881988298839884988598869887988898899890989198929893989498959896989798989899990099019902990399049905990699079908990999109911991299139914991599169917991899199920992199229923992499259926992799289929993099319932993399349935993699379938993999409941994299439944994599469947994899499950995199529953995499559956995799589959996099619962996399649965996699679968996999709971997299739974997599769977997899799980998199829983998499859986998799889989999099919992999399949995999699979998999910000100011000210003100041000510006100071000810009100101001110012100131001410015100161001710018100191002010021100221002310024100251002610027100281002910030100311003210033100341003510036100371003810039100401004110042100431004410045100461004710048100491005010051100521005310054100551005610057100581005910060100611006210063100641006510066100671006810069100701007110072100731007410075100761007710078100791008010081100821008310084100851008610087100881008910090100911009210093100941009510096100971009810099101001010110102101031010410105101061010710108101091011010111101121011310114101151011610117101181011910120101211012210123101241012510126101271012810129101301013110132101331013410135101361013710138101391014010141101421014310144101451014610147101481014910150101511015210153101541015510156101571015810159101601016110162101631016410165101661016710168101691017010171101721017310174101751017610177101781017910180101811018210183101841018510186101871018810189101901019110192101931019410195101961019710198101991020010201102021020310204102051020610207102081020910210102111021210213102141021510216102171021810219102201022
11022210223102241022510226102271022810229102301023110232102331023410235102361023710238102391024010241102421024310244102451024610247102481024910250102511025210253102541025510256102571025810259102601026110262102631026410265102661026710268102691027010271102721027310274102751027610277102781027910280102811028210283102841028510286102871028810289102901029110292102931029410295102961029710298102991030010301103021030310304103051030610307103081030910310103111031210313103141031510316103171031810319103201032110322103231032410325103261032710328103291033010331103321033310334103351033610337103381033910340103411034210343103441034510346103471034810349103501035110352103531035410355103561035710358103591036010361103621036310364103651036610367103681036910370103711037210373103741037510376103771037810379103801038110382103831038410385103861038710388103891039010391103921039310394103951039610397103981039910400104011040210403104041040510406104071040810409104101041110412104131041410415104161041710418104191042010421104221042310424104251042610427104281042910430104311043210433104341043510436104371043810439104401044110442104431044410445104461044710448104491045010451104521045310454104551045610457104581045910460104611046210463104641046510466104671046810469104701047110472104731047410475104761047710478104791048010481104821048310484104851048610487104881048910490104911049210493104941049510496104971049810499105001050110502105031050410505105061050710508105091051010511105121051310514105151051610517105181051910520105211052210523105241052510526105271052810529105301053110532105331053410535105361053710538105391054010541105421054310544105451054610547105481054910550105511055210553105541055510556105571055810559105601056110562105631056410565105661056710568105691057010571105721057310574105751057610577105781057910580105811058210583105841058510586105871058810589105901059110592105931059410595105961059710598105991060010601106021060310604106051060610607106081060910610106111061210613106141061510616106171061810619106201062
11062210623106241062510626106271062810629106301063110632106331063410635106361063710638106391064010641106421064310644106451064610647106481064910650106511065210653106541065510656106571065810659106601066110662106631066410665106661066710668106691067010671106721067310674106751067610677106781067910680106811068210683106841068510686106871068810689106901069110692106931069410695106961069710698106991070010701107021070310704107051070610707107081070910710107111071210713107141071510716107171071810719107201072110722107231072410725107261072710728107291073010731107321073310734107351073610737107381073910740107411074210743107441074510746107471074810749107501075110752107531075410755107561075710758107591076010761107621076310764107651076610767107681076910770107711077210773107741077510776107771077810779107801078110782107831078410785107861078710788107891079010791107921079310794107951079610797107981079910800108011080210803108041080510806108071080810809108101081110812108131081410815108161081710818108191082010821108221082310824108251082610827108281082910830108311083210833108341083510836108371083810839108401084110842108431084410845108461084710848108491085010851108521085310854108551085610857108581085910860108611086210863108641086510866108671086810869108701087110872108731087410875108761087710878108791088010881108821088310884108851088610887108881088910890108911089210893108941089510896108971089810899109001090110902109031090410905109061090710908109091091010911109121091310914109151091610917109181091910920109211092210923109241092510926109271092810929109301093110932109331093410935109361093710938109391094010941109421094310944109451094610947109481094910950109511095210953109541095510956109571095810959109601096110962109631096410965109661096710968109691097010971109721097310974109751097610977109781097910980109811098210983109841098510986109871098810989109901099110992109931099410995109961099710998109991100011001110021100311004110051100611007110081100911010110111101211013110141101511016110171101811019110201102
11102211023110241102511026110271102811029110301103111032110331103411035110361103711038110391104011041110421104311044110451104611047110481104911050110511105211053110541105511056110571105811059110601106111062110631106411065110661106711068110691107011071110721107311074110751107611077110781107911080110811108211083110841108511086110871108811089110901109111092110931109411095110961109711098110991110011101111021110311104111051110611107111081110911110111111111211113111141111511116111171111811119111201112111122111231112411125111261112711128111291113011131111321113311134111351113611137111381113911140111411114211143111441114511146111471114811149111501115111152111531115411155111561115711158111591116011161111621116311164111651116611167111681116911170111711117211173111741117511176111771117811179111801118111182111831118411185111861118711188111891119011191111921119311194111951119611197111981119911200112011120211203112041120511206112071120811209112101121111212112131121411215112161121711218112191122011221112221122311224112251122611227112281122911230112311123211233112341123511236112371123811239112401124111242112431124411245112461124711248112491125011251112521125311254112551125611257112581125911260112611126211263112641126511266112671126811269112701127111272112731127411275112761127711278112791128011281112821128311284112851128611287112881128911290112911129211293112941129511296112971129811299113001130111302113031130411305113061130711308113091131011311113121131311314113151131611317113181131911320113211132211323113241132511326113271132811329113301133111332113331133411335113361133711338113391134011341113421134311344113451134611347113481134911350113511135211353113541135511356113571135811359113601136111362113631136411365113661136711368113691137011371113721137311374113751137611377113781137911380113811138211383113841138511386113871138811389113901139111392113931139411395113961139711398113991140011401114021140311404114051140611407114081140911410114111141211413114141141511416114171141811419114201142
11142211423114241142511426114271142811429114301143111432114331143411435114361143711438114391144011441114421144311444114451144611447114481144911450114511145211453114541145511456114571145811459114601146111462114631146411465114661146711468114691147011471114721147311474114751147611477114781147911480114811148211483114841148511486114871148811489114901149111492114931149411495114961149711498114991150011501115021150311504115051150611507115081150911510115111151211513115141151511516115171151811519115201152111522115231152411525115261152711528115291153011531115321153311534115351153611537115381153911540115411154211543115441154511546115471154811549115501155111552115531155411555115561155711558115591156011561115621156311564115651156611567115681156911570115711157211573115741157511576115771157811579115801158111582115831158411585115861158711588115891159011591115921159311594115951159611597115981159911600116011160211603116041160511606116071160811609116101161111612116131161411615116161161711618116191162011621116221162311624116251162611627116281162911630116311163211633116341163511636116371163811639116401164111642116431164411645116461164711648116491165011651116521165311654116551165611657116581165911660116611166211663116641166511666116671166811669116701167111672116731167411675116761167711678116791168011681116821168311684116851168611687116881168911690116911169211693116941169511696116971169811699117001170111702117031170411705117061170711708117091171011711117121171311714117151171611717117181171911720117211172211723117241172511726117271172811729117301173111732117331173411735117361173711738117391174011741117421174311744117451174611747117481174911750117511175211753117541175511756117571175811759117601176111762117631176411765117661176711768117691177011771117721177311774117751177611777117781177911780117811178211783117841178511786117871178811789117901179111792117931179411795117961179711798117991180011801118021180311804118051180611807118081180911810118111181211813118141181511816118171181811819118201182
11182211823118241182511826118271182811829118301183111832118331183411835118361183711838118391184011841118421184311844118451184611847118481184911850118511185211853118541185511856118571185811859118601186111862118631186411865118661186711868118691187011871118721187311874118751187611877118781187911880118811188211883118841188511886118871188811889118901189111892118931189411895118961189711898118991190011901119021190311904119051190611907119081190911910119111191211913119141191511916119171191811919119201192111922119231192411925119261192711928119291193011931119321193311934119351193611937119381193911940119411194211943119441194511946119471194811949119501195111952119531195411955119561195711958119591196011961119621196311964119651196611967119681196911970119711197211973119741197511976119771197811979119801198111982119831198411985119861198711988119891199011991119921199311994119951199611997119981199912000120011200212003120041200512006120071200812009120101201112012120131201412015120161201712018120191202012021120221202312024120251202612027120281202912030120311203212033120341203512036120371203812039120401204112042120431204412045120461204712048120491205012051120521205312054120551205612057120581205912060120611206212063120641206512066120671206812069120701207112072120731207412075120761207712078120791208012081120821208312084120851208612087120881208912090120911209212093120941209512096120971209812099121001210112102121031210412105121061210712108121091211012111121121211312114121151211612117121181211912120121211212212123121241212512126121271212812129121301213112132121331213412135121361213712138121391214012141121421214312144121451214612147121481214912150121511215212153121541215512156121571215812159121601216112162121631216412165121661216712168121691217012171121721217312174121751217612177121781217912180121811218212183121841218512186121871218812189121901219112192121931219412195121961219712198121991220012201122021220312204122051220612207122081220912210122111221212213122141221512216122171221812219122201222
11222212223122241222512226122271222812229122301223112232122331223412235122361223712238122391224012241122421224312244122451224612247122481224912250122511225212253122541225512256122571225812259122601226112262122631226412265122661226712268122691227012271122721227312274122751227612277122781227912280122811228212283122841228512286122871228812289122901229112292122931229412295122961229712298122991230012301123021230312304123051230612307123081230912310123111231212313123141231512316123171231812319123201232112322123231232412325123261232712328123291233012331123321233312334123351233612337123381233912340123411234212343123441234512346123471234812349123501235112352123531235412355123561235712358123591236012361123621236312364123651236612367123681236912370123711237212373123741237512376123771237812379123801238112382123831238412385123861238712388123891239012391123921239312394123951239612397123981239912400124011240212403124041240512406124071240812409124101241112412124131241412415124161241712418124191242012421124221242312424124251242612427124281242912430124311243212433124341243512436124371243812439124401244112442124431244412445124461244712448124491245012451124521245312454124551245612457124581245912460124611246212463124641246512466124671246812469124701247112472124731247412475124761247712478124791248012481124821248312484124851248612487124881248912490124911249212493124941249512496124971249812499125001250112502125031250412505125061250712508125091251012511125121251312514125151251612517125181251912520125211252212523125241252512526125271252812529125301253112532125331253412535125361253712538125391254012541125421254312544125451254612547125481254912550125511255212553125541255512556125571255812559125601256112562125631256412565125661256712568125691257012571125721257312574125751257612577125781257912580125811258212583125841258512586125871258812589125901259112592125931259412595125961259712598125991260012601126021260312604126051260612607126081260912610126111261212613126141261512616126171261812619126201262
11262212623126241262512626126271262812629126301263112632126331263412635126361263712638126391264012641126421264312644126451264612647126481264912650126511265212653126541265512656126571265812659126601266112662126631266412665126661266712668126691267012671126721267312674126751267612677126781267912680126811268212683126841268512686126871268812689126901269112692126931269412695126961269712698126991270012701127021270312704127051270612707127081270912710127111271212713127141271512716127171271812719127201272112722127231272412725127261272712728127291273012731127321273312734127351273612737127381273912740127411274212743127441274512746127471274812749127501275112752127531275412755127561275712758127591276012761127621276312764127651276612767127681276912770127711277212773127741277512776127771277812779127801278112782127831278412785127861278712788127891279012791127921279312794127951279612797127981279912800128011280212803128041280512806128071280812809128101281112812128131281412815128161281712818128191282012821128221282312824128251282612827128281282912830128311283212833128341283512836128371283812839128401284112842128431284412845128461284712848128491285012851128521285312854128551285612857128581285912860128611286212863128641286512866128671286812869128701287112872128731287412875128761287712878128791288012881128821288312884128851288612887128881288912890128911289212893128941289512896128971289812899129001290112902129031290412905129061290712908129091291012911129121291312914129151291612917129181291912920129211292212923129241292512926129271292812929129301293112932129331293412935129361293712938129391294012941129421294312944129451294612947129481294912950129511295212953129541295512956129571295812959129601296112962129631296412965129661296712968129691297012971129721297312974129751297612977129781297912980129811298212983129841298512986129871298812989129901299112992129931299412995129961299712998129991300013001130021300313004130051300613007130081300913010130111301213013130141301513016130171301813019130201302
11302213023130241302513026130271302813029130301303113032130331303413035130361303713038130391304013041130421304313044130451304613047130481304913050130511305213053130541305513056130571305813059130601306113062130631306413065130661306713068130691307013071130721307313074130751307613077130781307913080130811308213083130841308513086130871308813089130901309113092130931309413095130961309713098130991310013101131021310313104131051310613107131081310913110131111311213113131141311513116131171311813119131201312113122131231312413125131261312713128131291313013131131321313313134131351313613137131381313913140131411314213143131441314513146131471314813149131501315113152131531315413155131561315713158131591316013161131621316313164131651316613167131681316913170131711317213173131741317513176131771317813179131801318113182131831318413185131861318713188131891319013191131921319313194131951319613197131981319913200132011320213203132041320513206132071320813209132101321113212132131321413215132161321713218132191322013221132221322313224132251322613227132281322913230132311323213233132341323513236132371323813239132401324113242132431324413245132461324713248132491325013251132521325313254132551325613257132581325913260132611326213263132641326513266132671326813269132701327113272132731327413275132761327713278132791328013281132821328313284132851328613287132881328913290132911329213293132941329513296132971329813299133001330113302133031330413305133061330713308133091331013311133121331313314133151331613317133181331913320133211332213323133241332513326133271332813329133301333113332133331333413335133361333713338133391334013341133421334313344133451334613347133481334913350133511335213353133541335513356133571335813359133601336113362133631336413365133661336713368133691337013371133721337313374133751337613377133781337913380133811338213383133841338513386133871338813389133901339113392133931339413395133961339713398133991340013401134021340313404134051340613407134081340913410134111341213413134141341513416134171341813419134201342
11342213423134241342513426134271342813429134301343113432134331343413435134361343713438134391344013441134421344313444134451344613447134481344913450134511345213453134541345513456134571345813459134601346113462134631346413465134661346713468134691347013471134721347313474134751347613477134781347913480134811348213483134841348513486134871348813489134901349113492134931349413495134961349713498134991350013501135021350313504135051350613507135081350913510135111351213513135141351513516135171351813519135201352113522135231352413525135261352713528135291353013531135321353313534135351353613537135381353913540135411354213543135441354513546135471354813549135501355113552135531355413555135561355713558135591356013561135621356313564135651356613567135681356913570135711357213573135741357513576135771357813579135801358113582135831358413585135861358713588135891359013591135921359313594135951359613597135981359913600136011360213603136041360513606136071360813609136101361113612136131361413615136161361713618136191362013621136221362313624136251362613627136281362913630136311363213633136341363513636136371363813639136401364113642136431364413645136461364713648136491365013651136521365313654136551365613657136581365913660136611366213663136641366513666136671366813669136701367113672136731367413675136761367713678136791368013681136821368313684136851368613687136881368913690136911369213693136941369513696136971369813699137001370113702137031370413705137061370713708137091371013711137121371313714137151371613717137181371913720137211372213723137241372513726137271372813729137301373113732137331373413735137361373713738137391374013741137421374313744137451374613747137481374913750137511375213753137541375513756137571375813759137601376113762137631376413765137661376713768137691377013771137721377313774137751377613777137781377913780137811378213783137841378513786137871378813789137901379113792137931379413795137961379713798137991380013801138021380313804138051380613807138081380913810138111381213813138141381513816138171381813819138201382
11382213823138241382513826138271382813829138301383113832138331383413835138361383713838138391384013841138421384313844138451384613847138481384913850138511385213853138541385513856138571385813859138601386113862138631386413865138661386713868138691387013871138721387313874138751387613877138781387913880138811388213883138841388513886138871388813889138901389113892138931389413895138961389713898138991390013901139021390313904139051390613907139081390913910139111391213913139141391513916139171391813919139201392113922139231392413925139261392713928139291393013931139321393313934139351393613937139381393913940139411394213943139441394513946139471394813949139501395113952139531395413955139561395713958139591396013961139621396313964139651396613967139681396913970139711397213973139741397513976139771397813979139801398113982139831398413985139861398713988139891399013991139921399313994139951399613997139981399914000140011400214003140041400514006140071400814009140101401114012140131401414015140161401714018140191402014021140221402314024140251402614027140281402914030140311403214033140341403514036140371403814039140401404114042140431404414045140461404714048140491405014051140521405314054140551405614057140581405914060140611406214063140641406514066140671406814069140701407114072140731407414075140761407714078140791408014081140821408314084140851408614087140881408914090140911409214093140941409514096140971409814099141001410114102141031410414105141061410714108141091411014111141121411314114141151411614117141181411914120141211412214123141241412514126141271412814129141301413114132141331413414135141361413714138141391414014141141421414314144141451414614147141481414914150141511415214153141541415514156141571415814159141601416114162141631416414165141661416714168141691417014171141721417314174141751417614177141781417914180141811418214183141841418514186141871418814189141901419114192141931419414195141961419714198141991420014201142021420314204142051420614207142081420914210142111421214213142141421514216142171421814219142201422
11422214223142241422514226142271422814229142301423114232142331423414235142361423714238142391424014241142421424314244142451424614247142481424914250142511425214253142541425514256142571425814259142601426114262142631426414265142661426714268142691427014271142721427314274142751427614277142781427914280142811428214283142841428514286142871428814289142901429114292142931429414295142961429714298142991430014301143021430314304143051430614307143081430914310143111431214313143141431514316143171431814319143201432114322143231432414325143261432714328143291433014331143321433314334143351433614337143381433914340143411434214343143441434514346143471434814349143501435114352143531435414355143561435714358143591436014361143621436314364143651436614367143681436914370143711437214373143741437514376143771437814379143801438114382143831438414385143861438714388143891439014391143921439314394143951439614397143981439914400144011440214403144041440514406144071440814409144101441114412144131441414415144161441714418144191442014421144221442314424144251442614427144281442914430144311443214433144341443514436144371443814439144401444114442144431444414445144461444714448144491445014451144521445314454144551445614457144581445914460144611446214463144641446514466144671446814469144701447114472144731447414475144761447714478144791448014481144821448314484144851448614487144881448914490144911449214493144941449514496144971449814499145001450114502145031450414505145061450714508145091451014511145121451314514145151451614517145181451914520145211452214523145241452514526145271452814529145301453114532145331453414535145361453714538145391454014541145421454314544145451454614547145481454914550145511455214553145541455514556145571455814559145601456114562145631456414565145661456714568145691457014571145721457314574145751457614577145781457914580145811458214583145841458514586145871458814589145901459114592145931459414595145961459714598145991460014601146021460314604146051460614607146081460914610146111461214613146141461514616146171461814619146201462
12182221823218242182521826218272182821829218302183121832218332183421835218362183721838218392184021841218422184321844218452184621847218482184921850218512185221853218542185521856218572185821859218602186121862218632186421865218662186721868218692187021871218722187321874218752187621877218782187921880218812188221883218842188521886218872188821889218902189121892218932189421895218962189721898218992190021901219022190321904219052190621907219082190921910219112191221913219142191521916219172191821919219202192121922219232192421925219262192721928219292193021931219322193321934219352193621937219382193921940219412194221943219442194521946219472194821949219502195121952219532195421955219562195721958219592196021961219622196321964219652196621967219682196921970219712197221973219742197521976219772197821979219802198121982219832198421985219862198721988219892199021991219922199321994219952199621997219982199922000220012200222003220042200522006220072200822009220102201122012220132201422015220162201722018220192202022021220222202322024220252202622027220282202922030220312203222033220342203522036220372203822039220402204122042220432204422045220462204722048220492205022051220522205322054220552205622057220582205922060220612206222063220642206522066220672206822069220702207122072220732207422075220762207722078220792208022081220822208322084220852208622087220882208922090220912209222093220942209522096220972209822099221002210122102221032210422105221062210722108221092211022111221122211322114221152211622117221182211922120221212212222123221242212522126221272212822129221302213122132221332213422135221362213722138221392214022141221422214322144221452214622147221482214922150221512215222153221542215522156221572215822159221602216122162221632216422165221662216722168221692217022171221722217322174221752217622177221782217922180221812218222183221842218522186221872218822189221902219122192221932219422195221962219722198221992220022201222022220322204222052220622207222082220922210222112221222213222142221522216222172221822219222202222
12222222223222242222522226222272222822229222302223122232222332223422235222362223722238222392224022241222422224322244222452224622247222482224922250222512225222253222542225522256222572225822259222602226122262222632226422265222662226722268222692227022271222722227322274222752227622277222782227922280222812228222283222842228522286222872228822289222902229122292222932229422295222962229722298222992230022301223022230322304223052230622307223082230922310223112231222313223142231522316223172231822319223202232122322223232232422325223262232722328223292233022331223322233322334223352233622337223382233922340223412234222343223442234522346223472234822349223502235122352223532235422355223562235722358223592236022361223622236322364223652236622367223682236922370223712237222373223742237522376223772237822379223802238122382223832238422385223862238722388223892239022391223922239322394223952239622397223982239922400224012240222403224042240522406224072240822409224102241122412224132241422415224162241722418224192242022421224222242322424224252242622427224282242922430224312243222433224342243522436224372243822439224402244122442224432244422445224462244722448224492245022451224522245322454224552245622457224582245922460224612246222463224642246522466224672246822469224702247122472224732247422475224762247722478224792248022481224822248322484224852248622487224882248922490224912249222493224942249522496224972249822499225002250122502225032250422505225062250722508225092251022511225122251322514225152251622517225182251922520225212252222523225242252522526225272252822529225302253122532225332253422535225362253722538225392254022541225422254322544225452254622547225482254922550225512255222553225542255522556225572255822559225602256122562225632256422565225662256722568225692257022571225722257322574225752257622577225782257922580225812258222583225842258522586225872258822589225902259122592225932259422595225962259722598225992260022601226022260322604226052260622607226082260922610226112261222613226142261522616226172261822619226202262
12262222623226242262522626226272262822629226302263122632226332263422635226362263722638226392264022641226422264322644226452264622647226482264922650226512265222653226542265522656226572265822659226602266122662226632266422665226662266722668226692267022671226722267322674226752267622677226782267922680226812268222683226842268522686226872268822689226902269122692226932269422695226962269722698226992270022701227022270322704227052270622707227082270922710227112271222713227142271522716227172271822719227202272122722227232272422725227262272722728227292273022731227322273322734227352273622737227382273922740227412274222743227442274522746227472274822749227502275122752227532275422755227562275722758227592276022761227622276322764227652276622767227682276922770227712277222773227742277522776227772277822779227802278122782227832278422785227862278722788227892279022791227922279322794227952279622797227982279922800228012280222803228042280522806228072280822809228102281122812228132281422815228162281722818228192282022821228222282322824228252282622827228282282922830228312283222833228342283522836228372283822839228402284122842228432284422845228462284722848228492285022851228522285322854228552285622857228582285922860228612286222863228642286522866228672286822869228702287122872228732287422875228762287722878228792288022881228822288322884228852288622887228882288922890228912289222893228942289522896228972289822899229002290122902229032290422905229062290722908229092291022911229122291322914229152291622917229182291922920229212292222923229242292522926229272292822929229302293122932229332293422935229362293722938229392294022941229422294322944229452294622947229482294922950229512295222953229542295522956229572295822959229602296122962229632296422965229662296722968229692297022971229722297322974229752297622977229782297922980229812298222983229842298522986229872298822989229902299122992229932299422995229962299722998229992300023001230022300323004230052300623007230082300923010230112301223013230142301523016230172301823019230202302
12302223023230242302523026230272302823029230302303123032230332303423035230362303723038230392304023041230422304323044230452304623047230482304923050230512305223053230542305523056230572305823059230602306123062230632306423065230662306723068230692307023071230722307323074230752307623077230782307923080230812308223083230842308523086230872308823089230902309123092230932309423095230962309723098230992310023101231022310323104231052310623107231082310923110231112311223113231142311523116231172311823119231202312123122231232312423125231262312723128231292313023131231322313323134231352313623137231382313923140231412314223143231442314523146231472314823149231502315123152231532315423155231562315723158231592316023161231622316323164231652316623167231682316923170231712317223173231742317523176231772317823179231802318123182231832318423185231862318723188231892319023191231922319323194231952319623197231982319923200232012320223203232042320523206232072320823209232102321123212232132321423215232162321723218232192322023221232222322323224232252322623227232282322923230232312323223233232342323523236232372323823239232402324123242232432324423245232462324723248232492325023251232522325323254232552325623257232582325923260232612326223263232642326523266232672326823269232702327123272232732327423275232762327723278232792328023281232822328323284232852328623287232882328923290232912329223293232942329523296232972329823299233002330123302233032330423305233062330723308233092331023311233122331323314233152331623317233182331923320233212332223323233242332523326233272332823329233302333123332233332333423335233362333723338233392334023341233422334323344233452334623347233482334923350233512335223353233542335523356233572335823359233602336123362233632336423365233662336723368233692337023371233722337323374233752337623377233782337923380233812338223383233842338523386233872338823389233902339123392233932339423395233962339723398233992340023401234022340323404234052340623407234082340923410234112341223413234142341523416234172341823419234202342
12342223423234242342523426234272342823429234302343123432234332343423435234362343723438234392344023441234422344323444234452344623447234482344923450234512345223453234542345523456234572345823459234602346123462234632346423465234662346723468234692347023471234722347323474234752347623477234782347923480234812348223483234842348523486234872348823489234902349123492234932349423495234962349723498234992350023501235022350323504235052350623507235082350923510235112351223513235142351523516235172351823519235202352123522235232352423525235262352723528235292353023531235322353323534235352353623537235382353923540235412354223543235442354523546235472354823549235502355123552235532355423555235562355723558235592356023561235622356323564235652356623567235682356923570235712357223573235742357523576235772357823579235802358123582235832358423585235862358723588235892359023591235922359323594235952359623597235982359923600236012360223603236042360523606236072360823609236102361123612236132361423615236162361723618236192362023621236222362323624236252362623627236282362923630236312363223633236342363523636236372363823639236402364123642236432364423645236462364723648236492365023651236522365323654236552365623657236582365923660236612366223663236642366523666236672366823669236702367123672236732367423675236762367723678236792368023681236822368323684236852368623687236882368923690236912369223693236942369523696236972369823699237002370123702237032370423705237062370723708237092371023711237122371323714237152371623717237182371923720237212372223723237242372523726237272372823729237302373123732237332373423735237362373723738237392374023741237422374323744237452374623747237482374923750237512375223753237542375523756237572375823759237602376123762237632376423765237662376723768237692377023771237722377323774237752377623777237782377923780237812378223783237842378523786237872378823789237902379123792237932379423795237962379723798237992380023801238022380323804238052380623807238082380923810238112381223813238142381523816238172381823819238202382
12382223823238242382523826238272382823829238302383123832238332383423835238362383723838238392384023841238422384323844238452384623847238482384923850238512385223853238542385523856238572385823859238602386123862238632386423865238662386723868238692387023871238722387323874238752387623877238782387923880238812388223883238842388523886238872388823889238902389123892238932389423895238962389723898238992390023901239022390323904239052390623907239082390923910239112391223913239142391523916239172391823919239202392123922239232392423925239262392723928239292393023931239322393323934239352393623937239382393923940239412394223943239442394523946239472394823949239502395123952239532395423955239562395723958239592396023961239622396323964239652396623967239682396923970239712397223973239742397523976239772397823979239802398123982239832398423985239862398723988239892399023991239922399323994239952399623997239982399924000240012400224003240042400524006240072400824009240102401124012240132401424015240162401724018240192402024021240222402324024240252402624027240282402924030240312403224033240342403524036240372403824039240402404124042240432404424045240462404724048240492405024051240522405324054240552405624057240582405924060240612406224063240642406524066240672406824069240702407124072240732407424075240762407724078240792408024081240822408324084240852408624087240882408924090240912409224093240942409524096240972409824099241002410124102241032410424105241062410724108241092411024111241122411324114241152411624117241182411924120241212412224123241242412524126241272412824129241302413124132241332413424135241362413724138241392414024141241422414324144241452414624147241482414924150241512415224153241542415524156241572415824159241602416124162241632416424165241662416724168241692417024171241722417324174241752417624177241782417924180241812418224183241842418524186241872418824189241902419124192241932419424195241962419724198241992420024201242022420324204242052420624207242082420924210242112421224213242142421524216242172421824219242202422
12422224223242242422524226242272422824229242302423124232242332423424235242362423724238242392424024241242422424324244242452424624247242482424924250242512425224253242542425524256242572425824259242602426124262242632426424265242662426724268242692427024271242722427324274242752427624277242782427924280242812428224283242842428524286242872428824289242902429124292242932429424295242962429724298242992430024301243022430324304243052430624307243082430924310243112431224313243142431524316243172431824319243202432124322243232432424325243262432724328243292433024331243322433324334243352433624337243382433924340243412434224343243442434524346243472434824349243502435124352243532435424355243562435724358243592436024361243622436324364243652436624367243682436924370243712437224373243742437524376243772437824379243802438124382243832438424385243862438724388243892439024391243922439324394243952439624397243982439924400244012440224403244042440524406244072440824409244102441124412244132441424415244162441724418244192442024421244222442324424244252442624427244282442924430244312443224433244342443524436244372443824439244402444124442244432444424445244462444724448244492445024451244522445324454244552445624457244582445924460244612446224463244642446524466244672446824469244702447124472244732447424475244762447724478244792448024481244822448324484244852448624487244882448924490244912449224493244942449524496244972449824499245002450124502245032450424505245062450724508245092451024511245122451324514245152451624517245182451924520245212452224523245242452524526245272452824529245302453124532245332453424535245362453724538245392454024541245422454324544245452454624547245482454924550245512455224553245542455524556245572455824559245602456124562245632456424565245662456724568245692457024571245722457324574245752457624577245782457924580245812458224583245842458524586245872458824589245902459124592245932459424595245962459724598245992460024601246022460324604246052460624607246082460924610246112461224613246142461524616246172461824619246202462
12462224623246242462524626246272462824629246302463124632246332463424635246362463724638246392464024641246422464324644246452464624647246482464924650246512465224653246542465524656246572465824659246602466124662246632466424665246662466724668246692467024671246722467324674246752467624677246782467924680246812468224683246842468524686246872468824689246902469124692246932469424695246962469724698246992470024701247022470324704247052470624707247082470924710247112471224713247142471524716247172471824719247202472124722247232472424725247262472724728247292473024731247322473324734247352473624737247382473924740247412474224743247442474524746247472474824749247502475124752247532475424755247562475724758247592476024761247622476324764247652476624767247682476924770247712477224773247742477524776247772477824779247802478124782247832478424785247862478724788247892479024791247922479324794247952479624797247982479924800248012480224803248042480524806248072480824809248102481124812248132481424815248162481724818248192482024821248222482324824248252482624827248282482924830248312483224833248342483524836248372483824839248402484124842248432484424845248462484724848248492485024851248522485324854248552485624857248582485924860248612486224863248642486524866248672486824869248702487124872248732487424875248762487724878248792488024881248822488324884248852488624887248882488924890248912489224893248942489524896248972489824899249002490124902249032490424905249062490724908249092491024911249122491324914249152491624917249182491924920249212492224923249242492524926249272492824929249302493124932249332493424935249362493724938249392494024941249422494324944249452494624947249482494924950249512495224953249542495524956249572495824959249602496124962249632496424965249662496724968249692497024971249722497324974249752497624977249782497924980249812498224983249842498524986249872498824989249902499124992249932499424995249962499724998249992500025001250022500325004250052500625007250082500925010250112501225013250142501525016250172501825019250202502
12502225023250242502525026250272502825029250302503125032250332503425035250362503725038250392504025041250422504325044250452504625047250482504925050250512505225053250542505525056250572505825059250602506125062250632506425065250662506725068250692507025071250722507325074250752507625077250782507925080250812508225083250842508525086250872508825089250902509125092250932509425095250962509725098250992510025101251022510325104251052510625107251082510925110251112511225113251142511525116251172511825119251202512125122251232512425125251262512725128251292513025131251322513325134251352513625137251382513925140251412514225143251442514525146251472514825149251502515125152251532515425155251562515725158251592516025161251622516325164251652516625167251682516925170251712517225173251742517525176251772517825179251802518125182251832518425185251862518725188251892519025191251922519325194251952519625197251982519925200252012520225203252042520525206252072520825209252102521125212252132521425215252162521725218252192522025221252222522325224252252522625227252282522925230252312523225233252342523525236252372523825239252402524125242252432524425245252462524725248252492525025251252522525325254252552525625257252582525925260252612526225263252642526525266252672526825269252702527125272252732527425275252762527725278252792528025281252822528325284252852528625287252882528925290252912529225293252942529525296252972529825299253002530125302253032530425305253062530725308253092531025311253122531325314253152531625317253182531925320253212532225323253242532525326253272532825329253302533125332253332533425335253362533725338253392534025341253422534325344253452534625347253482534925350253512535225353253542535525356253572535825359253602536125362253632536425365253662536725368253692537025371253722537325374253752537625377253782537925380253812538225383253842538525386253872538825389253902539125392253932539425395253962539725398253992540025401254022540325404254052540625407254082540925410254112541225413254142541525416254172541825419254202542
12542225423254242542525426254272542825429254302543125432254332543425435254362543725438254392544025441254422544325444254452544625447254482544925450254512545225453254542545525456254572545825459254602546125462254632546425465254662546725468254692547025471254722547325474254752547625477254782547925480254812548225483254842548525486254872548825489254902549125492254932549425495254962549725498254992550025501255022550325504255052550625507255082550925510255112551225513255142551525516255172551825519255202552125522255232552425525255262552725528255292553025531255322553325534255352553625537255382553925540255412554225543255442554525546255472554825549255502555125552255532555425555255562555725558255592556025561255622556325564255652556625567255682556925570255712557225573255742557525576255772557825579255802558125582255832558425585255862558725588255892559025591255922559325594255952559625597255982559925600256012560225603256042560525606256072560825609256102561125612256132561425615256162561725618256192562025621256222562325624256252562625627256282562925630256312563225633256342563525636256372563825639256402564125642256432564425645256462564725648256492565025651256522565325654256552565625657256582565925660256612566225663256642566525666256672566825669256702567125672256732567425675256762567725678256792568025681256822568325684256852568625687256882568925690256912569225693256942569525696256972569825699257002570125702257032570425705257062570725708257092571025711257122571325714257152571625717257182571925720257212572225723257242572525726257272572825729257302573125732257332573425735257362573725738257392574025741257422574325744257452574625747257482574925750257512575225753257542575525756257572575825759257602576125762257632576425765257662576725768257692577025771257722577325774257752577625777257782577925780257812578225783257842578525786257872578825789257902579125792257932579425795257962579725798257992580025801258022580325804258052580625807258082580925810258112581225813258142581525816258172581825819258202582
12582225823258242582525826258272582825829258302583125832258332583425835258362583725838258392584025841258422584325844258452584625847258482584925850258512585225853258542585525856258572585825859258602586125862258632586425865258662586725868258692587025871258722587325874258752587625877258782587925880258812588225883258842588525886258872588825889258902589125892258932589425895258962589725898258992590025901259022590325904259052590625907259082590925910259112591225913259142591525916259172591825919259202592125922259232592425925259262592725928259292593025931259322593325934259352593625937259382593925940259412594225943259442594525946259472594825949259502595125952259532595425955259562595725958259592596025961259622596325964259652596625967259682596925970259712597225973259742597525976259772597825979259802598125982259832598425985259862598725988259892599025991259922599325994259952599625997259982599926000260012600226003260042600526006260072600826009260102601126012260132601426015260162601726018260192602026021260222602326024260252602626027260282602926030260312603226033260342603526036260372603826039260402604126042260432604426045260462604726048260492605026051260522605326054260552605626057260582605926060260612606226063260642606526066260672606826069260702607126072260732607426075260762607726078260792608026081260822608326084260852608626087260882608926090260912609226093260942609526096260972609826099261002610126102261032610426105261062610726108261092611026111261122611326114261152611626117261182611926120261212612226123261242612526126261272612826129261302613126132261332613426135261362613726138261392614026141261422614326144261452614626147261482614926150261512615226153261542615526156261572615826159261602616126162261632616426165261662616726168261692617026171261722617326174261752617626177261782617926180261812618226183261842618526186261872618826189261902619126192261932619426195261962619726198261992620026201262022620326204262052620626207262082620926210262112621226213262142621526216262172621826219262202622
1262222622326224262252622626227262282622926230262312623226233262342623526236262372623826239262402624126242262432624426245262462624726248262492625026251262522625326254262552625626257262582625926260262612626226263262642626526266262672626826269262702627126272262732627426275262762627726278262792628026281262822628326284262852628626287262882628926290262912629226293262942629526296262972629826299263002630126302263032630426305263062630726308263092631026311263122631326314263152631626317263182631926320263212632226323263242632526326263272632826329263302633126332263332633426335263362633726338263392634026341263422634326344263452634626347263482634926350263512635226353263542635526356263572635826359263602636126362263632636426365263662636726368263692637026371263722637326374263752637626377263782637926380263812638226383263842638526386263872638826389263902639126392263932639426395263962639726398263992640026401264022640326404264052640626407264082640926410264112641226413264142641526416264172641826419264202642126422264232642426425264262642726428264292643026431264322643326434264352643626437264382643926440264412644226443264442644526446264472644826449264502645126452264532645426455264562645726458264592646026461264622646326464264652646626467264682646926470264712647226473264742647526476264772647826479264802648126482264832648426485264862648726488264892649026491264922649326494264952649626497264982649926500265012650226503265042650526506265072650826509265102651126512265132651426515265162651726518265192652026521265222652326524265252652626527265282652926530265312653226533265342653526536265372653826539265402654126542265432654426545265462654726548265492655026551265522655326554265552655626557265582655926560265612656226563265642656526566265672656826569265702657126572 |
- {
- "metadata": {
- "source_file": "primevul_valid_grouped.json",
- "filter_min_depth": 3,
- "filter_max_depth": 5,
- "original_groups": 4777,
- "filtered_groups": 198,
- "total_functions": 2181,
- "depth_distribution": {
- "25": 1,
- "1": 4057,
- "14": 3,
- "13": 1,
- "5": 13,
- "2": 489,
- "6": 16,
- "3": 135,
- "4": 50,
- "7": 6,
- "8": 2,
- "12": 2,
- "11": 1,
- "10": 1
- }
- },
- "groups": [
- {
- "call_depth": 5,
- "longest_call_chain": [
- "msusb_msconfig_read",
- "msusb_msinterface_read_list",
- "msusb_msinterface_read",
- "msusb_mspipes_read",
- "msusb_mspipe_new"
- ],
- "group_size": 14,
- "functions": [
- {
- "func": "static MSUSB_PIPE_DESCRIPTOR** msusb_mspipes_read(wStream* s, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum;\n\tMSUSB_PIPE_DESCRIPTOR** MsPipes;\n\n\tif (Stream_GetRemainingCapacity(s) < 12 * NumberOfPipes)\n\t\treturn NULL;\n\n\tMsPipes = (MSUSB_PIPE_DESCRIPTOR**)calloc(NumberOfPipes, sizeof(MSUSB_PIPE_DESCRIPTOR*));\n\n\tif (!MsPipes)\n\t\treturn NULL;\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t{\n\t\tMSUSB_PIPE_DESCRIPTOR* MsPipe = msusb_mspipe_new();\n\n\t\tif (!MsPipe)\n\t\t\tgoto out_error;\n\n\t\tStream_Read_UINT16(s, MsPipe->MaximumPacketSize);\n\t\tStream_Seek(s, 2);\n\t\tStream_Read_UINT32(s, MsPipe->MaximumTransferSize);\n\t\tStream_Read_UINT32(s, MsPipe->PipeFlags);\n\t\t/* Already set to zero by memset\n\t\t MsPipe->PipeHandle\t = 0;\n\t\t MsPipe->bEndpointAddress = 0;\n\t\t MsPipe->bInterval\t\t= 0;\n\t\t MsPipe->PipeType\t\t = 0;\n\t\t MsPipe->InitCompleted\t= 0;\n\t\t*/\n\t\tMsPipes[pnum] = MsPipe;\n\t}\n\n\treturn MsPipes;\nout_error:\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t\tfree(MsPipes[pnum]);\n\n\tfree(MsPipes);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 43522950749896036127664697861930743417,
- "size": 43,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 1,
- "dataset": "other",
- "idx": 205671
- },
- {
- "func": "static MSUSB_PIPE_DESCRIPTOR** msusb_mspipes_read(wStream* s, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum;\n\tMSUSB_PIPE_DESCRIPTOR** MsPipes;\n\n\tif (Stream_GetRemainingCapacity(s) / 12 < NumberOfPipes)\n\t\treturn NULL;\n\n\tMsPipes = (MSUSB_PIPE_DESCRIPTOR**)calloc(NumberOfPipes, sizeof(MSUSB_PIPE_DESCRIPTOR*));\n\n\tif (!MsPipes)\n\t\treturn NULL;\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t{\n\t\tMSUSB_PIPE_DESCRIPTOR* MsPipe = msusb_mspipe_new();\n\n\t\tif (!MsPipe)\n\t\t\tgoto out_error;\n\n\t\tStream_Read_UINT16(s, MsPipe->MaximumPacketSize);\n\t\tStream_Seek(s, 2);\n\t\tStream_Read_UINT32(s, MsPipe->MaximumTransferSize);\n\t\tStream_Read_UINT32(s, MsPipe->PipeFlags);\n\t\t/* Already set to zero by memset\n\t\t MsPipe->PipeHandle\t = 0;\n\t\t MsPipe->bEndpointAddress = 0;\n\t\t MsPipe->bInterval\t\t= 0;\n\t\t MsPipe->PipeType\t\t = 0;\n\t\t MsPipe->InitCompleted\t= 0;\n\t\t*/\n\t\tMsPipes[pnum] = MsPipe;\n\t}\n\n\treturn MsPipes;\nout_error:\n\n\tfor (pnum = 0; pnum < NumberOfPipes; pnum++)\n\t\tfree(MsPipes[pnum]);\n\n\tfree(MsPipes);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 327097256253608261746407166636662999864,
- "size": 43,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370198
- },
- {
- "func": "static void msusb_msinterface_free(MSUSB_INTERFACE_DESCRIPTOR* MsInterface)\n{\n\tif (MsInterface)\n\t{\n\t\tmsusb_mspipes_free(MsInterface->MsPipes, MsInterface->NumberOfPipes);\n\t\tMsInterface->MsPipes = NULL;\n\t\tfree(MsInterface);\n\t}\n}",
- "project": "FreeRDP",
- "hash": 111719313818634845962432534061650784720,
- "size": 9,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370195
- },
- {
- "func": "static MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_new()\n{\n\treturn (MSUSB_INTERFACE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_INTERFACE_DESCRIPTOR));\n}",
- "project": "FreeRDP",
- "hash": 195102358277270166636371095078324614685,
- "size": 4,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370190
- },
- {
- "func": "static MSUSB_PIPE_DESCRIPTOR* msusb_mspipe_new()\n{\n\treturn (MSUSB_PIPE_DESCRIPTOR*)calloc(1, sizeof(MSUSB_PIPE_DESCRIPTOR));\n}",
- "project": "FreeRDP",
- "hash": 286269363881544208550715036997896416778,
- "size": 4,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370185
- },
- {
- "func": "static void msusb_mspipes_free(MSUSB_PIPE_DESCRIPTOR** MsPipes, UINT32 NumberOfPipes)\n{\n\tUINT32 pnum = 0;\n\n\tif (MsPipes)\n\t{\n\t\tfor (pnum = 0; pnum < NumberOfPipes && MsPipes[pnum]; pnum++)\n\t\t\tfree(MsPipes[pnum]);\n\n\t\tfree(MsPipes);\n\t}\n}",
- "project": "FreeRDP",
- "hash": 298850235727179719739936200735090397102,
- "size": 12,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370194
- },
- {
- "func": "MSUSB_CONFIG_DESCRIPTOR* msusb_msconfig_new(void)\n{\n\treturn (MSUSB_CONFIG_DESCRIPTOR*)calloc(1, sizeof(MSUSB_CONFIG_DESCRIPTOR));\n}",
- "project": "FreeRDP",
- "hash": 116475666787466662372093513378582272026,
- "size": 4,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370189
- },
- {
- "func": "BOOL msusb_msinterface_replace(MSUSB_CONFIG_DESCRIPTOR* MsConfig, BYTE InterfaceNumber,\n MSUSB_INTERFACE_DESCRIPTOR* NewMsInterface)\n{\n\tif (!MsConfig || !MsConfig->MsInterfaces)\n\t\treturn FALSE;\n\n\tmsusb_msinterface_free(MsConfig->MsInterfaces[InterfaceNumber]);\n\tMsConfig->MsInterfaces[InterfaceNumber] = NewMsInterface;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 163043333955182832460253605601479340365,
- "size": 10,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370192
- },
- {
- "func": "static MSUSB_INTERFACE_DESCRIPTOR** msusb_msinterface_read_list(wStream* s, UINT32 NumInterfaces)\n{\n\tUINT32 inum;\n\tMSUSB_INTERFACE_DESCRIPTOR** MsInterfaces;\n\tMsInterfaces =\n\t (MSUSB_INTERFACE_DESCRIPTOR**)calloc(NumInterfaces, sizeof(MSUSB_INTERFACE_DESCRIPTOR*));\n\n\tif (!MsInterfaces)\n\t\treturn NULL;\n\n\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t{\n\t\tMsInterfaces[inum] = msusb_msinterface_read(s);\n\n\t\tif (!MsInterfaces[inum])\n\t\t\tgoto fail;\n\t}\n\n\treturn MsInterfaces;\nfail:\n\n\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t\tmsusb_msinterface_free(MsInterfaces[inum]);\n\n\tfree(MsInterfaces);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 301570211779473080394701095071166755889,
- "size": 27,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370184
- },
- {
- "func": "static void msusb_msinterface_free_list(MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces,\n UINT32 NumInterfaces)\n{\n\tUINT32 inum = 0;\n\n\tif (MsInterfaces)\n\t{\n\t\tfor (inum = 0; inum < NumInterfaces; inum++)\n\t\t{\n\t\t\tmsusb_msinterface_free(MsInterfaces[inum]);\n\t\t}\n\n\t\tfree(MsInterfaces);\n\t}\n}",
- "project": "FreeRDP",
- "hash": 255545382072794521231443556625399604321,
- "size": 15,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370196
- },
- {
- "func": "void msusb_msconfig_free(MSUSB_CONFIG_DESCRIPTOR* MsConfig)\n{\n\tif (MsConfig)\n\t{\n\t\tmsusb_msinterface_free_list(MsConfig->MsInterfaces, MsConfig->NumInterfaces);\n\t\tMsConfig->MsInterfaces = NULL;\n\t\tfree(MsConfig);\n\t}\n}",
- "project": "FreeRDP",
- "hash": 247496999087104528986755682952452432422,
- "size": 9,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370186
- },
- {
- "func": "BOOL msusb_mspipes_replace(MSUSB_INTERFACE_DESCRIPTOR* MsInterface,\n MSUSB_PIPE_DESCRIPTOR** NewMsPipes, UINT32 NewNumberOfPipes)\n{\n\tif (!MsInterface || !NewMsPipes)\n\t\treturn FALSE;\n\n\t/* free orignal MsPipes */\n\tmsusb_mspipes_free(MsInterface->MsPipes, MsInterface->NumberOfPipes);\n\t/* And replace it */\n\tMsInterface->MsPipes = NewMsPipes;\n\tMsInterface->NumberOfPipes = NewNumberOfPipes;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 272826545862192184139368934588135834022,
- "size": 13,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370188
- },
- {
- "func": "MSUSB_INTERFACE_DESCRIPTOR* msusb_msinterface_read(wStream* s)\n{\n\tMSUSB_INTERFACE_DESCRIPTOR* MsInterface;\n\n\tif (Stream_GetRemainingCapacity(s) < 12)\n\t\treturn NULL;\n\n\tMsInterface = msusb_msinterface_new();\n\n\tif (!MsInterface)\n\t\treturn NULL;\n\n\tStream_Read_UINT16(s, MsInterface->Length);\n\tStream_Read_UINT16(s, MsInterface->NumberOfPipesExpected);\n\tStream_Read_UINT8(s, MsInterface->InterfaceNumber);\n\tStream_Read_UINT8(s, MsInterface->AlternateSetting);\n\tStream_Seek(s, 2);\n\tStream_Read_UINT32(s, MsInterface->NumberOfPipes);\n\tMsInterface->InterfaceHandle = 0;\n\tMsInterface->bInterfaceClass = 0;\n\tMsInterface->bInterfaceSubClass = 0;\n\tMsInterface->bInterfaceProtocol = 0;\n\tMsInterface->InitCompleted = 0;\n\tMsInterface->MsPipes = NULL;\n\n\tif (MsInterface->NumberOfPipes > 0)\n\t{\n\t\tMsInterface->MsPipes = msusb_mspipes_read(s, MsInterface->NumberOfPipes);\n\n\t\tif (!MsInterface->MsPipes)\n\t\t\tgoto out_error;\n\t}\n\n\treturn MsInterface;\nout_error:\n\tmsusb_msinterface_free(MsInterface);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 315713004236029849064051996144827842346,
- "size": 38,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370197
- },
- {
- "func": "MSUSB_CONFIG_DESCRIPTOR* msusb_msconfig_read(wStream* s, UINT32 NumInterfaces)\n{\n\tMSUSB_CONFIG_DESCRIPTOR* MsConfig;\n\tBYTE lenConfiguration, typeConfiguration;\n\n\tif (Stream_GetRemainingCapacity(s) < 6ULL + NumInterfaces * 2ULL)\n\t\treturn NULL;\n\n\tMsConfig = msusb_msconfig_new();\n\n\tif (!MsConfig)\n\t\tgoto fail;\n\n\tMsConfig->MsInterfaces = msusb_msinterface_read_list(s, NumInterfaces);\n\n\tif (!MsConfig->MsInterfaces)\n\t\tgoto fail;\n\n\tStream_Read_UINT8(s, lenConfiguration);\n\tStream_Read_UINT8(s, typeConfiguration);\n\n\tif (lenConfiguration != 0x9 || typeConfiguration != 0x2)\n\t{\n\t\tWLog_ERR(TAG, \"len and type must be 0x9 and 0x2 , but it is 0x%\" PRIx8 \" and 0x%\" PRIx8 \"\",\n\t\t lenConfiguration, typeConfiguration);\n\t\tgoto fail;\n\t}\n\n\tStream_Read_UINT16(s, MsConfig->wTotalLength);\n\tStream_Seek(s, 1);\n\tStream_Read_UINT8(s, MsConfig->bConfigurationValue);\n\tMsConfig->NumInterfaces = NumInterfaces;\n\treturn MsConfig;\nfail:\n\tmsusb_msconfig_free(MsConfig);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 5241623909507677207100469971939005727,
- "size": 37,
- "commit_id": "9f77fc3dd2394373e1be753952b00dafa1a9b7da",
- "message": "Fixed int overflow in msusb_mspipes_read\n\nThanks to hac425",
- "target": 0,
- "dataset": "other",
- "idx": 370187
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "rdp_send_confirm_active",
- "rdp_write_confirm_active",
- "rdp_print_capability_sets",
- "rdp_print_bitmap_codecs_capability_set",
- "rdp_read_bitmap_codec_guid"
- ],
- "group_size": 112,
- "functions": [
- {
- "func": "static BOOL rdp_write_remote_programs_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 railSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\trailSupportLevel = RAIL_LEVEL_SUPPORTED;\n\n\tif (settings->RemoteApplicationSupportLevel & RAIL_LEVEL_DOCKED_LANGBAR_SUPPORTED)\n\t{\n\t\tif (settings->RemoteAppLanguageBarSupported)\n\t\t\trailSupportLevel |= RAIL_LEVEL_DOCKED_LANGBAR_SUPPORTED;\n\t}\n\n\trailSupportLevel |= RAIL_LEVEL_SHELL_INTEGRATION_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_LANGUAGE_IME_SYNC_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_SERVER_TO_CLIENT_IME_SYNC_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_HIDE_MINIMIZED_APPS_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_WINDOW_CLOAKING_SUPPORTED;\n\trailSupportLevel |= RAIL_LEVEL_HANDSHAKE_EX_SUPPORTED;\n\t/* Mask out everything the server does not support. */\n\trailSupportLevel &= settings->RemoteApplicationSupportLevel;\n\tStream_Write_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_RAIL);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 193709063470865603451783243875991335784,
- "size": 29,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409659
- },
- {
- "func": "static BOOL rdp_print_font_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 fontSupportFlags = 0;\n\tUINT16 pad2Octets = 0;\n\tWLog_INFO(TAG, \"FontCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length > 4)\n\t\tStream_Read_UINT16(s, fontSupportFlags); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 6)\n\t\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\n\tWLog_INFO(TAG, \"\\tfontSupportFlags: 0x%04\" PRIX16 \"\", fontSupportFlags);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 287219390919017726670088650927058088376,
- "size": 16,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409619
- },
- {
- "func": "static BOOL rdp_read_glyph_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tif (length < 52)\n\t\treturn FALSE;\n\n\t/* glyphCache (40 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[0])); /* glyphCache0 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[1])); /* glyphCache1 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[2])); /* glyphCache2 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[3])); /* glyphCache3 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[4])); /* glyphCache4 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[5])); /* glyphCache5 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[6])); /* glyphCache6 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[7])); /* glyphCache7 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[8])); /* glyphCache8 (4 bytes) */\n\trdp_read_cache_definition(s, &(settings->GlyphCache[9])); /* glyphCache9 (4 bytes) */\n\trdp_read_cache_definition(s, settings->FragCache); /* fragCache (4 bytes) */\n\tStream_Read_UINT16(s, settings->GlyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 290575542386525663549333405388088029038,
- "size": 21,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409625
- },
- {
- "func": "static BOOL rdp_read_capability_sets(wStream* s, rdpSettings* settings, UINT16 numberCapabilities,\n UINT16 totalLength)\n{\n\tBOOL treated;\n\tsize_t start, end, len;\n\tUINT16 count = numberCapabilities;\n\n\tstart = Stream_GetPosition(s);\n\twhile (numberCapabilities > 0 && Stream_GetRemainingLength(s) >= 4)\n\t{\n\t\tUINT16 type;\n\t\tUINT16 length;\n\t\tBYTE* em;\n\t\tBYTE* bm = Stream_Pointer(s);\n\t\trdp_read_capability_set_header(s, &length, &type);\n\n\t\tif (type < 32)\n\t\t{\n\t\t\tsettings->ReceivedCapabilities[type] = TRUE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tWLog_WARN(TAG, \"not handling capability type %\" PRIu16 \" yet\", type);\n\t\t}\n\n\t\tem = bm + length;\n\n\t\tif (Stream_GetRemainingLength(s) + 4 < ((size_t)length))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"error processing stream\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\ttreated = TRUE;\n\n\t\tswitch (type)\n\t\t{\n\t\t\tcase CAPSET_TYPE_GENERAL:\n\t\t\t\tif (!rdp_read_general_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP:\n\t\t\t\tif (!rdp_read_bitmap_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ORDER:\n\t\t\t\tif (!rdp_read_order_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_POINTER:\n\t\t\t\tif (!rdp_read_pointer_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_INPUT:\n\t\t\t\tif (!rdp_read_input_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_VIRTUAL_CHANNEL:\n\t\t\t\tif (!rdp_read_virtual_channel_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SHARE:\n\t\t\t\tif (!rdp_read_share_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COLOR_CACHE:\n\t\t\t\tif 
(!rdp_read_color_cache_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FONT:\n\t\t\t\tif (!rdp_read_font_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_GDI_PLUS:\n\t\t\t\tif (!rdp_read_draw_gdiplus_cache_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_RAIL:\n\t\t\t\tif (!rdp_read_remote_programs_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_WINDOW:\n\t\t\t\tif (!rdp_read_window_list_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_MULTI_FRAGMENT_UPDATE:\n\t\t\t\tif (!rdp_read_multifragment_update_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_LARGE_POINTER:\n\t\t\t\tif (!rdp_read_large_pointer_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COMP_DESK:\n\t\t\t\tif (!rdp_read_desktop_composition_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SURFACE_COMMANDS:\n\t\t\t\tif (!rdp_read_surface_commands_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CODECS:\n\t\t\t\tif (!rdp_read_bitmap_codecs_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FRAME_ACKNOWLEDGE:\n\t\t\t\tif (!rdp_read_frame_acknowledge_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID:\n\t\t\t\tif (!rdp_read_bitmap_cache_v3_codec_id_capability_set(s, length, settings))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\ttreated = FALSE;\n\t\t\t\tbreak;\n\t\t}\n\n\t\tif (!treated)\n\t\t{\n\t\t\tif 
(settings->ServerMode)\n\t\t\t{\n\t\t\t\t/* treating capabilities that are supposed to be send only from the client */\n\t\t\t\tswitch (type)\n\t\t\t\t{\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V2:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_v2_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_BRUSH:\n\t\t\t\t\t\tif (!rdp_read_brush_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_GLYPH_CACHE:\n\t\t\t\t\t\tif (!rdp_read_glyph_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_OFFSCREEN_CACHE:\n\t\t\t\t\t\tif (!rdp_read_offscreen_bitmap_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_SOUND:\n\t\t\t\t\t\tif (!rdp_read_sound_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_CONTROL:\n\t\t\t\t\t\tif (!rdp_read_control_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_ACTIVATION:\n\t\t\t\t\t\tif (!rdp_read_window_activation_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase CAPSET_TYPE_DRAW_NINE_GRID_CACHE:\n\t\t\t\t\t\tif (!rdp_read_draw_nine_grid_cache_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tWLog_ERR(TAG, \"capability %s(%\" PRIu16 \") not expected from client\",\n\t\t\t\t\t\t get_capability_name(type), type);\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t/* treating capabilities that are supposed to be send only from the 
server */\n\t\t\t\tswitch (type)\n\t\t\t\t{\n\t\t\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT:\n\t\t\t\t\t\tif (!rdp_read_bitmap_cache_host_support_capability_set(s, length, settings))\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tWLog_ERR(TAG, \"capability %s(%\" PRIu16 \") not expected from server\",\n\t\t\t\t\t\t get_capability_name(type), type);\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (Stream_Pointer(s) != em)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"incorrect offset, type:0x%04\" PRIX16 \" actual:%\" PRIuz \" expected:%\" PRIuz \"\",\n\t\t\t type, Stream_Pointer(s) - bm, em - bm);\n\t\t\tStream_SetPointer(s, em);\n\t\t}\n\n\t\tnumberCapabilities--;\n\t}\n\n\tend = Stream_GetPosition(s);\n\tlen = end - start;\n\n\tif (numberCapabilities)\n\t{\n\t\tWLog_ERR(TAG,\n\t\t \"strange we haven't read the number of announced capacity sets, read=%d \"\n\t\t \"expected=%\" PRIu16 \"\",\n\t\t count - numberCapabilities, count);\n\t}\n\n#ifdef WITH_DEBUG_CAPABILITIES\n\t{\n\t\tStream_SetPosition(s, start);\n\t\tnumberCapabilities = count;\n\t\trdp_print_capability_sets(s, numberCapabilities, TRUE);\n\t\tStream_SetPosition(s, end);\n\t}\n#endif\n\n\tif (len > totalLength)\n\t{\n\t\tWLog_ERR(TAG, \"Capability length expected %\" PRIu16 \", actual %\" PRIdz, totalLength, len);\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 67779701891338520668353647467913614405,
- "size": 280,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409685
- },
- {
- "func": "static BOOL rdp_read_color_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* colorTableCacheSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 170743954534991278023661558618450335809,
- "size": 10,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409683
- },
- {
- "func": "static void rdp_write_bitmap_cache_cell_info(wStream* s, BITMAP_CACHE_V2_CELL_INFO* cellInfo)\n{\n\tUINT32 info;\n\t/**\n\t * numEntries is in the first 31 bits, while the last bit (k)\n\t * is used to indicate a persistent bitmap cache.\n\t */\n\tinfo = (cellInfo->numEntries | (cellInfo->persistent << 31));\n\tStream_Write_UINT32(s, info);\n}",
- "project": "FreeRDP",
- "hash": 315141264147868383992564277570837036722,
- "size": 10,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409626
- },
- {
- "func": "static BOOL rdp_read_offscreen_bitmap_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 offscreenSupportLevel;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, settings->OffscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, settings->OffscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\n\tif (offscreenSupportLevel & TRUE)\n\t\tsettings->OffscreenSupportLevel = TRUE;\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 62983332440671309324742543335528050053,
- "size": 17,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409615
- },
- {
- "func": "static BOOL rdp_write_color_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 6); /* colorTableCacheSize (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_COLOR_CACHE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 278164959863837085932912697446259628534,
- "size": 16,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409652
- },
- {
- "func": "static BOOL rdp_print_window_activation_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 helpKeyFlag;\n\tUINT16 helpKeyIndexFlag;\n\tUINT16 helpExtendedKeyFlag;\n\tUINT16 windowManagerKeyFlag;\n\tWLog_INFO(TAG, \"WindowActivationCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, helpKeyFlag); /* helpKeyFlag (2 bytes) */\n\tStream_Read_UINT16(s, helpKeyIndexFlag); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Read_UINT16(s, helpExtendedKeyFlag); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Read_UINT16(s, windowManagerKeyFlag); /* windowManagerKeyFlag (2 bytes) */\n\tWLog_INFO(TAG, \"\\thelpKeyFlag: 0x%04\" PRIX16 \"\", helpKeyFlag);\n\tWLog_INFO(TAG, \"\\thelpKeyIndexFlag: 0x%04\" PRIX16 \"\", helpKeyIndexFlag);\n\tWLog_INFO(TAG, \"\\thelpExtendedKeyFlag: 0x%04\" PRIX16 \"\", helpExtendedKeyFlag);\n\tWLog_INFO(TAG, \"\\twindowManagerKeyFlag: 0x%04\" PRIX16 \"\", windowManagerKeyFlag);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 153479571757899139175602773326518312374,
- "size": 21,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409628
- },
- {
- "func": "static BOOL rdp_print_remote_programs_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 railSupportLevel;\n\tWLog_INFO(TAG, \"RemoteProgramsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\tWLog_INFO(TAG, \"\\trailSupportLevel: 0x%08\" PRIX32 \"\", railSupportLevel);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 72639172899165116266830345752544775949,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409587
- },
- {
- "func": "BOOL rdp_send_demand_active(rdpRdp* rdp)\n{\n\twStream* s = rdp_send_stream_pdu_init(rdp);\n\tBOOL status;\n\n\tif (!s)\n\t\treturn FALSE;\n\n\trdp->settings->ShareId = 0x10000 + rdp->mcs->userId;\n\tstatus = rdp_write_demand_active(s, rdp->settings) &&\n\t rdp_send_pdu(rdp, s, PDU_TYPE_DEMAND_ACTIVE, rdp->mcs->userId);\n\tStream_Release(s);\n\treturn status;\n}",
- "project": "FreeRDP",
- "hash": 205696353185449835056499661961516775413,
- "size": 14,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409586
- },
- {
- "func": "static BOOL rdp_read_window_list_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tif (length < 11)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, settings->RemoteWndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Read_UINT8(s, settings->RemoteAppNumIconCaches); /* numIconCaches (1 byte) */\n\tStream_Read_UINT16(s,\n\t settings->RemoteAppNumIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 67896909242570986520479535524505651635,
- "size": 11,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409665
- },
- {
- "func": "static BOOL rdp_write_rfx_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tUINT32 captureFlags;\n\tBYTE codecMode;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\tcaptureFlags = settings->RemoteFxOnly ? 0 : CARDP_CAPS_CAPTURE_NON_CAC;\n\tcodecMode = settings->RemoteFxCodecMode;\n\tStream_Write_UINT16(s, 49); /* codecPropertiesLength */\n\t/* TS_RFX_CLNT_CAPS_CONTAINER */\n\tStream_Write_UINT32(s, 49); /* length */\n\tStream_Write_UINT32(s, captureFlags); /* captureFlags */\n\tStream_Write_UINT32(s, 37); /* capsLength */\n\t/* TS_RFX_CAPS */\n\tStream_Write_UINT16(s, CBY_CAPS); /* blockType */\n\tStream_Write_UINT32(s, 8); /* blockLen */\n\tStream_Write_UINT16(s, 1); /* numCapsets */\n\t/* TS_RFX_CAPSET */\n\tStream_Write_UINT16(s, CBY_CAPSET); /* blockType */\n\tStream_Write_UINT32(s, 29); /* blockLen */\n\tStream_Write_UINT8(s, 0x01); /* codecId (MUST be set to 0x01) */\n\tStream_Write_UINT16(s, CLY_CAPSET); /* capsetType */\n\tStream_Write_UINT16(s, 2); /* numIcaps */\n\tStream_Write_UINT16(s, 8); /* icapLen */\n\t/* TS_RFX_ICAP (RLGR1) */\n\tStream_Write_UINT16(s, CLW_VERSION_1_0); /* version */\n\tStream_Write_UINT16(s, CT_TILE_64x64); /* tileSize */\n\tStream_Write_UINT8(s, codecMode); /* flags */\n\tStream_Write_UINT8(s, CLW_COL_CONV_ICT); /* colConvBits */\n\tStream_Write_UINT8(s, CLW_XFORM_DWT_53_A); /* transformBits */\n\tStream_Write_UINT8(s, CLW_ENTROPY_RLGR1); /* entropyBits */\n\t/* TS_RFX_ICAP (RLGR3) */\n\tStream_Write_UINT16(s, CLW_VERSION_1_0); /* version */\n\tStream_Write_UINT16(s, CT_TILE_64x64); /* tileSize */\n\tStream_Write_UINT8(s, codecMode); /* flags */\n\tStream_Write_UINT8(s, CLW_COL_CONV_ICT); /* colConvBits */\n\tStream_Write_UINT8(s, CLW_XFORM_DWT_53_A); /* transformBits */\n\tStream_Write_UINT8(s, CLW_ENTROPY_RLGR3); /* entropyBits */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 200878113568940200705345537700818220319,
- "size": 42,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409602
- },
- {
- "func": "BOOL rdp_send_confirm_active(rdpRdp* rdp)\n{\n\twStream* s = rdp_send_stream_pdu_init(rdp);\n\tBOOL status;\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tstatus = rdp_write_confirm_active(s, rdp->settings) &&\n\t rdp_send_pdu(rdp, s, PDU_TYPE_CONFIRM_ACTIVE, rdp->mcs->userId);\n\tStream_Release(s);\n\treturn status;\n}",
- "project": "FreeRDP",
- "hash": 303361272103618703355733933078905733598,
- "size": 13,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409681
- },
- {
- "func": "static BOOL rdp_write_virtual_channel_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 flags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tflags = VCCAPS_NO_COMPR;\n\tStream_Write_UINT32(s, flags); /* flags (4 bytes) */\n\tStream_Write_UINT32(s, settings->VirtualChannelChunkSize); /* VCChunkSize (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_VIRTUAL_CHANNEL);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 307084930192072983573817185031030778059,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409688
- },
- {
- "func": "BOOL rdp_recv_confirm_active(rdpRdp* rdp, wStream* s, UINT16 pduLength)\n{\n\trdpSettings* settings;\n\tUINT16 lengthSourceDescriptor;\n\tUINT16 lengthCombinedCapabilities;\n\tUINT16 numberCapabilities;\n\tsettings = rdp->settings;\n\n\tif (Stream_GetRemainingLength(s) < 10)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* shareId (4 bytes) */\n\tStream_Seek_UINT16(s); /* originatorId (2 bytes) */\n\tStream_Read_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tStream_Read_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\n\tif (Stream_GetRemainingLength(s) < lengthSourceDescriptor + 4U)\n\t\treturn FALSE;\n\n\tStream_Seek(s, lengthSourceDescriptor); /* sourceDescriptor */\n\tStream_Read_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n\tStream_Seek(s, 2); /* pad2Octets (2 bytes) */\n\tif (!rdp_read_capability_sets(s, rdp->settings, numberCapabilities, lengthCombinedCapabilities))\n\t\treturn FALSE;\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_SURFACE_COMMANDS])\n\t{\n\t\t/* client does not support surface commands */\n\t\tsettings->SurfaceCommandsEnabled = FALSE;\n\t\tsettings->SurfaceFrameMarkerEnabled = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_FRAME_ACKNOWLEDGE])\n\t{\n\t\t/* client does not support frame acks */\n\t\tsettings->FrameAcknowledge = 0;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID])\n\t{\n\t\t/* client does not support bitmap cache v3 */\n\t\tsettings->BitmapCacheV3Enabled = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CODECS])\n\t{\n\t\t/* client does not support bitmap codecs */\n\t\tsettings->RemoteFxCodec = FALSE;\n\t\tsettings->NSCodec = FALSE;\n\t\tsettings->JpegCodec = FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_MULTI_FRAGMENT_UPDATE])\n\t{\n\t\t/* client does not support multi fragment updates - make sure packages are not fragmented 
*/\n\t\tsettings->MultifragMaxRequestSize = FASTPATH_FRAGMENT_SAFE_SIZE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_LARGE_POINTER])\n\t{\n\t\t/* client does not support large pointers */\n\t\tsettings->LargePointerFlag = 0;\n\t}\n\n\treturn tpkt_ensure_stream_consumed(s, pduLength);\n}",
- "project": "FreeRDP",
- "hash": 91493289017108646570943692625390752372,
- "size": 66,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409640
- },
- {
- "func": "static BOOL rdp_write_large_pointer_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 largePointerSupportFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tlargePointerSupportFlags =\n\t settings->LargePointerFlag & (LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384);\n\tStream_Write_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_LARGE_POINTER);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 109685188564620579761907320676178023525,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409616
- },
- {
- "func": "static BOOL rdp_write_frame_acknowledge_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, settings->FrameAcknowledge); /* (4 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_FRAME_ACKNOWLEDGE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 191472304007744135114926456006727424452,
- "size": 14,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409591
- },
- {
- "func": "static BOOL rdp_print_sound_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 soundFlags;\n\tUINT16 pad2OctetsA;\n\tWLog_INFO(TAG, \"SoundCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tWLog_INFO(TAG, \"\\tsoundFlags: 0x%04\" PRIX16 \"\", soundFlags);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 270468318396106321627842466475171868710,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409690
- },
- {
- "func": "static BOOL rdp_print_offscreen_bitmap_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 offscreenSupportLevel;\n\tUINT16 offscreenCacheSize;\n\tUINT16 offscreenCacheEntries;\n\tWLog_INFO(TAG, \"OffscreenBitmapCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, offscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, offscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\tWLog_INFO(TAG, \"\\toffscreenSupportLevel: 0x%08\" PRIX32 \"\", offscreenSupportLevel);\n\tWLog_INFO(TAG, \"\\toffscreenCacheSize: 0x%04\" PRIX16 \"\", offscreenCacheSize);\n\tWLog_INFO(TAG, \"\\toffscreenCacheEntries: 0x%04\" PRIX16 \"\", offscreenCacheEntries);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 52430610983265653194826083004421839498,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409663
- },
- {
- "func": "static void rdp_read_bitmap_codec_guid(wStream* s, GUID* guid)\n{\n\tBYTE g[16];\n\tStream_Read(s, g, 16);\n\tguid->Data1 = (g[3] << 24) | (g[2] << 16) | (g[1] << 8) | g[0];\n\tguid->Data2 = (g[5] << 8) | g[4];\n\tguid->Data3 = (g[7] << 8) | g[6];\n\tguid->Data4[0] = g[8];\n\tguid->Data4[1] = g[9];\n\tguid->Data4[2] = g[10];\n\tguid->Data4[3] = g[11];\n\tguid->Data4[4] = g[12];\n\tguid->Data4[5] = g[13];\n\tguid->Data4[6] = g[14];\n\tguid->Data4[7] = g[15];\n}",
- "project": "FreeRDP",
- "hash": 4886774312460546608647694875224936828,
- "size": 16,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409620
- },
- {
- "func": "static BOOL rdp_print_frame_acknowledge_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 frameAcknowledge;\n\tWLog_INFO(TAG, \"FrameAcknowledgeCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, frameAcknowledge); /* frameAcknowledge (4 bytes) */\n\tWLog_INFO(TAG, \"\\tframeAcknowledge: 0x%08\" PRIX32 \"\", frameAcknowledge);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 160917538292160124231779813896302866645,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409678
- },
- {
- "func": "static void rdp_write_cache_definition(wStream* s, GLYPH_CACHE_DEFINITION* cache_definition)\n{\n\tStream_Write_UINT16(s, cache_definition->cacheEntries); /* cacheEntries (2 bytes) */\n\tStream_Write_UINT16(\n\t s, cache_definition->cacheMaximumCellSize); /* cacheMaximumCellSize (2 bytes) */\n}",
- "project": "FreeRDP",
- "hash": 242617420166332381831381736771931983231,
- "size": 6,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409593
- },
- {
- "func": "static BOOL rdp_write_confirm_active(wStream* s, rdpSettings* settings)\n{\n\tsize_t bm, em, lm;\n\tUINT16 numberCapabilities;\n\tUINT16 lengthSourceDescriptor;\n\tsize_t lengthCombinedCapabilities;\n\tBOOL ret;\n\tlengthSourceDescriptor = sizeof(SOURCE_DESCRIPTOR);\n\tStream_Write_UINT32(s, settings->ShareId); /* shareId (4 bytes) */\n\tStream_Write_UINT16(s, 0x03EA); /* originatorId (2 bytes) */\n\tStream_Write_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tlm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_Write(s, SOURCE_DESCRIPTOR, lengthSourceDescriptor); /* sourceDescriptor */\n\tbm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* numberCapabilities (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\t/* Capability Sets */\n\tnumberCapabilities = 15;\n\n\tif (!rdp_write_general_capability_set(s, settings) ||\n\t !rdp_write_bitmap_capability_set(s, settings) ||\n\t !rdp_write_order_capability_set(s, settings))\n\t\treturn FALSE;\n\n\tif (settings->RdpVersion >= RDP_VERSION_5_PLUS)\n\t\tret = rdp_write_bitmap_cache_v2_capability_set(s, settings);\n\telse\n\t\tret = rdp_write_bitmap_cache_capability_set(s, settings);\n\n\tif (!ret)\n\t\treturn FALSE;\n\n\tif (!rdp_write_pointer_capability_set(s, settings) ||\n\t !rdp_write_input_capability_set(s, settings) ||\n\t !rdp_write_brush_capability_set(s, settings) ||\n\t !rdp_write_glyph_cache_capability_set(s, settings) ||\n\t !rdp_write_virtual_channel_capability_set(s, settings) ||\n\t !rdp_write_sound_capability_set(s, settings) ||\n\t !rdp_write_share_capability_set(s, settings) ||\n\t !rdp_write_font_capability_set(s, settings) ||\n\t !rdp_write_control_capability_set(s, settings) ||\n\t !rdp_write_color_cache_capability_set(s, settings) ||\n\t !rdp_write_window_activation_capability_set(s, settings))\n\t{\n\t\treturn FALSE;\n\t}\n\n\tif 
(settings->OffscreenSupportLevel)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_offscreen_bitmap_cache_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->DrawNineGridEnabled)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_draw_nine_grid_cache_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_LARGE_POINTER])\n\t{\n\t\tif (settings->LargePointerFlag)\n\t\t{\n\t\t\tnumberCapabilities++;\n\n\t\t\tif (!rdp_write_large_pointer_capability_set(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tif (settings->RemoteApplicationMode)\n\t{\n\t\tnumberCapabilities += 2;\n\n\t\tif (!rdp_write_remote_programs_capability_set(s, settings) ||\n\t\t !rdp_write_window_list_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_MULTI_FRAGMENT_UPDATE])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_multifragment_update_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_SURFACE_COMMANDS])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_surface_commands_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CODECS])\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_bitmap_codecs_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (!settings->ReceivedCapabilities[CAPSET_TYPE_FRAME_ACKNOWLEDGE])\n\t\tsettings->FrameAcknowledge = 0;\n\n\tif (settings->FrameAcknowledge)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_frame_acknowledge_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->ReceivedCapabilities[CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID])\n\t{\n\t\tif (settings->BitmapCacheV3CodecId != 0)\n\t\t{\n\t\t\tnumberCapabilities++;\n\n\t\t\tif (!rdp_write_bitmap_cache_v3_codec_id_capability_set(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tem = 
Stream_GetPosition(s);\n\tStream_SetPosition(s, lm); /* go back to lengthCombinedCapabilities */\n\tlengthCombinedCapabilities = (em - bm);\n\tif (lengthCombinedCapabilities > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(\n\t s, (UINT16)lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_SetPosition(s, bm); /* go back to numberCapabilities */\n\tStream_Write_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n#ifdef WITH_DEBUG_CAPABILITIES\n\tStream_Seek_UINT16(s);\n\trdp_print_capability_sets(s, numberCapabilities, FALSE);\n\tStream_SetPosition(s, bm);\n\tStream_Seek_UINT16(s);\n#endif\n\tStream_SetPosition(s, em);\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 327946317814750375154764007246473998380,
- "size": 149,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409592
- },
- {
- "func": "static BOOL rdp_write_surface_commands_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 cmdFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcmdFlags = SURFCMDS_SET_SURFACE_BITS | SURFCMDS_STREAM_SURFACE_BITS;\n\n\tif (settings->SurfaceFrameMarkerEnabled)\n\t\tcmdFlags |= SURFCMDS_FRAME_MARKER;\n\n\tStream_Write_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* reserved (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_SURFACE_COMMANDS);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 265887635769419825443180195929426885533,
- "size": 19,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409621
- },
- {
- "func": "static char* rdp_get_bitmap_codec_guid_name(const GUID* guid)\n{\n\tRPC_STATUS rpc_status;\n\n\tif (UuidEqual(guid, &CODEC_GUID_REMOTEFX, &rpc_status))\n\t\treturn \"CODEC_GUID_REMOTEFX\";\n\telse if (UuidEqual(guid, &CODEC_GUID_NSCODEC, &rpc_status))\n\t\treturn \"CODEC_GUID_NSCODEC\";\n\telse if (UuidEqual(guid, &CODEC_GUID_IGNORE, &rpc_status))\n\t\treturn \"CODEC_GUID_IGNORE\";\n\telse if (UuidEqual(guid, &CODEC_GUID_IMAGE_REMOTEFX, &rpc_status))\n\t\treturn \"CODEC_GUID_IMAGE_REMOTEFX\";\n\n#if defined(WITH_JPEG)\n\telse if (UuidEqual(guid, &CODEC_GUID_JPEG, &rpc_status))\n\t\treturn \"CODEC_GUID_JPEG\";\n\n#endif\n\treturn \"CODEC_GUID_UNKNOWN\";\n}",
- "project": "FreeRDP",
- "hash": 155254763281841975956016535383696375092,
- "size": 20,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409680
- },
- {
- "func": "static BOOL rdp_read_control_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* controlFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* remoteDetachFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* controlInterest (2 bytes) */\n\tStream_Seek_UINT16(s); /* detachInterest (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 246788064512336968283169931181073093043,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409614
- },
- {
- "func": "static BOOL rdp_print_draw_nine_grid_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 drawNineGridSupportLevel;\n\tUINT16 DrawNineGridCacheSize;\n\tUINT16 DrawNineGridCacheEntries;\n\tWLog_INFO(TAG, \"DrawNineGridCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 99697391840067480834853895868286238230,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409579
- },
- {
- "func": "static BOOL rdp_read_font_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length > 4)\n\t\tStream_Seek_UINT16(s); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 6)\n\t\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 63945765978373457675419959857261610616,
- "size": 11,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 1,
- "dataset": "other",
- "idx": 208417
- },
- {
- "func": "static BOOL rdp_read_font_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length > 5)\n\t\tStream_Seek_UINT16(s); /* fontSupportFlags (2 bytes) */\n\n\tif (length > 7)\n\t\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 92561895110037279576315503246460434637,
- "size": 11,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409646
- },
- {
- "func": "static BOOL rdp_print_large_pointer_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 largePointerSupportFlags;\n\tWLog_INFO(TAG, \"LargePointerCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\tWLog_INFO(TAG, \"\\tlargePointerSupportFlags: 0x%04\" PRIX16 \"\", largePointerSupportFlags);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 339958623772639294175049811240387745622,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409623
- },
- {
- "func": "static BOOL rdp_read_window_activation_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* helpKeyFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* windowManagerKeyFlag (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 92929385624240835162166734974587379320,
- "size": 13,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409684
- },
- {
- "func": "static void rdp_print_bitmap_codec_guid(const GUID* guid)\n{\n\tWLog_INFO(TAG,\n\t \"%08\" PRIX32 \"%04\" PRIX16 \"%04\" PRIX16 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8\n\t \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"%02\" PRIX8 \"\",\n\t guid->Data1, guid->Data2, guid->Data3, guid->Data4[0], guid->Data4[1], guid->Data4[2],\n\t guid->Data4[3], guid->Data4[4], guid->Data4[5], guid->Data4[6], guid->Data4[7]);\n}",
- "project": "FreeRDP",
- "hash": 77099897294778299773712257711439024635,
- "size": 8,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409651
- },
- {
- "func": "static BOOL rdp_print_window_list_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 wndSupportLevel;\n\tBYTE numIconCaches;\n\tUINT16 numIconCacheEntries;\n\tWLog_INFO(TAG, \"WindowListCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 11)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, wndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Read_UINT8(s, numIconCaches); /* numIconCaches (1 byte) */\n\tStream_Read_UINT16(s, numIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\tWLog_INFO(TAG, \"\\twndSupportLevel: 0x%08\" PRIX32 \"\", wndSupportLevel);\n\tWLog_INFO(TAG, \"\\tnumIconCaches: 0x%02\" PRIX8 \"\", numIconCaches);\n\tWLog_INFO(TAG, \"\\tnumIconCacheEntries: 0x%04\" PRIX16 \"\", numIconCacheEntries);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 56084745407537054957836216665066621553,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409638
- },
- {
- "func": "static BOOL rdp_write_share_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 nodeId;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tnodeId = (settings->ServerMode) ? 0x03EA : 0;\n\tStream_Write_UINT16(s, nodeId); /* nodeId (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_SHARE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 26910384615262271113922396983420701080,
- "size": 17,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409596
- },
- {
- "func": "static BOOL rdp_print_brush_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 brushSupportLevel;\n\tWLog_INFO(TAG, \"BrushCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, brushSupportLevel); /* brushSupportLevel (4 bytes) */\n\tWLog_INFO(TAG, \"\\tbrushSupportLevel: 0x%08\" PRIX32 \"\", brushSupportLevel);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 285436586425045297137013893498254341233,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409581
- },
- {
- "func": "static BOOL rdp_read_desktop_composition_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* compDeskSupportLevel (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 257896305155583954962696210326662575434,
- "size": 9,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409612
- },
- {
- "func": "static BOOL rdp_write_offscreen_bitmap_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 offscreenSupportLevel = 0x00;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->OffscreenSupportLevel)\n\t{\n\t\toffscreenSupportLevel = 0x01;\n\t\tStream_Write_UINT32(s, offscreenSupportLevel); /* offscreenSupportLevel (4 bytes) */\n\t\tStream_Write_UINT16(s, settings->OffscreenCacheSize); /* offscreenCacheSize (2 bytes) */\n\t\tStream_Write_UINT16(s,\n\t\t settings->OffscreenCacheEntries); /* offscreenCacheEntries (2 bytes) */\n\t}\n\telse\n\t\tStream_Zero(s, 8);\n\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_OFFSCREEN_CACHE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 34976567181626346706020341189913124378,
- "size": 25,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409672
- },
- {
- "func": "static BOOL rdp_print_bitmap_cache_v2_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 cacheFlags;\n\tBYTE pad2;\n\tBYTE numCellCaches;\n\tBITMAP_CACHE_V2_CELL_INFO bitmapCacheV2CellInfo[5];\n\tWLog_INFO(TAG, \"BitmapCacheV2CapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, cacheFlags); /* cacheFlags (2 bytes) */\n\tStream_Read_UINT8(s, pad2); /* pad2 (1 byte) */\n\tStream_Read_UINT8(s, numCellCaches); /* numCellCaches (1 byte) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[0]); /* bitmapCache0CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[1]); /* bitmapCache1CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[2]); /* bitmapCache2CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[3]); /* bitmapCache3CellInfo (4 bytes) */\n\trdp_read_bitmap_cache_cell_info(s,\n\t &bitmapCacheV2CellInfo[4]); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Seek(s, 12); /* pad3 (12 bytes) */\n\tWLog_INFO(TAG, \"\\tcacheFlags: 0x%04\" PRIX16 \"\", cacheFlags);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%02\" PRIX8 \"\", pad2);\n\tWLog_INFO(TAG, \"\\tnumCellCaches: 0x%02\" PRIX8 \"\", numCellCaches);\n\tWLog_INFO(TAG, \"\\tbitmapCache0CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[0].numEntries, bitmapCacheV2CellInfo[0].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache1CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[1].numEntries, bitmapCacheV2CellInfo[1].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache2CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[2].numEntries, bitmapCacheV2CellInfo[2].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache3CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[3].numEntries, 
bitmapCacheV2CellInfo[3].persistent);\n\tWLog_INFO(TAG, \"\\tbitmapCache4CellInfo: numEntries: %\" PRIu32 \" persistent: %\" PRId32 \"\",\n\t bitmapCacheV2CellInfo[4].numEntries, bitmapCacheV2CellInfo[4].persistent);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 296655781578711417366859937464765040063,
- "size": 40,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409608
- },
- {
- "func": "static BOOL rdp_read_general_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 extraFlags;\n\tBYTE refreshRectSupport;\n\tBYTE suppressOutputSupport;\n\n\tif (length < 24)\n\t\treturn FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT16(s, settings->OsMajorType); /* osMajorType (2 bytes) */\n\t\tStream_Read_UINT16(s, settings->OsMinorType); /* osMinorType (2 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT16(s); /* osMajorType (2 bytes) */\n\t\tStream_Seek_UINT16(s); /* osMinorType (2 bytes) */\n\t}\n\n\tStream_Seek_UINT16(s); /* protocolVersion (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tStream_Seek_UINT16(s); /* generalCompressionTypes (2 bytes) */\n\tStream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* updateCapabilityFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* remoteUnshareFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* generalCompressionLevel (2 bytes) */\n\tStream_Read_UINT8(s, refreshRectSupport); /* refreshRectSupport (1 byte) */\n\tStream_Read_UINT8(s, suppressOutputSupport); /* suppressOutputSupport (1 byte) */\n\tsettings->NoBitmapCompressionHeader = (extraFlags & NO_BITMAP_COMPRESSION_HDR) ? TRUE : FALSE;\n\tsettings->LongCredentialsSupported = (extraFlags & LONG_CREDENTIALS_SUPPORTED) ? TRUE : FALSE;\n\n\tif (!(extraFlags & FASTPATH_OUTPUT_SUPPORTED))\n\t\tsettings->FastPathOutput = FALSE;\n\n\tif (!(extraFlags & ENC_SALTED_CHECKSUM))\n\t\tsettings->SaltedChecksum = FALSE;\n\n\tif (!settings->ServerMode)\n\t{\n\t\t/**\n\t\t * Note: refreshRectSupport and suppressOutputSupport are\n\t\t * server-only flags indicating to the client weather the\n\t\t * respective PDUs are supported. See MS-RDPBCGR 2.2.7.1.1\n\t\t */\n\t\tif (!refreshRectSupport)\n\t\t\tsettings->RefreshRect = FALSE;\n\n\t\tif (!suppressOutputSupport)\n\t\t\tsettings->SuppressOutput = FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 849871180783904750462910493265742730,
- "size": 54,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409649
- },
- {
- "func": "static BOOL rdp_write_rfx_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 4); /* codecPropertiesLength */\n\tStream_Write_UINT32(s, 0); /* reserved */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 30381998541812809023414048959611680622,
- "size": 10,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409647
- },
- {
- "func": "static BOOL rdp_print_color_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 colorTableCacheSize;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"ColorCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, colorTableCacheSize); /* colorTableCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcolorTableCacheSize: 0x%04\" PRIX16 \"\", colorTableCacheSize);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 147412173596886311190003265789714347848,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409682
- },
- {
- "func": "static BOOL rdp_read_virtual_channel_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 flags;\n\tUINT32 VCChunkSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, flags); /* flags (4 bytes) */\n\n\tif (length > 8)\n\t\tStream_Read_UINT32(s, VCChunkSize); /* VCChunkSize (4 bytes) */\n\telse\n\t\tVCChunkSize = 1600;\n\n\tif (settings->ServerMode != TRUE)\n\t\tsettings->VirtualChannelChunkSize = VCChunkSize;\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 290598108437996799579687211407031343101,
- "size": 21,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409597
- },
- {
- "func": "static BOOL rdp_read_order_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tint i;\n\tUINT16 orderFlags;\n\tBYTE orderSupport[32];\n\tUINT16 orderSupportExFlags;\n\tBOOL BitmapCacheV3Enabled = FALSE;\n\tBOOL FrameMarkerCommandEnabled = FALSE;\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Seek(s, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Seek_UINT32(s); /* pad4OctetsA (4 bytes) */\n\tStream_Seek_UINT16(s); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Seek_UINT16(s); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tStream_Seek_UINT16(s); /* maximumOrderLevel (2 bytes) */\n\tStream_Seek_UINT16(s); /* numberFonts (2 bytes) */\n\tStream_Read_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Read(s, orderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Seek_UINT16(s); /* textFlags (2 bytes) */\n\tStream_Read_UINT16(s, orderSupportExFlags); /* orderSupportExFlags (2 bytes) */\n\tStream_Seek_UINT32(s); /* pad4OctetsB (4 bytes) */\n\tStream_Seek_UINT32(s); /* desktopSaveSize (4 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsC (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsD (2 bytes) */\n\tStream_Seek_UINT16(s); /* textANSICodePage (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsE (2 bytes) */\n\n\tfor (i = 0; i < 32; i++)\n\t{\n\t\tif (orderSupport[i] == FALSE)\n\t\t\tsettings->OrderSupport[i] = FALSE;\n\t}\n\n\tif (orderFlags & ORDER_FLAGS_EXTRA_SUPPORT)\n\t{\n\t\tif (orderSupportExFlags & CACHE_BITMAP_V3_SUPPORT)\n\t\t\tBitmapCacheV3Enabled = TRUE;\n\n\t\tif (orderSupportExFlags & ALTSEC_FRAME_MARKER_SUPPORT)\n\t\t\tFrameMarkerCommandEnabled = TRUE;\n\t}\n\n\tif (settings->BitmapCacheV3Enabled && BitmapCacheV3Enabled)\n\t\tsettings->BitmapCacheVersion = 3;\n\telse\n\t\tsettings->BitmapCacheV3Enabled = FALSE;\n\n\tif (settings->FrameMarkerCommandEnabled && !FrameMarkerCommandEnabled)\n\t\tsettings->FrameMarkerCommandEnabled = FALSE;\n\n\treturn 
TRUE;\n}",
- "project": "FreeRDP",
- "hash": 189672869918992028391314712470791613301,
- "size": 55,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409676
- },
- {
- "func": "static BOOL rdp_write_nsc_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 4); /* codecPropertiesLength */\n\tStream_Write_UINT32(s, 0); /* reserved */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 60725325689248985919258800414909485501,
- "size": 10,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409601
- },
- {
- "func": "static BOOL rdp_write_bitmap_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tUINT32 bpp;\n\tsize_t header;\n\tUINT32 size;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tbpp = (settings->ColorDepth + 7) / 8;\n\tif (bpp > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, 0); /* pad1 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad2 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad3 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad5 (4 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad6 (4 bytes) */\n\tsize = bpp * 256;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 200); /* Cache0Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache0MaximumCellSize (2 bytes) */\n\tsize = bpp * 1024;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 600); /* Cache1Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache1MaximumCellSize (2 bytes) */\n\tsize = bpp * 4096;\n\tif (size > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 1000); /* Cache2Entries (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)size); /* Cache2MaximumCellSize (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 121157721180275409455921259823027389764,
- "size": 39,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409648
- },
- {
- "func": "static BOOL rdp_read_brush_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* brushSupportLevel (4 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 201932960273049902456905707665273606852,
- "size": 9,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409603
- },
- {
- "func": "static BOOL rdp_write_nsc_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tBYTE colorLossLevel;\n\tBYTE fAllowSubsampling;\n\tBYTE fAllowDynamicFidelity;\n\tfAllowDynamicFidelity = settings->NSCodecAllowDynamicColorFidelity;\n\tfAllowSubsampling = settings->NSCodecAllowSubsampling;\n\tcolorLossLevel = settings->NSCodecColorLossLevel;\n\n\tif (colorLossLevel < 1)\n\t\tcolorLossLevel = 1;\n\n\tif (colorLossLevel > 7)\n\t\tcolorLossLevel = 7;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 3); /* codecPropertiesLength */\n\t/* TS_NSCODEC_CAPABILITYSET */\n\tStream_Write_UINT8(s, fAllowDynamicFidelity); /* fAllowDynamicFidelity (1 byte) */\n\tStream_Write_UINT8(s, fAllowSubsampling); /* fAllowSubsampling (1 byte) */\n\tStream_Write_UINT8(s, colorLossLevel); /* colorLossLevel (1 byte) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 42897287390959164091468957982836296378,
- "size": 25,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409657
- },
- {
- "func": "static BOOL rdp_print_input_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 inputFlags;\n\tUINT16 pad2OctetsA;\n\tUINT32 keyboardLayout;\n\tUINT32 keyboardType;\n\tUINT32 keyboardSubType;\n\tUINT32 keyboardFunctionKey;\n\tWLog_INFO(TAG, \"InputCapabilitySet (length %\" PRIu16 \")\", length);\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT32(s, keyboardLayout); /* keyboardLayout (4 bytes) */\n\tStream_Read_UINT32(s, keyboardType); /* keyboardType (4 bytes) */\n\tStream_Read_UINT32(s, keyboardSubType); /* keyboardSubType (4 bytes) */\n\tStream_Read_UINT32(s, keyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\tStream_Seek(s, 64); /* imeFileName (64 bytes) */\n\tWLog_INFO(TAG, \"\\tinputFlags: 0x%04\" PRIX16 \"\", inputFlags);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tkeyboardLayout: 0x%08\" PRIX32 \"\", keyboardLayout);\n\tWLog_INFO(TAG, \"\\tkeyboardType: 0x%08\" PRIX32 \"\", keyboardType);\n\tWLog_INFO(TAG, \"\\tkeyboardSubType: 0x%08\" PRIX32 \"\", keyboardSubType);\n\tWLog_INFO(TAG, \"\\tkeyboardFunctionKey: 0x%08\" PRIX32 \"\", keyboardFunctionKey);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 92834056900707877098460532450876414616,
- "size": 28,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409650
- },
- {
- "func": "static BOOL rdp_write_pointer_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 colorPointerFlag;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->PointerCacheSize > UINT16_MAX)\n\t\treturn FALSE;\n\n\tcolorPointerFlag = (settings->ColorPointerFlag) ? 1 : 0;\n\tStream_Write_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Write_UINT16(s,\n\t (UINT16)settings->PointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\n\tif (settings->LargePointerFlag)\n\t{\n\t\tStream_Write_UINT16(s, (UINT16)settings->PointerCacheSize); /* pointerCacheSize (2 bytes) */\n\t}\n\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_POINTER);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 149417436358850467055827054446942927975,
- "size": 27,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409610
- },
- {
- "func": "static BOOL rdp_write_desktop_composition_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 compDeskSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcompDeskSupportLevel =\n\t (settings->AllowDesktopComposition) ? COMPDESK_SUPPORTED : COMPDESK_NOT_SUPPORTED;\n\tStream_Write_UINT16(s, compDeskSupportLevel); /* compDeskSupportLevel (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_COMP_DESK);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 273318921816338668560055755973757610116,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409643
- },
- {
- "func": "static BOOL rdp_write_bitmap_cache_host_support_capability_set(wStream* s,\n const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT8(s, BITMAP_CACHE_V2); /* cacheVersion (1 byte) */\n\tStream_Write_UINT8(s, 0); /* pad1 (1 byte) */\n\tStream_Write_UINT16(s, 0); /* pad2 (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 135633036669097795306427700527407315652,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409673
- },
- {
- "func": "static BOOL rdp_write_bitmap_cache_v3_codec_id_capability_set(wStream* s,\n const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->BitmapCacheV3CodecId > UINT8_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT8(s, (UINT8)settings->BitmapCacheV3CodecId);\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 10452923046637731164141377400720189331,
- "size": 17,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409624
- },
- {
- "func": "static BOOL rdp_read_bitmap_codecs_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tBYTE codecId;\n\tGUID codecGuid;\n\tRPC_STATUS rpc_status;\n\tBYTE bitmapCodecCount;\n\tUINT16 codecPropertiesLength;\n\tUINT16 remainingLength;\n\tBOOL guidNSCodec = FALSE;\n\tBOOL guidRemoteFx = FALSE;\n\tBOOL guidRemoteFxImage = FALSE;\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCodecCount); /* bitmapCodecCount (1 byte) */\n\tremainingLength = length - 5;\n\n\twhile (bitmapCodecCount > 0)\n\t{\n\t\tif (remainingLength < 19)\n\t\t\treturn FALSE;\n\n\t\trdp_read_bitmap_codec_guid(s, &codecGuid); /* codecGuid (16 bytes) */\n\t\tStream_Read_UINT8(s, codecId); /* codecId (1 byte) */\n\t\tStream_Read_UINT16(s, codecPropertiesLength); /* codecPropertiesLength (2 bytes) */\n\t\tremainingLength -= 19;\n\n\t\tif (remainingLength < codecPropertiesLength)\n\t\t\treturn FALSE;\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tUINT32 beg;\n\t\t\tUINT32 end;\n\t\t\tbeg = (UINT32)Stream_GetPosition(s);\n\t\t\tend = beg + codecPropertiesLength;\n\n\t\t\tif (UuidEqual(&codecGuid, &CODEC_GUID_REMOTEFX, &rpc_status))\n\t\t\t{\n\t\t\t\tUINT32 rfxCapsLength;\n\t\t\t\tUINT32 rfxPropsLength;\n\t\t\t\tUINT32 captureFlags;\n\t\t\t\tguidRemoteFx = TRUE;\n\t\t\t\tsettings->RemoteFxCodecId = codecId;\n\t\t\t\tStream_Read_UINT32(s, rfxPropsLength); /* length (4 bytes) */\n\t\t\t\tStream_Read_UINT32(s, captureFlags); /* captureFlags (4 bytes) */\n\t\t\t\tStream_Read_UINT32(s, rfxCapsLength); /* capsLength (4 bytes) */\n\t\t\t\tsettings->RemoteFxCaptureFlags = captureFlags;\n\t\t\t\tsettings->RemoteFxOnly = (captureFlags & CARDP_CAPS_CAPTURE_NON_CAC) ? 
TRUE : FALSE;\n\n\t\t\t\tif (rfxCapsLength)\n\t\t\t\t{\n\t\t\t\t\tUINT16 blockType;\n\t\t\t\t\tUINT32 blockLen;\n\t\t\t\t\tUINT16 numCapsets;\n\t\t\t\t\tBYTE rfxCodecId;\n\t\t\t\t\tUINT16 capsetType;\n\t\t\t\t\tUINT16 numIcaps;\n\t\t\t\t\tUINT16 icapLen;\n\t\t\t\t\t/* TS_RFX_CAPS */\n\t\t\t\t\tStream_Read_UINT16(s, blockType); /* blockType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT32(s, blockLen); /* blockLen (4 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, numCapsets); /* numCapsets (2 bytes) */\n\n\t\t\t\t\tif (blockType != 0xCBC0)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (blockLen != 8)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (numCapsets != 1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t/* TS_RFX_CAPSET */\n\t\t\t\t\tStream_Read_UINT16(s, blockType); /* blockType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT32(s, blockLen); /* blockLen (4 bytes) */\n\t\t\t\t\tStream_Read_UINT8(s, rfxCodecId); /* codecId (1 byte) */\n\t\t\t\t\tStream_Read_UINT16(s, capsetType); /* capsetType (2 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, numIcaps); /* numIcaps (2 bytes) */\n\t\t\t\t\tStream_Read_UINT16(s, icapLen); /* icapLen (2 bytes) */\n\n\t\t\t\t\tif (blockType != 0xCBC1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (rfxCodecId != 1)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tif (capsetType != 0xCFC0)\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\twhile (numIcaps--)\n\t\t\t\t\t{\n\t\t\t\t\t\tUINT16 version;\n\t\t\t\t\t\tUINT16 tileSize;\n\t\t\t\t\t\tBYTE codecFlags;\n\t\t\t\t\t\tBYTE colConvBits;\n\t\t\t\t\t\tBYTE transformBits;\n\t\t\t\t\t\tBYTE entropyBits;\n\t\t\t\t\t\t/* TS_RFX_ICAP */\n\t\t\t\t\t\tStream_Read_UINT16(s, version); /* version (2 bytes) */\n\t\t\t\t\t\tStream_Read_UINT16(s, tileSize); /* tileSize (2 bytes) */\n\t\t\t\t\t\tStream_Read_UINT8(s, codecFlags); /* flags (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, colConvBits); /* colConvBits (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, transformBits); /* transformBits (1 byte) */\n\t\t\t\t\t\tStream_Read_UINT8(s, entropyBits); /* 
entropyBits (1 byte) */\n\n\t\t\t\t\t\tif (version == 0x0009)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t/* Version 0.9 */\n\t\t\t\t\t\t\tif (tileSize != 0x0080)\n\t\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse if (version == 0x0100)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t/* Version 1.0 */\n\t\t\t\t\t\t\tif (tileSize != 0x0040)\n\t\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tif (colConvBits != 1)\n\t\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\t\tif (transformBits != 1)\n\t\t\t\t\t\t\treturn FALSE;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_IMAGE_REMOTEFX, &rpc_status))\n\t\t\t{\n\t\t\t\t/* Microsoft RDP servers ignore CODEC_GUID_IMAGE_REMOTEFX codec properties */\n\t\t\t\tguidRemoteFxImage = TRUE;\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_NSCODEC, &rpc_status))\n\t\t\t{\n\t\t\t\tBYTE colorLossLevel;\n\t\t\t\tBYTE fAllowSubsampling;\n\t\t\t\tBYTE fAllowDynamicFidelity;\n\t\t\t\tguidNSCodec = TRUE;\n\t\t\t\tsettings->NSCodecId = codecId;\n\t\t\t\tStream_Read_UINT8(s, fAllowDynamicFidelity); /* fAllowDynamicFidelity (1 byte) */\n\t\t\t\tStream_Read_UINT8(s, fAllowSubsampling); /* fAllowSubsampling (1 byte) */\n\t\t\t\tStream_Read_UINT8(s, colorLossLevel); /* colorLossLevel (1 byte) */\n\n\t\t\t\tif (colorLossLevel < 1)\n\t\t\t\t\tcolorLossLevel = 1;\n\n\t\t\t\tif (colorLossLevel > 7)\n\t\t\t\t\tcolorLossLevel = 7;\n\n\t\t\t\tsettings->NSCodecAllowDynamicColorFidelity = fAllowDynamicFidelity;\n\t\t\t\tsettings->NSCodecAllowSubsampling = fAllowSubsampling;\n\t\t\t\tsettings->NSCodecColorLossLevel = colorLossLevel;\n\t\t\t}\n\t\t\telse if (UuidEqual(&codecGuid, &CODEC_GUID_IGNORE, &rpc_status))\n\t\t\t{\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\t}\n\n\t\t\tif 
(Stream_GetPosition(s) != end)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG,\n\t\t\t\t \"error while reading codec properties: actual offset: %\" PRIuz\n\t\t\t\t \" expected offset: %\" PRIu32 \"\",\n\t\t\t\t Stream_GetPosition(s), end);\n\t\t\t\tStream_SetPosition(s, end);\n\t\t\t}\n\n\t\t\tremainingLength -= codecPropertiesLength;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\t\tremainingLength -= codecPropertiesLength;\n\t\t}\n\n\t\tbitmapCodecCount--;\n\t}\n\n\tif (settings->ServerMode)\n\t{\n\t\t/* only enable a codec if we've announced/enabled it before */\n\t\tsettings->RemoteFxCodec = settings->RemoteFxCodec && guidRemoteFx;\n\t\tsettings->RemoteFxImageCodec = settings->RemoteFxImageCodec && guidRemoteFxImage;\n\t\tsettings->NSCodec = settings->NSCodec && guidNSCodec;\n\t\tsettings->JpegCodec = FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 211558337571308508511556254604496342865,
- "size": 197,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409580
- },
- {
- "func": "static BOOL rdp_write_input_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 inputFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 128))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tinputFlags = INPUT_FLAG_SCANCODES;\n\n\tif (settings->FastPathInput)\n\t{\n\t\tinputFlags |= INPUT_FLAG_FASTPATH_INPUT;\n\t\tinputFlags |= INPUT_FLAG_FASTPATH_INPUT2;\n\t}\n\n\tif (settings->HasHorizontalWheel)\n\t\tinputFlags |= TS_INPUT_FLAG_MOUSE_HWHEEL;\n\n\tif (settings->UnicodeInput)\n\t\tinputFlags |= INPUT_FLAG_UNICODE;\n\n\tif (settings->HasExtendedMouseEvent)\n\t\tinputFlags |= INPUT_FLAG_MOUSEX;\n\n\tStream_Write_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardLayout); /* keyboardLayout (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardType); /* keyboardType (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardSubType); /* keyboardSubType (4 bytes) */\n\tStream_Write_UINT32(s, settings->KeyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\tStream_Zero(s, 64); /* imeFileName (64 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_INPUT);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 338872550335327331413384147382884031144,
- "size": 38,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409679
- },
- {
- "func": "BOOL rdp_recv_get_active_header(rdpRdp* rdp, wStream* s, UINT16* pChannelId, UINT16* length)\n{\n\tUINT16 securityFlags = 0;\n\n\tif (!rdp_read_header(rdp, s, length, pChannelId))\n\t\treturn FALSE;\n\n\tif (freerdp_shall_disconnect(rdp->instance))\n\t\treturn TRUE;\n\n\tif (rdp->settings->UseRdpSecurityLayer)\n\t{\n\t\tif (!rdp_read_security_header(s, &securityFlags, length))\n\t\t\treturn FALSE;\n\n\t\tif (securityFlags & SEC_ENCRYPT)\n\t\t{\n\t\t\tif (!rdp_decrypt(rdp, s, length, securityFlags))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"rdp_decrypt failed\");\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (*pChannelId != MCS_GLOBAL_CHANNEL_ID)\n\t{\n\t\tUINT16 mcsMessageChannelId = rdp->mcs->messageChannelId;\n\n\t\tif ((mcsMessageChannelId == 0) || (*pChannelId != mcsMessageChannelId))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"unexpected MCS channel id %04\" PRIx16 \" received\", *pChannelId);\n\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 69761426746625133711469800190507649484,
- "size": 38,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409606
- },
- {
- "func": "static BOOL rdp_print_bitmap_cache_v3_codec_id_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE bitmapCacheV3CodecId;\n\tWLog_INFO(TAG, \"BitmapCacheV3CodecIdCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCacheV3CodecId); /* bitmapCacheV3CodecId (1 byte) */\n\tWLog_INFO(TAG, \"\\tbitmapCacheV3CodecId: 0x%02\" PRIX8 \"\", bitmapCacheV3CodecId);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 200222901722079828895109214050225335139,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409618
- },
- {
- "func": "static BOOL rdp_read_surface_commands_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 cmdFlags;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Seek_UINT32(s); /* reserved (4 bytes) */\n\tsettings->SurfaceCommandsEnabled = TRUE;\n\tsettings->SurfaceFrameMarkerEnabled = (cmdFlags & SURFCMDS_FRAME_MARKER) ? TRUE : FALSE;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 63310942064729278467171666552306282666,
- "size": 14,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409656
- },
- {
- "func": "static BOOL rdp_write_window_list_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tStream_Write_UINT32(s, settings->RemoteWndSupportLevel); /* wndSupportLevel (4 bytes) */\n\tStream_Write_UINT8(s, settings->RemoteAppNumIconCaches); /* numIconCaches (1 byte) */\n\tStream_Write_UINT16(s,\n\t settings->RemoteAppNumIconCacheEntries); /* numIconCacheEntries (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_WINDOW);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 269751178337665990773470592456743275364,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409675
- },
- {
- "func": "static BOOL rdp_read_bitmap_cache_v2_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* cacheFlags (2 bytes) */\n\tStream_Seek_UINT8(s); /* pad2 (1 byte) */\n\tStream_Seek_UINT8(s); /* numCellCaches (1 byte) */\n\tStream_Seek(s, 4); /* bitmapCache0CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache1CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache2CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache3CellInfo (4 bytes) */\n\tStream_Seek(s, 4); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Seek(s, 12); /* pad3 (12 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 263490146809338800269291031396967779750,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409636
- },
- {
- "func": "static BOOL rdp_write_sound_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 soundFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tsoundFlags = (settings->SoundBeepsEnabled) ? SOUND_BEEPS_FLAG : 0;\n\tStream_Write_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_SOUND);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 158780408568565551652650021789085155322,
- "size": 17,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409677
- },
- {
- "func": "static BOOL rdp_write_bitmap_cache_v2_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 cacheFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tcacheFlags = ALLOW_CACHE_WAITING_LIST_FLAG;\n\n\tif (settings->BitmapCachePersistEnabled)\n\t\tcacheFlags |= PERSISTENT_KEYS_EXPECTED_FLAG;\n\n\tStream_Write_UINT16(s, cacheFlags); /* cacheFlags (2 bytes) */\n\tStream_Write_UINT8(s, 0); /* pad2 (1 byte) */\n\tStream_Write_UINT8(s, settings->BitmapCacheV2NumCells); /* numCellCaches (1 byte) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[0]); /* bitmapCache0CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[1]); /* bitmapCache1CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[2]); /* bitmapCache2CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[3]); /* bitmapCache3CellInfo (4 bytes) */\n\trdp_write_bitmap_cache_cell_info(\n\t s, &settings->BitmapCacheV2CellInfo[4]); /* bitmapCache4CellInfo (4 bytes) */\n\tStream_Zero(s, 12); /* pad3 (12 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_BITMAP_CACHE_V2);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 7403566936328765357261527626239563020,
- "size": 31,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409671
- },
- {
- "func": "static BOOL rdp_write_control_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 0); /* controlFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* remoteDetachFlag (2 bytes) */\n\tStream_Write_UINT16(s, 2); /* controlInterest (2 bytes) */\n\tStream_Write_UINT16(s, 2); /* detachInterest (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_CONTROL);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 135483827949982748357864462755091453961,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409645
- },
- {
- "func": "static BOOL rdp_read_frame_acknowledge_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT32(s, settings->FrameAcknowledge); /* (4 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT32(s); /* (4 bytes) */\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 284070112210894721326557355488230804603,
- "size": 17,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409627
- },
- {
- "func": "static BOOL rdp_write_brush_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT32(s, settings->BrushSupportLevel); /* brushSupportLevel (4 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BRUSH);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 93963722394653772517521252922174557981,
- "size": 14,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409599
- },
- {
- "func": "static BOOL rdp_read_multifragment_update_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 multifragMaxRequestSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, multifragMaxRequestSize); /* MaxRequestSize (4 bytes) */\n\n\tif (settings->ServerMode)\n\t{\n\t\t/*\n\t\t * Special case: The client announces multifragment update support but sets the maximum\n\t\t * request size to something smaller than maximum size for *one* fast-path PDU. In this case\n\t\t * behave like no multifragment updates were supported and make sure no fragmentation\n\t\t * happens by setting FASTPATH_FRAGMENT_SAFE_SIZE.\n\t\t *\n\t\t * This behaviour was observed with some windows ce rdp clients.\n\t\t */\n\t\tif (multifragMaxRequestSize < FASTPATH_MAX_PACKET_SIZE)\n\t\t\tmultifragMaxRequestSize = FASTPATH_FRAGMENT_SAFE_SIZE;\n\n\t\tif (settings->RemoteFxCodec)\n\t\t{\n\t\t\t/**\n\t\t\t * If we are using RemoteFX the client MUST use a value greater\n\t\t\t * than or equal to the value we've previously sent in the server to\n\t\t\t * client multi-fragment update capability set (MS-RDPRFX 1.5)\n\t\t\t */\n\t\t\tif (multifragMaxRequestSize < settings->MultifragMaxRequestSize)\n\t\t\t{\n\t\t\t\t/**\n\t\t\t\t * If it happens to be smaller we honor the client's value but\n\t\t\t\t * have to disable RemoteFX\n\t\t\t\t */\n\t\t\t\tsettings->RemoteFxCodec = FALSE;\n\t\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t/* no need to increase server's max request size setting here */\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t\t}\n\t}\n\telse\n\t{\n\t\t/**\n\t\t * In client mode we keep up with the server's capabilites.\n\t\t * In RemoteFX mode we MUST do this but it might also be useful to\n\t\t * receive larger related bitmap updates.\n\t\t */\n\t\tif (multifragMaxRequestSize > 
settings->MultifragMaxRequestSize)\n\t\t\tsettings->MultifragMaxRequestSize = multifragMaxRequestSize;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 37401917209807069896060133616819073503,
- "size": 62,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409584
- },
- {
- "func": "static const char* get_capability_name(UINT16 type)\n{\n\tif (type > CAPSET_TYPE_FRAME_ACKNOWLEDGE)\n\t\treturn \"<unknown>\";\n\n\treturn CAPSET_TYPE_STRINGS[type];\n}",
- "project": "FreeRDP",
- "hash": 16777793439146057316455334333971045236,
- "size": 7,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409629
- },
- {
- "func": "static BOOL rdp_write_draw_nine_grid_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT32 drawNineGridSupportLevel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tdrawNineGridSupportLevel =\n\t (settings->DrawNineGridEnabled) ? DRAW_NINEGRID_SUPPORTED_V2 : DRAW_NINEGRID_NO_SUPPORT;\n\tStream_Write_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Write_UINT16(s, settings->DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Write_UINT16(\n\t s, settings->DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_DRAW_NINE_GRID_CACHE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 35511811275078158737832815679711271274,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409674
- },
- {
- "func": "static BOOL rdp_write_demand_active(wStream* s, rdpSettings* settings)\n{\n\tsize_t bm, em, lm;\n\tUINT16 numberCapabilities;\n\tsize_t lengthCombinedCapabilities;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\tStream_Write_UINT32(s, settings->ShareId); /* shareId (4 bytes) */\n\tStream_Write_UINT16(s, 4); /* lengthSourceDescriptor (2 bytes) */\n\tlm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_Write(s, \"RDP\", 4); /* sourceDescriptor */\n\tbm = Stream_GetPosition(s);\n\tStream_Seek_UINT16(s); /* numberCapabilities (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\tnumberCapabilities = 14;\n\n\tif (!rdp_write_general_capability_set(s, settings) ||\n\t !rdp_write_bitmap_capability_set(s, settings) ||\n\t !rdp_write_order_capability_set(s, settings) ||\n\t !rdp_write_pointer_capability_set(s, settings) ||\n\t !rdp_write_input_capability_set(s, settings) ||\n\t !rdp_write_virtual_channel_capability_set(s, settings) ||\n\t !rdp_write_share_capability_set(s, settings) ||\n\t !rdp_write_font_capability_set(s, settings) ||\n\t !rdp_write_multifragment_update_capability_set(s, settings) ||\n\t !rdp_write_large_pointer_capability_set(s, settings) ||\n\t !rdp_write_desktop_composition_capability_set(s, settings) ||\n\t !rdp_write_surface_commands_capability_set(s, settings) ||\n\t !rdp_write_bitmap_codecs_capability_set(s, settings) ||\n\t !rdp_write_frame_acknowledge_capability_set(s, settings))\n\t{\n\t\treturn FALSE;\n\t}\n\n\tif (settings->BitmapCachePersistEnabled)\n\t{\n\t\tnumberCapabilities++;\n\n\t\tif (!rdp_write_bitmap_cache_host_support_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tif (settings->RemoteApplicationMode)\n\t{\n\t\tnumberCapabilities += 2;\n\n\t\tif (!rdp_write_remote_programs_capability_set(s, settings) ||\n\t\t !rdp_write_window_list_capability_set(s, settings))\n\t\t\treturn FALSE;\n\t}\n\n\tem = 
Stream_GetPosition(s);\n\tStream_SetPosition(s, lm); /* go back to lengthCombinedCapabilities */\n\tlengthCombinedCapabilities = (em - bm);\n\tif (lengthCombinedCapabilities > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(\n\t s, (UINT16)lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\tStream_SetPosition(s, bm); /* go back to numberCapabilities */\n\tStream_Write_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n#ifdef WITH_DEBUG_CAPABILITIES\n\tStream_Seek_UINT16(s);\n\trdp_print_capability_sets(s, numberCapabilities, FALSE);\n\tStream_SetPosition(s, bm);\n\tStream_Seek_UINT16(s);\n#endif\n\tStream_SetPosition(s, em);\n\tStream_Write_UINT32(s, 0); /* sessionId */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 200964485296716695117994736252941627244,
- "size": 73,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409689
- },
- {
- "func": "static BOOL rdp_read_bitmap_cache_host_support_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tBYTE cacheVersion;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, cacheVersion); /* cacheVersion (1 byte) */\n\tStream_Seek_UINT8(s); /* pad1 (1 byte) */\n\tStream_Seek_UINT16(s); /* pad2 (2 bytes) */\n\n\tif (cacheVersion & BITMAP_CACHE_V2)\n\t\tsettings->BitmapCachePersistEnabled = TRUE;\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 194862320568674981995591289915994818222,
- "size": 17,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409654
- },
- {
- "func": "static BOOL rdp_read_input_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 inputFlags;\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, inputFlags); /* inputFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\n\tif (settings->ServerMode)\n\t{\n\t\tStream_Read_UINT32(s, settings->KeyboardLayout); /* keyboardLayout (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardType); /* keyboardType (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardSubType); /* keyboardSubType (4 bytes) */\n\t\tStream_Read_UINT32(s, settings->KeyboardFunctionKey); /* keyboardFunctionKeys (4 bytes) */\n\t}\n\telse\n\t{\n\t\tStream_Seek_UINT32(s); /* keyboardLayout (4 bytes) */\n\t\tStream_Seek_UINT32(s); /* keyboardType (4 bytes) */\n\t\tStream_Seek_UINT32(s); /* keyboardSubType (4 bytes) */\n\t\tStream_Seek_UINT32(s); /* keyboardFunctionKeys (4 bytes) */\n\t}\n\n\tStream_Seek(s, 64); /* imeFileName (64 bytes) */\n\n\tif (!settings->ServerMode)\n\t{\n\t\tif (inputFlags & INPUT_FLAG_FASTPATH_INPUT)\n\t\t{\n\t\t\t/* advertised by RDP 5.0 and 5.1 servers */\n\t\t}\n\t\telse if (inputFlags & INPUT_FLAG_FASTPATH_INPUT2)\n\t\t{\n\t\t\t/* advertised by RDP 5.2, 6.0, 6.1 and 7.0 servers */\n\t\t}\n\t\telse\n\t\t{\n\t\t\t/* server does not support fastpath input */\n\t\t\tsettings->FastPathInput = FALSE;\n\t\t}\n\n\t\tif (inputFlags & TS_INPUT_FLAG_MOUSE_HWHEEL)\n\t\t\tsettings->HasHorizontalWheel = TRUE;\n\n\t\tif (inputFlags & INPUT_FLAG_UNICODE)\n\t\t\tsettings->UnicodeInput = TRUE;\n\n\t\tif (inputFlags & INPUT_FLAG_MOUSEX)\n\t\t\tsettings->HasExtendedMouseEvent = TRUE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 126033178202274719085086663919529272091,
- "size": 55,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409609
- },
- {
- "func": "static BOOL rdp_print_bitmap_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 preferredBitsPerPixel;\n\tUINT16 receive1BitPerPixel;\n\tUINT16 receive4BitsPerPixel;\n\tUINT16 receive8BitsPerPixel;\n\tUINT16 desktopWidth;\n\tUINT16 desktopHeight;\n\tUINT16 pad2Octets;\n\tUINT16 desktopResizeFlag;\n\tUINT16 bitmapCompressionFlag;\n\tBYTE highColorFlags;\n\tBYTE drawingFlags;\n\tUINT16 multipleRectangleSupport;\n\tUINT16 pad2OctetsB;\n\tWLog_INFO(TAG, \"BitmapCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 28)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive1BitPerPixel); /* receive1BitPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive4BitsPerPixel); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, receive8BitsPerPixel); /* receive8BitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, desktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Read_UINT16(s, desktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tStream_Read_UINT16(s, desktopResizeFlag); /* desktopResizeFlag (2 bytes) */\n\tStream_Read_UINT16(s, bitmapCompressionFlag); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Read_UINT8(s, highColorFlags); /* highColorFlags (1 byte) */\n\tStream_Read_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Read_UINT16(s, multipleRectangleSupport); /* multipleRectangleSupport (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsB); /* pad2OctetsB (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpreferredBitsPerPixel: 0x%04\" PRIX16 \"\", preferredBitsPerPixel);\n\tWLog_INFO(TAG, \"\\treceive1BitPerPixel: 0x%04\" PRIX16 \"\", receive1BitPerPixel);\n\tWLog_INFO(TAG, \"\\treceive4BitsPerPixel: 0x%04\" PRIX16 \"\", receive4BitsPerPixel);\n\tWLog_INFO(TAG, \"\\treceive8BitsPerPixel: 0x%04\" PRIX16 \"\", receive8BitsPerPixel);\n\tWLog_INFO(TAG, \"\\tdesktopWidth: 0x%04\" PRIX16 \"\", 
desktopWidth);\n\tWLog_INFO(TAG, \"\\tdesktopHeight: 0x%04\" PRIX16 \"\", desktopHeight);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\tWLog_INFO(TAG, \"\\tdesktopResizeFlag: 0x%04\" PRIX16 \"\", desktopResizeFlag);\n\tWLog_INFO(TAG, \"\\tbitmapCompressionFlag: 0x%04\" PRIX16 \"\", bitmapCompressionFlag);\n\tWLog_INFO(TAG, \"\\thighColorFlags: 0x%02\" PRIX8 \"\", highColorFlags);\n\tWLog_INFO(TAG, \"\\tdrawingFlags: 0x%02\" PRIX8 \"\", drawingFlags);\n\tWLog_INFO(TAG, \"\\tmultipleRectangleSupport: 0x%04\" PRIX16 \"\", multipleRectangleSupport);\n\tWLog_INFO(TAG, \"\\tpad2OctetsB: 0x%04\" PRIX16 \"\", pad2OctetsB);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 126081365899131686923850704232043707399,
- "size": 48,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409585
- },
- {
- "func": "static BOOL rdp_print_capability_sets(wStream* s, UINT16 numberCapabilities, BOOL receiving)\n{\n\tUINT16 type;\n\tUINT16 length;\n\tBYTE *bm, *em;\n\n\twhile (numberCapabilities > 0)\n\t{\n\t\tStream_GetPointer(s, bm);\n\t\trdp_read_capability_set_header(s, &length, &type);\n\t\tWLog_INFO(TAG, \"%s \", receiving ? \"Receiving\" : \"Sending\");\n\t\tem = bm + length;\n\n\t\tif (Stream_GetRemainingLength(s) < (size_t)(length - 4))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"error processing stream\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tswitch (type)\n\t\t{\n\t\t\tcase CAPSET_TYPE_GENERAL:\n\t\t\t\tif (!rdp_print_general_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP:\n\t\t\t\tif (!rdp_print_bitmap_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ORDER:\n\t\t\t\tif (!rdp_print_order_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE:\n\t\t\t\tif (!rdp_print_bitmap_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_CONTROL:\n\t\t\t\tif (!rdp_print_control_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_ACTIVATION:\n\t\t\t\tif (!rdp_print_window_activation_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_POINTER:\n\t\t\t\tif (!rdp_print_pointer_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SHARE:\n\t\t\t\tif (!rdp_print_share_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COLOR_CACHE:\n\t\t\t\tif (!rdp_print_color_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SOUND:\n\t\t\t\tif (!rdp_print_sound_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_INPUT:\n\t\t\t\tif 
(!rdp_print_input_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FONT:\n\t\t\t\tif (!rdp_print_font_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BRUSH:\n\t\t\t\tif (!rdp_print_brush_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_GLYPH_CACHE:\n\t\t\t\tif (!rdp_print_glyph_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_OFFSCREEN_CACHE:\n\t\t\t\tif (!rdp_print_offscreen_bitmap_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_HOST_SUPPORT:\n\t\t\t\tif (!rdp_print_bitmap_cache_host_support_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V2:\n\t\t\t\tif (!rdp_print_bitmap_cache_v2_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_VIRTUAL_CHANNEL:\n\t\t\t\tif (!rdp_print_virtual_channel_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_NINE_GRID_CACHE:\n\t\t\t\tif (!rdp_print_draw_nine_grid_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_DRAW_GDI_PLUS:\n\t\t\t\tif (!rdp_print_draw_gdiplus_cache_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_RAIL:\n\t\t\t\tif (!rdp_print_remote_programs_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_WINDOW:\n\t\t\t\tif (!rdp_print_window_list_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_COMP_DESK:\n\t\t\t\tif (!rdp_print_desktop_composition_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_MULTI_FRAGMENT_UPDATE:\n\t\t\t\tif (!rdp_print_multifragment_update_capability_set(s, 
length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_LARGE_POINTER:\n\t\t\t\tif (!rdp_print_large_pointer_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_SURFACE_COMMANDS:\n\t\t\t\tif (!rdp_print_surface_commands_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CODECS:\n\t\t\t\tif (!rdp_print_bitmap_codecs_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_FRAME_ACKNOWLEDGE:\n\t\t\t\tif (!rdp_print_frame_acknowledge_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase CAPSET_TYPE_BITMAP_CACHE_V3_CODEC_ID:\n\t\t\t\tif (!rdp_print_bitmap_cache_v3_codec_id_capability_set(s, length))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\tWLog_ERR(TAG, \"unknown capability type %\" PRIu16 \"\", type);\n\t\t\t\tbreak;\n\t\t}\n\n\t\tif (Stream_Pointer(s) != em)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"incorrect offset, type:0x%04\" PRIX16 \" actual:%\" PRIuz \" expected:%\" PRIuz \"\",\n\t\t\t type, Stream_Pointer(s) - bm, em - bm);\n\t\t}\n\n\t\tStream_SetPointer(s, em);\n\t\tnumberCapabilities--;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 105372768838707288001971402184306047802,
- "size": 213,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409611
- },
- {
- "func": "static BOOL rdp_print_share_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 nodeId;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"ShareCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, nodeId); /* nodeId (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tnodeId: 0x%04\" PRIX16 \"\", nodeId);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 82707890459590975223038772323618896983,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409635
- },
- {
- "func": "static BOOL rdp_write_order_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 orderFlags;\n\tUINT16 orderSupportExFlags;\n\tUINT16 textANSICodePage = 0;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\t/* see [MSDN-CP]: http://msdn.microsoft.com/en-us/library/dd317756 */\n\tif (!settings->ServerMode)\n\t\ttextANSICodePage = CP_UTF8; /* Unicode (UTF-8) */\n\n\torderSupportExFlags = 0;\n\torderFlags = NEGOTIATE_ORDER_SUPPORT | ZERO_BOUNDS_DELTA_SUPPORT | COLOR_INDEX_SUPPORT;\n\n\tif (settings->BitmapCacheV3Enabled)\n\t{\n\t\torderSupportExFlags |= CACHE_BITMAP_V3_SUPPORT;\n\t\torderFlags |= ORDER_FLAGS_EXTRA_SUPPORT;\n\t}\n\n\tif (settings->FrameMarkerCommandEnabled)\n\t{\n\t\torderSupportExFlags |= ALTSEC_FRAME_MARKER_SUPPORT;\n\t\torderFlags |= ORDER_FLAGS_EXTRA_SUPPORT;\n\t}\n\n\tStream_Zero(s, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4OctetsA (4 bytes) */\n\tStream_Write_UINT16(s, 1); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Write_UINT16(s, 20); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* maximumOrderLevel (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* numberFonts (2 bytes) */\n\tStream_Write_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Write(s, settings->OrderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Write_UINT16(s, 0); /* textFlags (2 bytes) */\n\tStream_Write_UINT16(s, orderSupportExFlags); /* orderSupportExFlags (2 bytes) */\n\tStream_Write_UINT32(s, 0); /* pad4OctetsB (4 bytes) */\n\tStream_Write_UINT32(s, 230400); /* desktopSaveSize (4 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsC (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsD (2 bytes) */\n\tStream_Write_UINT16(s, textANSICodePage); /* textANSICodePage (2 bytes) 
*/\n\tStream_Write_UINT16(s, 0); /* pad2OctetsE (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_ORDER);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 62966291564570637375163967456258879772,
- "size": 52,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409577
- },
- {
- "func": "static BOOL rdp_write_general_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tUINT16 extraFlags;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\textraFlags = 0;\n\n\tif (settings->LongCredentialsSupported)\n\t\textraFlags |= LONG_CREDENTIALS_SUPPORTED;\n\n\tif (settings->NoBitmapCompressionHeader)\n\t\textraFlags |= NO_BITMAP_COMPRESSION_HDR;\n\n\tif (settings->AutoReconnectionEnabled)\n\t\textraFlags |= AUTORECONNECT_SUPPORTED;\n\n\tif (settings->FastPathOutput)\n\t\textraFlags |= FASTPATH_OUTPUT_SUPPORTED;\n\n\tif (settings->SaltedChecksum)\n\t\textraFlags |= ENC_SALTED_CHECKSUM;\n\n\tif ((settings->OsMajorType > UINT16_MAX) || (settings->OsMinorType > UINT16_MAX))\n\t{\n\t\tWLog_ERR(TAG,\n\t\t \"OsMajorType=%08\" PRIx32 \", OsMinorType=%08\" PRIx32\n\t\t \" they need to be smaller %04\" PRIx16,\n\t\t settings->OsMajorType, settings->OsMinorType, UINT16_MAX);\n\t\treturn FALSE;\n\t}\n\tStream_Write_UINT16(s, (UINT16)settings->OsMajorType); /* osMajorType (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->OsMinorType); /* osMinorType (2 bytes) */\n\tStream_Write_UINT16(s, CAPS_PROTOCOL_VERSION); /* protocolVersion (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsA (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* generalCompressionTypes (2 bytes) */\n\tStream_Write_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* updateCapabilityFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* remoteUnshareFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* generalCompressionLevel (2 bytes) */\n\tStream_Write_UINT8(s, settings->RefreshRect ? 1 : 0); /* refreshRectSupport (1 byte) */\n\tStream_Write_UINT8(s, settings->SuppressOutput ? 1 : 0); /* suppressOutputSupport (1 byte) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_GENERAL);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 73312758503643501467084662633560847526,
- "size": 50,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409637
- },
- {
- "func": "static BOOL rdp_print_bitmap_cache_host_support_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE cacheVersion;\n\tBYTE pad1;\n\tUINT16 pad2;\n\tWLog_INFO(TAG, \"BitmapCacheHostSupportCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, cacheVersion); /* cacheVersion (1 byte) */\n\tStream_Read_UINT8(s, pad1); /* pad1 (1 byte) */\n\tStream_Read_UINT16(s, pad2); /* pad2 (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcacheVersion: 0x%02\" PRIX8 \"\", cacheVersion);\n\tWLog_INFO(TAG, \"\\tpad1: 0x%02\" PRIX8 \"\", pad1);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%04\" PRIX16 \"\", pad2);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 160808522847092520296495320523643539377,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409575
- },
- {
- "func": "static BOOL rdp_write_jpeg_server_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 1); /* codecPropertiesLength */\n\tStream_Write_UINT8(s, 75);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 333617504875696343154040639255234735592,
- "size": 10,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409600
- },
- {
- "func": "static BOOL rdp_read_sound_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 soundFlags;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, soundFlags); /* soundFlags (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tsettings->SoundBeepsEnabled = (soundFlags & SOUND_BEEPS_FLAG) ? TRUE : FALSE;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 168130594877741834723027781386436848480,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409613
- },
- {
- "func": "static BOOL rdp_write_window_activation_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, 0); /* helpKeyFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* helpKeyIndexFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* helpExtendedKeyFlag (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* windowManagerKeyFlag (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_ACTIVATION);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 39519253932521963435868974399763685508,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409639
- },
- {
- "func": "static BOOL rdp_print_general_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 osMajorType;\n\tUINT16 osMinorType;\n\tUINT16 protocolVersion;\n\tUINT16 pad2OctetsA;\n\tUINT16 generalCompressionTypes;\n\tUINT16 extraFlags;\n\tUINT16 updateCapabilityFlag;\n\tUINT16 remoteUnshareFlag;\n\tUINT16 generalCompressionLevel;\n\tBYTE refreshRectSupport;\n\tBYTE suppressOutputSupport;\n\n\tif (length < 24)\n\t\treturn FALSE;\n\n\tWLog_INFO(TAG, \"GeneralCapabilitySet (length %\" PRIu16 \"):\", length);\n\tStream_Read_UINT16(s, osMajorType); /* osMajorType (2 bytes) */\n\tStream_Read_UINT16(s, osMinorType); /* osMinorType (2 bytes) */\n\tStream_Read_UINT16(s, protocolVersion); /* protocolVersion (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT16(s, generalCompressionTypes); /* generalCompressionTypes (2 bytes) */\n\tStream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Read_UINT16(s, updateCapabilityFlag); /* updateCapabilityFlag (2 bytes) */\n\tStream_Read_UINT16(s, remoteUnshareFlag); /* remoteUnshareFlag (2 bytes) */\n\tStream_Read_UINT16(s, generalCompressionLevel); /* generalCompressionLevel (2 bytes) */\n\tStream_Read_UINT8(s, refreshRectSupport); /* refreshRectSupport (1 byte) */\n\tStream_Read_UINT8(s, suppressOutputSupport); /* suppressOutputSupport (1 byte) */\n\tWLog_INFO(TAG, \"\\tosMajorType: 0x%04\" PRIX16 \"\", osMajorType);\n\tWLog_INFO(TAG, \"\\tosMinorType: 0x%04\" PRIX16 \"\", osMinorType);\n\tWLog_INFO(TAG, \"\\tprotocolVersion: 0x%04\" PRIX16 \"\", protocolVersion);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tgeneralCompressionTypes: 0x%04\" PRIX16 \"\", generalCompressionTypes);\n\tWLog_INFO(TAG, \"\\textraFlags: 0x%04\" PRIX16 \"\", extraFlags);\n\tWLog_INFO(TAG, \"\\tupdateCapabilityFlag: 0x%04\" PRIX16 \"\", updateCapabilityFlag);\n\tWLog_INFO(TAG, \"\\tremoteUnshareFlag: 0x%04\" PRIX16 \"\", 
remoteUnshareFlag);\n\tWLog_INFO(TAG, \"\\tgeneralCompressionLevel: 0x%04\" PRIX16 \"\", generalCompressionLevel);\n\tWLog_INFO(TAG, \"\\trefreshRectSupport: 0x%02\" PRIX8 \"\", refreshRectSupport);\n\tWLog_INFO(TAG, \"\\tsuppressOutputSupport: 0x%02\" PRIX8 \"\", suppressOutputSupport);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 5500072580712139778494173931145880946,
- "size": 42,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409631
- },
- {
- "func": "static BOOL rdp_read_remote_programs_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 railSupportLevel;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, railSupportLevel); /* railSupportLevel (4 bytes) */\n\n\tif ((railSupportLevel & RAIL_LEVEL_SUPPORTED) == 0)\n\t{\n\t\tif (settings->RemoteApplicationMode == TRUE)\n\t\t{\n\t\t\t/* RemoteApp Failure! */\n\t\t\tsettings->RemoteApplicationMode = FALSE;\n\t\t}\n\t}\n\n\t/* 2.2.2.2.3 HandshakeEx PDU (TS_RAIL_ORDER_HANDSHAKE_EX)\n\t * the handshake ex pdu is supported when both, client and server announce\n\t * it OR if we are ready to begin enhanced remoteAPP mode. */\n\tif (settings->RemoteApplicationMode)\n\t\trailSupportLevel |= RAIL_LEVEL_HANDSHAKE_EX_SUPPORTED;\n\n\tsettings->RemoteApplicationSupportLevel =\n\t railSupportLevel & settings->RemoteApplicationSupportMask;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 133850945589594759190444119473191077444,
- "size": 29,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409595
- },
- {
- "func": "static BOOL rdp_print_multifragment_update_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 maxRequestSize;\n\tWLog_INFO(TAG, \"MultifragmentUpdateCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, maxRequestSize); /* maxRequestSize (4 bytes) */\n\tWLog_INFO(TAG, \"\\tmaxRequestSize: 0x%08\" PRIX32 \"\", maxRequestSize);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 249919513915138150249317489840873024684,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409691
- },
- {
- "func": "static BOOL rdp_print_bitmap_codecs_capability_set(wStream* s, UINT16 length)\n{\n\tGUID codecGuid;\n\tBYTE bitmapCodecCount;\n\tBYTE codecId;\n\tUINT16 codecPropertiesLength;\n\tUINT16 remainingLength;\n\tWLog_INFO(TAG, \"BitmapCodecsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCodecCount); /* bitmapCodecCount (1 byte) */\n\tremainingLength = length - 5;\n\tWLog_INFO(TAG, \"\\tbitmapCodecCount: %\" PRIu8 \"\", bitmapCodecCount);\n\n\twhile (bitmapCodecCount > 0)\n\t{\n\t\tif (remainingLength < 19)\n\t\t\treturn FALSE;\n\n\t\trdp_read_bitmap_codec_guid(s, &codecGuid); /* codecGuid (16 bytes) */\n\t\tStream_Read_UINT8(s, codecId); /* codecId (1 byte) */\n\t\tWLog_INFO(TAG, \"\\tcodecGuid: 0x\");\n\t\trdp_print_bitmap_codec_guid(&codecGuid);\n\t\tWLog_INFO(TAG, \" (%s)\", rdp_get_bitmap_codec_guid_name(&codecGuid));\n\t\tWLog_INFO(TAG, \"\\tcodecId: %\" PRIu8 \"\", codecId);\n\t\tStream_Read_UINT16(s, codecPropertiesLength); /* codecPropertiesLength (2 bytes) */\n\t\tWLog_INFO(TAG, \"\\tcodecPropertiesLength: %\" PRIu16 \"\", codecPropertiesLength);\n\t\tremainingLength -= 19;\n\n\t\tif (remainingLength < codecPropertiesLength)\n\t\t\treturn FALSE;\n\n\t\tStream_Seek(s, codecPropertiesLength); /* codecProperties */\n\t\tremainingLength -= codecPropertiesLength;\n\t\tbitmapCodecCount--;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 24114546032535399803500638112004720719,
- "size": 41,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409582
- },
- {
- "func": "static BOOL rdp_print_order_capability_set(wStream* s, UINT16 length)\n{\n\tBYTE terminalDescriptor[16];\n\tUINT32 pad4OctetsA;\n\tUINT16 desktopSaveXGranularity;\n\tUINT16 desktopSaveYGranularity;\n\tUINT16 pad2OctetsA;\n\tUINT16 maximumOrderLevel;\n\tUINT16 numberFonts;\n\tUINT16 orderFlags;\n\tBYTE orderSupport[32];\n\tUINT16 textFlags;\n\tUINT16 orderSupportExFlags;\n\tUINT32 pad4OctetsB;\n\tUINT32 desktopSaveSize;\n\tUINT16 pad2OctetsC;\n\tUINT16 pad2OctetsD;\n\tUINT16 textANSICodePage;\n\tUINT16 pad2OctetsE;\n\tWLog_INFO(TAG, \"OrderCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 88)\n\t\treturn FALSE;\n\n\tStream_Read(s, terminalDescriptor, 16); /* terminalDescriptor (16 bytes) */\n\tStream_Read_UINT32(s, pad4OctetsA); /* pad4OctetsA (4 bytes) */\n\tStream_Read_UINT16(s, desktopSaveXGranularity); /* desktopSaveXGranularity (2 bytes) */\n\tStream_Read_UINT16(s, desktopSaveYGranularity); /* desktopSaveYGranularity (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsA); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT16(s, maximumOrderLevel); /* maximumOrderLevel (2 bytes) */\n\tStream_Read_UINT16(s, numberFonts); /* numberFonts (2 bytes) */\n\tStream_Read_UINT16(s, orderFlags); /* orderFlags (2 bytes) */\n\tStream_Read(s, orderSupport, 32); /* orderSupport (32 bytes) */\n\tStream_Read_UINT16(s, textFlags); /* textFlags (2 bytes) */\n\tStream_Read_UINT16(s, orderSupportExFlags); /* orderSupportExFlags (2 bytes) */\n\tStream_Read_UINT32(s, pad4OctetsB); /* pad4OctetsB (4 bytes) */\n\tStream_Read_UINT32(s, desktopSaveSize); /* desktopSaveSize (4 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsC); /* pad2OctetsC (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsD); /* pad2OctetsD (2 bytes) */\n\tStream_Read_UINT16(s, textANSICodePage); /* textANSICodePage (2 bytes) */\n\tStream_Read_UINT16(s, pad2OctetsE); /* pad2OctetsE (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpad4OctetsA: 0x%08\" PRIX32 \"\", pad4OctetsA);\n\tWLog_INFO(TAG, 
\"\\tdesktopSaveXGranularity: 0x%04\" PRIX16 \"\", desktopSaveXGranularity);\n\tWLog_INFO(TAG, \"\\tdesktopSaveYGranularity: 0x%04\" PRIX16 \"\", desktopSaveYGranularity);\n\tWLog_INFO(TAG, \"\\tpad2OctetsA: 0x%04\" PRIX16 \"\", pad2OctetsA);\n\tWLog_INFO(TAG, \"\\tmaximumOrderLevel: 0x%04\" PRIX16 \"\", maximumOrderLevel);\n\tWLog_INFO(TAG, \"\\tnumberFonts: 0x%04\" PRIX16 \"\", numberFonts);\n\tWLog_INFO(TAG, \"\\torderFlags: 0x%04\" PRIX16 \"\", orderFlags);\n\tWLog_INFO(TAG, \"\\torderSupport:\");\n\tWLog_INFO(TAG, \"\\t\\tDSTBLT: %\" PRIu8 \"\", orderSupport[NEG_DSTBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPATBLT: %\" PRIu8 \"\", orderSupport[NEG_PATBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tSCRBLT: %\" PRIu8 \"\", orderSupport[NEG_SCRBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEMBLT: %\" PRIu8 \"\", orderSupport[NEG_MEMBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEM3BLT: %\" PRIu8 \"\", orderSupport[NEG_MEM3BLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tATEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_ATEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tAEXTTEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_AEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tDRAWNINEGRID: %\" PRIu8 \"\", orderSupport[NEG_DRAWNINEGRID_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tLINETO: %\" PRIu8 \"\", orderSupport[NEG_LINETO_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTI_DRAWNINEGRID: %\" PRIu8 \"\",\n\t orderSupport[NEG_MULTI_DRAWNINEGRID_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tOPAQUE_RECT: %\" PRIu8 \"\", orderSupport[NEG_OPAQUE_RECT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tSAVEBITMAP: %\" PRIu8 \"\", orderSupport[NEG_SAVEBITMAP_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tWTEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_WTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEMBLT_V2: %\" PRIu8 \"\", orderSupport[NEG_MEMBLT_V2_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMEM3BLT_V2: %\" PRIu8 \"\", orderSupport[NEG_MEM3BLT_V2_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIDSTBLT: %\" PRIu8 \"\", orderSupport[NEG_MULTIDSTBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIPATBLT: %\" PRIu8 \"\", 
orderSupport[NEG_MULTIPATBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTISCRBLT: %\" PRIu8 \"\", orderSupport[NEG_MULTISCRBLT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tMULTIOPAQUERECT: %\" PRIu8 \"\", orderSupport[NEG_MULTIOPAQUERECT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tFAST_INDEX: %\" PRIu8 \"\", orderSupport[NEG_FAST_INDEX_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYGON_SC: %\" PRIu8 \"\", orderSupport[NEG_POLYGON_SC_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYGON_CB: %\" PRIu8 \"\", orderSupport[NEG_POLYGON_CB_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tPOLYLINE: %\" PRIu8 \"\", orderSupport[NEG_POLYLINE_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tUNUSED23: %\" PRIu8 \"\", orderSupport[NEG_UNUSED23_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tFAST_GLYPH: %\" PRIu8 \"\", orderSupport[NEG_FAST_GLYPH_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tELLIPSE_SC: %\" PRIu8 \"\", orderSupport[NEG_ELLIPSE_SC_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tELLIPSE_CB: %\" PRIu8 \"\", orderSupport[NEG_ELLIPSE_CB_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_INDEX: %\" PRIu8 \"\", orderSupport[NEG_GLYPH_INDEX_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_WEXTTEXTOUT: %\" PRIu8 \"\", orderSupport[NEG_GLYPH_WEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_WLONGTEXTOUT: %\" PRIu8 \"\",\n\t orderSupport[NEG_GLYPH_WLONGTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tGLYPH_WLONGEXTTEXTOUT: %\" PRIu8 \"\",\n\t orderSupport[NEG_GLYPH_WLONGEXTTEXTOUT_INDEX]);\n\tWLog_INFO(TAG, \"\\t\\tUNUSED31: %\" PRIu8 \"\", orderSupport[NEG_UNUSED31_INDEX]);\n\tWLog_INFO(TAG, \"\\ttextFlags: 0x%04\" PRIX16 \"\", textFlags);\n\tWLog_INFO(TAG, \"\\torderSupportExFlags: 0x%04\" PRIX16 \"\", orderSupportExFlags);\n\tWLog_INFO(TAG, \"\\tpad4OctetsB: 0x%08\" PRIX32 \"\", pad4OctetsB);\n\tWLog_INFO(TAG, \"\\tdesktopSaveSize: 0x%08\" PRIX32 \"\", desktopSaveSize);\n\tWLog_INFO(TAG, \"\\tpad2OctetsC: 0x%04\" PRIX16 \"\", pad2OctetsC);\n\tWLog_INFO(TAG, \"\\tpad2OctetsD: 0x%04\" PRIX16 \"\", pad2OctetsD);\n\tWLog_INFO(TAG, \"\\ttextANSICodePage: 0x%04\" PRIX16 \"\", 
textANSICodePage);\n\tWLog_INFO(TAG, \"\\tpad2OctetsE: 0x%04\" PRIX16 \"\", pad2OctetsE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 314984488369612595242281546417973409324,
- "size": 94,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409634
- },
- {
- "func": "static BOOL rdp_write_bitmap_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tBYTE drawingFlags = 0;\n\tUINT16 preferredBitsPerPixel;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->DrawAllowSkipAlpha)\n\t\tdrawingFlags |= DRAW_ALLOW_SKIP_ALPHA;\n\n\tif (settings->DrawAllowDynamicColorFidelity)\n\t\tdrawingFlags |= DRAW_ALLOW_DYNAMIC_COLOR_FIDELITY;\n\n\tif (settings->DrawAllowColorSubsampling)\n\t\tdrawingFlags |= DRAW_ALLOW_COLOR_SUBSAMPLING; /* currently unimplemented */\n\n\t/* While bitmap_decode.c now implements YCoCg, in turning it\n\t * on we have found Microsoft is inconsistent on whether to invert R & B.\n\t * And it's not only from one server to another; on Win7/2008R2, it appears\n\t * to send the main content with a different inversion than the Windows\n\t * button! So... don't advertise that we support YCoCg and the server\n\t * will not send it. 
YCoCg is still needed for EGFX, but it at least\n\t * appears consistent in its use.\n\t */\n\n\tif ((settings->ColorDepth > UINT16_MAX) || (settings->DesktopWidth > UINT16_MAX) ||\n\t (settings->DesktopHeight > UINT16_MAX) || (settings->DesktopResize > UINT16_MAX))\n\t\treturn FALSE;\n\n\tif (settings->RdpVersion >= RDP_VERSION_5_PLUS)\n\t\tpreferredBitsPerPixel = (UINT16)settings->ColorDepth;\n\telse\n\t\tpreferredBitsPerPixel = 8;\n\n\tStream_Write_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive1BitPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* receive8BitsPerPixel (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->DesktopResize); /* desktopResizeFlag (2 bytes) */\n\tStream_Write_UINT16(s, 1); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Write_UINT8(s, 0); /* highColorFlags (1 byte) */\n\tStream_Write_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Write_UINT16(s, 1); /* multipleRectangleSupport (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2OctetsB (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_BITMAP);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 214825058683404299590112235974415655493,
- "size": 55,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409633
- },
- {
- "func": "static void rdp_read_capability_set_header(wStream* s, UINT16* length, UINT16* type)\n{\n\tStream_Read_UINT16(s, *type); /* capabilitySetType */\n\tStream_Read_UINT16(s, *length); /* lengthCapability */\n}",
- "project": "FreeRDP",
- "hash": 80707266597010700872327549120082707400,
- "size": 5,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409594
- },
- {
- "func": "static BOOL rdp_write_bitmap_codecs_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\tBYTE bitmapCodecCount;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tbitmapCodecCount = 0;\n\n\tif (settings->RemoteFxCodec)\n\t\tbitmapCodecCount++;\n\n\tif (settings->NSCodec)\n\t\tbitmapCodecCount++;\n\n#if defined(WITH_JPEG)\n\n\tif (settings->JpegCodec)\n\t\tbitmapCodecCount++;\n\n#endif\n\n\tif (settings->RemoteFxImageCodec)\n\t\tbitmapCodecCount++;\n\n\tStream_Write_UINT8(s, bitmapCodecCount);\n\n\tif (settings->RemoteFxCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_REMOTEFX); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_rfx_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_REMOTEFX); /* codecID */\n\n\t\t\tif (!rdp_write_rfx_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\tif (settings->NSCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_NSCODEC); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_nsc_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_NSCODEC); /* codecID */\n\n\t\t\tif (!rdp_write_nsc_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n#if defined(WITH_JPEG)\n\n\tif (settings->JpegCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_JPEG); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_jpeg_server_capability_container(s, settings))\n\t\t\t\treturn 
FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_JPEG); /* codecID */\n\n\t\t\tif (!rdp_write_jpeg_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n#endif\n\n\tif (settings->RemoteFxImageCodec)\n\t{\n\t\trdp_write_bitmap_codec_guid(s, &CODEC_GUID_IMAGE_REMOTEFX); /* codecGUID */\n\n\t\tif (settings->ServerMode)\n\t\t{\n\t\t\tStream_Write_UINT8(s, 0); /* codecID is defined by the client */\n\n\t\t\tif (!rdp_write_rfx_server_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tStream_Write_UINT8(s, RDP_CODEC_ID_IMAGE_REMOTEFX); /* codecID */\n\n\t\t\tif (!rdp_write_rfx_client_capability_container(s, settings))\n\t\t\t\treturn FALSE;\n\t\t}\n\t}\n\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_BITMAP_CODECS);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 332928462654213428990596858954074010072,
- "size": 116,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409660
- },
- {
- "func": "static BOOL rdp_write_jpeg_client_capability_container(wStream* s, const rdpSettings* settings)\n{\n\tif (!Stream_EnsureRemainingCapacity(s, 8))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, 1); /* codecPropertiesLength */\n\tStream_Write_UINT8(s, settings->JpegQuality);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 230066296694265455843662918473236864709,
- "size": 9,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409664
- },
- {
- "func": "static void rdp_read_cache_definition(wStream* s, GLYPH_CACHE_DEFINITION* cache_definition)\n{\n\tStream_Read_UINT16(s, cache_definition->cacheEntries); /* cacheEntries (2 bytes) */\n\tStream_Read_UINT16(s,\n\t cache_definition->cacheMaximumCellSize); /* cacheMaximumCellSize (2 bytes) */\n}",
- "project": "FreeRDP",
- "hash": 45805913852648643995751491508146469984,
- "size": 6,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409666
- },
- {
- "func": "static BOOL rdp_read_draw_nine_grid_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 drawNineGridSupportLevel;\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawNineGridSupportLevel); /* drawNineGridSupportLevel (4 bytes) */\n\tStream_Read_UINT16(s, settings->DrawNineGridCacheSize); /* drawNineGridCacheSize (2 bytes) */\n\tStream_Read_UINT16(s,\n\t settings->DrawNineGridCacheEntries); /* drawNineGridCacheEntries (2 bytes) */\n\n\tif ((drawNineGridSupportLevel & DRAW_NINEGRID_SUPPORTED) ||\n\t (drawNineGridSupportLevel & DRAW_NINEGRID_SUPPORTED_V2))\n\t\tsettings->DrawNineGridEnabled = TRUE;\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 40633978534520824703644583410869744929,
- "size": 19,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409632
- },
- {
- "func": "static BOOL rdp_print_desktop_composition_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 compDeskSupportLevel;\n\tWLog_INFO(TAG, \"DesktopCompositionCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, compDeskSupportLevel); /* compDeskSupportLevel (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcompDeskSupportLevel: 0x%04\" PRIX16 \"\", compDeskSupportLevel);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 210379168711159173994520293055281545595,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409641
- },
- {
- "func": "static void rdp_write_bitmap_codec_guid(wStream* s, const GUID* guid)\n{\n\tBYTE g[16];\n\tg[0] = guid->Data1 & 0xFF;\n\tg[1] = (guid->Data1 >> 8) & 0xFF;\n\tg[2] = (guid->Data1 >> 16) & 0xFF;\n\tg[3] = (guid->Data1 >> 24) & 0xFF;\n\tg[4] = (guid->Data2) & 0xFF;\n\tg[5] = (guid->Data2 >> 8) & 0xFF;\n\tg[6] = (guid->Data3) & 0xFF;\n\tg[7] = (guid->Data3 >> 8) & 0xFF;\n\tg[8] = guid->Data4[0];\n\tg[9] = guid->Data4[1];\n\tg[10] = guid->Data4[2];\n\tg[11] = guid->Data4[3];\n\tg[12] = guid->Data4[4];\n\tg[13] = guid->Data4[5];\n\tg[14] = guid->Data4[6];\n\tg[15] = guid->Data4[7];\n\tStream_Write(s, g, 16);\n}",
- "project": "FreeRDP",
- "hash": 325767040754059587070181348175035488638,
- "size": 21,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409668
- },
- {
- "func": "static BOOL rdp_print_draw_gdiplus_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 drawGdiPlusSupportLevel;\n\tUINT32 GdipVersion;\n\tUINT32 drawGdiplusCacheLevel;\n\tWLog_INFO(TAG, \"DrawGdiPlusCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawGdiPlusSupportLevel); /* drawGdiPlusSupportLevel (4 bytes) */\n\tStream_Read_UINT32(s, GdipVersion); /* GdipVersion (4 bytes) */\n\tStream_Read_UINT32(s, drawGdiplusCacheLevel); /* drawGdiPlusCacheLevel (4 bytes) */\n\tStream_Seek(s, 10); /* GdipCacheEntries (10 bytes) */\n\tStream_Seek(s, 8); /* GdipCacheChunkSize (8 bytes) */\n\tStream_Seek(s, 6); /* GdipImageCacheProperties (6 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 2012687523423089845955647994143606739,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409644
- },
- {
- "func": "static BOOL rdp_write_glyph_cache_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 64))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tif (settings->GlyphSupportLevel > UINT16_MAX)\n\t\treturn FALSE;\n\t/* glyphCache (40 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[0])); /* glyphCache0 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[1])); /* glyphCache1 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[2])); /* glyphCache2 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[3])); /* glyphCache3 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[4])); /* glyphCache4 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[5])); /* glyphCache5 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[6])); /* glyphCache6 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[7])); /* glyphCache7 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[8])); /* glyphCache8 (4 bytes) */\n\trdp_write_cache_definition(s, &(settings->GlyphCache[9])); /* glyphCache9 (4 bytes) */\n\trdp_write_cache_definition(s, settings->FragCache); /* fragCache (4 bytes) */\n\tStream_Write_UINT16(s, (UINT16)settings->GlyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_GLYPH_CACHE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 147467838726629004619531519247747352656,
- "size": 29,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409653
- },
- {
- "func": "BOOL rdp_recv_demand_active(rdpRdp* rdp, wStream* s)\n{\n\tUINT16 channelId;\n\tUINT16 pduType;\n\tUINT16 pduLength;\n\tUINT16 pduSource;\n\tUINT16 length;\n\tUINT16 numberCapabilities;\n\tUINT16 lengthSourceDescriptor;\n\tUINT16 lengthCombinedCapabilities;\n\n\tif (!rdp_recv_get_active_header(rdp, s, &channelId, &length))\n\t\treturn FALSE;\n\n\tif (freerdp_shall_disconnect(rdp->instance))\n\t\treturn TRUE;\n\n\tif (!rdp_read_share_control_header(s, &pduLength, &pduType, &pduSource))\n\t{\n\t\tWLog_ERR(TAG, \"rdp_read_share_control_header failed\");\n\t\treturn FALSE;\n\t}\n\n\tif (pduType == PDU_TYPE_DATA)\n\t{\n\t\t/**\n\t\t * We can receive a Save Session Info Data PDU containing a LogonErrorInfo\n\t\t * structure at this point from the server to indicate a connection error.\n\t\t */\n\t\tif (rdp_recv_data_pdu(rdp, s) < 0)\n\t\t\treturn FALSE;\n\n\t\treturn FALSE;\n\t}\n\n\tif (pduType != PDU_TYPE_DEMAND_ACTIVE)\n\t{\n\t\tif (pduType != PDU_TYPE_SERVER_REDIRECTION)\n\t\t\tWLog_ERR(TAG, \"expected PDU_TYPE_DEMAND_ACTIVE %04x, got %04\" PRIx16 \"\",\n\t\t\t PDU_TYPE_DEMAND_ACTIVE, pduType);\n\n\t\treturn FALSE;\n\t}\n\n\trdp->settings->PduSource = pduSource;\n\n\tif (Stream_GetRemainingLength(s) < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, rdp->settings->ShareId); /* shareId (4 bytes) */\n\tStream_Read_UINT16(s, lengthSourceDescriptor); /* lengthSourceDescriptor (2 bytes) */\n\tStream_Read_UINT16(s, lengthCombinedCapabilities); /* lengthCombinedCapabilities (2 bytes) */\n\n\tif (!Stream_SafeSeek(s, lengthSourceDescriptor) ||\n\t Stream_GetRemainingLength(s) < 4) /* sourceDescriptor */\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, numberCapabilities); /* numberCapabilities (2 bytes) */\n\tStream_Seek(s, 2); /* pad2Octets (2 bytes) */\n\n\t/* capabilitySets */\n\tif (!rdp_read_capability_sets(s, rdp->settings, numberCapabilities, lengthCombinedCapabilities))\n\t{\n\t\tWLog_ERR(TAG, \"rdp_read_capability_sets failed\");\n\t\treturn 
FALSE;\n\t}\n\n\tif (!Stream_SafeSeek(s, 4)) /* SessionId */\n\t\treturn FALSE;\n\n\trdp->update->secondary->glyph_v2 = (rdp->settings->GlyphSupportLevel > GLYPH_SUPPORT_FULL);\n\treturn tpkt_ensure_stream_consumed(s, length);\n}",
- "project": "FreeRDP",
- "hash": 44339431169826735119172547471406906347,
- "size": 73,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409604
- },
- {
- "func": "static BOOL rdp_read_bitmap_cache_v3_codec_id_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tBYTE bitmapCacheV3CodecId;\n\n\tWINPR_UNUSED(settings);\n\tif (length < 5)\n\t\treturn FALSE;\n\n\tStream_Read_UINT8(s, bitmapCacheV3CodecId); /* bitmapCacheV3CodecId (1 byte) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 86826559054972396148544906904831060639,
- "size": 12,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409658
- },
- {
- "func": "static BOOL rdp_print_glyph_cache_capability_set(wStream* s, UINT16 length)\n{\n\tGLYPH_CACHE_DEFINITION glyphCache[10];\n\tGLYPH_CACHE_DEFINITION fragCache;\n\tUINT16 glyphSupportLevel;\n\tUINT16 pad2Octets;\n\tWLog_INFO(TAG, \"GlyphCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 52)\n\t\treturn FALSE;\n\n\t/* glyphCache (40 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[0]); /* glyphCache0 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[1]); /* glyphCache1 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[2]); /* glyphCache2 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[3]); /* glyphCache3 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[4]); /* glyphCache4 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[5]); /* glyphCache5 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[6]); /* glyphCache6 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[7]); /* glyphCache7 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[8]); /* glyphCache8 (4 bytes) */\n\trdp_read_cache_definition(s, &glyphCache[9]); /* glyphCache9 (4 bytes) */\n\trdp_read_cache_definition(s, &fragCache); /* fragCache (4 bytes) */\n\tStream_Read_UINT16(s, glyphSupportLevel); /* glyphSupportLevel (2 bytes) */\n\tStream_Read_UINT16(s, pad2Octets); /* pad2Octets (2 bytes) */\n\tWLog_INFO(TAG, \"\\tglyphCache0: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[0].cacheEntries, glyphCache[0].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache1: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[1].cacheEntries, glyphCache[1].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache2: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[2].cacheEntries, glyphCache[2].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache3: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[3].cacheEntries, 
glyphCache[3].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache4: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[4].cacheEntries, glyphCache[4].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache5: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[5].cacheEntries, glyphCache[5].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache6: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[6].cacheEntries, glyphCache[6].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache7: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[7].cacheEntries, glyphCache[7].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache8: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[8].cacheEntries, glyphCache[8].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphCache9: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t glyphCache[9].cacheEntries, glyphCache[9].cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tfragCache: Entries: %\" PRIu16 \" MaximumCellSize: %\" PRIu16 \"\",\n\t fragCache.cacheEntries, fragCache.cacheMaximumCellSize);\n\tWLog_INFO(TAG, \"\\tglyphSupportLevel: 0x%04\" PRIX16 \"\", glyphSupportLevel);\n\tWLog_INFO(TAG, \"\\tpad2Octets: 0x%04\" PRIX16 \"\", pad2Octets);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 327012898936376103726124817366633874691,
- "size": 51,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409630
- },
- {
- "func": "static BOOL rdp_print_pointer_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 colorPointerFlag;\n\tUINT16 colorPointerCacheSize;\n\tUINT16 pointerCacheSize;\n\n\tif (length < 10)\n\t\treturn FALSE;\n\n\tWLog_INFO(TAG, \"PointerCapabilitySet (length %\" PRIu16 \"):\", length);\n\tStream_Read_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Read_UINT16(s, colorPointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\tStream_Read_UINT16(s, pointerCacheSize); /* pointerCacheSize (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcolorPointerFlag: 0x%04\" PRIX16 \"\", colorPointerFlag);\n\tWLog_INFO(TAG, \"\\tcolorPointerCacheSize: 0x%04\" PRIX16 \"\", colorPointerCacheSize);\n\tWLog_INFO(TAG, \"\\tpointerCacheSize: 0x%04\" PRIX16 \"\", pointerCacheSize);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 303759523317706528285641459907488762007,
- "size": 18,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409662
- },
- {
- "func": "static BOOL rdp_write_font_capability_set(wStream* s, const rdpSettings* settings)\n{\n\tsize_t header;\n\n\tWINPR_UNUSED(settings);\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\theader = rdp_capability_set_start(s);\n\tif (header > UINT16_MAX)\n\t\treturn FALSE;\n\tStream_Write_UINT16(s, FONTSUPPORT_FONTLIST); /* fontSupportFlags (2 bytes) */\n\tStream_Write_UINT16(s, 0); /* pad2Octets (2 bytes) */\n\trdp_capability_set_finish(s, (UINT16)header, CAPSET_TYPE_FONT);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 77739938369199003807908763104333147952,
- "size": 16,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409669
- },
- {
- "func": "static BOOL rdp_read_share_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT16(s); /* nodeId (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 110630546321384895699149838140537479494,
- "size": 10,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409686
- },
- {
- "func": "static void rdp_read_bitmap_cache_cell_info(wStream* s, BITMAP_CACHE_V2_CELL_INFO* cellInfo)\n{\n\tUINT32 info;\n\t/**\n\t * numEntries is in the first 31 bits, while the last bit (k)\n\t * is used to indicate a persistent bitmap cache.\n\t */\n\tStream_Read_UINT32(s, info);\n\tcellInfo->numEntries = (info & 0x7FFFFFFF);\n\tcellInfo->persistent = (info & 0x80000000) ? 1 : 0;\n}",
- "project": "FreeRDP",
- "hash": 243003567530089132513265118318891886949,
- "size": 11,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409578
- },
- {
- "func": "static BOOL rdp_print_control_capability_set(wStream* s, UINT16 length)\n{\n\tUINT16 controlFlags;\n\tUINT16 remoteDetachFlag;\n\tUINT16 controlInterest;\n\tUINT16 detachInterest;\n\tWLog_INFO(TAG, \"ControlCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, controlFlags); /* controlFlags (2 bytes) */\n\tStream_Read_UINT16(s, remoteDetachFlag); /* remoteDetachFlag (2 bytes) */\n\tStream_Read_UINT16(s, controlInterest); /* controlInterest (2 bytes) */\n\tStream_Read_UINT16(s, detachInterest); /* detachInterest (2 bytes) */\n\tWLog_INFO(TAG, \"\\tcontrolFlags: 0x%04\" PRIX16 \"\", controlFlags);\n\tWLog_INFO(TAG, \"\\tremoteDetachFlag: 0x%04\" PRIX16 \"\", remoteDetachFlag);\n\tWLog_INFO(TAG, \"\\tcontrolInterest: 0x%04\" PRIX16 \"\", controlInterest);\n\tWLog_INFO(TAG, \"\\tdetachInterest: 0x%04\" PRIX16 \"\", detachInterest);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 112568296590823747751147846820589701696,
- "size": 21,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409670
- },
- {
- "func": "static BOOL rdp_write_multifragment_update_capability_set(wStream* s, rdpSettings* settings)\n{\n\tsize_t header;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\tif (settings->ServerMode && settings->MultifragMaxRequestSize == 0)\n\t{\n\t\t/**\n\t\t * In server mode we prefer to use the highest useful request size that\n\t\t * will allow us to pack a complete screen update into a single fast\n\t\t * path PDU using any of the supported codecs.\n\t\t * However, the client is completely free to accept our proposed\n\t\t * max request size or send a different value in the client-to-server\n\t\t * multi-fragment update capability set and we have to accept that,\n\t\t * unless we are using RemoteFX where the client MUST announce a value\n\t\t * greater than or equal to the value we're sending here.\n\t\t * See [MS-RDPRFX 1.5 capability #2]\n\t\t */\n\t\tUINT32 tileNumX = (settings->DesktopWidth + 63) / 64;\n\t\tUINT32 tileNumY = (settings->DesktopHeight + 63) / 64;\n\t\tsettings->MultifragMaxRequestSize = tileNumX * tileNumY * 16384;\n\t\t/* and add room for headers, regions, frame markers, etc. */\n\t\tsettings->MultifragMaxRequestSize += 16384;\n\t}\n\n\theader = rdp_capability_set_start(s);\n\tStream_Write_UINT32(s, settings->MultifragMaxRequestSize); /* MaxRequestSize (4 bytes) */\n\trdp_capability_set_finish(s, header, CAPSET_TYPE_MULTI_FRAGMENT_UPDATE);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 284673504598250299343184535298414746342,
- "size": 32,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409667
- },
- {
- "func": "static BOOL rdp_read_draw_gdiplus_cache_capability_set(wStream* s, UINT16 length,\n rdpSettings* settings)\n{\n\tUINT32 drawGDIPlusSupportLevel;\n\tUINT32 drawGdiplusCacheLevel;\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, drawGDIPlusSupportLevel); /* drawGDIPlusSupportLevel (4 bytes) */\n\tStream_Seek_UINT32(s); /* GdipVersion (4 bytes) */\n\tStream_Read_UINT32(s, drawGdiplusCacheLevel); /* drawGdiplusCacheLevel (4 bytes) */\n\tStream_Seek(s, 10); /* GdipCacheEntries (10 bytes) */\n\tStream_Seek(s, 8); /* GdipCacheChunkSize (8 bytes) */\n\tStream_Seek(s, 6); /* GdipImageCacheProperties (6 bytes) */\n\n\tif (drawGDIPlusSupportLevel & DRAW_GDIPLUS_SUPPORTED)\n\t\tsettings->DrawGdiPlusEnabled = TRUE;\n\n\tif (drawGdiplusCacheLevel & DRAW_GDIPLUS_CACHE_LEVEL_ONE)\n\t\tsettings->DrawGdiPlusCacheEnabled = TRUE;\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 234991757575908276803722590129707796626,
- "size": 24,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409590
- },
- {
- "func": "static BOOL rdp_print_bitmap_cache_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 pad1, pad2, pad3;\n\tUINT32 pad4, pad5, pad6;\n\tUINT16 Cache0Entries;\n\tUINT16 Cache0MaximumCellSize;\n\tUINT16 Cache1Entries;\n\tUINT16 Cache1MaximumCellSize;\n\tUINT16 Cache2Entries;\n\tUINT16 Cache2MaximumCellSize;\n\tWLog_INFO(TAG, \"BitmapCacheCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, pad1); /* pad1 (4 bytes) */\n\tStream_Read_UINT32(s, pad2); /* pad2 (4 bytes) */\n\tStream_Read_UINT32(s, pad3); /* pad3 (4 bytes) */\n\tStream_Read_UINT32(s, pad4); /* pad4 (4 bytes) */\n\tStream_Read_UINT32(s, pad5); /* pad5 (4 bytes) */\n\tStream_Read_UINT32(s, pad6); /* pad6 (4 bytes) */\n\tStream_Read_UINT16(s, Cache0Entries); /* Cache0Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache0MaximumCellSize); /* Cache0MaximumCellSize (2 bytes) */\n\tStream_Read_UINT16(s, Cache1Entries); /* Cache1Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache1MaximumCellSize); /* Cache1MaximumCellSize (2 bytes) */\n\tStream_Read_UINT16(s, Cache2Entries); /* Cache2Entries (2 bytes) */\n\tStream_Read_UINT16(s, Cache2MaximumCellSize); /* Cache2MaximumCellSize (2 bytes) */\n\tWLog_INFO(TAG, \"\\tpad1: 0x%08\" PRIX32 \"\", pad1);\n\tWLog_INFO(TAG, \"\\tpad2: 0x%08\" PRIX32 \"\", pad2);\n\tWLog_INFO(TAG, \"\\tpad3: 0x%08\" PRIX32 \"\", pad3);\n\tWLog_INFO(TAG, \"\\tpad4: 0x%08\" PRIX32 \"\", pad4);\n\tWLog_INFO(TAG, \"\\tpad5: 0x%08\" PRIX32 \"\", pad5);\n\tWLog_INFO(TAG, \"\\tpad6: 0x%08\" PRIX32 \"\", pad6);\n\tWLog_INFO(TAG, \"\\tCache0Entries: 0x%04\" PRIX16 \"\", Cache0Entries);\n\tWLog_INFO(TAG, \"\\tCache0MaximumCellSize: 0x%04\" PRIX16 \"\", Cache0MaximumCellSize);\n\tWLog_INFO(TAG, \"\\tCache1Entries: 0x%04\" PRIX16 \"\", Cache1Entries);\n\tWLog_INFO(TAG, \"\\tCache1MaximumCellSize: 0x%04\" PRIX16 \"\", Cache1MaximumCellSize);\n\tWLog_INFO(TAG, \"\\tCache2Entries: 0x%04\" PRIX16 \"\", 
Cache2Entries);\n\tWLog_INFO(TAG, \"\\tCache2MaximumCellSize: 0x%04\" PRIX16 \"\", Cache2MaximumCellSize);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 263214705750533080366269336572526014100,
- "size": 41,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409574
- },
- {
- "func": "static BOOL rdp_read_bitmap_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tBYTE drawingFlags;\n\tUINT16 desktopWidth;\n\tUINT16 desktopHeight;\n\tUINT16 desktopResizeFlag;\n\tUINT16 preferredBitsPerPixel;\n\n\tif (length < 28)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, preferredBitsPerPixel); /* preferredBitsPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive1BitPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive4BitsPerPixel (2 bytes) */\n\tStream_Seek_UINT16(s); /* receive8BitsPerPixel (2 bytes) */\n\tStream_Read_UINT16(s, desktopWidth); /* desktopWidth (2 bytes) */\n\tStream_Read_UINT16(s, desktopHeight); /* desktopHeight (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\tStream_Read_UINT16(s, desktopResizeFlag); /* desktopResizeFlag (2 bytes) */\n\tStream_Seek_UINT16(s); /* bitmapCompressionFlag (2 bytes) */\n\tStream_Seek_UINT8(s); /* highColorFlags (1 byte) */\n\tStream_Read_UINT8(s, drawingFlags); /* drawingFlags (1 byte) */\n\tStream_Seek_UINT16(s); /* multipleRectangleSupport (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsB (2 bytes) */\n\n\tif (!settings->ServerMode && (preferredBitsPerPixel != settings->ColorDepth))\n\t{\n\t\t/* The client must respect the actual color depth used by the server */\n\t\tsettings->ColorDepth = preferredBitsPerPixel;\n\t}\n\n\tif (desktopResizeFlag == FALSE)\n\t\tsettings->DesktopResize = FALSE;\n\n\tif (!settings->ServerMode && settings->DesktopResize)\n\t{\n\t\t/* The server may request a different desktop size during Deactivation-Reactivation sequence\n\t\t */\n\t\tsettings->DesktopWidth = desktopWidth;\n\t\tsettings->DesktopHeight = desktopHeight;\n\t}\n\n\tif (settings->DrawAllowSkipAlpha)\n\t\tsettings->DrawAllowSkipAlpha = (drawingFlags & DRAW_ALLOW_SKIP_ALPHA) ? TRUE : FALSE;\n\n\tif (settings->DrawAllowDynamicColorFidelity)\n\t\tsettings->DrawAllowDynamicColorFidelity =\n\t\t (drawingFlags & DRAW_ALLOW_DYNAMIC_COLOR_FIDELITY) ? 
TRUE : FALSE;\n\n\tif (settings->DrawAllowColorSubsampling)\n\t\tsettings->DrawAllowColorSubsampling =\n\t\t (drawingFlags & DRAW_ALLOW_COLOR_SUBSAMPLING) ? TRUE : FALSE;\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 32241820168842739652588766287689298066,
- "size": 55,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409605
- },
- {
- "func": "static BOOL rdp_read_large_pointer_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 largePointerSupportFlags;\n\n\tif (length < 6)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, largePointerSupportFlags); /* largePointerSupportFlags (2 bytes) */\n\tsettings->LargePointerFlag =\n\t largePointerSupportFlags & (LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384);\n\tif ((largePointerSupportFlags & ~(LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384)) != 0)\n\t{\n\t\tWLog_WARN(\n\t\t TAG,\n\t\t \"TS_LARGE_POINTER_CAPABILITYSET with unsupported flags %04X (all flags %04X) received\",\n\t\t largePointerSupportFlags & ~(LARGE_POINTER_FLAG_96x96 | LARGE_POINTER_FLAG_384x384),\n\t\t largePointerSupportFlags);\n\t}\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 31411261199554286081134639045069445801,
- "size": 20,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409617
- },
- {
- "func": "static BOOL rdp_print_virtual_channel_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 flags;\n\tUINT32 VCChunkSize;\n\tWLog_INFO(TAG, \"VirtualChannelCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, flags); /* flags (4 bytes) */\n\n\tif (length > 8)\n\t\tStream_Read_UINT32(s, VCChunkSize); /* VCChunkSize (4 bytes) */\n\telse\n\t\tVCChunkSize = 1600;\n\n\tWLog_INFO(TAG, \"\\tflags: 0x%08\" PRIX32 \"\", flags);\n\tWLog_INFO(TAG, \"\\tVCChunkSize: 0x%08\" PRIX32 \"\", VCChunkSize);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 284706245349848953715070998125660485821,
- "size": 20,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409583
- },
- {
- "func": "static BOOL rdp_print_surface_commands_capability_set(wStream* s, UINT16 length)\n{\n\tUINT32 cmdFlags;\n\tUINT32 reserved;\n\tWLog_INFO(TAG, \"SurfaceCommandsCapabilitySet (length %\" PRIu16 \"):\", length);\n\n\tif (length < 12)\n\t\treturn FALSE;\n\n\tStream_Read_UINT32(s, cmdFlags); /* cmdFlags (4 bytes) */\n\tStream_Read_UINT32(s, reserved); /* reserved (4 bytes) */\n\tWLog_INFO(TAG, \"\\tcmdFlags: 0x%08\" PRIX32 \"\", cmdFlags);\n\tWLog_INFO(TAG, \"\\treserved: 0x%08\" PRIX32 \"\", reserved);\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 201233689125804826922744190824697797071,
- "size": 15,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409607
- },
- {
- "func": "static BOOL rdp_read_pointer_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tUINT16 colorPointerFlag;\n\tUINT16 colorPointerCacheSize;\n\tUINT16 pointerCacheSize;\n\n\tif (length < 8)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, colorPointerFlag); /* colorPointerFlag (2 bytes) */\n\tStream_Read_UINT16(s, colorPointerCacheSize); /* colorPointerCacheSize (2 bytes) */\n\n\t/* pointerCacheSize is optional */\n\tif (length >= 10)\n\t\tStream_Read_UINT16(s, pointerCacheSize); /* pointerCacheSize (2 bytes) */\n\telse\n\t\tpointerCacheSize = 0;\n\n\tif (colorPointerFlag == FALSE)\n\t\tsettings->ColorPointerFlag = FALSE;\n\n\tif (settings->ServerMode)\n\t{\n\t\tsettings->PointerCacheSize = pointerCacheSize;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 298168098402171989438387105409127129458,
- "size": 28,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409622
- },
- {
- "func": "static BOOL rdp_read_bitmap_cache_capability_set(wStream* s, UINT16 length, rdpSettings* settings)\n{\n\tWINPR_UNUSED(settings);\n\tif (length < 40)\n\t\treturn FALSE;\n\n\tStream_Seek_UINT32(s); /* pad1 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad2 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad3 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad4 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad5 (4 bytes) */\n\tStream_Seek_UINT32(s); /* pad6 (4 bytes) */\n\tStream_Seek_UINT16(s); /* Cache0Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache0MaximumCellSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache1Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache1MaximumCellSize (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache2Entries (2 bytes) */\n\tStream_Seek_UINT16(s); /* Cache2MaximumCellSize (2 bytes) */\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 126632303879958348471370508278569584777,
- "size": 20,
- "commit_id": "3627aaf7d289315b614a584afb388f04abfb5bbf",
- "message": "Fixed #6011: Bounds check in rdp_read_font_capability_set",
- "target": 0,
- "dataset": "other",
- "idx": 409687
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "irda_connect",
- "irda_discover_daddr_and_lsap_sel",
- "irda_find_lsap_sel"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static int irda_connect(struct socket *sock, struct sockaddr *uaddr,\n\t\t\tint addr_len, int flags)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct sockaddr_irda *addr = (struct sockaddr_irda *) uaddr;\n\tstruct irda_sock *self = irda_sk(sk);\n\tint err;\n\n\tIRDA_DEBUG(2, \"%s(%p)\\n\", __func__, self);\n\n\t/* Don't allow connect for Ultra sockets */\n\tif ((sk->sk_type == SOCK_DGRAM) && (sk->sk_protocol == IRDAPROTO_ULTRA))\n\t\treturn -ESOCKTNOSUPPORT;\n\n\tif (sk->sk_state == TCP_ESTABLISHED && sock->state == SS_CONNECTING) {\n\t\tsock->state = SS_CONNECTED;\n\t\treturn 0; /* Connect completed during a ERESTARTSYS event */\n\t}\n\n\tif (sk->sk_state == TCP_CLOSE && sock->state == SS_CONNECTING) {\n\t\tsock->state = SS_UNCONNECTED;\n\t\treturn -ECONNREFUSED;\n\t}\n\n\tif (sk->sk_state == TCP_ESTABLISHED)\n\t\treturn -EISCONN; /* No reconnect on a seqpacket socket */\n\n\tsk->sk_state = TCP_CLOSE;\n\tsock->state = SS_UNCONNECTED;\n\n\tif (addr_len != sizeof(struct sockaddr_irda))\n\t\treturn -EINVAL;\n\n\t/* Check if user supplied any destination device address */\n\tif ((!addr->sir_addr) || (addr->sir_addr == DEV_ADDR_ANY)) {\n\t\t/* Try to find one suitable */\n\t\terr = irda_discover_daddr_and_lsap_sel(self, addr->sir_name);\n\t\tif (err) {\n\t\t\tIRDA_DEBUG(0, \"%s(), auto-connect failed!\\n\", __func__);\n\t\t\treturn err;\n\t\t}\n\t} else {\n\t\t/* Use the one provided by the user */\n\t\tself->daddr = addr->sir_addr;\n\t\tIRDA_DEBUG(1, \"%s(), daddr = %08x\\n\", __func__, self->daddr);\n\n\t\t/* If we don't have a valid service name, we assume the\n\t\t * user want to connect on a specific LSAP. Prevent\n\t\t * the use of invalid LSAPs (IrLMP 1.1 p10). 
Jean II */\n\t\tif((addr->sir_name[0] != '\\0') ||\n\t\t (addr->sir_lsap_sel >= 0x70)) {\n\t\t\t/* Query remote LM-IAS using service name */\n\t\t\terr = irda_find_lsap_sel(self, addr->sir_name);\n\t\t\tif (err) {\n\t\t\t\tIRDA_DEBUG(0, \"%s(), connect failed!\\n\", __func__);\n\t\t\t\treturn err;\n\t\t\t}\n\t\t} else {\n\t\t\t/* Directly connect to the remote LSAP\n\t\t\t * specified by the sir_lsap field.\n\t\t\t * Please use with caution, in IrDA LSAPs are\n\t\t\t * dynamic and there is no \"well-known\" LSAP. */\n\t\t\tself->dtsap_sel = addr->sir_lsap_sel;\n\t\t}\n\t}\n\n\t/* Check if we have opened a local TSAP */\n\tif (!self->tsap)\n\t\tirda_open_tsap(self, LSAP_ANY, addr->sir_name);\n\n\t/* Move to connecting socket, start sending Connect Requests */\n\tsock->state = SS_CONNECTING;\n\tsk->sk_state = TCP_SYN_SENT;\n\n\t/* Connect to remote device */\n\terr = irttp_connect_request(self->tsap, self->dtsap_sel,\n\t\t\t\t self->saddr, self->daddr, NULL,\n\t\t\t\t self->max_sdu_size_rx, NULL);\n\tif (err) {\n\t\tIRDA_DEBUG(0, \"%s(), connect failed!\\n\", __func__);\n\t\treturn err;\n\t}\n\n\t/* Now the loop */\n\tif (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))\n\t\treturn -EINPROGRESS;\n\n\tif (wait_event_interruptible(*(sk->sk_sleep),\n\t\t\t\t (sk->sk_state != TCP_SYN_SENT)))\n\t\treturn -ERESTARTSYS;\n\n\tif (sk->sk_state != TCP_ESTABLISHED) {\n\t\tsock->state = SS_UNCONNECTED;\n\t\terr = sock_error(sk);\n\t\treturn err? err : -ECONNRESET;\n\t}\n\n\tsock->state = SS_CONNECTED;\n\n\t/* At this point, IrLMP has assigned our source address */\n\tself->saddr = irttp_get_saddr(self->tsap);\n\n\treturn 0;\n}",
- "target": 0,
- "cwe": [
- "CWE-200"
- ],
- "project": "linux-2.6",
- "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c",
- "hash": 178099908447917320051948600173125641407,
- "size": 104,
- "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet <eric.dumazet@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 490851
- },
- {
- "func": "static int irda_discover_daddr_and_lsap_sel(struct irda_sock *self, char *name)\n{\n\tdiscinfo_t *discoveries;\t/* Copy of the discovery log */\n\tint\tnumber;\t\t\t/* Number of nodes in the log */\n\tint\ti;\n\tint\terr = -ENETUNREACH;\n\t__u32\tdaddr = DEV_ADDR_ANY;\t/* Address we found the service on */\n\t__u8\tdtsap_sel = 0x0;\t/* TSAP associated with it */\n\n\tIRDA_DEBUG(2, \"%s(), name=%s\\n\", __func__, name);\n\n\t/* Ask lmp for the current discovery log\n\t * Note : we have to use irlmp_get_discoveries(), as opposed\n\t * to play with the cachelog directly, because while we are\n\t * making our ias query, le log might change... */\n\tdiscoveries = irlmp_get_discoveries(&number, self->mask.word,\n\t\t\t\t\t self->nslots);\n\t/* Check if the we got some results */\n\tif (discoveries == NULL)\n\t\treturn -ENETUNREACH;\t/* No nodes discovered */\n\n\t/*\n\t * Now, check all discovered devices (if any), and connect\n\t * client only about the services that the client is\n\t * interested in...\n\t */\n\tfor(i = 0; i < number; i++) {\n\t\t/* Try the address in the log */\n\t\tself->daddr = discoveries[i].daddr;\n\t\tself->saddr = 0x0;\n\t\tIRDA_DEBUG(1, \"%s(), trying daddr = %08x\\n\",\n\t\t\t __func__, self->daddr);\n\n\t\t/* Query remote LM-IAS for this service */\n\t\terr = irda_find_lsap_sel(self, name);\n\t\tswitch (err) {\n\t\tcase 0:\n\t\t\t/* We found the requested service */\n\t\t\tif(daddr != DEV_ADDR_ANY) {\n\t\t\t\tIRDA_DEBUG(1, \"%s(), discovered service ''%s'' in two different devices !!!\\n\",\n\t\t\t\t\t __func__, name);\n\t\t\t\tself->daddr = DEV_ADDR_ANY;\n\t\t\t\tkfree(discoveries);\n\t\t\t\treturn(-ENOTUNIQ);\n\t\t\t}\n\t\t\t/* First time we found that one, save it ! 
*/\n\t\t\tdaddr = self->daddr;\n\t\t\tdtsap_sel = self->dtsap_sel;\n\t\t\tbreak;\n\t\tcase -EADDRNOTAVAIL:\n\t\t\t/* Requested service simply doesn't exist on this node */\n\t\t\tbreak;\n\t\tdefault:\n\t\t\t/* Something bad did happen :-( */\n\t\t\tIRDA_DEBUG(0, \"%s(), unexpected IAS query failure\\n\", __func__);\n\t\t\tself->daddr = DEV_ADDR_ANY;\n\t\t\tkfree(discoveries);\n\t\t\treturn(-EHOSTUNREACH);\n\t\t\tbreak;\n\t\t}\n\t}\n\t/* Cleanup our copy of the discovery log */\n\tkfree(discoveries);\n\n\t/* Check out what we found */\n\tif(daddr == DEV_ADDR_ANY) {\n\t\tIRDA_DEBUG(1, \"%s(), cannot discover service ''%s'' in any device !!!\\n\",\n\t\t\t __func__, name);\n\t\tself->daddr = DEV_ADDR_ANY;\n\t\treturn(-EADDRNOTAVAIL);\n\t}\n\n\t/* Revert back to discovered device & service */\n\tself->daddr = daddr;\n\tself->saddr = 0x0;\n\tself->dtsap_sel = dtsap_sel;\n\n\tIRDA_DEBUG(1, \"%s(), discovered requested service ''%s'' at address %08x\\n\",\n\t\t __func__, name, self->daddr);\n\n\treturn 0;\n}",
- "target": 0,
- "cwe": [
- "CWE-200"
- ],
- "project": "linux-2.6",
- "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c",
- "hash": 318581748965276480005084377565136724550,
- "size": 82,
- "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet <eric.dumazet@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 490850
- },
- {
- "func": "static int irda_find_lsap_sel(struct irda_sock *self, char *name)\n{\n\tIRDA_DEBUG(2, \"%s(%p, %s)\\n\", __func__, self, name);\n\n\tif (self->iriap) {\n\t\tIRDA_WARNING(\"%s(): busy with a previous query\\n\",\n\t\t\t __func__);\n\t\treturn -EBUSY;\n\t}\n\n\tself->iriap = iriap_open(LSAP_ANY, IAS_CLIENT, self,\n\t\t\t\t irda_getvalue_confirm);\n\tif(self->iriap == NULL)\n\t\treturn -ENOMEM;\n\n\t/* Treat unexpected wakeup as disconnect */\n\tself->errno = -EHOSTUNREACH;\n\n\t/* Query remote LM-IAS */\n\tiriap_getvaluebyclass_request(self->iriap, self->saddr, self->daddr,\n\t\t\t\t name, \"IrDA:TinyTP:LsapSel\");\n\n\t/* Wait for answer, if not yet finished (or failed) */\n\tif (wait_event_interruptible(self->query_wait, (self->iriap==NULL)))\n\t\t/* Treat signals as disconnect */\n\t\treturn -EHOSTUNREACH;\n\n\t/* Check what happened */\n\tif (self->errno)\n\t{\n\t\t/* Requested object/attribute doesn't exist */\n\t\tif((self->errno == IAS_CLASS_UNKNOWN) ||\n\t\t (self->errno == IAS_ATTRIB_UNKNOWN))\n\t\t\treturn (-EADDRNOTAVAIL);\n\t\telse\n\t\t\treturn (-EHOSTUNREACH);\n\t}\n\n\t/* Get the remote TSAP selector */\n\tswitch (self->ias_result->type) {\n\tcase IAS_INTEGER:\n\t\tIRDA_DEBUG(4, \"%s() int=%d\\n\",\n\t\t\t __func__, self->ias_result->t.integer);\n\n\t\tif (self->ias_result->t.integer != -1)\n\t\t\tself->dtsap_sel = self->ias_result->t.integer;\n\t\telse\n\t\t\tself->dtsap_sel = 0;\n\t\tbreak;\n\tdefault:\n\t\tself->dtsap_sel = 0;\n\t\tIRDA_DEBUG(0, \"%s(), bad type!\\n\", __func__);\n\t\tbreak;\n\t}\n\tif (self->ias_result)\n\t\tirias_delete_value(self->ias_result);\n\n\tif (self->dtsap_sel)\n\t\treturn 0;\n\n\treturn -EADDRNOTAVAIL;\n}",
- "target": 0,
- "cwe": [
- "CWE-200"
- ],
- "project": "linux-2.6",
- "commit_id": "09384dfc76e526c3993c09c42e016372dc9dd22c",
- "hash": 165698805698786493552979841809667640579,
- "size": 62,
- "message": "irda: Fix irda_getname() leak\n\nirda_getname() can leak kernel memory to user.\n\nSigned-off-by: Eric Dumazet <eric.dumazet@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 490844
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "php_openssl_csr_free",
- "X509_REQ_free",
- "CSRequest"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static void php_openssl_csr_free(zend_resource *rsrc)\n{\n\tX509_REQ * csr = (X509_REQ*)rsrc->ptr;\n\tX509_REQ_free(csr);\n}",
- "project": "php-src",
- "hash": 203588433657896308178929799818659920108,
- "size": 5,
- "commit_id": "0216630ea2815a5789a24279a1211ac398d4de79",
- "message": "Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV)",
- "target": 0,
- "dataset": "other",
- "idx": 291401
- },
- {
- "func": " explicit CSRequest(X509_REQ *csr) : m_csr(csr) {\n assertx(m_csr);\n }",
- "project": "hhvm",
- "hash": 185152408263537532527205151501544474583,
- "size": 3,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219423
- },
- {
- "func": " ~CSRequest() override {\n // X509_REQ_free(nullptr) is a no-op\n X509_REQ_free(m_csr);\n }",
- "project": "hhvm",
- "hash": 172788866518608369448304811034265826884,
- "size": 4,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219893
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "crypto_get_certificate_data",
- "crypto_cert_fingerprint",
- "crypto_cert_fingerprint_by_hash",
- "crypto_cert_hash"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "char* crypto_cert_issuer(X509* xcert)\n{\n\treturn crypto_print_name(X509_get_issuer_name(xcert));\n}",
- "project": "FreeRDP",
- "hash": 205497471462573990909815156371579244197,
- "size": 4,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473452
- },
- {
- "func": "char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)\n{\n\tUINT32 fp_len, i;\n\tBYTE* fp;\n\tchar* p;\n\tchar* fp_buffer;\n\n\tfp = crypto_cert_hash(xcert, hash, &fp_len);\n\tif (!fp)\n\t\treturn NULL;\n\n\tfp_buffer = calloc(fp_len * 3 + 1, sizeof(char));\n\tif (!fp_buffer)\n\t\tgoto fail;\n\n\tp = fp_buffer;\n\n\tfor (i = 0; i < (fp_len - 1); i++)\n\t{\n\t\tsprintf_s(p, (fp_len - i) * 3, \"%02\" PRIx8 \":\", fp[i]);\n\t\tp = &fp_buffer[(i + 1) * 3];\n\t}\n\n\tsprintf_s(p, (fp_len - i) * 3, \"%02\" PRIx8 \"\", fp[i]);\nfail:\n\tfree(fp);\n\n\treturn fp_buffer;\n}",
- "project": "FreeRDP",
- "hash": 137722397787957957021174819917513700282,
- "size": 29,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473456
- },
- {
- "func": "char* crypto_cert_fingerprint(X509* xcert)\n{\n\treturn crypto_cert_fingerprint_by_hash(xcert, \"sha256\");\n}",
- "project": "FreeRDP",
- "hash": 115650122252764947943603801708902861010,
- "size": 4,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473462
- },
- {
- "func": "static int verify_cb(int ok, X509_STORE_CTX* csc)\n{\n\tif (ok != 1)\n\t{\n\t\tint err = X509_STORE_CTX_get_error(csc);\n\t\tint derr = X509_STORE_CTX_get_error_depth(csc);\n\t\tX509* where = X509_STORE_CTX_get_current_cert(csc);\n\t\tconst char* what = X509_verify_cert_error_string(err);\n\t\tchar* name = crypto_cert_subject(where);\n\n\t\tWLog_WARN(TAG, \"Certificate verification failure '%s (%d)' at stack position %d\", what, err,\n\t\t derr);\n\t\tWLog_WARN(TAG, \"%s\", name);\n\n\t\tfree(name);\n\t}\n\treturn ok;\n}",
- "project": "FreeRDP",
- "hash": 75265801506247543146779012995879849204,
- "size": 18,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473427
- },
- {
- "func": "void crypto_cert_print_info(X509* xcert)\n{\n\tchar* fp;\n\tchar* issuer;\n\tchar* subject;\n\tsubject = crypto_cert_subject(xcert);\n\tissuer = crypto_cert_issuer(xcert);\n\tfp = crypto_cert_fingerprint(xcert);\n\n\tif (!fp)\n\t{\n\t\tWLog_ERR(TAG, \"error computing fingerprint\");\n\t\tgoto out_free_issuer;\n\t}\n\n\tWLog_INFO(TAG, \"Certificate details:\");\n\tWLog_INFO(TAG, \"\\tSubject: %s\", subject);\n\tWLog_INFO(TAG, \"\\tIssuer: %s\", issuer);\n\tWLog_INFO(TAG, \"\\tThumbprint: %s\", fp);\n\tWLog_INFO(TAG,\n\t \"The above X.509 certificate could not be verified, possibly because you do not have \"\n\t \"the CA certificate in your certificate store, or the certificate has expired. \"\n\t \"Please look at the OpenSSL documentation on how to add a private CA to the store.\");\n\tfree(fp);\nout_free_issuer:\n\tfree(issuer);\n\tfree(subject);\n}",
- "project": "FreeRDP",
- "hash": 64076208521481089131010558823372035251,
- "size": 28,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473432
- },
- {
- "func": "char* crypto_cert_subject(X509* xcert)\n{\n\treturn crypto_print_name(X509_get_subject_name(xcert));\n}",
- "project": "FreeRDP",
- "hash": 177180604460491566370377171358096486095,
- "size": 4,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473454
- },
- {
- "func": "rdpCertificateData* crypto_get_certificate_data(X509* xcert, const char* hostname, UINT16 port)\n{\n\tchar* issuer;\n\tchar* subject;\n\tchar* fp;\n\trdpCertificateData* certdata;\n\tfp = crypto_cert_fingerprint(xcert);\n\n\tif (!fp)\n\t\treturn NULL;\n\n\tissuer = crypto_cert_issuer(xcert);\n\tsubject = crypto_cert_subject(xcert);\n\tcertdata = certificate_data_new(hostname, port, issuer, subject, fp);\n\tfree(subject);\n\tfree(issuer);\n\tfree(fp);\n\treturn certdata;\n}",
- "project": "FreeRDP",
- "hash": 170554719668291881438898249097327745004,
- "size": 19,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473455
- },
- {
- "func": "BYTE* crypto_cert_hash(X509* xcert, const char* hash, UINT32* length)\n{\n\tUINT32 fp_len = EVP_MAX_MD_SIZE;\n\tBYTE* fp;\n\tconst EVP_MD* md = EVP_get_digestbyname(hash);\n\tif (!md)\n\t\treturn NULL;\n\tif (!length)\n\t\treturn NULL;\n\tif (!xcert)\n\t\treturn NULL;\n\n\tfp = calloc(fp_len, sizeof(BYTE));\n\tif (!fp)\n\t\treturn NULL;\n\n\tif (X509_digest(xcert, md, fp, &fp_len) != 1)\n\t{\n\t\tfree(fp);\n\t\treturn NULL;\n\t}\n\n\t*length = fp_len;\n\treturn fp;\n}",
- "project": "FreeRDP",
- "hash": 258407869867369743474326334091914072928,
- "size": 25,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473451
- },
- {
- "func": "static char* crypto_print_name(X509_NAME* name)\n{\n\tchar* buffer = NULL;\n\tBIO* outBIO = BIO_new(BIO_s_mem());\n\n\tif (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)\n\t{\n\t\tunsigned long size = BIO_number_written(outBIO);\n\t\tbuffer = calloc(1, size + 1);\n\n\t\tif (!buffer)\n\t\t\treturn NULL;\n\n\t\tBIO_read(outBIO, buffer, size);\n\t}\n\n\tBIO_free_all(outBIO);\n\treturn buffer;\n}",
- "project": "FreeRDP",
- "hash": 89260255256165807681288006501973762861,
- "size": 19,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473437
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "parallel_thread_func",
- "parallel_process_irp",
- "parallel_process_irp_close"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "static UINT parallel_process_irp_device_control(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tStream_Write_UINT32(irp->output, 0); /* OutputBufferLength */\n\treturn irp->Complete(irp);\n}",
- "project": "FreeRDP",
- "hash": 50777945177459684828193623428436628095,
- "size": 5,
- "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7",
- "message": "Fixed oob read in parallel_process_irp_create",
- "target": 0,
- "dataset": "other",
- "idx": 403463
- },
- {
- "func": "static UINT parallel_process_irp_close(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tif (close(parallel->file) < 0)\n\t{\n\t}\n\telse\n\t{\n\t}\n\n\tStream_Zero(irp->output, 5); /* Padding(5) */\n\treturn irp->Complete(irp);\n}",
- "project": "FreeRDP",
- "hash": 229960397322034469489633522376896104471,
- "size": 12,
- "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7",
- "message": "Fixed oob read in parallel_process_irp_create",
- "target": 0,
- "dataset": "other",
- "idx": 403460
- },
- {
- "func": "static UINT parallel_process_irp_create(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tchar* path = NULL;\n\tint status;\n\tUINT32 PathLength;\n\tStream_Seek(irp->input, 28);\n\t/* DesiredAccess(4) AllocationSize(8), FileAttributes(4) */\n\t/* SharedAccess(4) CreateDisposition(4), CreateOptions(4) */\n\tStream_Read_UINT32(irp->input, PathLength);\n\tstatus = ConvertFromUnicode(CP_UTF8, 0, (WCHAR*)Stream_Pointer(irp->input), PathLength / 2,\n\t &path, 0, NULL, NULL);\n\n\tif (status < 1)\n\t\tif (!(path = (char*)calloc(1, 1)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\tparallel->id = irp->devman->id_sequence++;\n\tparallel->file = open(parallel->path, O_RDWR);\n\n\tif (parallel->file < 0)\n\t{\n\t\tirp->IoStatus = STATUS_ACCESS_DENIED;\n\t\tparallel->id = 0;\n\t}\n\telse\n\t{\n\t\t/* all read and write operations should be non-blocking */\n\t\tif (fcntl(parallel->file, F_SETFL, O_NONBLOCK) == -1)\n\t\t{\n\t\t}\n\t}\n\n\tStream_Write_UINT32(irp->output, parallel->id);\n\tStream_Write_UINT8(irp->output, 0);\n\tfree(path);\n\treturn irp->Complete(irp);\n}",
- "project": "FreeRDP",
- "hash": 91654068438972054959889615095747233707,
- "size": 40,
- "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7",
- "message": "Fixed oob read in parallel_process_irp_create",
- "target": 1,
- "dataset": "other",
- "idx": 207960
- },
- {
- "func": "static UINT parallel_process_irp_create(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tchar* path = NULL;\n\tint status;\n\tWCHAR* ptr;\n\tUINT32 PathLength;\n\tif (!Stream_SafeSeek(irp->input, 28))\n\t\treturn ERROR_INVALID_DATA;\n\t/* DesiredAccess(4) AllocationSize(8), FileAttributes(4) */\n\t/* SharedAccess(4) CreateDisposition(4), CreateOptions(4) */\n\tif (Stream_GetRemainingLength(irp->input) < 4)\n\t\treturn ERROR_INVALID_DATA;\n\tStream_Read_UINT32(irp->input, PathLength);\n\tptr = (WCHAR*)Stream_Pointer(irp->input);\n\tif (!Stream_SafeSeek(irp->input, PathLength))\n\t\treturn ERROR_INVALID_DATA;\n\tstatus = ConvertFromUnicode(CP_UTF8, 0, ptr, PathLength / 2, &path, 0, NULL, NULL);\n\n\tif (status < 1)\n\t\tif (!(path = (char*)calloc(1, 1)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"calloc failed!\");\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\tparallel->id = irp->devman->id_sequence++;\n\tparallel->file = open(parallel->path, O_RDWR);\n\n\tif (parallel->file < 0)\n\t{\n\t\tirp->IoStatus = STATUS_ACCESS_DENIED;\n\t\tparallel->id = 0;\n\t}\n\telse\n\t{\n\t\t/* all read and write operations should be non-blocking */\n\t\tif (fcntl(parallel->file, F_SETFL, O_NONBLOCK) == -1)\n\t\t{\n\t\t}\n\t}\n\n\tStream_Write_UINT32(irp->output, parallel->id);\n\tStream_Write_UINT8(irp->output, 0);\n\tfree(path);\n\treturn irp->Complete(irp);\n}",
- "project": "FreeRDP",
- "hash": 213401734041482676778583216895571372326,
- "size": 46,
- "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7",
- "message": "Fixed oob read in parallel_process_irp_create",
- "target": 0,
- "dataset": "other",
- "idx": 403469
- },
- {
- "func": "static UINT parallel_process_irp_write(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT32 len;\n\tUINT32 Length;\n\tUINT64 Offset;\n\tssize_t status;\n\tvoid* ptr;\n\tif (Stream_GetRemainingLength(irp->input) > 12)\n\t\treturn ERROR_INVALID_DATA;\n\n\tStream_Read_UINT32(irp->input, Length);\n\tStream_Read_UINT64(irp->input, Offset);\n\tif (!Stream_SafeSeek(irp->input, 20)) /* Padding */\n\t\treturn ERROR_INVALID_DATA;\n\tptr = Stream_Pointer(irp->input);\n\tif (!Stream_SafeSeek(irp->input, Length))\n\t\treturn ERROR_INVALID_DATA;\n\tlen = Length;\n\n\twhile (len > 0)\n\t{\n\t\tstatus = write(parallel->file, ptr, len);\n\n\t\tif (status < 0)\n\t\t{\n\t\t\tirp->IoStatus = STATUS_UNSUCCESSFUL;\n\t\t\tLength = 0;\n\t\t\tbreak;\n\t\t}\n\n\t\tStream_Seek(irp->input, status);\n\t\tlen -= status;\n\t}\n\n\tStream_Write_UINT32(irp->output, Length);\n\tStream_Write_UINT8(irp->output, 0); /* Padding */\n\treturn irp->Complete(irp);\n}",
- "project": "FreeRDP",
- "hash": 124029001936116716333431833342807537455,
- "size": 38,
- "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7",
- "message": "Fixed oob read in parallel_process_irp_create",
- "target": 0,
- "dataset": "other",
- "idx": 403462
- },
- {
- "func": "static DWORD WINAPI parallel_thread_func(LPVOID arg)\n{\n\tIRP* irp;\n\twMessage message;\n\tPARALLEL_DEVICE* parallel = (PARALLEL_DEVICE*)arg;\n\tUINT error = CHANNEL_RC_OK;\n\n\twhile (1)\n\t{\n\t\tif (!MessageQueue_Wait(parallel->queue))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"MessageQueue_Wait failed!\");\n\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (!MessageQueue_Peek(parallel->queue, &message, TRUE))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"MessageQueue_Peek failed!\");\n\t\t\terror = ERROR_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (message.id == WMQ_QUIT)\n\t\t\tbreak;\n\n\t\tirp = (IRP*)message.wParam;\n\n\t\tif ((error = parallel_process_irp(parallel, irp)))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"parallel_process_irp failed with error %\" PRIu32 \"!\", error);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (error && parallel->rdpcontext)\n\t\tsetChannelError(parallel->rdpcontext, error, \"parallel_thread_func reported an error\");\n\n\tExitThread(error);\n\treturn error;\n}",
- "project": "FreeRDP",
- "hash": 175202737362833470892243463098338728512,
- "size": 41,
- "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7",
- "message": "Fixed oob read in parallel_process_irp_create",
- "target": 0,
- "dataset": "other",
- "idx": 403464
- },
- {
- "func": "static UINT parallel_process_irp(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT error;\n\n\tswitch (irp->MajorFunction)\n\t{\n\t\tcase IRP_MJ_CREATE:\n\t\t\tif ((error = parallel_process_irp_create(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_create failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_CLOSE:\n\t\t\tif ((error = parallel_process_irp_close(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_close failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_READ:\n\t\t\tif ((error = parallel_process_irp_read(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_read failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_WRITE:\n\t\t\tif ((error = parallel_process_irp_write(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_write failed with error %\" PRIu32 \"!\", error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tcase IRP_MJ_DEVICE_CONTROL:\n\t\t\tif ((error = parallel_process_irp_device_control(parallel, irp)))\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"parallel_process_irp_device_control failed with error %\" PRIu32 \"!\",\n\t\t\t\t error);\n\t\t\t\treturn error;\n\t\t\t}\n\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tirp->IoStatus = STATUS_NOT_SUPPORTED;\n\t\t\treturn irp->Complete(irp);\n\t\t\tbreak;\n\t}\n\n\treturn CHANNEL_RC_OK;\n}",
- "project": "FreeRDP",
- "hash": 152328085319883643300033889459899429830,
- "size": 60,
- "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7",
- "message": "Fixed oob read in parallel_process_irp_create",
- "target": 0,
- "dataset": "other",
- "idx": 403465
- },
- {
- "func": "static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)\n{\n\tUINT32 Length;\n\tUINT64 Offset;\n\tssize_t status;\n\tBYTE* buffer = NULL;\n\tif (Stream_GetRemainingLength(irp->input) < 12)\n\t\treturn ERROR_INVALID_DATA;\n\tStream_Read_UINT32(irp->input, Length);\n\tStream_Read_UINT64(irp->input, Offset);\n\tbuffer = (BYTE*)malloc(Length);\n\n\tif (!buffer)\n\t{\n\t\tWLog_ERR(TAG, \"malloc failed!\");\n\t\treturn CHANNEL_RC_NO_MEMORY;\n\t}\n\n\tstatus = read(parallel->file, buffer, Length);\n\n\tif (status < 0)\n\t{\n\t\tirp->IoStatus = STATUS_UNSUCCESSFUL;\n\t\tfree(buffer);\n\t\tbuffer = NULL;\n\t\tLength = 0;\n\t}\n\telse\n\t{\n\t}\n\n\tStream_Write_UINT32(irp->output, Length);\n\n\tif (Length > 0)\n\t{\n\t\tif (!Stream_EnsureRemainingCapacity(irp->output, Length))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"Stream_EnsureRemainingCapacity failed!\");\n\t\t\tfree(buffer);\n\t\t\treturn CHANNEL_RC_NO_MEMORY;\n\t\t}\n\n\t\tStream_Write(irp->output, buffer, Length);\n\t}\n\n\tfree(buffer);\n\treturn irp->Complete(irp);\n}",
- "project": "FreeRDP",
- "hash": 325410391065857413900691400019655670752,
- "size": 48,
- "commit_id": "795842f4096501fcefc1a7f535ccc8132feb31d7",
- "message": "Fixed oob read in parallel_process_irp_create",
- "target": 0,
- "dataset": "other",
- "idx": 403468
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "rsi_indicate_pkt_to_os",
- "rsi_fill_rx_status",
- "rsi_perform_cqm"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void rsi_perform_cqm(struct rsi_common *common,\n\t\t\t u8 *bssid,\n\t\t\t s8 rssi,\n\t\t\t struct ieee80211_vif *vif)\n{\n\ts8 last_event = common->cqm_info.last_cqm_event_rssi;\n\tint thold = common->cqm_info.rssi_thold;\n\tu32 hyst = common->cqm_info.rssi_hyst;\n\tenum nl80211_cqm_rssi_threshold_event event;\n\n\tif (rssi < thold && (last_event == 0 || rssi < (last_event - hyst)))\n\t\tevent = NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW;\n\telse if (rssi > thold &&\n\t\t (last_event == 0 || rssi > (last_event + hyst)))\n\t\tevent = NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH;\n\telse\n\t\treturn;\n\n\tcommon->cqm_info.last_cqm_event_rssi = rssi;\n\trsi_dbg(INFO_ZONE, \"CQM: Notifying event: %d\\n\", event);\n\tieee80211_cqm_rssi_notify(vif, event, rssi, GFP_KERNEL);\n\n\treturn;\n}",
- "project": "linux",
- "hash": 114860442925680819795552771010927514880,
- "size": 24,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461645
- },
- {
- "func": "bool rsi_is_cipher_wep(struct rsi_common *common)\n{\n\tif (((common->secinfo.gtk_cipher == WLAN_CIPHER_SUITE_WEP104) ||\n\t (common->secinfo.gtk_cipher == WLAN_CIPHER_SUITE_WEP40)) &&\n\t (!common->secinfo.ptk_cipher))\n\t\treturn true;\n\telse\n\t\treturn false;\n}",
- "project": "linux",
- "hash": 338508583178677526423454936430516132884,
- "size": 9,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461648
- },
- {
- "func": "static void rsi_fill_rx_status(struct ieee80211_hw *hw,\n\t\t\t struct sk_buff *skb,\n\t\t\t struct rsi_common *common,\n\t\t\t struct ieee80211_rx_status *rxs)\n{\n\tstruct rsi_hw *adapter = common->priv;\n\tstruct ieee80211_vif *vif;\n\tstruct ieee80211_bss_conf *bss = NULL;\n\tstruct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);\n\tstruct skb_info *rx_params = (struct skb_info *)info->driver_data;\n\tstruct ieee80211_hdr *hdr;\n\tchar rssi = rx_params->rssi;\n\tu8 hdrlen = 0;\n\tu8 channel = rx_params->channel;\n\ts32 freq;\n\tint i;\n\n\thdr = ((struct ieee80211_hdr *)(skb->data));\n\thdrlen = ieee80211_hdrlen(hdr->frame_control);\n\n\tmemset(info, 0, sizeof(struct ieee80211_tx_info));\n\n\trxs->signal = -(rssi);\n\n\trxs->band = common->band;\n\n\tfreq = ieee80211_channel_to_frequency(channel, rxs->band);\n\n\tif (freq)\n\t\trxs->freq = freq;\n\n\tif (ieee80211_has_protected(hdr->frame_control)) {\n\t\tif (rsi_is_cipher_wep(common)) {\n\t\t\tmemmove(skb->data + 4, skb->data, hdrlen);\n\t\t\tskb_pull(skb, 4);\n\t\t} else {\n\t\t\tmemmove(skb->data + 8, skb->data, hdrlen);\n\t\t\tskb_pull(skb, 8);\n\t\t\trxs->flag |= RX_FLAG_MMIC_STRIPPED;\n\t\t}\n\t\trxs->flag |= RX_FLAG_DECRYPTED;\n\t\trxs->flag |= RX_FLAG_IV_STRIPPED;\n\t}\n\n\tfor (i = 0; i < RSI_MAX_VIFS; i++) {\n\t\tvif = adapter->vifs[i];\n\t\tif (!vif)\n\t\t\tcontinue;\n\t\tif (vif->type == NL80211_IFTYPE_STATION) {\n\t\t\tbss = &vif->bss_conf;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (!bss)\n\t\treturn;\n\t/* CQM only for connected AP beacons, the RSSI is a weighted avg */\n\tif (bss->assoc && !(memcmp(bss->bssid, hdr->addr2, ETH_ALEN))) {\n\t\tif (ieee80211_is_beacon(hdr->frame_control))\n\t\t\trsi_perform_cqm(common, hdr->addr2, rxs->signal, vif);\n\t}\n\n\treturn;\n}",
- "project": "linux",
- "hash": 233364692912996660136397716324401509067,
- "size": 63,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461634
- },
- {
- "func": "void rsi_indicate_pkt_to_os(struct rsi_common *common,\n\t\t\t struct sk_buff *skb)\n{\n\tstruct rsi_hw *adapter = common->priv;\n\tstruct ieee80211_hw *hw = adapter->hw;\n\tstruct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);\n\n\tif ((common->iface_down) || (!adapter->sc_nvifs)) {\n\t\tdev_kfree_skb(skb);\n\t\treturn;\n\t}\n\n\t/* filling in the ieee80211_rx_status flags */\n\trsi_fill_rx_status(hw, skb, common, rx_status);\n\n\tieee80211_rx_irqsafe(hw, skb);\n}",
- "project": "linux",
- "hash": 258292985604746670436233766317101138975,
- "size": 17,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461655
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "usb_host_handle_packet",
- "do_token_in",
- "usb_host_handle_control",
- "usb_host_set_config",
- "usb_host_claim_interfaces"
- ],
- "group_size": 24,
- "functions": [
- {
- "func": "static int usb_linux_update_endp_table(USBHostDevice *s)\n{\n uint8_t *descriptors;\n uint8_t devep, type, configuration, alt_interface;\n struct usb_ctrltransfer ct;\n int interface, ret, length, i;\n\n ct.bRequestType = USB_DIR_IN;\n ct.bRequest = USB_REQ_GET_CONFIGURATION;\n ct.wValue = 0;\n ct.wIndex = 0;\n ct.wLength = 1;\n ct.data = &configuration;\n ct.timeout = 50;\n\n ret = ioctl(s->fd, USBDEVFS_CONTROL, &ct);\n if (ret < 0) {\n perror(\"usb_linux_update_endp_table\");\n return 1;\n }\n\n /* in address state */\n if (configuration == 0)\n return 1;\n\n /* get the desired configuration, interface, and endpoint descriptors\n * from device description */\n descriptors = &s->descr[18];\n length = s->descr_len - 18;\n i = 0;\n\n if (descriptors[i + 1] != USB_DT_CONFIG ||\n descriptors[i + 5] != configuration) {\n dprintf(\"invalid descriptor data - configuration\\n\");\n return 1;\n }\n i += descriptors[i];\n\n while (i < length) {\n if (descriptors[i + 1] != USB_DT_INTERFACE ||\n (descriptors[i + 1] == USB_DT_INTERFACE &&\n descriptors[i + 4] == 0)) {\n i += descriptors[i];\n continue;\n }\n\n interface = descriptors[i + 2];\n\n ct.bRequestType = USB_DIR_IN | USB_RECIP_INTERFACE;\n ct.bRequest = USB_REQ_GET_INTERFACE;\n ct.wValue = 0;\n ct.wIndex = interface;\n ct.wLength = 1;\n ct.data = &alt_interface;\n ct.timeout = 50;\n\n ret = ioctl(s->fd, USBDEVFS_CONTROL, &ct);\n if (ret < 0) {\n alt_interface = interface;\n }\n\n /* the current interface descriptor is the active interface\n * and has endpoints */\n if (descriptors[i + 3] != alt_interface) {\n i += descriptors[i];\n continue;\n }\n\n /* advance to the endpoints */\n while (i < length && descriptors[i +1] != USB_DT_ENDPOINT)\n i += descriptors[i];\n\n if (i >= length)\n break;\n\n while (i < length) {\n if (descriptors[i + 1] != USB_DT_ENDPOINT)\n break;\n\n devep = descriptors[i + 2];\n switch (descriptors[i + 3] & 0x3) {\n case 0x00:\n type = USBDEVFS_URB_TYPE_CONTROL;\n break;\n case 
0x01:\n type = USBDEVFS_URB_TYPE_ISO;\n break;\n case 0x02:\n type = USBDEVFS_URB_TYPE_BULK;\n break;\n case 0x03:\n type = USBDEVFS_URB_TYPE_INTERRUPT;\n break;\n default:\n dprintf(\"usb_host: malformed endpoint type\\n\");\n type = USBDEVFS_URB_TYPE_BULK;\n }\n s->endp_table[(devep & 0xf) - 1].type = type;\n s->endp_table[(devep & 0xf) - 1].halted = 0;\n\n i += descriptors[i];\n }\n }\n return 0;\n}",
- "project": "qemu",
- "hash": 294133560509132520784444631812479704822,
- "size": 105,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346310
- },
- {
- "func": "static int usb_host_claim_interfaces(USBHostDevice *dev, int configuration)\n{\n int dev_descr_len, config_descr_len;\n int interface, nb_interfaces, nb_configurations;\n int ret, i;\n\n if (configuration == 0) /* address state - ignore */\n return 1;\n\n dprintf(\"husb: claiming interfaces. config %d\\n\", configuration);\n\n i = 0;\n dev_descr_len = dev->descr[0];\n if (dev_descr_len > dev->descr_len)\n goto fail;\n nb_configurations = dev->descr[17];\n\n i += dev_descr_len;\n while (i < dev->descr_len) {\n dprintf(\"husb: i is %d, descr_len is %d, dl %d, dt %d\\n\", i, dev->descr_len,\n dev->descr[i], dev->descr[i+1]);\n\n if (dev->descr[i+1] != USB_DT_CONFIG) {\n i += dev->descr[i];\n continue;\n }\n config_descr_len = dev->descr[i];\n\n\tprintf(\"husb: config #%d need %d\\n\", dev->descr[i + 5], configuration); \n\n if (configuration < 0 || configuration == dev->descr[i + 5]) {\n configuration = dev->descr[i + 5];\n break;\n }\n\n i += config_descr_len;\n }\n\n if (i >= dev->descr_len) {\n fprintf(stderr, \"husb: update iface failed. no matching configuration\\n\");\n goto fail;\n }\n nb_interfaces = dev->descr[i + 4];\n\n#ifdef USBDEVFS_DISCONNECT\n /* earlier Linux 2.4 do not support that */\n {\n struct usbdevfs_ioctl ctrl;\n for (interface = 0; interface < nb_interfaces; interface++) {\n ctrl.ioctl_code = USBDEVFS_DISCONNECT;\n ctrl.ifno = interface;\n ret = ioctl(dev->fd, USBDEVFS_IOCTL, &ctrl);\n if (ret < 0 && errno != ENODATA) {\n perror(\"USBDEVFS_DISCONNECT\");\n goto fail;\n }\n }\n }\n#endif\n\n /* XXX: only grab if all interfaces are free */\n for (interface = 0; interface < nb_interfaces; interface++) {\n ret = ioctl(dev->fd, USBDEVFS_CLAIMINTERFACE, &interface);\n if (ret < 0) {\n if (errno == EBUSY) {\n printf(\"husb: update iface. 
device already grabbed\\n\");\n } else {\n perror(\"husb: failed to claim interface\");\n }\n fail:\n return 0;\n }\n }\n\n printf(\"husb: %d interfaces claimed for configuration %d\\n\",\n nb_interfaces, configuration);\n\n dev->ninterfaces = nb_interfaces;\n dev->configuration = configuration;\n return 1;\n}",
- "project": "qemu",
- "hash": 153735582378435081792665043612689386780,
- "size": 81,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346283
- },
- {
- "func": "static void set_halt(USBHostDevice *s, int ep)\n{\n s->endp_table[ep - 1].halted = 1;\n}",
- "project": "qemu",
- "hash": 247708798741636311330547718736677043664,
- "size": 4,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346295
- },
- {
- "func": "static int usb_host_handle_packet(USBDevice *s, USBPacket *p)\n{\n switch(p->pid) {\n case USB_MSG_ATTACH:\n s->state = USB_STATE_ATTACHED;\n return 0;\n\n case USB_MSG_DETACH:\n s->state = USB_STATE_NOTATTACHED;\n return 0;\n\n case USB_MSG_RESET:\n s->remote_wakeup = 0;\n s->addr = 0;\n s->state = USB_STATE_DEFAULT;\n s->handle_reset(s);\n return 0;\n }\n\n /* Rest of the PIDs must match our address */\n if (s->state < USB_STATE_DEFAULT || p->devaddr != s->addr)\n return USB_RET_NODEV;\n\n switch (p->pid) {\n case USB_TOKEN_SETUP:\n return do_token_setup(s, p);\n\n case USB_TOKEN_IN:\n return do_token_in(s, p);\n\n case USB_TOKEN_OUT:\n return do_token_out(s, p);\n \n default:\n return USB_RET_STALL;\n }\n}",
- "project": "qemu",
- "hash": 337945081411076701300585326701484725167,
- "size": 37,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346317
- },
- {
- "func": "static int do_token_setup(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n int ret = 0;\n\n if (p->len != 8)\n return USB_RET_STALL;\n \n memcpy(&s->ctrl.req, p->data, 8);\n s->ctrl.len = le16_to_cpu(s->ctrl.req.wLength);\n s->ctrl.offset = 0;\n s->ctrl.state = CTRL_STATE_SETUP;\n\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n ret = usb_host_handle_control(s, p);\n if (ret < 0)\n return ret;\n\n if (ret < s->ctrl.len)\n s->ctrl.len = ret;\n s->ctrl.state = CTRL_STATE_DATA;\n } else {\n if (s->ctrl.len == 0)\n s->ctrl.state = CTRL_STATE_ACK;\n else\n s->ctrl.state = CTRL_STATE_DATA;\n }\n\n return ret;\n}",
- "project": "qemu",
- "hash": 183077943275491077374975960370940318614,
- "size": 30,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346300
- },
- {
- "func": "static void async_complete(void *opaque)\n{\n USBHostDevice *s = opaque;\n AsyncURB *aurb;\n\n while (1) {\n \tUSBPacket *p;\n\n\tint r = ioctl(s->fd, USBDEVFS_REAPURBNDELAY, &aurb);\n if (r < 0) {\n if (errno == EAGAIN)\n return;\n\n if (errno == ENODEV && !s->closing) {\n printf(\"husb: device %d.%d disconnected\\n\", s->bus_num, s->addr);\n\t usb_device_del_addr(0, s->dev.addr);\n return;\n }\n\n dprintf(\"husb: async. reap urb failed errno %d\\n\", errno);\n return;\n }\n\n p = aurb->packet;\n\n\tdprintf(\"husb: async completed. aurb %p status %d alen %d\\n\", \n aurb, aurb->urb.status, aurb->urb.actual_length);\n\n\tif (p) {\n switch (aurb->urb.status) {\n case 0:\n p->len = aurb->urb.actual_length;\n if (aurb->urb.type == USBDEVFS_URB_TYPE_CONTROL)\n async_complete_ctrl(s, p);\n break;\n\n case -EPIPE:\n set_halt(s, p->devep);\n /* fall through */\n default:\n p->len = USB_RET_NAK;\n break;\n }\n\n usb_packet_complete(p);\n\t}\n\n async_free(aurb);\n }\n}",
- "project": "qemu",
- "hash": 307285342249293311693830213041718549309,
- "size": 50,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346323
- },
- {
- "func": "static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret, value, index;\n\n /* \n * Process certain standard device requests.\n * These are infrequent and are processed synchronously.\n */\n value = le16_to_cpu(s->ctrl.req.wValue);\n index = le16_to_cpu(s->ctrl.req.wIndex);\n\n dprintf(\"husb: ctrl type 0x%x req 0x%x val 0x%x index %u len %u\\n\",\n s->ctrl.req.bRequestType, s->ctrl.req.bRequest, value, index, \n s->ctrl.len);\n\n if (s->ctrl.req.bRequestType == 0) {\n switch (s->ctrl.req.bRequest) {\n case USB_REQ_SET_ADDRESS:\n return usb_host_set_address(s, value);\n\n case USB_REQ_SET_CONFIGURATION:\n return usb_host_set_config(s, value & 0xff);\n }\n }\n\n if (s->ctrl.req.bRequestType == 1 &&\n s->ctrl.req.bRequest == USB_REQ_SET_INTERFACE)\n return usb_host_set_interface(s, index, value);\n\n /* The rest are asynchronous */\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n /* \n * Setup ctrl transfer.\n *\n * s->ctrl is layed out such that data buffer immediately follows\n * 'req' struct which is exactly what usbdevfs expects.\n */ \n urb = &aurb->urb;\n\n urb->type = USBDEVFS_URB_TYPE_CONTROL;\n urb->endpoint = p->devep;\n\n urb->buffer = &s->ctrl.req;\n urb->buffer_length = 8 + s->ctrl.len;\n\n urb->usercontext = s;\n\n ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: submit ctrl. len %u aurb %p\\n\", urb->buffer_length, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}",
- "project": "qemu",
- "hash": 312416163750000928776897162836846138475,
- "size": 73,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 1,
- "dataset": "other",
- "idx": 203887
- },
- {
- "func": "static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret, value, index;\n int buffer_len;\n\n /* \n * Process certain standard device requests.\n * These are infrequent and are processed synchronously.\n */\n value = le16_to_cpu(s->ctrl.req.wValue);\n index = le16_to_cpu(s->ctrl.req.wIndex);\n\n dprintf(\"husb: ctrl type 0x%x req 0x%x val 0x%x index %u len %u\\n\",\n s->ctrl.req.bRequestType, s->ctrl.req.bRequest, value, index, \n s->ctrl.len);\n\n if (s->ctrl.req.bRequestType == 0) {\n switch (s->ctrl.req.bRequest) {\n case USB_REQ_SET_ADDRESS:\n return usb_host_set_address(s, value);\n\n case USB_REQ_SET_CONFIGURATION:\n return usb_host_set_config(s, value & 0xff);\n }\n }\n\n if (s->ctrl.req.bRequestType == 1 &&\n s->ctrl.req.bRequest == USB_REQ_SET_INTERFACE)\n return usb_host_set_interface(s, index, value);\n\n /* The rest are asynchronous */\n\n buffer_len = 8 + s->ctrl.len;\n if (buffer_len > sizeof(s->ctrl.buffer)) {\n\t fprintf(stderr, \"husb: ctrl buffer too small (%u > %lu)\\n\",\n\t\t buffer_len, sizeof(s->ctrl.buffer));\n\t return USB_RET_STALL;\n }\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n /* \n * Setup ctrl transfer.\n *\n * s->ctrl is layed out such that data buffer immediately follows\n * 'req' struct which is exactly what usbdevfs expects.\n */ \n urb = &aurb->urb;\n\n urb->type = USBDEVFS_URB_TYPE_CONTROL;\n urb->endpoint = p->devep;\n\n urb->buffer = &s->ctrl.req;\n urb->buffer_length = buffer_len;\n\n urb->usercontext = s;\n\n ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: submit ctrl. len %u aurb %p\\n\", urb->buffer_length, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}",
- "project": "qemu",
- "hash": 135771876040172573855391231658010318081,
- "size": 81,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346299
- },
- {
- "func": "static int usb_host_set_address(USBHostDevice *s, int addr)\n{\n dprintf(\"husb: ctrl set addr %u\\n\", addr);\n s->dev.addr = addr;\n return 0;\n}",
- "project": "qemu",
- "hash": 113370853030229899911807824336189717767,
- "size": 6,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346285
- },
- {
- "func": "static int is_isoc(USBHostDevice *s, int ep)\n{\n return s->endp_table[ep - 1].type == USBDEVFS_URB_TYPE_ISO;\n}",
- "project": "qemu",
- "hash": 245743564542705731360863902738396199787,
- "size": 4,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346309
- },
- {
- "func": "static void clear_halt(USBHostDevice *s, int ep)\n{\n s->endp_table[ep - 1].halted = 0;\n}",
- "project": "qemu",
- "hash": 155880021257183729490116277729697816473,
- "size": 4,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346297
- },
- {
- "func": "static int is_halted(USBHostDevice *s, int ep)\n{\n return s->endp_table[ep - 1].halted;\n}",
- "project": "qemu",
- "hash": 11767855805536563648164313742639211905,
- "size": 4,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346305
- },
- {
- "func": "static int ctrl_error(void)\n{\n if (errno == ETIMEDOUT)\n return USB_RET_NAK;\n else \n return USB_RET_STALL;\n}",
- "project": "qemu",
- "hash": 272773737625285826548635814501419541680,
- "size": 7,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346301
- },
- {
- "func": "static void async_free(AsyncURB *aurb)\n{\n qemu_free(aurb);\n}",
- "project": "qemu",
- "hash": 89699221103379724954608670537657524735,
- "size": 4,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346313
- },
- {
- "func": "static void usb_host_handle_reset(USBDevice *dev)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n\n dprintf(\"husb: reset device %u.%u\\n\", s->bus_num, s->addr);\n\n ioctl(s->fd, USBDEVFS_RESET);\n\n usb_host_claim_interfaces(s, s->configuration);\n}",
- "project": "qemu",
- "hash": 302977581251084120225864181457936049770,
- "size": 10,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346298
- },
- {
- "func": "static int usb_host_set_interface(USBHostDevice *s, int iface, int alt)\n{\n struct usbdevfs_setinterface si;\n int ret;\n\n si.interface = iface;\n si.altsetting = alt;\n ret = ioctl(s->fd, USBDEVFS_SETINTERFACE, &si);\n \n dprintf(\"husb: ctrl set iface %d altset %d ret %d errno %d\\n\", \n \tiface, alt, ret, errno);\n \n if (ret < 0)\n return ctrl_error();\n\n usb_linux_update_endp_table(s);\n return 0;\n}",
- "project": "qemu",
- "hash": 230817216566451332220731094414568773639,
- "size": 18,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346306
- },
- {
- "func": "static int do_token_in(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n int ret = 0;\n\n if (p->devep != 0)\n return usb_host_handle_data(s, p);\n\n switch(s->ctrl.state) {\n case CTRL_STATE_ACK:\n if (!(s->ctrl.req.bRequestType & USB_DIR_IN)) {\n ret = usb_host_handle_control(s, p);\n if (ret == USB_RET_ASYNC)\n return USB_RET_ASYNC;\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return ret > 0 ? 0 : ret;\n }\n\n return 0;\n\n case CTRL_STATE_DATA:\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n int len = s->ctrl.len - s->ctrl.offset;\n if (len > p->len)\n len = p->len;\n memcpy(p->data, s->ctrl.buffer + s->ctrl.offset, len);\n s->ctrl.offset += len;\n if (s->ctrl.offset >= s->ctrl.len)\n s->ctrl.state = CTRL_STATE_ACK;\n return len;\n }\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return USB_RET_STALL;\n\n default:\n return USB_RET_STALL;\n }\n}",
- "project": "qemu",
- "hash": 274624244059630894410186848673918387785,
- "size": 40,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346280
- },
- {
- "func": "static void async_complete_ctrl(USBHostDevice *s, USBPacket *p)\n{\n switch(s->ctrl.state) {\n case CTRL_STATE_SETUP:\n if (p->len < s->ctrl.len)\n s->ctrl.len = p->len;\n s->ctrl.state = CTRL_STATE_DATA;\n p->len = 8;\n break;\n\n case CTRL_STATE_ACK:\n s->ctrl.state = CTRL_STATE_IDLE;\n p->len = 0;\n break;\n\n default:\n break;\n }\n}",
- "project": "qemu",
- "hash": 87659848107630241316717948393842358765,
- "size": 19,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346321
- },
- {
- "func": "static int usb_host_release_interfaces(USBHostDevice *s)\n{\n int ret, i;\n\n dprintf(\"husb: releasing interfaces\\n\");\n\n for (i = 0; i < s->ninterfaces; i++) {\n ret = ioctl(s->fd, USBDEVFS_RELEASEINTERFACE, &i);\n if (ret < 0) {\n perror(\"husb: failed to release interface\");\n return 0;\n }\n }\n\n return 1;\n}",
- "project": "qemu",
- "hash": 265975219865408593507728601152949169306,
- "size": 16,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346312
- },
- {
- "func": "static void hostdev_unlink(USBHostDevice *dev)\n{\n USBHostDevice *pdev = hostdev_list;\n USBHostDevice **prev = &hostdev_list;\n\n while (pdev) {\n\tif (pdev == dev) {\n *prev = dev->next;\n return;\n }\n\n prev = &pdev->next;\n pdev = pdev->next;\n }\n}",
- "project": "qemu",
- "hash": 77907681220802418117040092144753015476,
- "size": 15,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346302
- },
- {
- "func": "static int usb_host_set_config(USBHostDevice *s, int config)\n{\n usb_host_release_interfaces(s);\n\n int ret = ioctl(s->fd, USBDEVFS_SETCONFIGURATION, &config);\n \n dprintf(\"husb: ctrl set config %d ret %d errno %d\\n\", config, ret, errno);\n \n if (ret < 0)\n return ctrl_error();\n \n usb_host_claim_interfaces(s, config);\n return 0;\n}",
- "project": "qemu",
- "hash": 77581754423656411130094475642397550764,
- "size": 14,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346294
- },
- {
- "func": "static int usb_host_handle_data(USBHostDevice *s, USBPacket *p)\n{\n struct usbdevfs_urb *urb;\n AsyncURB *aurb;\n int ret;\n\n aurb = async_alloc();\n aurb->hdev = s;\n aurb->packet = p;\n\n urb = &aurb->urb;\n\n if (p->pid == USB_TOKEN_IN)\n \turb->endpoint = p->devep | 0x80;\n else\n \turb->endpoint = p->devep;\n\n if (is_halted(s, p->devep)) {\n\tret = ioctl(s->fd, USBDEVFS_CLEAR_HALT, &urb->endpoint);\n if (ret < 0) {\n dprintf(\"husb: failed to clear halt. ep 0x%x errno %d\\n\", \n urb->endpoint, errno);\n return USB_RET_NAK;\n }\n clear_halt(s, p->devep);\n }\n\n urb->buffer = p->data;\n urb->buffer_length = p->len;\n\n if (is_isoc(s, p->devep)) {\n /* Setup ISOC transfer */\n urb->type = USBDEVFS_URB_TYPE_ISO;\n urb->flags = USBDEVFS_URB_ISO_ASAP;\n urb->number_of_packets = 1;\n urb->iso_frame_desc[0].length = p->len;\n } else {\n /* Setup bulk transfer */\n urb->type = USBDEVFS_URB_TYPE_BULK;\n }\n\n urb->usercontext = s;\n\n ret = ioctl(s->fd, USBDEVFS_SUBMITURB, urb);\n\n dprintf(\"husb: data submit. ep 0x%x len %u aurb %p\\n\", urb->endpoint, p->len, aurb);\n\n if (ret < 0) {\n dprintf(\"husb: submit failed. errno %d\\n\", errno);\n async_free(aurb);\n\n switch(errno) {\n case ETIMEDOUT:\n return USB_RET_NAK;\n case EPIPE:\n default:\n return USB_RET_STALL;\n }\n }\n\n usb_defer_packet(p, async_cancel, aurb);\n return USB_RET_ASYNC;\n}",
- "project": "qemu",
- "hash": 260559233680984221214785940519308902612,
- "size": 63,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346278
- },
- {
- "func": "static void usb_host_handle_destroy(USBDevice *dev)\n{\n USBHostDevice *s = (USBHostDevice *)dev;\n\n s->closing = 1;\n\n qemu_set_fd_handler(s->fd, NULL, NULL, NULL);\n\n hostdev_unlink(s);\n\n async_complete(s);\n\n if (s->fd >= 0)\n close(s->fd);\n\n qemu_free(s);\n}",
- "project": "qemu",
- "hash": 331783873263838536495355729159893109559,
- "size": 17,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346276
- },
- {
- "func": "static int do_token_out(USBDevice *dev, USBPacket *p)\n{\n USBHostDevice *s = (USBHostDevice *) dev;\n\n if (p->devep != 0)\n return usb_host_handle_data(s, p);\n\n switch(s->ctrl.state) {\n case CTRL_STATE_ACK:\n if (s->ctrl.req.bRequestType & USB_DIR_IN) {\n s->ctrl.state = CTRL_STATE_IDLE;\n /* transfer OK */\n } else {\n /* ignore additional output */\n }\n return 0;\n\n case CTRL_STATE_DATA:\n if (!(s->ctrl.req.bRequestType & USB_DIR_IN)) {\n int len = s->ctrl.len - s->ctrl.offset;\n if (len > p->len)\n len = p->len;\n memcpy(s->ctrl.buffer + s->ctrl.offset, p->data, len);\n s->ctrl.offset += len;\n if (s->ctrl.offset >= s->ctrl.len)\n s->ctrl.state = CTRL_STATE_ACK;\n return len;\n }\n\n s->ctrl.state = CTRL_STATE_IDLE;\n return USB_RET_STALL;\n\n default:\n return USB_RET_STALL;\n }\n}",
- "project": "qemu",
- "hash": 102876530187197055695706708439996412226,
- "size": 36,
- "commit_id": "babd03fde68093482528010a5435c14ce9128e3f",
- "message": "usb-linux.c: fix buffer overflow\n\nIn usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and\nlength to the kernel. However, the length was provided by the caller\nof dev->handle_packet, and is not checked, so the kernel might provide\ntoo much data and overflow our buffer.\n\nFor example, hw/usb-uhci.c could set the length to 2047.\nhw/usb-ohci.c looks like it might go up to 4096 or 8192.\n\nThis causes a qemu crash, as reported here:\n http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html\n\nThis patch increases the usb-linux.c buffer size to 2048 to fix the\nspecific device reported, and adds a check to avoid the overflow in\nany case.\n\nSigned-off-by: Jim Paris <jim@jtan.com>\nSigned-off-by: Anthony Liguori <aliguori@us.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 346282
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "log",
- "active",
- "isXenonActive"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "void onStrobelightSignal(int signo) {\n if (!RuntimeOption::StrobelightEnabled) {\n // Handle the signal so we don't crash, but do nothing.\n return;\n }\n\n if (signo == strobelight::kSignumCurrent) {\n // sets on only current thread\n if (rds::isFullyInitialized()) {\n // Ignore threads that are not serving requests, otherwise this segfaults\n if (!Strobelight::isXenonActive()) {\n // Do not set the flag if Xenon is actively profiling this request\n setSurpriseFlag(XenonSignalFlag);\n }\n }\n }\n\n // surpriseAll currently has an issue where the isXenonActive() check will\n // try to access s_xenonData->getIsProfiledRequest() to check if the current\n // request is profiling. The problem is that you really want to check if the\n // request t is profiling. The current thread may not even be a request thread.\n // If we ever want to start using this signal for profiling,\n // we will need to figure out how to work around that problem.\n // if (signo == strobelight::kSignumAll) {\n // // sets on ALL threads\n // Strobelight::getInstance().surpriseAll();\n // }\n}",
- "project": "hhvm",
- "hash": 275356761552801735383089492999709697288,
- "size": 28,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219168
- },
- {
- "func": "void Strobelight::surpriseAll() {\n RequestInfo::ExecutePerRequest(\n [] (RequestInfo* t) {\n // TODO: get a dedicated surprise flag to avoid colliding with xenon\n // Set the strobelight flag to collect a sample\n // TODO: isXenonActive() needs to check the request thread and not the\n // current thread (which may not even be a request)\n if (!isXenonActive()) {\n // Xenon has first crack at profiling requests. If a request\n // is marked as being profiled, we do not allow strobelight to\n // interfere with Xenon's profiling. In practice, collisions\n // should be extremely rare.\n t->m_reqInjectionData.setFlag(XenonSignalFlag);\n }\n }\n );\n}",
- "project": "hhvm",
- "hash": 297838356118481566379107800693703058065,
- "size": 17,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219308
- },
- {
- "func": "bool Strobelight::isXenonActive() {\n if (RuntimeOption::XenonForceAlwaysOn) {\n return true;\n }\n\n bool xenonProfiled = Xenon::getInstance().getIsProfiledRequest();\n if (xenonProfiled) {\n return true;\n }\n\n return false;\n}",
- "project": "hhvm",
- "hash": 297123363444453326010313011470616629324,
- "size": 12,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219684
- },
- {
- "func": "void Strobelight::log(c_WaitableWaitHandle* wh) const {\n if (RuntimeOption::XenonForceAlwaysOn) {\n // Disable strobelight if Xenon forced on\n // TODO remove this when strobelight has its own surpriseFlag\n return;\n }\n\n if (getSurpriseFlag(XenonSignalFlag)) {\n // TODO remove this when strobelight has its own surpriseFlag\n clearSurpriseFlag(XenonSignalFlag);\n }\n\n TRACE(1, \"Strobelight::log\\n\");\n if (active()) {\n // TODO We should filter only to hhvm samples which directly\n // caused a PMU event to fire. This is doable by storing hhvm\n // request IDs in a bpf map and checking for an entry here.\n auto bt = createBacktrace(BacktraceArgs()\n .fromWaitHandle(wh)\n // TODO\n // .withMetadata()\n .ignoreArgs());\n logToUSDT(bt);\n }\n}",
- "project": "hhvm",
- "hash": 65802561629527027805702110319424733976,
- "size": 25,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219486
- },
- {
- "func": "bool Strobelight::active() {\n if (rds::isFullyInitialized() && isXenonActive()) {\n // if Xenon owns this request, back off\n return false;\n }\n\n // return true if a USDT probe function is listening\n return FOLLY_SDT_IS_ENABLED(hhvm, hhvm_stack);\n}",
- "project": "hhvm",
- "hash": 237208956696650508551097277908650710808,
- "size": 9,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219288
- },
- {
- "func": "bool logToUSDT(const Array& bt) {\n std::lock_guard<std::mutex> lock(usdt_mutex);\n\n memset(&bt_slab, 0, sizeof(bt_slab));\n\n int i = 0;\n IterateVNoInc(\n bt.get(),\n [&](TypedValue tv) -> bool {\n\n if (i >= strobelight::kMaxStackframes) {\n return true;\n }\n\n assertx(isArrayLikeType(type(tv)));\n ArrayData* bt_frame = val(tv).parr;\n strobelight::backtrace_frame_t* frame = &bt_slab.frames[i];\n\n auto const line = bt_frame->get(s_line.get());\n if (line.is_init()) {\n assertx(isIntType(type(line)));\n frame->line = val(line).num;\n }\n\n auto const file_name = bt_frame->get(s_file.get());\n if (file_name.is_init()) {\n assertx(isStringType(type(file_name)));\n strncpy(frame->file_name,\n val(file_name).pstr->data(),\n std::min<int64_t>(\n val(file_name).pstr->size(),\n strobelight::kFileNameMax\n ));\n frame->file_name[strobelight::kFileNameMax - 1] = '\\0';\n }\n\n auto const class_name = bt_frame->get(s_class.get());\n if (class_name.is_init()) {\n assertx(isStringType(type(class_name)));\n strncpy(frame->class_name,\n val(class_name).pstr->data(),\n std::min<int64_t>(\n val(class_name).pstr->size(),\n strobelight::kClassNameMax\n ));\n frame->class_name[strobelight::kClassNameMax - 1] = '\\0';\n }\n\n auto const function_name = bt_frame->get(s_function.get());\n if (function_name.is_init()) {\n assertx(isStringType(type(function_name)));\n strncpy(frame->function,\n val(function_name).pstr->data(),\n std::min<int64_t>(\n val(function_name).pstr->size(),\n strobelight::kFunctionMax\n ));\n frame->function[strobelight::kFunctionMax - 1] = '\\0';\n }\n\n i++;\n return false;\n }\n );\n bt_slab.len = i;\n\n // Allow BPF to read the now-formatted stacktrace\n FOLLY_SDT_WITH_SEMAPHORE(hhvm, hhvm_stack, &bt_slab);\n\n return true;\n}",
- "project": "hhvm",
- "hash": 255038990099362447895056929601605394109,
- "size": 71,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219687
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "zend_throw_exception_object",
- "zend_throw_exception_internal",
- "zend_exception_error",
- "zend_error_va"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "ZEND_API void zend_exception_error(zval *exception, int severity TSRMLS_DC) /* {{{ */\n{\n\tzend_class_entry *ce_exception = Z_OBJCE_P(exception);\n\tif (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {\n\t\tzval *str, *file, *line;\n\n\t\tEG(exception) = NULL;\n\n\t\tzend_call_method_with_0_params(&exception, ce_exception, NULL, \"__tostring\", &str);\n\t\tif (!EG(exception)) {\n\t\t\tif (Z_TYPE_P(str) != IS_STRING) {\n\t\t\t\tzend_error(E_WARNING, \"%s::__toString() must return a string\", ce_exception->name);\n\t\t\t} else {\n\t\t\t\tzend_update_property_string(default_exception_ce, exception, \"string\", sizeof(\"string\")-1, EG(exception) ? ce_exception->name : Z_STRVAL_P(str) TSRMLS_CC);\n\t\t\t}\n\t\t}\n\t\tzval_ptr_dtor(&str);\n\n\t\tif (EG(exception)) {\n\t\t\t/* do the best we can to inform about the inner exception */\n\t\t\tif (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {\n\t\t\t\tfile = zend_read_property(default_exception_ce, EG(exception), \"file\", sizeof(\"file\")-1, 1 TSRMLS_CC);\n\t\t\t\tline = zend_read_property(default_exception_ce, EG(exception), \"line\", sizeof(\"line\")-1, 1 TSRMLS_CC);\n\n\t\t\t\tconvert_to_string(file);\n\t\t\t\tfile = (Z_STRLEN_P(file) > 0) ? file : NULL;\n\t\t\t\tline = (Z_TYPE_P(line) == IS_LONG) ? line : NULL;\n\t\t\t} else {\n\t\t\t\tfile = NULL;\n\t\t\t\tline = NULL;\n\t\t\t}\n\t\t\tzend_error_va(E_WARNING, file ? Z_STRVAL_P(file) : NULL, line ? 
Z_LVAL_P(line) : 0, \"Uncaught %s in exception handling during call to %s::__tostring()\", Z_OBJCE_P(EG(exception))->name, ce_exception->name);\n\t\t}\n\n\t\tstr = zend_read_property(default_exception_ce, exception, \"string\", sizeof(\"string\")-1, 1 TSRMLS_CC);\n\t\tfile = zend_read_property(default_exception_ce, exception, \"file\", sizeof(\"file\")-1, 1 TSRMLS_CC);\n\t\tline = zend_read_property(default_exception_ce, exception, \"line\", sizeof(\"line\")-1, 1 TSRMLS_CC);\n\n\t\tconvert_to_string(str);\n\t\tconvert_to_string(file);\n\t\tconvert_to_long(line);\n\n\t\tzend_error_va(severity, (Z_STRLEN_P(file) > 0) ? Z_STRVAL_P(file) : NULL, Z_LVAL_P(line), \"Uncaught %s\\n thrown\", Z_STRVAL_P(str));\n\t} else {\n\t\tzend_error(severity, \"Uncaught exception '%s'\", ce_exception->name);\n\t}\n}",
- "project": "php-src",
- "hash": 233019637263204593162642334084906168743,
- "size": 47,
- "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0",
- "message": "More fixes for bug #69152",
- "target": 0,
- "dataset": "other",
- "idx": 374469
- },
- {
- "func": "ZEND_API void zend_throw_exception_object(zval *exception TSRMLS_DC) /* {{{ */\n{\n\tzend_class_entry *exception_ce;\n\n\tif (exception == NULL || Z_TYPE_P(exception) != IS_OBJECT) {\n\t\tzend_error(E_ERROR, \"Need to supply an object when throwing an exception\");\n\t}\n\n\texception_ce = Z_OBJCE_P(exception);\n\n\tif (!exception_ce || !instanceof_function(exception_ce, default_exception_ce TSRMLS_CC)) {\n\t\tzend_error(E_ERROR, \"Exceptions must be valid objects derived from the Exception base class\");\n\t}\n\tzend_throw_exception_internal(exception TSRMLS_CC);\n}",
- "project": "php-src",
- "hash": 168358188494444651132316427800666457773,
- "size": 15,
- "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0",
- "message": "More fixes for bug #69152",
- "target": 0,
- "dataset": "other",
- "idx": 374451
- },
- {
- "func": "static void zend_error_va(int type, const char *file, uint lineno, const char *format, ...) /* {{{ */\n{\n\tva_list args;\n\n\tva_start(args, format);\n\tzend_error_cb(type, file, lineno, format, args);\n\tva_end(args);\n}",
- "project": "php-src",
- "hash": 313633724532951233240989058937036034067,
- "size": 8,
- "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0",
- "message": "More fixes for bug #69152",
- "target": 0,
- "dataset": "other",
- "idx": 374463
- },
- {
- "func": "void zend_exception_restore(TSRMLS_D) /* {{{ */\n{\n\tif (EG(prev_exception)) {\n\t\tif (EG(exception)) {\n\t\t\tzend_exception_set_previous(EG(exception), EG(prev_exception) TSRMLS_CC);\n\t\t} else {\n\t\t\tEG(exception) = EG(prev_exception);\n\t\t}\n\t\tEG(prev_exception) = NULL;\n\t}\n}",
- "project": "php-src",
- "hash": 65940455749340376476088943638997947991,
- "size": 11,
- "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0",
- "message": "More fixes for bug #69152",
- "target": 0,
- "dataset": "other",
- "idx": 374462
- },
- {
- "func": "void zend_exception_set_previous(zval *exception, zval *add_previous TSRMLS_DC)\n{\n\tzval *previous;\n\n\tif (exception == add_previous || !add_previous || !exception) {\n\t\treturn;\n\t}\n\tif (Z_TYPE_P(add_previous) != IS_OBJECT && !instanceof_function(Z_OBJCE_P(add_previous), default_exception_ce TSRMLS_CC)) {\n\t\tzend_error(E_ERROR, \"Cannot set non exception as previous exception\");\n\t\treturn;\n\t}\n\twhile (exception && exception != add_previous && Z_OBJ_HANDLE_P(exception) != Z_OBJ_HANDLE_P(add_previous)) {\n\t\tprevious = zend_read_property(default_exception_ce, exception, \"previous\", sizeof(\"previous\")-1, 1 TSRMLS_CC);\n\t\tif (Z_TYPE_P(previous) == IS_NULL) {\n\t\t\tzend_update_property(default_exception_ce, exception, \"previous\", sizeof(\"previous\")-1, add_previous TSRMLS_CC);\n\t\t\tZ_DELREF_P(add_previous);\n\t\t\treturn;\n\t\t}\n\t\texception = previous;\n\t}\n}",
- "project": "php-src",
- "hash": 159666285129417513959591408876495337624,
- "size": 21,
- "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0",
- "message": "More fixes for bug #69152",
- "target": 0,
- "dataset": "other",
- "idx": 374466
- },
- {
- "func": "void zend_throw_exception_internal(zval *exception TSRMLS_DC) /* {{{ */\n{\n#ifdef HAVE_DTRACE\n\tif (DTRACE_EXCEPTION_THROWN_ENABLED()) {\n\t\tconst char *classname;\n\t\tzend_uint name_len;\n\n\t\tif (exception != NULL) {\n\t\t\tzend_get_object_classname(exception, &classname, &name_len TSRMLS_CC);\n\t\t\tDTRACE_EXCEPTION_THROWN((char *)classname);\n\t\t} else {\n\t\t\tDTRACE_EXCEPTION_THROWN(NULL);\n\t\t}\n\t}\n#endif /* HAVE_DTRACE */\n\n\tif (exception != NULL) {\n\t\tzval *previous = EG(exception);\n\t\tzend_exception_set_previous(exception, EG(exception) TSRMLS_CC);\n\t\tEG(exception) = exception;\n\t\tif (previous) {\n\t\t\treturn;\n\t\t}\n\t}\n\tif (!EG(current_execute_data)) {\n\t\tif(EG(exception)) {\n\t\t\tzend_exception_error(EG(exception), E_ERROR TSRMLS_CC);\n\t\t}\n\t\tzend_error(E_ERROR, \"Exception thrown without a stack frame\");\n\t}\n\n\tif (zend_throw_exception_hook) {\n\t\tzend_throw_exception_hook(exception TSRMLS_CC);\n\t}\n\n\tif (EG(current_execute_data)->opline == NULL ||\n\t (EG(current_execute_data)->opline+1)->opcode == ZEND_HANDLE_EXCEPTION) {\n\t\t/* no need to rethrow the exception */\n\t\treturn;\n\t}\n\tEG(opline_before_exception) = EG(current_execute_data)->opline;\n\tEG(current_execute_data)->opline = EG(exception_op);\n}",
- "project": "php-src",
- "hash": 247917911400170479938783393940056166910,
- "size": 43,
- "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0",
- "message": "More fixes for bug #69152",
- "target": 0,
- "dataset": "other",
- "idx": 374455
- },
- {
- "func": "void zend_exception_save(TSRMLS_D) /* {{{ */\n{\n\tif (EG(prev_exception)) {\n\t\tzend_exception_set_previous(EG(exception), EG(prev_exception) TSRMLS_CC);\n\t}\n\tif (EG(exception)) {\n\t\tEG(prev_exception) = EG(exception);\n\t}\n\tEG(exception) = NULL;\n}",
- "project": "php-src",
- "hash": 116066607902918107578657479066223949823,
- "size": 10,
- "commit_id": "a894a8155fab068d68a04bf181dbaddfa01ccbb0",
- "message": "More fixes for bug #69152",
- "target": 0,
- "dataset": "other",
- "idx": 374448
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "Open_table_context",
- "m_flags",
- "Profiler",
- "BindToCPU"
- ],
- "group_size": 13,
- "functions": [
- {
- "func": "static long get_us_interval(struct timeval *start, struct timeval *end) {\n return (((end->tv_sec - start->tv_sec) * 1000000)\n + (end->tv_usec - start->tv_usec));\n}",
- "project": "hhvm",
- "hash": 226869654135616472232911777556010156798,
- "size": 4,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219250
- },
- {
- "func": " MachineInfo() {\n m_cpu_num = sysconf(_SC_NPROCESSORS_CONF);\n m_cpu_frequencies = get_cpu_frequency_from_file(\"/proc/cpuinfo\", m_cpu_num);\n\n if (m_cpu_frequencies)\n return;\n\n m_cpu_frequencies = new int64_t[m_cpu_num];\n for (int i = 0; i < m_cpu_num; i++) {\n cpu_set_t prev_mask;\n GET_AFFINITY(0, sizeof(cpu_set_t), &prev_mask);\n BindToCPU(i);\n // Make sure the current process gets scheduled to the target cpu. This\n // might not be necessary though.\n usleep(0);\n m_cpu_frequencies[i] = get_cpu_frequency();\n SET_AFFINITY(0, sizeof(cpu_set_t), &prev_mask);\n }\n }",
- "project": "hhvm",
- "hash": 180263000948610311410935395853679103945,
- "size": 19,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219057
- },
- {
- "func": "static int64_t* get_cpu_frequency_from_file(const char *file, int ncpus)\n{\n std::ifstream cpuinfo(file);\n if (cpuinfo.fail()) {\n return nullptr;\n }\n char line[MAX_LINELENGTH];\n int64_t* freqs = new int64_t[ncpus];\n for (int i = 0; i < ncpus; ++i) {\n freqs[i] = 0;\n }\n int processor = -1;\n\n while (cpuinfo.getline(line, sizeof(line))) {\n if (sscanf(line, \"processor : %d\", &processor) == 1) {\n continue;\n }\n float freq;\n if ((sscanf(line, \"cpu MHz : %f\", &freq) == 1) ||\n (sscanf(line, \"clock : %f\", &freq) == 1)) {\n if (processor != -1 && processor < ncpus) {\n freqs[processor] = nearbyint(freq);\n processor = -1;\n }\n }\n }\n for (int i = 0; i < ncpus; ++i) {\n if (freqs[i] == 0) {\n delete[] freqs;\n return nullptr;\n }\n }\n return freqs;\n}",
- "project": "hhvm",
- "hash": 248085455882707873436144105338088029488,
- "size": 34,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219292
- },
- {
- "func": " static void BindToCPU(uint32_t cpu_id) {\n cpu_set_t new_mask;\n CPU_ZERO(&new_mask);\n CPU_SET(cpu_id, &new_mask);\n SET_AFFINITY(0, sizeof(cpu_set_t), &new_mask);\n }",
- "project": "hhvm",
- "hash": 252561999300798108266609964241078876025,
- "size": 6,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219879
- },
- {
- "func": " explicit TraceProfiler(int flags)\n : Profiler(true)\n , m_traceBuffer(nullptr)\n , m_traceBufferSize(0)\n , m_nextTraceEntry(0)\n , m_traceBufferFilled(false)\n , m_maxTraceBuffer(0)\n , m_overflowCalls(0)\n , m_flags(flags)\n {\n if (!(m_flags & IHaveInfiniteMemory) && pthread_mutex_trylock(&s_inUse)) {\n // This profiler uses a very large amount of memory. Only allow\n // one in the process at any time.\n m_successful = false;\n } else {\n m_maxTraceBuffer = RuntimeOption::ProfilerMaxTraceBuffer;\n Extension* ext = ExtensionRegistry::get(s_hotprofiler);\n assertx(ext);\n IniSetting::Bind(ext, IniSetting::PHP_INI_ALL,\n \"profiler.max_trace_buffer\",\n &m_maxTraceBuffer);\n }\n }",
- "project": "hhvm",
- "hash": 97949173461319208565106839514492844861,
- "size": 23,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219466
- },
- {
- "func": " explicit HierarchicalProfiler(int flags) : Profiler(true), m_flags(flags) {\n }",
- "project": "hhvm",
- "hash": 56700908204766941970227207576771894312,
- "size": 2,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219660
- },
- {
- "func": "void Profiler::endAllFrames() {\n while (m_stack) {\n endFrame(nullptr, nullptr, true);\n }\n}",
- "project": "hhvm",
- "hash": 245415849160079604862531924084058340861,
- "size": 5,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219314
- },
- {
- "func": " void endAllFrames() override {\n // Nothing to do for this profiler since all work is done as we go.\n }",
- "project": "hhvm",
- "hash": 150441449384399467871760114204802685380,
- "size": 3,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219864
- },
- {
- "func": "Profiler::~Profiler() {\n if (m_has_affinity) {\n SET_AFFINITY(0, sizeof(cpu_set_t), &m_prev_mask);\n }\n\n endAllFrames();\n for (Frame *p = m_frame_free_list; p;) {\n Frame *cur = p;\n p = p->m_parent;\n delete cur;\n }\n}",
- "project": "hhvm",
- "hash": 218080934643076592466588935207842016775,
- "size": 12,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219479
- },
- {
- "func": " explicit MemoProfiler(int /*flags*/) : Profiler(true) {}",
- "project": "hhvm",
- "hash": 76196938429753322405609073721382273498,
- "size": 1,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219768
- },
- {
- "func": "static int64_t get_cpu_frequency() {\n struct timeval start;\n struct timeval end;\n\n if (gettimeofday(&start, 0)) {\n perror(\"gettimeofday\");\n return 0.0;\n }\n uint64_t tsc_start = cpuCycles();\n uint64_t tsc_end;\n volatile int i;\n // Busy loop for 5 miliseconds. Don't use usleep() here since it causes the\n // CPU to halt which will generate meaningless results.\n do {\n for (i = 0; i < 1000000; i++);\n if (gettimeofday(&end, 0)) {\n perror(\"gettimeofday\");\n return 0.0;\n }\n tsc_end = cpuCycles();\n } while (get_us_interval(&start, &end) < 5000);\n\n return nearbyint((tsc_end - tsc_start) * 1.0\n / (get_us_interval(&start, &end)));\n}",
- "project": "hhvm",
- "hash": 82995547803504983128639277702102155539,
- "size": 25,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219071
- },
- {
- "func": "Profiler::Profiler(bool needCPUAffinity) : m_successful(true),\n m_stack(nullptr),\n m_frame_free_list(nullptr),\n m_has_affinity(needCPUAffinity) {\n if (!s_rand_initialized) {\n s_rand_initialized = true;\n srand(math_generate_seed());\n }\n\n if (m_has_affinity) {\n //\n // Bind to a random cpu so that we can use rdtsc instruction.\n //\n int cur_cpu_id = rand() % s_machine.m_cpu_num;\n GET_AFFINITY(0, sizeof(cpu_set_t), &m_prev_mask);\n MachineInfo::BindToCPU(cur_cpu_id);\n m_MHz = s_machine.m_cpu_frequencies[cur_cpu_id];\n } else {\n //\n // Take cpu0's speed as a proxy for all cpus.\n //\n m_MHz = s_machine.m_cpu_frequencies[0];\n }\n\n memset(m_func_hash_counters, 0, sizeof(m_func_hash_counters));\n}",
- "project": "hhvm",
- "hash": 228890197525810853672696827937472522779,
- "size": 26,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219669
- },
- {
- "func": "Open_table_context::Open_table_context(THD *thd, uint flags)\n :m_thd(thd),\n m_failed_table(NULL),\n m_start_of_statement_svp(thd->mdl_context.mdl_savepoint()),\n m_timeout(flags & MYSQL_LOCK_IGNORE_TIMEOUT ?\n LONG_TIMEOUT : thd->variables.lock_wait_timeout),\n m_flags(flags),\n m_action(OT_NO_ACTION),\n m_has_locks(thd->mdl_context.has_locks()),\n m_has_protection_against_grl(0)\n{}",
- "target": 0,
- "cwe": [
- "CWE-416"
- ],
- "project": "server",
- "commit_id": "0beed9b5e933f0ff79b3bb346524f7a451d14e38",
- "hash": 231716104947654513237673151084075997257,
- "size": 11,
- "message": "MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING\n\nwhen resolving WHERE and ON clauses, do not look in\nSELECT list/aliases.",
- "dataset": "other",
- "idx": 514562
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "latm_dmx_process",
- "latm_dmx_check_pid",
- "latm_dmx_check_dur",
- "latm_dmx_sync_frame_bs"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static void latm_dmx_check_pid(GF_Filter *filter, GF_LATMDmxCtx *ctx)\n{\n\tu8 *dsi_b;\n\tu32 dsi_s, sr, timescale=0;\n\tu32 codecid;\n\tif (!ctx->opid) {\n\t\tctx->opid = gf_filter_pid_new(filter);\n\t\tgf_filter_pid_copy_properties(ctx->opid, ctx->ipid);\n\t\tlatm_dmx_check_dur(filter, ctx);\n\t}\n\tif (!GF_M4ASampleRates[ctx->acfg.base_sr_index]) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[LATMDmx] Wrong sample rate in audio config, broken stream\\n\"));\n\t\tctx->in_error = GF_NON_COMPLIANT_BITSTREAM;\n\t\treturn;\n\t}\n\n\tif ((ctx->sr_idx == ctx->acfg.base_sr_index) && (ctx->nb_ch == ctx->acfg.nb_chan )\n\t\t&& (ctx->base_object_type == ctx->acfg.base_object_type) ) return;\n\n\tif (ctx->acfg.base_object_type==GF_M4A_USAC)\n\t\tcodecid = GF_CODECID_USAC;\n\telse\n\t\tcodecid = GF_CODECID_AAC_MPEG4;\n\t//copy properties at init or reconfig\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_STREAM_TYPE, & PROP_UINT( GF_STREAM_AUDIO));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CODECID, & PROP_UINT( codecid));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLES_PER_FRAME, & PROP_UINT(ctx->frame_size) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_UNFRAMED, & PROP_BOOL(GF_FALSE) );\n\tif (ctx->is_file && ctx->index) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PLAYBACK_MODE, & PROP_UINT(GF_PLAYBACK_MODE_FASTFORWARD) );\n\t}\n\tif (ctx->duration.num)\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\n\tctx->nb_ch = ctx->acfg.nb_chan;\n\tctx->base_object_type = ctx->acfg.base_object_type;\n\n\tsr = GF_M4ASampleRates[ctx->acfg.base_sr_index];\n\tif (!ctx->timescale) {\n\t\t//we change sample rate, change cts\n\t\tif (ctx->cts && (ctx->sr_idx != ctx->acfg.base_sr_index)) {\n\t\t\tctx->cts *= sr;\n\t\t\tctx->cts /= GF_M4ASampleRates[ctx->sr_idx];\n\t\t}\n\t}\n\tctx->sr_idx = ctx->acfg.base_sr_index;\n\n\tctx->dts_inc = 
ctx->frame_size;\n\tgf_m4a_write_config(&ctx->acfg, &dsi_b, &dsi_s);\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DECODER_CONFIG, & PROP_DATA_NO_COPY(dsi_b, dsi_s) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PROFILE_LEVEL, & PROP_UINT (ctx->acfg.audioPL) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLE_RATE, & PROP_UINT(sr));\n\n\ttimescale = sr;\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_TIMESCALE, & PROP_UINT(ctx->timescale ? ctx->timescale : timescale));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_NUM_CHANNELS, & PROP_UINT(ctx->nb_ch) );\n\n\tif (ctx->bitrate) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_BITRATE, & PROP_UINT(ctx->bitrate));\n\t}\n}",
- "project": "gpac",
- "hash": 165495346712678193500478445775721262302,
- "size": 63,
- "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca",
- "message": "fixed #1728",
- "target": 0,
- "dataset": "other",
- "idx": 271472
- },
- {
- "func": "static GFINLINE void latm_dmx_update_cts(GF_LATMDmxCtx *ctx)\n{\n\tassert(ctx->dts_inc);\n\n\tif (ctx->timescale) {\n\t\tu64 inc = ctx->dts_inc;\n\t\tinc *= ctx->timescale;\n\t\tinc /= GF_M4ASampleRates[ctx->sr_idx];\n\t\tctx->cts += inc;\n\t} else {\n\t\tctx->cts += ctx->dts_inc;\n\t}\n}",
- "project": "gpac",
- "hash": 326400713483767484341063456654570434654,
- "size": 13,
- "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca",
- "message": "fixed #1728",
- "target": 0,
- "dataset": "other",
- "idx": 271475
- },
- {
- "func": "static void latm_dmx_check_dur(GF_Filter *filter, GF_LATMDmxCtx *ctx)\n{\n\tFILE *stream;\n\tGF_BitStream *bs;\n\tGF_M4ADecSpecInfo acfg;\n\tu64 duration, cur_dur, cur_pos, rate;\n\ts32 sr_idx = -1;\n\tconst GF_PropertyValue *p;\n\tif (!ctx->opid || ctx->timescale || ctx->file_loaded) return;\n\n\tif (ctx->index<=0) {\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILEPATH);\n\tif (!p || !p->value.string || !strncmp(p->value.string, \"gmem://\", 7)) {\n\t\tctx->is_file = GF_FALSE;\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\tctx->is_file = GF_TRUE;\n\n\tstream = gf_fopen(p->value.string, \"rb\");\n\tif (!stream) return;\n\n\tctx->index_size = 0;\n\n\tmemset(&acfg, 0, sizeof(GF_M4ADecSpecInfo));\n\n\n\tbs = gf_bs_from_file(stream, GF_BITSTREAM_READ);\n\tduration = 0;\n\tcur_dur = 0;\n\tcur_pos = gf_bs_get_position(bs);\n\twhile (latm_dmx_sync_frame_bs(bs, &acfg, 0, NULL, NULL)) {\n\t\tif ((sr_idx>=0) && (sr_idx != acfg.base_sr_index)) {\n\t\t\tduration *= GF_M4ASampleRates[acfg.base_sr_index];\n\t\t\tduration /= GF_M4ASampleRates[sr_idx];\n\n\t\t\tcur_dur *= GF_M4ASampleRates[acfg.base_sr_index];\n\t\t\tcur_dur /= GF_M4ASampleRates[sr_idx];\n\t\t}\n\t\tsr_idx = acfg.base_sr_index;\n\t\tduration += ctx->frame_size;\n\t\tcur_dur += ctx->frame_size;\n\t\tif (cur_dur > ctx->index * GF_M4ASampleRates[sr_idx]) {\n\t\t\tif (!ctx->index_alloc_size) ctx->index_alloc_size = 10;\n\t\t\telse if (ctx->index_alloc_size == ctx->index_size) ctx->index_alloc_size *= 2;\n\t\t\tctx->indexes = gf_realloc(ctx->indexes, sizeof(LATMIdx)*ctx->index_alloc_size);\n\t\t\tctx->indexes[ctx->index_size].pos = cur_pos;\n\t\t\tctx->indexes[ctx->index_size].duration = (Double) duration;\n\t\t\tctx->indexes[ctx->index_size].duration /= GF_M4ASampleRates[sr_idx];\n\t\t\tctx->index_size ++;\n\t\t\tcur_dur = 0;\n\t\t}\n\n\t\tcur_pos = gf_bs_get_position(bs);\n\t}\n\trate = 
gf_bs_get_position(bs);\n\tgf_bs_del(bs);\n\tgf_fclose(stream);\n\n\tif (sr_idx>=0) {\n\t\tif (!ctx->duration.num || (ctx->duration.num * GF_M4ASampleRates[sr_idx] != duration * ctx->duration.den)) {\n\t\t\tctx->duration.num = (s32) duration;\n\t\t\tctx->duration.den = GF_M4ASampleRates[sr_idx];\n\n\t\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\t\t\tif (duration && !gf_sys_is_test_mode() ) {\n\t\t\t\trate *= 8 * ctx->duration.den;\n\t\t\t\trate /= ctx->duration.num;\n\t\t\t\tctx->bitrate = (u32) rate;\n\t\t\t}\n\t\t}\n\t}\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED);\n\tif (p && p->value.boolean) ctx->file_loaded = GF_TRUE;\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_TRUE ) );\n}",
- "project": "gpac",
- "hash": 268079972344018463318373147938902590521,
- "size": 81,
- "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca",
- "message": "fixed #1728",
- "target": 0,
- "dataset": "other",
- "idx": 271469
- },
- {
- "func": "GF_Err latm_dmx_process(GF_Filter *filter)\n{\n\tGF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu32 pos;\n\tu8 *data, *output;\n\tu32 pck_size, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\n\tif (ctx->in_error)\n\t\treturn ctx->in_error;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tlatm_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->latm_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\n\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tprev_pck_size = ctx->latm_buffer_size;\n\n\tif (pck && !ctx->resume_from) {\n\t\tif (ctx->latm_buffer_size + pck_size > ctx->latm_buffer_alloc) {\n\t\t\tctx->latm_buffer_alloc = ctx->latm_buffer_size + pck_size;\n\t\t\tctx->latm_buffer = gf_realloc(ctx->latm_buffer, ctx->latm_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->latm_buffer + ctx->latm_buffer_size, data, pck_size);\n\t\tctx->latm_buffer_size += pck_size;\n\t}\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(ctx->latm_buffer, ctx->latm_buffer_size, GF_BITSTREAM_READ);\n\telse gf_bs_reassign_buffer(ctx->bs, ctx->latm_buffer, ctx->latm_buffer_size);\n\n\tif (ctx->resume_from) {\n\t\tgf_bs_seek(ctx->bs, ctx->resume_from-1);\n\t\tctx->resume_from = 0;\n\t}\n\n\tif (cts == GF_FILTER_NO_TS)\n\t\tprev_pck_size = 0;\n\n\n\twhile (1) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tu8 latm_buffer[4096];\n\t\tu32 latm_frame_size = 4096;\n\t\tif (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, 
&latm_frame_size, latm_buffer, NULL)) break;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * GF_M4ASampleRates[ctx->sr_idx]);\n\t\t\tif (ctx->cts + ctx->dts_inc >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + ctx->dts_inc) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tlatm_dmx_check_pid(filter, ctx);\n\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->resume_from = pos+1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tGF_FilterSAPType sap = GF_FILTER_SAP_1;\n\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, latm_frame_size, &output);\n\t\t\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);\n\n\t\t\tmemcpy(output, latm_buffer, latm_frame_size);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tgf_filter_pck_set_duration(dst_pck, ctx->dts_inc);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\t/*xHE-AAC, check RAP*/\n\t\t\tif (ctx->acfg.base_object_type==GF_CODECID_USAC) {\n\t\t\t\tif (latm_frame_size && (output[0] & 0x80) && !ctx->prev_sap) {\n\t\t\t\t\tsap = GF_FILTER_SAP_1;\n\t\t\t\t\tctx->prev_sap = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tsap = GF_FILTER_SAP_NONE;\n\t\t\t\t\tctx->prev_sap = GF_FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, sap);\n\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tlatm_dmx_update_cts(ctx);\n\n\t\tif (prev_pck_size) {\n\t\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\t\tif (prev_pck_size<=pos) {\n\t\t\t\tprev_pck_size=0;\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = pck;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (pck) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tassert(ctx->latm_buffer_size >= pos);\n\t\tmemmove(ctx->latm_buffer, ctx->latm_buffer+pos, ctx->latm_buffer_size - pos);\n\t\tctx->latm_buffer_size -= 
pos;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\tassert(!ctx->resume_from);\n\t} else {\n\t\tctx->latm_buffer_size = 0;\n\t\treturn latm_dmx_process(filter);\n\t}\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 129393460693122238437209841613363417813,
- "size": 138,
- "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca",
- "message": "fixed #1728",
- "target": 1,
- "dataset": "other",
- "idx": 198278
- },
- {
- "func": "GF_Err latm_dmx_process(GF_Filter *filter)\n{\n\tGF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu32 pos;\n\tu8 *data=NULL, *output;\n\tu32 pck_size=0, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\n\tif (ctx->in_error)\n\t\treturn ctx->in_error;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tlatm_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->latm_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t} else {\n\t\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\t}\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tprev_pck_size = ctx->latm_buffer_size;\n\n\tif (pck && !ctx->resume_from) {\n\t\tif (ctx->latm_buffer_size + pck_size > ctx->latm_buffer_alloc) {\n\t\t\tctx->latm_buffer_alloc = ctx->latm_buffer_size + pck_size;\n\t\t\tctx->latm_buffer = gf_realloc(ctx->latm_buffer, ctx->latm_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->latm_buffer + ctx->latm_buffer_size, data, pck_size);\n\t\tctx->latm_buffer_size += pck_size;\n\t}\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(ctx->latm_buffer, ctx->latm_buffer_size, GF_BITSTREAM_READ);\n\telse gf_bs_reassign_buffer(ctx->bs, ctx->latm_buffer, ctx->latm_buffer_size);\n\n\tif (ctx->resume_from) {\n\t\tgf_bs_seek(ctx->bs, ctx->resume_from-1);\n\t\tctx->resume_from = 0;\n\t}\n\n\tif (cts == GF_FILTER_NO_TS)\n\t\tprev_pck_size = 0;\n\n\n\twhile (1) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tu8 latm_buffer[4096];\n\t\tu32 latm_frame_size = 4096;\n\t\tif 
(!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, NULL)) break;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * GF_M4ASampleRates[ctx->sr_idx]);\n\t\t\tif (ctx->cts + ctx->dts_inc >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + ctx->dts_inc) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tlatm_dmx_check_pid(filter, ctx);\n\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->resume_from = pos+1;\n\t\t\treturn GF_OK;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tGF_FilterSAPType sap = GF_FILTER_SAP_1;\n\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, latm_frame_size, &output);\n\t\t\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);\n\n\t\t\tmemcpy(output, latm_buffer, latm_frame_size);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tgf_filter_pck_set_duration(dst_pck, ctx->dts_inc);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\t/*xHE-AAC, check RAP*/\n\t\t\tif (ctx->acfg.base_object_type==GF_CODECID_USAC) {\n\t\t\t\tif (latm_frame_size && (output[0] & 0x80) && !ctx->prev_sap) {\n\t\t\t\t\tsap = GF_FILTER_SAP_1;\n\t\t\t\t\tctx->prev_sap = GF_TRUE;\n\t\t\t\t} else {\n\t\t\t\t\tsap = GF_FILTER_SAP_NONE;\n\t\t\t\t\tctx->prev_sap = GF_FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, sap);\n\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tlatm_dmx_update_cts(ctx);\n\n\t\tif (prev_pck_size) {\n\t\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\t\tif (prev_pck_size<=pos) {\n\t\t\t\tprev_pck_size=0;\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = pck;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (pck) {\n\t\tpos = (u32) gf_bs_get_position(ctx->bs);\n\t\tassert(ctx->latm_buffer_size >= pos);\n\t\tmemmove(ctx->latm_buffer, ctx->latm_buffer+pos, ctx->latm_buffer_size - pos);\n\t\tctx->latm_buffer_size -= 
pos;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\tassert(!ctx->resume_from);\n\t} else {\n\t\tctx->latm_buffer_size = 0;\n\t\treturn latm_dmx_process(filter);\n\t}\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 10482263121380563115286320698149929915,
- "size": 138,
- "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca",
- "message": "fixed #1728",
- "target": 0,
- "dataset": "other",
- "idx": 271474
- },
- {
- "func": "static Bool latm_dmx_sync_frame_bs(GF_BitStream *bs, GF_M4ADecSpecInfo *acfg, u32 *nb_bytes, u8 *buffer, u32 *nb_skipped)\n{\n\tu32 val, size;\n\tu64 pos, mux_size;\n\tif (nb_skipped) *nb_skipped = 0;\n\tif (!acfg) return 0;\n\n\twhile (gf_bs_available(bs)>3) {\n\t\tval = gf_bs_read_u8(bs);\n\t\tif (val!=0x56) {\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\t\tval = gf_bs_read_int(bs, 3);\n\t\tif (val != 0x07) {\n\t\t\tgf_bs_read_int(bs, 5);\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\t\tmux_size = gf_bs_read_int(bs, 13);\n\t\tpos = gf_bs_get_position(bs);\n\t\tif (mux_size>gf_bs_available(bs) ) {\n\t\t\tgf_bs_seek(bs, pos-3);\n\t\t\treturn GF_FALSE;\n\t\t}\n\n\t\t/*use same stream mux*/\n\t\tif (!gf_bs_read_int(bs, 1)) {\n\t\t\tBool amux_version, amux_versionA;\n\n\t\t\tamux_version = (Bool)gf_bs_read_int(bs, 1);\n\t\t\tamux_versionA = GF_FALSE;\n\t\t\tif (amux_version) amux_versionA = (Bool)gf_bs_read_int(bs, 1);\n\t\t\tif (!amux_versionA) {\n\t\t\t\tu32 i, allStreamsSameTimeFraming, numProgram;\n\t\t\t\tif (amux_version) gf_latm_get_value(bs);\n\n\t\t\t\tallStreamsSameTimeFraming = gf_bs_read_int(bs, 1);\n\t\t\t\t/*numSubFrames = */gf_bs_read_int(bs, 6);\n\t\t\t\tnumProgram = gf_bs_read_int(bs, 4);\n\t\t\t\tfor (i=0; i<=numProgram; i++) {\n\t\t\t\t\tu32 j, num_lay;\n\t\t\t\t\tnum_lay = gf_bs_read_int(bs, 3);\n\t\t\t\t\tfor (j=0; j<=num_lay; j++) {\n\t\t\t\t\t\tu32 frameLengthType;\n\t\t\t\t\t\tBool same_cfg = GF_FALSE;\n\t\t\t\t\t\tif (i || j) same_cfg = (Bool)gf_bs_read_int(bs, 1);\n\n\t\t\t\t\t\tif (!same_cfg) {\n\t\t\t\t\t\t\tif (amux_version==1) gf_latm_get_value(bs);\n\t\t\t\t\t\t\tgf_m4a_parse_config(bs, acfg, GF_FALSE);\n\t\t\t\t\t\t}\n\t\t\t\t\t\tframeLengthType = gf_bs_read_int(bs, 3);\n\t\t\t\t\t\tif (!frameLengthType) {\n\t\t\t\t\t\t\t/*latmBufferFullness = */gf_bs_read_int(bs, 8);\n\t\t\t\t\t\t\tif (!allStreamsSameTimeFraming) {\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t/*not 
supported*/\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t\t/*other data present*/\n\t\t\t\tif (gf_bs_read_int(bs, 1)) {\n//\t\t\t\t\tu32 k = 0;\n\t\t\t\t}\n\t\t\t\t/*CRCcheck present*/\n\t\t\t\tif (gf_bs_read_int(bs, 1)) {\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tsize = 0;\n\t\twhile (1) {\n\t\t\tu32 tmp = gf_bs_read_int(bs, 8);\n\t\t\tsize += tmp;\n\t\t\tif (tmp!=255) break;\n\t\t}\n\t\tif (gf_bs_available(bs) < size) {\n\t\t\tgf_bs_seek(bs, pos-3);\n\t\t\treturn GF_FALSE;\n\t\t}\n\n\t\tif (nb_bytes) {\n\t\t\t*nb_bytes = (u32) size;\n\t\t}\n\n\t\tif (buffer) {\n\t\t\tgf_bs_read_data(bs, (char *) buffer, size);\n\t\t} else {\n\t\t\twhile (size) {\n\t\t\t\tgf_bs_read_int(bs, 8);\n\t\t\t\tsize--;\n\t\t\t}\n\t\t}\n\n\t\t/*parse amux*/\n\t\tgf_bs_seek(bs, pos + mux_size);\n\n\t\tif ((gf_bs_available(bs)>2) && gf_bs_peek_bits(bs, 11, 0) != 0x2B7) {\n\t\t\tgf_bs_seek(bs, pos + 1);\n\t\t\tif (nb_skipped) (*nb_skipped) ++;\n\t\t\tcontinue;\n\t\t}\n\n\t\treturn GF_TRUE;\n\t}\n\treturn GF_FALSE;\n}",
- "project": "gpac",
- "hash": 156960673027032244624743319408540723268,
- "size": 110,
- "commit_id": "b2db2f99b4c30f96e17b9a14537c776da6cb5dca",
- "message": "fixed #1728",
- "target": 0,
- "dataset": "other",
- "idx": 271470
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "mariadb_get_info",
- "mariadb_get_infov",
- "mariadb_connection"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "my_bool STDCALL mariadb_get_info(MYSQL *mysql, enum mariadb_value value, void *arg)\n{\n return mariadb_get_infov(mysql, value, arg);\n}",
- "project": "mariadb-connector-c",
- "hash": 260222517558586894785283733852562791600,
- "size": 4,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429729
- },
- {
- "func": "mysql_get_socket(MYSQL *mysql)\n{\n return mariadb_get_socket(mysql);\n}",
- "project": "mariadb-connector-c",
- "hash": 72239553276577952597504120876756915746,
- "size": 4,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429694
- },
- {
- "func": "static my_socket mariadb_get_socket(MYSQL *mysql)\n{\n my_socket sock= INVALID_SOCKET;\n if (mysql->net.pvio)\n {\n ma_pvio_get_handle(mysql->net.pvio, &sock);\n\n }\n /* if an asynchronous connect is in progress, we need to obtain\n pvio handle from async_context until the connection was\n successfully established.\n */\n else if (mysql->options.extension && mysql->options.extension->async_context &&\n mysql->options.extension->async_context->pvio)\n {\n ma_pvio_get_handle(mysql->options.extension->async_context->pvio, &sock);\n }\n return sock;\n}",
- "project": "mariadb-connector-c",
- "hash": 315036384148822492369287916293424404609,
- "size": 19,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429745
- },
- {
- "func": "my_bool STDCALL mariadb_connection(MYSQL *mysql)\n{\n return (strstr(mysql->server_version, \"MariaDB\") ||\n strstr(mysql->server_version, \"-maria-\"));\n}",
- "project": "mariadb-connector-c",
- "hash": 115443252438559440682462900203206671459,
- "size": 5,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429713
- },
- {
- "func": "my_bool mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *arg, ...)\n{\n va_list ap;\n\n va_start(ap, arg);\n\n switch(value) {\n case MARIADB_MAX_ALLOWED_PACKET:\n *((size_t *)arg)= (size_t)max_allowed_packet;\n break;\n case MARIADB_NET_BUFFER_LENGTH:\n *((size_t *)arg)= (size_t)net_buffer_length;\n break;\n case MARIADB_CONNECTION_ERROR_ID:\n if (!mysql)\n goto error;\n *((unsigned int *)arg)= mysql->net.last_errno;\n break;\n case MARIADB_CONNECTION_ERROR:\n if (!mysql)\n goto error;\n *((char **)arg)= mysql->net.last_error;\n break;\n case MARIADB_CONNECTION_SQLSTATE:\n if (!mysql)\n goto error;\n *((char **)arg)= mysql->net.sqlstate;\n break;\n case MARIADB_CONNECTION_TLS_VERSION:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n *((char **)arg)= (char *)ma_pvio_tls_get_protocol_version(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_CONNECTION_TLS_VERSION_ID:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n *((unsigned int *)arg)= ma_pvio_tls_get_protocol_version_id(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_TLS_LIBRARY:\n#ifdef HAVE_TLS\n *((const char **)arg)= tls_library_version;\n#else\n *((const char **)arg)= \"Off\";\n#endif\n break;\n case MARIADB_CLIENT_VERSION:\n *((const char **)arg)= MARIADB_CLIENT_VERSION_STR;\n break;\n case MARIADB_CLIENT_VERSION_ID:\n *((size_t *)arg)= MARIADB_VERSION_ID;\n break;\n case MARIADB_CONNECTION_SERVER_VERSION:\n if (mysql)\n *((char **)arg)= mysql->server_version;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_TYPE:\n if (mysql)\n *((const char **)arg)= mariadb_connection(mysql) ? 
\"MariaDB\" : \"MySQL\";\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_VERSION_ID:\n if (mysql)\n *((size_t *)arg)= mariadb_server_version_id(mysql);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PROTOCOL_VERSION_ID:\n if (mysql)\n *((unsigned int *)arg)= mysql->protocol_version;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_MARIADB_CHARSET_INFO:\n if (mysql)\n mariadb_get_charset_info(mysql, (MY_CHARSET_INFO *)arg);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SOCKET:\n if (mysql)\n *((my_socket *)arg)= mariadb_get_socket(mysql);\n else\n goto error;\n break;\n case MARIADB_CONNECTION_TYPE:\n if (mysql && mysql->net.pvio)\n *((int *)arg)= (int)mysql->net.pvio->type;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_ASYNC_TIMEOUT_MS:\n if (mysql && mysql->options.extension && mysql->options.extension->async_context)\n *((unsigned int *)arg)= mysql->options.extension->async_context->timeout_value;\n break;\n case MARIADB_CONNECTION_ASYNC_TIMEOUT:\n if (mysql && mysql->options.extension && mysql->options.extension->async_context)\n {\n unsigned int timeout= mysql->options.extension->async_context->timeout_value;\n if (timeout > UINT_MAX - 999)\n *((unsigned int *)arg)= (timeout - 1)/1000 + 1;\n else\n *((unsigned int *)arg)= (timeout+999)/1000;\n }\n break;\n case MARIADB_CHARSET_NAME:\n {\n char *name;\n name= va_arg(ap, char *);\n if (name)\n *((MARIADB_CHARSET_INFO **)arg)= (MARIADB_CHARSET_INFO *)mysql_find_charset_name(name);\n else\n goto error;\n }\n break;\n case MARIADB_CHARSET_ID:\n {\n unsigned int nr;\n nr= va_arg(ap, unsigned int);\n *((MARIADB_CHARSET_INFO **)arg)= (MARIADB_CHARSET_INFO *)mysql_find_charset_nr(nr);\n }\n break;\n case MARIADB_CONNECTION_SSL_CIPHER:\n #ifdef HAVE_TLS\n if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)\n *((char **)arg)= (char *)ma_pvio_tls_cipher(mysql->net.pvio->ctls);\n else\n #endif\n goto error;\n break;\n case MARIADB_CLIENT_ERRORS:\n *((char ***)arg)= (char 
**)client_errors;\n break;\n case MARIADB_CONNECTION_INFO:\n if (mysql)\n *((char **)arg)= (char *)mysql->info;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PVIO_TYPE:\n if (mysql && mysql->net.pvio)\n *((unsigned int *)arg)= (unsigned int)mysql->net.pvio->type;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SCHEMA:\n if (mysql)\n *((char **)arg)= mysql->db;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_USER:\n if (mysql)\n *((char **)arg)= mysql->user;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_PORT:\n if (mysql)\n *((unsigned int *)arg)= mysql->port;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_UNIX_SOCKET:\n if (mysql)\n *((char **)arg)= mysql->unix_socket;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_HOST:\n if (mysql)\n *((char **)arg)= mysql->host;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_STATUS:\n if (mysql)\n *((unsigned int *)arg)= mysql->server_status;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_SERVER_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->server_capabilities;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_EXTENDED_SERVER_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->extension->mariadb_server_capabilities;\n else\n goto error;\n break;\n case MARIADB_CONNECTION_CLIENT_CAPABILITIES:\n if (mysql)\n *((unsigned long *)arg)= mysql->client_flag;\n else\n goto error;\n break;\n default:\n va_end(ap);\n return(-1);\n }\n va_end(ap);\n return(0);\nerror:\n va_end(ap);\n return(-1);\n}",
- "project": "mariadb-connector-c",
- "hash": 169671727087038349126198218159280624326,
- "size": 217,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429678
- },
- {
- "func": "void STDCALL mysql_get_character_set_info(MYSQL *mysql, MY_CHARSET_INFO *cs)\n{\n mariadb_get_charset_info(mysql, cs);\n}",
- "project": "mariadb-connector-c",
- "hash": 217164025069153547830281264000695896647,
- "size": 4,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429705
- },
- {
- "func": "unsigned long STDCALL mysql_get_server_version(MYSQL *mysql)\n{\n return (unsigned long)mariadb_server_version_id(mysql);\n}",
- "project": "mariadb-connector-c",
- "hash": 122711105199939788046945873828848009668,
- "size": 4,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429708
- },
- {
- "func": "static void mariadb_get_charset_info(MYSQL *mysql, MY_CHARSET_INFO *cs)\n{\n if (!cs)\n return;\n\n cs->number= mysql->charset->nr;\n cs->csname= mysql->charset->csname;\n cs->name= mysql->charset->name;\n cs->state= 0;\n cs->comment= NULL;\n cs->dir= NULL;\n cs->mbminlen= mysql->charset->char_minlen;\n cs->mbmaxlen= mysql->charset->char_maxlen;\n\n return;\n}",
- "project": "mariadb-connector-c",
- "hash": 234853578981854839530463108815494608239,
- "size": 16,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429695
- },
- {
- "func": "static size_t mariadb_server_version_id(MYSQL *mysql)\n{\n size_t major, minor, patch;\n char *p;\n\n if (!(p = mysql->server_version)) {\n return 0;\n }\n\n major = strtol(p, &p, 10);\n p += 1; /* consume the dot */\n minor = strtol(p, &p, 10);\n p += 1; /* consume the dot */\n patch = strtol(p, &p, 10);\n\n return (major * 10000L + (unsigned long)(minor * 100L + patch));\n}",
- "project": "mariadb-connector-c",
- "hash": 313301315730600233929478529358826963028,
- "size": 17,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429739
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "process_update",
- "verify_signature",
- "get_esl_cert",
- "get_esl_signature_list"
- ],
- "group_size": 15,
- "functions": [
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "int check_timestamp(const char *key, const struct efi_time *timestamp,\n\t\t char *last_timestamp)\n{\n\tstruct efi_time *prev;\n\tuint64_t new;\n\tuint64_t last;\n\n\tprev = get_last_timestamp(key, last_timestamp);\n\tif (prev == NULL)\n\t\treturn OPAL_INTERNAL_ERROR;\n\n\tprlog(PR_DEBUG, \"timestamp year is %d month %d day %d\\n\",\n\t\t\tle16_to_cpu(timestamp->year), timestamp->month,\n\t\t\ttimestamp->day);\n\tprlog(PR_DEBUG, \"prev year is %d month %d day %d\\n\",\n\t\t\tle16_to_cpu(prev->year), prev->month, prev->day);\n\n\tnew = unpack_timestamp(timestamp);\n\tlast = unpack_timestamp(prev);\n\n\tif (new > last)\n\t\treturn OPAL_SUCCESS;\n\n\treturn OPAL_PERMISSION;\n}",
- "idx": 521655,
- "cwe": "CWE-681",
- "hash": 71734921946669776012689805880040557221,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static int verify_signature(const struct efi_variable_authentication_2 *auth,\n\t\t\t const char *newcert, const size_t new_data_size,\n\t\t\t const struct secvar *avar)\n{\n\tmbedtls_pkcs7 *pkcs7 = NULL;\n\tmbedtls_x509_crt x509;\n\tchar *signing_cert = NULL;\n\tchar *x509_buf = NULL;\n\tint signing_cert_size;\n\tint rc = 0;\n\tchar *errbuf;\n\tint eslvarsize;\n\tint eslsize;\n\tint offset = 0;\n\n\tif (!auth)\n\t\treturn OPAL_PARAMETER;\n\n\t/* Extract the pkcs7 from the auth structure */\n\tpkcs7 = get_pkcs7(auth);\n\t/* Failure to parse pkcs7 implies bad input. */\n\tif (!pkcs7)\n\t\treturn OPAL_PARAMETER;\n\n\tprlog(PR_INFO, \"Load the signing certificate from the keystore\");\n\n\teslvarsize = avar->data_size;\n\n\t/* Variable is not empty */\n\twhile (eslvarsize > 0) {\n\t\tprlog(PR_DEBUG, \"esl var size size is %d offset is %d\\n\", eslvarsize, offset);\n\t\tif (eslvarsize < sizeof(EFI_SIGNATURE_LIST))\n\t\t\tbreak;\n\n\t\t/* Calculate the size of the ESL */\n\t\teslsize = get_esl_signature_list_size(avar->data + offset,\n\t\t\t\t\t\t eslvarsize);\n\t\t/* If could not extract the size */\n\t\tif (eslsize <= 0) {\n\t\t\trc = OPAL_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Extract the certificate from the ESL */\n\t\tsigning_cert_size = get_esl_cert(avar->data + offset,\n\t\t\t\t\t\t eslvarsize, &signing_cert);\n\t\tif (signing_cert_size < 0) {\n\t\t\trc = signing_cert_size;\n\t\t\tbreak;\n\t\t}\n\n\t\tmbedtls_x509_crt_init(&x509);\n\t\trc = mbedtls_x509_crt_parse(&x509,\n\t\t\t\t\t signing_cert,\n\t\t\t\t\t signing_cert_size);\n\n\t\t/* This should not happen, unless something corrupted in PNOR */\n\t\tif(rc) {\n\t\t\tprlog(PR_ERR, \"X509 certificate parsing failed %04x\\n\", rc);\n\t\t\trc = OPAL_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tx509_buf = zalloc(CERT_BUFFER_SIZE);\n\t\trc = mbedtls_x509_crt_info(x509_buf,\n\t\t\t\t\t CERT_BUFFER_SIZE,\n\t\t\t\t\t \"CRT:\",\n\t\t\t\t\t &x509);\n\n\t\t/* This should not happen, unless something corrupted 
in PNOR */\n\t\tif (rc < 0) {\n\t\t\tfree(x509_buf);\n\t\t\trc = OPAL_INTERNAL_ERROR;\n\t\t\tbreak;\n\t\t}\n\n\t\tprlog(PR_INFO, \"%s \\n\", x509_buf);\n\t\tfree(x509_buf);\n\t\tx509_buf = NULL;\n\n\t\trc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, newcert, new_data_size);\n\n\t\t/* If you find a signing certificate, you are done */\n\t\tif (rc == 0) {\n\t\t\tprlog(PR_INFO, \"Signature Verification passed\\n\");\n\t\t\tmbedtls_x509_crt_free(&x509);\n\t\t\tbreak;\n\t\t} else {\n\t\t\terrbuf = zalloc(MBEDTLS_ERR_BUFFER_SIZE);\n\t\t\tmbedtls_strerror(rc, errbuf, MBEDTLS_ERR_BUFFER_SIZE);\n\t\t\tprlog(PR_ERR, \"Signature Verification failed %02x %s\\n\",\n\t\t\t\t\trc, errbuf);\n\t\t\tfree(errbuf);\n\t\t\trc = OPAL_PERMISSION;\n\t\t}\n\n\n\t\t/* Look for the next ESL */\n\t\toffset = offset + eslsize;\n\t\teslvarsize = eslvarsize - eslsize;\n\t\tmbedtls_x509_crt_free(&x509);\n\t\tfree(signing_cert);\n\t\t/* Since we are going to allocate again in the next iteration */\n\t\tsigning_cert = NULL;\n\n\t}\n\n\tfree(signing_cert);\n\tmbedtls_pkcs7_free(pkcs7);\n\tfree(pkcs7);\n\n\treturn rc;\n}",
- "idx": 521654,
- "cwe": "CWE-681",
- "hash": 169175420840573290317758226120475277153,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "int process_update(const struct secvar *update, char **newesl,\n\t\t int *new_data_size, struct efi_time *timestamp,\n\t\t struct list_head *bank, char *last_timestamp)\n{\n\tstruct efi_variable_authentication_2 *auth = NULL;\n\tvoid *auth_buffer = NULL;\n\tint auth_buffer_size = 0;\n\tconst char *key_authority[3];\n\tchar *tbhbuffer = NULL;\n\tsize_t tbhbuffersize = 0;\n\tstruct secvar *avar = NULL;\n\tint rc = 0;\n\tint i;\n\n\t/* We need to split data into authentication descriptor and new ESL */\n\tauth_buffer_size = get_auth_descriptor2(update->data,\n\t\t\t\t\t\tupdate->data_size,\n\t\t\t\t\t\t&auth_buffer);\n\tif ((auth_buffer_size < 0)\n\t || (update->data_size < auth_buffer_size)) {\n\t\tprlog(PR_ERR, \"Invalid auth buffer size\\n\");\n\t\trc = auth_buffer_size;\n\t\tgoto out;\n\t}\n\n\tauth = auth_buffer;\n\n\tif (!timestamp) {\n\t\trc = OPAL_INTERNAL_ERROR;\n\t\tgoto out;\n\t}\n\n\tmemcpy(timestamp, auth_buffer, sizeof(struct efi_time));\n\n\trc = check_timestamp(update->key, timestamp, last_timestamp);\n\t/* Failure implies probably an older command being resubmitted */\n\tif (rc != OPAL_SUCCESS) {\n\t\tprlog(PR_ERR, \"Timestamp verification failed for key %s\\n\", update->key);\n\t\tgoto out;\n\t}\n\n\t/* Calculate the size of new ESL data */\n\t*new_data_size = update->data_size - auth_buffer_size;\n\tif (*new_data_size < 0) {\n\t\tprlog(PR_ERR, \"Invalid new ESL (new data content) size\\n\");\n\t\trc = OPAL_PARAMETER;\n\t\tgoto out;\n\t}\n\t*newesl = zalloc(*new_data_size);\n\tif (!(*newesl)) {\n\t\trc = OPAL_NO_MEM;\n\t\tgoto out;\n\t}\n\tmemcpy(*newesl, update->data + auth_buffer_size, *new_data_size);\n\n\t/* Validate the new ESL is in right format */\n\trc = validate_esl_list(update->key, *newesl, *new_data_size);\n\tif (rc < 0) {\n\t\tprlog(PR_ERR, \"ESL validation failed for key %s with error %04x\\n\",\n\t\t update->key, rc);\n\t\tgoto out;\n\t}\n\n\tif (setup_mode) {\n\t\trc = OPAL_SUCCESS;\n\t\tgoto out;\n\t}\n\n\t/* Prepare the 
data to be verified */\n\ttbhbuffer = get_hash_to_verify(update->key, *newesl, *new_data_size,\n\t\t\t\ttimestamp);\n\tif (!tbhbuffer) {\n\t\trc = OPAL_INTERNAL_ERROR;\n\t\tgoto out;\n\t}\n\n\t/* Get the authority to verify the signature */\n\tget_key_authority(key_authority, update->key);\n\n\t/*\n\t * Try for all the authorities that are allowed to sign.\n\t * For eg. db/dbx can be signed by both PK or KEK\n\t */\n\tfor (i = 0; key_authority[i] != NULL; i++) {\n\t\tprlog(PR_DEBUG, \"key is %s\\n\", update->key);\n\t\tprlog(PR_DEBUG, \"key authority is %s\\n\", key_authority[i]);\n\t\tavar = find_secvar(key_authority[i],\n\t\t\t\t strlen(key_authority[i]) + 1,\n\t\t\t\t bank);\n\t\tif (!avar || !avar->data_size)\n\t\t\tcontinue;\n\n\t\t/* Verify the signature */\n\t\trc = verify_signature(auth, tbhbuffer, tbhbuffersize,\n\t\t\t\t avar);\n\n\t\t/* Break if signature verification is successful */\n\t\tif (rc == OPAL_SUCCESS) {\n\t\t\tprlog(PR_INFO, \"Key %s successfully verified by authority %s\\n\", update->key, key_authority[i]);\n\t\t\tbreak;\n\t\t}\n\t}\n\nout:\n\tfree(auth_buffer);\n\tfree(tbhbuffer);\n\n\treturn rc;\n}",
- "idx": 521660,
- "cwe": "CWE-681",
- "hash": 178401092850407839532373766829369702237,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 1,
- "func": "static uint64_t unpack_timestamp(const struct efi_time *timestamp)\n{\n\tuint64_t val = 0;\n\tuint16_t year = le32_to_cpu(timestamp->year);\n\n\t/* pad1, nanosecond, timezone, daylight and pad2 are meant to be zero */\n\tval |= ((uint64_t) timestamp->pad1 & 0xFF) << 0;\n\tval |= ((uint64_t) timestamp->second & 0xFF) << (1*8);\n\tval |= ((uint64_t) timestamp->minute & 0xFF) << (2*8);\n\tval |= ((uint64_t) timestamp->hour & 0xFF) << (3*8);\n\tval |= ((uint64_t) timestamp->day & 0xFF) << (4*8);\n\tval |= ((uint64_t) timestamp->month & 0xFF) << (5*8);\n\tval |= ((uint64_t) year) << (6*8);\n\n\treturn val;\n}",
- "idx": 217514,
- "cwe": "CWE-681",
- "hash": 261903108962534180969470598132431142070,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static uint64_t unpack_timestamp(const struct efi_time *timestamp)\n{\n\tuint64_t val = 0;\n\tuint16_t year = le16_to_cpu(timestamp->year);\n\n\t/* pad1, nanosecond, timezone, daylight and pad2 are meant to be zero */\n\tval |= ((uint64_t) timestamp->pad1 & 0xFF) << 0;\n\tval |= ((uint64_t) timestamp->second & 0xFF) << (1*8);\n\tval |= ((uint64_t) timestamp->minute & 0xFF) << (2*8);\n\tval |= ((uint64_t) timestamp->hour & 0xFF) << (3*8);\n\tval |= ((uint64_t) timestamp->day & 0xFF) << (4*8);\n\tval |= ((uint64_t) timestamp->month & 0xFF) << (5*8);\n\tval |= ((uint64_t) year) << (6*8);\n\n\treturn val;\n}",
- "idx": 521649,
- "cwe": "CWE-681",
- "hash": 337463125729458282018478225518421551092,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth)\n{\n\tuint32_t dw_length;\n\tsize_t size;\n\n\tassert(auth != NULL);\n\n\tdw_length = le32_to_cpu(auth->auth_info.hdr.dw_length);\n\tsize = dw_length - (sizeof(auth->auth_info.hdr.dw_length)\n\t\t\t+ sizeof(auth->auth_info.hdr.w_revision)\n\t\t\t+ sizeof(auth->auth_info.hdr.w_certificate_type)\n\t\t\t+ sizeof(auth->auth_info.cert_type));\n\n\treturn size;\n}",
- "idx": 521659,
- "cwe": "CWE-681",
- "hash": 250773754624625586965202166265104085065,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffer)\n{\n\tconst struct efi_variable_authentication_2 *auth = buf;\n\tint auth_buffer_size;\n\tsize_t len;\n\n\tassert(auth_buffer != NULL);\n\tif (buflen < sizeof(struct efi_variable_authentication_2)\n\t || !buf)\n\t\t\treturn OPAL_PARAMETER;\n\n\tlen = get_pkcs7_len(auth);\n\t/* pkcs7 content length cannot be greater than buflen */ \n\tif (len > buflen)\n\t\treturn OPAL_PARAMETER;\n\n\tauth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr)\n\t\t\t + sizeof(auth->auth_info.cert_type) + len;\n\n\t*auth_buffer = zalloc(auth_buffer_size);\n\tif (!(*auth_buffer))\n\t\treturn OPAL_NO_MEM;\n\n\t/*\n\t * Data = auth descriptor + new ESL data.\n\t * Extracts only the auth descriptor from data.\n\t */\n\tmemcpy(*auth_buffer, buf, auth_buffer_size);\n\n\treturn auth_buffer_size;\n}",
- "idx": 521656,
- "cwe": "CWE-681",
- "hash": 305644016089787436408464435206138914640,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static bool validate_hash(uuid_t type, int size)\n{\n if (uuid_equals(&type, &EFI_CERT_SHA1_GUID) && (size == 20))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA224_GUID) && (size == 28))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA256_GUID) && (size == 32))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA384_GUID) && (size == 48))\n return true;\n\n if (uuid_equals(&type, &EFI_CERT_SHA512_GUID) && (size == 64))\n return true;\n\n return false;\n}",
- "idx": 521657,
- "cwe": "CWE-681",
- "hash": 178128338452607838604171323429136382734,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static mbedtls_pkcs7* get_pkcs7(const struct efi_variable_authentication_2 *auth)\n{\n\tchar *checkpkcs7cert = NULL;\n\tsize_t len;\n\tmbedtls_pkcs7 *pkcs7 = NULL;\n\tint rc;\n\n\tlen = get_pkcs7_len(auth);\n\n\tpkcs7 = malloc(sizeof(struct mbedtls_pkcs7));\n\tif (!pkcs7)\n\t\treturn NULL;\n\n\tmbedtls_pkcs7_init(pkcs7);\n\trc = mbedtls_pkcs7_parse_der( auth->auth_info.cert_data, len, pkcs7);\n\tif (rc <= 0) {\n\t\tprlog(PR_ERR, \"Parsing pkcs7 failed %04x\\n\", rc);\n\t\tgoto out;\n\t}\n\n\tcheckpkcs7cert = zalloc(CERT_BUFFER_SIZE);\n\tif (!checkpkcs7cert)\n\t\tgoto out;\n\n\trc = mbedtls_x509_crt_info(checkpkcs7cert, CERT_BUFFER_SIZE, \"CRT:\",\n\t\t\t\t &(pkcs7->signed_data.certs));\n\tif (rc < 0) {\n\t\tprlog(PR_ERR, \"Failed to parse the certificate in PKCS7 structure\\n\");\n\t\tfree(checkpkcs7cert);\n\t\tgoto out;\n\t}\n\n\tprlog(PR_DEBUG, \"%s \\n\", checkpkcs7cert);\n\tfree(checkpkcs7cert);\n\treturn pkcs7;\n\nout:\n\tmbedtls_pkcs7_free(pkcs7);\n\tpkcs7 = NULL;\n\treturn pkcs7;\n}",
- "idx": 521644,
- "cwe": "CWE-681",
- "hash": 285422590631529911090789466166025019210,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static void get_key_authority(const char *ret[3], const char *key)\n{\n\tint i = 0;\n\n\tif (key_equals(key, \"PK\")) {\n\t\tret[i++] = \"PK\";\n\t} else if (key_equals(key, \"KEK\")) {\n\t\tret[i++] = \"PK\";\n\t} else if (key_equals(key, \"db\") || key_equals(key, \"dbx\")) {\n\t\tret[i++] = \"KEK\";\n\t\tret[i++] = \"PK\";\n\t}\n\n\tret[i] = NULL;\n}",
- "idx": 521642,
- "cwe": "CWE-681",
- "hash": 297738273191075284106162991641740642673,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static int32_t get_esl_signature_list_size(const char *buf, const size_t buflen)\n{\n\tEFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen);\n\n\tif (!list)\n\t\treturn OPAL_PARAMETER;\n\n\treturn le32_to_cpu(list->SignatureListSize);\n}",
- "idx": 521643,
- "cwe": "CWE-681",
- "hash": 78060638800999667578112940727001384482,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static EFI_SIGNATURE_LIST* get_esl_signature_list(const char *buf, size_t buflen)\n{\n\tEFI_SIGNATURE_LIST *list = NULL;\n\n\tif (buflen < sizeof(EFI_SIGNATURE_LIST) || !buf)\n\t\treturn NULL;\n\n\tlist = (EFI_SIGNATURE_LIST *)buf;\n\n\treturn list;\n}",
- "idx": 521652,
- "cwe": "CWE-681",
- "hash": 120387305635648549803864652788577802214,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static int get_esl_cert(const char *buf, const size_t buflen, char **cert)\n{\n\tsize_t sig_data_offset;\n\tsize_t size;\n\tEFI_SIGNATURE_LIST *list = get_esl_signature_list(buf, buflen);\n\n\tif (!list)\n\t\treturn OPAL_PARAMETER;\n\n\tassert(cert != NULL);\n\n\tsize = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t);\n\n\tprlog(PR_DEBUG,\"size of signature list size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureListSize));\n\tprlog(PR_DEBUG, \"size of signature header size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureHeaderSize));\n\tprlog(PR_DEBUG, \"size of signature size is %u\\n\",\n\t\t\tle32_to_cpu(list->SignatureSize));\n\n\tsig_data_offset = sizeof(EFI_SIGNATURE_LIST)\n\t\t\t + le32_to_cpu(list->SignatureHeaderSize)\n\t\t\t + 16 * sizeof(uint8_t);\n\tif (sig_data_offset > buflen)\n\t\treturn OPAL_PARAMETER;\n\n\t*cert = zalloc(size);\n\tif (!(*cert))\n\t\treturn OPAL_NO_MEM;\n\n\t/* Since buf can have more than one ESL, copy only the size calculated\n\t * to return single ESL */\n\tmemcpy(*cert, buf + sig_data_offset, size);\n\n\treturn size;\n}",
- "idx": 521650,
- "cwe": "CWE-681",
- "hash": 76056064316561882808219871420473489575,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "static bool validate_cert(char *signing_cert, int signing_cert_size)\n{\n\tmbedtls_x509_crt x509;\n\tchar *x509_buf = NULL;\n\tint rc;\n\n\tmbedtls_x509_crt_init(&x509);\n\trc = mbedtls_x509_crt_parse(&x509, signing_cert, signing_cert_size);\n\n\t/* If failure in parsing the certificate, exit */\n\tif(rc) {\n\t\tprlog(PR_ERR, \"X509 certificate parsing failed %04x\\n\", rc);\n\t\treturn false;\n\t}\n\n\tx509_buf = zalloc(CERT_BUFFER_SIZE);\n\trc = mbedtls_x509_crt_info(x509_buf, CERT_BUFFER_SIZE, \"CRT:\", &x509);\n\n\tmbedtls_x509_crt_free(&x509);\n\tfree(x509_buf);\n\tx509_buf = NULL;\n\n\t/* If failure in reading the certificate, exit */\n\tif (rc < 0)\n\t\treturn false;\n\n\treturn true;\n}",
- "idx": 521646,
- "cwe": "CWE-681",
- "hash": 89322362298830297891556293893589653635,
- "dataset": "other"
- },
- {
- "project": "skiboot",
- "commit_id": "5be38b672c1410e2f10acd3ad2eecfdc81d5daf7",
- "target": 0,
- "func": "int validate_esl_list(const char *key, const char *esl, const size_t size)\n{\n\tint count = 0;\n\tint dsize;\n\tchar *data = NULL;\n\tint eslvarsize = size;\n\tint eslsize;\n\tint rc = OPAL_SUCCESS;\n\tint offset = 0;\n\tEFI_SIGNATURE_LIST *list = NULL;\n\n\twhile (eslvarsize > 0) {\n\t\tprlog(PR_DEBUG, \"esl var size size is %d offset is %d\\n\", eslvarsize, offset);\n\t\tif (eslvarsize < sizeof(EFI_SIGNATURE_LIST))\n\t\t\tbreak;\n\n\t\t/* Check Supported ESL Type */\n\t\tlist = get_esl_signature_list(esl, eslvarsize);\n\n\t\tif (!list)\n\t\t\treturn OPAL_PARAMETER;\n\n\t\t/* Calculate the size of the ESL */\n\t\teslsize = le32_to_cpu(list->SignatureListSize);\n\n\t\t/* If could not extract the size */\n\t\tif (eslsize <= 0) {\n\t\t\tprlog(PR_ERR, \"Invalid size of the ESL: %u\\n\",\n\t\t\t\t\tle32_to_cpu(list->SignatureListSize));\n\t\t\trc = OPAL_PARAMETER;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Extract the certificate from the ESL */\n\t\tdsize = get_esl_cert(esl, eslvarsize, &data);\n\t\tif (dsize < 0) {\n\t\t\trc = dsize;\n\t\t\tbreak;\n\t\t}\n\n\t\tif (key_equals(key, \"dbx\")) {\n\t\t\tif (!validate_hash(list->SignatureType, dsize)) {\n\t\t\t\tprlog(PR_ERR, \"No valid hash is found\\n\");\n\t\t\t\trc = OPAL_PARAMETER;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} else {\n\t\t if (!uuid_equals(&list->SignatureType, &EFI_CERT_X509_GUID)\n\t\t\t || !validate_cert(data, dsize)) {\n\t\t\t\tprlog(PR_ERR, \"No valid cert is found\\n\");\n\t\t\t\trc = OPAL_PARAMETER;\n\t\t\t\tbreak;\n\t\t }\n\t\t}\n\n\t\tcount++;\n\n\t\t/* Look for the next ESL */\n\t\toffset = offset + eslsize;\n\t\teslvarsize = eslvarsize - eslsize;\n\t\tfree(data);\n\t\t/* Since we are going to allocate again in the next iteration */\n\t\tdata = NULL;\n\t}\n\n\tif (rc == OPAL_SUCCESS) {\n\t\tif (key_equals(key, \"PK\") && (count > 1)) {\n\t\t\tprlog(PR_ERR, \"PK can only be one\\n\");\n\t\t\trc = OPAL_PARAMETER;\n\t\t} else {\n\t\t\trc = count;\n\t\t}\n\t}\n\n\tfree(data);\n\n\tprlog(PR_INFO, \"Total ESLs 
are %d\\n\", rc);\n\treturn rc;\n}",
- "idx": 521648,
- "cwe": "CWE-681",
- "hash": 135687032396769714616764529094035254125,
- "dataset": "other"
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "trace_vbprintk",
- "ftrace_trace_stack",
- "__ftrace_trace_stack"
- ],
- "group_size": 15,
- "functions": [
- {
- "func": "int __trace_bputs(unsigned long ip, const char *str)\n{\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct bputs_entry *entry;\n\tunsigned long irq_flags;\n\tint size = sizeof(struct bputs_entry);\n\tint pc;\n\n\tif (!(global_trace.trace_flags & TRACE_ITER_PRINTK))\n\t\treturn 0;\n\n\tpc = preempt_count();\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\tlocal_save_flags(irq_flags);\n\tbuffer = global_trace.trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_BPUTS, size,\n\t\t\t\t\t irq_flags, pc);\n\tif (!event)\n\t\treturn 0;\n\n\tentry = ring_buffer_event_data(event);\n\tentry->ip\t\t\t= ip;\n\tentry->str\t\t\t= str;\n\n\t__buffer_unlock_commit(buffer, event);\n\tftrace_trace_stack(&global_trace, buffer, irq_flags, 4, pc, NULL);\n\n\treturn 1;\n}",
- "project": "linux",
- "hash": 97935509873229655098639551909617223595,
- "size": 33,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445651
- },
- {
- "func": "void __trace_stack(struct trace_array *tr, unsigned long flags, int skip,\n\t\t int pc)\n{\n\tstruct ring_buffer *buffer = tr->trace_buffer.buffer;\n\n\tif (rcu_is_watching()) {\n\t\t__ftrace_trace_stack(buffer, flags, skip, pc, NULL);\n\t\treturn;\n\t}\n\n\t/*\n\t * When an NMI triggers, RCU is enabled via rcu_nmi_enter(),\n\t * but if the above rcu_is_watching() failed, then the NMI\n\t * triggered someplace critical, and rcu_irq_enter() should\n\t * not be called from NMI.\n\t */\n\tif (unlikely(in_nmi()))\n\t\treturn;\n\n\t/*\n\t * It is possible that a function is being traced in a\n\t * location that RCU is not watching. A call to\n\t * rcu_irq_enter() will make sure that it is, but there's\n\t * a few internal rcu functions that could be traced\n\t * where that wont work either. In those cases, we just\n\t * do nothing.\n\t */\n\tif (unlikely(rcu_irq_enter_disabled()))\n\t\treturn;\n\n\trcu_irq_enter_irqson();\n\t__ftrace_trace_stack(buffer, flags, skip, pc, NULL);\n\trcu_irq_exit_irqson();\n}",
- "project": "linux",
- "hash": 148688729114021066957743413682696870780,
- "size": 34,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445686
- },
- {
- "func": "trace_buffer_lock_reserve(struct ring_buffer *buffer,\n\t\t\t int type,\n\t\t\t unsigned long len,\n\t\t\t unsigned long flags, int pc)\n{\n\treturn __trace_buffer_lock_reserve(buffer, type, len, flags, pc);\n}",
- "project": "linux",
- "hash": 290494509004862626438777072381730768500,
- "size": 7,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445711
- },
- {
- "func": "void trace_dump_stack(int skip)\n{\n\tunsigned long flags;\n\n\tif (tracing_disabled || tracing_selftest_running)\n\t\treturn;\n\n\tlocal_save_flags(flags);\n\n\t/*\n\t * Skip 3 more, seems to get us at the caller of\n\t * this function.\n\t */\n\tskip += 3;\n\t__ftrace_trace_stack(global_trace.trace_buffer.buffer,\n\t\t\t flags, skip, preempt_count(), NULL);\n}",
- "project": "linux",
- "hash": 209716427486737830029222622578390806861,
- "size": 17,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445554
- },
- {
- "func": "static void __ftrace_trace_stack(struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n\tstruct trace_event_call *call = &event_kernel_stack;\n\tstruct ring_buffer_event *event;\n\tstruct stack_entry *entry;\n\tstruct stack_trace trace;\n\tint use_stack;\n\tint size = FTRACE_STACK_ENTRIES;\n\n\ttrace.nr_entries\t= 0;\n\ttrace.skip\t\t= skip;\n\n\t/*\n\t * Add two, for this function and the call to save_stack_trace()\n\t * If regs is set, then these functions will not be in the way.\n\t */\n\tif (!regs)\n\t\ttrace.skip += 2;\n\n\t/*\n\t * Since events can happen in NMIs there's no safe way to\n\t * use the per cpu ftrace_stacks. We reserve it and if an interrupt\n\t * or NMI comes in, it will just have to use the default\n\t * FTRACE_STACK_SIZE.\n\t */\n\tpreempt_disable_notrace();\n\n\tuse_stack = __this_cpu_inc_return(ftrace_stack_reserve);\n\t/*\n\t * We don't need any atomic variables, just a barrier.\n\t * If an interrupt comes in, we don't care, because it would\n\t * have exited and put the counter back to what we want.\n\t * We just need a barrier to keep gcc from moving things\n\t * around.\n\t */\n\tbarrier();\n\tif (use_stack == 1) {\n\t\ttrace.entries\t\t= this_cpu_ptr(ftrace_stack.calls);\n\t\ttrace.max_entries\t= FTRACE_STACK_MAX_ENTRIES;\n\n\t\tif (regs)\n\t\t\tsave_stack_trace_regs(regs, &trace);\n\t\telse\n\t\t\tsave_stack_trace(&trace);\n\n\t\tif (trace.nr_entries > size)\n\t\t\tsize = trace.nr_entries;\n\t} else\n\t\t/* From now on, use_stack is a boolean */\n\t\tuse_stack = 0;\n\n\tsize *= sizeof(unsigned long);\n\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_STACK,\n\t\t\t\t\t sizeof(*entry) + size, flags, pc);\n\tif (!event)\n\t\tgoto out;\n\tentry = ring_buffer_event_data(event);\n\n\tmemset(&entry->caller, 0, size);\n\n\tif (use_stack)\n\t\tmemcpy(&entry->caller, trace.entries,\n\t\t trace.nr_entries * sizeof(unsigned long));\n\telse {\n\t\ttrace.max_entries\t= 
FTRACE_STACK_ENTRIES;\n\t\ttrace.entries\t\t= entry->caller;\n\t\tif (regs)\n\t\t\tsave_stack_trace_regs(regs, &trace);\n\t\telse\n\t\t\tsave_stack_trace(&trace);\n\t}\n\n\tentry->size = trace.nr_entries;\n\n\tif (!call_filter_check_discard(call, entry, buffer, event))\n\t\t__buffer_unlock_commit(buffer, event);\n\n out:\n\t/* Again, don't let gcc optimize things here */\n\tbarrier();\n\t__this_cpu_dec(ftrace_stack_reserve);\n\tpreempt_enable_notrace();\n\n}",
- "project": "linux",
- "hash": 228181925911186695377319876003635852001,
- "size": 87,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445528
- },
- {
- "func": "static inline void __ftrace_trace_stack(struct ring_buffer *buffer,\n\t\t\t\t\tunsigned long flags,\n\t\t\t\t\tint skip, int pc, struct pt_regs *regs)\n{\n}",
- "project": "linux",
- "hash": 326356546210729082046651620939364926726,
- "size": 5,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445804
- },
- {
- "func": "static void put_trace_buf(void)\n{\n\t/* Don't let the decrement of nesting leak before this */\n\tbarrier();\n\tthis_cpu_dec(trace_percpu_buffer->nesting);\n}",
- "project": "linux",
- "hash": 151274970754355397862267931791174596447,
- "size": 6,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445718
- },
- {
- "func": "trace_event_setup(struct ring_buffer_event *event,\n\t\t int type, unsigned long flags, int pc)\n{\n\tstruct trace_entry *ent = ring_buffer_event_data(event);\n\n\ttracing_generic_entry_update(ent, flags, pc);\n\tent->type = type;\n}",
- "project": "linux",
- "hash": 33661644687624186718785817022496531739,
- "size": 8,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445676
- },
- {
- "func": "void trace_buffer_unlock_commit_regs(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t struct ring_buffer_event *event,\n\t\t\t\t unsigned long flags, int pc,\n\t\t\t\t struct pt_regs *regs)\n{\n\t__buffer_unlock_commit(buffer, event);\n\n\t/*\n\t * If regs is not set, then skip the following callers:\n\t * trace_buffer_unlock_commit_regs\n\t * event_trigger_unlock_commit\n\t * trace_event_buffer_commit\n\t * trace_event_raw_event_sched_switch\n\t * Note, we can still get here via blktrace, wakeup tracer\n\t * and mmiotrace, but that's ok if they lose a function or\n\t * two. They are that meaningful.\n\t */\n\tftrace_trace_stack(tr, buffer, flags, regs ? 0 : 4, pc, regs);\n\tftrace_trace_userstack(buffer, flags, pc);\n}",
- "project": "linux",
- "hash": 286052656294965236812004646636467502665,
- "size": 21,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445619
- },
- {
- "func": "static inline void ftrace_trace_stack(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n}",
- "project": "linux",
- "hash": 12958771922969768168390039976616805710,
- "size": 6,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445697
- },
- {
- "func": "static inline void ftrace_trace_stack(struct trace_array *tr,\n\t\t\t\t struct ring_buffer *buffer,\n\t\t\t\t unsigned long flags,\n\t\t\t\t int skip, int pc, struct pt_regs *regs)\n{\n\tif (!(tr->trace_flags & TRACE_ITER_STACKTRACE))\n\t\treturn;\n\n\t__ftrace_trace_stack(buffer, flags, skip, pc, regs);\n}",
- "project": "linux",
- "hash": 122015228433718164966279605143093293709,
- "size": 10,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445815
- },
- {
- "func": "int __trace_puts(unsigned long ip, const char *str, int size)\n{\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct print_entry *entry;\n\tunsigned long irq_flags;\n\tint alloc;\n\tint pc;\n\n\tif (!(global_trace.trace_flags & TRACE_ITER_PRINTK))\n\t\treturn 0;\n\n\tpc = preempt_count();\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\talloc = sizeof(*entry) + size + 2; /* possible \\n added */\n\n\tlocal_save_flags(irq_flags);\n\tbuffer = global_trace.trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc, \n\t\t\t\t\t irq_flags, pc);\n\tif (!event)\n\t\treturn 0;\n\n\tentry = ring_buffer_event_data(event);\n\tentry->ip = ip;\n\n\tmemcpy(&entry->buf, str, size);\n\n\t/* Add a newline if necessary */\n\tif (entry->buf[size - 1] != '\\n') {\n\t\tentry->buf[size] = '\\n';\n\t\tentry->buf[size + 1] = '\\0';\n\t} else\n\t\tentry->buf[size] = '\\0';\n\n\t__buffer_unlock_commit(buffer, event);\n\tftrace_trace_stack(&global_trace, buffer, irq_flags, 4, pc, NULL);\n\n\treturn size;\n}",
- "project": "linux",
- "hash": 333230938796332990582828767642145709691,
- "size": 43,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445537
- },
- {
- "func": "__trace_buffer_lock_reserve(struct ring_buffer *buffer,\n\t\t\t int type,\n\t\t\t unsigned long len,\n\t\t\t unsigned long flags, int pc)\n{\n\tstruct ring_buffer_event *event;\n\n\tevent = ring_buffer_lock_reserve(buffer, len);\n\tif (event != NULL)\n\t\ttrace_event_setup(event, type, flags, pc);\n\n\treturn event;\n}",
- "project": "linux",
- "hash": 277862938369440085694307103004898588643,
- "size": 13,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445828
- },
- {
- "func": "int trace_vbprintk(unsigned long ip, const char *fmt, va_list args)\n{\n\tstruct trace_event_call *call = &event_bprint;\n\tstruct ring_buffer_event *event;\n\tstruct ring_buffer *buffer;\n\tstruct trace_array *tr = &global_trace;\n\tstruct bprint_entry *entry;\n\tunsigned long flags;\n\tchar *tbuffer;\n\tint len = 0, size, pc;\n\n\tif (unlikely(tracing_selftest_running || tracing_disabled))\n\t\treturn 0;\n\n\t/* Don't pollute graph traces with trace_vprintk internals */\n\tpause_graph_tracing();\n\n\tpc = preempt_count();\n\tpreempt_disable_notrace();\n\n\ttbuffer = get_trace_buf();\n\tif (!tbuffer) {\n\t\tlen = 0;\n\t\tgoto out_nobuffer;\n\t}\n\n\tlen = vbin_printf((u32 *)tbuffer, TRACE_BUF_SIZE/sizeof(int), fmt, args);\n\n\tif (len > TRACE_BUF_SIZE/sizeof(int) || len < 0)\n\t\tgoto out;\n\n\tlocal_save_flags(flags);\n\tsize = sizeof(*entry) + sizeof(u32) * len;\n\tbuffer = tr->trace_buffer.buffer;\n\tevent = __trace_buffer_lock_reserve(buffer, TRACE_BPRINT, size,\n\t\t\t\t\t flags, pc);\n\tif (!event)\n\t\tgoto out;\n\tentry = ring_buffer_event_data(event);\n\tentry->ip\t\t\t= ip;\n\tentry->fmt\t\t\t= fmt;\n\n\tmemcpy(entry->buf, tbuffer, sizeof(u32) * len);\n\tif (!call_filter_check_discard(call, entry, buffer, event)) {\n\t\t__buffer_unlock_commit(buffer, event);\n\t\tftrace_trace_stack(tr, buffer, flags, 6, pc, NULL);\n\t}\n\nout:\n\tput_trace_buf();\n\nout_nobuffer:\n\tpreempt_enable_notrace();\n\tunpause_graph_tracing();\n\n\treturn len;\n}",
- "project": "linux",
- "hash": 253947971610352669400134070783242158477,
- "size": 57,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445733
- },
- {
- "func": "int call_filter_check_discard(struct trace_event_call *call, void *rec,\n\t\t\t struct ring_buffer *buffer,\n\t\t\t struct ring_buffer_event *event)\n{\n\tif (unlikely(call->flags & TRACE_EVENT_FL_FILTERED) &&\n\t !filter_match_preds(call->filter, rec)) {\n\t\t__trace_event_discard_commit(buffer, event);\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 295670194917690430799317477652109148509,
- "size": 12,
- "commit_id": "4397f04575c44e1440ec2e49b6302785c95fd2f8",
- "message": "tracing: Fix possible double free on failure of allocating trace buffer\n\nJing Xia and Chunyan Zhang reported that on failing to allocate part of the\ntracing buffer, memory is freed, but the pointers that point to them are not\ninitialized back to NULL, and later paths may try to free the freed memory\nagain. Jing and Chunyan fixed one of the locations that does this, but\nmissed a spot.\n\nLink: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com\n\nCc: stable@vger.kernel.org\nFixes: 737223fbca3b1 (\"tracing: Consolidate buffer allocation code\")\nReported-by: Jing Xia <jing.xia@spreadtrum.com>\nReported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>\nSigned-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>",
- "target": 0,
- "dataset": "other",
- "idx": 445792
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "HrReadHeaders",
- "HrParseHeaders",
- "HrGetHeaderValue"
- ],
- "group_size": 14,
- "functions": [
- {
- "func": "HRESULT Http::HrFinalize()\n{\n\tHRESULT hr = hrSuccess;\n\n\tHrResponseHeader(\"Content-Length\", stringify(m_strRespBody.length()));\n\n\t// force chunked http for long size response, should check version >= 1.1 to disable chunking\n\tif (m_strRespBody.size() < HTTP_CHUNK_SIZE || m_strHttpVer != \"1.1\") {\n\t\thr = HrFlushHeaders();\n\t\tif (hr != hrSuccess && hr != MAPI_E_END_OF_SESSION) {\n\t\t\tec_log_debug(\"Http::HrFinalize flush fail %d\", hr);\n\t\t\tm_ulRetCode = 0;\n\t\t\treturn hr;\n\t\t}\n\t\tif (!m_strRespBody.empty()) {\n\t\t\tm_lpChannel->HrWriteString(m_strRespBody);\n\t\t\tec_log_debug(\"Response body:\\n%s\", m_strRespBody.c_str());\n\t\t}\n\t}\n\telse\n\t{\n\t\tconst char *lpstrBody = m_strRespBody.data();\n\t\tchar lpstrLen[10];\n\t\tauto szBodyLen = m_strRespBody.size(); // length of data to be sent to the client\n\t\tsize_t szBodyWritten = 0; // length of data sent to client\n\t\tunsigned int szPart = HTTP_CHUNK_SIZE;\t\t\t\t\t\t// default length of chunk data to be written\n\n\t\tHrResponseHeader(\"Transfer-Encoding\", \"chunked\");\n\t\thr = HrFlushHeaders();\n\t\tif (hr != hrSuccess && hr != MAPI_E_END_OF_SESSION) {\n\t\t\tec_log_debug(\"Http::HrFinalize flush fail(2) %d\", hr);\n\t\t\tm_ulRetCode = 0;\n\t\t\treturn hr;\n\t\t}\n\n\t\twhile (szBodyWritten < szBodyLen)\n\t\t{\n\t\t\tif ((szBodyWritten + HTTP_CHUNK_SIZE) > szBodyLen)\n\t\t\t\tszPart = szBodyLen - szBodyWritten;\t\t\t\t// change length of data for last chunk\n\t\t\t// send hex length of data and data part\n\t\t\tsnprintf(lpstrLen, sizeof(lpstrLen), \"%X\", szPart);\n\t\t\tm_lpChannel->HrWriteLine(lpstrLen);\n\t\t\tm_lpChannel->HrWriteLine(string_view(lpstrBody, szPart));\n\t\t\tszBodyWritten += szPart;\n\t\t\tlpstrBody += szPart;\n\t\t}\n\n\t\t// end of response\n\t\tsnprintf(lpstrLen, 10, \"0\\r\\n\");\n\t\tm_lpChannel->HrWriteLine(lpstrLen);\n\t\t// just the first part of the body in the log. 
header shows it's chunked.\n\t\tec_log_debug(\"%s\", m_strRespBody.c_str());\n\t}\n\n\t// if http_log_enable?\n\tchar szTime[32];\n\ttime_t now = time(NULL);\n\ttm local;\n\tstd::string strAgent;\n\tlocaltime_r(&now, &local);\n\t// @todo we're in C LC_TIME locale to get the correct (month) format, but the timezone will be GMT, which is not wanted.\n\tstrftime(szTime, ARRAY_SIZE(szTime), \"%d/%b/%Y:%H:%M:%S %z\", &local);\n\tHrGetHeaderValue(\"User-Agent\", &strAgent);\n\tec_log_notice(\"%s - %s [%s] \\\"%s\\\" %d %d \\\"-\\\" \\\"%s\\\"\", m_lpChannel->peer_addr(), m_strUser.empty() ? \"-\" : m_strUser.c_str(), szTime, m_strAction.c_str(), m_ulRetCode, (int)m_strRespBody.length(), strAgent.c_str());\n\tm_ulRetCode = 0;\n\treturn hr;\n}",
- "project": "kopano-core",
- "hash": 259595367262276487244267405280402291162,
- "size": 67,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412624
- },
- {
- "func": "HRESULT Http::HrGetDepth(ULONG *ulDepth)\n{\n\tstd::string strDepth;\n\t/*\n\t * Valid input: [0, 1, infinity]\n\t */\n\tauto hr = HrGetHeaderValue(\"Depth\", &strDepth);\n\tif (hr != hrSuccess)\n\t\t*ulDepth = 0; /* Default is no subfolders. Default should become a parameter. It is action dependent. */\n\telse if (strDepth == \"infinity\")\n\t\t*ulDepth = 2;\n\telse {\n\t\t*ulDepth = atoi(strDepth.c_str());\n\t\tif (*ulDepth > 1)\n\t\t\t*ulDepth = 1;\n\t}\n\treturn hr;\n}",
- "project": "kopano-core",
- "hash": 217517827692339967634595091257873772062,
- "size": 18,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412614
- },
- {
- "func": "HRESULT Http::HrReadBody()\n{\n\tstd::string strLength;\n\n\t// find the Content-Length\n\tif (HrGetHeaderValue(\"Content-Length\", &strLength) != hrSuccess) {\n\t\tec_log_debug(\"Http::HrReadBody content-length missing\");\n\t\treturn MAPI_E_NOT_FOUND;\n\t}\n\tauto ulContLength = atoi(strLength.c_str());\n\tif (ulContLength <= 0) {\n\t\tec_log_debug(\"Http::HrReadBody content-length invalid %d\", ulContLength);\n\t\treturn MAPI_E_NOT_FOUND;\n\t}\n\tauto hr = m_lpChannel->HrReadBytes(&m_strReqBody, ulContLength);\n\tif (!m_strUser.empty())\n\t\tec_log_debug(\"Request body:\\n%s\", m_strReqBody.c_str());\n\treturn hr;\n}",
- "project": "kopano-core",
- "hash": 113696208786814068339618293734508448744,
- "size": 19,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412634
- },
- {
- "func": "HRESULT Http::HrRequestAuth(const std::string &strMsg)\n{\n\tauto hr = HrResponseHeader(401, \"Unauthorized\");\n\tif (hr != hrSuccess)\n\t\treturn hr;\n\treturn HrResponseHeader(\"WWW-Authenticate\", \"Basic realm=\\\"\" + strMsg + \"\\\"\");\n}",
- "project": "kopano-core",
- "hash": 326592081151301752571350035393463588511,
- "size": 7,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412626
- },
- {
- "func": "HRESULT Http::HrReadHeaders()\n{\n\tHRESULT hr;\n\tstd::string strBuffer;\n\tULONG n = 0;\n\tstd::map<std::string, std::string>::iterator iHeader = mapHeaders.end();\n\n\tec_log_debug(\"Receiving headers:\");\n\tdo\n\t{\n\t\thr = m_lpChannel->HrReadLine(strBuffer);\n\t\tif (hr != hrSuccess)\n\t\t\treturn hr;\n\t\tif (strBuffer.empty())\n\t\t\tbreak;\n\n\t\tif (n == 0) {\n\t\t\tm_strAction = strBuffer;\n\t\t} else {\n\t\t\tauto pos = strBuffer.find(':');\n\t\t\tsize_t start = 0;\n\n\t\t\tif (strBuffer[0] == ' ' || strBuffer[0] == '\\t') {\n\t\t\t\tif (iHeader == mapHeaders.end())\n\t\t\t\t\tcontinue;\n\t\t\t\t// continue header\n\t\t\t\twhile (strBuffer[start] == ' ' || strBuffer[start] == '\\t')\n\t\t\t\t\t++start;\n\t\t\t\tiHeader->second += strBuffer.substr(start);\n\t\t\t} else {\n\t\t\t\t// new header\n\t\t\t\tauto r = mapHeaders.emplace(strBuffer.substr(0, pos), strBuffer.substr(pos + 2));\n\t\t\t\tiHeader = r.first;\n\t\t\t}\n\t\t}\n\n\t\tif (strBuffer.find(\"Authorization\") != std::string::npos)\n\t\t\tec_log_debug(\"< Authorization: <value hidden>\");\n\t\telse\n\t\t\tec_log_debug(\"< \"+strBuffer);\n\t\t++n;\n\t} while(hr == hrSuccess);\n\n\thr = HrParseHeaders();\n\tif (hr != hrSuccess)\n\t\thr_ldebug(hr, \"parsing headers failed\");\n\treturn hr;\n}",
- "project": "kopano-core",
- "hash": 252899856337214612444746933964237135309,
- "size": 48,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 1,
- "dataset": "other",
- "idx": 208547
- },
- {
- "func": "HRESULT Http::HrReadHeaders()\n{\n\tHRESULT hr;\n\tstd::string strBuffer;\n\tULONG n = 0;\n\tstd::map<std::string, std::string>::iterator iHeader = mapHeaders.end();\n\tstatic constexpr std::size_t MAX_HEADER_LENGTH = 65536;\n\tstd::size_t numOfBytesRead = 0;\n\n\tec_log_debug(\"Receiving headers:\");\n\tdo\n\t{\n\t\thr = m_lpChannel->HrReadLine(strBuffer);\n\t\tif (hr != hrSuccess)\n\t\t\treturn hr;\n\t\tif (strBuffer.empty())\n\t\t\tbreak;\n\n\t\tnumOfBytesRead += strBuffer.size();\n\t\tif(numOfBytesRead > MAX_HEADER_LENGTH) {\n\t\t\treturn MAPI_E_TOO_BIG;\n\t\t}\n\n\t\tif (n == 0) {\n\t\t\tm_strAction = strBuffer;\n\t\t} else {\n\t\t\tauto pos = strBuffer.find(':');\n\t\t\tsize_t start = 0;\n\n\t\t\tif (strBuffer[0] == ' ' || strBuffer[0] == '\\t') {\n\t\t\t\tif (iHeader == mapHeaders.end())\n\t\t\t\t\tcontinue;\n\t\t\t\t// continue header\n\t\t\t\twhile (strBuffer[start] == ' ' || strBuffer[start] == '\\t')\n\t\t\t\t\t++start;\n\t\t\t\tiHeader->second += strBuffer.substr(start);\n\t\t\t} else {\n\t\t\t\t// new header\n\t\t\t\tauto r = mapHeaders.emplace(strBuffer.substr(0, pos), strBuffer.substr(pos + 2));\n\t\t\t\tiHeader = r.first;\n\t\t\t}\n\t\t}\n\n\t\tif (strBuffer.find(\"Authorization\") != std::string::npos)\n\t\t\tec_log_debug(\"< Authorization: <value hidden>\");\n\t\telse\n\t\t\tec_log_debug(\"< \"+strBuffer);\n\t\t++n;\n\t} while(hr == hrSuccess);\n\n\thr = HrParseHeaders();\n\tif (hr != hrSuccess)\n\t\thr_ldebug(hr, \"parsing headers failed\");\n\treturn hr;\n}",
- "project": "kopano-core",
- "hash": 80967487134144399005768631526292358142,
- "size": 55,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412620
- },
- {
- "func": "HRESULT Http::HrGetDestination(std::string *strDestination)\n{\n\tstd::string strHost, strDest;\n\n\t// example: Host: server:port\n\tauto hr = HrGetHeaderValue(\"Host\", &strHost);\n\tif(hr != hrSuccess) {\n\t\tec_log_debug(\"Http::HrGetDestination host header missing\");\n\t\treturn hr;\n\t}\n\t// example: Destination: http://server:port/caldav/username/folderid/entry.ics\n\thr = HrGetHeaderValue(\"Destination\", &strDest);\n\tif (hr != hrSuccess) {\n\t\tec_log_debug(\"Http::HrGetDestination destination header missing\");\n\t\treturn hr;\n\t}\n\tauto pos = strDest.find(strHost);\n\tif (pos == std::string::npos) {\n\t\tec_log_err(\"Refusing to move calendar item from %s to different host on url %s\", strHost.c_str(), strDest.c_str());\n\t\treturn MAPI_E_CALL_FAILED;\n\t}\n\tstrDest.erase(0, pos + strHost.length());\n\t*strDestination = std::move(strDest);\n\treturn hrSuccess;\n}",
- "project": "kopano-core",
- "hash": 16316728809572534170415762015635437994,
- "size": 25,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412637
- },
- {
- "func": "HRESULT Http::HrParseHeaders()\n{\n\tstd::string strAuthdata;\n\tstd::string strUserAgent;\n\n\tauto items = tokenize(m_strAction, ' ', true);\n\tif (items.size() != 3) {\n\t\tec_log_debug(\"HrParseHeaders invalid != 3 tokens\");\n\t\treturn MAPI_E_INVALID_PARAMETER;\n\t}\n\tm_strMethod = items[0];\n\tm_strURL = items[1];\n\tm_strHttpVer = items[2];\n\t// converts %20 -> ' '\n\tm_strPath = urlDecode(m_strURL);\n\n\t// find the content-type\n\t// Content-Type: text/xml;charset=UTF-8\n\tauto hr = HrGetHeaderValue(\"Content-Type\", &m_strCharSet);\n\tif (hr == hrSuccess)\n\t\tm_strCharSet = content_type_get_charset(m_strCharSet.c_str(), m_lpConfig->GetSetting(\"default_charset\"));\n\telse\n\t\tm_strCharSet = m_lpConfig->GetSetting(\"default_charset\"); // really should be UTF-8\n\n\thr = HrGetHeaderValue(\"User-Agent\", &strUserAgent);\n\tif (hr == hrSuccess) {\n\t\tsize_t space = strUserAgent.find(\" \");\n\n\t\tif (space != std::string::npos) {\n\t\t\tm_strUserAgent = strUserAgent.substr(0, space);\n\t\t\tm_strUserAgentVersion = strUserAgent.substr(space + 1);\n\t\t}\n\t\telse {\n\t\t\tm_strUserAgent = strUserAgent;\n\t\t}\n\t}\n\n\t// find the Authorisation data (Authorization: Basic wr8y273yr2y3r87y23ry7=)\n\thr = HrGetHeaderValue(\"Authorization\", &strAuthdata);\n\tif (hr != hrSuccess) {\n\t\thr = HrGetHeaderValue(\"WWW-Authenticate\", &strAuthdata);\n\t\tif (hr != hrSuccess)\n\t\t\treturn S_OK; /* ignore empty Authorization */\n\t}\n\n\titems = tokenize(strAuthdata, ' ', true);\n\t// we only support basic authentication\n\tif (items.size() != 2 || items[0] != \"Basic\") {\n\t\tec_log_debug(\"HrParseHeaders login failed\");\n\t\treturn MAPI_E_LOGON_FAILED;\n\t}\n\tauto user_pass = base64_decode(items[1]);\n\tauto colon_pos = user_pass.find(\":\");\n\tif (colon_pos == std::string::npos) {\n\t\tec_log_debug(\"HrParseHeaders password missing\");\n\t\treturn MAPI_E_LOGON_FAILED;\n\t}\n\n\tm_strUser = user_pass.substr(0, colon_pos);\n\tm_strPass = 
user_pass.substr(colon_pos+1, std::string::npos);\n\treturn hrSuccess;\n}",
- "project": "kopano-core",
- "hash": 160499996596065679693723483967338886598,
- "size": 62,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412631
- },
- {
- "func": "HRESULT Http::HrResponseHeader(const std::string &strHeader, const std::string &strValue)\n{\n\tm_lstHeaders.emplace_back(strHeader + \": \" + strValue);\n\treturn hrSuccess;\n}",
- "project": "kopano-core",
- "hash": 43027752424028596896501914067857753536,
- "size": 5,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412622
- },
- {
- "func": "HRESULT Http::HrResponseHeader(unsigned int ulCode, const std::string &strResponse)\n{\n\tm_ulRetCode = ulCode;\n\t// do not set headers if once set\n\tif (!m_strRespHeader.empty())\n\t\treturn MAPI_E_CALL_FAILED;\n\tm_strRespHeader = \"HTTP/1.1 \" + stringify(ulCode) + \" \" + strResponse;\n\treturn hrSuccess;\n}",
- "project": "kopano-core",
- "hash": 94039446103434651188289106409173390514,
- "size": 9,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412635
- },
- {
- "func": "bool Http::CheckIfMatch(LPMAPIPROP lpProp)\n{\n\tbool ret = false, invert = false;\n\tstd::string strIf, strValue;\n\tmemory_ptr<SPropValue> ptrLastModTime;\n\n\tif (lpProp != nullptr &&\n\t HrGetOneProp(lpProp, PR_LAST_MODIFICATION_TIME, &~ptrLastModTime) == hrSuccess)\n\t\tstrValue = stringify_int64(FileTimeToUnixTime(ptrLastModTime->Value.ft), false);\n\n\tif (HrGetHeaderValue(\"If-Match\", &strIf) == hrSuccess) {\n\t\tif (strIf == \"*\" && ptrLastModTime == nullptr)\n\t\t\t// we have an object without a last mod time, not allowed\n\t\t\treturn false;\n\t} else if (HrGetHeaderValue(\"If-None-Match\", &strIf) == hrSuccess) {\n\t\tif (strIf == \"*\" && ptrLastModTime != nullptr)\n\t\t\t// we have an object which has a last mod time, not allowed\n\t\t\treturn false;\n\t\tinvert = true;\n\t} else {\n\t\treturn true;\n\t}\n\n\t// check all etags for a match\n\tfor (auto &i : tokenize(strIf, ',', true)) {\n\t\tif (i.at(0) == '\"' || i.at(0) == '\\'')\n\t\t\ti.assign(i.begin() + 1, i.end() - 1);\n\t\tif (i == strValue) {\n\t\t\tret = true;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (invert)\n\t\tret = !ret;\n\treturn ret;\n}",
- "project": "kopano-core",
- "hash": 20941424626266380182721228937115832815,
- "size": 36,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412617
- },
- {
- "func": "HRESULT Http::HrToHTTPCode(HRESULT hr)\n{\n\tif (hr == hrSuccess)\n\t\treturn HrResponseHeader(200, \"Ok\");\n\telse if (hr == MAPI_E_NO_ACCESS)\n\t\treturn HrResponseHeader(403, \"Forbidden\");\n\telse if (hr == MAPI_E_NOT_FOUND)\n\t\treturn HrResponseHeader(404, \"Not Found\");\n\t// @todo other codes?\n\treturn HrResponseHeader(500, \"Unhanded error \" + stringify_hex(hr));\n}",
- "project": "kopano-core",
- "hash": 292016140630203762883778197098120421520,
- "size": 11,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412618
- },
- {
- "func": "HRESULT Http::HrGetHeaderValue(const std::string &strHeader, std::string *strValue)\n{\n\tauto iHeader = mapHeaders.find(strHeader);\n\tif (iHeader == mapHeaders.cend())\n\t\treturn MAPI_E_NOT_FOUND;\n\t*strValue = iHeader->second;\n\treturn hrSuccess;\n}",
- "project": "kopano-core",
- "hash": 72639894483250812810845856289290598907,
- "size": 8,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412615
- },
- {
- "func": "HRESULT Http::HrFlushHeaders()\n{\n\tHRESULT hr = hrSuccess;\n\tstd::string strOutput, strConnection;\n\tchar lpszChar[128];\n\n\tHrGetHeaderValue(\"Connection\", &strConnection);\n\t// Add misc. headers\n\tHrResponseHeader(\"Server\",\"Kopano\");\n\tstruct tm dummy;\n\tstrftime(lpszChar, 127, \"%a, %d %b %Y %H:%M:%S GMT\", gmtime_safe(time(nullptr), &dummy));\n\tHrResponseHeader(\"Date\", lpszChar);\n\tif (m_ulKeepAlive != 0 && strcasecmp(strConnection.c_str(), \"keep-alive\") == 0) {\n\t\tHrResponseHeader(\"Connection\", \"Keep-Alive\");\n\t\tHrResponseHeader(\"Keep-Alive\", stringify(m_ulKeepAlive));\n\t}\n\telse\n\t{\n\t\tHrResponseHeader(\"Connection\", \"close\");\n\t\thr = MAPI_E_END_OF_SESSION;\n\t}\n\n\t// create headers packet\n\tassert(m_ulRetCode != 0);\n\tif (m_ulRetCode == 0)\n\t\tHrResponseHeader(500, \"Request handled incorrectly\");\n\tec_log_debug(\"> \" + m_strRespHeader);\n\tstrOutput += m_strRespHeader + \"\\r\\n\";\n\tm_strRespHeader.clear();\n\tfor (const auto &h : m_lstHeaders) {\n\t\tec_log_debug(\"> \" + h);\n\t\tstrOutput += h + \"\\r\\n\";\n\t}\n\tm_lstHeaders.clear();\n\t//as last line has a CRLF. The HrWriteLine adds one more CRLF.\n\t//this means the End of headder.\n\tm_lpChannel->HrWriteLine(strOutput);\n\treturn hr;\n}",
- "project": "kopano-core",
- "hash": 287019352431824453208165934954791138515,
- "size": 39,
- "commit_id": "512457466b87039c6a8d25887fdaca6173619546",
- "message": "Set limit on header size to prevent bad alloc\n\nThis sets a hard limit of 64 KiB to the header to prevent a memory\nallocation exception from being thrown during the parsing of the request\nheaders.",
- "target": 0,
- "dataset": "other",
- "idx": 412621
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "do_huge_pmd_anonymous_page",
- "__do_huge_pmd_anonymous_page",
- "maybe_pmd_mkwrite"
- ],
- "group_size": 13,
- "functions": [
- {
- "func": "static void insert_pfn_pmd(struct vm_area_struct *vma, unsigned long addr,\n\t\tpmd_t *pmd, pfn_t pfn, pgprot_t prot, bool write,\n\t\tpgtable_t pgtable)\n{\n\tstruct mm_struct *mm = vma->vm_mm;\n\tpmd_t entry;\n\tspinlock_t *ptl;\n\n\tptl = pmd_lock(mm, pmd);\n\tif (!pmd_none(*pmd)) {\n\t\tif (write) {\n\t\t\tif (pmd_pfn(*pmd) != pfn_t_to_pfn(pfn)) {\n\t\t\t\tWARN_ON_ONCE(!is_huge_zero_pmd(*pmd));\n\t\t\t\tgoto out_unlock;\n\t\t\t}\n\t\t\tentry = pmd_mkyoung(*pmd);\n\t\t\tentry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);\n\t\t\tif (pmdp_set_access_flags(vma, addr, pmd, entry, 1))\n\t\t\t\tupdate_mmu_cache_pmd(vma, addr, pmd);\n\t\t}\n\n\t\tgoto out_unlock;\n\t}\n\n\tentry = pmd_mkhuge(pfn_t_pmd(pfn, prot));\n\tif (pfn_t_devmap(pfn))\n\t\tentry = pmd_mkdevmap(entry);\n\tif (write) {\n\t\tentry = pmd_mkyoung(pmd_mkdirty(entry));\n\t\tentry = maybe_pmd_mkwrite(entry, vma);\n\t}\n\n\tif (pgtable) {\n\t\tpgtable_trans_huge_deposit(mm, pmd, pgtable);\n\t\tmm_inc_nr_ptes(mm);\n\t\tpgtable = NULL;\n\t}\n\n\tset_pmd_at(mm, addr, pmd, entry);\n\tupdate_mmu_cache_pmd(vma, addr, pmd);\n\nout_unlock:\n\tspin_unlock(ptl);\n\tif (pgtable)\n\t\tpte_free(mm, pgtable);\n}",
- "project": "linux",
- "hash": 52858789939630070314033604561150746297,
- "size": 46,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364139
- },
- {
- "func": "static vm_fault_t do_huge_pmd_wp_page_fallback(struct vm_fault *vmf,\n\t\t\tpmd_t orig_pmd, struct page *page)\n{\n\tstruct vm_area_struct *vma = vmf->vma;\n\tunsigned long haddr = vmf->address & HPAGE_PMD_MASK;\n\tstruct mem_cgroup *memcg;\n\tpgtable_t pgtable;\n\tpmd_t _pmd;\n\tint i;\n\tvm_fault_t ret = 0;\n\tstruct page **pages;\n\tstruct mmu_notifier_range range;\n\n\tpages = kmalloc_array(HPAGE_PMD_NR, sizeof(struct page *),\n\t\t\t GFP_KERNEL);\n\tif (unlikely(!pages)) {\n\t\tret |= VM_FAULT_OOM;\n\t\tgoto out;\n\t}\n\n\tfor (i = 0; i < HPAGE_PMD_NR; i++) {\n\t\tpages[i] = alloc_page_vma_node(GFP_HIGHUSER_MOVABLE, vma,\n\t\t\t\t\t vmf->address, page_to_nid(page));\n\t\tif (unlikely(!pages[i] ||\n\t\t\t mem_cgroup_try_charge_delay(pages[i], vma->vm_mm,\n\t\t\t\t GFP_KERNEL, &memcg, false))) {\n\t\t\tif (pages[i])\n\t\t\t\tput_page(pages[i]);\n\t\t\twhile (--i >= 0) {\n\t\t\t\tmemcg = (void *)page_private(pages[i]);\n\t\t\t\tset_page_private(pages[i], 0);\n\t\t\t\tmem_cgroup_cancel_charge(pages[i], memcg,\n\t\t\t\t\t\tfalse);\n\t\t\t\tput_page(pages[i]);\n\t\t\t}\n\t\t\tkfree(pages);\n\t\t\tret |= VM_FAULT_OOM;\n\t\t\tgoto out;\n\t\t}\n\t\tset_page_private(pages[i], (unsigned long)memcg);\n\t}\n\n\tfor (i = 0; i < HPAGE_PMD_NR; i++) {\n\t\tcopy_user_highpage(pages[i], page + i,\n\t\t\t\t haddr + PAGE_SIZE * i, vma);\n\t\t__SetPageUptodate(pages[i]);\n\t\tcond_resched();\n\t}\n\n\tmmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,\n\t\t\t\thaddr, haddr + HPAGE_PMD_SIZE);\n\tmmu_notifier_invalidate_range_start(&range);\n\n\tvmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);\n\tif (unlikely(!pmd_same(*vmf->pmd, orig_pmd)))\n\t\tgoto out_free_pages;\n\tVM_BUG_ON_PAGE(!PageHead(page), page);\n\n\t/*\n\t * Leave pmd empty until pte is filled note we must notify here as\n\t * concurrent CPU thread might write to new page before the call to\n\t * mmu_notifier_invalidate_range_end() happens which can lead to a\n\t * device seeing memory write in 
different order than CPU.\n\t *\n\t * See Documentation/vm/mmu_notifier.rst\n\t */\n\tpmdp_huge_clear_flush_notify(vma, haddr, vmf->pmd);\n\n\tpgtable = pgtable_trans_huge_withdraw(vma->vm_mm, vmf->pmd);\n\tpmd_populate(vma->vm_mm, &_pmd, pgtable);\n\n\tfor (i = 0; i < HPAGE_PMD_NR; i++, haddr += PAGE_SIZE) {\n\t\tpte_t entry;\n\t\tentry = mk_pte(pages[i], vma->vm_page_prot);\n\t\tentry = maybe_mkwrite(pte_mkdirty(entry), vma);\n\t\tmemcg = (void *)page_private(pages[i]);\n\t\tset_page_private(pages[i], 0);\n\t\tpage_add_new_anon_rmap(pages[i], vmf->vma, haddr, false);\n\t\tmem_cgroup_commit_charge(pages[i], memcg, false, false);\n\t\tlru_cache_add_active_or_unevictable(pages[i], vma);\n\t\tvmf->pte = pte_offset_map(&_pmd, haddr);\n\t\tVM_BUG_ON(!pte_none(*vmf->pte));\n\t\tset_pte_at(vma->vm_mm, haddr, vmf->pte, entry);\n\t\tpte_unmap(vmf->pte);\n\t}\n\tkfree(pages);\n\n\tsmp_wmb(); /* make pte visible before pmd */\n\tpmd_populate(vma->vm_mm, vmf->pmd, pgtable);\n\tpage_remove_rmap(page, true);\n\tspin_unlock(vmf->ptl);\n\n\t/*\n\t * No need to double call mmu_notifier->invalidate_range() callback as\n\t * the above pmdp_huge_clear_flush_notify() did already call it.\n\t */\n\tmmu_notifier_invalidate_range_only_end(&range);\n\n\tret |= VM_FAULT_WRITE;\n\tput_page(page);\n\nout:\n\treturn ret;\n\nout_free_pages:\n\tspin_unlock(vmf->ptl);\n\tmmu_notifier_invalidate_range_end(&range);\n\tfor (i = 0; i < HPAGE_PMD_NR; i++) {\n\t\tmemcg = (void *)page_private(pages[i]);\n\t\tset_page_private(pages[i], 0);\n\t\tmem_cgroup_cancel_charge(pages[i], memcg, false);\n\t\tput_page(pages[i]);\n\t}\n\tkfree(pages);\n\tgoto out;\n}",
- "project": "linux",
- "hash": 130300490822755964571089515210837497500,
- "size": 116,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364146
- },
- {
- "func": "static vm_fault_t __do_huge_pmd_anonymous_page(struct vm_fault *vmf,\n\t\t\tstruct page *page, gfp_t gfp)\n{\n\tstruct vm_area_struct *vma = vmf->vma;\n\tstruct mem_cgroup *memcg;\n\tpgtable_t pgtable;\n\tunsigned long haddr = vmf->address & HPAGE_PMD_MASK;\n\tvm_fault_t ret = 0;\n\n\tVM_BUG_ON_PAGE(!PageCompound(page), page);\n\n\tif (mem_cgroup_try_charge_delay(page, vma->vm_mm, gfp, &memcg, true)) {\n\t\tput_page(page);\n\t\tcount_vm_event(THP_FAULT_FALLBACK);\n\t\tcount_vm_event(THP_FAULT_FALLBACK_CHARGE);\n\t\treturn VM_FAULT_FALLBACK;\n\t}\n\n\tpgtable = pte_alloc_one(vma->vm_mm);\n\tif (unlikely(!pgtable)) {\n\t\tret = VM_FAULT_OOM;\n\t\tgoto release;\n\t}\n\n\tclear_huge_page(page, vmf->address, HPAGE_PMD_NR);\n\t/*\n\t * The memory barrier inside __SetPageUptodate makes sure that\n\t * clear_huge_page writes become visible before the set_pmd_at()\n\t * write.\n\t */\n\t__SetPageUptodate(page);\n\n\tvmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);\n\tif (unlikely(!pmd_none(*vmf->pmd))) {\n\t\tgoto unlock_release;\n\t} else {\n\t\tpmd_t entry;\n\n\t\tret = check_stable_address_space(vma->vm_mm);\n\t\tif (ret)\n\t\t\tgoto unlock_release;\n\n\t\t/* Deliver the page fault to userland */\n\t\tif (userfaultfd_missing(vma)) {\n\t\t\tvm_fault_t ret2;\n\n\t\t\tspin_unlock(vmf->ptl);\n\t\t\tmem_cgroup_cancel_charge(page, memcg, true);\n\t\t\tput_page(page);\n\t\t\tpte_free(vma->vm_mm, pgtable);\n\t\t\tret2 = handle_userfault(vmf, VM_UFFD_MISSING);\n\t\t\tVM_BUG_ON(ret2 & VM_FAULT_FALLBACK);\n\t\t\treturn ret2;\n\t\t}\n\n\t\tentry = mk_huge_pmd(page, vma->vm_page_prot);\n\t\tentry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);\n\t\tpage_add_new_anon_rmap(page, vma, haddr, true);\n\t\tmem_cgroup_commit_charge(page, memcg, false, true);\n\t\tlru_cache_add_active_or_unevictable(page, vma);\n\t\tpgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable);\n\t\tset_pmd_at(vma->vm_mm, haddr, vmf->pmd, entry);\n\t\tadd_mm_counter(vma->vm_mm, MM_ANONPAGES, 
HPAGE_PMD_NR);\n\t\tmm_inc_nr_ptes(vma->vm_mm);\n\t\tspin_unlock(vmf->ptl);\n\t\tcount_vm_event(THP_FAULT_ALLOC);\n\t\tcount_memcg_events(memcg, THP_FAULT_ALLOC, 1);\n\t}\n\n\treturn 0;\nunlock_release:\n\tspin_unlock(vmf->ptl);\nrelease:\n\tif (pgtable)\n\t\tpte_free(vma->vm_mm, pgtable);\n\tmem_cgroup_cancel_charge(page, memcg, true);\n\tput_page(page);\n\treturn ret;\n\n}",
- "project": "linux",
- "hash": 275114735309297372780902708916285798590,
- "size": 80,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364127
- },
- {
- "func": "vm_fault_t vmf_insert_pfn_pmd_prot(struct vm_fault *vmf, pfn_t pfn,\n\t\t\t\t pgprot_t pgprot, bool write)\n{\n\tunsigned long addr = vmf->address & PMD_MASK;\n\tstruct vm_area_struct *vma = vmf->vma;\n\tpgtable_t pgtable = NULL;\n\n\t/*\n\t * If we had pmd_special, we could avoid all these restrictions,\n\t * but we need to be consistent with PTEs and architectures that\n\t * can't support a 'special' bit.\n\t */\n\tBUG_ON(!(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) &&\n\t\t\t!pfn_t_devmap(pfn));\n\tBUG_ON((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) ==\n\t\t\t\t\t\t(VM_PFNMAP|VM_MIXEDMAP));\n\tBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\n\n\tif (addr < vma->vm_start || addr >= vma->vm_end)\n\t\treturn VM_FAULT_SIGBUS;\n\n\tif (arch_needs_pgtable_deposit()) {\n\t\tpgtable = pte_alloc_one(vma->vm_mm);\n\t\tif (!pgtable)\n\t\t\treturn VM_FAULT_OOM;\n\t}\n\n\ttrack_pfn_insert(vma, &pgprot, pfn);\n\n\tinsert_pfn_pmd(vma, addr, vmf->pmd, pfn, pgprot, write, pgtable);\n\treturn VM_FAULT_NOPAGE;\n}",
- "project": "linux",
- "hash": 170544210575966782036032329512632262586,
- "size": 32,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364205
- },
- {
- "func": "pmd_t maybe_pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma)\n{\n\tif (likely(vma->vm_flags & VM_WRITE))\n\t\tpmd = pmd_mkwrite(pmd);\n\treturn pmd;\n}",
- "project": "linux",
- "hash": 74096385663612383266064894913746127235,
- "size": 6,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364167
- },
- {
- "func": "vm_fault_t do_huge_pmd_wp_page(struct vm_fault *vmf, pmd_t orig_pmd)\n{\n\tstruct vm_area_struct *vma = vmf->vma;\n\tstruct page *page = NULL, *new_page;\n\tstruct mem_cgroup *memcg;\n\tunsigned long haddr = vmf->address & HPAGE_PMD_MASK;\n\tstruct mmu_notifier_range range;\n\tgfp_t huge_gfp;\t\t\t/* for allocation and charge */\n\tvm_fault_t ret = 0;\n\n\tvmf->ptl = pmd_lockptr(vma->vm_mm, vmf->pmd);\n\tVM_BUG_ON_VMA(!vma->anon_vma, vma);\n\tif (is_huge_zero_pmd(orig_pmd))\n\t\tgoto alloc;\n\tspin_lock(vmf->ptl);\n\tif (unlikely(!pmd_same(*vmf->pmd, orig_pmd)))\n\t\tgoto out_unlock;\n\n\tpage = pmd_page(orig_pmd);\n\tVM_BUG_ON_PAGE(!PageCompound(page) || !PageHead(page), page);\n\t/*\n\t * We can only reuse the page if nobody else maps the huge page or it's\n\t * part.\n\t */\n\tif (!trylock_page(page)) {\n\t\tget_page(page);\n\t\tspin_unlock(vmf->ptl);\n\t\tlock_page(page);\n\t\tspin_lock(vmf->ptl);\n\t\tif (unlikely(!pmd_same(*vmf->pmd, orig_pmd))) {\n\t\t\tunlock_page(page);\n\t\t\tput_page(page);\n\t\t\tgoto out_unlock;\n\t\t}\n\t\tput_page(page);\n\t}\n\tif (reuse_swap_page(page, NULL)) {\n\t\tpmd_t entry;\n\t\tentry = pmd_mkyoung(orig_pmd);\n\t\tentry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);\n\t\tif (pmdp_set_access_flags(vma, haddr, vmf->pmd, entry, 1))\n\t\t\tupdate_mmu_cache_pmd(vma, vmf->address, vmf->pmd);\n\t\tret |= VM_FAULT_WRITE;\n\t\tunlock_page(page);\n\t\tgoto out_unlock;\n\t}\n\tunlock_page(page);\n\tget_page(page);\n\tspin_unlock(vmf->ptl);\nalloc:\n\tif (__transparent_hugepage_enabled(vma) &&\n\t !transparent_hugepage_debug_cow()) {\n\t\thuge_gfp = alloc_hugepage_direct_gfpmask(vma);\n\t\tnew_page = alloc_hugepage_vma(huge_gfp, vma, haddr, HPAGE_PMD_ORDER);\n\t} else\n\t\tnew_page = NULL;\n\n\tif (likely(new_page)) {\n\t\tprep_transhuge_page(new_page);\n\t} else {\n\t\tif (!page) {\n\t\t\tsplit_huge_pmd(vma, vmf->pmd, vmf->address);\n\t\t\tret |= VM_FAULT_FALLBACK;\n\t\t} else {\n\t\t\tret = do_huge_pmd_wp_page_fallback(vmf, 
orig_pmd, page);\n\t\t\tif (ret & VM_FAULT_OOM) {\n\t\t\t\tsplit_huge_pmd(vma, vmf->pmd, vmf->address);\n\t\t\t\tret |= VM_FAULT_FALLBACK;\n\t\t\t}\n\t\t\tput_page(page);\n\t\t}\n\t\tcount_vm_event(THP_FAULT_FALLBACK);\n\t\tgoto out;\n\t}\n\n\tif (unlikely(mem_cgroup_try_charge_delay(new_page, vma->vm_mm,\n\t\t\t\t\thuge_gfp, &memcg, true))) {\n\t\tput_page(new_page);\n\t\tsplit_huge_pmd(vma, vmf->pmd, vmf->address);\n\t\tif (page)\n\t\t\tput_page(page);\n\t\tret |= VM_FAULT_FALLBACK;\n\t\tcount_vm_event(THP_FAULT_FALLBACK);\n\t\tcount_vm_event(THP_FAULT_FALLBACK_CHARGE);\n\t\tgoto out;\n\t}\n\n\tcount_vm_event(THP_FAULT_ALLOC);\n\tcount_memcg_events(memcg, THP_FAULT_ALLOC, 1);\n\n\tif (!page)\n\t\tclear_huge_page(new_page, vmf->address, HPAGE_PMD_NR);\n\telse\n\t\tcopy_user_huge_page(new_page, page, vmf->address,\n\t\t\t\t vma, HPAGE_PMD_NR);\n\t__SetPageUptodate(new_page);\n\n\tmmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,\n\t\t\t\thaddr, haddr + HPAGE_PMD_SIZE);\n\tmmu_notifier_invalidate_range_start(&range);\n\n\tspin_lock(vmf->ptl);\n\tif (page)\n\t\tput_page(page);\n\tif (unlikely(!pmd_same(*vmf->pmd, orig_pmd))) {\n\t\tspin_unlock(vmf->ptl);\n\t\tmem_cgroup_cancel_charge(new_page, memcg, true);\n\t\tput_page(new_page);\n\t\tgoto out_mn;\n\t} else {\n\t\tpmd_t entry;\n\t\tentry = mk_huge_pmd(new_page, vma->vm_page_prot);\n\t\tentry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);\n\t\tpmdp_huge_clear_flush_notify(vma, haddr, vmf->pmd);\n\t\tpage_add_new_anon_rmap(new_page, vma, haddr, true);\n\t\tmem_cgroup_commit_charge(new_page, memcg, false, true);\n\t\tlru_cache_add_active_or_unevictable(new_page, vma);\n\t\tset_pmd_at(vma->vm_mm, haddr, vmf->pmd, entry);\n\t\tupdate_mmu_cache_pmd(vma, vmf->address, vmf->pmd);\n\t\tif (!page) {\n\t\t\tadd_mm_counter(vma->vm_mm, MM_ANONPAGES, HPAGE_PMD_NR);\n\t\t} else {\n\t\t\tVM_BUG_ON_PAGE(!PageHead(page), page);\n\t\t\tpage_remove_rmap(page, true);\n\t\t\tput_page(page);\n\t\t}\n\t\tret |= 
VM_FAULT_WRITE;\n\t}\n\tspin_unlock(vmf->ptl);\nout_mn:\n\t/*\n\t * No need to double call mmu_notifier->invalidate_range() callback as\n\t * the above pmdp_huge_clear_flush_notify() did already call it.\n\t */\n\tmmu_notifier_invalidate_range_only_end(&range);\nout:\n\treturn ret;\nout_unlock:\n\tspin_unlock(vmf->ptl);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 251248643641509686843439954088131461450,
- "size": 141,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364165
- },
- {
- "func": "int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,\n\t\t pmd_t *dst_pmd, pmd_t *src_pmd, unsigned long addr,\n\t\t struct vm_area_struct *vma)\n{\n\tspinlock_t *dst_ptl, *src_ptl;\n\tstruct page *src_page;\n\tpmd_t pmd;\n\tpgtable_t pgtable = NULL;\n\tint ret = -ENOMEM;\n\n\t/* Skip if can be re-fill on fault */\n\tif (!vma_is_anonymous(vma))\n\t\treturn 0;\n\n\tpgtable = pte_alloc_one(dst_mm);\n\tif (unlikely(!pgtable))\n\t\tgoto out;\n\n\tdst_ptl = pmd_lock(dst_mm, dst_pmd);\n\tsrc_ptl = pmd_lockptr(src_mm, src_pmd);\n\tspin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);\n\n\tret = -EAGAIN;\n\tpmd = *src_pmd;\n\n\t/*\n\t * Make sure the _PAGE_UFFD_WP bit is cleared if the new VMA\n\t * does not have the VM_UFFD_WP, which means that the uffd\n\t * fork event is not enabled.\n\t */\n\tif (!(vma->vm_flags & VM_UFFD_WP))\n\t\tpmd = pmd_clear_uffd_wp(pmd);\n\n#ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION\n\tif (unlikely(is_swap_pmd(pmd))) {\n\t\tswp_entry_t entry = pmd_to_swp_entry(pmd);\n\n\t\tVM_BUG_ON(!is_pmd_migration_entry(pmd));\n\t\tif (is_write_migration_entry(entry)) {\n\t\t\tmake_migration_entry_read(&entry);\n\t\t\tpmd = swp_entry_to_pmd(entry);\n\t\t\tif (pmd_swp_soft_dirty(*src_pmd))\n\t\t\t\tpmd = pmd_swp_mksoft_dirty(pmd);\n\t\t\tset_pmd_at(src_mm, addr, src_pmd, pmd);\n\t\t}\n\t\tadd_mm_counter(dst_mm, MM_ANONPAGES, HPAGE_PMD_NR);\n\t\tmm_inc_nr_ptes(dst_mm);\n\t\tpgtable_trans_huge_deposit(dst_mm, dst_pmd, pgtable);\n\t\tset_pmd_at(dst_mm, addr, dst_pmd, pmd);\n\t\tret = 0;\n\t\tgoto out_unlock;\n\t}\n#endif\n\n\tif (unlikely(!pmd_trans_huge(pmd))) {\n\t\tpte_free(dst_mm, pgtable);\n\t\tgoto out_unlock;\n\t}\n\t/*\n\t * When page table lock is held, the huge zero pmd should not be\n\t * under splitting since we don't split the page itself, only pmd to\n\t * a page table.\n\t */\n\tif (is_huge_zero_pmd(pmd)) {\n\t\tstruct page *zero_page;\n\t\t/*\n\t\t * get_huge_zero_page() will never allocate a new page here,\n\t\t * since we 
already have a zero page to copy. It just takes a\n\t\t * reference.\n\t\t */\n\t\tzero_page = mm_get_huge_zero_page(dst_mm);\n\t\tset_huge_zero_page(pgtable, dst_mm, vma, addr, dst_pmd,\n\t\t\t\tzero_page);\n\t\tret = 0;\n\t\tgoto out_unlock;\n\t}\n\n\tsrc_page = pmd_page(pmd);\n\tVM_BUG_ON_PAGE(!PageHead(src_page), src_page);\n\tget_page(src_page);\n\tpage_dup_rmap(src_page, true);\n\tadd_mm_counter(dst_mm, MM_ANONPAGES, HPAGE_PMD_NR);\n\tmm_inc_nr_ptes(dst_mm);\n\tpgtable_trans_huge_deposit(dst_mm, dst_pmd, pgtable);\n\n\tpmdp_set_wrprotect(src_mm, addr, src_pmd);\n\tpmd = pmd_mkold(pmd_wrprotect(pmd));\n\tset_pmd_at(dst_mm, addr, dst_pmd, pmd);\n\n\tret = 0;\nout_unlock:\n\tspin_unlock(src_ptl);\n\tspin_unlock(dst_ptl);\nout:\n\treturn ret;\n}",
- "project": "linux",
- "hash": 103272740496478568545173712775090740691,
- "size": 96,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364174
- },
- {
- "func": "void remove_migration_pmd(struct page_vma_mapped_walk *pvmw, struct page *new)\n{\n\tstruct vm_area_struct *vma = pvmw->vma;\n\tstruct mm_struct *mm = vma->vm_mm;\n\tunsigned long address = pvmw->address;\n\tunsigned long mmun_start = address & HPAGE_PMD_MASK;\n\tpmd_t pmde;\n\tswp_entry_t entry;\n\n\tif (!(pvmw->pmd && !pvmw->pte))\n\t\treturn;\n\n\tentry = pmd_to_swp_entry(*pvmw->pmd);\n\tget_page(new);\n\tpmde = pmd_mkold(mk_huge_pmd(new, vma->vm_page_prot));\n\tif (pmd_swp_soft_dirty(*pvmw->pmd))\n\t\tpmde = pmd_mksoft_dirty(pmde);\n\tif (is_write_migration_entry(entry))\n\t\tpmde = maybe_pmd_mkwrite(pmde, vma);\n\n\tflush_cache_range(vma, mmun_start, mmun_start + HPAGE_PMD_SIZE);\n\tif (PageAnon(new))\n\t\tpage_add_anon_rmap(new, vma, mmun_start, true);\n\telse\n\t\tpage_add_file_rmap(new, true);\n\tset_pmd_at(mm, mmun_start, pvmw->pmd, pmde);\n\tif ((vma->vm_flags & VM_LOCKED) && !PageDoubleMap(new))\n\t\tmlock_vma_page(new);\n\tupdate_mmu_cache_pmd(vma, address, pvmw->pmd);\n}",
- "project": "linux",
- "hash": 19287154360258264912542134856683106514,
- "size": 30,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364175
- },
- {
- "func": "struct page *alloc_new_node_page(struct page *page, unsigned long node)\n{\n\tif (PageHuge(page))\n\t\treturn alloc_huge_page_node(page_hstate(compound_head(page)),\n\t\t\t\t\tnode);\n\telse if (PageTransHuge(page)) {\n\t\tstruct page *thp;\n\n\t\tthp = alloc_pages_node(node,\n\t\t\t(GFP_TRANSHUGE | __GFP_THISNODE),\n\t\t\tHPAGE_PMD_ORDER);\n\t\tif (!thp)\n\t\t\treturn NULL;\n\t\tprep_transhuge_page(thp);\n\t\treturn thp;\n\t} else\n\t\treturn __alloc_pages_node(node, GFP_HIGHUSER_MOVABLE |\n\t\t\t\t\t\t __GFP_THISNODE, 0);\n}",
- "project": "linux",
- "hash": 269550787845310994534123708151069293968,
- "size": 19,
- "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd",
- "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap <rdunlap@infradead.org>\nSigned-off-by: Andrew Morton <akpm@linux-foundation.org>\nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn <lee.schermerhorn@hp.com>\nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 366733
- },
- {
- "func": "static inline gfp_t alloc_hugepage_direct_gfpmask(struct vm_area_struct *vma)\n{\n\tconst bool vma_madvised = !!(vma->vm_flags & VM_HUGEPAGE);\n\n\t/* Always do synchronous compaction */\n\tif (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_DIRECT_FLAG, &transparent_hugepage_flags))\n\t\treturn GFP_TRANSHUGE | (vma_madvised ? 0 : __GFP_NORETRY);\n\n\t/* Kick kcompactd and fail quickly */\n\tif (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_FLAG, &transparent_hugepage_flags))\n\t\treturn GFP_TRANSHUGE_LIGHT | __GFP_KSWAPD_RECLAIM;\n\n\t/* Synchronous compaction if madvised, otherwise kick kcompactd */\n\tif (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_OR_MADV_FLAG, &transparent_hugepage_flags))\n\t\treturn GFP_TRANSHUGE_LIGHT |\n\t\t\t(vma_madvised ? __GFP_DIRECT_RECLAIM :\n\t\t\t\t\t__GFP_KSWAPD_RECLAIM);\n\n\t/* Only do synchronous compaction if madvised */\n\tif (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG, &transparent_hugepage_flags))\n\t\treturn GFP_TRANSHUGE_LIGHT |\n\t\t (vma_madvised ? __GFP_DIRECT_RECLAIM : 0);\n\n\treturn GFP_TRANSHUGE_LIGHT;\n}",
- "project": "linux",
- "hash": 90840456381970735333293333930027885597,
- "size": 25,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364179
- },
- {
- "func": "vm_fault_t do_huge_pmd_anonymous_page(struct vm_fault *vmf)\n{\n\tstruct vm_area_struct *vma = vmf->vma;\n\tgfp_t gfp;\n\tstruct page *page;\n\tunsigned long haddr = vmf->address & HPAGE_PMD_MASK;\n\n\tif (!transhuge_vma_suitable(vma, haddr))\n\t\treturn VM_FAULT_FALLBACK;\n\tif (unlikely(anon_vma_prepare(vma)))\n\t\treturn VM_FAULT_OOM;\n\tif (unlikely(khugepaged_enter(vma, vma->vm_flags)))\n\t\treturn VM_FAULT_OOM;\n\tif (!(vmf->flags & FAULT_FLAG_WRITE) &&\n\t\t\t!mm_forbids_zeropage(vma->vm_mm) &&\n\t\t\ttransparent_hugepage_use_zero_page()) {\n\t\tpgtable_t pgtable;\n\t\tstruct page *zero_page;\n\t\tbool set;\n\t\tvm_fault_t ret;\n\t\tpgtable = pte_alloc_one(vma->vm_mm);\n\t\tif (unlikely(!pgtable))\n\t\t\treturn VM_FAULT_OOM;\n\t\tzero_page = mm_get_huge_zero_page(vma->vm_mm);\n\t\tif (unlikely(!zero_page)) {\n\t\t\tpte_free(vma->vm_mm, pgtable);\n\t\t\tcount_vm_event(THP_FAULT_FALLBACK);\n\t\t\treturn VM_FAULT_FALLBACK;\n\t\t}\n\t\tvmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);\n\t\tret = 0;\n\t\tset = false;\n\t\tif (pmd_none(*vmf->pmd)) {\n\t\t\tret = check_stable_address_space(vma->vm_mm);\n\t\t\tif (ret) {\n\t\t\t\tspin_unlock(vmf->ptl);\n\t\t\t} else if (userfaultfd_missing(vma)) {\n\t\t\t\tspin_unlock(vmf->ptl);\n\t\t\t\tret = handle_userfault(vmf, VM_UFFD_MISSING);\n\t\t\t\tVM_BUG_ON(ret & VM_FAULT_FALLBACK);\n\t\t\t} else {\n\t\t\t\tset_huge_zero_page(pgtable, vma->vm_mm, vma,\n\t\t\t\t\t\t haddr, vmf->pmd, zero_page);\n\t\t\t\tspin_unlock(vmf->ptl);\n\t\t\t\tset = true;\n\t\t\t}\n\t\t} else\n\t\t\tspin_unlock(vmf->ptl);\n\t\tif (!set)\n\t\t\tpte_free(vma->vm_mm, pgtable);\n\t\treturn ret;\n\t}\n\tgfp = alloc_hugepage_direct_gfpmask(vma);\n\tpage = alloc_hugepage_vma(gfp, vma, haddr, HPAGE_PMD_ORDER);\n\tif (unlikely(!page)) {\n\t\tcount_vm_event(THP_FAULT_FALLBACK);\n\t\treturn VM_FAULT_FALLBACK;\n\t}\n\tprep_transhuge_page(page);\n\treturn __do_huge_pmd_anonymous_page(vmf, page, gfp);\n}",
- "project": "linux",
- "hash": 307922489138449253324634289520844340954,
- "size": 61,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364189
- },
- {
- "func": "void prep_transhuge_page(struct page *page)\n{\n\t/*\n\t * we use page->mapping and page->indexlru in second tail page\n\t * as list_head: assuming THP order >= 2\n\t */\n\n\tINIT_LIST_HEAD(page_deferred_list(page));\n\tset_compound_page_dtor(page, TRANSHUGE_PAGE_DTOR);\n}",
- "project": "linux",
- "hash": 36251465554535299360952724868793398443,
- "size": 10,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364122
- },
- {
- "func": "static bool set_huge_zero_page(pgtable_t pgtable, struct mm_struct *mm,\n\t\tstruct vm_area_struct *vma, unsigned long haddr, pmd_t *pmd,\n\t\tstruct page *zero_page)\n{\n\tpmd_t entry;\n\tif (!pmd_none(*pmd))\n\t\treturn false;\n\tentry = mk_pmd(zero_page, vma->vm_page_prot);\n\tentry = pmd_mkhuge(entry);\n\tif (pgtable)\n\t\tpgtable_trans_huge_deposit(mm, pmd, pgtable);\n\tset_pmd_at(mm, haddr, pmd, entry);\n\tmm_inc_nr_ptes(mm);\n\treturn true;\n}",
- "project": "linux",
- "hash": 214089667157610661978204254094844907808,
- "size": 15,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364135
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "update_recv_secondary_order",
- "update_read_cache_bitmap_v3_order",
- "free_cache_bitmap_v3_order"
- ],
- "group_size": 13,
- "functions": [
- {
- "func": "CACHE_BITMAP_V2_ORDER* copy_cache_bitmap_v2_order(rdpContext* context,\n const CACHE_BITMAP_V2_ORDER* order)\n{\n\tCACHE_BITMAP_V2_ORDER* dst = calloc(1, sizeof(CACHE_BITMAP_V2_ORDER));\n\n\tif (!dst || !order)\n\t\tgoto fail;\n\n\t*dst = *order;\n\n\tif (order->bitmapLength > 0)\n\t{\n\t\tdst->bitmapDataStream = malloc(order->bitmapLength);\n\n\t\tif (!dst->bitmapDataStream)\n\t\t\tgoto fail;\n\n\t\tmemcpy(dst->bitmapDataStream, order->bitmapDataStream, order->bitmapLength);\n\t}\n\n\treturn dst;\nfail:\n\tfree_cache_bitmap_v2_order(context, dst);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 296333061998125916548086785090753340020,
- "size": 25,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269202
- },
- {
- "func": "static CACHE_BITMAP_V3_ORDER* update_read_cache_bitmap_v3_order(rdpUpdate* update, wStream* s,\n UINT16 flags)\n{\n\tBYTE bitsPerPixelId;\n\tBITMAP_DATA_EX* bitmapData;\n\tUINT32 new_len;\n\tBYTE* new_data;\n\tCACHE_BITMAP_V3_ORDER* cache_bitmap_v3;\n\n\tif (!update || !s)\n\t\treturn NULL;\n\n\tcache_bitmap_v3 = calloc(1, sizeof(CACHE_BITMAP_V3_ORDER));\n\n\tif (!cache_bitmap_v3)\n\t\tgoto fail;\n\n\tcache_bitmap_v3->cacheId = flags & 0x00000003;\n\tcache_bitmap_v3->flags = (flags & 0x0000FF80) >> 7;\n\tbitsPerPixelId = (flags & 0x00000078) >> 3;\n\tcache_bitmap_v3->bpp = CBR23_BPP[bitsPerPixelId];\n\n\tif (Stream_GetRemainingLength(s) < 21)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, cache_bitmap_v3->cacheIndex); /* cacheIndex (2 bytes) */\n\tStream_Read_UINT32(s, cache_bitmap_v3->key1); /* key1 (4 bytes) */\n\tStream_Read_UINT32(s, cache_bitmap_v3->key2); /* key2 (4 bytes) */\n\tbitmapData = &cache_bitmap_v3->bitmapData;\n\tStream_Read_UINT8(s, bitmapData->bpp);\n\n\tif ((bitmapData->bpp < 1) || (bitmapData->bpp > 32))\n\t{\n\t\tWLog_Print(update->log, WLOG_ERROR, \"invalid bpp value %\" PRIu32 \"\", bitmapData->bpp);\n\t\tgoto fail;\n\t}\n\n\tStream_Seek_UINT8(s); /* reserved1 (1 byte) */\n\tStream_Seek_UINT8(s); /* reserved2 (1 byte) */\n\tStream_Read_UINT8(s, bitmapData->codecID); /* codecID (1 byte) */\n\tStream_Read_UINT16(s, bitmapData->width); /* width (2 bytes) */\n\tStream_Read_UINT16(s, bitmapData->height); /* height (2 bytes) */\n\tStream_Read_UINT32(s, new_len); /* length (4 bytes) */\n\n\tif (Stream_GetRemainingLength(s) < new_len)\n\t\tgoto fail;\n\n\tnew_data = (BYTE*)realloc(bitmapData->data, new_len);\n\n\tif (!new_data)\n\t\tgoto fail;\n\n\tbitmapData->data = new_data;\n\tbitmapData->length = new_len;\n\tStream_Read(s, bitmapData->data, bitmapData->length);\n\treturn cache_bitmap_v3;\nfail:\n\tfree_cache_bitmap_v3_order(update->context, cache_bitmap_v3);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 291583708128739086368313518907899263999,
- "size": 60,
- "commit_id": "67c2aa52b2ae0341d469071d1bc8aab91f8d2ed8",
- "message": "Fixed #6013: Check new length is > 0",
- "target": 1,
- "dataset": "other",
- "idx": 212441
- },
- {
- "func": "static CACHE_BITMAP_V3_ORDER* update_read_cache_bitmap_v3_order(rdpUpdate* update, wStream* s,\n UINT16 flags)\n{\n\tBYTE bitsPerPixelId;\n\tBITMAP_DATA_EX* bitmapData;\n\tUINT32 new_len;\n\tBYTE* new_data;\n\tCACHE_BITMAP_V3_ORDER* cache_bitmap_v3;\n\n\tif (!update || !s)\n\t\treturn NULL;\n\n\tcache_bitmap_v3 = calloc(1, sizeof(CACHE_BITMAP_V3_ORDER));\n\n\tif (!cache_bitmap_v3)\n\t\tgoto fail;\n\n\tcache_bitmap_v3->cacheId = flags & 0x00000003;\n\tcache_bitmap_v3->flags = (flags & 0x0000FF80) >> 7;\n\tbitsPerPixelId = (flags & 0x00000078) >> 3;\n\tcache_bitmap_v3->bpp = CBR23_BPP[bitsPerPixelId];\n\n\tif (Stream_GetRemainingLength(s) < 21)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, cache_bitmap_v3->cacheIndex); /* cacheIndex (2 bytes) */\n\tStream_Read_UINT32(s, cache_bitmap_v3->key1); /* key1 (4 bytes) */\n\tStream_Read_UINT32(s, cache_bitmap_v3->key2); /* key2 (4 bytes) */\n\tbitmapData = &cache_bitmap_v3->bitmapData;\n\tStream_Read_UINT8(s, bitmapData->bpp);\n\n\tif ((bitmapData->bpp < 1) || (bitmapData->bpp > 32))\n\t{\n\t\tWLog_Print(update->log, WLOG_ERROR, \"invalid bpp value %\" PRIu32 \"\", bitmapData->bpp);\n\t\tgoto fail;\n\t}\n\n\tStream_Seek_UINT8(s); /* reserved1 (1 byte) */\n\tStream_Seek_UINT8(s); /* reserved2 (1 byte) */\n\tStream_Read_UINT8(s, bitmapData->codecID); /* codecID (1 byte) */\n\tStream_Read_UINT16(s, bitmapData->width); /* width (2 bytes) */\n\tStream_Read_UINT16(s, bitmapData->height); /* height (2 bytes) */\n\tStream_Read_UINT32(s, new_len); /* length (4 bytes) */\n\n\tif ((new_len == 0) || (Stream_GetRemainingLength(s) < new_len))\n\t\tgoto fail;\n\n\tnew_data = (BYTE*)realloc(bitmapData->data, new_len);\n\n\tif (!new_data)\n\t\tgoto fail;\n\n\tbitmapData->data = new_data;\n\tbitmapData->length = new_len;\n\tStream_Read(s, bitmapData->data, bitmapData->length);\n\treturn cache_bitmap_v3;\nfail:\n\tfree_cache_bitmap_v3_order(update->context, cache_bitmap_v3);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 77696160753710370793899447687850386826,
- "size": 60,
- "commit_id": "b8beb55913471952f92770c90c372139d78c16c0",
- "message": "Fixed OOB read in update_read_cache_bitmap_v3_order\n\nCVE-2020-11096 thanks @antonio-morales for finding this.",
- "target": 1,
- "dataset": "other",
- "idx": 213355
- },
- {
- "func": "void free_cache_bitmap_v2_order(rdpContext* context, CACHE_BITMAP_V2_ORDER* order)\n{\n\tif (order)\n\t\tfree(order->bitmapDataStream);\n\n\tfree(order);\n}",
- "project": "FreeRDP",
- "hash": 221767611266004245152449704276202565310,
- "size": 7,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269194
- },
- {
- "func": "void free_cache_glyph_order(rdpContext* context, CACHE_GLYPH_ORDER* glyph)\n{\n\tif (glyph)\n\t{\n\t\tsize_t x;\n\n\t\tfor (x = 0; x < ARRAYSIZE(glyph->glyphData); x++)\n\t\t\tfree(glyph->glyphData[x].aj);\n\n\t\tfree(glyph->unicodeCharacters);\n\t}\n\n\tfree(glyph);\n}",
- "project": "FreeRDP",
- "hash": 205192972806593312026876061649317866446,
- "size": 14,
- "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d",
- "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.",
- "target": 0,
- "dataset": "other",
- "idx": 432855
- },
- {
- "func": "CACHE_GLYPH_V2_ORDER* copy_cache_glyph_v2_order(rdpContext* context,\n const CACHE_GLYPH_V2_ORDER* glyph)\n{\n\tsize_t x;\n\tCACHE_GLYPH_V2_ORDER* dst = calloc(1, sizeof(CACHE_GLYPH_V2_ORDER));\n\n\tif (!dst || !glyph)\n\t\tgoto fail;\n\n\t*dst = *glyph;\n\n\tfor (x = 0; x < glyph->cGlyphs; x++)\n\t{\n\t\tconst GLYPH_DATA_V2* src = &glyph->glyphData[x];\n\t\tGLYPH_DATA_V2* data = &dst->glyphData[x];\n\n\t\tif (src->aj)\n\t\t{\n\t\t\tconst size_t size = src->cb;\n\t\t\tdata->aj = malloc(size);\n\n\t\t\tif (!data->aj)\n\t\t\t\tgoto fail;\n\n\t\t\tmemcpy(data->aj, src->aj, size);\n\t\t}\n\t}\n\n\tif (glyph->unicodeCharacters)\n\t{\n\t\tif (glyph->cGlyphs == 0)\n\t\t\tgoto fail;\n\n\t\tdst->unicodeCharacters = calloc(glyph->cGlyphs, sizeof(WCHAR));\n\n\t\tif (!dst->unicodeCharacters)\n\t\t\tgoto fail;\n\n\t\tmemcpy(dst->unicodeCharacters, glyph->unicodeCharacters, sizeof(WCHAR) * glyph->cGlyphs);\n\t}\n\n\treturn dst;\nfail:\n\tfree_cache_glyph_v2_order(context, dst);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 332058525179374455367826884199598206629,
- "size": 46,
- "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d",
- "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.",
- "target": 0,
- "dataset": "other",
- "idx": 432853
- },
- {
- "func": "void free_cache_glyph_v2_order(rdpContext* context, CACHE_GLYPH_V2_ORDER* glyph)\n{\n\tif (glyph)\n\t{\n\t\tsize_t x;\n\n\t\tfor (x = 0; x < ARRAYSIZE(glyph->glyphData); x++)\n\t\t\tfree(glyph->glyphData[x].aj);\n\n\t\tfree(glyph->unicodeCharacters);\n\t}\n\n\tfree(glyph);\n}",
- "project": "FreeRDP",
- "hash": 95326473378522169881435832165778710407,
- "size": 14,
- "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d",
- "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.",
- "target": 0,
- "dataset": "other",
- "idx": 432862
- },
- {
- "func": "CACHE_BITMAP_ORDER* copy_cache_bitmap_order(rdpContext* context, const CACHE_BITMAP_ORDER* order)\n{\n\tCACHE_BITMAP_ORDER* dst = calloc(1, sizeof(CACHE_BITMAP_ORDER));\n\n\tif (!dst || !order)\n\t\tgoto fail;\n\n\t*dst = *order;\n\n\tif (order->bitmapLength > 0)\n\t{\n\t\tdst->bitmapDataStream = malloc(order->bitmapLength);\n\n\t\tif (!dst->bitmapDataStream)\n\t\t\tgoto fail;\n\n\t\tmemcpy(dst->bitmapDataStream, order->bitmapDataStream, order->bitmapLength);\n\t}\n\n\treturn dst;\nfail:\n\tfree_cache_bitmap_order(context, dst);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 194015093638480048603004532078545000067,
- "size": 24,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269191
- },
- {
- "func": "static BOOL update_recv_secondary_order(rdpUpdate* update, wStream* s, BYTE flags)\n{\n\tBOOL rc = FALSE;\n\tBYTE* next;\n\tBYTE orderType;\n\tUINT16 extraFlags;\n\tUINT16 orderLength;\n\trdpContext* context = update->context;\n\trdpSettings* settings = context->settings;\n\trdpSecondaryUpdate* secondary = update->secondary;\n\tconst char* name;\n\n\tif (Stream_GetRemainingLength(s) < 5)\n\t{\n\t\tWLog_Print(update->log, WLOG_ERROR, \"Stream_GetRemainingLength(s) < 5\");\n\t\treturn FALSE;\n\t}\n\n\tStream_Read_UINT16(s, orderLength); /* orderLength (2 bytes) */\n\tStream_Read_UINT16(s, extraFlags); /* extraFlags (2 bytes) */\n\tStream_Read_UINT8(s, orderType); /* orderType (1 byte) */\n\tnext = Stream_Pointer(s) + ((INT16)orderLength) + 7;\n\tname = secondary_order_string(orderType);\n\tWLog_Print(update->log, WLOG_DEBUG, \"Secondary Drawing Order %s\", name);\n\n\tif (!check_secondary_order_supported(update->log, settings, orderType, name))\n\t\treturn FALSE;\n\n\tswitch (orderType)\n\t{\n\t\tcase ORDER_TYPE_BITMAP_UNCOMPRESSED:\n\t\tcase ORDER_TYPE_CACHE_BITMAP_COMPRESSED:\n\t\t{\n\t\t\tconst BOOL compressed = (orderType == ORDER_TYPE_CACHE_BITMAP_COMPRESSED);\n\t\t\tCACHE_BITMAP_ORDER* order =\n\t\t\t update_read_cache_bitmap_order(update, s, compressed, extraFlags);\n\n\t\t\tif (order)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, secondary->CacheBitmap, context, order);\n\t\t\t\tfree_cache_bitmap_order(context, order);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase ORDER_TYPE_BITMAP_UNCOMPRESSED_V2:\n\t\tcase ORDER_TYPE_BITMAP_COMPRESSED_V2:\n\t\t{\n\t\t\tconst BOOL compressed = (orderType == ORDER_TYPE_BITMAP_COMPRESSED_V2);\n\t\t\tCACHE_BITMAP_V2_ORDER* order =\n\t\t\t update_read_cache_bitmap_v2_order(update, s, compressed, extraFlags);\n\n\t\t\tif (order)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, secondary->CacheBitmapV2, context, order);\n\t\t\t\tfree_cache_bitmap_v2_order(context, order);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase 
ORDER_TYPE_BITMAP_COMPRESSED_V3:\n\t\t{\n\t\t\tCACHE_BITMAP_V3_ORDER* order = update_read_cache_bitmap_v3_order(update, s, extraFlags);\n\n\t\t\tif (order)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, secondary->CacheBitmapV3, context, order);\n\t\t\t\tfree_cache_bitmap_v3_order(context, order);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase ORDER_TYPE_CACHE_COLOR_TABLE:\n\t\t{\n\t\t\tCACHE_COLOR_TABLE_ORDER* order =\n\t\t\t update_read_cache_color_table_order(update, s, extraFlags);\n\n\t\t\tif (order)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, secondary->CacheColorTable, context, order);\n\t\t\t\tfree_cache_color_table_order(context, order);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase ORDER_TYPE_CACHE_GLYPH:\n\t\t{\n\t\t\tswitch (settings->GlyphSupportLevel)\n\t\t\t{\n\t\t\t\tcase GLYPH_SUPPORT_PARTIAL:\n\t\t\t\tcase GLYPH_SUPPORT_FULL:\n\t\t\t\t{\n\t\t\t\t\tCACHE_GLYPH_ORDER* order = update_read_cache_glyph_order(update, s, extraFlags);\n\n\t\t\t\t\tif (order)\n\t\t\t\t\t{\n\t\t\t\t\t\trc = IFCALLRESULT(FALSE, secondary->CacheGlyph, context, order);\n\t\t\t\t\t\tfree_cache_glyph_order(context, order);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\t\tcase GLYPH_SUPPORT_ENCODE:\n\t\t\t\t{\n\t\t\t\t\tCACHE_GLYPH_V2_ORDER* order =\n\t\t\t\t\t update_read_cache_glyph_v2_order(update, s, extraFlags);\n\n\t\t\t\t\tif (order)\n\t\t\t\t\t{\n\t\t\t\t\t\trc = IFCALLRESULT(FALSE, secondary->CacheGlyphV2, context, order);\n\t\t\t\t\t\tfree_cache_glyph_v2_order(context, order);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\t\tcase GLYPH_SUPPORT_NONE:\n\t\t\t\tdefault:\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase ORDER_TYPE_CACHE_BRUSH:\n\t\t\t/* [MS-RDPEGDI] 2.2.2.2.1.2.7 Cache Brush (CACHE_BRUSH_ORDER) */\n\t\t\t{\n\t\t\t\tCACHE_BRUSH_ORDER* order = update_read_cache_brush_order(update, s, extraFlags);\n\n\t\t\t\tif (order)\n\t\t\t\t{\n\t\t\t\t\trc = IFCALLRESULT(FALSE, secondary->CacheBrush, context, order);\n\t\t\t\t\tfree_cache_brush_order(context, 
order);\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tWLog_Print(update->log, WLOG_WARN, \"SECONDARY ORDER %s not supported\", name);\n\t\t\tbreak;\n\t}\n\n\tif (!rc)\n\t{\n\t\tWLog_Print(update->log, WLOG_ERROR, \"SECONDARY ORDER %s failed\", name);\n\t}\n\n\tStream_SetPointer(s, next);\n\treturn rc;\n}",
- "project": "FreeRDP",
- "hash": 156867765287874217204946411442748727742,
- "size": 148,
- "commit_id": "192856cb59974ee4d7d3e72cbeafa676aa7565cf",
- "message": "Fixed #6012: CVE-2020-11526: Out of bounds read in update_recv_orders\n\nThanks to @hac425xxx and Sunglin and HuanGMz from Knownsec 404",
- "target": 1,
- "dataset": "other",
- "idx": 207756
- },
- {
- "func": "CACHE_BITMAP_V3_ORDER* copy_cache_bitmap_v3_order(rdpContext* context,\n const CACHE_BITMAP_V3_ORDER* order)\n{\n\tCACHE_BITMAP_V3_ORDER* dst = calloc(1, sizeof(CACHE_BITMAP_V3_ORDER));\n\n\tif (!dst || !order)\n\t\tgoto fail;\n\n\t*dst = *order;\n\n\tif (order->bitmapData.length > 0)\n\t{\n\t\tdst->bitmapData.data = malloc(order->bitmapData.length);\n\n\t\tif (!dst->bitmapData.data)\n\t\t\tgoto fail;\n\n\t\tmemcpy(dst->bitmapData.data, order->bitmapData.data, order->bitmapData.length);\n\t}\n\n\treturn dst;\nfail:\n\tfree_cache_bitmap_v3_order(context, dst);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 210881049528549885989360453768631656819,
- "size": 25,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269198
- },
- {
- "func": "void free_cache_bitmap_order(rdpContext* context, CACHE_BITMAP_ORDER* order)\n{\n\tif (order)\n\t\tfree(order->bitmapDataStream);\n\n\tfree(order);\n}",
- "project": "FreeRDP",
- "hash": 37091885076933477361756036580488597291,
- "size": 7,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269197
- },
- {
- "func": "void free_cache_bitmap_v3_order(rdpContext* context, CACHE_BITMAP_V3_ORDER* order)\n{\n\tif (order)\n\t\tfree(order->bitmapData.data);\n\n\tfree(order);\n}",
- "project": "FreeRDP",
- "hash": 169573674798552902886578508623593668300,
- "size": 7,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269193
- },
- {
- "func": "CACHE_GLYPH_ORDER* copy_cache_glyph_order(rdpContext* context, const CACHE_GLYPH_ORDER* glyph)\n{\n\tsize_t x;\n\tCACHE_GLYPH_ORDER* dst = calloc(1, sizeof(CACHE_GLYPH_ORDER));\n\n\tif (!dst || !glyph)\n\t\tgoto fail;\n\n\t*dst = *glyph;\n\n\tfor (x = 0; x < glyph->cGlyphs; x++)\n\t{\n\t\tconst GLYPH_DATA* src = &glyph->glyphData[x];\n\t\tGLYPH_DATA* data = &dst->glyphData[x];\n\n\t\tif (src->aj)\n\t\t{\n\t\t\tconst size_t size = src->cb;\n\t\t\tdata->aj = malloc(size);\n\n\t\t\tif (!data->aj)\n\t\t\t\tgoto fail;\n\n\t\t\tmemcpy(data->aj, src->aj, size);\n\t\t}\n\t}\n\n\tif (glyph->unicodeCharacters)\n\t{\n\t\tif (glyph->cGlyphs == 0)\n\t\t\tgoto fail;\n\n\t\tdst->unicodeCharacters = calloc(glyph->cGlyphs, sizeof(WCHAR));\n\n\t\tif (!dst->unicodeCharacters)\n\t\t\tgoto fail;\n\n\t\tmemcpy(dst->unicodeCharacters, glyph->unicodeCharacters, sizeof(WCHAR) * glyph->cGlyphs);\n\t}\n\n\treturn dst;\nfail:\n\tfree_cache_glyph_order(context, dst);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 134562887397399806706260166032444547857,
- "size": 45,
- "commit_id": "c0fd449ec0870b050d350d6d844b1ea6dad4bc7d",
- "message": "Fixed Out-of-bound read in glyph_cache_put\n\nCVE-2020-11098 thanks to @antonio-morales for finding this.",
- "target": 0,
- "dataset": "other",
- "idx": 432865
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "xdp_umem_release_deferred",
- "xdp_umem_release",
- "xdp_umem_clear_dev",
- "xdp_clear_umem_at_qid"
- ],
- "group_size": 14,
- "functions": [
- {
- "func": "static int xdp_umem_account_pages(struct xdp_umem *umem)\n{\n\tunsigned long lock_limit, new_npgs, old_npgs;\n\n\tif (capable(CAP_IPC_LOCK))\n\t\treturn 0;\n\n\tlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;\n\tumem->user = get_uid(current_user());\n\n\tdo {\n\t\told_npgs = atomic_long_read(&umem->user->locked_vm);\n\t\tnew_npgs = old_npgs + umem->npgs;\n\t\tif (new_npgs > lock_limit) {\n\t\t\tfree_uid(umem->user);\n\t\t\tumem->user = NULL;\n\t\t\treturn -ENOBUFS;\n\t\t}\n\t} while (atomic_long_cmpxchg(&umem->user->locked_vm, old_npgs,\n\t\t\t\t new_npgs) != old_npgs);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 268538672441488282436843170881902415474,
- "size": 22,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364111
- },
- {
- "func": "static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)\n{\n\tbool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG;\n\tu32 chunk_size = mr->chunk_size, headroom = mr->headroom;\n\tunsigned int chunks, chunks_per_page;\n\tu64 addr = mr->addr, size = mr->len;\n\tint size_chk, err;\n\n\tif (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {\n\t\t/* Strictly speaking we could support this, if:\n\t\t * - huge pages, or*\n\t\t * - using an IOMMU, or\n\t\t * - making sure the memory area is consecutive\n\t\t * but for now, we simply say \"computer says no\".\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\tif (mr->flags & ~(XDP_UMEM_UNALIGNED_CHUNK_FLAG |\n\t\t\tXDP_UMEM_USES_NEED_WAKEUP))\n\t\treturn -EINVAL;\n\n\tif (!unaligned_chunks && !is_power_of_2(chunk_size))\n\t\treturn -EINVAL;\n\n\tif (!PAGE_ALIGNED(addr)) {\n\t\t/* Memory area has to be page size aligned. For\n\t\t * simplicity, this might change.\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\tif ((addr + size) < addr)\n\t\treturn -EINVAL;\n\n\tchunks = (unsigned int)div_u64(size, chunk_size);\n\tif (chunks == 0)\n\t\treturn -EINVAL;\n\n\tif (!unaligned_chunks) {\n\t\tchunks_per_page = PAGE_SIZE / chunk_size;\n\t\tif (chunks < chunks_per_page || chunks % chunks_per_page)\n\t\t\treturn -EINVAL;\n\t}\n\n\tsize_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;\n\tif (size_chk < 0)\n\t\treturn -EINVAL;\n\n\tumem->address = (unsigned long)addr;\n\tumem->chunk_mask = unaligned_chunks ? 
XSK_UNALIGNED_BUF_ADDR_MASK\n\t\t\t\t\t : ~((u64)chunk_size - 1);\n\tumem->size = size;\n\tumem->headroom = headroom;\n\tumem->chunk_size_nohr = chunk_size - headroom;\n\tumem->npgs = size / PAGE_SIZE;\n\tumem->pgs = NULL;\n\tumem->user = NULL;\n\tumem->flags = mr->flags;\n\tINIT_LIST_HEAD(&umem->xsk_list);\n\tspin_lock_init(&umem->xsk_list_lock);\n\n\trefcount_set(&umem->users, 1);\n\n\terr = xdp_umem_account_pages(umem);\n\tif (err)\n\t\treturn err;\n\n\terr = xdp_umem_pin_pages(umem);\n\tif (err)\n\t\tgoto out_account;\n\n\tumem->pages = kvcalloc(umem->npgs, sizeof(*umem->pages),\n\t\t\t GFP_KERNEL_ACCOUNT);\n\tif (!umem->pages) {\n\t\terr = -ENOMEM;\n\t\tgoto out_pin;\n\t}\n\n\terr = xdp_umem_map_pages(umem);\n\tif (!err)\n\t\treturn 0;\n\n\tkvfree(umem->pages);\n\nout_pin:\n\txdp_umem_unpin_pages(umem);\nout_account:\n\txdp_umem_unaccount_pages(umem);\n\treturn err;\n}",
- "project": "linux",
- "hash": 269028637877237764370672455302491205384,
- "size": 91,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 1,
- "dataset": "other",
- "idx": 204723
- },
- {
- "func": "static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)\n{\n\tbool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG;\n\tu32 chunk_size = mr->chunk_size, headroom = mr->headroom;\n\tunsigned int chunks, chunks_per_page;\n\tu64 addr = mr->addr, size = mr->len;\n\tint err;\n\n\tif (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {\n\t\t/* Strictly speaking we could support this, if:\n\t\t * - huge pages, or*\n\t\t * - using an IOMMU, or\n\t\t * - making sure the memory area is consecutive\n\t\t * but for now, we simply say \"computer says no\".\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\tif (mr->flags & ~(XDP_UMEM_UNALIGNED_CHUNK_FLAG |\n\t\t\tXDP_UMEM_USES_NEED_WAKEUP))\n\t\treturn -EINVAL;\n\n\tif (!unaligned_chunks && !is_power_of_2(chunk_size))\n\t\treturn -EINVAL;\n\n\tif (!PAGE_ALIGNED(addr)) {\n\t\t/* Memory area has to be page size aligned. For\n\t\t * simplicity, this might change.\n\t\t */\n\t\treturn -EINVAL;\n\t}\n\n\tif ((addr + size) < addr)\n\t\treturn -EINVAL;\n\n\tchunks = (unsigned int)div_u64(size, chunk_size);\n\tif (chunks == 0)\n\t\treturn -EINVAL;\n\n\tif (!unaligned_chunks) {\n\t\tchunks_per_page = PAGE_SIZE / chunk_size;\n\t\tif (chunks < chunks_per_page || chunks % chunks_per_page)\n\t\t\treturn -EINVAL;\n\t}\n\n\tif (headroom >= chunk_size - XDP_PACKET_HEADROOM)\n\t\treturn -EINVAL;\n\n\tumem->address = (unsigned long)addr;\n\tumem->chunk_mask = unaligned_chunks ? 
XSK_UNALIGNED_BUF_ADDR_MASK\n\t\t\t\t\t : ~((u64)chunk_size - 1);\n\tumem->size = size;\n\tumem->headroom = headroom;\n\tumem->chunk_size_nohr = chunk_size - headroom;\n\tumem->npgs = size / PAGE_SIZE;\n\tumem->pgs = NULL;\n\tumem->user = NULL;\n\tumem->flags = mr->flags;\n\tINIT_LIST_HEAD(&umem->xsk_list);\n\tspin_lock_init(&umem->xsk_list_lock);\n\n\trefcount_set(&umem->users, 1);\n\n\terr = xdp_umem_account_pages(umem);\n\tif (err)\n\t\treturn err;\n\n\terr = xdp_umem_pin_pages(umem);\n\tif (err)\n\t\tgoto out_account;\n\n\tumem->pages = kvcalloc(umem->npgs, sizeof(*umem->pages),\n\t\t\t GFP_KERNEL_ACCOUNT);\n\tif (!umem->pages) {\n\t\terr = -ENOMEM;\n\t\tgoto out_pin;\n\t}\n\n\terr = xdp_umem_map_pages(umem);\n\tif (!err)\n\t\treturn 0;\n\n\tkvfree(umem->pages);\n\nout_pin:\n\txdp_umem_unpin_pages(umem);\nout_account:\n\txdp_umem_unaccount_pages(umem);\n\treturn err;\n}",
- "project": "linux",
- "hash": 42054657955985470671897377670619516821,
- "size": 90,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364107
- },
- {
- "func": "static void xdp_umem_release(struct xdp_umem *umem)\n{\n\trtnl_lock();\n\txdp_umem_clear_dev(umem);\n\trtnl_unlock();\n\n\tida_simple_remove(&umem_ida, umem->id);\n\n\tif (umem->fq) {\n\t\txskq_destroy(umem->fq);\n\t\tumem->fq = NULL;\n\t}\n\n\tif (umem->cq) {\n\t\txskq_destroy(umem->cq);\n\t\tumem->cq = NULL;\n\t}\n\n\txsk_reuseq_destroy(umem);\n\n\txdp_umem_unmap_pages(umem);\n\txdp_umem_unpin_pages(umem);\n\n\tkvfree(umem->pages);\n\tumem->pages = NULL;\n\n\txdp_umem_unaccount_pages(umem);\n\tkfree(umem);\n}",
- "project": "linux",
- "hash": 217396931244922685619923757724925916399,
- "size": 29,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364104
- },
- {
- "func": "static void xdp_umem_unaccount_pages(struct xdp_umem *umem)\n{\n\tif (umem->user) {\n\t\tatomic_long_sub(umem->npgs, &umem->user->locked_vm);\n\t\tfree_uid(umem->user);\n\t}\n}",
- "project": "linux",
- "hash": 247610559453453652885989910169467502202,
- "size": 7,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364102
- },
- {
- "func": "int xdp_umem_assign_dev(struct xdp_umem *umem, struct net_device *dev,\n\t\t\tu16 queue_id, u16 flags)\n{\n\tbool force_zc, force_copy;\n\tstruct netdev_bpf bpf;\n\tint err = 0;\n\n\tASSERT_RTNL();\n\n\tforce_zc = flags & XDP_ZEROCOPY;\n\tforce_copy = flags & XDP_COPY;\n\n\tif (force_zc && force_copy)\n\t\treturn -EINVAL;\n\n\tif (xdp_get_umem_from_qid(dev, queue_id))\n\t\treturn -EBUSY;\n\n\terr = xdp_reg_umem_at_qid(dev, umem, queue_id);\n\tif (err)\n\t\treturn err;\n\n\tumem->dev = dev;\n\tumem->queue_id = queue_id;\n\n\tif (flags & XDP_USE_NEED_WAKEUP) {\n\t\tumem->flags |= XDP_UMEM_USES_NEED_WAKEUP;\n\t\t/* Tx needs to be explicitly woken up the first time.\n\t\t * Also for supporting drivers that do not implement this\n\t\t * feature. They will always have to call sendto().\n\t\t */\n\t\txsk_set_tx_need_wakeup(umem);\n\t}\n\n\tdev_hold(dev);\n\n\tif (force_copy)\n\t\t/* For copy-mode, we are done. */\n\t\treturn 0;\n\n\tif (!dev->netdev_ops->ndo_bpf || !dev->netdev_ops->ndo_xsk_wakeup) {\n\t\terr = -EOPNOTSUPP;\n\t\tgoto err_unreg_umem;\n\t}\n\n\tbpf.command = XDP_SETUP_XSK_UMEM;\n\tbpf.xsk.umem = umem;\n\tbpf.xsk.queue_id = queue_id;\n\n\terr = dev->netdev_ops->ndo_bpf(dev, &bpf);\n\tif (err)\n\t\tgoto err_unreg_umem;\n\n\tumem->zc = true;\n\treturn 0;\n\nerr_unreg_umem:\n\tif (!force_zc)\n\t\terr = 0; /* fallback to copy mode */\n\tif (err)\n\t\txdp_clear_umem_at_qid(dev, queue_id);\n\treturn err;\n}",
- "project": "linux",
- "hash": 126635444260904263682819293481218507053,
- "size": 63,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364110
- },
- {
- "func": "static void xdp_umem_unpin_pages(struct xdp_umem *umem)\n{\n\tunpin_user_pages_dirty_lock(umem->pgs, umem->npgs, true);\n\n\tkfree(umem->pgs);\n\tumem->pgs = NULL;\n}",
- "project": "linux",
- "hash": 254606291712845223014071918045503359746,
- "size": 7,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364117
- },
- {
- "func": "static void xdp_clear_umem_at_qid(struct net_device *dev, u16 queue_id)\n{\n\tif (queue_id < dev->real_num_rx_queues)\n\t\tdev->_rx[queue_id].umem = NULL;\n\tif (queue_id < dev->real_num_tx_queues)\n\t\tdev->_tx[queue_id].umem = NULL;\n}",
- "project": "linux",
- "hash": 104632601349284797194213397935015920102,
- "size": 7,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364103
- },
- {
- "func": "static int xdp_umem_map_pages(struct xdp_umem *umem)\n{\n\tunsigned int i;\n\tvoid *addr;\n\n\tfor (i = 0; i < umem->npgs; i++) {\n\t\tif (PageHighMem(umem->pgs[i]))\n\t\t\taddr = vmap(&umem->pgs[i], 1, VM_MAP, PAGE_KERNEL);\n\t\telse\n\t\t\taddr = page_address(umem->pgs[i]);\n\n\t\tif (!addr) {\n\t\t\txdp_umem_unmap_pages(umem);\n\t\t\treturn -ENOMEM;\n\t\t}\n\n\t\tumem->pages[i].addr = addr;\n\t}\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 50613713072544451655542689635667364971,
- "size": 21,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364113
- },
- {
- "func": "static void xdp_umem_release_deferred(struct work_struct *work)\n{\n\tstruct xdp_umem *umem = container_of(work, struct xdp_umem, work);\n\n\txdp_umem_release(umem);\n}",
- "project": "linux",
- "hash": 96177688199214672207149422695399068976,
- "size": 6,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364114
- },
- {
- "func": "static int xdp_reg_umem_at_qid(struct net_device *dev, struct xdp_umem *umem,\n\t\t\t u16 queue_id)\n{\n\tif (queue_id >= max_t(unsigned int,\n\t\t\t dev->real_num_rx_queues,\n\t\t\t dev->real_num_tx_queues))\n\t\treturn -EINVAL;\n\n\tif (queue_id < dev->real_num_rx_queues)\n\t\tdev->_rx[queue_id].umem = umem;\n\tif (queue_id < dev->real_num_tx_queues)\n\t\tdev->_tx[queue_id].umem = umem;\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 234138038399570815048179683194141842007,
- "size": 15,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364101
- },
- {
- "func": "static void xdp_umem_unmap_pages(struct xdp_umem *umem)\n{\n\tunsigned int i;\n\n\tfor (i = 0; i < umem->npgs; i++)\n\t\tif (PageHighMem(umem->pgs[i]))\n\t\t\tvunmap(umem->pages[i].addr);\n}",
- "project": "linux",
- "hash": 146591201870171263235681356786529738192,
- "size": 8,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364116
- },
- {
- "func": "void xdp_umem_clear_dev(struct xdp_umem *umem)\n{\n\tstruct netdev_bpf bpf;\n\tint err;\n\n\tASSERT_RTNL();\n\n\tif (!umem->dev)\n\t\treturn;\n\n\tif (umem->zc) {\n\t\tbpf.command = XDP_SETUP_XSK_UMEM;\n\t\tbpf.xsk.umem = NULL;\n\t\tbpf.xsk.queue_id = umem->queue_id;\n\n\t\terr = umem->dev->netdev_ops->ndo_bpf(umem->dev, &bpf);\n\n\t\tif (err)\n\t\t\tWARN(1, \"failed to disable umem!\\n\");\n\t}\n\n\txdp_clear_umem_at_qid(umem->dev, umem->queue_id);\n\n\tdev_put(umem->dev);\n\tumem->dev = NULL;\n\tumem->zc = false;\n}",
- "project": "linux",
- "hash": 98411041127965363436279721513388452524,
- "size": 27,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364099
- },
- {
- "func": "static int xdp_umem_pin_pages(struct xdp_umem *umem)\n{\n\tunsigned int gup_flags = FOLL_WRITE;\n\tlong npgs;\n\tint err;\n\n\tumem->pgs = kcalloc(umem->npgs, sizeof(*umem->pgs),\n\t\t\t GFP_KERNEL | __GFP_NOWARN);\n\tif (!umem->pgs)\n\t\treturn -ENOMEM;\n\n\tdown_read(¤t->mm->mmap_sem);\n\tnpgs = pin_user_pages(umem->address, umem->npgs,\n\t\t\t gup_flags | FOLL_LONGTERM, &umem->pgs[0], NULL);\n\tup_read(¤t->mm->mmap_sem);\n\n\tif (npgs != umem->npgs) {\n\t\tif (npgs >= 0) {\n\t\t\tumem->npgs = npgs;\n\t\t\terr = -ENOMEM;\n\t\t\tgoto out_pin;\n\t\t}\n\t\terr = npgs;\n\t\tgoto out_pgs;\n\t}\n\treturn 0;\n\nout_pin:\n\txdp_umem_unpin_pages(umem);\nout_pgs:\n\tkfree(umem->pgs);\n\tumem->pgs = NULL;\n\treturn err;\n}",
- "project": "linux",
- "hash": 313636902645447711638277821491787845349,
- "size": 34,
- "commit_id": "99e3a236dd43d06c65af0a2ef9cb44306aef6e02",
- "message": "xsk: Add missing check on user supplied headroom size\n\nAdd a check that the headroom cannot be larger than the available\nspace in the chunk. In the current code, a malicious user can set the\nheadroom to a value larger than the chunk size minus the fixed XDP\nheadroom. That way packets with a length larger than the supported\nsize in the umem could get accepted and result in an out-of-bounds\nwrite.\n\nFixes: c0c77d8fb787 (\"xsk: add user memory registration support sockopt\")\nReported-by: Bui Quang Minh <minhquangbui99@gmail.com>\nSigned-off-by: Magnus Karlsson <magnus.karlsson@intel.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nLink: https://bugzilla.kernel.org/show_bug.cgi?id=207225\nLink: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com",
- "target": 0,
- "dataset": "other",
- "idx": 364115
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "strcpy",
- "FPRINTF",
- "int_error"
- ],
- "group_size": 11,
- "functions": [
- {
- "func": "mk_env_string (name, value)\n const char *name, *value;\n{\n int name_len, value_len;\n char\t*p;\n\n name_len = strlen (name);\n value_len = STRLEN (value);\n p = (char *)xmalloc (2 + name_len + value_len);\n strcpy (p, name);\n p[name_len] = '=';\n if (value && *value)\n strcpy (p + name_len + 1, value);\n else\n p[name_len + 1] = '\\0';\n return (p);\n}",
- "project": "bash",
- "hash": 210912462216513730843145064806343527172,
- "size": 17,
- "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5",
- "message": "commit bash-20120224 snapshot",
- "target": 0,
- "dataset": "other",
- "idx": 379374
- },
- {
- "func": "put_gnu_argv_flags_into_env (pid, flags_string)\n intmax_t pid;\n char *flags_string;\n{\n char *dummy, *pbuf;\n int l, fl;\n\n pbuf = itos (pid);\n l = strlen (pbuf);\n\n fl = strlen (flags_string);\n\n dummy = (char *)xmalloc (l + fl + 30);\n dummy[0] = '_';\n strcpy (dummy + 1, pbuf);\n strcpy (dummy + 1 + l, \"_GNU_nonoption_argv_flags_\");\n dummy[l + 27] = '=';\n strcpy (dummy + l + 28, flags_string);\n\n free (pbuf);\n\n export_env = add_or_supercede_exported_var (dummy, 0);\n}",
- "project": "bash",
- "hash": 299609612077231472911037381966990061404,
- "size": 23,
- "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5",
- "message": "commit bash-20120224 snapshot",
- "target": 0,
- "dataset": "other",
- "idx": 379483
- },
- {
- "func": "update_export_env_inplace (env_prefix, preflen, value)\n char *env_prefix;\n int preflen;\n char *value;\n{\n char *evar;\n\n evar = (char *)xmalloc (STRLEN (value) + preflen + 1);\n strcpy (evar, env_prefix);\n if (value)\n strcpy (evar + preflen, value);\n export_env = add_or_supercede_exported_var (evar, 0);\n}",
- "project": "bash",
- "hash": 294853108275349592107125389728478073882,
- "size": 13,
- "commit_id": "863d31ae775d56b785dc5b0105b6d251515d81d5",
- "message": "commit bash-20120224 snapshot",
- "target": 0,
- "dataset": "other",
- "idx": 379569
- },
- {
- "func": "assign_string (char **pvar, char *value)\n{\n char *p = xrealloc (*pvar, strlen (value) + 1);\n strcpy (p, value);\n *pvar = p;\n}",
- "target": 0,
- "cwe": [
- "CWE-190"
- ],
- "project": "cpio",
- "commit_id": "dd96882877721703e19272fe25034560b794061b",
- "hash": 223890895103693535028760049566072890053,
- "size": 6,
- "message": "Rewrite dynamic string support.\n\n* src/dstring.c (ds_init): Take a single argument.\n(ds_free): New function.\n(ds_resize): Take a single argument. Use x2nrealloc to expand\nthe storage.\n(ds_reset,ds_append,ds_concat,ds_endswith): New function.\n(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.\n* src/dstring.h (dynamic_string): Keep both the allocated length\n(ds_size) and index of the next free byte in the string (ds_idx).\n(ds_init,ds_resize): Change signature.\n(ds_len): New macro.\n(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.\n* src/copyin.c: Use new ds_ functions.\n* src/copyout.c: Likewise.\n* src/copypass.c: Likewise.\n* src/util.c: Likewise.",
- "dataset": "other",
- "idx": 499708
- },
- {
- "func": "stylefont(const char *fontname, TBOOLEAN isbold, TBOOLEAN isitalic)\n{\n int div;\n char *markup = gp_alloc( strlen(fontname) + 16, \"font markup\");\n strcpy(markup, fontname);\n /* base font name can be followed by ,<size> or :Variant */\n if ((div = strcspn(markup,\",:\")))\n\tmarkup[div] = '\\0';\n if (isbold)\n\tstrcat(markup, \":Bold\");\n if (isitalic)\n\tstrcat(markup, \":Italic\");\n\n FPRINTF((stderr, \"MARKUP FONT: %s -> %s\\n\", fontname, markup));\n return markup;\n}",
- "target": 0,
- "cwe": [
- "CWE-787"
- ],
- "project": "gnuplot",
- "commit_id": "963c7df3e0c5266efff260d0dff757dfe03d3632",
- "hash": 221400835128564701357109709082557739196,
- "size": 16,
- "message": "Better error handling for faulty font syntax\n\nA missing close-quote in an enhanced text font specification could\ncause a segfault.\nBug #2303",
- "dataset": "other",
- "idx": 506583
- },
- {
- "func": "term_start_multiplot()\n{\n FPRINTF((stderr, \"term_start_multiplot()\\n\"));\n multiplot_start();\n#ifdef USE_MOUSE\n UpdateStatusline();\n#endif\n}",
- "target": 0,
- "cwe": [
- "CWE-787"
- ],
- "project": "gnuplot",
- "commit_id": "963c7df3e0c5266efff260d0dff757dfe03d3632",
- "hash": 58141844531723157650231985193655293573,
- "size": 8,
- "message": "Better error handling for faulty font syntax\n\nA missing close-quote in an enhanced text font specification could\ncause a segfault.\nBug #2303",
- "dataset": "other",
- "idx": 506582
- },
- {
- "func": "term_check_multiplot_okay(TBOOLEAN f_interactive)\n{\n FPRINTF((stderr, \"term_multiplot_okay(%d)\\n\", f_interactive));\n\n if (!term_initialised)\n\treturn; /* they've not started yet */\n\n /* make sure that it is safe to issue an interactive prompt\n * it is safe if\n * it is not an interactive read, or\n * the terminal supports interactive multiplot, or\n * we are not writing to stdout and terminal doesn't\n * refuse multiplot outright\n */\n if (!f_interactive || (term->flags & TERM_CAN_MULTIPLOT) ||\n\t((gpoutfile != stdout) && !(term->flags & TERM_CANNOT_MULTIPLOT))\n\t) {\n\t/* it's okay to use multiplot here, but suspend first */\n\tterm_suspend();\n\treturn;\n }\n /* uh oh: they're not allowed to be in multiplot here */\n\n term_end_multiplot();\n\n /* at this point we know that it is interactive and that the\n * terminal can either only do multiplot when writing to\n * to a file, or it does not do multiplot at all\n */\n\n if (term->flags & TERM_CANNOT_MULTIPLOT)\n\tint_error(NO_CARET, \"This terminal does not support multiplot\");\n else\n\tint_error(NO_CARET, \"Must set output to a file or put all multiplot commands on one input line\");\n}",
- "target": 0,
- "cwe": [
- "CWE-787"
- ],
- "project": "gnuplot",
- "commit_id": "963c7df3e0c5266efff260d0dff757dfe03d3632",
- "hash": 135695253295517626706309145417227311762,
- "size": 35,
- "message": "Better error handling for faulty font syntax\n\nA missing close-quote in an enhanced text font specification could\ncause a segfault.\nBug #2303",
- "dataset": "other",
- "idx": 506603
- },
- {
- "func": "stats_command()\n{\n#ifdef USE_STATS\n statsrequest();\n#else\n int_error(NO_CARET,\"This copy of gnuplot was not configured with support for the stats command\");\n#endif\n}",
- "target": 0,
- "cwe": [
- "CWE-415"
- ],
- "project": "gnuplot",
- "commit_id": "052cbd17c3cbbc602ee080b2617d32a8417d7563",
- "hash": 96749858619889230295498705379399258983,
- "size": 8,
- "message": "successive failures of \"set print <foo>\" could cause double-free\nBug #2312",
- "dataset": "other",
- "idx": 506517
- },
- {
- "func": "update_command()\n{\n int_error(NO_CARET, \"DEPRECATED command 'update', please use 'save fit' instead\");\n}",
- "target": 0,
- "cwe": [
- "CWE-415"
- ],
- "project": "gnuplot",
- "commit_id": "052cbd17c3cbbc602ee080b2617d32a8417d7563",
- "hash": 194252680971822072527739673533196355651,
- "size": 4,
- "message": "successive failures of \"set print <foo>\" could cause double-free\nBug #2312",
- "dataset": "other",
- "idx": 506553
- },
- {
- "func": "null_scale(double x, double y)\n{\n (void) x; /* avoid -Wunused warning */\n (void) y;\n int_error(NO_CARET, \"Attempt to call deprecated terminal function\");\n return FALSE; /* can't be done */\n}",
- "target": 0,
- "cwe": [
- "CWE-787"
- ],
- "project": "gnuplot",
- "commit_id": "963c7df3e0c5266efff260d0dff757dfe03d3632",
- "hash": 9300924069147076799766333577949355387,
- "size": 7,
- "message": "Better error handling for faulty font syntax\n\nA missing close-quote in an enhanced text font specification could\ncause a segfault.\nBug #2303",
- "dataset": "other",
- "idx": 506618
- },
- {
- "func": "string_expand_macros()\n{\n\tif (expand_1level_macros() && expand_1level_macros()\n\t&& expand_1level_macros() && expand_1level_macros())\n\t int_error(NO_CARET, \"Macros nested too deeply\");\n}",
- "target": 0,
- "cwe": [
- "CWE-415"
- ],
- "project": "gnuplot",
- "commit_id": "052cbd17c3cbbc602ee080b2617d32a8417d7563",
- "hash": 299807278727130784107005395103776063523,
- "size": 6,
- "message": "successive failures of \"set print <foo>\" could cause double-free\nBug #2312",
- "dataset": "other",
- "idx": 506542
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "mwifiex_deauthenticate_all",
- "mwifiex_deauthenticate",
- "mwifiex_deauthenticate_infra"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "int mwifiex_deauthenticate(struct mwifiex_private *priv, u8 *mac)\n{\n\tint ret = 0;\n\n\tif (!priv->media_connected)\n\t\treturn 0;\n\n\tswitch (priv->bss_mode) {\n\tcase NL80211_IFTYPE_STATION:\n\tcase NL80211_IFTYPE_P2P_CLIENT:\n\t\tret = mwifiex_deauthenticate_infra(priv, mac);\n\t\tif (ret)\n\t\t\tcfg80211_disconnected(priv->netdev, 0, NULL, 0,\n\t\t\t\t\t true, GFP_KERNEL);\n\t\tbreak;\n\tcase NL80211_IFTYPE_ADHOC:\n\t\treturn mwifiex_send_cmd(priv, HostCmd_CMD_802_11_AD_HOC_STOP,\n\t\t\t\t\tHostCmd_ACT_GEN_SET, 0, NULL, true);\n\tcase NL80211_IFTYPE_AP:\n\t\treturn mwifiex_send_cmd(priv, HostCmd_CMD_UAP_BSS_STOP,\n\t\t\t\t\tHostCmd_ACT_GEN_SET, 0, NULL, true);\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 236807138668342781556278705542041524454,
- "size": 27,
- "commit_id": "5c455c5ab332773464d02ba17015acdca198f03d",
- "message": "mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start\n\nmwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking\nthe destination size may trigger a buffer overflower,\nwhich a local user could use to cause denial of service\nor the execution of arbitrary code.\nFix it by putting the length check before calling memcpy().\n\nSigned-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>\nLink: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com",
- "target": 0,
- "dataset": "other",
- "idx": 444820
- },
- {
- "func": "void mwifiex_deauthenticate_all(struct mwifiex_adapter *adapter)\n{\n\tstruct mwifiex_private *priv;\n\tint i;\n\n\tfor (i = 0; i < adapter->priv_num; i++) {\n\t\tpriv = adapter->priv[i];\n\t\tif (priv)\n\t\t\tmwifiex_deauthenticate(priv, NULL);\n\t}\n}",
- "project": "linux",
- "hash": 189959406002554123173285325117710338587,
- "size": 11,
- "commit_id": "5c455c5ab332773464d02ba17015acdca198f03d",
- "message": "mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start\n\nmwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking\nthe destination size may trigger a buffer overflower,\nwhich a local user could use to cause denial of service\nor the execution of arbitrary code.\nFix it by putting the length check before calling memcpy().\n\nSigned-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>\nLink: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com",
- "target": 0,
- "dataset": "other",
- "idx": 444819
- },
- {
- "func": "static int mwifiex_deauthenticate_infra(struct mwifiex_private *priv, u8 *mac)\n{\n\tu8 mac_address[ETH_ALEN];\n\tint ret;\n\n\tif (!mac || is_zero_ether_addr(mac))\n\t\tmemcpy(mac_address,\n\t\t priv->curr_bss_params.bss_descriptor.mac_address,\n\t\t ETH_ALEN);\n\telse\n\t\tmemcpy(mac_address, mac, ETH_ALEN);\n\n\tret = mwifiex_send_cmd(priv, HostCmd_CMD_802_11_DEAUTHENTICATE,\n\t\t\t HostCmd_ACT_GEN_SET, 0, mac_address, true);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 159153326079788819329188692913654936904,
- "size": 17,
- "commit_id": "5c455c5ab332773464d02ba17015acdca198f03d",
- "message": "mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start\n\nmwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking\nthe destination size may trigger a buffer overflower,\nwhich a local user could use to cause denial of service\nor the execution of arbitrary code.\nFix it by putting the length check before calling memcpy().\n\nSigned-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>\nLink: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com",
- "target": 0,
- "dataset": "other",
- "idx": 444810
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "cardos_create_file",
- "cardos_construct_fcp",
- "cardos_acl_to_bytes",
- "acl_to_byte"
- ],
- "group_size": 65,
- "functions": [
- {
- "func": "static int tcos_get_serialnr(sc_card_t *card, sc_serial_number_t *serial)\n{\n\tint r;\n\n\tif (!serial)\n\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\n\t/* see if we have cached serial number */\n\tif (card->serialnr.len) {\n\t\tmemcpy(serial, &card->serialnr, sizeof(*serial));\n\t\treturn SC_SUCCESS;\n\t}\n\n\tcard->serialnr.len = sizeof card->serialnr.value;\n\tr = sc_parse_ef_gdo(card, card->serialnr.value, &card->serialnr.len, NULL, 0);\n\tif (r < 0) {\n\t\tcard->serialnr.len = 0;\n\t\treturn r;\n\t}\n\n\t/* copy and return serial number */\n\tmemcpy(serial, &card->serialnr, sizeof(*serial));\n\n\treturn SC_SUCCESS;\n}",
- "project": "OpenSC",
- "hash": 246565780126900044203384817876515447629,
- "size": 25,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453697
- },
- {
- "func": "static int cardos_get_serialnr(sc_card_t *card, sc_serial_number_t *serial)\n{\n\tint r;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x81);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = 256;\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\tif (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)\n\t\treturn SC_ERROR_INTERNAL;\n\tif ((apdu.resplen == 8) && (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3)) {\n\t\t/* cache serial number */\n\t\tmemcpy(card->serialnr.value, rbuf, 8);\n\t\tcard->serialnr.len = 8;\n\t} else if (apdu.resplen == 32) {\n\t\t/* cache serial number */\n\t\tmemcpy(card->serialnr.value, &rbuf[10], 6);\n\t\tcard->serialnr.len = 6;\n\t} else {\n\t\tsc_log(card->ctx, \"unexpected response to GET DATA serial\"\n\t\t\t\t\" number\\n\");\n\t\treturn SC_ERROR_INTERNAL;\n\t}\n\t/* copy and return serial number */\n\tmemcpy(serial, &card->serialnr, sizeof(*serial));\n\treturn SC_SUCCESS;\n}",
- "project": "OpenSC",
- "hash": 154421957446064598755895165006922596116,
- "size": 31,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270679
- },
- {
- "func": "static int cardos_create_file(sc_card_t *card, sc_file_t *file)\n{\n\tint r;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\tif (card->type == SC_CARD_TYPE_CARDOS_GENERIC ||\n\t card->type == SC_CARD_TYPE_CARDOS_M4_01) {\n\t\tr = cardos_set_file_attributes(card, file);\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t\treturn iso_ops->create_file(card, file);\n\t} else if (card->type == SC_CARD_TYPE_CARDOS_M4_2 ||\n\t card->type == SC_CARD_TYPE_CARDOS_M4_3 ||\n\t\t card->type == SC_CARD_TYPE_CARDOS_M4_2B ||\n\t card->type == SC_CARD_TYPE_CARDOS_M4_2C ||\n\t\t card->type == SC_CARD_TYPE_CARDOS_M4_4) {\n\t\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\t\tsize_t len = sizeof(sbuf);\n\t\tsc_apdu_t apdu;\n\n\t\tr = cardos_construct_fcp(card, file, sbuf, &len);\n\t\tif (r < 0) {\n\t\t\tsc_log(card->ctx, \"unable to create FCP\");\n\t\t\treturn r;\n\t\t}\n\t\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xE0, 0x00, 0x00);\n\t\tapdu.lc = len;\n\t\tapdu.datalen = len;\n\t\tapdu.data = sbuf;\n\n\t\tr = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\t\treturn sc_check_sw(card, apdu.sw1, apdu.sw2);\n\t} else\n\t\treturn SC_ERROR_NOT_SUPPORTED;\n}",
- "project": "OpenSC",
- "hash": 288258945563116713298860710976484617827,
- "size": 39,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270696
- },
- {
- "func": "static int tcos_create_file(sc_card_t *card, sc_file_t *file)\n{\n\tint r;\n\tsize_t len;\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tsc_apdu_t apdu;\n\n\tlen = SC_MAX_APDU_BUFFER_SIZE;\n\tr = tcos_construct_fci(file, sbuf, &len);\n\tLOG_TEST_RET(card->ctx, r, \"tcos_construct_fci() failed\");\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xE0, 0x00, 0x00);\n\tapdu.cla |= 0x80; /* this is an proprietary extension */\n\tapdu.lc = len;\n\tapdu.datalen = len;\n\tapdu.data = sbuf;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\treturn sc_check_sw(card, apdu.sw1, apdu.sw2);\n}",
- "project": "OpenSC",
- "hash": 87076920813955038984168861991618883272,
- "size": 21,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453692
- },
- {
- "func": "static int tcos_compute_signature(sc_card_t *card, const u8 * data, size_t datalen, u8 * out, size_t outlen)\n{\n\tsize_t i, dlen=datalen;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tint tcos3, r;\n\n\tassert(card != NULL && data != NULL && out != NULL);\n\ttcos3=(card->type==SC_CARD_TYPE_TCOS_V3);\n\n\t// We can sign (key length / 8) bytes\n\tif (datalen > 256) SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);\n\n\tif(((tcos_data *)card->drv_data)->next_sign) {\n\t\tif(datalen>48) {\n\t\t\tsc_log(card->ctx, \"Data to be signed is too long (TCOS supports max. 48 bytes)\\n\");\n\t\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);\n\t\t}\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A, 0x9E, 0x9A);\n\t\tmemcpy(sbuf, data, datalen);\n\t\tdlen=datalen;\n\t} else {\n\t\tint keylen= tcos3 ? 256 : 128;\n\t\tsc_format_apdu(card, &apdu, keylen>255 ? SC_APDU_CASE_4_EXT : SC_APDU_CASE_4_SHORT, 0x2A,0x80,0x86);\n\t\tfor(i=0; i<sizeof(sbuf);++i) sbuf[i]=0xff;\n\t\tsbuf[0]=0x02; sbuf[1]=0x00; sbuf[2]=0x01; sbuf[keylen-datalen]=0x00;\n\t\tmemcpy(sbuf+keylen-datalen+1, data, datalen);\n\t\tdlen=keylen+1;\n\t}\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = tcos3 ? 
256 : 128;\n\tapdu.data = sbuf;\n\tapdu.lc = apdu.datalen = dlen;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\tif (tcos3 && apdu.p1==0x80 && apdu.sw1==0x6A && apdu.sw2==0x87) {\n\t\tint keylen=128;\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A,0x80,0x86);\n\t\tfor(i=0; i<sizeof(sbuf);++i) sbuf[i]=0xff;\n\t\tsbuf[0]=0x02; sbuf[1]=0x00; sbuf[2]=0x01; sbuf[keylen-datalen]=0x00;\n\t\tmemcpy(sbuf+keylen-datalen+1, data, datalen);\n\t\tdlen=keylen+1;\n\n\t\tapdu.resp = rbuf;\n\t\tapdu.resplen = sizeof(rbuf);\n\t\tapdu.le = 128;\n\t\tapdu.data = sbuf;\n\t\tapdu.lc = apdu.datalen = dlen;\n\t\tr = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\t}\n\tif (apdu.sw1==0x90 && apdu.sw2==0x00) {\n\t\tsize_t len = apdu.resplen>outlen ? outlen : apdu.resplen;\n\t\tmemcpy(out, apdu.resp, len);\n\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, len);\n\t}\n\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}",
- "project": "OpenSC",
- "hash": 296448152350111572857031665246126932505,
- "size": 61,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453704
- },
- {
- "func": "static int tcos_setperm(sc_card_t *card, int enable_nullpin)\n{\n\tint r;\n\tsc_apdu_t apdu;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xEE, 0x00, 0x00);\n\tapdu.cla |= 0x80;\n\tapdu.lc = 0;\n\tapdu.datalen = 0;\n\tapdu.data = NULL;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\treturn sc_check_sw(card, apdu.sw1, apdu.sw2);\n}",
- "project": "OpenSC",
- "hash": 135071921926935975134723629067504187915,
- "size": 16,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453707
- },
- {
- "func": "static int cardos_pass_algo_flags(sc_card_t *card, struct sc_cardctl_cardos_pass_algo_flags * ptr)\n{\n\tcardos_data_t * priv = (cardos_data_t *)card->drv_data;\n\tint r = 0;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tswitch (ptr->pass) {\n\t\tcase 1:\n\t\t\tptr->card_flags = card->flags;\n\t\t\tptr->used_flags = priv->flags;\n\t\t\tptr->ec_flags = priv->ec_flags;\n\t\t\tptr->ext_flags = priv->ext_flags;\n\t\t\tbreak;\n\t\tcase 2:\n\t\t\tr = cardos_add_algs(card,ptr->new_flags, ptr->ec_flags, ptr->ext_flags);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsc_log(card->ctx, \"ptr->pass: %ul invalid\", ptr->pass);\n\t\t\tr = SC_ERROR_INTERNAL;\n\t}\n\tLOG_FUNC_RETURN(card->ctx, r);\n}",
- "project": "OpenSC",
- "hash": 322754554900044373761081908493363275949,
- "size": 22,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270678
- },
- {
- "func": "static int tcos_set_security_env(sc_card_t *card, const sc_security_env_t *env, int se_num)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE], *p;\n\tint r, default_key, tcos3;\n\ttcos_data *data;\n\n\tassert(card != NULL && env != NULL);\n\tctx = card->ctx;\n\ttcos3=(card->type==SC_CARD_TYPE_TCOS_V3);\n\tdata=(tcos_data *)card->drv_data;\n\n\tif (se_num || (env->operation!=SC_SEC_OPERATION_DECIPHER && env->operation!=SC_SEC_OPERATION_SIGN)) {\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);\n\t}\n\tif(!(env->flags & SC_SEC_ENV_KEY_REF_PRESENT))\n\t\tsc_log(ctx,\n\t\t\t\"No Key-Reference in SecEnvironment\\n\");\n\telse\n\t\tsc_log(ctx,\n\t\t\t\"Key-Reference %02X (len=%\"SC_FORMAT_LEN_SIZE_T\"u)\\n\",\n\t\t\tenv->key_ref[0], env->key_ref_len);\n\t/* Key-Reference 0x80 ?? */\n\tdefault_key= !(env->flags & SC_SEC_ENV_KEY_REF_PRESENT) || (env->key_ref_len==1 && env->key_ref[0]==0x80);\n\tsc_log(ctx,\n\t\t\"TCOS3:%d PKCS1:%d\\n\", tcos3,\n\t\t!!(env->algorithm_flags & SC_ALGORITHM_RSA_PAD_PKCS1));\n\n\tdata->pad_flags = env->algorithm_flags;\n\tdata->next_sign = default_key;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x22, tcos3 ? 0x41 : 0xC1, 0xB8);\n\tp = sbuf;\n\tif (env->flags & SC_SEC_ENV_KEY_REF_PRESENT) {\n\t\t*p++ = (env->flags & SC_SEC_ENV_KEY_REF_SYMMETRIC) ? 0x83 : 0x84;\n\t\t*p++ = env->key_ref_len;\n\t\tmemcpy(p, env->key_ref, env->key_ref_len);\n\t\tp += env->key_ref_len;\n\t}\n\tapdu.data = sbuf;\n\tapdu.lc = apdu.datalen = (p - sbuf);\n\n\tr=sc_transmit_apdu(card, &apdu);\n\tif (r) {\n\t\tsc_log(ctx,\n\t\t\t\"%s: APDU transmit failed\", sc_strerror(r));\n\t\treturn r;\n\t}\n\tif (apdu.sw1==0x6A && (apdu.sw2==0x81 || apdu.sw2==0x88)) {\n\t\tsc_log(ctx,\n\t\t\t\"Detected Signature-Only key\\n\");\n\t\tif (env->operation==SC_SEC_OPERATION_SIGN && default_key) return SC_SUCCESS;\n\t}\n\tSC_FUNC_RETURN(ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}",
- "project": "OpenSC",
- "hash": 46602344664369450852260308414175827075,
- "size": 56,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453705
- },
- {
- "func": "static int tcos_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)\n{\n\tswitch (cmd) {\n\tcase SC_CARDCTL_TCOS_SETPERM:\n\t\treturn tcos_setperm(card, !!ptr);\n\tcase SC_CARDCTL_GET_SERIALNR:\n\t\treturn tcos_get_serialnr(card, (sc_serial_number_t *)ptr);\n\t}\n\treturn SC_ERROR_NOT_SUPPORTED;\n}",
- "project": "OpenSC",
- "hash": 144617548674885742297924822046400097296,
- "size": 10,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453698
- },
- {
- "func": "static int iasecc_parse_ef_atr(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_private_data *pdata = (struct iasecc_private_data *) card->drv_data;\n\tstruct iasecc_version *version = &pdata->version;\n\tstruct iasecc_io_buffer_sizes *sizes = &pdata->max_sizes;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\trv = sc_parse_ef_atr(card);\n\tLOG_TEST_RET(ctx, rv, \"MF selection error\");\n\n\tif (card->ef_atr->pre_issuing_len < 4)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Invalid pre-issuing data\");\n\n\tversion->ic_manufacturer =\tcard->ef_atr->pre_issuing[0];\n\tversion->ic_type =\t\tcard->ef_atr->pre_issuing[1];\n\tversion->os_version =\t\tcard->ef_atr->pre_issuing[2];\n\tversion->iasecc_version =\tcard->ef_atr->pre_issuing[3];\n\tsc_log(ctx, \"EF.ATR: IC manufacturer/type %X/%X, OS/IasEcc versions %X/%X\",\n\t\tversion->ic_manufacturer, version->ic_type, version->os_version, version->iasecc_version);\n\n\tif (card->ef_atr->issuer_data_len < 16)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Invalid issuer data\");\n\n\tsizes->send =\t card->ef_atr->issuer_data[2] * 0x100 + card->ef_atr->issuer_data[3];\n\tsizes->send_sc = card->ef_atr->issuer_data[6] * 0x100 + card->ef_atr->issuer_data[7];\n\tsizes->recv =\t card->ef_atr->issuer_data[10] * 0x100 + card->ef_atr->issuer_data[11];\n\tsizes->recv_sc = card->ef_atr->issuer_data[14] * 0x100 + card->ef_atr->issuer_data[15];\n\n\tcard->max_send_size = sizes->send;\n\tcard->max_recv_size = sizes->recv;\n\n\t/* Most of the card producers interpret 'send' values as \"maximum APDU data size\".\n\t * Oberthur strictly follows specification and interpret these values as \"maximum APDU command size\".\n\t * Here we need 'data size'.\n\t */\n\tif (card->max_send_size > 0xFF)\n\t\tcard->max_send_size -= 5;\n\n\tsc_log(ctx,\n\t \"EF.ATR: max send/recv sizes %\"SC_FORMAT_LEN_SIZE_T\"X/%\"SC_FORMAT_LEN_SIZE_T\"X\",\n\t card->max_send_size, card->max_recv_size);\n\n\tLOG_FUNC_RETURN(ctx, 
SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 66128117229491948271469462797222185054,
- "size": 46,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263055
- },
- {
- "func": "static int tcos_construct_fci(const sc_file_t *file,\n u8 *out, size_t *outlen)\n{\n\tu8 *p = out;\n\tu8 buf[64];\n\tsize_t n;\n\n\t/* FIXME: possible buffer overflow */\n\n\t*p++ = 0x6F; /* FCI */\n\tp++;\n\n\t/* File size */\n\tbuf[0] = (file->size >> 8) & 0xFF;\n\tbuf[1] = file->size & 0xFF;\n\tsc_asn1_put_tag(0x81, buf, 2, p, 16, &p);\n\n\t/* File descriptor */\n\tn = 0;\n\tbuf[n] = file->shareable ? 0x40 : 0;\n\tswitch (file->type) {\n\tcase SC_FILE_TYPE_WORKING_EF:\n\t\tbreak;\n\tcase SC_FILE_TYPE_DF:\n\t\tbuf[0] |= 0x38;\n\t\tbreak;\n\tdefault:\n\t\treturn SC_ERROR_NOT_SUPPORTED;\n\t}\n\tbuf[n++] |= file->ef_structure & 7;\n\tif ( (file->ef_structure & 7) > 1) {\n\t\t/* record structured file */\n\t\tbuf[n++] = 0x41; /* indicate 3rd byte */\n\t\tbuf[n++] = file->record_length;\n\t}\n\tsc_asn1_put_tag(0x82, buf, n, p, 8, &p);\n\n\t/* File identifier */\n\tbuf[0] = (file->id >> 8) & 0xFF;\n\tbuf[1] = file->id & 0xFF;\n\tsc_asn1_put_tag(0x83, buf, 2, p, 16, &p);\n\n\t/* Directory name */\n\tif (file->type == SC_FILE_TYPE_DF) {\n\t\tif (file->namelen) {\n\t\t\tsc_asn1_put_tag(0x84, file->name, file->namelen,\n p, 16, &p);\n\t\t} else {\n\t\t\t/* TCOS needs one, so we use a faked one */\n\t\t\tsnprintf ((char *) buf, sizeof(buf)-1, \"foo-%lu\",\n (unsigned long) time (NULL));\n\t\t\tsc_asn1_put_tag(0x84, buf, strlen ((char *) buf), p, 16, &p);\n\t\t}\n\t}\n\n\t/* File descriptor extension */\n\tif (file->prop_attr_len && file->prop_attr) {\n\t\tn = file->prop_attr_len;\n\t\tmemcpy(buf, file->prop_attr, n);\n\t} else {\n\t\tn = 0;\n\t\tbuf[n++] = 0x01; /* not invalidated, permanent */\n\t\tif (file->type == SC_FILE_TYPE_WORKING_EF)\n\t\t\tbuf[n++] = 0x00; /* generic data file */\n\t}\n\tsc_asn1_put_tag(0x85, buf, n, p, 16, &p);\n\n\t/* Security attributes */\n\tif (file->sec_attr_len && file->sec_attr) {\n\t\tmemcpy(buf, file->sec_attr, file->sec_attr_len);\n\t\tn = file->sec_attr_len;\n\t} else {\n\t\t/* no attributes given - fall back to default one 
*/\n\t\tmemcpy (buf+ 0, \"\\xa4\\x00\\x00\\x00\\xff\\xff\", 6); /* select */\n\t\tmemcpy (buf+ 6, \"\\xb0\\x00\\x00\\x00\\xff\\xff\", 6); /* read bin */\n\t\tmemcpy (buf+12, \"\\xd6\\x00\\x00\\x00\\xff\\xff\", 6); /* upd bin */\n\t\tmemcpy (buf+18, \"\\x60\\x00\\x00\\x00\\xff\\xff\", 6); /* admin grp*/\n\t\tn = 24;\n\t}\n\tsc_asn1_put_tag(0x86, buf, n, p, sizeof (buf), &p);\n\n\n\t/* fixup length of FCI */\n\tout[1] = p - out - 2;\n\n\t*outlen = p - out;\n\treturn 0;\n}",
- "project": "OpenSC",
- "hash": 163425523657768046224170230800267043710,
- "size": 88,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453699
- },
- {
- "func": "static int tcos_list_files(sc_card_t *card, u8 *buf, size_t buflen)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE], p1;\n\tint r, count = 0;\n\n\tassert(card != NULL);\n\tctx = card->ctx;\n\n\tfor (p1=1; p1<=2; p1++) {\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xAA, p1, 0);\n\t\tapdu.cla = 0x80;\n\t\tapdu.resp = rbuf;\n\t\tapdu.resplen = sizeof(rbuf);\n\t\tapdu.le = 256;\n\t\tr = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(ctx, r, \"APDU transmit failed\");\n\t\tif (apdu.sw1==0x6A && (apdu.sw2==0x82 || apdu.sw2==0x88)) continue;\n\t\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\t\tLOG_TEST_RET(ctx, r, \"List Dir failed\");\n\t\tif (apdu.resplen > buflen) return SC_ERROR_BUFFER_TOO_SMALL;\n\t\tsc_log(ctx,\n\t\t\t\"got %\"SC_FORMAT_LEN_SIZE_T\"u %s-FileIDs\\n\",\n\t\t\tapdu.resplen / 2, p1 == 1 ? \"DF\" : \"EF\");\n\n\t\tmemcpy(buf, apdu.resp, apdu.resplen);\n\t\tbuf += apdu.resplen;\n\t\tbuflen -= apdu.resplen;\n\t\tcount += apdu.resplen;\n\t}\n\treturn count;\n}",
- "project": "OpenSC",
- "hash": 77871488236966928341429659826285412295,
- "size": 33,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453701
- },
- {
- "func": "static int cardos_construct_fcp(sc_card_t *card, const sc_file_t *file,\n\tu8 *out, size_t *outlen)\n{\n\tu8 buf[64], *p = out;\n\tsize_t inlen = *outlen, len;\n\tint r;\n\n\tLOG_FUNC_CALLED(card->ctx);\n\n\tif (out == NULL || inlen < 64)\n\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\t/* add FCP tag */\n\t*p++ = 0x62;\n\t/* we will add the length later */\n\tp++;\n\n\tmemset(buf, 0, sizeof(buf));\n\n\t/* set the length */\n\tbuf[0] = (file->size >> 8) & 0xff;\n\tbuf[1] = file->size & 0xff;\n\tif (file->type == SC_FILE_TYPE_DF)\n\t\tr = sc_asn1_put_tag(0x81, buf, 2, p, 4, &p);\n\telse\n\t\tr = sc_asn1_put_tag(0x80, buf, 2, p, 4, &p);\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* set file type */\n\tif (file->shareable != 0)\n\t\tbuf[0] = 0x40;\n\telse\n\t\tbuf[0] = 0x00;\n\tif (file->type == SC_FILE_TYPE_WORKING_EF) {\n\t\tswitch (file->ef_structure) {\n\t\tcase SC_FILE_EF_TRANSPARENT:\n\t\t\tbuf[0] |= 0x01;\n\t\t\tbreak;\n\t\tcase SC_FILE_EF_LINEAR_VARIABLE_TLV:\n\t\t\tbuf[0] |= 0x05;\n\t\t\tbreak;\n\t\tcase SC_FILE_EF_LINEAR_FIXED:\n\t\t\tbuf[0] |= 0x02;\n\t\t\tbuf[1] |= 0x21;\n\t\t\tbuf[2] |= 0x00;\n\t\t\tbuf[3] |= (u8) file->record_length;\n\t\t\tbuf[4] |= (u8) file->record_count;\n\t\t\tbreak;\n\t\tcase SC_FILE_EF_CYCLIC:\n\t\t\tbuf[0] |= 0x06;\n\t\t\tbuf[1] |= 0x21;\n\t\t\tbuf[2] |= 0x00;\n\t\t\tbuf[3] |= (u8) file->record_length;\n\t\t\tbuf[4] |= (u8) file->record_count;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tsc_log(card->ctx, \"unknown EF type: %u\", file->type);\n\t\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\t\t}\n\t\tif (file->ef_structure == SC_FILE_EF_CYCLIC ||\n\t\t file->ef_structure == SC_FILE_EF_LINEAR_FIXED)\n\t\tr = sc_asn1_put_tag(0x82, buf, 5, p, 8, &p);\n\telse\n\t\tr = sc_asn1_put_tag(0x82, buf, 1, p, 8, &p);\n\t} else if (file->type == SC_FILE_TYPE_DF) {\n\t\tbuf[0] |= 0x38;\n\t\tr = sc_asn1_put_tag(0x82, buf, 1, p, 8, &p);\n\t} else\n\t\treturn SC_ERROR_NOT_SUPPORTED;\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* set file id */\n\tbuf[0] = 
(file->id >> 8) & 0xff;\n\tbuf[1] = file->id & 0xff;\n\tr = sc_asn1_put_tag(0x83, buf, 2, p, 8, &p);\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* set aid (for DF only) */\n\tif (file->type == SC_FILE_TYPE_DF && file->namelen != 0) {\n\t\tr = sc_asn1_put_tag(0x84, file->name, file->namelen, p, 20, &p);\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t}\n\t/* set proprietary file attributes */\n\tbuf[0] = 0x00;\t\t/* use default values */\n\tif (file->type == SC_FILE_TYPE_DF)\n\t\tr = sc_asn1_put_tag(0x85, buf, 1, p, 8, &p);\n\telse {\n\t\tbuf[1] = 0x00;\n\t\tbuf[2] = 0x00;\n\t\tr = sc_asn1_put_tag(0x85, buf, 1, p, 8, &p);\n\t}\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* set ACs */\n\tlen = 9;\n\tr = cardos_acl_to_bytes(card, file, buf, &len);\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\tr = sc_asn1_put_tag(0x86, buf, len, p, 18, &p);\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\t/* finally set the length of the FCP */\n\tout[1] = p - out - 2;\n\n\t*outlen = p - out;\n\n\treturn SC_SUCCESS;\n}",
- "project": "OpenSC",
- "hash": 42348384099158164533092156599026838044,
- "size": 108,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270675
- },
- {
- "func": "static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len, u8 * out, size_t outlen)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\ttcos_data *data;\n\tint tcos3, r;\n\n\tassert(card != NULL && crgram != NULL && out != NULL);\n\tctx = card->ctx;\n\ttcos3=(card->type==SC_CARD_TYPE_TCOS_V3);\n\tdata=(tcos_data *)card->drv_data;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx,\n\t\t\"TCOS3:%d PKCS1:%d\\n\",tcos3,\n\t\t!!(data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1));\n\n\tsc_format_apdu(card, &apdu, crgram_len>255 ? SC_APDU_CASE_4_EXT : SC_APDU_CASE_4_SHORT, 0x2A, 0x80, 0x86);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = crgram_len;\n\n\tapdu.data = sbuf;\n\tapdu.lc = apdu.datalen = crgram_len+1;\n\tsbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);\n\tmemcpy(sbuf+1, crgram, crgram_len);\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif (apdu.sw1==0x90 && apdu.sw2==0x00) {\n\t\tsize_t len= (apdu.resplen>outlen) ? outlen : apdu.resplen;\n\t\tunsigned int offset=0;\n\t\tif(tcos3 && (data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) && apdu.resp[0]==0 && apdu.resp[1]==2) {\n\t\t\toffset=2; while(offset<len && apdu.resp[offset]!=0) ++offset;\n\t\t\toffset=(offset<len-1) ? offset+1 : 0;\n\t\t}\n\t\tmemcpy(out, apdu.resp+offset, len-offset);\n\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, len-offset);\n\t}\n\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}",
- "project": "OpenSC",
- "hash": 35692446162590344930620836498368260919,
- "size": 44,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 1,
- "dataset": "other",
- "idx": 211948
- },
- {
- "func": "static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len, u8 * out, size_t outlen)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\tu8 sbuf[SC_MAX_APDU_BUFFER_SIZE];\n\ttcos_data *data;\n\tint tcos3, r;\n\n\tassert(card != NULL && crgram != NULL && out != NULL);\n\tctx = card->ctx;\n\ttcos3=(card->type==SC_CARD_TYPE_TCOS_V3);\n\tdata=(tcos_data *)card->drv_data;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx,\n\t\t\"TCOS3:%d PKCS1:%d\\n\",tcos3,\n\t\t!!(data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1));\n\n\tsc_format_apdu(card, &apdu, crgram_len>255 ? SC_APDU_CASE_4_EXT : SC_APDU_CASE_4_SHORT, 0x2A, 0x80, 0x86);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = crgram_len;\n\n\tapdu.data = sbuf;\n\tapdu.lc = apdu.datalen = crgram_len+1;\n\tsbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);\n\tif (sizeof sbuf - 1 < crgram_len)\n\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\tmemcpy(sbuf+1, crgram, crgram_len);\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif (apdu.sw1==0x90 && apdu.sw2==0x00) {\n\t\tsize_t len= (apdu.resplen>outlen) ? outlen : apdu.resplen;\n\t\tunsigned int offset=0;\n\t\tif(tcos3 && (data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) && apdu.resp[0]==0 && apdu.resp[1]==2) {\n\t\t\toffset=2; while(offset<len && apdu.resp[offset]!=0) ++offset;\n\t\t\toffset=(offset<len-1) ? offset+1 : 0;\n\t\t}\n\t\tmemcpy(out, apdu.resp+offset, len-offset);\n\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, len-offset);\n\t}\n\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}",
- "project": "OpenSC",
- "hash": 135428929269373710791680828572609443287,
- "size": 46,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453691
- },
- {
- "func": "static int acl_to_byte(const sc_acl_entry_t *e)\n{\n\tif (e != NULL) {\n\t\tswitch (e->method) {\n\t\tcase SC_AC_NONE:\n\t\t\treturn 0x00;\n\t\tcase SC_AC_NEVER:\n\t\t\treturn 0xFF;\n\t\tcase SC_AC_CHV:\n\t\tcase SC_AC_TERM:\n\t\tcase SC_AC_AUT:\n\t\t\tif (e->key_ref == SC_AC_KEY_REF_NONE)\n\t\t\t\treturn -1;\n\t\t\tif (e->key_ref > 0x7F)\n\t\t\t\treturn -1;\n\t\t\treturn e->key_ref;\n\t\t}\n\t}\n return 0x00;\n}",
- "project": "OpenSC",
- "hash": 173709416336833647761968270085829929264,
- "size": 20,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270692
- },
- {
- "func": "static int cardos_init(sc_card_t *card)\n{\n\tcardos_data_t * priv = NULL;\n\tunsigned long flags = 0;\n\tsize_t data_field_length;\n\tsc_apdu_t apdu;\n\tu8 rbuf[2];\n\tint r;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\tpriv = calloc(1, sizeof(cardos_data_t));\n\tif (!priv)\n\t\tLOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);\n\tcard->drv_data = priv;\n\n\tcard->name = \"Atos CardOS\";\n\tcard->cla = 0x00;\n\n\t/* let user override flags and type from opensc.conf */\n\t/* user can override card->type too.*/\n\tif (card->flags) {\n\t flags = card->flags;\n\t} else {\n\n\t\t/* Set up algorithm info. */\n\t\tflags = 0;\n\t\tif (card->type == SC_CARD_TYPE_CARDOS_V5_0) {\n\t\t\tflags |= SC_ALGORITHM_RSA_PAD_PKCS1;\n\t\t} else if(card->type == SC_CARD_TYPE_CARDOS_V5_3) {\n\t\t\tflags |= SC_ALGORITHM_RSA_RAW\n\t\t\t\t| SC_ALGORITHM_RSA_HASH_NONE\n\t\t\t\t| SC_ALGORITHM_ONBOARD_KEY_GEN;\n\t\t} else {\n\t\t\tflags |= SC_ALGORITHM_RSA_RAW\n\t\t\t\t| SC_ALGORITHM_RSA_HASH_NONE\n\t\t\t\t| SC_ALGORITHM_NEED_USAGE\n\t\t\t\t| SC_ALGORITHM_ONBOARD_KEY_GEN;\n\t\t}\n\t}\n\n\tpriv->flags = flags;\n\n\tif (card->type == SC_CARD_TYPE_CARDOS_M4_2) {\n\t\tr = cardos_have_2048bit_package(card);\n\t\tif (r < 0) {\n\t\t\tr = SC_ERROR_INVALID_CARD;\n\t\t\tgoto err;\n\t\t}\n\t\tif (r == 1)\n\t\t\tpriv->rsa_2048 = 1;\n\t\tcard->caps |= SC_CARD_CAP_APDU_EXT;\n\t} else if (card->type == SC_CARD_TYPE_CARDOS_M4_3\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_M4_2B\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_M4_2C\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_M4_4\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_V5_0\n\t\t|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {\n\t\tpriv->rsa_2048 = 1;\n\t\tcard->caps |= SC_CARD_CAP_APDU_EXT;\n\t\t/* TODO check this. 
EC only if in supported_algo */\n\t\tpriv->ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;\n\t}\n\n\t/* probe DATA FIELD LENGTH with GET DATA */\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x8D);\n\tapdu.le = sizeof rbuf;\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tif (r < 0)\n\t\tLOG_TEST_GOTO_ERR(card->ctx,\n\t\t\t\tSC_ERROR_INVALID_CARD,\n\t\t\t\t\"APDU transmit failed\");\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tif (r < 0)\n\t\tLOG_TEST_GOTO_ERR(card->ctx,\n\t\t\t\tSC_ERROR_INVALID_CARD,\n\t\t\t\t\"GET DATA command returned error\");\n\tif (apdu.resplen != 2) {\n\t\tr = SC_ERROR_INVALID_CARD;\n\t\tgoto err;\n\t}\n\tdata_field_length = ((rbuf[0] << 8) | rbuf[1]);\n\n\t/* TODO is this really needed? strip the length of possible Lc and Le bytes */\n\n\t/* Use Min card sizes and reader too. for V5_3 at least*/\n\n\tif (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {\n\t\tsc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, \"data_field_length:%\"SC_FORMAT_LEN_SIZE_T\"u \"\n\t\t\t\t\"card->reader->max_send_size:%\"SC_FORMAT_LEN_SIZE_T\"u \"\n\t\t\t\t\"card->reader->max_recv_size:%\"SC_FORMAT_LEN_SIZE_T\"u %s\",\n\t\t\t\tdata_field_length, card->reader->max_send_size, card->reader->max_recv_size,\n\t\t\t\t(card->caps & SC_CARD_CAP_APDU_EXT) ? \"SC_CARD_CAP_APDU_EXT\" : \" \");\n\n\t\tif (card->caps & SC_CARD_CAP_APDU_EXT) {\n\t\t\tcard->max_send_size = data_field_length - 6;\n#ifdef _WIN32\n\t\t\t/* Windows does not support PCSC PART_10 and may have forced reader to 255/256\n\t\t\t * https://github.com/OpenSC/OpenSC/commit/eddea6f3c2d3dafc2c09eba6695c745a61b5186f\n\t\t\t * may have reset this. 
if so, will override and force extended \n\t\t\t * Most, if not all, cardos cards do extended, but not chaining \n\t\t\t */\n\t\t\tif (card->reader->max_send_size == 255 && card->reader->max_recv_size == 256) {\n\t\t\t\tsc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, \"resetting reader to use data_field_length\");\n\t\t\t\tcard->reader->max_send_size = data_field_length - 6;\n\t\t\t\tcard->reader->max_recv_size = data_field_length - 3;\n\t\t\t}\n#endif\n\t\t} else\n\t\t\tcard->max_send_size = data_field_length - 3;\n\n\t\tcard->max_send_size = sc_get_max_send_size(card); /* include reader sizes and protocol */\n\t\tcard->max_recv_size = data_field_length - 2;\n\t\tcard->max_recv_size = sc_get_max_recv_size(card);\n\t} else {\n\t\t/* old way, disregards reader capabilities */\n\t\tif (card->caps & SC_CARD_CAP_APDU_EXT)\n\t\t\tcard->max_send_size = data_field_length - 6;\n\t\telse\n\t\t\tcard->max_send_size = data_field_length - 3;\n\t\t/* strip the length of SW bytes */\n\t\tcard->max_recv_size = data_field_length - 2;\n\t}\n\n\t/*for new cards, wait till after sc_pkcs15_bind_internal reads tokeninfo */\n\tif (card->type != SC_CARD_TYPE_CARDOS_V5_0 && card->type != SC_CARD_TYPE_CARDOS_V5_3) {\n\t\tr = cardos_add_algs(card, flags, 0, 0);\n\t}\n\nerr:\n\tif (r != SC_SUCCESS) {\n\t\tfree(priv);\n\t\tcard->drv_data = NULL;\n\t}\n\n\treturn r;\n}",
- "project": "OpenSC",
- "hash": 135725401098783659846816081236713466705,
- "size": 140,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270700
- },
- {
- "func": "do_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,\n\t\t u8 *out, size_t outlen)\n{\n\t/* cardos_data_t* priv = (cardos_data_t*)card->drv_dataa */;\n\tint r;\n\tsc_apdu_t apdu;\n\n\t/* INS: 0x2A PERFORM SECURITY OPERATION\n\t * P1: 0x9E Resp: Digital Signature\n\t * P2: 0x9A Cmd: Input for Digital Signature */\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x9E, 0x9A);\n\tapdu.resp = out;\n\tapdu.le = outlen;\n\tapdu.resplen = outlen;\n\n\tapdu.data = data;\n\tapdu.lc = datalen;\n\tapdu.datalen = datalen;\n\tfixup_transceive_length(card, &apdu);\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif (apdu.sw1 == 0x90 && apdu.sw2 == 0x00)\n\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, apdu.resplen);\n\telse\n\t\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));\n}",
- "project": "OpenSC",
- "hash": 202624707865085526865329845707584797210,
- "size": 27,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270677
- },
- {
- "func": "iasecc_select_aid(struct sc_card *card, struct sc_aid *aid, unsigned char *out, size_t *out_len)\n{\n\tstruct sc_apdu apdu;\n\tunsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];\n\tint rv;\n\n\t/* Select application (deselect previously selected application) */\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);\n\tapdu.lc = aid->len;\n\tapdu.data = aid->value;\n\tapdu.datalen = aid->len;\n\tapdu.resplen = sizeof(apdu_resp);\n\tapdu.resp = apdu_resp;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, rv, \"Cannot select AID\");\n\n\tif (*out_len < apdu.resplen)\n\t\tLOG_TEST_RET(card->ctx, SC_ERROR_BUFFER_TOO_SMALL, \"Cannot select AID\");\n\tmemcpy(out, apdu.resp, apdu.resplen);\n\n\treturn SC_SUCCESS;\n}",
- "project": "OpenSC",
- "hash": 314375111371679731751921746163275144084,
- "size": 25,
- "commit_id": "03628449b75a93787eb2359412a3980365dda49b",
- "message": "iasecc: fixed unbound recursion",
- "target": 0,
- "dataset": "other",
- "idx": 477393
- },
- {
- "func": "static int cardos_set_file_attributes(sc_card_t *card, sc_file_t *file)\n{\n\tint r;\n\n\tif (file->type_attr_len == 0) {\n\t\tu8 type[3];\n\n\t\tmemset(type, 0, sizeof(type));\n\t\ttype[0] = 0x00;\n\t\tswitch (file->type) {\n\t\tcase SC_FILE_TYPE_WORKING_EF:\n\t\t\tbreak;\n\t\tcase SC_FILE_TYPE_DF:\n\t\t\ttype[0] = 0x38;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn SC_ERROR_NOT_SUPPORTED;\n\t\t}\n\t\tif (file->type != SC_FILE_TYPE_DF) {\n\t\t\tswitch (file->ef_structure) {\n\t\t\tcase SC_FILE_EF_LINEAR_FIXED_TLV:\n\t\t\tcase SC_FILE_EF_LINEAR_VARIABLE:\n\t\t\tcase SC_FILE_EF_CYCLIC_TLV:\n\t\t\t\treturn SC_ERROR_NOT_SUPPORTED;\n\t\t\t\t/* No idea what this means, but it\n\t\t\t\t * seems to be required for key\n\t\t\t\t * generation. */\n\t\t\tcase SC_FILE_EF_LINEAR_VARIABLE_TLV:\n\t\t\t\ttype[1] = 0xff;\n\t\t\t\t/* fall through */\n\t\t\tdefault:\n\t\t\t\ttype[0] |= file->ef_structure & 7;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tr = sc_file_set_type_attr(file, type, sizeof(type));\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t}\n\tif (file->prop_attr_len == 0) {\n\t\tu8 status[3];\n\n\t\tstatus[0] = 0x01;\n\t\tif (file->type == SC_FILE_TYPE_DF) {\n\t\t\tstatus[1] = (file->size >> 8) & 0xFF;\n\t\t\tstatus[2] = file->size & 0xFF;\n\t\t} else {\n\t\t\tstatus[1] = status[2] = 0x00; /* not used */\n\t\t}\n\t\tr = sc_file_set_prop_attr(file, status, sizeof(status));\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t}\n\tif (file->sec_attr_len == 0) {\n\t\tu8 acl[9];\n\t\tsize_t blen = sizeof(acl);\n\n\t\tr = cardos_acl_to_bytes(card, file, acl, &blen);\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t\tr = sc_file_set_sec_attr(file, acl, blen);\n\t\tif (r != SC_SUCCESS)\n\t\t\treturn r;\n\t}\n\treturn SC_SUCCESS;\n}",
- "project": "OpenSC",
- "hash": 8159461168753449454459203169536368628,
- "size": 66,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270674
- },
- {
- "func": "sc_awp_parse_df(struct sc_pkcs15_card *p15card, struct sc_pkcs15_df *df)\n{\n\tstruct sc_context *ctx = p15card->card->ctx;\n\tunsigned char *buf = NULL;\n\tsize_t buf_len;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (df->type != SC_PKCS15_PRKDF && df->type != SC_PKCS15_DODF)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);\n\n\tif (df->enumerated)\n\t\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n\n\trv = sc_oberthur_read_file(p15card, AWP_OBJECTS_LIST_PRV, &buf, &buf_len, 1);\n\tLOG_TEST_RET(ctx, rv, \"Parse DF: read private objects info failed\");\n\n\trv = sc_oberthur_parse_privateinfo(p15card, buf, buf_len, 0);\n\n\tif (buf)\n\t\tfree(buf);\n\n\tif (rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED)\n\t\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n\n\tLOG_TEST_RET(ctx, rv, \"Parse DF: private info parse error\");\n\tdf->enumerated = 1;\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 55332694305653857702712485092716248016,
- "size": 30,
- "commit_id": "1db88374bb7706a115d5c3617c6f16115c33bf27",
- "message": "oberthur: Correctly check for return values\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843",
- "target": 0,
- "dataset": "other",
- "idx": 230099
- },
- {
- "func": "sc_pkcs15emu_oberthur_init_ex(struct sc_pkcs15_card * p15card, struct sc_aid *aid)\n{\n\tint rv;\n\n\tLOG_FUNC_CALLED(p15card->card->ctx);\n\trv = oberthur_detect_card(p15card);\n\tif (!rv)\n\t\trv = sc_pkcs15emu_oberthur_init(p15card);\n\n\tLOG_FUNC_RETURN(p15card->card->ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 245335353404583265920343713660703353903,
- "size": 11,
- "commit_id": "1db88374bb7706a115d5c3617c6f16115c33bf27",
- "message": "oberthur: Correctly check for return values\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843",
- "target": 0,
- "dataset": "other",
- "idx": 230109
- },
- {
- "func": "sc_oberthur_parse_tokeninfo (struct sc_pkcs15_card *p15card,\n\t\tunsigned char *buff, size_t len, int postpone_allowed)\n{\n\tstruct sc_context *ctx = p15card->card->ctx;\n\tchar label[0x21];\n\tunsigned flags;\n\tint ii;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (!buff || len < 0x24)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, \"Cannot parse token info\");\n\n\tmemset(label, 0, sizeof(label));\n\n\tmemcpy(label, buff, 0x20);\n\tii = 0x20;\n\twhile (*(label + --ii)==' ' && ii)\n\t\t;\n\t*(label + ii + 1) = '\\0';\n\n\tflags = *(buff + 0x22) * 0x100 + *(buff + 0x23);\n\n\tset_string(&p15card->tokeninfo->label, label);\n\tset_string(&p15card->tokeninfo->manufacturer_id, \"Oberthur/OpenSC\");\n\n\tif (flags & 0x01)\n\t\tp15card->tokeninfo->flags |= SC_PKCS15_TOKEN_PRN_GENERATION;\n\n\tsc_log(ctx, \"label %s\", p15card->tokeninfo->label);\n\tsc_log(ctx, \"manufacturer_id %s\", p15card->tokeninfo->manufacturer_id);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 73661682719962094701154276042337108222,
- "size": 33,
- "commit_id": "1db88374bb7706a115d5c3617c6f16115c33bf27",
- "message": "oberthur: Correctly check for return values\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843",
- "target": 0,
- "dataset": "other",
- "idx": 230111
- },
- {
- "func": "iasecc_sdo_get_data(struct sc_card *card, struct iasecc_sdo *sdo)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tint rv, sdo_tag;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tsdo_tag = iasecc_sdo_tag_from_class(sdo->sdo_class);\n\n\trv = iasecc_sdo_get_tagged_data(card, sdo_tag, sdo);\n\t/* When there is no public data 'GET DATA' returns error */\n\tif (rv != SC_ERROR_INCORRECT_PARAMETERS)\n\t\tLOG_TEST_RET(ctx, rv, \"cannot parse ECC SDO data\");\n\n\trv = iasecc_sdo_get_tagged_data(card, IASECC_DOCP_TAG, sdo);\n\tLOG_TEST_RET(ctx, rv, \"cannot parse ECC DOCP data\");\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 49310794631010853128006989686318405656,
- "size": 19,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263039
- },
- {
- "func": "iasecc_erase_binary(struct sc_card *card, unsigned int offs, size_t count, unsigned long flags)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned char *tmp = NULL;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx,\n\t \"iasecc_erase_binary(card:%p) count %\"SC_FORMAT_LEN_SIZE_T\"u\",\n\t card, count);\n\tif (!count)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, \"'ERASE BINARY' failed: invalid size to erase\");\n\n\ttmp = malloc(count);\n\tif (!tmp)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, \"Cannot allocate temporary buffer\");\n\tmemset(tmp, 0xFF, count);\n\n\trv = sc_update_binary(card, offs, tmp, count, flags);\n\tfree(tmp);\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 305103293588835110101823939097430484444,
- "size": 23,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263042
- },
- {
- "func": "iasecc_get_chv_reference_from_se(struct sc_card *card, int *se_reference)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_se_info se;\n\tstruct sc_crt crt;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (!se_reference)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, \"Invalid arguments\");\n\n\tmemset(&se, 0, sizeof(se));\n\tse.reference = *se_reference;\n\n\trv = iasecc_se_get_info(card, &se);\n\tLOG_TEST_RET(ctx, rv, \"get SE info error\");\n\n\tmemset(&crt, 0, sizeof(crt));\n\tcrt.tag = IASECC_CRT_TAG_AT;\n\tcrt.usage = IASECC_UQB_AT_USER_PASSWORD;\n\n\trv = iasecc_se_get_crt(card, &se, &crt);\n\tLOG_TEST_RET(ctx, rv, \"Cannot get 'USER PASSWORD' authentication template\");\n\n\tsc_file_free(se.df);\n\tLOG_FUNC_RETURN(ctx, crt.refs[0]);\n}",
- "project": "OpenSC",
- "hash": 331721932546177784077675557689432422364,
- "size": 28,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263046
- },
- {
- "func": "iasecc_chv_cache_is_verified(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_pin_status *current = NULL;\n\tunsigned char data_sha1[SHA_DIGEST_LENGTH];\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (pin_cmd->pin1.data)\n\t\tSHA1(pin_cmd->pin1.data, pin_cmd->pin1.len, data_sha1);\n\telse\n\t\tmemset(data_sha1, 0, SHA_DIGEST_LENGTH);\n\tsc_log_hex(ctx, \"data_sha1: %s\", data_sha1, SHA_DIGEST_LENGTH);\n\n\tfor(current = checked_pins; current; current = current->next)\n\t\tif (current->reference == pin_cmd->pin_reference)\n\t\t\tbreak;\n\n\tif (current && !memcmp(data_sha1, current->sha1, SHA_DIGEST_LENGTH)) {\n\t\tsc_log(ctx, \"PIN-%i status 'verified'\", pin_cmd->pin_reference);\n\t\treturn current;\n\t}\n\n\tsc_log(ctx, \"PIN-%i status 'not verified'\", pin_cmd->pin_reference);\n\treturn NULL;\n}",
- "project": "OpenSC",
- "hash": 100182165700546527777392159720951233771,
- "size": 26,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263056
- },
- {
- "func": "iasecc_decipher(struct sc_card *card,\n\t\tconst unsigned char *in, size_t in_len,\n\t\tunsigned char *out, size_t out_len)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_apdu apdu;\n\tunsigned char sbuf[0x200];\n\tunsigned char resp[SC_MAX_APDU_BUFFER_SIZE];\n\tsize_t offs;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(card->ctx,\n\t \"crgram_len %\"SC_FORMAT_LEN_SIZE_T\"u; outlen %\"SC_FORMAT_LEN_SIZE_T\"u\",\n\t in_len, out_len);\n\tif (!out || !out_len || in_len > SC_MAX_APDU_BUFFER_SIZE)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);\n\n\toffs = 0;\n\tsbuf[offs++] = 0x81;\n\tmemcpy(sbuf + offs, in, in_len);\n\toffs += in_len;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A, 0x80, 0x86);\n\tapdu.flags |= SC_APDU_FLAGS_CHAINING;\n\tapdu.data = sbuf;\n\tapdu.datalen = offs;\n\tapdu.lc = offs;\n\tapdu.resp = resp;\n\tapdu.resplen = sizeof(resp);\n\tapdu.le = 256;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(ctx, rv, \"Card returned error\");\n\n\tif (out_len > apdu.resplen)\n\t\tout_len = apdu.resplen;\n\n\tmemcpy(out, apdu.resp, out_len);\n\trv = out_len;\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 310842747367203805416055449723509140251,
- "size": 45,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263062
- },
- {
- "func": "iasecc_sdo_get_tagged_data(struct sc_card *card, int sdo_tag, struct iasecc_sdo *sdo)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_apdu apdu;\n\tunsigned char sbuf[0x100];\n\tsize_t offs = sizeof(sbuf) - 1;\n\tunsigned char rbuf[0x400];\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tsbuf[offs--] = 0x80;\n\tsbuf[offs--] = sdo_tag & 0xFF;\n\tif ((sdo_tag >> 8) & 0xFF)\n\t\tsbuf[offs--] = (sdo_tag >> 8) & 0xFF;\n\tsbuf[offs] = sizeof(sbuf) - offs - 1;\n\toffs--;\n\n\tsbuf[offs--] = sdo->sdo_ref & 0x9F;\n\tsbuf[offs--] = sdo->sdo_class | IASECC_OBJECT_REF_LOCAL;\n\tsbuf[offs--] = IASECC_SDO_TAG_HEADER;\n\n\tsbuf[offs] = sizeof(sbuf) - offs - 1;\n\toffs--;\n\tsbuf[offs--] = IASECC_SDO_TEMPLATE_TAG;\n\n\tsbuf[offs] = sizeof(sbuf) - offs - 1;\n\toffs--;\n\tsbuf[offs] = 0x4D;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xCB, 0x3F, 0xFF);\n\tapdu.data = sbuf + offs;\n\tapdu.datalen = sizeof(sbuf) - offs;\n\tapdu.lc = sizeof(sbuf) - offs;\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.le = 0x100;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(ctx, rv, \"SDO get data error\");\n\n\trv = iasecc_sdo_parse(card, apdu.resp, apdu.resplen, sdo);\n\tLOG_TEST_RET(ctx, rv, \"cannot parse SDO data\");\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 25529644230219156488265076316226132132,
- "size": 48,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263066
- },
- {
- "func": "iasecc_pin_get_status(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_pin_cmd_data info;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (data->pin_type != SC_AC_CHV)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, \"PIN type is not supported for status\");\n\n\tmemset(&info, 0, sizeof(info));\n\tinfo.cmd = SC_PIN_CMD_GET_INFO;\n\tinfo.pin_type = data->pin_type;\n\tinfo.pin_reference = data->pin_reference;\n\n\trv = iso_ops->pin_cmd(card, &info, tries_left);\n\tLOG_TEST_RET(ctx, rv, \"Failed to get PIN info\");\n\n\tdata->pin1.max_tries = info.pin1.max_tries;\n\tdata->pin1.tries_left = info.pin1.tries_left;\n\tdata->pin1.logged_in = info.pin1.logged_in;\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 106841744387906902811671076600302558838,
- "size": 25,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263067
- },
- {
- "func": "iasecc_sdo_delete(struct sc_card *card, struct iasecc_sdo *sdo)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_apdu apdu;\n\tunsigned char data[6] = {\n\t\t0x70, 0x04, 0xBF, 0xFF, 0xFF, 0x00\n\t};\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (sdo->magic != SC_CARDCTL_IASECC_SDO_MAGIC)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Invalid SDO data\");\n\n\tdata[2] = IASECC_SDO_TAG_HEADER;\n\tdata[3] = sdo->sdo_class | 0x80;\n\tdata[4] = sdo->sdo_ref;\n\tsc_log(ctx, \"delete SDO %02X%02X%02X\", data[2], data[3], data[4]);\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xDB, 0x3F, 0xFF);\n\tapdu.data = data;\n\tapdu.datalen = sizeof(data);\n\tapdu.lc = sizeof(data);\n\tapdu.flags |= SC_APDU_FLAGS_CHAINING;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(ctx, rv, \"delete SDO error\");\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 43258280201331597194492542871471416732,
- "size": 31,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263070
- },
- {
- "func": "iasecc_get_challenge(struct sc_card *card, u8 * rnd, size_t len)\n{\n\t/* As IAS/ECC cannot handle other data length than 0x08 */\n\tu8 rbuf[8];\n\tsize_t out_len;\n\tint r;\n\n\tLOG_FUNC_CALLED(card->ctx);\n\n\tr = iso_ops->get_challenge(card, rbuf, sizeof rbuf);\n\tLOG_TEST_RET(card->ctx, r, \"GET CHALLENGE cmd failed\");\n\n\tif (len < (size_t) r) {\n\t\tout_len = len;\n\t} else {\n\t\tout_len = (size_t) r;\n\t}\n\tmemcpy(rnd, rbuf, out_len);\n\n\tLOG_FUNC_RETURN(card->ctx, (int) out_len);\n}",
- "project": "OpenSC",
- "hash": 261201501953976210586813636913118699689,
- "size": 21,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263071
- },
- {
- "func": "iasecc_emulate_fcp(struct sc_context *ctx, struct sc_apdu *apdu)\n{\n\tunsigned char dummy_df_fcp[] = {\n\t\t0x62,0xFF,\n\t\t\t0x82,0x01,0x38,\n\t\t\t0x8A,0x01,0x05,\n\t\t\t0xA1,0x04,0x8C,0x02,0x02,0x00,\n\t\t\t0x84,0xFF,\n\t\t\t\t0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\n\t\t\t\t0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF\n\t};\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (apdu->p1 != 0x04)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, \"FCP emulation supported only for the DF-NAME selection type\");\n\tif (apdu->datalen > 16)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Invalid DF-NAME length\");\n\tif (apdu->resplen < apdu->datalen + 16)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, \"not enough space for FCP data\");\n\n\tmemcpy(dummy_df_fcp + 16, apdu->data, apdu->datalen);\n\tdummy_df_fcp[15] = apdu->datalen;\n\tdummy_df_fcp[1] = apdu->datalen + 14;\n\tmemcpy(apdu->resp, dummy_df_fcp, apdu->datalen + 16);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 176776630660953583824664816852844312503,
- "size": 28,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263075
- },
- {
- "func": "iasecc_logout(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_path path;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (!card->ef_atr || !card->ef_atr->aid.len)\n\t\treturn SC_SUCCESS;\n\n\tmemset(&path, 0, sizeof(struct sc_path));\n\tpath.type = SC_PATH_TYPE_DF_NAME;\n\tmemcpy(path.value, card->ef_atr->aid.value, card->ef_atr->aid.len);\n\tpath.len = card->ef_atr->aid.len;\n\n\trv = iasecc_select_file(card, &path, NULL);\n\tsc_log(ctx, \"Select ECC ROOT with the AID from EF.ATR: rv %i\", rv);\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 148666483426494250974710574127556653719,
- "size": 20,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263081
- },
- {
- "func": "iasecc_pin_get_info(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_pin_policy policy;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx, \"iasecc_pin_get_info(card:%p)\", card);\n\n\t/*\n\t * Get PIN status first and thereafter update with info from PIN policy, when available.\n\t * The first one is typically used for the PIN verification status and number of remaining\n\t * tries, and the second one for the maximum tries. If a field is present in both, the\n\t * policy takes precedence.\n\t */\n\trv = iasecc_pin_get_status(card, data, tries_left);\n\tLOG_TEST_RET(ctx, rv, \"Failed to get PIN status\");\n\n\trv = iasecc_pin_get_policy(card, data, &policy);\n\tLOG_TEST_RET(ctx, rv, \"Failed to get PIN policy\");\n\n\t/*\n\t * We only care about the tries_xxx fields in the PIN policy, since the other ones are not\n\t * commonly expected or used in a SC_PIN_CMD_GET_INFO response.\tNote that max_tries is\n\t * always taken from the policy, since it is never expected to be available in status (it\n\t * is set to -1 when not available in policy).\n\t */\n\tdata->pin1.max_tries = policy.tries_maximum;\n\tif (policy.tries_remaining >= 0)\n\t\tdata->pin1.tries_left = policy.tries_remaining;\n\n\tif (tries_left)\n\t\t*tries_left = data->pin1.tries_left;\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 132552394277754119898556595827787832900,
- "size": 36,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263082
- },
- {
- "func": "iasecc_read_public_key(struct sc_card *card, unsigned type,\n\t\tstruct sc_path *key_path, unsigned ref, unsigned size,\n\t\tunsigned char **out, size_t *out_len)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_sdo sdo;\n\tstruct sc_pkcs15_bignum bn[2];\n\tstruct sc_pkcs15_pubkey_rsa rsa_key;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (type != SC_ALGORITHM_RSA)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);\n\n\tsc_log(ctx, \"read public kay(ref:%i;size:%i)\", ref, size);\n\n\tmemset(&bn, 0, sizeof bn);\n\tmemset(&sdo, 0, sizeof(sdo));\n\tsdo.sdo_class = IASECC_SDO_CLASS_RSA_PUBLIC;\n\tsdo.sdo_ref = ref & ~IASECC_OBJECT_REF_LOCAL;\n\n\trv = iasecc_sdo_get_data(card, &sdo);\n\tLOG_TEST_GOTO_ERR(ctx, rv, \"failed to read public key: cannot get RSA SDO data\");\n\n\tif (out)\n\t\t*out = NULL;\n\tif (out_len)\n\t\t*out_len = 0;\n\n\tbn[0].data = (unsigned char *) malloc(sdo.data.pub_key.n.size);\n\tif (!bn[0].data)\n\t\tLOG_TEST_GOTO_ERR(ctx, SC_ERROR_OUT_OF_MEMORY, \"failed to read public key: cannot allocate modulus\");\n\tbn[0].len = sdo.data.pub_key.n.size;\n\tmemcpy(bn[0].data, sdo.data.pub_key.n.value, sdo.data.pub_key.n.size);\n\n\tbn[1].data = (unsigned char *) malloc(sdo.data.pub_key.e.size);\n\tif (!bn[1].data)\n\t\tLOG_TEST_GOTO_ERR(ctx, SC_ERROR_OUT_OF_MEMORY, \"failed to read public key: cannot allocate exponent\");\n\tbn[1].len = sdo.data.pub_key.e.size;\n\tmemcpy(bn[1].data, sdo.data.pub_key.e.value, sdo.data.pub_key.e.size);\n\n\trsa_key.modulus = bn[0];\n\trsa_key.exponent = bn[1];\n\n\trv = sc_pkcs15_encode_pubkey_rsa(ctx, &rsa_key, out, out_len);\n\tLOG_TEST_GOTO_ERR(ctx, rv, \"failed to read public key: cannot encode RSA public key\");\n\n\tif (out && out_len)\n\t\tsc_log(ctx, \"encoded public key: %s\", sc_dump_hex(*out, *out_len));\n\nerr:\n\tif (bn[0].data)\n\t\tfree(bn[0].data);\n\tif (bn[1].data)\n\t\tfree(bn[1].data);\n\n\tiasecc_sdo_free_fields(card, &sdo);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 315203167397516228462441843403656781758,
- "size": 60,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263083
- },
- {
- "func": "iasecc_init_oberthur(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned int flags;\n\tint rv = 0;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tflags = IASECC_CARD_DEFAULT_FLAGS;\n\n\t_sc_card_add_rsa_alg(card, 1024, flags, 0x10001);\n\t_sc_card_add_rsa_alg(card, 2048, flags, 0x10001);\n\n\tcard->caps = IASECC_CARD_DEFAULT_CAPS;\n\n\tiasecc_parse_ef_atr(card);\n\n\t/* if we fail to select CM, */\n\tif (gp_select_card_manager(card)) {\n\t\tgp_select_isd_rid(card);\n\t}\n\n\trv = iasecc_oberthur_match(card);\n\tLOG_TEST_RET(ctx, rv, \"unknown Oberthur's IAS/ECC card\");\n\n\trv = iasecc_select_mf(card, NULL);\n\tLOG_TEST_RET(ctx, rv, \"MF selection error\");\n\n\trv = iasecc_parse_ef_atr(card);\n\tLOG_TEST_RET(ctx, rv, \"EF.ATR read or parse error\");\n\n\tsc_log(ctx, \"EF.ATR(aid:'%s')\", sc_dump_hex(card->ef_atr->aid.value, card->ef_atr->aid.len));\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 205389055147630064158010606194876395963,
- "size": 34,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263085
- },
- {
- "func": "iasecc_oberthur_match(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned char *hist = card->reader->atr_info.hist_bytes;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (*hist != 0x80 || ((*(hist+1)&0xF0) != 0xF0))\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_OBJECT_NOT_FOUND);\n\n\tsc_log_hex(ctx, \"AID in historical_bytes\", hist + 2, *(hist+1) & 0x0F);\n\n\tif (memcmp(hist + 2, OberthurIASECC_AID.value, *(hist+1) & 0x0F))\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_RECORD_NOT_FOUND);\n\n\tif (!card->ef_atr)\n\t\tcard->ef_atr = calloc(1, sizeof(struct sc_ef_atr));\n\tif (!card->ef_atr)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);\n\n\tmemcpy(card->ef_atr->aid.value, OberthurIASECC_AID.value, OberthurIASECC_AID.len);\n\tcard->ef_atr->aid.len = OberthurIASECC_AID.len;\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 163712996260215261531884654967222438081,
- "size": 25,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263087
- },
- {
- "func": "iasecc_mi_match(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned char resp[0x100];\n\tsize_t resp_len;\n\tint rv = 0;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tresp_len = sizeof(resp);\n\trv = iasecc_select_aid(card, &MIIASECC_AID, resp, &resp_len);\n\tLOG_TEST_RET(ctx, rv, \"IASECC: failed to select MI IAS/ECC applet\");\n\n\tif (!card->ef_atr)\n\t\tcard->ef_atr = calloc(1, sizeof(struct sc_ef_atr));\n\tif (!card->ef_atr)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);\n\n\tmemcpy(card->ef_atr->aid.value, MIIASECC_AID.value, MIIASECC_AID.len);\n\tcard->ef_atr->aid.len = MIIASECC_AID.len;\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 95111025810445059847280487070484214495,
- "size": 23,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263092
- },
- {
- "func": "iasecc_keyset_change(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_sdo_update update;\n\tstruct iasecc_sdo sdo;\n\tunsigned scb;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx, \"Change keyset(ref:%i,lengths:%i)\", data->pin_reference, data->pin2.len);\n\tif (!data->pin2.data || data->pin2.len < 32)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Needs at least 32 bytes for a new keyset value\");\n\n\tmemset(&sdo, 0, sizeof(sdo));\n\tsdo.sdo_class = IASECC_SDO_CLASS_KEYSET;\n\tsdo.sdo_ref = data->pin_reference;\n\n\trv = iasecc_sdo_get_data(card, &sdo);\n\tLOG_TEST_RET(ctx, rv, \"Cannot get keyset data\");\n\n\tif (sdo.docp.acls_contact.size == 0)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, \"Bewildered ... there are no ACLs\");\n\tscb = sdo.docp.scbs[IASECC_ACLS_KEYSET_PUT_DATA];\n\tiasecc_sdo_free_fields(card, &sdo);\n\n\tsc_log(ctx, \"SCB:0x%X\", scb);\n\tif (!(scb & IASECC_SCB_METHOD_SM))\n\t\tLOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, \"Other then protected by SM, the keyset change is not supported\");\n\n\tmemset(&update, 0, sizeof(update));\n\tupdate.magic = SC_CARDCTL_IASECC_SDO_MAGIC_PUT_DATA;\n\tupdate.sdo_class = sdo.sdo_class;\n\tupdate.sdo_ref = sdo.sdo_ref;\n\n\tupdate.fields[0].parent_tag = IASECC_SDO_KEYSET_TAG;\n\tupdate.fields[0].tag = IASECC_SDO_KEYSET_TAG_MAC;\n\t/* FIXME is it safe to modify the const value here? */\n\tupdate.fields[0].value = (unsigned char *) data->pin2.data;\n\tupdate.fields[0].size = 16;\n\n\tupdate.fields[1].parent_tag = IASECC_SDO_KEYSET_TAG;\n\tupdate.fields[1].tag = IASECC_SDO_KEYSET_TAG_ENC;\n\t/* FIXME is it safe to modify the const value here? */\n\tupdate.fields[1].value = (unsigned char *) data->pin2.data + 16;\n\tupdate.fields[1].size = 16;\n\n\trv = iasecc_sm_sdo_update(card, (scb & IASECC_SCB_METHOD_MASK_REF), &update);\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 204991041015945350884073502971386064385,
- "size": 49,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263101
- },
- {
- "func": "iasecc_select_aid(struct sc_card *card, struct sc_aid *aid, unsigned char *out, size_t *out_len)\n{\n\tstruct sc_apdu apdu;\n\tunsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];\n\tint rv;\n\n\tLOG_FUNC_CALLED(card->ctx);\n\n\t/* Select application (deselect previously selected application) */\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);\n\tapdu.lc = aid->len;\n\tapdu.data = aid->value;\n\tapdu.datalen = aid->len;\n\tapdu.resplen = sizeof(apdu_resp);\n\tapdu.resp = apdu_resp;\n\n\trv = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, rv, \"APDU transmit failed\");\n\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, rv, \"Cannot select AID\");\n\n\tif (*out_len < apdu.resplen)\n\t\tLOG_TEST_RET(card->ctx, SC_ERROR_BUFFER_TOO_SMALL, \"Cannot select AID\");\n\tmemcpy(out, apdu.resp, apdu.resplen);\n\n\tLOG_FUNC_RETURN(card->ctx, SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 21848766340836499823157684633773894841,
- "size": 27,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263102
- },
- {
- "func": "iasecc_se_at_to_chv_reference(struct sc_card *card, unsigned reference,\n\t\tunsigned *chv_reference)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_se_info se;\n\tstruct sc_crt crt;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx, \"SE reference %i\", reference);\n\n\tif (reference > IASECC_SE_REF_MAX)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);\n\n\tmemset(&se, 0, sizeof(se));\n\tse.reference = reference;\n\n\trv = iasecc_se_get_info(card, &se);\n\tLOG_TEST_RET(ctx, rv, \"SDO get data error\");\n\n\tmemset(&crt, 0, sizeof(crt));\n\tcrt.tag = IASECC_CRT_TAG_AT;\n\tcrt.usage = IASECC_UQB_AT_USER_PASSWORD;\n\n\trv = iasecc_se_get_crt(card, &se, &crt);\n\tLOG_TEST_RET(ctx, rv, \"no authentication template for USER PASSWORD\");\n\n\tif (chv_reference)\n\t\t*chv_reference = crt.refs[0];\n\n\tsc_file_free(se.df);\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 97041316709397951495231138749203507311,
- "size": 34,
- "commit_id": "ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c",
- "message": "iasecc: Prevent stack buffer overflow when empty ACL is returned\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800",
- "target": 0,
- "dataset": "other",
- "idx": 263103
- },
- {
- "func": "cardos_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data,\n\t\t int *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tint rv;\n\n\tLOG_FUNC_CALLED(card->ctx);\n\n\tdata->flags |= SC_PIN_CMD_NEED_PADDING;\n\tdata->pin_reference |= 0x80;\n\n\tsc_log(ctx, \"PIN_CMD(cmd:%i, ref:%i)\", data->cmd, data->pin_reference);\n\tsc_log(ctx,\n\t \"PIN1(max:%\"SC_FORMAT_LEN_SIZE_T\"u, min:%\"SC_FORMAT_LEN_SIZE_T\"u)\",\n\t data->pin1.max_length, data->pin1.min_length);\n\tsc_log(ctx,\n\t \"PIN2(max:%\"SC_FORMAT_LEN_SIZE_T\"u, min:%\"SC_FORMAT_LEN_SIZE_T\"u)\",\n\t data->pin2.max_length, data->pin2.min_length);\n\n\t/* FIXME: the following values depend on what pin length was\n\t * used when creating the BS objects */\n\tif (data->pin1.max_length == 0)\n\t\tdata->pin1.max_length = 8;\n\tif (data->pin2.max_length == 0)\n\t\tdata->pin2.max_length = 8;\n\n\trv = iso_ops->pin_cmd(card, data, tries_left);\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 110217722918257014182321427742726906495,
- "size": 29,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270683
- },
- {
- "func": "iasecc_init_oberthur(struct sc_card *card)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned int flags;\n\tint rv = 0;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tflags = IASECC_CARD_DEFAULT_FLAGS;\n\n\t_sc_card_add_rsa_alg(card, 1024, flags, 0x10001);\n\t_sc_card_add_rsa_alg(card, 2048, flags, 0x10001);\n\n\tcard->caps = SC_CARD_CAP_RNG;\n\tcard->caps |= SC_CARD_CAP_APDU_EXT;\n\tcard->caps |= SC_CARD_CAP_USE_FCI_AC;\n\n\tiasecc_parse_ef_atr(card);\n\n\t/* if we fail to select CM, */\n\tif (gp_select_card_manager(card)) {\n\t\tgp_select_isd_rid(card);\n\t}\n\n\trv = iasecc_oberthur_match(card);\n\tLOG_TEST_RET(ctx, rv, \"unknown Oberthur's IAS/ECC card\");\n\n\trv = iasecc_select_mf(card, NULL);\n\tLOG_TEST_RET(ctx, rv, \"MF selection error\");\n\n\trv = iasecc_parse_ef_atr(card);\n\tLOG_TEST_RET(ctx, rv, \"EF.ATR read or parse error\");\n\n\tsc_log(ctx, \"EF.ATR(aid:'%s')\", sc_dump_hex(card->ef_atr->aid.value, card->ef_atr->aid.len));\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 241877578292856038970382487397898662950,
- "size": 36,
- "commit_id": "03628449b75a93787eb2359412a3980365dda49b",
- "message": "iasecc: fixed unbound recursion",
- "target": 0,
- "dataset": "other",
- "idx": 477388
- },
- {
- "func": "iasecc_erase_binary(struct sc_card *card, unsigned int offs, size_t count, unsigned long flags)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tunsigned char *tmp = NULL;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_log(ctx,\n\t \"iasecc_erase_binary(card:%p) count %\"SC_FORMAT_LEN_SIZE_T\"u\",\n\t card, count);\n\tif (!count)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, \"'ERASE BINARY' failed: invalid size to erase\");\n\n\ttmp = malloc(count);\n\tif (!tmp)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, \"Cannot allocate temporary buffer\");\n\tmemset(tmp, 0xFF, count);\n\n\trv = sc_update_binary(card, offs, tmp, count, flags);\n\tfree(tmp);\n\tLOG_TEST_RET(ctx, rv, \"iasecc_erase_binary() update binary error\");\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 286767445392702469437890767623375659064,
- "size": 23,
- "commit_id": "03628449b75a93787eb2359412a3980365dda49b",
- "message": "iasecc: fixed unbound recursion",
- "target": 0,
- "dataset": "other",
- "idx": 477391
- },
- {
- "func": "iasecc_pin_is_verified(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd_data,\n\t\tint *tries_left)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct sc_pin_cmd_data pin_cmd;\n struct sc_acl_entry acl = pin_cmd_data->pin1.acls[IASECC_ACLS_CHV_VERIFY];\n\tint rv = SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;\n\n\tLOG_FUNC_CALLED(ctx);\n\n\tif (pin_cmd_data->pin_type != SC_AC_CHV)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, \"PIN type is not supported for the verification\");\n\n\tsc_log(ctx, \"Verify ACL(method:%X;ref:%X)\", acl.method, acl.key_ref);\n\tif (acl.method != IASECC_SCB_ALWAYS)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_SECURITY_STATUS_NOT_SATISFIED);\n\n\tpin_cmd = *pin_cmd_data;\n\tpin_cmd.pin1.data = (unsigned char *)\"\";\n\tpin_cmd.pin1.len = 0;\n\n\trv = iasecc_chv_verify(card, &pin_cmd, tries_left);\n\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 56839879132402598366734645598041357512,
- "size": 25,
- "commit_id": "03628449b75a93787eb2359412a3980365dda49b",
- "message": "iasecc: fixed unbound recursion",
- "target": 0,
- "dataset": "other",
- "idx": 477397
- },
- {
- "func": "iasecc_delete_file(struct sc_card *card, const struct sc_path *path)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tconst struct sc_acl_entry *entry = NULL;\n\tstruct sc_apdu apdu;\n\tstruct sc_file *file = NULL;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tsc_print_cache(card);\n\n\trv = iasecc_select_file(card, path, &file);\n\tif (rv == SC_ERROR_FILE_NOT_FOUND)\n\t\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n\tLOG_TEST_RET(ctx, rv, \"Cannot select file to delete\");\n\n\tentry = sc_file_get_acl_entry(file, SC_AC_OP_DELETE);\n\tif (!entry)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_FOUND, \"Cannot delete file: no 'DELETE' acl\");\n\n\tsc_log(ctx, \"DELETE method/reference %X/%X\", entry->method, entry->key_ref);\n\tif (entry->method == SC_AC_SCB && (entry->key_ref & IASECC_SCB_METHOD_SM)) {\n\t\tunsigned char se_num = (entry->method == SC_AC_SCB) ? (entry->key_ref & IASECC_SCB_METHOD_MASK_REF) : 0;\n\t\trv = iasecc_sm_delete_file(card, se_num, file->id);\n\t}\n\telse {\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xE4, 0x00, 0x00);\n\n\t\trv = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(ctx, rv, \"APDU transmit failed\");\n\t\trv = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\t\tLOG_TEST_RET(ctx, rv, \"Delete file failed\");\n\n\t\tif (card->cache.valid)\n\t\t\tsc_file_free(card->cache.current_ef);\n\t\tcard->cache.current_ef = NULL;\n\t}\n\n\tsc_file_free(file);\n\tLOG_FUNC_RETURN(ctx, rv);\n}",
- "project": "OpenSC",
- "hash": 106435940525695054652280206737331373380,
- "size": 41,
- "commit_id": "03628449b75a93787eb2359412a3980365dda49b",
- "message": "iasecc: fixed unbound recursion",
- "target": 0,
- "dataset": "other",
- "idx": 477399
- },
- {
- "func": "iasecc_read_public_key(struct sc_card *card, unsigned type,\n\t\tstruct sc_path *key_path, unsigned ref, unsigned size,\n\t\tunsigned char **out, size_t *out_len)\n{\n\tstruct sc_context *ctx = card->ctx;\n\tstruct iasecc_sdo sdo;\n\tstruct sc_pkcs15_bignum bn[2];\n\tstruct sc_pkcs15_pubkey_rsa rsa_key;\n\tint rv;\n\n\tLOG_FUNC_CALLED(ctx);\n\tif (type != SC_ALGORITHM_RSA)\n\t\tLOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);\n\n\tsc_log(ctx, \"read public kay(ref:%i;size:%i)\", ref, size);\n\n\tmemset(&sdo, 0, sizeof(sdo));\n\tsdo.sdo_class = IASECC_SDO_CLASS_RSA_PUBLIC;\n\tsdo.sdo_ref = ref & ~IASECC_OBJECT_REF_LOCAL;\n\n\trv = iasecc_sdo_get_data(card, &sdo);\n\tLOG_TEST_RET(ctx, rv, \"failed to read public key: cannot get RSA SDO data\");\n\n\tif (out)\n\t\t*out = NULL;\n\tif (out_len)\n\t\t*out_len = 0;\n\n\tbn[0].data = (unsigned char *) malloc(sdo.data.pub_key.n.size);\n\tif (!bn[0].data)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, \"failed to read public key: cannot allocate modulus\");\n\tbn[0].len = sdo.data.pub_key.n.size;\n\tmemcpy(bn[0].data, sdo.data.pub_key.n.value, sdo.data.pub_key.n.size);\n\n\tbn[1].data = (unsigned char *) malloc(sdo.data.pub_key.e.size);\n\tif (!bn[1].data)\n\t\tLOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, \"failed to read public key: cannot allocate exponent\");\n\tbn[1].len = sdo.data.pub_key.e.size;\n\tmemcpy(bn[1].data, sdo.data.pub_key.e.value, sdo.data.pub_key.e.size);\n\n\trsa_key.modulus = bn[0];\n\trsa_key.exponent = bn[1];\n\n\trv = sc_pkcs15_encode_pubkey_rsa(ctx, &rsa_key, out, out_len);\n\tLOG_TEST_RET(ctx, rv, \"failed to read public key: cannot encode RSA public key\");\n\n\tif (out && out_len)\n\t\tsc_log(ctx, \"encoded public key: %s\", sc_dump_hex(*out, *out_len));\n\n\tif (bn[0].data)\n\t\tfree(bn[0].data);\n\tif (bn[1].data)\n\t\tfree(bn[1].data);\n\n\tiasecc_sdo_free_fields(card, &sdo);\n\n\tLOG_FUNC_RETURN(ctx, SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 249819631170925573129321638182432322482,
- "size": 58,
- "commit_id": "03628449b75a93787eb2359412a3980365dda49b",
- "message": "iasecc: fixed unbound recursion",
- "target": 0,
- "dataset": "other",
- "idx": 477409
- },
- {
- "func": "static int cardos_match_card(sc_card_t *card)\n{\n\tunsigned char atr[SC_MAX_ATR_SIZE];\n\tint i;\n\n\ti = _sc_match_atr(card, cardos_atrs, &card->type);\n\tif (i < 0)\n\t\treturn 0;\n\n\tmemcpy(atr, card->atr.value, sizeof(atr));\n\n\t/* Do not change card type for CIE! */\n\tif (card->type == SC_CARD_TYPE_CARDOS_CIE_V1)\n\t\treturn 1;\n\tif (card->type == SC_CARD_TYPE_CARDOS_M4_4)\n\t\treturn 1;\n\tif (card->type == SC_CARD_TYPE_CARDOS_V5_0)\n\t\treturn 1;\n\tif (card->type == SC_CARD_TYPE_CARDOS_V5_3)\n\t\treturn 1;\n\tif (card->type == SC_CARD_TYPE_CARDOS_M4_2) {\n\t\tint rv;\n\t\tsc_apdu_t apdu;\n\t\tu8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n\t\t/* first check some additional ATR bytes */\n\t\tif ((atr[4] != 0xff && atr[4] != 0x02) ||\n\t\t (atr[6] != 0x10 && atr[6] != 0x0a) ||\n\t\t (atr[9] != 0x55 && atr[9] != 0x58))\n\t\t\treturn 0;\n\t\t/* get the os version using GET DATA and compare it with\n\t\t * version in the ATR */\n\t\tsc_log(card->ctx, \"checking cardos version ...\");\n\t\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x82);\n\t\tapdu.resp = rbuf;\n\t\tapdu.resplen = sizeof(rbuf);\n\t\tapdu.le = 256;\n\t\tapdu.lc = 0;\n\t\trv = sc_transmit_apdu(card, &apdu);\n\t\tLOG_TEST_RET(card->ctx, rv, \"APDU transmit failed\");\n\t\tif (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)\n\t\t\treturn 0;\n\t\tif (apdu.resp[0] != atr[10] ||\n\t\t apdu.resp[1] != atr[11])\n\t\t\t/* version mismatch */\n\t\t\treturn 0;\n\t\tif (atr[11] <= 0x04) {\n\t\t\tsc_log(card->ctx, \"found cardos m4.01\");\n\t\t\tcard->type = SC_CARD_TYPE_CARDOS_M4_01;\n\t\t} else if (atr[11] == 0x08) {\n\t\t\tsc_log(card->ctx, \"found cardos v4.3b\");\n\t\t\tcard->type = SC_CARD_TYPE_CARDOS_M4_3;\n\t\t} else if (atr[11] == 0x09) {\n\t\t\tsc_log(card->ctx, \"found cardos v4.2b\");\n\t\t\tcard->type = SC_CARD_TYPE_CARDOS_M4_2B;\n\t\t} else if (atr[11] >= 0x0B) {\n\t\t\tsc_log(card->ctx, \"found cardos v4.2c or higher\");\n\t\t\tcard->type = SC_CARD_TYPE_CARDOS_M4_2C;\n\t\t} else 
{\n\t\t\tsc_log(card->ctx, \"found cardos m4.2\");\n\t\t}\n\t}\n\treturn 1;\n}",
- "project": "OpenSC",
- "hash": 32307202605202363560520887583044093580,
- "size": 63,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270685
- },
- {
- "func": "static int cardos_finish(sc_card_t *card)\n{\n\tint r = 0;\n\n\tif (card == NULL )\n\t\treturn 0;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\t/* free priv data */\n\tif (card->drv_data) { /* priv */\n\t\tfree(card->drv_data);\n\t\tcard->drv_data = NULL;\n\t}\n\n\tSC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);\n}",
- "project": "OpenSC",
- "hash": 244173873168509094839430270510823033122,
- "size": 17,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270682
- },
- {
- "func": "static int cardos_select_file(sc_card_t *card,\n\t\t\t const sc_path_t *in_path,\n\t\t\t sc_file_t **file)\n{\n\tint r;\n\t\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tr = iso_ops->select_file(card, in_path, file);\n\tif (r >= 0 && file)\n\t\tparse_sec_attr((*file), (*file)->sec_attr, (*file)->sec_attr_len);\n\tLOG_FUNC_RETURN(card->ctx, r);\n}",
- "project": "OpenSC",
- "hash": 220167332415412336103533624089271004879,
- "size": 12,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270699
- },
- {
- "func": "static int cardos_acl_to_bytes(sc_card_t *card, const sc_file_t *file,\n\tu8 *buf, size_t *outlen)\n{\n\tint i, byte;\n\tconst int *idx;\n\n\tif (buf == NULL || *outlen < 9)\n\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\n\tidx = (file->type == SC_FILE_TYPE_DF) ? df_acl : ef_acl;\n\tfor (i = 0; i < 9; i++) {\n\t\tif (idx[i] < 0)\n\t\t\tbyte = 0x00;\n\t\telse\n\t\t\tbyte = acl_to_byte(sc_file_get_acl_entry(file, idx[i]));\n\t\tif (byte < 0) {\n\t\t\tsc_log(card->ctx, \"Invalid ACL\\n\");\n\t\t\treturn SC_ERROR_INVALID_ARGUMENTS;\n\t\t}\n\t\tbuf[i] = byte;\n\t}\n\t*outlen = 9;\n\n\treturn SC_SUCCESS;\n}",
- "project": "OpenSC",
- "hash": 116603371760897077753850198424747802332,
- "size": 25,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270669
- },
- {
- "func": "static int tcos_delete_file(sc_card_t *card, const sc_path_t *path)\n{\n\tint r;\n\tu8 sbuf[2];\n\tsc_apdu_t apdu;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tif (path->type != SC_PATH_TYPE_FILE_ID && path->len != 2) {\n\t\tsc_log(card->ctx, \"File type has to be SC_PATH_TYPE_FILE_ID\\n\");\n\t\tLOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);\n\t}\n\tsbuf[0] = path->value[0];\n\tsbuf[1] = path->value[1];\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xE4, 0x00, 0x00);\n\tapdu.cla |= 0x80;\n\tapdu.lc = 2;\n\tapdu.datalen = 2;\n\tapdu.data = sbuf;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\treturn sc_check_sw(card, apdu.sw1, apdu.sw2);\n}",
- "project": "OpenSC",
- "hash": 321169854647165267216778895686755280248,
- "size": 23,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453696
- },
- {
- "func": "static int cardos_list_files(sc_card_t *card, u8 *buf, size_t buflen)\n{\n\tsc_apdu_t apdu;\n\tu8 rbuf[256], offset = 0;\n\tconst u8 *p = rbuf, *q;\n\tint r;\n\tsize_t fids = 0, len;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\t/* 0x16: DIRECTORY */\n\t/* 0x02: list both DF and EF */\n\nget_next_part:\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0x16, 0x02, offset);\n\tapdu.cla = 0x80;\n\tapdu.le = 256;\n\tapdu.resplen = 256;\n\tapdu.resp = rbuf;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, r, \"DIRECTORY command returned error\");\n\n\tif (apdu.resplen > 256) {\n\t\tsc_log(card->ctx, \"directory listing > 256 bytes, cutting\");\n\t}\n\n\tlen = apdu.resplen;\n\twhile (len != 0) {\n\t\tsize_t tlen = 0, ilen = 0;\n\t\t/* is there a file information block (0x6f) ? */\n\t\tp = sc_asn1_find_tag(card->ctx, p, len, 0x6f, &tlen);\n\t\tif (p == NULL) {\n\t\t\tsc_log(card->ctx, \"directory tag missing\");\n\t\t\treturn SC_ERROR_INTERNAL;\n\t\t}\n\t\tif (tlen == 0)\n\t\t\t/* empty directory */\n\t\t\tbreak;\n\t\tq = sc_asn1_find_tag(card->ctx, p, tlen, 0x86, &ilen);\n\t\tif (q == NULL || ilen != 2) {\n\t\t\tsc_log(card->ctx, \"error parsing file id TLV object\");\n\t\t\treturn SC_ERROR_INTERNAL;\n\t\t}\n\t\t/* put file id in buf */\n\t\tif (buflen >= 2) {\n\t\t\tbuf[fids++] = q[0];\n\t\t\tbuf[fids++] = q[1];\n\t\t\tbuflen -= 2;\n\t\t} else\n\t\t\t/* not enough space left in buffer => break */\n\t\t\tbreak;\n\t\t/* extract next offset */\n\t\tq = sc_asn1_find_tag(card->ctx, p, tlen, 0x8a, &ilen);\n\t\tif (q != NULL && ilen == 1) {\n\t\t\toffset = (u8)ilen;\n\t\t\tgoto get_next_part;\n\t\t}\n\t\tlen -= tlen + 2;\n\t\tp += tlen;\n\t}\n\n\tr = fids;\n\n\tLOG_FUNC_RETURN(card->ctx, r);\n}",
- "project": "OpenSC",
- "hash": 256535442528642757002930638413340543712,
- "size": 68,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270687
- },
- {
- "func": "static int cardos_add_algs(sc_card_t *card, unsigned long flags, unsigned long ec_flags, unsigned long ext_flags)\n{\n\n\tcardos_data_t * priv = (cardos_data_t *)card->drv_data;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\t_sc_card_add_rsa_alg(card, 512, flags, 0);\n\t_sc_card_add_rsa_alg(card, 768, flags, 0);\n\t_sc_card_add_rsa_alg(card, 1024, flags, 0);\n\tif (priv->rsa_2048 == 1) {\n\t\t_sc_card_add_rsa_alg(card, 1280, flags, 0);\n\t\t_sc_card_add_rsa_alg(card, 1536, flags, 0);\n\t\t_sc_card_add_rsa_alg(card, 1792, flags, 0);\n\t\t_sc_card_add_rsa_alg(card, 2048, flags, 0);\n\t}\n\n\tif (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {\n\t\t/* Starting with CardOS 5, the card supports PIN query commands */\n\t\tcard->caps |= SC_CARD_CAP_ISO7816_PIN_INFO;\n\t\t_sc_card_add_rsa_alg(card, 3072, flags, 0);\n\t\t_sc_card_add_rsa_alg(card, 4096, flags, 0);\n\t}\n\n\t/* TODO need to get sizes from supported_algos too */\n\tif (ec_flags != 0) {\n\t\t _sc_card_add_ec_alg(card, 256, ec_flags, priv->ext_flags, NULL);\n\t\t _sc_card_add_ec_alg(card, 384, ec_flags, priv->ext_flags, NULL);\n\t}\n\n\treturn 0;\n}",
- "project": "OpenSC",
- "hash": 64861983557475617371339454162084572131,
- "size": 32,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270686
- },
- {
- "func": "static int tcos_select_file(sc_card_t *card,\n const sc_path_t *in_path,\n sc_file_t **file_out)\n{\n\tsc_context_t *ctx;\n\tsc_apdu_t apdu;\n\tsc_file_t *file=NULL;\n\tu8 buf[SC_MAX_APDU_BUFFER_SIZE], pathbuf[SC_MAX_PATH_SIZE], *path = pathbuf;\n\tint r, pathlen;\n\n\tassert(card != NULL && in_path != NULL);\n\tctx=card->ctx;\n\tmemcpy(path, in_path->value, in_path->len);\n\tpathlen = in_path->len;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0, 0x04);\n\n\tswitch (in_path->type) {\n\tcase SC_PATH_TYPE_FILE_ID:\n\t\tif (pathlen != 2) return SC_ERROR_INVALID_ARGUMENTS;\n\t\t/* fall through */\n\tcase SC_PATH_TYPE_FROM_CURRENT:\n\t\tapdu.p1 = 9;\n\t\tbreak;\n\tcase SC_PATH_TYPE_DF_NAME:\n\t\tapdu.p1 = 4;\n\t\tbreak;\n\tcase SC_PATH_TYPE_PATH:\n\t\tapdu.p1 = 8;\n\t\tif (pathlen >= 2 && memcmp(path, \"\\x3F\\x00\", 2) == 0) path += 2, pathlen -= 2;\n\t\tif (pathlen == 0) apdu.p1 = 0;\n\t\tbreak;\n\tcase SC_PATH_TYPE_PARENT:\n\t\tapdu.p1 = 3;\n\t\tpathlen = 0;\n\t\tbreak;\n\tdefault:\n\t\tSC_FUNC_RETURN(ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);\n\t}\n\tif( pathlen == 0 ) apdu.cse = SC_APDU_CASE_2_SHORT;\n\n\tapdu.lc = pathlen;\n\tapdu.data = path;\n\tapdu.datalen = pathlen;\n\n\tif (file_out != NULL) {\n\t\tapdu.resp = buf;\n\t\tapdu.resplen = sizeof(buf);\n\t\tapdu.le = 256;\n\t} else {\n\t\tapdu.resplen = 0;\n\t\tapdu.le = 0;\n\t\tapdu.p2 = 0x0C;\n\t\tapdu.cse = (pathlen == 0) ? 
SC_APDU_CASE_1 : SC_APDU_CASE_3_SHORT;\n\t}\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(ctx, r, \"APDU transmit failed\");\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tif (r || file_out == NULL) SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_VERBOSE, r);\n\n\tif (apdu.resplen < 1 || apdu.resp[0] != 0x62) {\n\t\tsc_log(ctx, \"received invalid template %02X\\n\", apdu.resp[0]);\n\t\tSC_FUNC_RETURN(ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED);\n\t}\n\n\tfile = sc_file_new();\n\tif (file == NULL) LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);\n\t*file_out = file;\n\tfile->path = *in_path;\n\n\tiso_ops->process_fci(card, file, apdu.resp, apdu.resplen);\n\n\tparse_sec_attr(card, file, file->sec_attr, file->sec_attr_len);\n\n\treturn 0;\n}",
- "project": "OpenSC",
- "hash": 23889856979611356599779607889701841783,
- "size": 77,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453702
- },
- {
- "func": "static int cardos_have_2048bit_package(sc_card_t *card)\n{\n\tsc_apdu_t apdu;\n u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n int r;\n\tconst u8 *p = rbuf, *q;\n\tsize_t len, tlen = 0, ilen = 0;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.lc = 0;\n\tapdu.le = 256;\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif ((len = apdu.resplen) == 0)\n\t\t/* looks like no package has been installed */\n\t\treturn 0;\n\n\twhile (len != 0) {\n\t\tp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);\n\t\tif (p == NULL)\n\t\t\treturn 0;\n\t\tq = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);\n\t\tif (q == NULL || ilen != 4)\n\t\t\treturn 0;\n\t\tif (q[0] == 0x1c)\n\t\t\treturn 1;\n\t\tp += tlen;\n\t\tlen -= tlen + 2;\n\t}\n\n\treturn 0;\n}",
- "project": "OpenSC",
- "hash": 92357617617140958826267024638443033197,
- "size": 35,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 1,
- "dataset": "other",
- "idx": 198234
- },
- {
- "func": "static int cardos_have_2048bit_package(sc_card_t *card)\n{\n\tsc_apdu_t apdu;\n u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];\n int r;\n\tconst u8 *p = rbuf, *q, *pp;\n\tsize_t len, tlen = 0, ilen = 0;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);\n\tapdu.resp = rbuf;\n\tapdu.resplen = sizeof(rbuf);\n\tapdu.lc = 0;\n\tapdu.le = 256;\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tif ((len = apdu.resplen) == 0)\n\t\t/* looks like no package has been installed */\n\t\treturn 0;\n\n\twhile (len != 0) {\n\t\tpp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);\n\t\tif (pp == NULL)\n\t\t\treturn 0;\n\t\tq = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);\n\t\tif (q == NULL || ilen != 4)\n\t\t\treturn 0;\n\t\tif (q[0] == 0x1c)\n\t\t\treturn 1;\n\t\tp += tlen;\n\t\tlen -= tlen + 2;\n\t}\n\n\treturn 0;\n}",
- "project": "OpenSC",
- "hash": 331177212470604586059658277731450158649,
- "size": 35,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270673
- },
- {
- "func": "static void parse_sec_attr(sc_file_t *file, const u8 *buf, size_t len)\n{\n\tsize_t i;\n\tconst int *idx;\n\n\tidx = (file->type == SC_FILE_TYPE_DF) ? df_acl : ef_acl;\n\n\t/* acl defaults to 0xFF if unspecified */\n\tfor (i = 0; i < 9; i++)\n\t\tif (idx[i] != -1)\n\t\t\tadd_acl_entry(file, idx[i], (u8)((i < len) ? buf[i] : 0xFF));\n}",
- "project": "OpenSC",
- "hash": 163767943676078759362856467431489935218,
- "size": 12,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270681
- },
- {
- "func": "static void parse_sec_attr(sc_card_t *card,\n sc_file_t *file, const u8 *buf, size_t len)\n{\n\tunsigned int op;\n\n\t/* list directory is not covered by ACLs - so always add an entry */\n\tsc_file_add_acl_entry (file, SC_AC_OP_LIST_FILES,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t/* FIXME: check for what LOCK is used */\n\tsc_file_add_acl_entry (file, SC_AC_OP_LOCK,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\tfor (; len >= 6; len -= 6, buf += 6) {\n\t\t/* FIXME: temporary hacks */\n\t\tif (!memcmp(buf, \"\\xa4\\x00\\x00\\x00\\xff\\xff\", 6)) {/* select */\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_SELECT,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t} else if (!memcmp(buf, \"\\xb0\\x00\\x00\\x00\\xff\\xff\", 6)) {/*read*/\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_READ,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t} else if (!memcmp(buf, \"\\xd6\\x00\\x00\\x00\\xff\\xff\", 6)) {/*upd*/\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_UPDATE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t} else if (!memcmp(buf, \"\\x60\\x00\\x00\\x00\\xff\\xff\", 6)) {/*adm */\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_WRITE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_CREATE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_INVALIDATE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t\tsc_file_add_acl_entry (file, SC_AC_OP_REHABILITATE,\n SC_AC_NONE, SC_AC_KEY_REF_NONE);\n\t\t} else {\n\t\t\t/* the first byte tells use the command or the\n\t\t\t command group. 
We have to mask bit 0\n\t\t\t because this one distinguish between AND/OR\n\t\t\t combination of PINs*/\n\t\t\top = map_operations (buf[0]);\n\t\t\tif (op == (unsigned int)-1) {\n\t\t\t\tsc_log(card->ctx,\n\t\t\t\t\t\"Unknown security command byte %02x\\n\",\n\t\t\t\t\tbuf[0]);\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (!buf[1])\n\t\t\t\tsc_file_add_acl_entry (file, op,\n SC_AC_NONE,\n SC_AC_KEY_REF_NONE);\n\t\t\telse\n\t\t\t\tsc_file_add_acl_entry (file, op,\n SC_AC_CHV, buf[1]);\n\n\t\t\tif (!buf[2] && !buf[3])\n\t\t\t\tsc_file_add_acl_entry (file, op,\n SC_AC_NONE,\n SC_AC_KEY_REF_NONE);\n\t\t\telse\n\t\t\t\tsc_file_add_acl_entry (file, op,\n SC_AC_TERM,\n (buf[2]<<8)|buf[3]);\n\t\t}\n\t}\n}",
- "project": "OpenSC",
- "hash": 284667084980065280010456910650927112728,
- "size": 62,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453694
- },
- {
- "func": "oberthur_detect_card(struct sc_pkcs15_card * p15card)\n{\n\tstruct sc_card *card = p15card->card;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\tif (p15card->card->type != SC_CARD_TYPE_OBERTHUR_64K)\n\t\tLOG_FUNC_RETURN(p15card->card->ctx, SC_ERROR_WRONG_CARD);\n\tLOG_FUNC_RETURN(p15card->card->ctx, SC_SUCCESS);\n}",
- "project": "OpenSC",
- "hash": 1983533969969801423954953399161347915,
- "size": 9,
- "commit_id": "1db88374bb7706a115d5c3617c6f16115c33bf27",
- "message": "oberthur: Correctly check for return values\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843",
- "target": 0,
- "dataset": "other",
- "idx": 230101
- },
- {
- "func": "cardos_put_data_oci(sc_card_t *card,\n\t\t\tstruct sc_cardctl_cardos_obj_info *args)\n{\n\tsc_apdu_t\tapdu;\n\tint\t\tr;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\tmemset(&apdu, 0, sizeof(apdu));\n\tapdu.cse = SC_APDU_CASE_3_SHORT;\n\tapdu.cla = 0x00;\n\tapdu.ins = 0xda;\n\tapdu.p1 = 0x01;\n\tapdu.p2 = 0x6e;\n\tapdu.lc = args->len;\n\tapdu.data = args->data;\n\tapdu.datalen = args->len;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, r, \"Card returned error\");\n\n\tLOG_FUNC_RETURN(card->ctx, r);\n}",
- "project": "OpenSC",
- "hash": 50999835762767213036437079009335667961,
- "size": 26,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270676
- },
- {
- "func": "cardos_lifecycle_set(sc_card_t *card, int *mode)\n{\n\tsc_apdu_t\tapdu;\n\tint\t\tr;\n\n\tint current;\n\tint target;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\ttarget = *mode;\n\n\tr = cardos_lifecycle_get(card, ¤t);\n\t\n\tif (r != SC_SUCCESS)\n\t\treturn r;\n\n\tif (current == target || current == SC_CARDCTRL_LIFECYCLE_OTHER)\n\t\treturn SC_SUCCESS;\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x10, 0, 0);\n\tapdu.cla = 0x80;\n\tapdu.le = 0;\n\tapdu.resplen = 0;\n\tapdu.resp = NULL;\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, r, \"Card returned error\");\n\n\tLOG_FUNC_RETURN(card->ctx, r);\n}",
- "project": "OpenSC",
- "hash": 146465645650993959180142670245930613814,
- "size": 34,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270690
- },
- {
- "func": "cardos_restore_security_env(sc_card_t *card, int se_num)\n{\n\tsc_apdu_t apdu;\n\tint\tr;\n\n\tSC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);\n\n\tsc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x22, 0, se_num);\n\tapdu.p1 = (card->type == SC_CARD_TYPE_CARDOS_CIE_V1 ? 0xF3 : 0x03);\n\n\tr = sc_transmit_apdu(card, &apdu);\n\tLOG_TEST_RET(card->ctx, r, \"APDU transmit failed\");\n\n\tr = sc_check_sw(card, apdu.sw1, apdu.sw2);\n\tLOG_TEST_RET(card->ctx, r, \"Card returned error\");\n\n\tLOG_FUNC_RETURN(card->ctx, r);\n}",
- "project": "OpenSC",
- "hash": 317882808282407343140909309524103511340,
- "size": 18,
- "commit_id": "1252aca9f10771ef5ba8405e73cf2da50827958f",
- "message": "cardos: Correctly calculate the left bytes to avoid buffer overrun\n\nThanks oss-fuzz\n\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912",
- "target": 0,
- "dataset": "other",
- "idx": 270694
- },
- {
- "func": "static unsigned int map_operations (int commandbyte)\n{\n\tunsigned int op = (unsigned int)-1;\n\n\tswitch ( (commandbyte & 0xfe) ) {\n\t\tcase 0xe2: /* append record */ op = SC_AC_OP_UPDATE; break;\n\t\tcase 0x24: /* change password */ op = SC_AC_OP_UPDATE; break;\n\t\tcase 0xe0: /* create */ op = SC_AC_OP_CREATE; break;\n\t\tcase 0xe4: /* delete */ op = SC_AC_OP_DELETE; break;\n\t\tcase 0xe8: /* exclude sfi */ op = SC_AC_OP_WRITE; break;\n\t\tcase 0x82: /* external auth */ op = SC_AC_OP_READ; break;\n\t\tcase 0xe6: /* include sfi */ op = SC_AC_OP_WRITE; break;\n\t\tcase 0x88: /* internal auth */ op = SC_AC_OP_READ; break;\n\t\tcase 0x04: /* invalidate */ op = SC_AC_OP_INVALIDATE; break;\n\t\tcase 0x2a: /* perform sec. op */ op = SC_AC_OP_SELECT; break;\n\t\tcase 0xb0: /* read binary */ op = SC_AC_OP_READ; break;\n\t\tcase 0xb2: /* read record */ op = SC_AC_OP_READ; break;\n\t\tcase 0x44: /* rehabilitate */ op = SC_AC_OP_REHABILITATE; break;\n\t\tcase 0xa4: /* select */ op = SC_AC_OP_SELECT; break;\n\t\tcase 0xee: /* set permanent */ op = SC_AC_OP_CREATE; break;\n\t\tcase 0x2c: /* unblock password */op = SC_AC_OP_WRITE; break;\n\t\tcase 0xd6: /* update binary */ op = SC_AC_OP_WRITE; break;\n\t\tcase 0xdc: /* update record */ op = SC_AC_OP_WRITE; break;\n\t\tcase 0x20: /* verify password */ op = SC_AC_OP_SELECT; break;\n\t\tcase 0x60: /* admin group */ op = SC_AC_OP_CREATE; break;\n\t}\n\treturn op;\n}",
- "project": "OpenSC",
- "hash": 107567217371536538402704324989314269568,
- "size": 28,
- "commit_id": "9d294de90d1cc66956389856e60b6944b27b4817",
- "message": "prevent out of bounds write\n\nfixes https://oss-fuzz.com/testcase-detail/5226571123392512",
- "target": 0,
- "dataset": "other",
- "idx": 453693
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "clear_decompress",
- "clear_decompress_glyph_data",
- "convert_color"
- ],
- "group_size": 15,
- "functions": [
- {
- "func": "static BOOL clear_decompress_nscodec(NSC_CONTEXT* nsc, UINT32 width, UINT32 height, wStream* s,\n UINT32 bitmapDataByteCount, BYTE* pDstData, UINT32 DstFormat,\n UINT32 nDstStep, UINT32 nXDstRel, UINT32 nYDstRel)\n{\n\tBOOL rc;\n\n\tif (Stream_GetRemainingLength(s) < bitmapDataByteCount)\n\t{\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [%\" PRIu32 \" expected]\",\n\t\t Stream_GetRemainingLength(s), bitmapDataByteCount);\n\t\treturn FALSE;\n\t}\n\n\trc = nsc_process_message(nsc, 32, width, height, Stream_Pointer(s), bitmapDataByteCount,\n\t pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel, width, height,\n\t FREERDP_FLIP_NONE);\n\tStream_Seek(s, bitmapDataByteCount);\n\treturn rc;\n}",
- "project": "FreeRDP",
- "hash": 2561498304080266048116044689734629889,
- "size": 19,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448693
- },
- {
- "func": "CLEAR_CONTEXT* clear_context_new(BOOL Compressor)\n{\n\tCLEAR_CONTEXT* clear;\n\tclear = (CLEAR_CONTEXT*)calloc(1, sizeof(CLEAR_CONTEXT));\n\n\tif (!clear)\n\t\treturn NULL;\n\n\tclear->Compressor = Compressor;\n\tclear->nsc = nsc_context_new();\n\n\tif (!clear->nsc)\n\t\tgoto error_nsc;\n\n\tif (!updateContextFormat(clear, PIXEL_FORMAT_BGRX32))\n\t\tgoto error_nsc;\n\n\tif (!clear_resize_buffer(clear, 512, 512))\n\t\tgoto error_nsc;\n\n\tif (!clear->TempBuffer)\n\t\tgoto error_nsc;\n\n\tif (!clear_context_reset(clear))\n\t\tgoto error_nsc;\n\n\treturn clear;\nerror_nsc:\n\tclear_context_free(clear);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 244644863767852592835138564581886404642,
- "size": 31,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448687
- },
- {
- "func": "static BOOL clear_decompress_bands_data(CLEAR_CONTEXT* clear, wStream* s, UINT32 bandsByteCount,\n UINT32 nWidth, UINT32 nHeight, BYTE* pDstData,\n UINT32 DstFormat, UINT32 nDstStep, UINT32 nXDst,\n UINT32 nYDst)\n{\n\tUINT32 i, y;\n\tUINT32 count;\n\tUINT32 suboffset;\n\tUINT32 nXDstRel;\n\tUINT32 nYDstRel;\n\n\tif (Stream_GetRemainingLength(s) < bandsByteCount)\n\t{\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [11 expected]\", Stream_GetRemainingLength(s));\n\t\treturn FALSE;\n\t}\n\n\tsuboffset = 0;\n\n\twhile (suboffset < bandsByteCount)\n\t{\n\t\tBYTE r, g, b;\n\t\tUINT16 xStart;\n\t\tUINT16 xEnd;\n\t\tUINT16 yStart;\n\t\tUINT16 yEnd;\n\t\tUINT32 colorBkg;\n\t\tUINT16 vBarHeader;\n\t\tUINT16 vBarYOn;\n\t\tUINT16 vBarYOff;\n\t\tUINT32 vBarCount;\n\t\tUINT32 vBarPixelCount;\n\t\tUINT32 vBarShortPixelCount;\n\n\t\tif (Stream_GetRemainingLength(s) < 11)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [11 expected]\", Stream_GetRemainingLength(s));\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tStream_Read_UINT16(s, xStart);\n\t\tStream_Read_UINT16(s, xEnd);\n\t\tStream_Read_UINT16(s, yStart);\n\t\tStream_Read_UINT16(s, yEnd);\n\t\tStream_Read_UINT8(s, b);\n\t\tStream_Read_UINT8(s, g);\n\t\tStream_Read_UINT8(s, r);\n\t\tsuboffset += 11;\n\t\tcolorBkg = FreeRDPGetColor(clear->format, r, g, b, 0xFF);\n\n\t\tif (xEnd < xStart)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"xEnd %\" PRIu16 \" < xStart %\" PRIu16 \"\", xEnd, xStart);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tif (yEnd < yStart)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"yEnd %\" PRIu16 \" < yStart %\" PRIu16 \"\", yEnd, yStart);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tvBarCount = (xEnd - xStart) + 1;\n\n\t\tfor (i = 0; i < vBarCount; i++)\n\t\t{\n\t\t\tUINT32 vBarHeight;\n\t\t\tCLEAR_VBAR_ENTRY* vBarEntry = NULL;\n\t\t\tCLEAR_VBAR_ENTRY* vBarShortEntry;\n\t\t\tBOOL vBarUpdate = FALSE;\n\t\t\tconst BYTE* pSrcPixel;\n\n\t\t\tif (Stream_GetRemainingLength(s) < 2)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [2 expected]\", 
Stream_GetRemainingLength(s));\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tStream_Read_UINT16(s, vBarHeader);\n\t\t\tsuboffset += 2;\n\t\t\tvBarHeight = (yEnd - yStart + 1);\n\n\t\t\tif (vBarHeight > 52)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"vBarHeight (%\" PRIu32 \") > 52\", vBarHeight);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tif ((vBarHeader & 0xC000) == 0x4000) /* SHORT_VBAR_CACHE_HIT */\n\t\t\t{\n\t\t\t\tconst UINT16 vBarIndex = (vBarHeader & 0x3FFF);\n\t\t\t\tvBarShortEntry = &(clear->ShortVBarStorage[vBarIndex]);\n\n\t\t\t\tif (!vBarShortEntry)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"missing vBarShortEntry %\" PRIu16 \"\", vBarIndex);\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tif (Stream_GetRemainingLength(s) < 1)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [1 expected]\",\n\t\t\t\t\t Stream_GetRemainingLength(s));\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tStream_Read_UINT8(s, vBarYOn);\n\t\t\t\tsuboffset += 1;\n\t\t\t\tvBarShortPixelCount = vBarShortEntry->count;\n\t\t\t\tvBarUpdate = TRUE;\n\t\t\t}\n\t\t\telse if ((vBarHeader & 0xC000) == 0x0000) /* SHORT_VBAR_CACHE_MISS */\n\t\t\t{\n\t\t\t\tvBarYOn = (vBarHeader & 0xFF);\n\t\t\t\tvBarYOff = ((vBarHeader >> 8) & 0x3F);\n\n\t\t\t\tif (vBarYOff < vBarYOn)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"vBarYOff %\" PRIu16 \" < vBarYOn %\" PRIu16 \"\", vBarYOff, vBarYOn);\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tvBarShortPixelCount = (vBarYOff - vBarYOn);\n\n\t\t\t\tif (vBarShortPixelCount > 52)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"vBarShortPixelCount %\" PRIu32 \" > 52\", vBarShortPixelCount);\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tif (Stream_GetRemainingLength(s) < (vBarShortPixelCount * 3))\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [%\" PRIu32 \" expected]\",\n\t\t\t\t\t Stream_GetRemainingLength(s), (vBarShortPixelCount * 3));\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tif (clear->ShortVBarStorageCursor >= 
CLEARCODEC_VBAR_SHORT_SIZE)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG,\n\t\t\t\t\t \"clear->ShortVBarStorageCursor %\" PRIu32\n\t\t\t\t\t \" >= CLEARCODEC_VBAR_SHORT_SIZE (%\" PRIu32 \")\",\n\t\t\t\t\t clear->ShortVBarStorageCursor, CLEARCODEC_VBAR_SHORT_SIZE);\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tvBarShortEntry = &(clear->ShortVBarStorage[clear->ShortVBarStorageCursor]);\n\t\t\t\tvBarShortEntry->count = vBarShortPixelCount;\n\n\t\t\t\tif (!resize_vbar_entry(clear, vBarShortEntry))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tfor (y = 0; y < vBarShortPixelCount; y++)\n\t\t\t\t{\n\t\t\t\t\tBYTE r, g, b;\n\t\t\t\t\tBYTE* dstBuffer = &vBarShortEntry->pixels[y * GetBytesPerPixel(clear->format)];\n\t\t\t\t\tUINT32 color;\n\t\t\t\t\tStream_Read_UINT8(s, b);\n\t\t\t\t\tStream_Read_UINT8(s, g);\n\t\t\t\t\tStream_Read_UINT8(s, r);\n\t\t\t\t\tcolor = FreeRDPGetColor(clear->format, r, g, b, 0xFF);\n\n\t\t\t\t\tif (!WriteColor(dstBuffer, clear->format, color))\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tsuboffset += (vBarShortPixelCount * 3);\n\t\t\t\tclear->ShortVBarStorageCursor =\n\t\t\t\t (clear->ShortVBarStorageCursor + 1) % CLEARCODEC_VBAR_SHORT_SIZE;\n\t\t\t\tvBarUpdate = TRUE;\n\t\t\t}\n\t\t\telse if ((vBarHeader & 0x8000) == 0x8000) /* VBAR_CACHE_HIT */\n\t\t\t{\n\t\t\t\tconst UINT16 vBarIndex = (vBarHeader & 0x7FFF);\n\t\t\t\tvBarEntry = &(clear->VBarStorage[vBarIndex]);\n\n\t\t\t\t/* If the cache was reset we need to fill in some dummy data. 
*/\n\t\t\t\tif (vBarEntry->size == 0)\n\t\t\t\t{\n\t\t\t\t\tWLog_WARN(TAG, \"Empty cache index %\" PRIu16 \", filling dummy data\", vBarIndex);\n\t\t\t\t\tvBarEntry->count = vBarHeight;\n\n\t\t\t\t\tif (!resize_vbar_entry(clear, vBarEntry))\n\t\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"invalid vBarHeader 0x%04\" PRIX16 \"\", vBarHeader);\n\t\t\t\treturn FALSE; /* invalid vBarHeader */\n\t\t\t}\n\n\t\t\tif (vBarUpdate)\n\t\t\t{\n\t\t\t\tUINT32 x;\n\t\t\t\tBYTE* pSrcPixel;\n\t\t\t\tBYTE* dstBuffer;\n\n\t\t\t\tif (clear->VBarStorageCursor >= CLEARCODEC_VBAR_SIZE)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG,\n\t\t\t\t\t \"clear->VBarStorageCursor %\" PRIu32 \" >= CLEARCODEC_VBAR_SIZE %\" PRIu32\n\t\t\t\t\t \"\",\n\t\t\t\t\t clear->VBarStorageCursor, CLEARCODEC_VBAR_SIZE);\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tvBarEntry = &(clear->VBarStorage[clear->VBarStorageCursor]);\n\t\t\t\tvBarPixelCount = vBarHeight;\n\t\t\t\tvBarEntry->count = vBarPixelCount;\n\n\t\t\t\tif (!resize_vbar_entry(clear, vBarEntry))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tdstBuffer = vBarEntry->pixels;\n\t\t\t\t/* if (y < vBarYOn), use colorBkg */\n\t\t\t\ty = 0;\n\t\t\t\tcount = vBarYOn;\n\n\t\t\t\tif ((y + count) > vBarPixelCount)\n\t\t\t\t\tcount = (vBarPixelCount > y) ? (vBarPixelCount - y) : 0;\n\n\t\t\t\twhile (count--)\n\t\t\t\t{\n\t\t\t\t\tWriteColor(dstBuffer, clear->format, colorBkg);\n\t\t\t\t\tdstBuffer += GetBytesPerPixel(clear->format);\n\t\t\t\t}\n\n\t\t\t\t/*\n\t\t\t\t * if ((y >= vBarYOn) && (y < (vBarYOn + vBarShortPixelCount))),\n\t\t\t\t * use vBarShortPixels at index (y - shortVBarYOn)\n\t\t\t\t */\n\t\t\t\ty = vBarYOn;\n\t\t\t\tcount = vBarShortPixelCount;\n\n\t\t\t\tif ((y + count) > vBarPixelCount)\n\t\t\t\t\tcount = (vBarPixelCount > y) ? 
(vBarPixelCount - y) : 0;\n\n\t\t\t\tpSrcPixel =\n\t\t\t\t &vBarShortEntry->pixels[(y - vBarYOn) * GetBytesPerPixel(clear->format)];\n\n\t\t\t\tfor (x = 0; x < count; x++)\n\t\t\t\t{\n\t\t\t\t\tUINT32 color;\n\t\t\t\t\tcolor =\n\t\t\t\t\t ReadColor(&pSrcPixel[x * GetBytesPerPixel(clear->format)], clear->format);\n\n\t\t\t\t\tif (!WriteColor(dstBuffer, clear->format, color))\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tdstBuffer += GetBytesPerPixel(clear->format);\n\t\t\t\t}\n\n\t\t\t\t/* if (y >= (vBarYOn + vBarShortPixelCount)), use colorBkg */\n\t\t\t\ty = vBarYOn + vBarShortPixelCount;\n\t\t\t\tcount = (vBarPixelCount > y) ? (vBarPixelCount - y) : 0;\n\n\t\t\t\twhile (count--)\n\t\t\t\t{\n\t\t\t\t\tif (!WriteColor(dstBuffer, clear->format, colorBkg))\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tdstBuffer += GetBytesPerPixel(clear->format);\n\t\t\t\t}\n\n\t\t\t\tvBarEntry->count = vBarPixelCount;\n\t\t\t\tclear->VBarStorageCursor = (clear->VBarStorageCursor + 1) % CLEARCODEC_VBAR_SIZE;\n\t\t\t}\n\n\t\t\tif (vBarEntry->count != vBarHeight)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"vBarEntry->count %\" PRIu32 \" != vBarHeight %\" PRIu32 \"\",\n\t\t\t\t vBarEntry->count, vBarHeight);\n\t\t\t\tvBarEntry->count = vBarHeight;\n\n\t\t\t\tif (!resize_vbar_entry(clear, vBarEntry))\n\t\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tnXDstRel = nXDst + xStart;\n\t\t\tnYDstRel = nYDst + yStart;\n\t\t\tpSrcPixel = vBarEntry->pixels;\n\n\t\t\tif (i < nWidth)\n\t\t\t{\n\t\t\t\tcount = vBarEntry->count;\n\n\t\t\t\tif (count > nHeight)\n\t\t\t\t\tcount = nHeight;\n\n\t\t\t\tfor (y = 0; y < count; y++)\n\t\t\t\t{\n\t\t\t\t\tBYTE* pDstPixel8 = &pDstData[((nYDstRel + y) * nDstStep) +\n\t\t\t\t\t ((nXDstRel + i) * GetBytesPerPixel(DstFormat))];\n\t\t\t\t\tUINT32 color = ReadColor(pSrcPixel, clear->format);\n\t\t\t\t\tcolor = FreeRDPConvertColor(color, clear->format, DstFormat, NULL);\n\n\t\t\t\t\tif (!WriteColor(pDstPixel8, DstFormat, color))\n\t\t\t\t\t\treturn FALSE;\n\n\t\t\t\t\tpSrcPixel += 
GetBytesPerPixel(clear->format);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 87336701581291969550785912604100068766,
- "size": 308,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448697
- },
- {
- "func": "static BOOL clear_decompress_glyph_data(CLEAR_CONTEXT* clear, wStream* s, UINT32 glyphFlags,\n UINT32 nWidth, UINT32 nHeight, BYTE* pDstData,\n UINT32 DstFormat, UINT32 nDstStep, UINT32 nXDst,\n UINT32 nYDst, UINT32 nDstWidth, UINT32 nDstHeight,\n const gdiPalette* palette, BYTE** ppGlyphData)\n{\n\tUINT16 glyphIndex = 0;\n\n\tif (ppGlyphData)\n\t\t*ppGlyphData = NULL;\n\n\tif ((glyphFlags & CLEARCODEC_FLAG_GLYPH_HIT) && !(glyphFlags & CLEARCODEC_FLAG_GLYPH_INDEX))\n\t{\n\t\tWLog_ERR(TAG, \"Invalid glyph flags %08\" PRIX32 \"\", glyphFlags);\n\t\treturn FALSE;\n\t}\n\n\tif ((glyphFlags & CLEARCODEC_FLAG_GLYPH_INDEX) == 0)\n\t\treturn TRUE;\n\n\tif ((nWidth * nHeight) > (1024 * 1024))\n\t{\n\t\tWLog_ERR(TAG, \"glyph too large: %\" PRIu32 \"x%\" PRIu32 \"\", nWidth, nHeight);\n\t\treturn FALSE;\n\t}\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t{\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [2 expected]\", Stream_GetRemainingLength(s));\n\t\treturn FALSE;\n\t}\n\n\tStream_Read_UINT16(s, glyphIndex);\n\n\tif (glyphIndex >= 4000)\n\t{\n\t\tWLog_ERR(TAG, \"Invalid glyphIndex %\" PRIu16 \"\", glyphIndex);\n\t\treturn FALSE;\n\t}\n\n\tif (glyphFlags & CLEARCODEC_FLAG_GLYPH_HIT)\n\t{\n\t\tUINT32 nSrcStep;\n\t\tCLEAR_GLYPH_ENTRY* glyphEntry = &(clear->GlyphCache[glyphIndex]);\n\t\tBYTE* glyphData;\n\n\t\tif (!glyphEntry)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"clear->GlyphCache[%\" PRIu16 \"]=NULL\", glyphIndex);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tglyphData = (BYTE*)glyphEntry->pixels;\n\n\t\tif (!glyphData)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"clear->GlyphCache[%\" PRIu16 \"]->pixels=NULL\", glyphIndex);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tif ((nWidth * nHeight) > glyphEntry->count)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"(nWidth %\" PRIu32 \" * nHeight %\" PRIu32 \") > glyphEntry->count %\" PRIu32 \"\",\n\t\t\t nWidth, nHeight, glyphEntry->count);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tnSrcStep = nWidth * GetBytesPerPixel(clear->format);\n\t\treturn convert_color(pDstData, nDstStep, 
DstFormat, nXDst, nYDst, nWidth, nHeight,\n\t\t glyphData, nSrcStep, clear->format, nDstWidth, nDstHeight, palette);\n\t}\n\n\tif (glyphFlags & CLEARCODEC_FLAG_GLYPH_INDEX)\n\t{\n\t\tconst UINT32 bpp = GetBytesPerPixel(clear->format);\n\t\tCLEAR_GLYPH_ENTRY* glyphEntry = &(clear->GlyphCache[glyphIndex]);\n\t\tglyphEntry->count = nWidth * nHeight;\n\n\t\tif (glyphEntry->count > glyphEntry->size)\n\t\t{\n\t\t\tBYTE* tmp;\n\t\t\ttmp = realloc(glyphEntry->pixels, glyphEntry->count * bpp);\n\n\t\t\tif (!tmp)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"glyphEntry->pixels realloc %\" PRIu32 \" failed!\",\n\t\t\t\t glyphEntry->count * bpp);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tglyphEntry->size = glyphEntry->count;\n\t\t\tglyphEntry->pixels = (UINT32*)tmp;\n\t\t}\n\n\t\tif (!glyphEntry->pixels)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"glyphEntry->pixels=NULL\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tif (ppGlyphData)\n\t\t\t*ppGlyphData = (BYTE*)glyphEntry->pixels;\n\n\t\treturn TRUE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 283254231141467108277168564924404272897,
- "size": 109,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448696
- },
- {
- "func": "void clear_context_free(CLEAR_CONTEXT* clear)\n{\n\tint i;\n\n\tif (!clear)\n\t\treturn;\n\n\tnsc_context_free(clear->nsc);\n\tfree(clear->TempBuffer);\n\n\tfor (i = 0; i < 4000; i++)\n\t\tfree(clear->GlyphCache[i].pixels);\n\n\tfor (i = 0; i < 32768; i++)\n\t\tfree(clear->VBarStorage[i].pixels);\n\n\tfor (i = 0; i < 16384; i++)\n\t\tfree(clear->ShortVBarStorage[i].pixels);\n\n\tfree(clear);\n}",
- "project": "FreeRDP",
- "hash": 116257062296696634205420506715336677175,
- "size": 21,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448690
- },
- {
- "func": "BOOL clear_context_reset(CLEAR_CONTEXT* clear)\n{\n\tif (!clear)\n\t\treturn FALSE;\n\n\tclear->seqNumber = 0;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 20768051255935120331692178107164808422,
- "size": 8,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448700
- },
- {
- "func": "static INLINE BOOL updateContextFormat(CLEAR_CONTEXT* clear, UINT32 DstFormat)\n{\n\tif (!clear || !clear->nsc)\n\t\treturn FALSE;\n\n\tclear->format = DstFormat;\n\treturn nsc_context_set_pixel_format(clear->nsc, DstFormat);\n}",
- "project": "FreeRDP",
- "hash": 227090566798061984309643416810198251718,
- "size": 8,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448698
- },
- {
- "func": "static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height)\n{\n\tUINT32 size;\n\n\tif (!clear)\n\t\treturn FALSE;\n\n\tsize = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format));\n\n\tif (size > clear->TempSize)\n\t{\n\t\tBYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size);\n\n\t\tif (!tmp)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"clear->TempBuffer realloc failed for %\" PRIu32 \" bytes\", size);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tclear->TempSize = size;\n\t\tclear->TempBuffer = tmp;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 108165721946250695003546590227162442804,
- "size": 25,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448689
- },
- {
- "func": "static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount, UINT32 width,\n UINT32 height, BYTE* pDstData, UINT32 DstFormat,\n UINT32 nDstStep, UINT32 nXDstRel, UINT32 nYDstRel,\n UINT32 nDstWidth, UINT32 nDstHeight)\n{\n\tUINT32 x = 0, y = 0;\n\tUINT32 i;\n\tUINT32 pixelCount;\n\tUINT32 bitmapDataOffset;\n\tUINT32 pixelIndex;\n\tUINT32 numBits;\n\tBYTE startIndex;\n\tBYTE stopIndex;\n\tBYTE suiteIndex;\n\tBYTE suiteDepth;\n\tBYTE paletteCount;\n\tUINT32 palette[128] = { 0 };\n\n\tif (Stream_GetRemainingLength(s) < bitmapDataByteCount)\n\t{\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [%\" PRIu32 \" expected]\",\n\t\t Stream_GetRemainingLength(s), bitmapDataByteCount);\n\t\treturn FALSE;\n\t}\n\n\tStream_Read_UINT8(s, paletteCount);\n\tbitmapDataOffset = 1 + (paletteCount * 3);\n\n\tif ((paletteCount > 127) || (paletteCount < 1))\n\t{\n\t\tWLog_ERR(TAG, \"paletteCount %\" PRIu8 \"\", paletteCount);\n\t\treturn FALSE;\n\t}\n\n\tfor (i = 0; i < paletteCount; i++)\n\t{\n\t\tBYTE r, g, b;\n\t\tStream_Read_UINT8(s, b);\n\t\tStream_Read_UINT8(s, g);\n\t\tStream_Read_UINT8(s, r);\n\t\tpalette[i] = FreeRDPGetColor(DstFormat, r, g, b, 0xFF);\n\t}\n\n\tpixelIndex = 0;\n\tpixelCount = width * height;\n\tnumBits = CLEAR_LOG2_FLOOR[paletteCount - 1] + 1;\n\n\twhile (bitmapDataOffset < bitmapDataByteCount)\n\t{\n\t\tUINT32 tmp;\n\t\tUINT32 color;\n\t\tUINT32 runLengthFactor;\n\n\t\tif (Stream_GetRemainingLength(s) < 2)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [2 expected]\", Stream_GetRemainingLength(s));\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tStream_Read_UINT8(s, tmp);\n\t\tStream_Read_UINT8(s, runLengthFactor);\n\t\tbitmapDataOffset += 2;\n\t\tsuiteDepth = (tmp >> numBits) & CLEAR_8BIT_MASKS[(8 - numBits)];\n\t\tstopIndex = tmp & CLEAR_8BIT_MASKS[numBits];\n\t\tstartIndex = stopIndex - suiteDepth;\n\n\t\tif (runLengthFactor >= 0xFF)\n\t\t{\n\t\t\tif (Stream_GetRemainingLength(s) < 2)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"stream short 
%\" PRIuz \" [2 expected]\", Stream_GetRemainingLength(s));\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tStream_Read_UINT16(s, runLengthFactor);\n\t\t\tbitmapDataOffset += 2;\n\n\t\t\tif (runLengthFactor >= 0xFFFF)\n\t\t\t{\n\t\t\t\tif (Stream_GetRemainingLength(s) < 4)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [4 expected]\",\n\t\t\t\t\t Stream_GetRemainingLength(s));\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tStream_Read_UINT32(s, runLengthFactor);\n\t\t\t\tbitmapDataOffset += 4;\n\t\t\t}\n\t\t}\n\n\t\tif (startIndex >= paletteCount)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"startIndex %\" PRIu8 \" > paletteCount %\" PRIu8 \"]\", startIndex,\n\t\t\t paletteCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tif (stopIndex >= paletteCount)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"stopIndex %\" PRIu8 \" > paletteCount %\" PRIu8 \"]\", stopIndex,\n\t\t\t paletteCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tsuiteIndex = startIndex;\n\n\t\tif (suiteIndex > 127)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"suiteIndex %\" PRIu8 \" > 127]\", suiteIndex);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tcolor = palette[suiteIndex];\n\n\t\tif ((pixelIndex + runLengthFactor) > pixelCount)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"pixelIndex %\" PRIu32 \" + runLengthFactor %\" PRIu32 \" > pixelCount %\" PRIu32\n\t\t\t \"\",\n\t\t\t pixelIndex, runLengthFactor, pixelCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tfor (i = 0; i < runLengthFactor; i++)\n\t\t{\n\t\t\tBYTE* pTmpData =\n\t\t\t &pDstData[(nXDstRel + x) * GetBytesPerPixel(DstFormat) + (nYDstRel + y) * nDstStep];\n\n\t\t\tif ((nXDstRel + x < nDstWidth) && (nYDstRel + y < nDstHeight))\n\t\t\t\tWriteColor(pTmpData, DstFormat, color);\n\n\t\t\tif (++x >= width)\n\t\t\t{\n\t\t\t\ty++;\n\t\t\t\tx = 0;\n\t\t\t}\n\t\t}\n\n\t\tpixelIndex += runLengthFactor;\n\n\t\tif ((pixelIndex + (suiteDepth + 1)) > pixelCount)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"pixelIndex %\" PRIu32 \" + suiteDepth %\" PRIu8 \" + 1 > pixelCount %\" PRIu32 \"\",\n\t\t\t pixelIndex, suiteDepth, 
pixelCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tfor (i = 0; i <= suiteDepth; i++)\n\t\t{\n\t\t\tBYTE* pTmpData =\n\t\t\t &pDstData[(nXDstRel + x) * GetBytesPerPixel(DstFormat) + (nYDstRel + y) * nDstStep];\n\t\t\tUINT32 color = palette[suiteIndex];\n\n\t\t\tif (suiteIndex > 127)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"suiteIndex %\" PRIu8 \" > 127\", suiteIndex);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tsuiteIndex++;\n\n\t\t\tif ((nXDstRel + x < nDstWidth) && (nYDstRel + y < nDstHeight))\n\t\t\t\tWriteColor(pTmpData, DstFormat, color);\n\n\t\t\tif (++x >= width)\n\t\t\t{\n\t\t\t\ty++;\n\t\t\t\tx = 0;\n\t\t\t}\n\t\t}\n\n\t\tpixelIndex += (suiteDepth + 1);\n\t}\n\n\tif (pixelIndex != pixelCount)\n\t{\n\t\tWLog_ERR(TAG, \"pixelIndex %\" PRIu32 \" != pixelCount %\" PRIu32 \"\", pixelIndex, pixelCount);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 145478480184200339868644033923186345312,
- "size": 184,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 1,
- "dataset": "other",
- "idx": 211489
- },
- {
- "func": "static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount, UINT32 width,\n UINT32 height, BYTE* pDstData, UINT32 DstFormat,\n UINT32 nDstStep, UINT32 nXDstRel, UINT32 nYDstRel,\n UINT32 nDstWidth, UINT32 nDstHeight)\n{\n\tUINT32 x = 0, y = 0;\n\tUINT32 i;\n\tUINT32 pixelCount;\n\tUINT32 bitmapDataOffset;\n\tsize_t pixelIndex;\n\tUINT32 numBits;\n\tBYTE startIndex;\n\tBYTE stopIndex;\n\tBYTE suiteIndex;\n\tBYTE suiteDepth;\n\tBYTE paletteCount;\n\tUINT32 palette[128] = { 0 };\n\n\tif (Stream_GetRemainingLength(s) < bitmapDataByteCount)\n\t{\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [%\" PRIu32 \" expected]\",\n\t\t Stream_GetRemainingLength(s), bitmapDataByteCount);\n\t\treturn FALSE;\n\t}\n\n\tif (Stream_GetRemainingLength(s) < 1)\n\t\treturn FALSE;\n\tStream_Read_UINT8(s, paletteCount);\n\tbitmapDataOffset = 1 + (paletteCount * 3);\n\n\tif ((paletteCount > 127) || (paletteCount < 1))\n\t{\n\t\tWLog_ERR(TAG, \"paletteCount %\" PRIu8 \"\", paletteCount);\n\t\treturn FALSE;\n\t}\n\n\tif (Stream_GetRemainingLength(s) < 3ULL * paletteCount)\n\t\treturn FALSE;\n\n\tfor (i = 0; i < paletteCount; i++)\n\t{\n\t\tBYTE r, g, b;\n\t\tStream_Read_UINT8(s, b);\n\t\tStream_Read_UINT8(s, g);\n\t\tStream_Read_UINT8(s, r);\n\t\tpalette[i] = FreeRDPGetColor(DstFormat, r, g, b, 0xFF);\n\t}\n\n\tpixelIndex = 0;\n\tpixelCount = width * height;\n\tnumBits = CLEAR_LOG2_FLOOR[paletteCount - 1] + 1;\n\n\twhile (bitmapDataOffset < bitmapDataByteCount)\n\t{\n\t\tUINT32 tmp;\n\t\tUINT32 color;\n\t\tUINT32 runLengthFactor;\n\n\t\tif (Stream_GetRemainingLength(s) < 2)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [2 expected]\", Stream_GetRemainingLength(s));\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tStream_Read_UINT8(s, tmp);\n\t\tStream_Read_UINT8(s, runLengthFactor);\n\t\tbitmapDataOffset += 2;\n\t\tsuiteDepth = (tmp >> numBits) & CLEAR_8BIT_MASKS[(8 - numBits)];\n\t\tstopIndex = tmp & CLEAR_8BIT_MASKS[numBits];\n\t\tstartIndex = stopIndex - 
suiteDepth;\n\n\t\tif (runLengthFactor >= 0xFF)\n\t\t{\n\t\t\tif (Stream_GetRemainingLength(s) < 2)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [2 expected]\", Stream_GetRemainingLength(s));\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tStream_Read_UINT16(s, runLengthFactor);\n\t\t\tbitmapDataOffset += 2;\n\n\t\t\tif (runLengthFactor >= 0xFFFF)\n\t\t\t{\n\t\t\t\tif (Stream_GetRemainingLength(s) < 4)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [4 expected]\",\n\t\t\t\t\t Stream_GetRemainingLength(s));\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tStream_Read_UINT32(s, runLengthFactor);\n\t\t\t\tbitmapDataOffset += 4;\n\t\t\t}\n\t\t}\n\n\t\tif (startIndex >= paletteCount)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"startIndex %\" PRIu8 \" > paletteCount %\" PRIu8 \"]\", startIndex,\n\t\t\t paletteCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tif (stopIndex >= paletteCount)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"stopIndex %\" PRIu8 \" > paletteCount %\" PRIu8 \"]\", stopIndex,\n\t\t\t paletteCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tsuiteIndex = startIndex;\n\n\t\tif (suiteIndex > 127)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"suiteIndex %\" PRIu8 \" > 127]\", suiteIndex);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tcolor = palette[suiteIndex];\n\n\t\tif ((pixelIndex + runLengthFactor) > pixelCount)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"pixelIndex %\" PRIu32 \" + runLengthFactor %\" PRIu32 \" > pixelCount %\" PRIu32\n\t\t\t \"\",\n\t\t\t pixelIndex, runLengthFactor, pixelCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tfor (i = 0; i < runLengthFactor; i++)\n\t\t{\n\t\t\tBYTE* pTmpData =\n\t\t\t &pDstData[(nXDstRel + x) * GetBytesPerPixel(DstFormat) + (nYDstRel + y) * nDstStep];\n\n\t\t\tif ((nXDstRel + x < nDstWidth) && (nYDstRel + y < nDstHeight))\n\t\t\t\tWriteColor(pTmpData, DstFormat, color);\n\n\t\t\tif (++x >= width)\n\t\t\t{\n\t\t\t\ty++;\n\t\t\t\tx = 0;\n\t\t\t}\n\t\t}\n\n\t\tpixelIndex += runLengthFactor;\n\n\t\tif ((pixelIndex + (suiteDepth + 1)) > 
pixelCount)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"pixelIndex %\" PRIu32 \" + suiteDepth %\" PRIu8 \" + 1 > pixelCount %\" PRIu32 \"\",\n\t\t\t pixelIndex, suiteDepth, pixelCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tfor (i = 0; i <= suiteDepth; i++)\n\t\t{\n\t\t\tBYTE* pTmpData =\n\t\t\t &pDstData[(nXDstRel + x) * GetBytesPerPixel(DstFormat) + (nYDstRel + y) * nDstStep];\n\t\t\tUINT32 color = palette[suiteIndex];\n\n\t\t\tif (suiteIndex > 127)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"suiteIndex %\" PRIu8 \" > 127\", suiteIndex);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tsuiteIndex++;\n\n\t\t\tif ((nXDstRel + x < nDstWidth) && (nYDstRel + y < nDstHeight))\n\t\t\t\tWriteColor(pTmpData, DstFormat, color);\n\n\t\t\tif (++x >= width)\n\t\t\t{\n\t\t\t\ty++;\n\t\t\t\tx = 0;\n\t\t\t}\n\t\t}\n\n\t\tpixelIndex += (suiteDepth + 1);\n\t}\n\n\tif (pixelIndex != pixelCount)\n\t{\n\t\tWLog_ERR(TAG, \"pixelIndex %\" PRIdz \" != pixelCount %\" PRIu32 \"\", pixelIndex, pixelCount);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 241001505274535680660475700376958696237,
- "size": 189,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448692
- },
- {
- "func": "static BOOL resize_vbar_entry(CLEAR_CONTEXT* clear, CLEAR_VBAR_ENTRY* vBarEntry)\n{\n\tif (vBarEntry->count > vBarEntry->size)\n\t{\n\t\tconst UINT32 bpp = GetBytesPerPixel(clear->format);\n\t\tconst UINT32 oldPos = vBarEntry->size * bpp;\n\t\tconst UINT32 diffSize = (vBarEntry->count - vBarEntry->size) * bpp;\n\t\tBYTE* tmp;\n\t\tvBarEntry->size = vBarEntry->count;\n\t\ttmp = (BYTE*)realloc(vBarEntry->pixels, vBarEntry->count * bpp);\n\n\t\tif (!tmp)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"vBarEntry->pixels realloc %\" PRIu32 \" failed\", vBarEntry->count * bpp);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tmemset(&tmp[oldPos], 0, diffSize);\n\t\tvBarEntry->pixels = tmp;\n\t}\n\n\tif (!vBarEntry->pixels && vBarEntry->size)\n\t{\n\t\tWLog_ERR(TAG, \"vBarEntry->pixels is NULL but vBarEntry->size is %\" PRIu32 \"\",\n\t\t vBarEntry->size);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 301666549911025748357340600681693137958,
- "size": 30,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448691
- },
- {
- "func": "static BOOL clear_decompress_subcodecs_data(CLEAR_CONTEXT* clear, wStream* s,\n UINT32 subcodecByteCount, UINT32 nWidth, UINT32 nHeight,\n BYTE* pDstData, UINT32 DstFormat, UINT32 nDstStep,\n UINT32 nXDst, UINT32 nYDst, UINT32 nDstWidth,\n UINT32 nDstHeight, const gdiPalette* palette)\n{\n\tUINT16 xStart;\n\tUINT16 yStart;\n\tUINT16 width;\n\tUINT16 height;\n\tUINT32 bitmapDataByteCount;\n\tBYTE subcodecId;\n\tUINT32 suboffset;\n\n\tif (Stream_GetRemainingLength(s) < subcodecByteCount)\n\t{\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [%\" PRIu32 \" expected]\",\n\t\t Stream_GetRemainingLength(s), subcodecByteCount);\n\t\treturn FALSE;\n\t}\n\n\tsuboffset = 0;\n\n\twhile (suboffset < subcodecByteCount)\n\t{\n\t\tUINT32 nXDstRel;\n\t\tUINT32 nYDstRel;\n\n\t\tif (Stream_GetRemainingLength(s) < 13)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [13 expected]\", Stream_GetRemainingLength(s));\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tStream_Read_UINT16(s, xStart);\n\t\tStream_Read_UINT16(s, yStart);\n\t\tStream_Read_UINT16(s, width);\n\t\tStream_Read_UINT16(s, height);\n\t\tStream_Read_UINT32(s, bitmapDataByteCount);\n\t\tStream_Read_UINT8(s, subcodecId);\n\t\tsuboffset += 13;\n\n\t\tif (Stream_GetRemainingLength(s) < bitmapDataByteCount)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [%\" PRIu32 \" expected]\",\n\t\t\t Stream_GetRemainingLength(s), bitmapDataByteCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tnXDstRel = nXDst + xStart;\n\t\tnYDstRel = nYDst + yStart;\n\n\t\tif (width > nWidth)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"width %\" PRIu16 \" > nWidth %\" PRIu32 \"\", width, nWidth);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tif (height > nHeight)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"height %\" PRIu16 \" > nHeight %\" PRIu32 \"\", height, nHeight);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tif (!clear_resize_buffer(clear, width, height))\n\t\t\treturn FALSE;\n\n\t\tswitch (subcodecId)\n\t\t{\n\t\t\tcase 0: /* Uncompressed */\n\t\t\t{\n\t\t\t\tUINT32 nSrcStep = width * 
GetBytesPerPixel(PIXEL_FORMAT_BGR24);\n\t\t\t\tUINT32 nSrcSize = nSrcStep * height;\n\n\t\t\t\tif (bitmapDataByteCount != nSrcSize)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"bitmapDataByteCount %\" PRIu32 \" != nSrcSize %\" PRIu32 \"\",\n\t\t\t\t\t bitmapDataByteCount, nSrcSize);\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tif (!convert_color(pDstData, nDstStep, DstFormat, nXDstRel, nYDstRel, width, height,\n\t\t\t\t Stream_Pointer(s), nSrcStep, PIXEL_FORMAT_BGR24, nDstWidth,\n\t\t\t\t nDstHeight, palette))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tStream_Seek(s, bitmapDataByteCount);\n\t\t\t}\n\t\t\tbreak;\n\n\t\t\tcase 1: /* NSCodec */\n\t\t\t\tif (!clear_decompress_nscodec(clear->nsc, width, height, s, bitmapDataByteCount,\n\t\t\t\t pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tcase 2: /* CLEARCODEC_SUBCODEC_RLEX */\n\t\t\t\tif (!clear_decompress_subcode_rlex(s, bitmapDataByteCount, width, height, pDstData,\n\t\t\t\t DstFormat, nDstStep, nXDstRel, nYDstRel,\n\t\t\t\t nDstWidth, nDstHeight))\n\t\t\t\t\treturn FALSE;\n\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\tWLog_ERR(TAG, \"Unknown subcodec ID %\" PRIu8 \"\", subcodecId);\n\t\t\t\treturn FALSE;\n\t\t}\n\n\t\tsuboffset += bitmapDataByteCount;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 94019142152375544956221959358843020228,
- "size": 115,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448695
- },
- {
- "func": "INT32 clear_decompress(CLEAR_CONTEXT* clear, const BYTE* pSrcData, UINT32 SrcSize, UINT32 nWidth,\n UINT32 nHeight, BYTE* pDstData, UINT32 DstFormat, UINT32 nDstStep,\n UINT32 nXDst, UINT32 nYDst, UINT32 nDstWidth, UINT32 nDstHeight,\n const gdiPalette* palette)\n{\n\tINT32 rc = -1;\n\tBYTE seqNumber;\n\tBYTE glyphFlags;\n\tUINT32 residualByteCount;\n\tUINT32 bandsByteCount;\n\tUINT32 subcodecByteCount;\n\twStream* s;\n\tBYTE* glyphData = NULL;\n\n\tif (!pDstData)\n\t\treturn -1002;\n\n\tif ((nDstWidth == 0) || (nDstHeight == 0))\n\t\treturn -1022;\n\n\tif ((nWidth > 0xFFFF) || (nHeight > 0xFFFF))\n\t\treturn -1004;\n\n\ts = Stream_New((BYTE*)pSrcData, SrcSize);\n\n\tif (!s)\n\t\treturn -2005;\n\n\tStream_SetLength(s, SrcSize);\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t{\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [2 expected]\", Stream_GetRemainingLength(s));\n\t\tgoto fail;\n\t}\n\n\tif (!updateContextFormat(clear, DstFormat))\n\t\tgoto fail;\n\n\tStream_Read_UINT8(s, glyphFlags);\n\tStream_Read_UINT8(s, seqNumber);\n\n\tif (!clear->seqNumber && seqNumber)\n\t\tclear->seqNumber = seqNumber;\n\n\tif (seqNumber != clear->seqNumber)\n\t{\n\t\tWLog_ERR(TAG, \"Sequence number unexpected %\" PRIu8 \" - %\" PRIu32 \"\", seqNumber,\n\t\t clear->seqNumber);\n\t\tWLog_ERR(TAG, \"seqNumber %\" PRIu8 \" != clear->seqNumber %\" PRIu32 \"\", seqNumber,\n\t\t clear->seqNumber);\n\t\tgoto fail;\n\t}\n\n\tclear->seqNumber = (seqNumber + 1) % 256;\n\n\tif (glyphFlags & CLEARCODEC_FLAG_CACHE_RESET)\n\t{\n\t\tclear->VBarStorageCursor = 0;\n\t\tclear->ShortVBarStorageCursor = 0;\n\t}\n\n\tif (!clear_decompress_glyph_data(clear, s, glyphFlags, nWidth, nHeight, pDstData, DstFormat,\n\t nDstStep, nXDst, nYDst, nDstWidth, nDstHeight, palette,\n\t &glyphData))\n\t{\n\t\tWLog_ERR(TAG, \"clear_decompress_glyph_data failed!\");\n\t\tgoto fail;\n\t}\n\n\t/* Read composition payload header parameters */\n\tif (Stream_GetRemainingLength(s) < 12)\n\t{\n\t\tconst UINT32 mask = 
(CLEARCODEC_FLAG_GLYPH_HIT | CLEARCODEC_FLAG_GLYPH_INDEX);\n\n\t\tif ((glyphFlags & mask) == mask)\n\t\t\tgoto finish;\n\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [12 expected]\", Stream_GetRemainingLength(s));\n\t\tgoto fail;\n\t}\n\n\tStream_Read_UINT32(s, residualByteCount);\n\tStream_Read_UINT32(s, bandsByteCount);\n\tStream_Read_UINT32(s, subcodecByteCount);\n\n\tif (residualByteCount > 0)\n\t{\n\t\tif (!clear_decompress_residual_data(clear, s, residualByteCount, nWidth, nHeight, pDstData,\n\t\t DstFormat, nDstStep, nXDst, nYDst, nDstWidth,\n\t\t nDstHeight, palette))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"clear_decompress_residual_data failed!\");\n\t\t\tgoto fail;\n\t\t}\n\t}\n\n\tif (bandsByteCount > 0)\n\t{\n\t\tif (!clear_decompress_bands_data(clear, s, bandsByteCount, nWidth, nHeight, pDstData,\n\t\t DstFormat, nDstStep, nXDst, nYDst))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"clear_decompress_bands_data failed!\");\n\t\t\tgoto fail;\n\t\t}\n\t}\n\n\tif (subcodecByteCount > 0)\n\t{\n\t\tif (!clear_decompress_subcodecs_data(clear, s, subcodecByteCount, nWidth, nHeight, pDstData,\n\t\t DstFormat, nDstStep, nXDst, nYDst, nDstWidth,\n\t\t nDstHeight, palette))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"clear_decompress_subcodecs_data failed!\");\n\t\t\tgoto fail;\n\t\t}\n\t}\n\n\tif (glyphData)\n\t{\n\t\tif (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, nWidth, nHeight, pDstData,\n\t\t DstFormat, nDstStep, nXDst, nYDst, palette, FREERDP_FLIP_NONE))\n\t\t\tgoto fail;\n\t}\n\nfinish:\n\trc = 0;\nfail:\n\tStream_Free(s, FALSE);\n\treturn rc;\n}",
- "project": "FreeRDP",
- "hash": 68296154578086025929012329809724926394,
- "size": 131,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448694
- },
- {
- "func": "static BOOL clear_decompress_residual_data(CLEAR_CONTEXT* clear, wStream* s,\n UINT32 residualByteCount, UINT32 nWidth, UINT32 nHeight,\n BYTE* pDstData, UINT32 DstFormat, UINT32 nDstStep,\n UINT32 nXDst, UINT32 nYDst, UINT32 nDstWidth,\n UINT32 nDstHeight, const gdiPalette* palette)\n{\n\tUINT32 i;\n\tUINT32 nSrcStep;\n\tUINT32 suboffset;\n\tBYTE* dstBuffer;\n\tUINT32 pixelIndex;\n\tUINT32 pixelCount;\n\n\tif (Stream_GetRemainingLength(s) < residualByteCount)\n\t{\n\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [%\" PRIu32 \" expected]\",\n\t\t Stream_GetRemainingLength(s), residualByteCount);\n\t\treturn FALSE;\n\t}\n\n\tsuboffset = 0;\n\tpixelIndex = 0;\n\tpixelCount = nWidth * nHeight;\n\n\tif (!clear_resize_buffer(clear, nWidth, nHeight))\n\t\treturn FALSE;\n\n\tdstBuffer = clear->TempBuffer;\n\n\twhile (suboffset < residualByteCount)\n\t{\n\t\tBYTE r, g, b;\n\t\tUINT32 runLengthFactor;\n\t\tUINT32 color;\n\n\t\tif (Stream_GetRemainingLength(s) < 4)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [4 expected]\", Stream_GetRemainingLength(s));\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tStream_Read_UINT8(s, b);\n\t\tStream_Read_UINT8(s, g);\n\t\tStream_Read_UINT8(s, r);\n\t\tStream_Read_UINT8(s, runLengthFactor);\n\t\tsuboffset += 4;\n\t\tcolor = FreeRDPGetColor(clear->format, r, g, b, 0xFF);\n\n\t\tif (runLengthFactor >= 0xFF)\n\t\t{\n\t\t\tif (Stream_GetRemainingLength(s) < 2)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [2 expected]\", Stream_GetRemainingLength(s));\n\t\t\t\treturn FALSE;\n\t\t\t}\n\n\t\t\tStream_Read_UINT16(s, runLengthFactor);\n\t\t\tsuboffset += 2;\n\n\t\t\tif (runLengthFactor >= 0xFFFF)\n\t\t\t{\n\t\t\t\tif (Stream_GetRemainingLength(s) < 4)\n\t\t\t\t{\n\t\t\t\t\tWLog_ERR(TAG, \"stream short %\" PRIuz \" [4 expected]\",\n\t\t\t\t\t Stream_GetRemainingLength(s));\n\t\t\t\t\treturn FALSE;\n\t\t\t\t}\n\n\t\t\t\tStream_Read_UINT32(s, runLengthFactor);\n\t\t\t\tsuboffset += 4;\n\t\t\t}\n\t\t}\n\n\t\tif ((pixelIndex + 
runLengthFactor) > pixelCount)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"pixelIndex %\" PRIu32 \" + runLengthFactor %\" PRIu32 \" > pixelCount %\" PRIu32\n\t\t\t \"\",\n\t\t\t pixelIndex, runLengthFactor, pixelCount);\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tfor (i = 0; i < runLengthFactor; i++)\n\t\t{\n\t\t\tWriteColor(dstBuffer, clear->format, color);\n\t\t\tdstBuffer += GetBytesPerPixel(clear->format);\n\t\t}\n\n\t\tpixelIndex += runLengthFactor;\n\t}\n\n\tnSrcStep = nWidth * GetBytesPerPixel(clear->format);\n\n\tif (pixelIndex != pixelCount)\n\t{\n\t\tWLog_ERR(TAG, \"pixelIndex %\" PRIu32 \" != pixelCount %\" PRIu32 \"\", pixelIndex, pixelCount);\n\t\treturn FALSE;\n\t}\n\n\treturn convert_color(pDstData, nDstStep, DstFormat, nXDst, nYDst, nWidth, nHeight,\n\t clear->TempBuffer, nSrcStep, clear->format, nDstWidth, nDstHeight,\n\t palette);\n}",
- "project": "FreeRDP",
- "hash": 192281134689880918936980083906130543365,
- "size": 103,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448686
- },
- {
- "func": "static BOOL convert_color(BYTE* dst, UINT32 nDstStep, UINT32 DstFormat, UINT32 nXDst, UINT32 nYDst,\n UINT32 nWidth, UINT32 nHeight, const BYTE* src, UINT32 nSrcStep,\n UINT32 SrcFormat, UINT32 nDstWidth, UINT32 nDstHeight,\n const gdiPalette* palette)\n{\n\tif (nWidth + nXDst > nDstWidth)\n\t\tnWidth = nDstWidth - nXDst;\n\n\tif (nHeight + nYDst > nDstHeight)\n\t\tnHeight = nDstHeight - nYDst;\n\n\treturn freerdp_image_copy(dst, DstFormat, nDstStep, nXDst, nYDst, nWidth, nHeight, src,\n\t SrcFormat, nSrcStep, 0, 0, palette, 0);\n}",
- "project": "FreeRDP",
- "hash": 234619938262544236369520415119142365098,
- "size": 14,
- "commit_id": "363d7046dfec4003b91aecf7867e3b05905f3843",
- "message": "Fixed oob read in clear_decompress_subcode_rlex\n\nFixed length checks before stream read.\nThanks to hac425 CVE-2020-11040",
- "target": 0,
- "dataset": "other",
- "idx": 448699
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "cil_reset_constrain",
- "cil_reset_classperms_list",
- "cil_reset_classperms"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "static void cil_reset_constrain(struct cil_constrain *con)\n{\n\tcil_reset_classperms_list(con->classperms);\n\tcil_list_destroy(&con->datum_expr, CIL_FALSE);\n}",
- "project": "selinux",
- "hash": 42046458994733929604009528193484766354,
- "size": 5,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416780
- },
- {
- "func": "static inline void cil_reset_classperms_list(struct cil_list *cp_list)\n{\n\tstruct cil_list_item *curr;\n\n\tif (cp_list == NULL) {\n\t\treturn;\n\t}\n\n\tcil_list_for_each(curr, cp_list) {\n\t\tif (curr->flavor == CIL_CLASSPERMS) { /* KERNEL or MAP */\n\t\t\tcil_reset_classperms(curr->data);\n\t\t} else if (curr->flavor == CIL_CLASSPERMS_SET) { /* SET */\n\t\t\tcil_reset_classperms_set(curr->data);\n\t\t}\n\t}\n}",
- "project": "selinux",
- "hash": 316855638401060528974716351147820201392,
- "size": 16,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416755
- },
- {
- "func": "static void cil_reset_classpermissionset(struct cil_classpermissionset *cps)\n{\n\tcil_reset_classperms_list(cps->classperms);\n}",
- "project": "selinux",
- "hash": 235137699480676414178363936394519566185,
- "size": 4,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416786
- },
- {
- "func": "static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)\n{\n\tcil_reset_classpermission(cp_set->set);\n}",
- "project": "selinux",
- "hash": 228898186887741153148874390102479645011,
- "size": 4,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 1,
- "dataset": "other",
- "idx": 208940
- },
- {
- "func": "static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)\n{\n\tif (cp_set == NULL) {\n\t\treturn;\n\t}\n\n\tcp_set->set = NULL;\n}",
- "project": "selinux",
- "hash": 312395514706607151530792670992877795844,
- "size": 8,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416787
- },
- {
- "func": "static void cil_reset_classmapping(struct cil_classmapping *cm)\n{\n\tcil_reset_classperms_list(cm->classperms);\n}",
- "project": "selinux",
- "hash": 251512747502057207615297906506572828453,
- "size": 4,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416762
- },
- {
- "func": "static inline void cil_reset_classperms(struct cil_classperms *cp)\n{\n\tif (cp == NULL) {\n\t\treturn;\n\t}\n\n\tcil_list_destroy(&cp->perms, CIL_FALSE);\n}",
- "project": "selinux",
- "hash": 21946602524898828460963963114849050471,
- "size": 8,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416798
- },
- {
- "func": "static void cil_reset_avrule(struct cil_avrule *rule)\n{\n\tcil_reset_classperms_list(rule->perms.classperms);\n}",
- "project": "selinux",
- "hash": 251005912957380078455335345947156890607,
- "size": 4,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416754
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "_php_iconv_strpos",
- "php_iconv_string",
- "iconv_close"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static php_iconv_err_t _php_iconv_strpos(size_t *pretval,\n\tconst char *haystk, size_t haystk_nbytes,\n\tconst char *ndl, size_t ndl_nbytes,\n\tzend_long offset, const char *enc)\n{\n\tchar buf[GENERIC_SUPERSET_NBYTES];\n\n\tphp_iconv_err_t err = PHP_ICONV_ERR_SUCCESS;\n\n\ticonv_t cd;\n\n\tconst char *in_p;\n\tsize_t in_left;\n\n\tchar *out_p;\n\tsize_t out_left;\n\n\tsize_t cnt;\n\n\tzend_string *ndl_buf;\n\tconst char *ndl_buf_p;\n\tsize_t ndl_buf_left;\n\n\tsize_t match_ofs;\n\n\t*pretval = (size_t)-1;\n\n\terr = php_iconv_string(ndl, ndl_nbytes, &ndl_buf, GENERIC_SUPERSET_NAME, enc);\n\n\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\tif (ndl_buf != NULL) {\n\t\t\tzend_string_free(ndl_buf);\n\t\t}\n\t\treturn err;\n\t}\n\n\tcd = iconv_open(GENERIC_SUPERSET_NAME, enc);\n\n\tif (cd == (iconv_t)(-1)) {\n\t\tif (ndl_buf != NULL) {\n\t\t\tzend_string_free(ndl_buf);\n\t\t}\n#if ICONV_SUPPORTS_ERRNO\n\t\tif (errno == EINVAL) {\n\t\t\treturn PHP_ICONV_ERR_WRONG_CHARSET;\n\t\t} else {\n\t\t\treturn PHP_ICONV_ERR_CONVERTER;\n\t\t}\n#else\n\t\treturn PHP_ICONV_ERR_UNKNOWN;\n#endif\n\t}\n\n\tndl_buf_p = ZSTR_VAL(ndl_buf);\n\tndl_buf_left = ZSTR_LEN(ndl_buf);\n\tmatch_ofs = (size_t)-1;\n\n\tfor (in_p = haystk, in_left = haystk_nbytes, cnt = 0; in_left > 0; ++cnt) {\n\t\tsize_t prev_in_left;\n\t\tout_p = buf;\n\t\tout_left = sizeof(buf);\n\n\t\tprev_in_left = in_left;\n\n\t\tif (iconv(cd, (char **)&in_p, &in_left, (char **) &out_p, &out_left) == (size_t)-1) {\n\t\t\tif (prev_in_left == in_left) {\n#if ICONV_SUPPORTS_ERRNO\n\t\t\t\tswitch (errno) {\n\t\t\t\t\tcase EINVAL:\n\t\t\t\t\t\terr = PHP_ICONV_ERR_ILLEGAL_CHAR;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase EILSEQ:\n\t\t\t\t\t\terr = PHP_ICONV_ERR_ILLEGAL_SEQ;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase E2BIG:\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n#endif\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (offset >= 0) {\n\t\t\tif (cnt >= (size_t)offset) 
{\n\t\t\t\tif (_php_iconv_memequal(buf, ndl_buf_p, sizeof(buf))) {\n\t\t\t\t\tif (match_ofs == (size_t)-1) {\n\t\t\t\t\t\tmatch_ofs = cnt;\n\t\t\t\t\t}\n\t\t\t\t\tndl_buf_p += GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\tndl_buf_left -= GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\tif (ndl_buf_left == 0) {\n\t\t\t\t\t\t*pretval = match_ofs;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tsize_t i, j, lim;\n\n\t\t\t\t\ti = 0;\n\t\t\t\t\tj = GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\tlim = (size_t)(ndl_buf_p - ZSTR_VAL(ndl_buf));\n\n\t\t\t\t\twhile (j < lim) {\n\t\t\t\t\t\tif (_php_iconv_memequal(&ZSTR_VAL(ndl_buf)[j], &ZSTR_VAL(ndl_buf)[i],\n\t\t\t\t\t\t GENERIC_SUPERSET_NBYTES)) {\n\t\t\t\t\t\t\ti += GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tj -= i;\n\t\t\t\t\t\t\ti = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tj += GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (_php_iconv_memequal(buf, &ZSTR_VAL(ndl_buf)[i], sizeof(buf))) {\n\t\t\t\t\t\tmatch_ofs += (lim - i) / GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\t\ti += GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\t\tndl_buf_p = &ZSTR_VAL(ndl_buf)[i];\n\t\t\t\t\t\tndl_buf_left = ZSTR_LEN(ndl_buf) - i;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tmatch_ofs = (size_t)-1;\n\t\t\t\t\t\tndl_buf_p = ZSTR_VAL(ndl_buf);\n\t\t\t\t\t\tndl_buf_left = ZSTR_LEN(ndl_buf);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tif (_php_iconv_memequal(buf, ndl_buf_p, sizeof(buf))) {\n\t\t\t\tif (match_ofs == (size_t)-1) {\n\t\t\t\t\tmatch_ofs = cnt;\n\t\t\t\t}\n\t\t\t\tndl_buf_p += GENERIC_SUPERSET_NBYTES;\n\t\t\t\tndl_buf_left -= GENERIC_SUPERSET_NBYTES;\n\t\t\t\tif (ndl_buf_left == 0) {\n\t\t\t\t\t*pretval = match_ofs;\n\t\t\t\t\tndl_buf_p = ZSTR_VAL(ndl_buf);\n\t\t\t\t\tndl_buf_left = ZSTR_LEN(ndl_buf);\n\t\t\t\t\tmatch_ofs = -1;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tsize_t i, j, lim;\n\n\t\t\t\ti = 0;\n\t\t\t\tj = GENERIC_SUPERSET_NBYTES;\n\t\t\t\tlim = (size_t)(ndl_buf_p - ZSTR_VAL(ndl_buf));\n\n\t\t\t\twhile (j < lim) {\n\t\t\t\t\tif 
(_php_iconv_memequal(&ZSTR_VAL(ndl_buf)[j], &ZSTR_VAL(ndl_buf)[i],\n\t\t\t\t\t\t\t GENERIC_SUPERSET_NBYTES)) {\n\t\t\t\t\t\ti += GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tj -= i;\n\t\t\t\t\t\ti = 0;\n\t\t\t\t\t}\n\t\t\t\t\tj += GENERIC_SUPERSET_NBYTES;\n\t\t\t\t}\n\n\t\t\t\tif (_php_iconv_memequal(buf, &ZSTR_VAL(ndl_buf)[i], sizeof(buf))) {\n\t\t\t\t\tmatch_ofs += (lim - i) / GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\ti += GENERIC_SUPERSET_NBYTES;\n\t\t\t\t\tndl_buf_p = &ZSTR_VAL(ndl_buf)[i];\n\t\t\t\t\tndl_buf_left = ZSTR_LEN(ndl_buf) - i;\n\t\t\t\t} else {\n\t\t\t\t\tmatch_ofs = (size_t)-1;\n\t\t\t\t\tndl_buf_p = ZSTR_VAL(ndl_buf);\n\t\t\t\t\tndl_buf_left = ZSTR_LEN(ndl_buf);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tif (ndl_buf) {\n\t\tzend_string_free(ndl_buf);\n\t}\n\n\ticonv_close(cd);\n\n\treturn err;\n}",
- "project": "php-src",
- "hash": 136705828539951720597151568353350696357,
- "size": 182,
- "commit_id": "7cf7148a8f8f4f55fb04de2a517d740bb6253eac",
- "message": "Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow",
- "target": 0,
- "dataset": "other",
- "idx": 382774
- },
- {
- "func": "free_sconv_object(struct archive_string_conv *sc)\n{\n\tfree(sc->from_charset);\n\tfree(sc->to_charset);\n\tarchive_string_free(&sc->utftmp);\n#if HAVE_ICONV\n\tif (sc->cd != (iconv_t)-1)\n\t\ticonv_close(sc->cd);\n\tif (sc->cd_w != (iconv_t)-1)\n\t\ticonv_close(sc->cd_w);\n#endif\n\tfree(sc);\n}",
- "project": "libarchive",
- "hash": 32070168319061805060860024230826786,
- "size": 13,
- "commit_id": "4f085eea879e2be745f4d9bf57e8513ae48157f4",
- "message": "Fix a possible heap-buffer-overflow in archive_string_append_from_wcs()\n\nWhen we grow the archive_string buffer, we have to make sure it fits\nat least one maximum-sized multibyte character in the current locale\nand the null character.\n\nFixes #1298",
- "target": 0,
- "dataset": "other",
- "idx": 325886
- },
- {
- "func": "PHP_ICONV_API php_iconv_err_t php_iconv_string(const char *in_p, size_t in_len, zend_string **out, const char *out_charset, const char *in_charset)\n{\n#if !ICONV_SUPPORTS_ERRNO\n\tsize_t in_size, out_size, out_left;\n\tchar *out_p;\n\ticonv_t cd;\n\tsize_t result;\n\tzend_string *ret, *out_buffer;\n\n\t*out = NULL;\n\n\t/*\n\t This is not the right way to get output size...\n\t This is not space efficient for large text.\n\t This is also problem for encoding like UTF-7/UTF-8/ISO-2022 which\n\t a single char can be more than 4 bytes.\n\t I added 15 extra bytes for safety. <yohgaki@php.net>\n\t*/\n\tout_size = in_len * sizeof(int) + 15;\n\tout_left = out_size;\n\n\tin_size = in_len;\n\n\tcd = iconv_open(out_charset, in_charset);\n\n\tif (cd == (iconv_t)(-1)) {\n\t\treturn PHP_ICONV_ERR_UNKNOWN;\n\t}\n\n\tout_buffer = zend_string_alloc(out_size, 0);\n\tout_p = ZSTR_VAL(out_buffer);\n\n#ifdef NETWARE\n\tresult = iconv(cd, (char **) &in_p, &in_size, (char **)\n#else\n\tresult = iconv(cd, (const char **) &in_p, &in_size, (char **)\n#endif\n\t\t\t\t&out_p, &out_left);\n\n\tif (result == (size_t)(-1)) {\n\t\tzend_string_free(out_buffer);\n\t\treturn PHP_ICONV_ERR_UNKNOWN;\n\t}\n\n\tif (out_left < 8) {\n\t\tsize_t pos = out_p - ZSTR_VAL(out_buffer);\n\t\tout_buffer = zend_string_extend(out_buffer, out_size + 8, 0);\n\t\tout_p = ZSTR_VAL(out_buffer) + pos;\n\t\tout_size += 7;\n\t\tout_left += 7;\n\t}\n\n\t/* flush the shift-out sequences */\n\tresult = iconv(cd, NULL, NULL, &out_p, &out_left);\n\n\tif (result == (size_t)(-1)) {\n\t\tzend_string_free(out_buffer);\n\t\treturn PHP_ICONV_ERR_UNKNOWN;\n\t}\n\n\tZSTR_VAL(out_buffer)[out_size - out_left] = '\\0';\n\tZSTR_LEN(out_buffer) = out_size - out_left;\n\n\ticonv_close(cd);\n\n\t*out = out_buffer;\n\treturn PHP_ICONV_ERR_SUCCESS;\n\n#else\n\t/*\n\t iconv supports errno. 
Handle it better way.\n\t*/\n\ticonv_t cd;\n\tsize_t in_left, out_size, out_left;\n\tchar *out_p;\n\tsize_t bsz, result = 0;\n\tphp_iconv_err_t retval = PHP_ICONV_ERR_SUCCESS;\n\tzend_string *out_buf;\n\tint ignore_ilseq = _php_check_ignore(out_charset);\n\n\t*out = NULL;\n\n\tcd = iconv_open(out_charset, in_charset);\n\n\tif (cd == (iconv_t)(-1)) {\n\t\tif (errno == EINVAL) {\n\t\t\treturn PHP_ICONV_ERR_WRONG_CHARSET;\n\t\t} else {\n\t\t\treturn PHP_ICONV_ERR_CONVERTER;\n\t\t}\n\t}\n\tin_left= in_len;\n\tout_left = in_len + 32; /* Avoid realloc() most cases */\n\tout_size = 0;\n\tbsz = out_left;\n\tout_buf = zend_string_alloc(bsz, 0);\n\tout_p = ZSTR_VAL(out_buf);\n\n\twhile (in_left > 0) {\n\t\tresult = iconv(cd, (char **) &in_p, &in_left, (char **) &out_p, &out_left);\n\t\tout_size = bsz - out_left;\n\t\tif (result == (size_t)(-1)) {\n\t\t\tif (ignore_ilseq && errno == EILSEQ) {\n\t\t\t\tif (in_left <= 1) {\n\t\t\t\t\tresult = 0;\n\t\t\t\t} else {\n\t\t\t\t\terrno = 0;\n\t\t\t\t\tin_p++;\n\t\t\t\t\tin_left--;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (errno == E2BIG && in_left > 0) {\n\t\t\t\t/* converted string is longer than out buffer */\n\t\t\t\tbsz += in_len;\n\n\t\t\t\tout_buf = zend_string_extend(out_buf, bsz, 0);\n\t\t\t\tout_p = ZSTR_VAL(out_buf);\n\t\t\t\tout_p += out_size;\n\t\t\t\tout_left = bsz - out_size;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\t}\n\n\tif (result != (size_t)(-1)) {\n\t\t/* flush the shift-out sequences */\n\t\tfor (;;) {\n\t\t \tresult = iconv(cd, NULL, NULL, (char **) &out_p, &out_left);\n\t\t\tout_size = bsz - out_left;\n\n\t\t\tif (result != (size_t)(-1)) {\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (errno == E2BIG) {\n\t\t\t\tbsz += 16;\n\t\t\t\tout_buf = zend_string_extend(out_buf, bsz, 0);\n\t\t\t\tout_p = ZSTR_VAL(out_buf);\n\t\t\t\tout_p += out_size;\n\t\t\t\tout_left = bsz - out_size;\n\t\t\t} else {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\ticonv_close(cd);\n\n\tif (result == (size_t)(-1)) {\n\t\tswitch 
(errno) {\n\t\t\tcase EINVAL:\n\t\t\t\tretval = PHP_ICONV_ERR_ILLEGAL_CHAR;\n\t\t\t\tbreak;\n\n\t\t\tcase EILSEQ:\n\t\t\t\tretval = PHP_ICONV_ERR_ILLEGAL_SEQ;\n\t\t\t\tbreak;\n\n\t\t\tcase E2BIG:\n\t\t\t\t/* should not happen */\n\t\t\t\tretval = PHP_ICONV_ERR_TOO_BIG;\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\t/* other error */\n\t\t\t\tzend_string_free(out_buf);\n\t\t\t\treturn PHP_ICONV_ERR_UNKNOWN;\n\t\t}\n\t}\n\t*out_p = '\\0';\n\tZSTR_LEN(out_buf) = out_size;\n\t*out = out_buf;\n\treturn retval;\n#endif\n}",
- "project": "php-src",
- "hash": 28003817645662753023565888650021665285,
- "size": 178,
- "commit_id": "7cf7148a8f8f4f55fb04de2a517d740bb6253eac",
- "message": "Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow",
- "target": 0,
- "dataset": "other",
- "idx": 382778
- },
- {
- "func": "static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *str, size_t str_nbytes, const char *enc, const char **next_pos, int mode)\n{\n\tphp_iconv_err_t err = PHP_ICONV_ERR_SUCCESS;\n\n\ticonv_t cd = (iconv_t)(-1), cd_pl = (iconv_t)(-1);\n\n\tconst char *p1;\n\tsize_t str_left;\n\tunsigned int scan_stat = 0;\n\tconst char *csname = NULL;\n\tsize_t csname_len;\n\tconst char *encoded_text = NULL;\n\tsize_t encoded_text_len = 0;\n\tconst char *encoded_word = NULL;\n\tconst char *spaces = NULL;\n\n\tphp_iconv_enc_scheme_t enc_scheme = PHP_ICONV_ENC_SCHEME_BASE64;\n\n\tif (next_pos != NULL) {\n\t\t*next_pos = NULL;\n\t}\n\n\tcd_pl = iconv_open(enc, ICONV_ASCII_ENCODING);\n\n\tif (cd_pl == (iconv_t)(-1)) {\n#if ICONV_SUPPORTS_ERRNO\n\t\tif (errno == EINVAL) {\n\t\t\terr = PHP_ICONV_ERR_WRONG_CHARSET;\n\t\t} else {\n\t\t\terr = PHP_ICONV_ERR_CONVERTER;\n\t\t}\n#else\n\t\terr = PHP_ICONV_ERR_UNKNOWN;\n#endif\n\t\tgoto out;\n\t}\n\n\tp1 = str;\n\tfor (str_left = str_nbytes; str_left > 0; str_left--, p1++) {\n\t\tint eos = 0;\n\n\t\tswitch (scan_stat) {\n\t\t\tcase 0: /* expecting any character */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase '\\r': /* part of an EOL sequence? 
*/\n\t\t\t\t\t\tscan_stat = 7;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '\\n':\n\t\t\t\t\t\tscan_stat = 8;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '=': /* first letter of an encoded chunk */\n\t\t\t\t\t\tencoded_word = p1;\n\t\t\t\t\t\tscan_stat = 1;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase ' ': case '\\t': /* a chunk of whitespaces */\n\t\t\t\t\t\tspaces = p1;\n\t\t\t\t\t\tscan_stat = 11;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault: /* first letter of a non-encoded word */\n\t\t\t\t\t\terr = _php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tif (mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR) {\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_SUCCESS;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 1: /* expecting a delimiter */\n\t\t\t\tif (*p1 != '?') {\n\t\t\t\t\tif (*p1 == '\\r' || *p1 == '\\n') {\n\t\t\t\t\t\t--p1;\n\t\t\t\t\t}\n\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcsname = p1 + 1;\n\t\t\t\tscan_stat = 2;\n\t\t\t\tbreak;\n\n\t\t\tcase 2: /* expecting a charset name */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase '?': /* normal delimiter: encoding scheme follows */\n\t\t\t\t\t\tscan_stat = 3;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '*': /* new style delimiter: locale id follows */\n\t\t\t\t\t\tscan_stat = 10;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '\\r': case '\\n': /* not an encoded-word */\n\t\t\t\t\t\t--p1;\n\t\t\t\t\t\t_php_iconv_appendc(pretval, 
'=', cd_pl);\n\t\t\t\t\t\t_php_iconv_appendc(pretval, '?', cd_pl);\n\t\t\t\t\t\terr = _php_iconv_appendl(pretval, csname, (size_t)((p1 + 1) - csname), cd_pl);\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tcsname = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse {\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tif (scan_stat != 2) {\n\t\t\t\t\tchar tmpbuf[80];\n\n\t\t\t\t\tif (csname == NULL) {\n\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\n\t\t\t\t\tcsname_len = (size_t)(p1 - csname);\n\n\t\t\t\t\tif (csname_len > sizeof(tmpbuf) - 1) {\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tmemcpy(tmpbuf, csname, csname_len);\n\t\t\t\t\ttmpbuf[csname_len] = '\\0';\n\n\t\t\t\t\tif (cd != (iconv_t)(-1)) {\n\t\t\t\t\t\ticonv_close(cd);\n\t\t\t\t\t}\n\n\t\t\t\t\tcd = iconv_open(enc, tmpbuf);\n\n\t\t\t\t\tif (cd == (iconv_t)(-1)) {\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\t/* Bad character set, but the user wants us to\n\t\t\t\t\t\t\t * press on. 
In this case, we'll just insert the\n\t\t\t\t\t\t\t * undecoded encoded word, since there isn't really\n\t\t\t\t\t\t\t * a more sensible behaviour available; the only\n\t\t\t\t\t\t\t * other options are to swallow the encoded word\n\t\t\t\t\t\t\t * entirely or decode it with an arbitrarily chosen\n\t\t\t\t\t\t\t * single byte encoding, both of which seem to have\n\t\t\t\t\t\t\t * a higher WTF factor than leaving it undecoded.\n\t\t\t\t\t\t\t *\n\t\t\t\t\t\t\t * Given this approach, we need to skip ahead to\n\t\t\t\t\t\t\t * the end of the encoded word. */\n\t\t\t\t\t\t\tint qmarks = 2;\n\t\t\t\t\t\t\twhile (qmarks > 0 && str_left > 1) {\n\t\t\t\t\t\t\t\tif (*(++p1) == '?') {\n\t\t\t\t\t\t\t\t\t--qmarks;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t--str_left;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t/* Look ahead to check for the terminating = that\n\t\t\t\t\t\t\t * should be there as well; if it's there, we'll\n\t\t\t\t\t\t\t * also include that. If it's not, there isn't much\n\t\t\t\t\t\t\t * we can do at this point. */\n\t\t\t\t\t\t\tif (*(p1 + 1) == '=') {\n\t\t\t\t\t\t\t\t++p1;\n\t\t\t\t\t\t\t\t--str_left;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t/* Let's go back and see if there are further\n\t\t\t\t\t\t\t * encoded words or bare content, and hope they\n\t\t\t\t\t\t\t * might actually have a valid character set. 
*/\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t} else {\n#if ICONV_SUPPORTS_ERRNO\n\t\t\t\t\t\t\tif (errno == EINVAL) {\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_WRONG_CHARSET;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_CONVERTER;\n\t\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n#endif\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 3: /* expecting a encoding scheme specifier */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase 'b':\n\t\t\t\t\tcase 'B':\n\t\t\t\t\t\tenc_scheme = PHP_ICONV_ENC_SCHEME_BASE64;\n\t\t\t\t\t\tscan_stat = 4;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase 'q':\n\t\t\t\t\tcase 'Q':\n\t\t\t\t\t\tenc_scheme = PHP_ICONV_ENC_SCHEME_QPRINT;\n\t\t\t\t\t\tscan_stat = 4;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 4: /* expecting a delimiter */\n\t\t\t\tif (*p1 != '?') {\n\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t} else 
{\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t} else {\n\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tencoded_text = p1 + 1;\n\t\t\t\tscan_stat = 5;\n\t\t\t\tbreak;\n\n\t\t\tcase 5: /* expecting an encoded portion */\n\t\t\t\tif (*p1 == '?') {\n\t\t\t\t\tencoded_text_len = (size_t)(p1 - encoded_text);\n\t\t\t\t\tscan_stat = 6;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 7: /* expecting a \"\\n\" character */\n\t\t\t\tif (*p1 == '\\n') {\n\t\t\t\t\tscan_stat = 8;\n\t\t\t\t} else {\n\t\t\t\t\t/* bare CR */\n\t\t\t\t\t_php_iconv_appendc(pretval, '\\r', cd_pl);\n\t\t\t\t\t_php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\tscan_stat = 0;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 8: /* checking whether the following line is part of a\n\t\t\t\t\t folded header */\n\t\t\t\tif (*p1 != ' ' && *p1 != '\\t') {\n\t\t\t\t\t--p1;\n\t\t\t\t\tstr_left = 1; /* quit_loop */\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (encoded_word == NULL) {\n\t\t\t\t\t_php_iconv_appendc(pretval, ' ', cd_pl);\n\t\t\t\t}\n\t\t\t\tspaces = NULL;\n\t\t\t\tscan_stat = 11;\n\t\t\t\tbreak;\n\n\t\t\tcase 6: /* expecting a End-Of-Chunk character \"=\" */\n\t\t\t\tif (*p1 != '=') {\n\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t} else {\n\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tscan_stat = 9;\n\t\t\t\tif (str_left == 1) {\n\t\t\t\t\teos = 1;\n\t\t\t\t} else 
{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\n\t\t\tcase 9: /* choice point, seeing what to do next.*/\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t/* Handle non-RFC-compliant formats\n\t\t\t\t\t\t *\n\t\t\t\t\t\t * RFC2047 requires the character that comes right\n\t\t\t\t\t\t * after an encoded word (chunk) to be a whitespace,\n\t\t\t\t\t\t * while there are lots of broken implementations that\n\t\t\t\t\t\t * generate such malformed headers that don't fulfill\n\t\t\t\t\t\t * that requirement.\n\t\t\t\t\t\t */\n\t\t\t\t\t\tif (!eos) {\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\t/* break is omitted intentionally */\n\n\t\t\t\t\tcase '\\r': case '\\n': case ' ': case '\\t': {\n\t\t\t\t\t\tzend_string *decoded_text;\n\n\t\t\t\t\t\tswitch (enc_scheme) {\n\t\t\t\t\t\t\tcase PHP_ICONV_ENC_SCHEME_BASE64:\n\t\t\t\t\t\t\t\tdecoded_text = php_base64_decode((unsigned char*)encoded_text, encoded_text_len);\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tcase PHP_ICONV_ENC_SCHEME_QPRINT:\n\t\t\t\t\t\t\t\tdecoded_text = php_quot_print_decode((unsigned char*)encoded_text, encoded_text_len, 1);\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\t\tdecoded_text = NULL;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (decoded_text == NULL) {\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\t\tgoto 
out;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\terr = _php_iconv_appendl(pretval, ZSTR_VAL(decoded_text), ZSTR_LEN(decoded_text), cd);\n\t\t\t\t\t\tzend_string_release(decoded_text);\n\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)(p1 - encoded_word), cd_pl);\n\t\t\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (eos) { /* reached end-of-string. done. */\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tswitch (*p1) {\n\t\t\t\t\t\t\tcase '\\r': /* part of an EOL sequence? */\n\t\t\t\t\t\t\t\tscan_stat = 7;\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tcase '\\n':\n\t\t\t\t\t\t\t\tscan_stat = 8;\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tcase '=': /* first letter of an encoded chunk */\n\t\t\t\t\t\t\t\tscan_stat = 1;\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tcase ' ': case '\\t': /* medial whitespaces */\n\t\t\t\t\t\t\t\tspaces = p1;\n\t\t\t\t\t\t\t\tscan_stat = 11;\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tdefault: /* first letter of a non-encoded word */\n\t\t\t\t\t\t\t\t_php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t} break;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 10: /* expects a language specifier. 
dismiss it for now */\n\t\t\t\tif (*p1 == '?') {\n\t\t\t\t\tscan_stat = 3;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 11: /* expecting a chunk of whitespaces */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase '\\r': /* part of an EOL sequence? */\n\t\t\t\t\t\tscan_stat = 7;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '\\n':\n\t\t\t\t\t\tscan_stat = 8;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '=': /* first letter of an encoded chunk */\n\t\t\t\t\t\tif (spaces != NULL && encoded_word == NULL) {\n\t\t\t\t\t\t\t_php_iconv_appendl(pretval, spaces, (size_t)(p1 - spaces), cd_pl);\n\t\t\t\t\t\t\tspaces = NULL;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencoded_word = p1;\n\t\t\t\t\t\tscan_stat = 1;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase ' ': case '\\t':\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault: /* first letter of a non-encoded word */\n\t\t\t\t\t\tif (spaces != NULL) {\n\t\t\t\t\t\t\t_php_iconv_appendl(pretval, spaces, (size_t)(p1 - spaces), cd_pl);\n\t\t\t\t\t\t\tspaces = NULL;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t_php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 12: /* expecting a non-encoded word */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase '\\r': /* part of an EOL sequence? 
*/\n\t\t\t\t\t\tscan_stat = 7;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '\\n':\n\t\t\t\t\t\tscan_stat = 8;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase ' ': case '\\t':\n\t\t\t\t\t\tspaces = p1;\n\t\t\t\t\t\tscan_stat = 11;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '=': /* first letter of an encoded chunk */\n\t\t\t\t\t\tif (!(mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tencoded_word = p1;\n\t\t\t\t\t\t\tscan_stat = 1;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t/* break is omitted intentionally */\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t_php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t}\n\t}\n\tswitch (scan_stat) {\n\t\tcase 0: case 8: case 11: case 12:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\tif (scan_stat == 1) {\n\t\t\t\t\t_php_iconv_appendc(pretval, '=', cd_pl);\n\t\t\t\t}\n\t\t\t\terr = PHP_ICONV_ERR_SUCCESS;\n\t\t\t} else {\n\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\tgoto out;\n\t\t\t}\n\t}\n\n\tif (next_pos != NULL) {\n\t\t*next_pos = p1;\n\t}\n\n\tsmart_str_0(pretval);\nout:\n\tif (cd != (iconv_t)(-1)) {\n\t\ticonv_close(cd);\n\t}\n\tif (cd_pl != (iconv_t)(-1)) {\n\t\ticonv_close(cd_pl);\n\t}\n\treturn err;\n}",
- "project": "php-src",
- "hash": 252711754502941885197887607368897836371,
- "size": 549,
- "commit_id": "7cf7148a8f8f4f55fb04de2a517d740bb6253eac",
- "message": "Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow",
- "target": 1,
- "dataset": "other",
- "idx": 206554
- },
- {
- "func": "static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *str, size_t str_nbytes, const char *enc, const char **next_pos, int mode)\n{\n\tphp_iconv_err_t err = PHP_ICONV_ERR_SUCCESS;\n\n\ticonv_t cd = (iconv_t)(-1), cd_pl = (iconv_t)(-1);\n\n\tconst char *p1;\n\tsize_t str_left;\n\tunsigned int scan_stat = 0;\n\tconst char *csname = NULL;\n\tsize_t csname_len;\n\tconst char *encoded_text = NULL;\n\tsize_t encoded_text_len = 0;\n\tconst char *encoded_word = NULL;\n\tconst char *spaces = NULL;\n\n\tphp_iconv_enc_scheme_t enc_scheme = PHP_ICONV_ENC_SCHEME_BASE64;\n\n\tif (next_pos != NULL) {\n\t\t*next_pos = NULL;\n\t}\n\n\tcd_pl = iconv_open(enc, ICONV_ASCII_ENCODING);\n\n\tif (cd_pl == (iconv_t)(-1)) {\n#if ICONV_SUPPORTS_ERRNO\n\t\tif (errno == EINVAL) {\n\t\t\terr = PHP_ICONV_ERR_WRONG_CHARSET;\n\t\t} else {\n\t\t\terr = PHP_ICONV_ERR_CONVERTER;\n\t\t}\n#else\n\t\terr = PHP_ICONV_ERR_UNKNOWN;\n#endif\n\t\tgoto out;\n\t}\n\n\tp1 = str;\n\tfor (str_left = str_nbytes; str_left > 0; str_left--, p1++) {\n\t\tint eos = 0;\n\n\t\tswitch (scan_stat) {\n\t\t\tcase 0: /* expecting any character */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase '\\r': /* part of an EOL sequence? 
*/\n\t\t\t\t\t\tscan_stat = 7;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '\\n':\n\t\t\t\t\t\tscan_stat = 8;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '=': /* first letter of an encoded chunk */\n\t\t\t\t\t\tencoded_word = p1;\n\t\t\t\t\t\tscan_stat = 1;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase ' ': case '\\t': /* a chunk of whitespaces */\n\t\t\t\t\t\tspaces = p1;\n\t\t\t\t\t\tscan_stat = 11;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault: /* first letter of a non-encoded word */\n\t\t\t\t\t\terr = _php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tif (mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR) {\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_SUCCESS;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 1: /* expecting a delimiter */\n\t\t\t\tif (*p1 != '?') {\n\t\t\t\t\tif (*p1 == '\\r' || *p1 == '\\n') {\n\t\t\t\t\t\t--p1;\n\t\t\t\t\t}\n\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcsname = p1 + 1;\n\t\t\t\tscan_stat = 2;\n\t\t\t\tbreak;\n\n\t\t\tcase 2: /* expecting a charset name */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase '?': /* normal delimiter: encoding scheme follows */\n\t\t\t\t\t\tscan_stat = 3;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '*': /* new style delimiter: locale id follows */\n\t\t\t\t\t\tscan_stat = 10;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '\\r': case '\\n': /* not an encoded-word */\n\t\t\t\t\t\t--p1;\n\t\t\t\t\t\t_php_iconv_appendc(pretval, 
'=', cd_pl);\n\t\t\t\t\t\t_php_iconv_appendc(pretval, '?', cd_pl);\n\t\t\t\t\t\terr = _php_iconv_appendl(pretval, csname, (size_t)((p1 + 1) - csname), cd_pl);\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tcsname = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t}\n\t\t\t\t\t\telse {\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tif (scan_stat != 2) {\n\t\t\t\t\tchar tmpbuf[80];\n\n\t\t\t\t\tif (csname == NULL) {\n\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\n\t\t\t\t\tcsname_len = (size_t)(p1 - csname);\n\n\t\t\t\t\tif (csname_len > sizeof(tmpbuf) - 1) {\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tmemcpy(tmpbuf, csname, csname_len);\n\t\t\t\t\ttmpbuf[csname_len] = '\\0';\n\n\t\t\t\t\tif (cd != (iconv_t)(-1)) {\n\t\t\t\t\t\ticonv_close(cd);\n\t\t\t\t\t}\n\n\t\t\t\t\tcd = iconv_open(enc, tmpbuf);\n\n\t\t\t\t\tif (cd == (iconv_t)(-1)) {\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\t/* Bad character set, but the user wants us to\n\t\t\t\t\t\t\t * press on. 
In this case, we'll just insert the\n\t\t\t\t\t\t\t * undecoded encoded word, since there isn't really\n\t\t\t\t\t\t\t * a more sensible behaviour available; the only\n\t\t\t\t\t\t\t * other options are to swallow the encoded word\n\t\t\t\t\t\t\t * entirely or decode it with an arbitrarily chosen\n\t\t\t\t\t\t\t * single byte encoding, both of which seem to have\n\t\t\t\t\t\t\t * a higher WTF factor than leaving it undecoded.\n\t\t\t\t\t\t\t *\n\t\t\t\t\t\t\t * Given this approach, we need to skip ahead to\n\t\t\t\t\t\t\t * the end of the encoded word. */\n\t\t\t\t\t\t\tint qmarks = 2;\n\t\t\t\t\t\t\twhile (qmarks > 0 && str_left > 1) {\n\t\t\t\t\t\t\t\tif (*(++p1) == '?') {\n\t\t\t\t\t\t\t\t\t--qmarks;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t--str_left;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t/* Look ahead to check for the terminating = that\n\t\t\t\t\t\t\t * should be there as well; if it's there, we'll\n\t\t\t\t\t\t\t * also include that. If it's not, there isn't much\n\t\t\t\t\t\t\t * we can do at this point. */\n\t\t\t\t\t\t\tif (*(p1 + 1) == '=') {\n\t\t\t\t\t\t\t\t++p1;\n\t\t\t\t\t\t\t\tif (str_left > 1) {\n\t\t\t\t\t\t\t\t\t--str_left;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t/* Let's go back and see if there are further\n\t\t\t\t\t\t\t * encoded words or bare content, and hope they\n\t\t\t\t\t\t\t * might actually have a valid character set. 
*/\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t} else {\n#if ICONV_SUPPORTS_ERRNO\n\t\t\t\t\t\t\tif (errno == EINVAL) {\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_WRONG_CHARSET;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_CONVERTER;\n\t\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n#endif\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 3: /* expecting a encoding scheme specifier */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase 'b':\n\t\t\t\t\tcase 'B':\n\t\t\t\t\t\tenc_scheme = PHP_ICONV_ENC_SCHEME_BASE64;\n\t\t\t\t\t\tscan_stat = 4;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase 'q':\n\t\t\t\t\tcase 'Q':\n\t\t\t\t\t\tenc_scheme = PHP_ICONV_ENC_SCHEME_QPRINT;\n\t\t\t\t\t\tscan_stat = 4;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 4: /* expecting a delimiter */\n\t\t\t\tif (*p1 != '?') {\n\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t} else 
{\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t} else {\n\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tencoded_text = p1 + 1;\n\t\t\t\tscan_stat = 5;\n\t\t\t\tbreak;\n\n\t\t\tcase 5: /* expecting an encoded portion */\n\t\t\t\tif (*p1 == '?') {\n\t\t\t\t\tencoded_text_len = (size_t)(p1 - encoded_text);\n\t\t\t\t\tscan_stat = 6;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 7: /* expecting a \"\\n\" character */\n\t\t\t\tif (*p1 == '\\n') {\n\t\t\t\t\tscan_stat = 8;\n\t\t\t\t} else {\n\t\t\t\t\t/* bare CR */\n\t\t\t\t\t_php_iconv_appendc(pretval, '\\r', cd_pl);\n\t\t\t\t\t_php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\tscan_stat = 0;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 8: /* checking whether the following line is part of a\n\t\t\t\t\t folded header */\n\t\t\t\tif (*p1 != ' ' && *p1 != '\\t') {\n\t\t\t\t\t--p1;\n\t\t\t\t\tstr_left = 1; /* quit_loop */\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (encoded_word == NULL) {\n\t\t\t\t\t_php_iconv_appendc(pretval, ' ', cd_pl);\n\t\t\t\t}\n\t\t\t\tspaces = NULL;\n\t\t\t\tscan_stat = 11;\n\t\t\t\tbreak;\n\n\t\t\tcase 6: /* expecting a End-Of-Chunk character \"=\" */\n\t\t\t\tif (*p1 != '=') {\n\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t} else {\n\t\t\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tscan_stat = 9;\n\t\t\t\tif (str_left == 1) {\n\t\t\t\t\teos = 1;\n\t\t\t\t} else 
{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\n\t\t\tcase 9: /* choice point, seeing what to do next.*/\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t/* Handle non-RFC-compliant formats\n\t\t\t\t\t\t *\n\t\t\t\t\t\t * RFC2047 requires the character that comes right\n\t\t\t\t\t\t * after an encoded word (chunk) to be a whitespace,\n\t\t\t\t\t\t * while there are lots of broken implementations that\n\t\t\t\t\t\t * generate such malformed headers that don't fulfill\n\t\t\t\t\t\t * that requirement.\n\t\t\t\t\t\t */\n\t\t\t\t\t\tif (!eos) {\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\t/* break is omitted intentionally */\n\n\t\t\t\t\tcase '\\r': case '\\n': case ' ': case '\\t': {\n\t\t\t\t\t\tzend_string *decoded_text;\n\n\t\t\t\t\t\tswitch (enc_scheme) {\n\t\t\t\t\t\t\tcase PHP_ICONV_ENC_SCHEME_BASE64:\n\t\t\t\t\t\t\t\tdecoded_text = php_base64_decode((unsigned char*)encoded_text, encoded_text_len);\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tcase PHP_ICONV_ENC_SCHEME_QPRINT:\n\t\t\t\t\t\t\t\tdecoded_text = php_quot_print_decode((unsigned char*)encoded_text, encoded_text_len, 1);\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\t\tdecoded_text = NULL;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (decoded_text == NULL) {\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);\n\t\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\t\tgoto 
out;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\terr = _php_iconv_appendl(pretval, ZSTR_VAL(decoded_text), ZSTR_LEN(decoded_text), cd);\n\t\t\t\t\t\tzend_string_release(decoded_text);\n\n\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\t\t\t\t\t/* pass the entire chunk through the converter */\n\t\t\t\t\t\t\t\terr = _php_iconv_appendl(pretval, encoded_word, (size_t)(p1 - encoded_word), cd_pl);\n\t\t\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\t\t\tif (err != PHP_ICONV_ERR_SUCCESS) {\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (eos) { /* reached end-of-string. done. */\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tswitch (*p1) {\n\t\t\t\t\t\t\tcase '\\r': /* part of an EOL sequence? */\n\t\t\t\t\t\t\t\tscan_stat = 7;\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tcase '\\n':\n\t\t\t\t\t\t\t\tscan_stat = 8;\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tcase '=': /* first letter of an encoded chunk */\n\t\t\t\t\t\t\t\tscan_stat = 1;\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tcase ' ': case '\\t': /* medial whitespaces */\n\t\t\t\t\t\t\t\tspaces = p1;\n\t\t\t\t\t\t\t\tscan_stat = 11;\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tdefault: /* first letter of a non-encoded word */\n\t\t\t\t\t\t\t\t_php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t} break;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 10: /* expects a language specifier. 
dismiss it for now */\n\t\t\t\tif (*p1 == '?') {\n\t\t\t\t\tscan_stat = 3;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 11: /* expecting a chunk of whitespaces */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase '\\r': /* part of an EOL sequence? */\n\t\t\t\t\t\tscan_stat = 7;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '\\n':\n\t\t\t\t\t\tscan_stat = 8;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '=': /* first letter of an encoded chunk */\n\t\t\t\t\t\tif (spaces != NULL && encoded_word == NULL) {\n\t\t\t\t\t\t\t_php_iconv_appendl(pretval, spaces, (size_t)(p1 - spaces), cd_pl);\n\t\t\t\t\t\t\tspaces = NULL;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tencoded_word = p1;\n\t\t\t\t\t\tscan_stat = 1;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase ' ': case '\\t':\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tdefault: /* first letter of a non-encoded word */\n\t\t\t\t\t\tif (spaces != NULL) {\n\t\t\t\t\t\t\t_php_iconv_appendl(pretval, spaces, (size_t)(p1 - spaces), cd_pl);\n\t\t\t\t\t\t\tspaces = NULL;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t_php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\t\tencoded_word = NULL;\n\t\t\t\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tscan_stat = 12;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tscan_stat = 0;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 12: /* expecting a non-encoded word */\n\t\t\t\tswitch (*p1) {\n\t\t\t\t\tcase '\\r': /* part of an EOL sequence? 
*/\n\t\t\t\t\t\tscan_stat = 7;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '\\n':\n\t\t\t\t\t\tscan_stat = 8;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase ' ': case '\\t':\n\t\t\t\t\t\tspaces = p1;\n\t\t\t\t\t\tscan_stat = 11;\n\t\t\t\t\t\tbreak;\n\n\t\t\t\t\tcase '=': /* first letter of an encoded chunk */\n\t\t\t\t\t\tif (!(mode & PHP_ICONV_MIME_DECODE_STRICT)) {\n\t\t\t\t\t\t\tencoded_word = p1;\n\t\t\t\t\t\t\tscan_stat = 1;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t/* break is omitted intentionally */\n\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t_php_iconv_appendc(pretval, *p1, cd_pl);\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t}\n\t}\n\tswitch (scan_stat) {\n\t\tcase 0: case 8: case 11: case 12:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tif ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {\n\t\t\t\tif (scan_stat == 1) {\n\t\t\t\t\t_php_iconv_appendc(pretval, '=', cd_pl);\n\t\t\t\t}\n\t\t\t\terr = PHP_ICONV_ERR_SUCCESS;\n\t\t\t} else {\n\t\t\t\terr = PHP_ICONV_ERR_MALFORMED;\n\t\t\t\tgoto out;\n\t\t\t}\n\t}\n\n\tif (next_pos != NULL) {\n\t\t*next_pos = p1;\n\t}\n\n\tsmart_str_0(pretval);\nout:\n\tif (cd != (iconv_t)(-1)) {\n\t\ticonv_close(cd);\n\t}\n\tif (cd_pl != (iconv_t)(-1)) {\n\t\ticonv_close(cd_pl);\n\t}\n\treturn err;\n}",
- "project": "php-src",
- "hash": 218325121010366491134849590402382438328,
- "size": 551,
- "commit_id": "7cf7148a8f8f4f55fb04de2a517d740bb6253eac",
- "message": "Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow",
- "target": 0,
- "dataset": "other",
- "idx": 382780
- },
- {
- "func": "static int php_iconv_output_handler(void **nothing, php_output_context *output_context)\n{\n\tchar *s, *content_type, *mimetype = NULL;\n\tint output_status, mimetype_len = 0;\n\n\tif (output_context->op & PHP_OUTPUT_HANDLER_START) {\n\t\toutput_status = php_output_get_status();\n\t\tif (output_status & PHP_OUTPUT_SENT) {\n\t\t\treturn FAILURE;\n\t\t}\n\n\t\tif (SG(sapi_headers).mimetype && !strncasecmp(SG(sapi_headers).mimetype, \"text/\", 5)) {\n\t\t\tif ((s = strchr(SG(sapi_headers).mimetype,';')) == NULL){\n\t\t\t\tmimetype = SG(sapi_headers).mimetype;\n\t\t\t} else {\n\t\t\t\tmimetype = SG(sapi_headers).mimetype;\n\t\t\t\tmimetype_len = (int)(s - SG(sapi_headers).mimetype);\n\t\t\t}\n\t\t} else if (SG(sapi_headers).send_default_content_type) {\n\t\t\tmimetype = SG(default_mimetype) ? SG(default_mimetype) : SAPI_DEFAULT_MIMETYPE;\n\t\t}\n\n\t\tif (mimetype != NULL && !(output_context->op & PHP_OUTPUT_HANDLER_CLEAN)) {\n\t\t\tsize_t len;\n\t\t\tchar *p = strstr(get_output_encoding(), \"//\");\n\n\t\t\tif (p) {\n\t\t\t\tlen = spprintf(&content_type, 0, \"Content-Type:%.*s; charset=%.*s\", mimetype_len ? mimetype_len : (int) strlen(mimetype), mimetype, (int) (p - get_output_encoding()), get_output_encoding());\n\t\t\t} else {\n\t\t\t\tlen = spprintf(&content_type, 0, \"Content-Type:%.*s; charset=%s\", mimetype_len ? 
mimetype_len : (int) strlen(mimetype), mimetype, get_output_encoding());\n\t\t\t}\n\t\t\tif (content_type && SUCCESS == sapi_add_header(content_type, (uint)len, 0)) {\n\t\t\t\tSG(sapi_headers).send_default_content_type = 0;\n\t\t\t\tphp_output_handler_hook(PHP_OUTPUT_HANDLER_HOOK_IMMUTABLE, NULL);\n\t\t\t}\n\t\t}\n\t}\n\n\tif (output_context->in.used) {\n\t\tzend_string *out;\n\t\toutput_context->out.free = 1;\n\t\t_php_iconv_show_error(php_iconv_string(output_context->in.data, output_context->in.used, &out, get_output_encoding(), get_internal_encoding()), get_output_encoding(), get_internal_encoding());\n\t\tif (out) {\n\t\t\toutput_context->out.data = estrndup(ZSTR_VAL(out), ZSTR_LEN(out));\n\t\t\toutput_context->out.used = ZSTR_LEN(out);\n\t\t\tzend_string_free(out);\n\t\t} else {\n\t\t\toutput_context->out.data = NULL;\n\t\t\toutput_context->out.used = 0;\n\t\t}\n\t}\n\n\treturn SUCCESS;\n}",
- "project": "php-src",
- "hash": 116875874944930120587567879165216714373,
- "size": 54,
- "commit_id": "7cf7148a8f8f4f55fb04de2a517d740bb6253eac",
- "message": "Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow",
- "target": 0,
- "dataset": "other",
- "idx": 382781
- },
- {
- "func": "static php_iconv_err_t _php_iconv_mime_encode(smart_str *pretval, const char *fname, size_t fname_nbytes, const char *fval, size_t fval_nbytes, size_t max_line_len, const char *lfchars, php_iconv_enc_scheme_t enc_scheme, const char *out_charset, const char *enc)\n{\n\tphp_iconv_err_t err = PHP_ICONV_ERR_SUCCESS;\n\ticonv_t cd = (iconv_t)(-1), cd_pl = (iconv_t)(-1);\n\tsize_t char_cnt = 0;\n\tsize_t out_charset_len;\n\tsize_t lfchars_len;\n\tchar *buf = NULL;\n\tconst char *in_p;\n\tsize_t in_left;\n\tchar *out_p;\n\tsize_t out_left;\n\tzend_string *encoded = NULL;\n\tstatic int qp_table[256] = {\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0x00 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0x10 */\n\t\t3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x20 */\n\t\t1, 1, 1, 1, 1, 1, 1 ,1, 1, 1, 1, 1, 1, 3, 1, 3, /* 0x30 */\n\t\t1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x40 */\n\t\t1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, /* 0x50 */\n\t\t1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* 0x60 */\n\t\t1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, /* 0x70 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0x80 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0x90 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0xA0 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0xB0 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0xC0 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0xD0 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 0xE0 */\n\t\t3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3 /* 0xF0 */\n\t};\n\n\tout_charset_len = strlen(out_charset);\n\tlfchars_len = strlen(lfchars);\n\n\tif ((fname_nbytes + 2) >= max_line_len\n\t\t|| (out_charset_len + 12) >= max_line_len) {\n\t\t/* field name is too long */\n\t\terr = PHP_ICONV_ERR_TOO_BIG;\n\t\tgoto out;\n\t}\n\n\tcd_pl = iconv_open(ICONV_ASCII_ENCODING, enc);\n\tif (cd_pl == (iconv_t)(-1)) {\n#if 
ICONV_SUPPORTS_ERRNO\n\t\tif (errno == EINVAL) {\n\t\t\terr = PHP_ICONV_ERR_WRONG_CHARSET;\n\t\t} else {\n\t\t\terr = PHP_ICONV_ERR_CONVERTER;\n\t\t}\n#else\n\t\terr = PHP_ICONV_ERR_UNKNOWN;\n#endif\n\t\tgoto out;\n\t}\n\n\tcd = iconv_open(out_charset, enc);\n\tif (cd == (iconv_t)(-1)) {\n#if ICONV_SUPPORTS_ERRNO\n\t\tif (errno == EINVAL) {\n\t\t\terr = PHP_ICONV_ERR_WRONG_CHARSET;\n\t\t} else {\n\t\t\terr = PHP_ICONV_ERR_CONVERTER;\n\t\t}\n#else\n\t\terr = PHP_ICONV_ERR_UNKNOWN;\n#endif\n\t\tgoto out;\n\t}\n\n\tbuf = safe_emalloc(1, max_line_len, 5);\n\n\tchar_cnt = max_line_len;\n\n\t_php_iconv_appendl(pretval, fname, fname_nbytes, cd_pl);\n\tchar_cnt -= fname_nbytes;\n\tsmart_str_appendl(pretval, \": \", sizeof(\": \") - 1);\n\tchar_cnt -= 2;\n\n\tin_p = fval;\n\tin_left = fval_nbytes;\n\n\tdo {\n\t\tsize_t prev_in_left;\n\t\tsize_t out_size;\n\n\t\tif (char_cnt < (out_charset_len + 12)) {\n\t\t\t/* lfchars must be encoded in ASCII here*/\n\t\t\tsmart_str_appendl(pretval, lfchars, lfchars_len);\n\t\t\tsmart_str_appendc(pretval, ' ');\n\t\t\tchar_cnt = max_line_len - 1;\n\t\t}\n\n\t\tsmart_str_appendl(pretval, \"=?\", sizeof(\"=?\") - 1);\n\t\tchar_cnt -= 2;\n\t\tsmart_str_appendl(pretval, out_charset, out_charset_len);\n\t\tchar_cnt -= out_charset_len;\n\t\tsmart_str_appendc(pretval, '?');\n\t\tchar_cnt --;\n\n\t\tswitch (enc_scheme) {\n\t\t\tcase PHP_ICONV_ENC_SCHEME_BASE64: {\n\t\t\t\tsize_t ini_in_left;\n\t\t\t\tconst char *ini_in_p;\n\t\t\t\tsize_t out_reserved = 4;\n\n\t\t\t\tsmart_str_appendc(pretval, 'B');\n\t\t\t\tchar_cnt--;\n\t\t\t\tsmart_str_appendc(pretval, '?');\n\t\t\t\tchar_cnt--;\n\n\t\t\t\tprev_in_left = ini_in_left = in_left;\n\t\t\t\tini_in_p = in_p;\n\n\t\t\t\tout_size = (char_cnt - 2) / 4 * 3;\n\n\t\t\t\tfor (;;) {\n\t\t\t\t\tout_p = buf;\n\n\t\t\t\t\tif (out_size <= out_reserved) {\n\t\t\t\t\t\terr = PHP_ICONV_ERR_TOO_BIG;\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\n\t\t\t\t\tout_left = out_size - out_reserved;\n\n\t\t\t\t\tif (iconv(cd, (char 
**)&in_p, &in_left, (char **) &out_p, &out_left) == (size_t)-1) {\n#if ICONV_SUPPORTS_ERRNO\n\t\t\t\t\t\tswitch (errno) {\n\t\t\t\t\t\t\tcase EINVAL:\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_ILLEGAL_CHAR;\n\t\t\t\t\t\t\t\tgoto out;\n\n\t\t\t\t\t\t\tcase EILSEQ:\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_ILLEGAL_SEQ;\n\t\t\t\t\t\t\t\tgoto out;\n\n\t\t\t\t\t\t\tcase E2BIG:\n\t\t\t\t\t\t\t\tif (prev_in_left == in_left) {\n\t\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_TOO_BIG;\n\t\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\tif (prev_in_left == in_left) {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t}\n\n\t\t\t\t\tout_left += out_reserved;\n\n\t\t\t\t\tif (iconv(cd, NULL, NULL, (char **) &out_p, &out_left) == (size_t)-1) {\n#if ICONV_SUPPORTS_ERRNO\n\t\t\t\t\t\tif (errno != E2BIG) {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\tif (out_left != 0) {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t} else {\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (iconv(cd, NULL, NULL, NULL, NULL) == (size_t)-1) {\n\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\tgoto out;\n\t\t\t\t\t}\n\n\t\t\t\t\tout_reserved += 4;\n\t\t\t\t\tin_left = ini_in_left;\n\t\t\t\t\tin_p = ini_in_p;\n\t\t\t\t}\n\n\t\t\t\tprev_in_left = in_left;\n\n\t\t\t\tencoded = php_base64_encode((unsigned char *) buf, (out_size - out_left));\n\n\t\t\t\tif (char_cnt < ZSTR_LEN(encoded)) {\n\t\t\t\t\t/* something went wrong! 
*/\n\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\tgoto out;\n\t\t\t\t}\n\n\t\t\t\tsmart_str_appendl(pretval, ZSTR_VAL(encoded), ZSTR_LEN(encoded));\n\t\t\t\tchar_cnt -= ZSTR_LEN(encoded);\n\t\t\t\tsmart_str_appendl(pretval, \"?=\", sizeof(\"?=\") - 1);\n\t\t\t\tchar_cnt -= 2;\n\n\t\t\t\tzend_string_release(encoded);\n\t\t\t\tencoded = NULL;\n\t\t\t} break; /* case PHP_ICONV_ENC_SCHEME_BASE64: */\n\n\t\t\tcase PHP_ICONV_ENC_SCHEME_QPRINT: {\n\t\t\t\tsize_t ini_in_left;\n\t\t\t\tconst char *ini_in_p;\n\t\t\t\tconst unsigned char *p;\n\t\t\t\tsize_t nbytes_required;\n\n\t\t\t\tsmart_str_appendc(pretval, 'Q');\n\t\t\t\tchar_cnt--;\n\t\t\t\tsmart_str_appendc(pretval, '?');\n\t\t\t\tchar_cnt--;\n\n\t\t\t\tprev_in_left = ini_in_left = in_left;\n\t\t\t\tini_in_p = in_p;\n\n\t\t\t\tfor (out_size = (char_cnt - 2); out_size > 0;) {\n#if !ICONV_SUPPORTS_ERRNO\n\t\t\t\t\tsize_t prev_out_left;\n#endif\n\n\t\t\t\t\tnbytes_required = 0;\n\n\t\t\t\t\tout_p = buf;\n\t\t\t\t\tout_left = out_size;\n\n\t\t\t\t\tif (iconv(cd, (char **)&in_p, &in_left, (char **) &out_p, &out_left) == (size_t)-1) {\n#if ICONV_SUPPORTS_ERRNO\n\t\t\t\t\t\tswitch (errno) {\n\t\t\t\t\t\t\tcase EINVAL:\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_ILLEGAL_CHAR;\n\t\t\t\t\t\t\t\tgoto out;\n\n\t\t\t\t\t\t\tcase EILSEQ:\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_ILLEGAL_SEQ;\n\t\t\t\t\t\t\t\tgoto out;\n\n\t\t\t\t\t\t\tcase E2BIG:\n\t\t\t\t\t\t\t\tif (prev_in_left == in_left) {\n\t\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tbreak;\n\n\t\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\tif (prev_in_left == in_left) {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t}\n#if !ICONV_SUPPORTS_ERRNO\n\t\t\t\t\tprev_out_left = out_left;\n#endif\n\t\t\t\t\tif (iconv(cd, NULL, NULL, (char **) &out_p, &out_left) == (size_t)-1) {\n#if 
ICONV_SUPPORTS_ERRNO\n\t\t\t\t\t\tif (errno != E2BIG) {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n#else\n\t\t\t\t\t\tif (out_left == prev_out_left) {\n\t\t\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\t\t\tgoto out;\n\t\t\t\t\t\t}\n#endif\n\t\t\t\t\t}\n\n\t\t\t\t\tfor (p = (unsigned char *)buf; p < (unsigned char *)out_p; p++) {\n\t\t\t\t\t\tnbytes_required += qp_table[*p];\n\t\t\t\t\t}\n\n\t\t\t\t\tif (nbytes_required <= char_cnt - 2) {\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\n\t\t\t\t\tout_size -= ((nbytes_required - (char_cnt - 2)) + 2) / 3;\n\t\t\t\t\tin_left = ini_in_left;\n\t\t\t\t\tin_p = ini_in_p;\n\t\t\t\t}\n\n\t\t\t\tfor (p = (unsigned char *)buf; p < (unsigned char *)out_p; p++) {\n\t\t\t\t\tif (qp_table[*p] == 1) {\n\t\t\t\t\t\tsmart_str_appendc(pretval, *(char *)p);\n\t\t\t\t\t\tchar_cnt--;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tstatic char qp_digits[] = \"0123456789ABCDEF\";\n\t\t\t\t\t\tsmart_str_appendc(pretval, '=');\n\t\t\t\t\t\tsmart_str_appendc(pretval, qp_digits[(*p >> 4) & 0x0f]);\n\t\t\t\t\t\tsmart_str_appendc(pretval, qp_digits[(*p & 0x0f)]);\n\t\t\t\t\t\tchar_cnt -= 3;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tsmart_str_appendl(pretval, \"?=\", sizeof(\"?=\") - 1);\n\t\t\t\tchar_cnt -= 2;\n\n\t\t\t\tif (iconv(cd, NULL, NULL, NULL, NULL) == (size_t)-1) {\n\t\t\t\t\terr = PHP_ICONV_ERR_UNKNOWN;\n\t\t\t\t\tgoto out;\n\t\t\t\t}\n\n\t\t\t} break; /* case PHP_ICONV_ENC_SCHEME_QPRINT: */\n\t\t}\n\t} while (in_left > 0);\n\n\tsmart_str_0(pretval);\n\nout:\n\tif (cd != (iconv_t)(-1)) {\n\t\ticonv_close(cd);\n\t}\n\tif (cd_pl != (iconv_t)(-1)) {\n\t\ticonv_close(cd_pl);\n\t}\n\tif (encoded != NULL) {\n\t\tzend_string_release(encoded);\n\t}\n\tif (buf != NULL) {\n\t\tefree(buf);\n\t}\n\treturn err;\n}",
- "project": "php-src",
- "hash": 5466635189365711181839801820217943190,
- "size": 328,
- "commit_id": "7cf7148a8f8f4f55fb04de2a517d740bb6253eac",
- "message": "Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow",
- "target": 0,
- "dataset": "other",
- "idx": 382776
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "vt_compat_ioctl",
- "vt_ioctl",
- "vc_allocate"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "static int vt_disallocate(unsigned int vc_num)\n{\n\tstruct vc_data *vc = NULL;\n\tint ret = 0;\n\n\tconsole_lock();\n\tif (vt_busy(vc_num))\n\t\tret = -EBUSY;\n\telse if (vc_num)\n\t\tvc = vc_deallocate(vc_num);\n\tconsole_unlock();\n\n\tif (vc && vc_num >= MIN_NR_CONSOLES) {\n\t\ttty_port_destroy(&vc->port);\n\t\tkfree(vc);\n\t}\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 38463244511772680877703611945714587348,
- "size": 19,
- "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220",
- "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include <fcntl.h>\n\t#include <linux/vt.h>\n\t#include <sys/ioctl.h>\n\t#include <unistd.h>\n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 
drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: <stable@vger.kernel.org> # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby <jslaby@suse.cz>\nSigned-off-by: Eric Biggers <ebiggers@google.com>\nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 1,
- "dataset": "other",
- "idx": 210536
- },
- {
- "func": "static int vt_disallocate(unsigned int vc_num)\n{\n\tstruct vc_data *vc = NULL;\n\tint ret = 0;\n\n\tconsole_lock();\n\tif (VT_BUSY(vc_num))\n\t\tret = -EBUSY;\n\telse if (vc_num)\n\t\tvc = vc_deallocate(vc_num);\n\tconsole_unlock();\n\n\tif (vc && vc_num >= MIN_NR_CONSOLES) {\n\t\ttty_port_destroy(&vc->port);\n\t\tkfree(vc);\n\t}\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 80872964397264373033833941297370957398,
- "size": 19,
- "commit_id": "6cd1ed50efd88261298577cd92a14f2768eddeeb",
- "message": "vt: vt_ioctl: fix race in VT_RESIZEX\n\nWe need to make sure vc_cons[i].d is not NULL after grabbing\nconsole_lock(), or risk a crash.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]\nCPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0x123/0x180 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x45b399\nCode: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff 
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399\nRDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003\nRBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff\nR13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c\nModules linked in:\n---[ end trace 80970faf7a67eb77 ]---\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: stable <stable@vger.kernel.org>\nReported-by: syzbot <syzkaller@googlegroups.com>\nLink: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 458190
- },
- {
- "func": "int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)\n{\n\tstruct kbsentry *kbs;\n\tchar *p;\n\tu_char *q;\n\tu_char __user *up;\n\tint sz, fnw_sz;\n\tint delta;\n\tchar *first_free, *fj, *fnw;\n\tint i, j, k;\n\tint ret;\n\tunsigned long flags;\n\n\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\tperm = 0;\n\n\tkbs = kmalloc(sizeof(*kbs), GFP_KERNEL);\n\tif (!kbs) {\n\t\tret = -ENOMEM;\n\t\tgoto reterr;\n\t}\n\n\t/* we mostly copy too much here (512bytes), but who cares ;) */\n\tif (copy_from_user(kbs, user_kdgkb, sizeof(struct kbsentry))) {\n\t\tret = -EFAULT;\n\t\tgoto reterr;\n\t}\n\tkbs->kb_string[sizeof(kbs->kb_string)-1] = '\\0';\n\ti = array_index_nospec(kbs->kb_func, MAX_NR_FUNC);\n\n\tswitch (cmd) {\n\tcase KDGKBSENT:\n\t\tsz = sizeof(kbs->kb_string) - 1; /* sz should have been\n\t\t\t\t\t\t a struct member */\n\t\tup = user_kdgkb->kb_string;\n\t\tp = func_table[i];\n\t\tif(p)\n\t\t\tfor ( ; *p && sz; p++, sz--)\n\t\t\t\tif (put_user(*p, up++)) {\n\t\t\t\t\tret = -EFAULT;\n\t\t\t\t\tgoto reterr;\n\t\t\t\t}\n\t\tif (put_user('\\0', up)) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto reterr;\n\t\t}\n\t\tkfree(kbs);\n\t\treturn ((p && *p) ? -EOVERFLOW : 0);\n\tcase KDSKBSENT:\n\t\tif (!perm) {\n\t\t\tret = -EPERM;\n\t\t\tgoto reterr;\n\t\t}\n\n\t\tfnw = NULL;\n\t\tfnw_sz = 0;\n\t\t/* race aginst other writers */\n\t\tagain:\n\t\tspin_lock_irqsave(&func_buf_lock, flags);\n\t\tq = func_table[i];\n\n\t\t/* fj pointer to next entry after 'q' */\n\t\tfirst_free = funcbufptr + (funcbufsize - funcbufleft);\n\t\tfor (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)\n\t\t\t;\n\t\tif (j < MAX_NR_FUNC)\n\t\t\tfj = func_table[j];\n\t\telse\n\t\t\tfj = first_free;\n\t\t/* buffer usage increase by new entry */\n\t\tdelta = (q ? 
-strlen(q) : 1) + strlen(kbs->kb_string);\n\n\t\tif (delta <= funcbufleft) { \t/* it fits in current buf */\n\t\t if (j < MAX_NR_FUNC) {\n\t\t\t/* make enough space for new entry at 'fj' */\n\t\t\tmemmove(fj + delta, fj, first_free - fj);\n\t\t\tfor (k = j; k < MAX_NR_FUNC; k++)\n\t\t\t if (func_table[k])\n\t\t\t\tfunc_table[k] += delta;\n\t\t }\n\t\t if (!q)\n\t\t func_table[i] = fj;\n\t\t funcbufleft -= delta;\n\t\t} else {\t\t\t/* allocate a larger buffer */\n\t\t sz = 256;\n\t\t while (sz < funcbufsize - funcbufleft + delta)\n\t\t sz <<= 1;\n\t\t if (fnw_sz != sz) {\n\t\t spin_unlock_irqrestore(&func_buf_lock, flags);\n\t\t kfree(fnw);\n\t\t fnw = kmalloc(sz, GFP_KERNEL);\n\t\t fnw_sz = sz;\n\t\t if (!fnw) {\n\t\t\tret = -ENOMEM;\n\t\t\tgoto reterr;\n\t\t }\n\t\t goto again;\n\t\t }\n\n\t\t if (!q)\n\t\t func_table[i] = fj;\n\t\t /* copy data before insertion point to new location */\n\t\t if (fj > funcbufptr)\n\t\t\tmemmove(fnw, funcbufptr, fj - funcbufptr);\n\t\t for (k = 0; k < j; k++)\n\t\t if (func_table[k])\n\t\t\tfunc_table[k] = fnw + (func_table[k] - funcbufptr);\n\n\t\t /* copy data after insertion point to new location */\n\t\t if (first_free > fj) {\n\t\t\tmemmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj);\n\t\t\tfor (k = j; k < MAX_NR_FUNC; k++)\n\t\t\t if (func_table[k])\n\t\t\t func_table[k] = fnw + (func_table[k] - funcbufptr) + delta;\n\t\t }\n\t\t if (funcbufptr != func_buf)\n\t\t kfree(funcbufptr);\n\t\t funcbufptr = fnw;\n\t\t funcbufleft = funcbufleft - delta + sz - funcbufsize;\n\t\t funcbufsize = sz;\n\t\t}\n\t\t/* finally insert item itself */\n\t\tstrcpy(func_table[i], kbs->kb_string);\n\t\tspin_unlock_irqrestore(&func_buf_lock, flags);\n\t\tbreak;\n\t}\n\tret = 0;\nreterr:\n\tkfree(kbs);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 264180744402252921977442661589697361235,
- "size": 131,
- "commit_id": "6ca03f90527e499dd5e32d6522909e2ad390896b",
- "message": "vt: keyboard, simplify vt_kdgkbsent\n\nUse 'strlen' of the string, add one for NUL terminator and simply do\n'copy_to_user' instead of the explicit 'for' loop. This makes the\nKDGKBSENT case more compact.\n\nThe only thing we need to take care about is NULL 'func_table[i]'. Use\nan empty string in that case.\n\nThe original check for overflow could never trigger as the func_buf\nstrings are always shorter or equal to 'struct kbsentry's.\n\nCc: <stable@vger.kernel.org>\nSigned-off-by: Jiri Slaby <jslaby@suse.cz>\nLink: https://lore.kernel.org/r/20201019085517.10176-1-jslaby@suse.cz\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 1,
- "dataset": "other",
- "idx": 212910
- },
- {
- "func": "int vc_allocate(unsigned int currcons)\t/* return 0 on success */\n{\n\tstruct vt_notifier_param param;\n\tstruct vc_data *vc;\n\n\tWARN_CONSOLE_UNLOCKED();\n\n\tif (currcons >= MAX_NR_CONSOLES)\n\t\treturn -ENXIO;\n\n\tif (vc_cons[currcons].d)\n\t\treturn 0;\n\n\t/* due to the granularity of kmalloc, we waste some memory here */\n\t/* the alloc is done in two steps, to optimize the common situation\n\t of a 25x80 console (structsize=216, screenbuf_size=4000) */\n\t/* although the numbers above are not valid since long ago, the\n\t point is still up-to-date and the comment still has its value\n\t even if only as a historical artifact. --mj, July 1998 */\n\tparam.vc = vc = kzalloc(sizeof(struct vc_data), GFP_KERNEL);\n\tif (!vc)\n\t\treturn -ENOMEM;\n\n\tvc_cons[currcons].d = vc;\n\ttty_port_init(&vc->port);\n\tvc->port.ops = &vc_port_ops;\n\tINIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);\n\n\tvisual_init(vc, currcons, 1);\n\n\tif (!*vc->vc_uni_pagedir_loc)\n\t\tcon_set_default_unimap(vc);\n\n\tvc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);\n\tif (!vc->vc_screenbuf)\n\t\tgoto err_free;\n\n\t/* If no drivers have overridden us and the user didn't pass a\n\t boot option, default to displaying the cursor */\n\tif (global_cursor_default == -1)\n\t\tglobal_cursor_default = 1;\n\n\tvc_init(vc, vc->vc_rows, vc->vc_cols, 1);\n\tvcs_make_sysfs(currcons);\n\tatomic_notifier_call_chain(&vt_notifier_list, VT_ALLOCATE, ¶m);\n\n\treturn 0;\nerr_free:\n\tvisual_deinit(vc);\n\tkfree(vc);\n\tvc_cons[currcons].d = NULL;\n\treturn -ENOMEM;\n}",
- "project": "linux",
- "hash": 117512636323690110067298175533028534015,
- "size": 53,
- "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220",
- "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include <fcntl.h>\n\t#include <linux/vt.h>\n\t#include <sys/ioctl.h>\n\t#include <unistd.h>\n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 
drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: <stable@vger.kernel.org> # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby <jslaby@suse.cz>\nSigned-off-by: Eric Biggers <ebiggers@google.com>\nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 437043
- },
- {
- "func": "long vt_compat_ioctl(struct tty_struct *tty,\n\t unsigned int cmd, unsigned long arg)\n{\n\tstruct vc_data *vc = tty->driver_data;\n\tstruct console_font_op op;\t/* used in multiple places here */\n\tunsigned int console = vc->vc_num;\n\tvoid __user *up = compat_ptr(arg);\n\tint perm;\n\n\n\tif (!vc_cons_allocated(console)) \t/* impossible? */\n\t\treturn -ENOIOCTLCMD;\n\n\t/*\n\t * To have permissions to do most of the vt ioctls, we either have\n\t * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.\n\t */\n\tperm = 0;\n\tif (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))\n\t\tperm = 1;\n\n\tswitch (cmd) {\n\t/*\n\t * these need special handlers for incompatible data structures\n\t */\n\tcase PIO_FONTX:\n\tcase GIO_FONTX:\n\t\treturn compat_fontx_ioctl(cmd, up, perm, &op);\n\n\tcase KDFONTOP:\n\t\treturn compat_kdfontop_ioctl(up, perm, &op, vc);\n\n\tcase PIO_UNIMAP:\n\tcase GIO_UNIMAP:\n\t\treturn compat_unimap_ioctl(cmd, up, perm, vc);\n\n\t/*\n\t * all these treat 'arg' as an integer\n\t */\n\tcase KIOCSOUND:\n\tcase KDMKTONE:\n#ifdef CONFIG_X86\n\tcase KDADDIO:\n\tcase KDDELIO:\n#endif\n\tcase KDSETMODE:\n\tcase KDMAPDISP:\n\tcase KDUNMAPDISP:\n\tcase KDSKBMODE:\n\tcase KDSKBMETA:\n\tcase KDSKBLED:\n\tcase KDSETLED:\n\tcase KDSIGACCEPT:\n\tcase VT_ACTIVATE:\n\tcase VT_WAITACTIVE:\n\tcase VT_RELDISP:\n\tcase VT_DISALLOCATE:\n\tcase VT_RESIZE:\n\tcase VT_RESIZEX:\n\t\treturn vt_ioctl(tty, cmd, arg);\n\n\t/*\n\t * the rest has a compatible data structure behind arg,\n\t * but we have to convert it to a proper 64 bit pointer.\n\t */\n\tdefault:\n\t\treturn vt_ioctl(tty, cmd, (unsigned long)up);\n\t}\n}",
- "project": "linux",
- "hash": 192018643298579271829100810505147802074,
- "size": 69,
- "commit_id": "6cd1ed50efd88261298577cd92a14f2768eddeeb",
- "message": "vt: vt_ioctl: fix race in VT_RESIZEX\n\nWe need to make sure vc_cons[i].d is not NULL after grabbing\nconsole_lock(), or risk a crash.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]\nCPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0x123/0x180 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x45b399\nCode: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff 
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399\nRDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003\nRBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff\nR13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c\nModules linked in:\n---[ end trace 80970faf7a67eb77 ]---\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: stable <stable@vger.kernel.org>\nReported-by: syzbot <syzkaller@googlegroups.com>\nLink: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 458188
- },
- {
- "func": "static void vt_disallocate_all(void)\n{\n\tstruct vc_data *vc[MAX_NR_CONSOLES];\n\tint i;\n\n\tconsole_lock();\n\tfor (i = 1; i < MAX_NR_CONSOLES; i++)\n\t\tif (!VT_BUSY(i))\n\t\t\tvc[i] = vc_deallocate(i);\n\t\telse\n\t\t\tvc[i] = NULL;\n\tconsole_unlock();\n\n\tfor (i = 1; i < MAX_NR_CONSOLES; i++) {\n\t\tif (vc[i] && i >= MIN_NR_CONSOLES) {\n\t\t\ttty_port_destroy(&vc[i]->port);\n\t\t\tkfree(vc[i]);\n\t\t}\n\t}\n}",
- "project": "linux",
- "hash": 285711189364176146888062077879526937291,
- "size": 20,
- "commit_id": "6cd1ed50efd88261298577cd92a14f2768eddeeb",
- "message": "vt: vt_ioctl: fix race in VT_RESIZEX\n\nWe need to make sure vc_cons[i].d is not NULL after grabbing\nconsole_lock(), or risk a crash.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]\nCPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0x123/0x180 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x45b399\nCode: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff 
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399\nRDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003\nRBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff\nR13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c\nModules linked in:\n---[ end trace 80970faf7a67eb77 ]---\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: stable <stable@vger.kernel.org>\nReported-by: syzbot <syzkaller@googlegroups.com>\nLink: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 458191
- },
- {
- "func": "int vt_ioctl(struct tty_struct *tty,\n\t unsigned int cmd, unsigned long arg)\n{\n\tstruct vc_data *vc = tty->driver_data;\n\tstruct console_font_op op;\t/* used in multiple places here */\n\tunsigned int console;\n\tunsigned char ucval;\n\tunsigned int uival;\n\tvoid __user *up = (void __user *)arg;\n\tint i, perm;\n\tint ret = 0;\n\n\tconsole = vc->vc_num;\n\n\n\tif (!vc_cons_allocated(console)) { \t/* impossible? */\n\t\tret = -ENOIOCTLCMD;\n\t\tgoto out;\n\t}\n\n\n\t/*\n\t * To have permissions to do most of the vt ioctls, we either have\n\t * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.\n\t */\n\tperm = 0;\n\tif (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))\n\t\tperm = 1;\n \n\tswitch (cmd) {\n\tcase TIOCLINUX:\n\t\tret = tioclinux(tty, arg);\n\t\tbreak;\n\tcase KIOCSOUND:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\t/*\n\t\t * The use of PIT_TICK_RATE is historic, it used to be\n\t\t * the platform-dependent CLOCK_TICK_RATE between 2.6.12\n\t\t * and 2.6.36, which was a minor but unfortunate ABI\n\t\t * change. kd_mksound is locked by the input layer.\n\t\t */\n\t\tif (arg)\n\t\t\targ = PIT_TICK_RATE / arg;\n\t\tkd_mksound(arg, 0);\n\t\tbreak;\n\n\tcase KDMKTONE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t{\n\t\tunsigned int ticks, count;\n\t\t\n\t\t/*\n\t\t * Generate the tone for the appropriate number of ticks.\n\t\t * If the time is zero, turn off sound ourselves.\n\t\t */\n\t\tticks = msecs_to_jiffies((arg >> 16) & 0xffff);\n\t\tcount = ticks ? 
(arg & 0xffff) : 0;\n\t\tif (count)\n\t\t\tcount = PIT_TICK_RATE / count;\n\t\tkd_mksound(count, ticks);\n\t\tbreak;\n\t}\n\n\tcase KDGKBTYPE:\n\t\t/*\n\t\t * this is naïve.\n\t\t */\n\t\tucval = KB_101;\n\t\tret = put_user(ucval, (char __user *)arg);\n\t\tbreak;\n\n\t\t/*\n\t\t * These cannot be implemented on any machine that implements\n\t\t * ioperm() in user level (such as Alpha PCs) or not at all.\n\t\t *\n\t\t * XXX: you should never use these, just call ioperm directly..\n\t\t */\n#ifdef CONFIG_X86\n\tcase KDADDIO:\n\tcase KDDELIO:\n\t\t/*\n\t\t * KDADDIO and KDDELIO may be able to add ports beyond what\n\t\t * we reject here, but to be safe...\n\t\t *\n\t\t * These are locked internally via sys_ioperm\n\t\t */\n\t\tif (arg < GPFIRST || arg > GPLAST) {\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\tret = ksys_ioperm(arg, 1, (cmd == KDADDIO)) ? -ENXIO : 0;\n\t\tbreak;\n\n\tcase KDENABIO:\n\tcase KDDISABIO:\n\t\tret = ksys_ioperm(GPFIRST, GPNUM,\n\t\t\t\t (cmd == KDENABIO)) ? -ENXIO : 0;\n\t\tbreak;\n#endif\n\n\t/* Linux m68k/i386 interface for setting the keyboard delay/repeat rate */\n\t\t\n\tcase KDKBDREP:\n\t{\n\t\tstruct kbd_repeat kbrep;\n\t\t\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\n\t\tif (copy_from_user(&kbrep, up, sizeof(struct kbd_repeat))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kbd_rate(&kbrep);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tif (copy_to_user(up, &kbrep, sizeof(struct kbd_repeat)))\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\tcase KDSETMODE:\n\t\t/*\n\t\t * currently, setting the mode from KD_TEXT to KD_GRAPHICS\n\t\t * doesn't do a whole lot. i'm not sure if it should do any\n\t\t * restoration of modes or what...\n\t\t *\n\t\t * XXX It should at least call into the driver, fbdev's definitely\n\t\t * need to restore their engine state. 
--BenH\n\t\t */\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tswitch (arg) {\n\t\tcase KD_GRAPHICS:\n\t\t\tbreak;\n\t\tcase KD_TEXT0:\n\t\tcase KD_TEXT1:\n\t\t\targ = KD_TEXT;\n\t\tcase KD_TEXT:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\t/* FIXME: this needs the console lock extending */\n\t\tif (vc->vc_mode == (unsigned char) arg)\n\t\t\tbreak;\n\t\tvc->vc_mode = (unsigned char) arg;\n\t\tif (console != fg_console)\n\t\t\tbreak;\n\t\t/*\n\t\t * explicitly blank/unblank the screen if switching modes\n\t\t */\n\t\tconsole_lock();\n\t\tif (arg == KD_TEXT)\n\t\t\tdo_unblank_screen(1);\n\t\telse\n\t\t\tdo_blank_screen(1);\n\t\tconsole_unlock();\n\t\tbreak;\n\n\tcase KDGETMODE:\n\t\tuival = vc->vc_mode;\n\t\tgoto setint;\n\n\tcase KDMAPDISP:\n\tcase KDUNMAPDISP:\n\t\t/*\n\t\t * these work like a combination of mmap and KDENABIO.\n\t\t * this could be easily finished.\n\t\t */\n\t\tret = -EINVAL;\n\t\tbreak;\n\n\tcase KDSKBMODE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tret = vt_do_kdskbmode(console, arg);\n\t\tif (ret == 0)\n\t\t\ttty_ldisc_flush(tty);\n\t\tbreak;\n\n\tcase KDGKBMODE:\n\t\tuival = vt_do_kdgkbmode(console);\n\t\tret = put_user(uival, (int __user *)arg);\n\t\tbreak;\n\n\t/* this could be folded into KDSKBMODE, but for compatibility\n\t reasons it is not so easy to fold KDGKBMETA into KDGKBMODE */\n\tcase KDSKBMETA:\n\t\tret = vt_do_kdskbmeta(console, arg);\n\t\tbreak;\n\n\tcase KDGKBMETA:\n\t\t/* FIXME: should review whether this is worth locking */\n\t\tuival = vt_do_kdgkbmeta(console);\n\tsetint:\n\t\tret = put_user(uival, (int __user *)arg);\n\t\tbreak;\n\n\tcase KDGETKEYCODE:\n\tcase KDSETKEYCODE:\n\t\tif(!capable(CAP_SYS_TTY_CONFIG))\n\t\t\tperm = 0;\n\t\tret = vt_do_kbkeycode_ioctl(cmd, up, perm);\n\t\tbreak;\n\n\tcase KDGKBENT:\n\tcase KDSKBENT:\n\t\tret = vt_do_kdsk_ioctl(cmd, up, perm, console);\n\t\tbreak;\n\n\tcase KDGKBSENT:\n\tcase KDSKBSENT:\n\t\tret = vt_do_kdgkb_ioctl(cmd, up, perm);\n\t\tbreak;\n\n\t/* 
Diacritical processing. Handled in keyboard.c as it has\n\t to operate on the keyboard locks and structures */\n\tcase KDGKBDIACR:\n\tcase KDGKBDIACRUC:\n\tcase KDSKBDIACR:\n\tcase KDSKBDIACRUC:\n\t\tret = vt_do_diacrit(cmd, up, perm);\n\t\tbreak;\n\n\t/* the ioctls below read/set the flags usually shown in the leds */\n\t/* don't use them - they will go away without warning */\n\tcase KDGKBLED:\n\tcase KDSKBLED:\n\tcase KDGETLED:\n\tcase KDSETLED:\n\t\tret = vt_do_kdskled(console, cmd, arg, perm);\n\t\tbreak;\n\n\t/*\n\t * A process can indicate its willingness to accept signals\n\t * generated by pressing an appropriate key combination.\n\t * Thus, one can have a daemon that e.g. spawns a new console\n\t * upon a keypress and then changes to it.\n\t * See also the kbrequest field of inittab(5).\n\t */\n\tcase KDSIGACCEPT:\n\t{\n\t\tif (!perm || !capable(CAP_KILL))\n\t\t\treturn -EPERM;\n\t\tif (!valid_signal(arg) || arg < 1 || arg == SIGKILL)\n\t\t\tret = -EINVAL;\n\t\telse {\n\t\t\tspin_lock_irq(&vt_spawn_con.lock);\n\t\t\tput_pid(vt_spawn_con.pid);\n\t\t\tvt_spawn_con.pid = get_pid(task_pid(current));\n\t\t\tvt_spawn_con.sig = arg;\n\t\t\tspin_unlock_irq(&vt_spawn_con.lock);\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase VT_SETMODE:\n\t{\n\t\tstruct vt_mode tmp;\n\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (copy_from_user(&tmp, up, sizeof(struct vt_mode))) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto out;\n\t\t}\n\t\tif (tmp.mode != VT_AUTO && tmp.mode != VT_PROCESS) {\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\tconsole_lock();\n\t\tvc->vt_mode = tmp;\n\t\t/* the frsig is ignored, so we set it to 0 */\n\t\tvc->vt_mode.frsig = 0;\n\t\tput_pid(vc->vt_pid);\n\t\tvc->vt_pid = get_pid(task_pid(current));\n\t\t/* no switch is required -- saw@shade.msu.ru */\n\t\tvc->vt_newvt = -1;\n\t\tconsole_unlock();\n\t\tbreak;\n\t}\n\n\tcase VT_GETMODE:\n\t{\n\t\tstruct vt_mode tmp;\n\t\tint rc;\n\n\t\tconsole_lock();\n\t\tmemcpy(&tmp, &vc->vt_mode, sizeof(struct 
vt_mode));\n\t\tconsole_unlock();\n\n\t\trc = copy_to_user(up, &tmp, sizeof(struct vt_mode));\n\t\tif (rc)\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\t/*\n\t * Returns global vt state. Note that VT 0 is always open, since\n\t * it's an alias for the current VT, and people can't use it here.\n\t * We cannot return state for more than 16 VTs, since v_state is short.\n\t */\n\tcase VT_GETSTATE:\n\t{\n\t\tstruct vt_stat __user *vtstat = up;\n\t\tunsigned short state, mask;\n\n\t\t/* Review: FIXME: Console lock ? */\n\t\tif (put_user(fg_console + 1, &vtstat->v_active))\n\t\t\tret = -EFAULT;\n\t\telse {\n\t\t\tstate = 1;\t/* /dev/tty0 is always open */\n\t\t\tfor (i = 0, mask = 2; i < MAX_NR_CONSOLES && mask;\n\t\t\t\t\t\t\t++i, mask <<= 1)\n\t\t\t\tif (VT_IS_IN_USE(i))\n\t\t\t\t\tstate |= mask;\n\t\t\tret = put_user(state, &vtstat->v_state);\n\t\t}\n\t\tbreak;\n\t}\n\n\t/*\n\t * Returns the first available (non-opened) console.\n\t */\n\tcase VT_OPENQRY:\n\t\t/* FIXME: locking ? - but then this is a stupid API */\n\t\tfor (i = 0; i < MAX_NR_CONSOLES; ++i)\n\t\t\tif (! VT_IS_IN_USE(i))\n\t\t\t\tbreak;\n\t\tuival = i < MAX_NR_CONSOLES ? 
(i+1) : -1;\n\t\tgoto setint;\t\t \n\n\t/*\n\t * ioctl(fd, VT_ACTIVATE, num) will cause us to switch to vt # num,\n\t * with num >= 1 (switches to vt 0, our console, are not allowed, just\n\t * to preserve sanity).\n\t */\n\tcase VT_ACTIVATE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (arg == 0 || arg > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse {\n\t\t\targ--;\n\t\t\tconsole_lock();\n\t\t\tret = vc_allocate(arg);\n\t\t\tconsole_unlock();\n\t\t\tif (ret)\n\t\t\t\tbreak;\n\t\t\tset_console(arg);\n\t\t}\n\t\tbreak;\n\n\tcase VT_SETACTIVATE:\n\t{\n\t\tstruct vt_setactivate vsa;\n\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n\t\tif (copy_from_user(&vsa, (struct vt_setactivate __user *)arg,\n\t\t\t\t\tsizeof(struct vt_setactivate))) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto out;\n\t\t}\n\t\tif (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse {\n\t\t\tvsa.console = array_index_nospec(vsa.console,\n\t\t\t\t\t\t\t MAX_NR_CONSOLES + 1);\n\t\t\tvsa.console--;\n\t\t\tconsole_lock();\n\t\t\tret = vc_allocate(vsa.console);\n\t\t\tif (ret == 0) {\n\t\t\t\tstruct vc_data *nvc;\n\t\t\t\t/* This is safe providing we don't drop the\n\t\t\t\t console sem between vc_allocate and\n\t\t\t\t finishing referencing nvc */\n\t\t\t\tnvc = vc_cons[vsa.console].d;\n\t\t\t\tnvc->vt_mode = vsa.mode;\n\t\t\t\tnvc->vt_mode.frsig = 0;\n\t\t\t\tput_pid(nvc->vt_pid);\n\t\t\t\tnvc->vt_pid = get_pid(task_pid(current));\n\t\t\t}\n\t\t\tconsole_unlock();\n\t\t\tif (ret)\n\t\t\t\tbreak;\n\t\t\t/* Commence switch and lock */\n\t\t\t/* Review set_console locks */\n\t\t\tset_console(vsa.console);\n\t\t}\n\t\tbreak;\n\t}\n\n\t/*\n\t * wait until the specified VT has been activated\n\t */\n\tcase VT_WAITACTIVE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (arg == 0 || arg > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse\n\t\t\tret = vt_waitactive(arg);\n\t\tbreak;\n\n\t/*\n\t * If a vt is under process control, the kernel will not switch to it\n\t * immediately, but postpone 
the operation until the process calls this\n\t * ioctl, allowing the switch to complete.\n\t *\n\t * According to the X sources this is the behavior:\n\t *\t0:\tpending switch-from not OK\n\t *\t1:\tpending switch-from OK\n\t *\t2:\tcompleted switch-to OK\n\t */\n\tcase VT_RELDISP:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n\t\tconsole_lock();\n\t\tif (vc->vt_mode.mode != VT_PROCESS) {\n\t\t\tconsole_unlock();\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\t/*\n\t\t * Switching-from response\n\t\t */\n\t\tif (vc->vt_newvt >= 0) {\n\t\t\tif (arg == 0)\n\t\t\t\t/*\n\t\t\t\t * Switch disallowed, so forget we were trying\n\t\t\t\t * to do it.\n\t\t\t\t */\n\t\t\t\tvc->vt_newvt = -1;\n\n\t\t\telse {\n\t\t\t\t/*\n\t\t\t\t * The current vt has been released, so\n\t\t\t\t * complete the switch.\n\t\t\t\t */\n\t\t\t\tint newvt;\n\t\t\t\tnewvt = vc->vt_newvt;\n\t\t\t\tvc->vt_newvt = -1;\n\t\t\t\tret = vc_allocate(newvt);\n\t\t\t\tif (ret) {\n\t\t\t\t\tconsole_unlock();\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\t/*\n\t\t\t\t * When we actually do the console switch,\n\t\t\t\t * make sure we are atomic with respect to\n\t\t\t\t * other console switches..\n\t\t\t\t */\n\t\t\t\tcomplete_change_console(vc_cons[newvt].d);\n\t\t\t}\n\t\t} else {\n\t\t\t/*\n\t\t\t * Switched-to response\n\t\t\t */\n\t\t\t/*\n\t\t\t * If it's just an ACK, ignore it\n\t\t\t */\n\t\t\tif (arg != VT_ACKACQ)\n\t\t\t\tret = -EINVAL;\n\t\t}\n\t\tconsole_unlock();\n\t\tbreak;\n\n\t /*\n\t * Disallocate memory associated to VT (but leave VT1)\n\t */\n\t case VT_DISALLOCATE:\n\t\tif (arg > MAX_NR_CONSOLES) {\n\t\t\tret = -ENXIO;\n\t\t\tbreak;\n\t\t}\n\t\tif (arg == 0)\n\t\t\tvt_disallocate_all();\n\t\telse\n\t\t\tret = vt_disallocate(--arg);\n\t\tbreak;\n\n\tcase VT_RESIZE:\n\t{\n\t\tstruct vt_sizes __user *vtsizes = up;\n\t\tstruct vc_data *vc;\n\n\t\tushort ll,cc;\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (get_user(ll, &vtsizes->v_rows) ||\n\t\t get_user(cc, &vtsizes->v_cols))\n\t\t\tret = -EFAULT;\n\t\telse 
{\n\t\t\tconsole_lock();\n\t\t\tfor (i = 0; i < MAX_NR_CONSOLES; i++) {\n\t\t\t\tvc = vc_cons[i].d;\n\n\t\t\t\tif (vc) {\n\t\t\t\t\tvc->vc_resize_user = 1;\n\t\t\t\t\t/* FIXME: review v tty lock */\n\t\t\t\t\tvc_resize(vc_cons[i].d, cc, ll);\n\t\t\t\t}\n\t\t\t}\n\t\t\tconsole_unlock();\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase VT_RESIZEX:\n\t{\n\t\tstruct vt_consize v;\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (copy_from_user(&v, up, sizeof(struct vt_consize)))\n\t\t\treturn -EFAULT;\n\t\t/* FIXME: Should check the copies properly */\n\t\tif (!v.v_vlin)\n\t\t\tv.v_vlin = vc->vc_scan_lines;\n\t\tif (v.v_clin) {\n\t\t\tint rows = v.v_vlin/v.v_clin;\n\t\t\tif (v.v_rows != rows) {\n\t\t\t\tif (v.v_rows) /* Parameters don't add up */\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tv.v_rows = rows;\n\t\t\t}\n\t\t}\n\t\tif (v.v_vcol && v.v_ccol) {\n\t\t\tint cols = v.v_vcol/v.v_ccol;\n\t\t\tif (v.v_cols != cols) {\n\t\t\t\tif (v.v_cols)\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tv.v_cols = cols;\n\t\t\t}\n\t\t}\n\n\t\tif (v.v_clin > 32)\n\t\t\treturn -EINVAL;\n\n\t\tfor (i = 0; i < MAX_NR_CONSOLES; i++) {\n\t\t\tif (!vc_cons[i].d)\n\t\t\t\tcontinue;\n\t\t\tconsole_lock();\n\t\t\tif (v.v_vlin)\n\t\t\t\tvc_cons[i].d->vc_scan_lines = v.v_vlin;\n\t\t\tif (v.v_clin)\n\t\t\t\tvc_cons[i].d->vc_font.height = v.v_clin;\n\t\t\tvc_cons[i].d->vc_resize_user = 1;\n\t\t\tvc_resize(vc_cons[i].d, v.v_cols, v.v_rows);\n\t\t\tconsole_unlock();\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase PIO_FONT: {\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\top.op = KD_FONT_OP_SET;\n\t\top.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC;\t/* Compatibility */\n\t\top.width = 8;\n\t\top.height = 0;\n\t\top.charcount = 256;\n\t\top.data = up;\n\t\tret = con_font_op(vc_cons[fg_console].d, &op);\n\t\tbreak;\n\t}\n\n\tcase GIO_FONT: {\n\t\top.op = KD_FONT_OP_GET;\n\t\top.flags = KD_FONT_FLAG_OLD;\n\t\top.width = 8;\n\t\top.height = 32;\n\t\top.charcount = 256;\n\t\top.data = up;\n\t\tret = con_font_op(vc_cons[fg_console].d, 
&op);\n\t\tbreak;\n\t}\n\n\tcase PIO_CMAP:\n if (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t ret = con_set_cmap(up);\n\t\tbreak;\n\n\tcase GIO_CMAP:\n ret = con_get_cmap(up);\n\t\tbreak;\n\n\tcase PIO_FONTX:\n\tcase GIO_FONTX:\n\t\tret = do_fontx_ioctl(cmd, up, perm, &op);\n\t\tbreak;\n\n\tcase PIO_FONTRESET:\n\t{\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n#ifdef BROKEN_GRAPHICS_PROGRAMS\n\t\t/* With BROKEN_GRAPHICS_PROGRAMS defined, the default\n\t\t font is not saved. */\n\t\tret = -ENOSYS;\n\t\tbreak;\n#else\n\t\t{\n\t\top.op = KD_FONT_OP_SET_DEFAULT;\n\t\top.data = NULL;\n\t\tret = con_font_op(vc_cons[fg_console].d, &op);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tconsole_lock();\n\t\tcon_set_default_unimap(vc_cons[fg_console].d);\n\t\tconsole_unlock();\n\t\tbreak;\n\t\t}\n#endif\n\t}\n\n\tcase KDFONTOP: {\n\t\tif (copy_from_user(&op, up, sizeof(op))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tif (!perm && op.op != KD_FONT_OP_GET)\n\t\t\treturn -EPERM;\n\t\tret = con_font_op(vc, &op);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tif (copy_to_user(up, &op, sizeof(op)))\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\tcase PIO_SCRNMAP:\n\t\tif (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t\t\tret = con_set_trans_old(up);\n\t\tbreak;\n\n\tcase GIO_SCRNMAP:\n\t\tret = con_get_trans_old(up);\n\t\tbreak;\n\n\tcase PIO_UNISCRNMAP:\n\t\tif (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t\t\tret = con_set_trans_new(up);\n\t\tbreak;\n\n\tcase GIO_UNISCRNMAP:\n\t\tret = con_get_trans_new(up);\n\t\tbreak;\n\n\tcase PIO_UNIMAPCLR:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tcon_clear_unimap(vc);\n\t\tbreak;\n\n\tcase PIO_UNIMAP:\n\tcase GIO_UNIMAP:\n\t\tret = do_unimap_ioctl(cmd, up, perm, vc);\n\t\tbreak;\n\n\tcase VT_LOCKSWITCH:\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\t\tvt_dont_switch = 1;\n\t\tbreak;\n\tcase VT_UNLOCKSWITCH:\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\t\tvt_dont_switch = 0;\n\t\tbreak;\n\tcase VT_GETHIFONTMASK:\n\t\tret = 
put_user(vc->vc_hi_font_mask,\n\t\t\t\t\t(unsigned short __user *)arg);\n\t\tbreak;\n\tcase VT_WAITEVENT:\n\t\tret = vt_event_wait_ioctl((struct vt_event __user *)arg);\n\t\tbreak;\n\tdefault:\n\t\tret = -ENOIOCTLCMD;\n\t}\nout:\n\treturn ret;\n}",
- "project": "linux",
- "hash": 215976747485693149279929143438303006406,
- "size": 696,
- "commit_id": "6cd1ed50efd88261298577cd92a14f2768eddeeb",
- "message": "vt: vt_ioctl: fix race in VT_RESIZEX\n\nWe need to make sure vc_cons[i].d is not NULL after grabbing\nconsole_lock(), or risk a crash.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]\nCPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0x123/0x180 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x45b399\nCode: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff 
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399\nRDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003\nRBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff\nR13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c\nModules linked in:\n---[ end trace 80970faf7a67eb77 ]---\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: stable <stable@vger.kernel.org>\nReported-by: syzbot <syzkaller@googlegroups.com>\nLink: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 1,
- "dataset": "other",
- "idx": 212365
- },
- {
- "func": "int vt_ioctl(struct tty_struct *tty,\n\t unsigned int cmd, unsigned long arg)\n{\n\tstruct vc_data *vc = tty->driver_data;\n\tstruct console_font_op op;\t/* used in multiple places here */\n\tunsigned int console = vc->vc_num;\n\tunsigned char ucval;\n\tunsigned int uival;\n\tvoid __user *up = (void __user *)arg;\n\tint i, perm;\n\tint ret = 0;\n\n\t/*\n\t * To have permissions to do most of the vt ioctls, we either have\n\t * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.\n\t */\n\tperm = 0;\n\tif (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))\n\t\tperm = 1;\n \n\tswitch (cmd) {\n\tcase TIOCLINUX:\n\t\tret = tioclinux(tty, arg);\n\t\tbreak;\n\tcase KIOCSOUND:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\t/*\n\t\t * The use of PIT_TICK_RATE is historic, it used to be\n\t\t * the platform-dependent CLOCK_TICK_RATE between 2.6.12\n\t\t * and 2.6.36, which was a minor but unfortunate ABI\n\t\t * change. kd_mksound is locked by the input layer.\n\t\t */\n\t\tif (arg)\n\t\t\targ = PIT_TICK_RATE / arg;\n\t\tkd_mksound(arg, 0);\n\t\tbreak;\n\n\tcase KDMKTONE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t{\n\t\tunsigned int ticks, count;\n\t\t\n\t\t/*\n\t\t * Generate the tone for the appropriate number of ticks.\n\t\t * If the time is zero, turn off sound ourselves.\n\t\t */\n\t\tticks = msecs_to_jiffies((arg >> 16) & 0xffff);\n\t\tcount = ticks ? 
(arg & 0xffff) : 0;\n\t\tif (count)\n\t\t\tcount = PIT_TICK_RATE / count;\n\t\tkd_mksound(count, ticks);\n\t\tbreak;\n\t}\n\n\tcase KDGKBTYPE:\n\t\t/*\n\t\t * this is naïve.\n\t\t */\n\t\tucval = KB_101;\n\t\tret = put_user(ucval, (char __user *)arg);\n\t\tbreak;\n\n\t\t/*\n\t\t * These cannot be implemented on any machine that implements\n\t\t * ioperm() in user level (such as Alpha PCs) or not at all.\n\t\t *\n\t\t * XXX: you should never use these, just call ioperm directly..\n\t\t */\n#ifdef CONFIG_X86\n\tcase KDADDIO:\n\tcase KDDELIO:\n\t\t/*\n\t\t * KDADDIO and KDDELIO may be able to add ports beyond what\n\t\t * we reject here, but to be safe...\n\t\t *\n\t\t * These are locked internally via sys_ioperm\n\t\t */\n\t\tif (arg < GPFIRST || arg > GPLAST) {\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\tret = ksys_ioperm(arg, 1, (cmd == KDADDIO)) ? -ENXIO : 0;\n\t\tbreak;\n\n\tcase KDENABIO:\n\tcase KDDISABIO:\n\t\tret = ksys_ioperm(GPFIRST, GPNUM,\n\t\t\t\t (cmd == KDENABIO)) ? -ENXIO : 0;\n\t\tbreak;\n#endif\n\n\t/* Linux m68k/i386 interface for setting the keyboard delay/repeat rate */\n\t\t\n\tcase KDKBDREP:\n\t{\n\t\tstruct kbd_repeat kbrep;\n\t\t\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\n\t\tif (copy_from_user(&kbrep, up, sizeof(struct kbd_repeat))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kbd_rate(&kbrep);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tif (copy_to_user(up, &kbrep, sizeof(struct kbd_repeat)))\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\tcase KDSETMODE:\n\t\t/*\n\t\t * currently, setting the mode from KD_TEXT to KD_GRAPHICS\n\t\t * doesn't do a whole lot. i'm not sure if it should do any\n\t\t * restoration of modes or what...\n\t\t *\n\t\t * XXX It should at least call into the driver, fbdev's definitely\n\t\t * need to restore their engine state. 
--BenH\n\t\t */\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tswitch (arg) {\n\t\tcase KD_GRAPHICS:\n\t\t\tbreak;\n\t\tcase KD_TEXT0:\n\t\tcase KD_TEXT1:\n\t\t\targ = KD_TEXT;\n\t\tcase KD_TEXT:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\t/* FIXME: this needs the console lock extending */\n\t\tif (vc->vc_mode == (unsigned char) arg)\n\t\t\tbreak;\n\t\tvc->vc_mode = (unsigned char) arg;\n\t\tif (console != fg_console)\n\t\t\tbreak;\n\t\t/*\n\t\t * explicitly blank/unblank the screen if switching modes\n\t\t */\n\t\tconsole_lock();\n\t\tif (arg == KD_TEXT)\n\t\t\tdo_unblank_screen(1);\n\t\telse\n\t\t\tdo_blank_screen(1);\n\t\tconsole_unlock();\n\t\tbreak;\n\n\tcase KDGETMODE:\n\t\tuival = vc->vc_mode;\n\t\tgoto setint;\n\n\tcase KDMAPDISP:\n\tcase KDUNMAPDISP:\n\t\t/*\n\t\t * these work like a combination of mmap and KDENABIO.\n\t\t * this could be easily finished.\n\t\t */\n\t\tret = -EINVAL;\n\t\tbreak;\n\n\tcase KDSKBMODE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tret = vt_do_kdskbmode(console, arg);\n\t\tif (ret == 0)\n\t\t\ttty_ldisc_flush(tty);\n\t\tbreak;\n\n\tcase KDGKBMODE:\n\t\tuival = vt_do_kdgkbmode(console);\n\t\tret = put_user(uival, (int __user *)arg);\n\t\tbreak;\n\n\t/* this could be folded into KDSKBMODE, but for compatibility\n\t reasons it is not so easy to fold KDGKBMETA into KDGKBMODE */\n\tcase KDSKBMETA:\n\t\tret = vt_do_kdskbmeta(console, arg);\n\t\tbreak;\n\n\tcase KDGKBMETA:\n\t\t/* FIXME: should review whether this is worth locking */\n\t\tuival = vt_do_kdgkbmeta(console);\n\tsetint:\n\t\tret = put_user(uival, (int __user *)arg);\n\t\tbreak;\n\n\tcase KDGETKEYCODE:\n\tcase KDSETKEYCODE:\n\t\tif(!capable(CAP_SYS_TTY_CONFIG))\n\t\t\tperm = 0;\n\t\tret = vt_do_kbkeycode_ioctl(cmd, up, perm);\n\t\tbreak;\n\n\tcase KDGKBENT:\n\tcase KDSKBENT:\n\t\tret = vt_do_kdsk_ioctl(cmd, up, perm, console);\n\t\tbreak;\n\n\tcase KDGKBSENT:\n\tcase KDSKBSENT:\n\t\tret = vt_do_kdgkb_ioctl(cmd, up, perm);\n\t\tbreak;\n\n\t/* 
Diacritical processing. Handled in keyboard.c as it has\n\t to operate on the keyboard locks and structures */\n\tcase KDGKBDIACR:\n\tcase KDGKBDIACRUC:\n\tcase KDSKBDIACR:\n\tcase KDSKBDIACRUC:\n\t\tret = vt_do_diacrit(cmd, up, perm);\n\t\tbreak;\n\n\t/* the ioctls below read/set the flags usually shown in the leds */\n\t/* don't use them - they will go away without warning */\n\tcase KDGKBLED:\n\tcase KDSKBLED:\n\tcase KDGETLED:\n\tcase KDSETLED:\n\t\tret = vt_do_kdskled(console, cmd, arg, perm);\n\t\tbreak;\n\n\t/*\n\t * A process can indicate its willingness to accept signals\n\t * generated by pressing an appropriate key combination.\n\t * Thus, one can have a daemon that e.g. spawns a new console\n\t * upon a keypress and then changes to it.\n\t * See also the kbrequest field of inittab(5).\n\t */\n\tcase KDSIGACCEPT:\n\t{\n\t\tif (!perm || !capable(CAP_KILL))\n\t\t\treturn -EPERM;\n\t\tif (!valid_signal(arg) || arg < 1 || arg == SIGKILL)\n\t\t\tret = -EINVAL;\n\t\telse {\n\t\t\tspin_lock_irq(&vt_spawn_con.lock);\n\t\t\tput_pid(vt_spawn_con.pid);\n\t\t\tvt_spawn_con.pid = get_pid(task_pid(current));\n\t\t\tvt_spawn_con.sig = arg;\n\t\t\tspin_unlock_irq(&vt_spawn_con.lock);\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase VT_SETMODE:\n\t{\n\t\tstruct vt_mode tmp;\n\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (copy_from_user(&tmp, up, sizeof(struct vt_mode))) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto out;\n\t\t}\n\t\tif (tmp.mode != VT_AUTO && tmp.mode != VT_PROCESS) {\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\tconsole_lock();\n\t\tvc->vt_mode = tmp;\n\t\t/* the frsig is ignored, so we set it to 0 */\n\t\tvc->vt_mode.frsig = 0;\n\t\tput_pid(vc->vt_pid);\n\t\tvc->vt_pid = get_pid(task_pid(current));\n\t\t/* no switch is required -- saw@shade.msu.ru */\n\t\tvc->vt_newvt = -1;\n\t\tconsole_unlock();\n\t\tbreak;\n\t}\n\n\tcase VT_GETMODE:\n\t{\n\t\tstruct vt_mode tmp;\n\t\tint rc;\n\n\t\tconsole_lock();\n\t\tmemcpy(&tmp, &vc->vt_mode, sizeof(struct 
vt_mode));\n\t\tconsole_unlock();\n\n\t\trc = copy_to_user(up, &tmp, sizeof(struct vt_mode));\n\t\tif (rc)\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\t/*\n\t * Returns global vt state. Note that VT 0 is always open, since\n\t * it's an alias for the current VT, and people can't use it here.\n\t * We cannot return state for more than 16 VTs, since v_state is short.\n\t */\n\tcase VT_GETSTATE:\n\t{\n\t\tstruct vt_stat __user *vtstat = up;\n\t\tunsigned short state, mask;\n\n\t\t/* Review: FIXME: Console lock ? */\n\t\tif (put_user(fg_console + 1, &vtstat->v_active))\n\t\t\tret = -EFAULT;\n\t\telse {\n\t\t\tstate = 1;\t/* /dev/tty0 is always open */\n\t\t\tfor (i = 0, mask = 2; i < MAX_NR_CONSOLES && mask;\n\t\t\t\t\t\t\t++i, mask <<= 1)\n\t\t\t\tif (vt_in_use(i))\n\t\t\t\t\tstate |= mask;\n\t\t\tret = put_user(state, &vtstat->v_state);\n\t\t}\n\t\tbreak;\n\t}\n\n\t/*\n\t * Returns the first available (non-opened) console.\n\t */\n\tcase VT_OPENQRY:\n\t\t/* FIXME: locking ? - but then this is a stupid API */\n\t\tfor (i = 0; i < MAX_NR_CONSOLES; ++i)\n\t\t\tif (!vt_in_use(i))\n\t\t\t\tbreak;\n\t\tuival = i < MAX_NR_CONSOLES ? 
(i+1) : -1;\n\t\tgoto setint;\t\t \n\n\t/*\n\t * ioctl(fd, VT_ACTIVATE, num) will cause us to switch to vt # num,\n\t * with num >= 1 (switches to vt 0, our console, are not allowed, just\n\t * to preserve sanity).\n\t */\n\tcase VT_ACTIVATE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (arg == 0 || arg > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse {\n\t\t\targ--;\n\t\t\tconsole_lock();\n\t\t\tret = vc_allocate(arg);\n\t\t\tconsole_unlock();\n\t\t\tif (ret)\n\t\t\t\tbreak;\n\t\t\tset_console(arg);\n\t\t}\n\t\tbreak;\n\n\tcase VT_SETACTIVATE:\n\t{\n\t\tstruct vt_setactivate vsa;\n\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n\t\tif (copy_from_user(&vsa, (struct vt_setactivate __user *)arg,\n\t\t\t\t\tsizeof(struct vt_setactivate))) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto out;\n\t\t}\n\t\tif (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse {\n\t\t\tvsa.console = array_index_nospec(vsa.console,\n\t\t\t\t\t\t\t MAX_NR_CONSOLES + 1);\n\t\t\tvsa.console--;\n\t\t\tconsole_lock();\n\t\t\tret = vc_allocate(vsa.console);\n\t\t\tif (ret == 0) {\n\t\t\t\tstruct vc_data *nvc;\n\t\t\t\t/* This is safe providing we don't drop the\n\t\t\t\t console sem between vc_allocate and\n\t\t\t\t finishing referencing nvc */\n\t\t\t\tnvc = vc_cons[vsa.console].d;\n\t\t\t\tnvc->vt_mode = vsa.mode;\n\t\t\t\tnvc->vt_mode.frsig = 0;\n\t\t\t\tput_pid(nvc->vt_pid);\n\t\t\t\tnvc->vt_pid = get_pid(task_pid(current));\n\t\t\t}\n\t\t\tconsole_unlock();\n\t\t\tif (ret)\n\t\t\t\tbreak;\n\t\t\t/* Commence switch and lock */\n\t\t\t/* Review set_console locks */\n\t\t\tset_console(vsa.console);\n\t\t}\n\t\tbreak;\n\t}\n\n\t/*\n\t * wait until the specified VT has been activated\n\t */\n\tcase VT_WAITACTIVE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (arg == 0 || arg > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse\n\t\t\tret = vt_waitactive(arg);\n\t\tbreak;\n\n\t/*\n\t * If a vt is under process control, the kernel will not switch to it\n\t * immediately, but postpone 
the operation until the process calls this\n\t * ioctl, allowing the switch to complete.\n\t *\n\t * According to the X sources this is the behavior:\n\t *\t0:\tpending switch-from not OK\n\t *\t1:\tpending switch-from OK\n\t *\t2:\tcompleted switch-to OK\n\t */\n\tcase VT_RELDISP:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n\t\tconsole_lock();\n\t\tif (vc->vt_mode.mode != VT_PROCESS) {\n\t\t\tconsole_unlock();\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\t/*\n\t\t * Switching-from response\n\t\t */\n\t\tif (vc->vt_newvt >= 0) {\n\t\t\tif (arg == 0)\n\t\t\t\t/*\n\t\t\t\t * Switch disallowed, so forget we were trying\n\t\t\t\t * to do it.\n\t\t\t\t */\n\t\t\t\tvc->vt_newvt = -1;\n\n\t\t\telse {\n\t\t\t\t/*\n\t\t\t\t * The current vt has been released, so\n\t\t\t\t * complete the switch.\n\t\t\t\t */\n\t\t\t\tint newvt;\n\t\t\t\tnewvt = vc->vt_newvt;\n\t\t\t\tvc->vt_newvt = -1;\n\t\t\t\tret = vc_allocate(newvt);\n\t\t\t\tif (ret) {\n\t\t\t\t\tconsole_unlock();\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\t/*\n\t\t\t\t * When we actually do the console switch,\n\t\t\t\t * make sure we are atomic with respect to\n\t\t\t\t * other console switches..\n\t\t\t\t */\n\t\t\t\tcomplete_change_console(vc_cons[newvt].d);\n\t\t\t}\n\t\t} else {\n\t\t\t/*\n\t\t\t * Switched-to response\n\t\t\t */\n\t\t\t/*\n\t\t\t * If it's just an ACK, ignore it\n\t\t\t */\n\t\t\tif (arg != VT_ACKACQ)\n\t\t\t\tret = -EINVAL;\n\t\t}\n\t\tconsole_unlock();\n\t\tbreak;\n\n\t /*\n\t * Disallocate memory associated to VT (but leave VT1)\n\t */\n\t case VT_DISALLOCATE:\n\t\tif (arg > MAX_NR_CONSOLES) {\n\t\t\tret = -ENXIO;\n\t\t\tbreak;\n\t\t}\n\t\tif (arg == 0)\n\t\t\tvt_disallocate_all();\n\t\telse\n\t\t\tret = vt_disallocate(--arg);\n\t\tbreak;\n\n\tcase VT_RESIZE:\n\t{\n\t\tstruct vt_sizes __user *vtsizes = up;\n\t\tstruct vc_data *vc;\n\n\t\tushort ll,cc;\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (get_user(ll, &vtsizes->v_rows) ||\n\t\t get_user(cc, &vtsizes->v_cols))\n\t\t\tret = -EFAULT;\n\t\telse 
{\n\t\t\tconsole_lock();\n\t\t\tfor (i = 0; i < MAX_NR_CONSOLES; i++) {\n\t\t\t\tvc = vc_cons[i].d;\n\n\t\t\t\tif (vc) {\n\t\t\t\t\tvc->vc_resize_user = 1;\n\t\t\t\t\t/* FIXME: review v tty lock */\n\t\t\t\t\tvc_resize(vc_cons[i].d, cc, ll);\n\t\t\t\t}\n\t\t\t}\n\t\t\tconsole_unlock();\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase VT_RESIZEX:\n\t{\n\t\tstruct vt_consize v;\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (copy_from_user(&v, up, sizeof(struct vt_consize)))\n\t\t\treturn -EFAULT;\n\t\t/* FIXME: Should check the copies properly */\n\t\tif (!v.v_vlin)\n\t\t\tv.v_vlin = vc->vc_scan_lines;\n\t\tif (v.v_clin) {\n\t\t\tint rows = v.v_vlin/v.v_clin;\n\t\t\tif (v.v_rows != rows) {\n\t\t\t\tif (v.v_rows) /* Parameters don't add up */\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tv.v_rows = rows;\n\t\t\t}\n\t\t}\n\t\tif (v.v_vcol && v.v_ccol) {\n\t\t\tint cols = v.v_vcol/v.v_ccol;\n\t\t\tif (v.v_cols != cols) {\n\t\t\t\tif (v.v_cols)\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tv.v_cols = cols;\n\t\t\t}\n\t\t}\n\n\t\tif (v.v_clin > 32)\n\t\t\treturn -EINVAL;\n\n\t\tfor (i = 0; i < MAX_NR_CONSOLES; i++) {\n\t\t\tstruct vc_data *vcp;\n\n\t\t\tif (!vc_cons[i].d)\n\t\t\t\tcontinue;\n\t\t\tconsole_lock();\n\t\t\tvcp = vc_cons[i].d;\n\t\t\tif (vcp) {\n\t\t\t\tif (v.v_vlin)\n\t\t\t\t\tvcp->vc_scan_lines = v.v_vlin;\n\t\t\t\tif (v.v_clin)\n\t\t\t\t\tvcp->vc_font.height = v.v_clin;\n\t\t\t\tvcp->vc_resize_user = 1;\n\t\t\t\tvc_resize(vcp, v.v_cols, v.v_rows);\n\t\t\t}\n\t\t\tconsole_unlock();\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase PIO_FONT: {\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\top.op = KD_FONT_OP_SET;\n\t\top.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC;\t/* Compatibility */\n\t\top.width = 8;\n\t\top.height = 0;\n\t\top.charcount = 256;\n\t\top.data = up;\n\t\tret = con_font_op(vc_cons[fg_console].d, &op);\n\t\tbreak;\n\t}\n\n\tcase GIO_FONT: {\n\t\top.op = KD_FONT_OP_GET;\n\t\top.flags = KD_FONT_FLAG_OLD;\n\t\top.width = 8;\n\t\top.height = 32;\n\t\top.charcount = 256;\n\t\top.data = 
up;\n\t\tret = con_font_op(vc_cons[fg_console].d, &op);\n\t\tbreak;\n\t}\n\n\tcase PIO_CMAP:\n if (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t ret = con_set_cmap(up);\n\t\tbreak;\n\n\tcase GIO_CMAP:\n ret = con_get_cmap(up);\n\t\tbreak;\n\n\tcase PIO_FONTX:\n\tcase GIO_FONTX:\n\t\tret = do_fontx_ioctl(cmd, up, perm, &op);\n\t\tbreak;\n\n\tcase PIO_FONTRESET:\n\t{\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n#ifdef BROKEN_GRAPHICS_PROGRAMS\n\t\t/* With BROKEN_GRAPHICS_PROGRAMS defined, the default\n\t\t font is not saved. */\n\t\tret = -ENOSYS;\n\t\tbreak;\n#else\n\t\t{\n\t\top.op = KD_FONT_OP_SET_DEFAULT;\n\t\top.data = NULL;\n\t\tret = con_font_op(vc_cons[fg_console].d, &op);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tconsole_lock();\n\t\tcon_set_default_unimap(vc_cons[fg_console].d);\n\t\tconsole_unlock();\n\t\tbreak;\n\t\t}\n#endif\n\t}\n\n\tcase KDFONTOP: {\n\t\tif (copy_from_user(&op, up, sizeof(op))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tif (!perm && op.op != KD_FONT_OP_GET)\n\t\t\treturn -EPERM;\n\t\tret = con_font_op(vc, &op);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tif (copy_to_user(up, &op, sizeof(op)))\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\tcase PIO_SCRNMAP:\n\t\tif (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t\t\tret = con_set_trans_old(up);\n\t\tbreak;\n\n\tcase GIO_SCRNMAP:\n\t\tret = con_get_trans_old(up);\n\t\tbreak;\n\n\tcase PIO_UNISCRNMAP:\n\t\tif (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t\t\tret = con_set_trans_new(up);\n\t\tbreak;\n\n\tcase GIO_UNISCRNMAP:\n\t\tret = con_get_trans_new(up);\n\t\tbreak;\n\n\tcase PIO_UNIMAPCLR:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tcon_clear_unimap(vc);\n\t\tbreak;\n\n\tcase PIO_UNIMAP:\n\tcase GIO_UNIMAP:\n\t\tret = do_unimap_ioctl(cmd, up, perm, vc);\n\t\tbreak;\n\n\tcase VT_LOCKSWITCH:\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\t\tvt_dont_switch = true;\n\t\tbreak;\n\tcase VT_UNLOCKSWITCH:\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\t\tvt_dont_switch = 
false;\n\t\tbreak;\n\tcase VT_GETHIFONTMASK:\n\t\tret = put_user(vc->vc_hi_font_mask,\n\t\t\t\t\t(unsigned short __user *)arg);\n\t\tbreak;\n\tcase VT_WAITEVENT:\n\t\tret = vt_event_wait_ioctl((struct vt_event __user *)arg);\n\t\tbreak;\n\tdefault:\n\t\tret = -ENOIOCTLCMD;\n\t}\nout:\n\treturn ret;\n}",
- "project": "linux",
- "hash": 72552578102473405630135883744841071721,
- "size": 692,
- "commit_id": "ca4463bf8438b403596edd0ec961ca0d4fbe0220",
- "message": "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console\n\nThe VT_DISALLOCATE ioctl can free a virtual console while tty_release()\nis still running, causing a use-after-free in con_shutdown(). This\noccurs because VT_DISALLOCATE considers a virtual console's\n'struct vc_data' to be unused as soon as the corresponding tty's\nrefcount hits 0. But actually it may be still being closed.\n\nFix this by making vc_data be reference-counted via the embedded\n'struct tty_port'. A newly allocated virtual console has refcount 1.\nOpening it for the first time increments the refcount to 2. Closing it\nfor the last time decrements the refcount (in tty_operations::cleanup()\nso that it happens late enough), as does VT_DISALLOCATE.\n\nReproducer:\n\t#include <fcntl.h>\n\t#include <linux/vt.h>\n\t#include <sys/ioctl.h>\n\t#include <unistd.h>\n\n\tint main()\n\t{\n\t\tif (fork()) {\n\t\t\tfor (;;)\n\t\t\t\tclose(open(\"/dev/tty5\", O_RDWR));\n\t\t} else {\n\t\t\tint fd = open(\"/dev/tty10\", O_RDWR);\n\n\t\t\tfor (;;)\n\t\t\t\tioctl(fd, VT_DISALLOCATE, 5);\n\t\t}\n\t}\n\nKASAN report:\n\tBUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\tWrite of size 8 at addr ffff88806a4ec108 by task syz_vt/129\n\n\tCPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014\n\tCall Trace:\n\t [...]\n\t con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278\n\t release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514\n\t tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629\n\t tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789\n\t [...]\n\n\tAllocated by task 129:\n\t [...]\n\t kzalloc include/linux/slab.h:669 [inline]\n\t vc_allocate drivers/tty/vt/vt.c:1085 [inline]\n\t vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066\n\t con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229\n\t tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]\n\t tty_init_dev+0x94/0x350 
drivers/tty/tty_io.c:1341\n\t tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]\n\t tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035\n\t [...]\n\n\tFreed by task 130:\n\t [...]\n\t kfree+0xbf/0x1e0 mm/slab.c:3757\n\t vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]\n\t vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818\n\t tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660\n\t [...]\n\nFixes: 4001d7b7fc27 (\"vt: push down the tty lock so we can see what is left to tackle\")\nCc: <stable@vger.kernel.org> # v3.4+\nReported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com\nAcked-by: Jiri Slaby <jslaby@suse.cz>\nSigned-off-by: Eric Biggers <ebiggers@google.com>\nLink: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 437046
- },
- {
- "func": "int vt_ioctl(struct tty_struct *tty,\n\t unsigned int cmd, unsigned long arg)\n{\n\tstruct vc_data *vc = tty->driver_data;\n\tstruct console_font_op op;\t/* used in multiple places here */\n\tunsigned int console;\n\tunsigned char ucval;\n\tunsigned int uival;\n\tvoid __user *up = (void __user *)arg;\n\tint i, perm;\n\tint ret = 0;\n\n\tconsole = vc->vc_num;\n\n\n\tif (!vc_cons_allocated(console)) { \t/* impossible? */\n\t\tret = -ENOIOCTLCMD;\n\t\tgoto out;\n\t}\n\n\n\t/*\n\t * To have permissions to do most of the vt ioctls, we either have\n\t * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.\n\t */\n\tperm = 0;\n\tif (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))\n\t\tperm = 1;\n \n\tswitch (cmd) {\n\tcase TIOCLINUX:\n\t\tret = tioclinux(tty, arg);\n\t\tbreak;\n\tcase KIOCSOUND:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\t/*\n\t\t * The use of PIT_TICK_RATE is historic, it used to be\n\t\t * the platform-dependent CLOCK_TICK_RATE between 2.6.12\n\t\t * and 2.6.36, which was a minor but unfortunate ABI\n\t\t * change. kd_mksound is locked by the input layer.\n\t\t */\n\t\tif (arg)\n\t\t\targ = PIT_TICK_RATE / arg;\n\t\tkd_mksound(arg, 0);\n\t\tbreak;\n\n\tcase KDMKTONE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t{\n\t\tunsigned int ticks, count;\n\t\t\n\t\t/*\n\t\t * Generate the tone for the appropriate number of ticks.\n\t\t * If the time is zero, turn off sound ourselves.\n\t\t */\n\t\tticks = msecs_to_jiffies((arg >> 16) & 0xffff);\n\t\tcount = ticks ? 
(arg & 0xffff) : 0;\n\t\tif (count)\n\t\t\tcount = PIT_TICK_RATE / count;\n\t\tkd_mksound(count, ticks);\n\t\tbreak;\n\t}\n\n\tcase KDGKBTYPE:\n\t\t/*\n\t\t * this is naïve.\n\t\t */\n\t\tucval = KB_101;\n\t\tret = put_user(ucval, (char __user *)arg);\n\t\tbreak;\n\n\t\t/*\n\t\t * These cannot be implemented on any machine that implements\n\t\t * ioperm() in user level (such as Alpha PCs) or not at all.\n\t\t *\n\t\t * XXX: you should never use these, just call ioperm directly..\n\t\t */\n#ifdef CONFIG_X86\n\tcase KDADDIO:\n\tcase KDDELIO:\n\t\t/*\n\t\t * KDADDIO and KDDELIO may be able to add ports beyond what\n\t\t * we reject here, but to be safe...\n\t\t *\n\t\t * These are locked internally via sys_ioperm\n\t\t */\n\t\tif (arg < GPFIRST || arg > GPLAST) {\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\tret = ksys_ioperm(arg, 1, (cmd == KDADDIO)) ? -ENXIO : 0;\n\t\tbreak;\n\n\tcase KDENABIO:\n\tcase KDDISABIO:\n\t\tret = ksys_ioperm(GPFIRST, GPNUM,\n\t\t\t\t (cmd == KDENABIO)) ? -ENXIO : 0;\n\t\tbreak;\n#endif\n\n\t/* Linux m68k/i386 interface for setting the keyboard delay/repeat rate */\n\t\t\n\tcase KDKBDREP:\n\t{\n\t\tstruct kbd_repeat kbrep;\n\t\t\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\n\t\tif (copy_from_user(&kbrep, up, sizeof(struct kbd_repeat))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tret = kbd_rate(&kbrep);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tif (copy_to_user(up, &kbrep, sizeof(struct kbd_repeat)))\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\tcase KDSETMODE:\n\t\t/*\n\t\t * currently, setting the mode from KD_TEXT to KD_GRAPHICS\n\t\t * doesn't do a whole lot. i'm not sure if it should do any\n\t\t * restoration of modes or what...\n\t\t *\n\t\t * XXX It should at least call into the driver, fbdev's definitely\n\t\t * need to restore their engine state. 
--BenH\n\t\t */\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tswitch (arg) {\n\t\tcase KD_GRAPHICS:\n\t\t\tbreak;\n\t\tcase KD_TEXT0:\n\t\tcase KD_TEXT1:\n\t\t\targ = KD_TEXT;\n\t\tcase KD_TEXT:\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\t/* FIXME: this needs the console lock extending */\n\t\tif (vc->vc_mode == (unsigned char) arg)\n\t\t\tbreak;\n\t\tvc->vc_mode = (unsigned char) arg;\n\t\tif (console != fg_console)\n\t\t\tbreak;\n\t\t/*\n\t\t * explicitly blank/unblank the screen if switching modes\n\t\t */\n\t\tconsole_lock();\n\t\tif (arg == KD_TEXT)\n\t\t\tdo_unblank_screen(1);\n\t\telse\n\t\t\tdo_blank_screen(1);\n\t\tconsole_unlock();\n\t\tbreak;\n\n\tcase KDGETMODE:\n\t\tuival = vc->vc_mode;\n\t\tgoto setint;\n\n\tcase KDMAPDISP:\n\tcase KDUNMAPDISP:\n\t\t/*\n\t\t * these work like a combination of mmap and KDENABIO.\n\t\t * this could be easily finished.\n\t\t */\n\t\tret = -EINVAL;\n\t\tbreak;\n\n\tcase KDSKBMODE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tret = vt_do_kdskbmode(console, arg);\n\t\tif (ret == 0)\n\t\t\ttty_ldisc_flush(tty);\n\t\tbreak;\n\n\tcase KDGKBMODE:\n\t\tuival = vt_do_kdgkbmode(console);\n\t\tret = put_user(uival, (int __user *)arg);\n\t\tbreak;\n\n\t/* this could be folded into KDSKBMODE, but for compatibility\n\t reasons it is not so easy to fold KDGKBMETA into KDGKBMODE */\n\tcase KDSKBMETA:\n\t\tret = vt_do_kdskbmeta(console, arg);\n\t\tbreak;\n\n\tcase KDGKBMETA:\n\t\t/* FIXME: should review whether this is worth locking */\n\t\tuival = vt_do_kdgkbmeta(console);\n\tsetint:\n\t\tret = put_user(uival, (int __user *)arg);\n\t\tbreak;\n\n\tcase KDGETKEYCODE:\n\tcase KDSETKEYCODE:\n\t\tif(!capable(CAP_SYS_TTY_CONFIG))\n\t\t\tperm = 0;\n\t\tret = vt_do_kbkeycode_ioctl(cmd, up, perm);\n\t\tbreak;\n\n\tcase KDGKBENT:\n\tcase KDSKBENT:\n\t\tret = vt_do_kdsk_ioctl(cmd, up, perm, console);\n\t\tbreak;\n\n\tcase KDGKBSENT:\n\tcase KDSKBSENT:\n\t\tret = vt_do_kdgkb_ioctl(cmd, up, perm);\n\t\tbreak;\n\n\t/* 
Diacritical processing. Handled in keyboard.c as it has\n\t to operate on the keyboard locks and structures */\n\tcase KDGKBDIACR:\n\tcase KDGKBDIACRUC:\n\tcase KDSKBDIACR:\n\tcase KDSKBDIACRUC:\n\t\tret = vt_do_diacrit(cmd, up, perm);\n\t\tbreak;\n\n\t/* the ioctls below read/set the flags usually shown in the leds */\n\t/* don't use them - they will go away without warning */\n\tcase KDGKBLED:\n\tcase KDSKBLED:\n\tcase KDGETLED:\n\tcase KDSETLED:\n\t\tret = vt_do_kdskled(console, cmd, arg, perm);\n\t\tbreak;\n\n\t/*\n\t * A process can indicate its willingness to accept signals\n\t * generated by pressing an appropriate key combination.\n\t * Thus, one can have a daemon that e.g. spawns a new console\n\t * upon a keypress and then changes to it.\n\t * See also the kbrequest field of inittab(5).\n\t */\n\tcase KDSIGACCEPT:\n\t{\n\t\tif (!perm || !capable(CAP_KILL))\n\t\t\treturn -EPERM;\n\t\tif (!valid_signal(arg) || arg < 1 || arg == SIGKILL)\n\t\t\tret = -EINVAL;\n\t\telse {\n\t\t\tspin_lock_irq(&vt_spawn_con.lock);\n\t\t\tput_pid(vt_spawn_con.pid);\n\t\t\tvt_spawn_con.pid = get_pid(task_pid(current));\n\t\t\tvt_spawn_con.sig = arg;\n\t\t\tspin_unlock_irq(&vt_spawn_con.lock);\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase VT_SETMODE:\n\t{\n\t\tstruct vt_mode tmp;\n\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (copy_from_user(&tmp, up, sizeof(struct vt_mode))) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto out;\n\t\t}\n\t\tif (tmp.mode != VT_AUTO && tmp.mode != VT_PROCESS) {\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\tconsole_lock();\n\t\tvc->vt_mode = tmp;\n\t\t/* the frsig is ignored, so we set it to 0 */\n\t\tvc->vt_mode.frsig = 0;\n\t\tput_pid(vc->vt_pid);\n\t\tvc->vt_pid = get_pid(task_pid(current));\n\t\t/* no switch is required -- saw@shade.msu.ru */\n\t\tvc->vt_newvt = -1;\n\t\tconsole_unlock();\n\t\tbreak;\n\t}\n\n\tcase VT_GETMODE:\n\t{\n\t\tstruct vt_mode tmp;\n\t\tint rc;\n\n\t\tconsole_lock();\n\t\tmemcpy(&tmp, &vc->vt_mode, sizeof(struct 
vt_mode));\n\t\tconsole_unlock();\n\n\t\trc = copy_to_user(up, &tmp, sizeof(struct vt_mode));\n\t\tif (rc)\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\t/*\n\t * Returns global vt state. Note that VT 0 is always open, since\n\t * it's an alias for the current VT, and people can't use it here.\n\t * We cannot return state for more than 16 VTs, since v_state is short.\n\t */\n\tcase VT_GETSTATE:\n\t{\n\t\tstruct vt_stat __user *vtstat = up;\n\t\tunsigned short state, mask;\n\n\t\t/* Review: FIXME: Console lock ? */\n\t\tif (put_user(fg_console + 1, &vtstat->v_active))\n\t\t\tret = -EFAULT;\n\t\telse {\n\t\t\tstate = 1;\t/* /dev/tty0 is always open */\n\t\t\tfor (i = 0, mask = 2; i < MAX_NR_CONSOLES && mask;\n\t\t\t\t\t\t\t++i, mask <<= 1)\n\t\t\t\tif (VT_IS_IN_USE(i))\n\t\t\t\t\tstate |= mask;\n\t\t\tret = put_user(state, &vtstat->v_state);\n\t\t}\n\t\tbreak;\n\t}\n\n\t/*\n\t * Returns the first available (non-opened) console.\n\t */\n\tcase VT_OPENQRY:\n\t\t/* FIXME: locking ? - but then this is a stupid API */\n\t\tfor (i = 0; i < MAX_NR_CONSOLES; ++i)\n\t\t\tif (! VT_IS_IN_USE(i))\n\t\t\t\tbreak;\n\t\tuival = i < MAX_NR_CONSOLES ? 
(i+1) : -1;\n\t\tgoto setint;\t\t \n\n\t/*\n\t * ioctl(fd, VT_ACTIVATE, num) will cause us to switch to vt # num,\n\t * with num >= 1 (switches to vt 0, our console, are not allowed, just\n\t * to preserve sanity).\n\t */\n\tcase VT_ACTIVATE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (arg == 0 || arg > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse {\n\t\t\targ--;\n\t\t\tconsole_lock();\n\t\t\tret = vc_allocate(arg);\n\t\t\tconsole_unlock();\n\t\t\tif (ret)\n\t\t\t\tbreak;\n\t\t\tset_console(arg);\n\t\t}\n\t\tbreak;\n\n\tcase VT_SETACTIVATE:\n\t{\n\t\tstruct vt_setactivate vsa;\n\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n\t\tif (copy_from_user(&vsa, (struct vt_setactivate __user *)arg,\n\t\t\t\t\tsizeof(struct vt_setactivate))) {\n\t\t\tret = -EFAULT;\n\t\t\tgoto out;\n\t\t}\n\t\tif (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse {\n\t\t\tvsa.console = array_index_nospec(vsa.console,\n\t\t\t\t\t\t\t MAX_NR_CONSOLES + 1);\n\t\t\tvsa.console--;\n\t\t\tconsole_lock();\n\t\t\tret = vc_allocate(vsa.console);\n\t\t\tif (ret == 0) {\n\t\t\t\tstruct vc_data *nvc;\n\t\t\t\t/* This is safe providing we don't drop the\n\t\t\t\t console sem between vc_allocate and\n\t\t\t\t finishing referencing nvc */\n\t\t\t\tnvc = vc_cons[vsa.console].d;\n\t\t\t\tnvc->vt_mode = vsa.mode;\n\t\t\t\tnvc->vt_mode.frsig = 0;\n\t\t\t\tput_pid(nvc->vt_pid);\n\t\t\t\tnvc->vt_pid = get_pid(task_pid(current));\n\t\t\t}\n\t\t\tconsole_unlock();\n\t\t\tif (ret)\n\t\t\t\tbreak;\n\t\t\t/* Commence switch and lock */\n\t\t\t/* Review set_console locks */\n\t\t\tset_console(vsa.console);\n\t\t}\n\t\tbreak;\n\t}\n\n\t/*\n\t * wait until the specified VT has been activated\n\t */\n\tcase VT_WAITACTIVE:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (arg == 0 || arg > MAX_NR_CONSOLES)\n\t\t\tret = -ENXIO;\n\t\telse\n\t\t\tret = vt_waitactive(arg);\n\t\tbreak;\n\n\t/*\n\t * If a vt is under process control, the kernel will not switch to it\n\t * immediately, but postpone 
the operation until the process calls this\n\t * ioctl, allowing the switch to complete.\n\t *\n\t * According to the X sources this is the behavior:\n\t *\t0:\tpending switch-from not OK\n\t *\t1:\tpending switch-from OK\n\t *\t2:\tcompleted switch-to OK\n\t */\n\tcase VT_RELDISP:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n\t\tconsole_lock();\n\t\tif (vc->vt_mode.mode != VT_PROCESS) {\n\t\t\tconsole_unlock();\n\t\t\tret = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\t\t/*\n\t\t * Switching-from response\n\t\t */\n\t\tif (vc->vt_newvt >= 0) {\n\t\t\tif (arg == 0)\n\t\t\t\t/*\n\t\t\t\t * Switch disallowed, so forget we were trying\n\t\t\t\t * to do it.\n\t\t\t\t */\n\t\t\t\tvc->vt_newvt = -1;\n\n\t\t\telse {\n\t\t\t\t/*\n\t\t\t\t * The current vt has been released, so\n\t\t\t\t * complete the switch.\n\t\t\t\t */\n\t\t\t\tint newvt;\n\t\t\t\tnewvt = vc->vt_newvt;\n\t\t\t\tvc->vt_newvt = -1;\n\t\t\t\tret = vc_allocate(newvt);\n\t\t\t\tif (ret) {\n\t\t\t\t\tconsole_unlock();\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\t/*\n\t\t\t\t * When we actually do the console switch,\n\t\t\t\t * make sure we are atomic with respect to\n\t\t\t\t * other console switches..\n\t\t\t\t */\n\t\t\t\tcomplete_change_console(vc_cons[newvt].d);\n\t\t\t}\n\t\t} else {\n\t\t\t/*\n\t\t\t * Switched-to response\n\t\t\t */\n\t\t\t/*\n\t\t\t * If it's just an ACK, ignore it\n\t\t\t */\n\t\t\tif (arg != VT_ACKACQ)\n\t\t\t\tret = -EINVAL;\n\t\t}\n\t\tconsole_unlock();\n\t\tbreak;\n\n\t /*\n\t * Disallocate memory associated to VT (but leave VT1)\n\t */\n\t case VT_DISALLOCATE:\n\t\tif (arg > MAX_NR_CONSOLES) {\n\t\t\tret = -ENXIO;\n\t\t\tbreak;\n\t\t}\n\t\tif (arg == 0)\n\t\t\tvt_disallocate_all();\n\t\telse\n\t\t\tret = vt_disallocate(--arg);\n\t\tbreak;\n\n\tcase VT_RESIZE:\n\t{\n\t\tstruct vt_sizes __user *vtsizes = up;\n\t\tstruct vc_data *vc;\n\n\t\tushort ll,cc;\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (get_user(ll, &vtsizes->v_rows) ||\n\t\t get_user(cc, &vtsizes->v_cols))\n\t\t\tret = -EFAULT;\n\t\telse 
{\n\t\t\tconsole_lock();\n\t\t\tfor (i = 0; i < MAX_NR_CONSOLES; i++) {\n\t\t\t\tvc = vc_cons[i].d;\n\n\t\t\t\tif (vc) {\n\t\t\t\t\tvc->vc_resize_user = 1;\n\t\t\t\t\t/* FIXME: review v tty lock */\n\t\t\t\t\tvc_resize(vc_cons[i].d, cc, ll);\n\t\t\t\t}\n\t\t\t}\n\t\t\tconsole_unlock();\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase VT_RESIZEX:\n\t{\n\t\tstruct vt_consize v;\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tif (copy_from_user(&v, up, sizeof(struct vt_consize)))\n\t\t\treturn -EFAULT;\n\t\t/* FIXME: Should check the copies properly */\n\t\tif (!v.v_vlin)\n\t\t\tv.v_vlin = vc->vc_scan_lines;\n\t\tif (v.v_clin) {\n\t\t\tint rows = v.v_vlin/v.v_clin;\n\t\t\tif (v.v_rows != rows) {\n\t\t\t\tif (v.v_rows) /* Parameters don't add up */\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tv.v_rows = rows;\n\t\t\t}\n\t\t}\n\t\tif (v.v_vcol && v.v_ccol) {\n\t\t\tint cols = v.v_vcol/v.v_ccol;\n\t\t\tif (v.v_cols != cols) {\n\t\t\t\tif (v.v_cols)\n\t\t\t\t\treturn -EINVAL;\n\t\t\t\tv.v_cols = cols;\n\t\t\t}\n\t\t}\n\n\t\tif (v.v_clin > 32)\n\t\t\treturn -EINVAL;\n\n\t\tfor (i = 0; i < MAX_NR_CONSOLES; i++) {\n\t\t\tstruct vc_data *vcp;\n\n\t\t\tif (!vc_cons[i].d)\n\t\t\t\tcontinue;\n\t\t\tconsole_lock();\n\t\t\tvcp = vc_cons[i].d;\n\t\t\tif (vcp) {\n\t\t\t\tif (v.v_vlin)\n\t\t\t\t\tvcp->vc_scan_lines = v.v_vlin;\n\t\t\t\tif (v.v_clin)\n\t\t\t\t\tvcp->vc_font.height = v.v_clin;\n\t\t\t\tvcp->vc_resize_user = 1;\n\t\t\t\tvc_resize(vcp, v.v_cols, v.v_rows);\n\t\t\t}\n\t\t\tconsole_unlock();\n\t\t}\n\t\tbreak;\n\t}\n\n\tcase PIO_FONT: {\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\top.op = KD_FONT_OP_SET;\n\t\top.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC;\t/* Compatibility */\n\t\top.width = 8;\n\t\top.height = 0;\n\t\top.charcount = 256;\n\t\top.data = up;\n\t\tret = con_font_op(vc_cons[fg_console].d, &op);\n\t\tbreak;\n\t}\n\n\tcase GIO_FONT: {\n\t\top.op = KD_FONT_OP_GET;\n\t\top.flags = KD_FONT_FLAG_OLD;\n\t\top.width = 8;\n\t\top.height = 32;\n\t\top.charcount = 256;\n\t\top.data = 
up;\n\t\tret = con_font_op(vc_cons[fg_console].d, &op);\n\t\tbreak;\n\t}\n\n\tcase PIO_CMAP:\n if (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t ret = con_set_cmap(up);\n\t\tbreak;\n\n\tcase GIO_CMAP:\n ret = con_get_cmap(up);\n\t\tbreak;\n\n\tcase PIO_FONTX:\n\tcase GIO_FONTX:\n\t\tret = do_fontx_ioctl(cmd, up, perm, &op);\n\t\tbreak;\n\n\tcase PIO_FONTRESET:\n\t{\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\n#ifdef BROKEN_GRAPHICS_PROGRAMS\n\t\t/* With BROKEN_GRAPHICS_PROGRAMS defined, the default\n\t\t font is not saved. */\n\t\tret = -ENOSYS;\n\t\tbreak;\n#else\n\t\t{\n\t\top.op = KD_FONT_OP_SET_DEFAULT;\n\t\top.data = NULL;\n\t\tret = con_font_op(vc_cons[fg_console].d, &op);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tconsole_lock();\n\t\tcon_set_default_unimap(vc_cons[fg_console].d);\n\t\tconsole_unlock();\n\t\tbreak;\n\t\t}\n#endif\n\t}\n\n\tcase KDFONTOP: {\n\t\tif (copy_from_user(&op, up, sizeof(op))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tif (!perm && op.op != KD_FONT_OP_GET)\n\t\t\treturn -EPERM;\n\t\tret = con_font_op(vc, &op);\n\t\tif (ret)\n\t\t\tbreak;\n\t\tif (copy_to_user(up, &op, sizeof(op)))\n\t\t\tret = -EFAULT;\n\t\tbreak;\n\t}\n\n\tcase PIO_SCRNMAP:\n\t\tif (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t\t\tret = con_set_trans_old(up);\n\t\tbreak;\n\n\tcase GIO_SCRNMAP:\n\t\tret = con_get_trans_old(up);\n\t\tbreak;\n\n\tcase PIO_UNISCRNMAP:\n\t\tif (!perm)\n\t\t\tret = -EPERM;\n\t\telse\n\t\t\tret = con_set_trans_new(up);\n\t\tbreak;\n\n\tcase GIO_UNISCRNMAP:\n\t\tret = con_get_trans_new(up);\n\t\tbreak;\n\n\tcase PIO_UNIMAPCLR:\n\t\tif (!perm)\n\t\t\treturn -EPERM;\n\t\tcon_clear_unimap(vc);\n\t\tbreak;\n\n\tcase PIO_UNIMAP:\n\tcase GIO_UNIMAP:\n\t\tret = do_unimap_ioctl(cmd, up, perm, vc);\n\t\tbreak;\n\n\tcase VT_LOCKSWITCH:\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\t\tvt_dont_switch = 1;\n\t\tbreak;\n\tcase VT_UNLOCKSWITCH:\n\t\tif (!capable(CAP_SYS_TTY_CONFIG))\n\t\t\treturn -EPERM;\n\t\tvt_dont_switch = 0;\n\t\tbreak;\n\tcase 
VT_GETHIFONTMASK:\n\t\tret = put_user(vc->vc_hi_font_mask,\n\t\t\t\t\t(unsigned short __user *)arg);\n\t\tbreak;\n\tcase VT_WAITEVENT:\n\t\tret = vt_event_wait_ioctl((struct vt_event __user *)arg);\n\t\tbreak;\n\tdefault:\n\t\tret = -ENOIOCTLCMD;\n\t}\nout:\n\treturn ret;\n}",
- "project": "linux",
- "hash": 188901637298738474521041844492795398881,
- "size": 701,
- "commit_id": "6cd1ed50efd88261298577cd92a14f2768eddeeb",
- "message": "vt: vt_ioctl: fix race in VT_RESIZEX\n\nWe need to make sure vc_cons[i].d is not NULL after grabbing\nconsole_lock(), or risk a crash.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]\nCPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0x123/0x180 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x45b399\nCode: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff 
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399\nRDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003\nRBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff\nR13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c\nModules linked in:\n---[ end trace 80970faf7a67eb77 ]---\nRIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883\nCode: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40\nRSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000\nRDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340\nRBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d\nR10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d\nR13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f\nFS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: stable <stable@vger.kernel.org>\nReported-by: syzbot <syzkaller@googlegroups.com>\nLink: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 458189
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "removeServiceTable",
- "freeService",
- "freeSubscriptionList",
- "freeSubscription"
- ],
- "group_size": 11,
- "functions": [
- {
- "func": "DOMString getElementValue(IXML_Node *node)\n{\n\tIXML_Node *child = (IXML_Node *)ixmlNode_getFirstChild(node);\n\tconst DOMString temp = NULL;\n\n\tif (child && ixmlNode_getNodeType(child) == eTEXT_NODE) {\n\t\ttemp = ixmlNode_getNodeValue(child);\n\n\t\treturn ixmlCloneDOMString(temp);\n\t} else {\n\t\treturn NULL;\n\t}\n}",
- "project": "pupnp",
- "hash": 248963931478249921935728461291453646516,
- "size": 13,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269111
- },
- {
- "func": "void freeServiceList(service_info *head)\n{\n\tservice_info *next = NULL;\n\n\twhile (head) {\n\t\tif (head->serviceType)\n\t\t\tixmlFreeDOMString(head->serviceType);\n\t\tif (head->serviceId)\n\t\t\tixmlFreeDOMString(head->serviceId);\n\t\tif (head->SCPDURL)\n\t\t\tfree(head->SCPDURL);\n\t\tif (head->controlURL)\n\t\t\tfree(head->controlURL);\n\t\tif (head->eventURL)\n\t\t\tfree(head->eventURL);\n\t\tif (head->UDN)\n\t\t\tixmlFreeDOMString(head->UDN);\n\t\tif (head->subscriptionList)\n\t\t\tfreeSubscriptionList(head->subscriptionList);\n\n\t\thead->TotalSubscriptions = 0;\n\t\tnext = head->next;\n\t\tfree(head);\n\t\thead = next;\n\t}\n}",
- "project": "pupnp",
- "hash": 135565784073126001774038307721809943269,
- "size": 26,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269098
- },
- {
- "func": "void RemoveSubscriptionSID(Upnp_SID sid, service_info *service)\n{\n\tsubscription *finger = service->subscriptionList;\n\tsubscription *previous = NULL;\n\n\twhile (finger) {\n\t\tif (!strcmp(sid, finger->sid)) {\n\t\t\tif (previous) {\n\t\t\t\tprevious->next = finger->next;\n\t\t\t} else {\n\t\t\t\tservice->subscriptionList = finger->next;\n\t\t\t}\n\t\t\tfinger->next = NULL;\n\t\t\tfreeSubscriptionList(finger);\n\t\t\tfinger = NULL;\n\t\t\tservice->TotalSubscriptions--;\n\t\t} else {\n\t\t\tprevious = finger;\n\t\t\tfinger = finger->next;\n\t\t}\n\t}\n}",
- "project": "pupnp",
- "hash": 308857782096118505859637858428697989434,
- "size": 22,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269106
- },
- {
- "func": "int getSubElement(const char *element_name, IXML_Node *node, IXML_Node **out)\n{\n\tconst DOMString NodeName = NULL;\n\tint found = 0;\n\tIXML_Node *child = (IXML_Node *)ixmlNode_getFirstChild(node);\n\n\t(*out) = NULL;\n\twhile (child && !found) {\n\t\tswitch (ixmlNode_getNodeType(child)) {\n\t\tcase eELEMENT_NODE:\n\t\t\tNodeName = ixmlNode_getNodeName(child);\n\t\t\tif (!strcmp(NodeName, element_name)) {\n\t\t\t\t(*out) = child;\n\t\t\t\tfound = 1;\n\t\t\t\treturn found;\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t\tchild = (IXML_Node *)ixmlNode_getNextSibling(child);\n\t}\n\n\treturn found;\n}",
- "project": "pupnp",
- "hash": 130033586932793095968088401711419811378,
- "size": 25,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269103
- },
- {
- "func": "void freeSubscriptionList(subscription *head)\n{\n\tsubscription *next = NULL;\n\n\twhile (head) {\n\t\tnext = head->next;\n\t\tfreeSubscription(head);\n\t\tfree(head);\n\t\thead = next;\n\t}\n}",
- "project": "pupnp",
- "hash": 273543639749319163163564002725204598084,
- "size": 11,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269110
- },
- {
- "func": "void freeService(service_info *in)\n{\n\tif (in) {\n\t\tif (in->serviceType)\n\t\t\tixmlFreeDOMString(in->serviceType);\n\n\t\tif (in->serviceId)\n\t\t\tixmlFreeDOMString(in->serviceId);\n\n\t\tif (in->SCPDURL)\n\t\t\tfree(in->SCPDURL);\n\n\t\tif (in->controlURL)\n\t\t\tfree(in->controlURL);\n\n\t\tif (in->eventURL)\n\t\t\tfree(in->eventURL);\n\n\t\tif (in->UDN)\n\t\t\tixmlFreeDOMString(in->UDN);\n\n\t\tif (in->subscriptionList)\n\t\t\tfreeSubscriptionList(in->subscriptionList);\n\n\t\tin->TotalSubscriptions = 0;\n\t\tfree(in);\n\t}\n}",
- "project": "pupnp",
- "hash": 287091917212498406403175565134292375135,
- "size": 28,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269112
- },
- {
- "func": "int getServiceTable(\n\tIXML_Node *node, service_table *out, const char *DefaultURLBase)\n{\n\tIXML_Node *root = NULL;\n\tIXML_Node *URLBase = NULL;\n\n\tif (getSubElement(\"root\", node, &root)) {\n\t\tif (getSubElement(\"URLBase\", root, &URLBase)) {\n\t\t\tout->URLBase = getElementValue(URLBase);\n\t\t} else {\n\t\t\tif (DefaultURLBase) {\n\t\t\t\tout->URLBase =\n\t\t\t\t\tixmlCloneDOMString(DefaultURLBase);\n\t\t\t} else {\n\t\t\t\tout->URLBase = ixmlCloneDOMString(\"\");\n\t\t\t}\n\t\t}\n\t\tout->serviceList = getAllServiceList(\n\t\t\troot, out->URLBase, &out->endServiceList);\n\t\tif (out->serviceList) {\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\treturn 0;\n}",
- "project": "pupnp",
- "hash": 310742550464226623180272532368275699227,
- "size": 26,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269115
- },
- {
- "func": "int addServiceTable(\n\tIXML_Node *node, service_table *in, const char *DefaultURLBase)\n{\n\tIXML_Node *root = NULL;\n\tIXML_Node *URLBase = NULL;\n\tservice_info *tempEnd = NULL;\n\n\tif (in->URLBase) {\n\t\tfree(in->URLBase);\n\t\tin->URLBase = NULL;\n\t}\n\tif (getSubElement(\"root\", node, &root)) {\n\t\tif (getSubElement(\"URLBase\", root, &URLBase)) {\n\t\t\tin->URLBase = getElementValue(URLBase);\n\t\t} else {\n\t\t\tif (DefaultURLBase) {\n\t\t\t\tin->URLBase =\n\t\t\t\t\tixmlCloneDOMString(DefaultURLBase);\n\t\t\t} else {\n\t\t\t\tin->URLBase = ixmlCloneDOMString(\"\");\n\t\t\t}\n\t\t}\n\t\tif ((in->endServiceList->next = getAllServiceList(\n\t\t\t root, in->URLBase, &tempEnd))) {\n\t\t\tin->endServiceList = tempEnd;\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\treturn 0;\n}",
- "project": "pupnp",
- "hash": 173558270051215024034795038958309722594,
- "size": 31,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269113
- },
- {
- "func": "void freeSubscription(subscription *sub)\n{\n\tif (sub) {\n\t\tfree_URL_list(&sub->DeliveryURLs);\n\t\tfreeSubscriptionQueuedEvents(sub);\n\t}\n}",
- "project": "pupnp",
- "hash": 292329439855868910009566177099290783325,
- "size": 7,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269114
- },
- {
- "func": "int removeServiceTable(IXML_Node *node, service_table *in)\n{\n\tIXML_Node *root = NULL;\n\tIXML_Node *currentUDN = NULL;\n\tDOMString UDN = NULL;\n\tIXML_NodeList *deviceList = NULL;\n\tservice_info *current_service = NULL;\n\tservice_info *start_search = NULL;\n\tservice_info *prev_service = NULL;\n\tlong unsigned int NumOfDevices = 0lu;\n\tlong unsigned int i = 0lu;\n\n\tif (getSubElement(\"root\", node, &root)) {\n\t\tstart_search = in->serviceList;\n\t\tdeviceList = ixmlElement_getElementsByTagName(\n\t\t\t(IXML_Element *)root, \"device\");\n\t\tif (deviceList) {\n\t\t\tNumOfDevices = ixmlNodeList_length(deviceList);\n\t\t\tfor (i = 0lu; i < NumOfDevices; i++) {\n\t\t\t\tif ((start_search) &&\n\t\t\t\t\t((getSubElement(\n\t\t\t\t\t\t \"UDN\", node, ¤tUDN)) &&\n\t\t\t\t\t\t(UDN = getElementValue(\n\t\t\t\t\t\t\t currentUDN)))) {\n\t\t\t\t\tcurrent_service = start_search;\n\t\t\t\t\t/* Services are put in the service table\n\t\t\t\t\t * in the order in which they appear in\n\t\t\t\t\t * the description document, therefore\n\t\t\t\t\t * we go through the list only once to\n\t\t\t\t\t * remove a particular root device */\n\t\t\t\t\twhile ((current_service) &&\n\t\t\t\t\t\t(strcmp(current_service->UDN,\n\t\t\t\t\t\t\tUDN))) {\n\t\t\t\t\t\tcurrent_service =\n\t\t\t\t\t\t\tcurrent_service->next;\n\t\t\t\t\t\tif (current_service != NULL)\n\t\t\t\t\t\t\tprev_service =\n\t\t\t\t\t\t\t\tcurrent_service\n\t\t\t\t\t\t\t\t\t->next;\n\t\t\t\t\t}\n\t\t\t\t\twhile ((current_service) &&\n\t\t\t\t\t\t(!strcmp(current_service->UDN,\n\t\t\t\t\t\t\tUDN))) {\n\t\t\t\t\t\tif (prev_service) {\n\t\t\t\t\t\t\tprev_service->next =\n\t\t\t\t\t\t\t\tcurrent_service\n\t\t\t\t\t\t\t\t\t->next;\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tin->serviceList =\n\t\t\t\t\t\t\t\tcurrent_service\n\t\t\t\t\t\t\t\t\t->next;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (current_service ==\n\t\t\t\t\t\t\tin->endServiceList)\n\t\t\t\t\t\t\tin->endServiceList 
=\n\t\t\t\t\t\t\t\tprev_service;\n\t\t\t\t\t\tstart_search =\n\t\t\t\t\t\t\tcurrent_service->next;\n\t\t\t\t\t\tfreeService(current_service);\n\t\t\t\t\t\tcurrent_service = start_search;\n\t\t\t\t\t}\n\t\t\t\t\tixmlFreeDOMString(UDN);\n\t\t\t\t\tUDN = NULL;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tixmlNodeList_free(deviceList);\n\t\t}\n\t}\n\treturn 1;\n}",
- "project": "pupnp",
- "hash": 31963404102913016798591168904916052274,
- "size": 71,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269099
- },
- {
- "func": "void freeServiceTable(service_table *table)\n{\n\tixmlFreeDOMString(table->URLBase);\n\tfreeServiceList(table->serviceList);\n\ttable->serviceList = NULL;\n\ttable->endServiceList = NULL;\n}",
- "project": "pupnp",
- "hash": 319711546520869408852480328531628814913,
- "size": 7,
- "commit_id": "c805c1de1141cb22f74c0d94dd5664bda37398e0",
- "message": "Fixes #177: NULL pointer dereference in FindServiceControlURLPath\n\nAlso fixes its dual bug in FindServiceEventURLPath.",
- "target": 0,
- "dataset": "other",
- "idx": 269107
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "svm_vm_init",
- "avic_vm_init",
- "avic_vm_destroy"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static int svm_vm_init(struct kvm *kvm)\n{\n\tif (avic) {\n\t\tint ret = avic_vm_init(kvm);\n\t\tif (ret)\n\t\t\treturn ret;\n\t}\n\n\tkvm_apicv_init(kvm, avic);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 119231700638899789656496442858274257675,
- "size": 11,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432411
- },
- {
- "func": "static void avic_vm_destroy(struct kvm *kvm)\n{\n\tunsigned long flags;\n\tstruct kvm_svm *kvm_svm = to_kvm_svm(kvm);\n\n\tif (!avic)\n\t\treturn;\n\n\tif (kvm_svm->avic_logical_id_table_page)\n\t\t__free_page(kvm_svm->avic_logical_id_table_page);\n\tif (kvm_svm->avic_physical_id_table_page)\n\t\t__free_page(kvm_svm->avic_physical_id_table_page);\n\n\tspin_lock_irqsave(&svm_vm_data_hash_lock, flags);\n\thash_del(&kvm_svm->hnode);\n\tspin_unlock_irqrestore(&svm_vm_data_hash_lock, flags);\n}",
- "project": "linux",
- "hash": 78672790564658728860700505660849588389,
- "size": 17,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432565
- },
- {
- "func": "static int avic_vm_init(struct kvm *kvm)\n{\n\tunsigned long flags;\n\tint err = -ENOMEM;\n\tstruct kvm_svm *kvm_svm = to_kvm_svm(kvm);\n\tstruct kvm_svm *k2;\n\tstruct page *p_page;\n\tstruct page *l_page;\n\tu32 vm_id;\n\n\tif (!avic)\n\t\treturn 0;\n\n\t/* Allocating physical APIC ID table (4KB) */\n\tp_page = alloc_page(GFP_KERNEL_ACCOUNT);\n\tif (!p_page)\n\t\tgoto free_avic;\n\n\tkvm_svm->avic_physical_id_table_page = p_page;\n\tclear_page(page_address(p_page));\n\n\t/* Allocating logical APIC ID table (4KB) */\n\tl_page = alloc_page(GFP_KERNEL_ACCOUNT);\n\tif (!l_page)\n\t\tgoto free_avic;\n\n\tkvm_svm->avic_logical_id_table_page = l_page;\n\tclear_page(page_address(l_page));\n\n\tspin_lock_irqsave(&svm_vm_data_hash_lock, flags);\n again:\n\tvm_id = next_vm_id = (next_vm_id + 1) & AVIC_VM_ID_MASK;\n\tif (vm_id == 0) { /* id is 1-based, zero is not okay */\n\t\tnext_vm_id_wrapped = 1;\n\t\tgoto again;\n\t}\n\t/* Is it still in use? Only possible if wrapped at least once */\n\tif (next_vm_id_wrapped) {\n\t\thash_for_each_possible(svm_vm_data_hash, k2, hnode, vm_id) {\n\t\t\tif (k2->avic_vm_id == vm_id)\n\t\t\t\tgoto again;\n\t\t}\n\t}\n\tkvm_svm->avic_vm_id = vm_id;\n\thash_add(svm_vm_data_hash, &kvm_svm->hnode, kvm_svm->avic_vm_id);\n\tspin_unlock_irqrestore(&svm_vm_data_hash_lock, flags);\n\n\treturn 0;\n\nfree_avic:\n\tavic_vm_destroy(kvm);\n\treturn err;\n}",
- "project": "linux",
- "hash": 222672042186195717097421658155647046630,
- "size": 53,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432635
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "init_module",
- "sbni_init",
- "request_region"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "int __init init_module( void )\n{\n\tstruct net_device *dev;\n\tint err;\n\n\twhile( num < SBNI_MAX_NUM_CARDS ) {\n\t\tdev = alloc_netdev(sizeof(struct net_local), \n\t\t\t\t \"sbni%d\", sbni_devsetup);\n\t\tif( !dev)\n\t\t\tbreak;\n\n\t\tsprintf( dev->name, \"sbni%d\", num );\n\n\t\terr = sbni_init(dev);\n\t\tif (err) {\n\t\t\tfree_netdev(dev);\n\t\t\tbreak;\n\t\t}\n\n\t\tif( register_netdev( dev ) ) {\n\t\t\trelease_region( dev->base_addr, SBNI_IO_EXTENT );\n\t\t\tfree_netdev( dev );\n\t\t\tbreak;\n\t\t}\n\t}\n\n\treturn *sbni_cards ? 0 : -ENODEV;\n}",
- "target": 0,
- "cwe": [
- "CWE-264"
- ],
- "project": "linux-2.6",
- "commit_id": "f2455eb176ac87081bbfc9a44b21c7cd2bc1967e",
- "hash": 181433901727487330964454453377713851548,
- "size": 28,
- "message": "wan: Missing capability checks in sbni_ioctl()\n\nThere are missing capability checks in the following code:\n\n1300 static int\n1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)\n1302 {\n[...]\n1319 case SIOCDEVRESINSTATS :\n1320 if( current->euid != 0 ) /* root only */\n1321 return -EPERM;\n[...]\n1336 case SIOCDEVSHWSTATE :\n1337 if( current->euid != 0 ) /* root only */\n1338 return -EPERM;\n[...]\n1357 case SIOCDEVENSLAVE :\n1358 if( current->euid != 0 ) /* root only */\n1359 return -EPERM;\n[...]\n1372 case SIOCDEVEMANSIPATE :\n1373 if( current->euid != 0 ) /* root only */\n1374 return -EPERM;\n\nHere's my proposed fix:\n\nMissing capability checks.\n\nSigned-off-by: Eugene Teo <eugeneteo@kernel.sg>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 488965
- },
- {
- "func": "sbni_isa_probe( struct net_device *dev )\n{\n\tif( dev->base_addr > 0x1ff\n\t && request_region( dev->base_addr, SBNI_IO_EXTENT, dev->name )\n\t && sbni_probe1( dev, dev->base_addr, dev->irq ) )\n\n\t\treturn 0;\n\telse {\n\t\tprintk( KERN_ERR \"sbni: base address 0x%lx is busy, or adapter \"\n\t\t\t\"is malfunctional!\\n\", dev->base_addr );\n\t\treturn -ENODEV;\n\t}\n}",
- "target": 0,
- "cwe": [
- "CWE-264"
- ],
- "project": "linux-2.6",
- "commit_id": "f2455eb176ac87081bbfc9a44b21c7cd2bc1967e",
- "hash": 23435996843988008996709935911737797945,
- "size": 13,
- "message": "wan: Missing capability checks in sbni_ioctl()\n\nThere are missing capability checks in the following code:\n\n1300 static int\n1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)\n1302 {\n[...]\n1319 case SIOCDEVRESINSTATS :\n1320 if( current->euid != 0 ) /* root only */\n1321 return -EPERM;\n[...]\n1336 case SIOCDEVSHWSTATE :\n1337 if( current->euid != 0 ) /* root only */\n1338 return -EPERM;\n[...]\n1357 case SIOCDEVENSLAVE :\n1358 if( current->euid != 0 ) /* root only */\n1359 return -EPERM;\n[...]\n1372 case SIOCDEVEMANSIPATE :\n1373 if( current->euid != 0 ) /* root only */\n1374 return -EPERM;\n\nHere's my proposed fix:\n\nMissing capability checks.\n\nSigned-off-by: Eugene Teo <eugeneteo@kernel.sg>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 488942
- },
- {
- "func": "int __init sbni_probe(int unit)\n{\n\tstruct net_device *dev;\n\tstatic unsigned version_printed __initdata = 0;\n\tint err;\n\n\tdev = alloc_netdev(sizeof(struct net_local), \"sbni\", sbni_devsetup);\n\tif (!dev)\n\t\treturn -ENOMEM;\n\n\tsprintf(dev->name, \"sbni%d\", unit);\n\tnetdev_boot_setup_check(dev);\n\n\terr = sbni_init(dev);\n\tif (err) {\n\t\tfree_netdev(dev);\n\t\treturn err;\n\t}\n\n\terr = register_netdev(dev);\n\tif (err) {\n\t\trelease_region( dev->base_addr, SBNI_IO_EXTENT );\n\t\tfree_netdev(dev);\n\t\treturn err;\n\t}\n\tif( version_printed++ == 0 )\n\t\tprintk( KERN_INFO \"%s\", version );\n\treturn 0;\n}",
- "target": 0,
- "cwe": [
- "CWE-264"
- ],
- "project": "linux-2.6",
- "commit_id": "f2455eb176ac87081bbfc9a44b21c7cd2bc1967e",
- "hash": 134865134009037356775699546668150350259,
- "size": 29,
- "message": "wan: Missing capability checks in sbni_ioctl()\n\nThere are missing capability checks in the following code:\n\n1300 static int\n1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)\n1302 {\n[...]\n1319 case SIOCDEVRESINSTATS :\n1320 if( current->euid != 0 ) /* root only */\n1321 return -EPERM;\n[...]\n1336 case SIOCDEVSHWSTATE :\n1337 if( current->euid != 0 ) /* root only */\n1338 return -EPERM;\n[...]\n1357 case SIOCDEVENSLAVE :\n1358 if( current->euid != 0 ) /* root only */\n1359 return -EPERM;\n[...]\n1372 case SIOCDEVEMANSIPATE :\n1373 if( current->euid != 0 ) /* root only */\n1374 return -EPERM;\n\nHere's my proposed fix:\n\nMissing capability checks.\n\nSigned-off-by: Eugene Teo <eugeneteo@kernel.sg>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 488946
- },
- {
- "func": "static int __init sbni_init(struct net_device *dev)\n{\n\tint i;\n\tif( dev->base_addr )\n\t\treturn sbni_isa_probe( dev );\n\t/* otherwise we have to perform search our adapter */\n\n\tif( io[ num ] != -1 )\n\t\tdev->base_addr\t= io[ num ],\n\t\tdev->irq\t= irq[ num ];\n\telse if( scandone || io[ 0 ] != -1 )\n\t\treturn -ENODEV;\n\n\t/* if io[ num ] contains non-zero address, then that is on ISA bus */\n\tif( dev->base_addr )\n\t\treturn sbni_isa_probe( dev );\n\n\t/* ...otherwise - scan PCI first */\n\tif( !skip_pci_probe && !sbni_pci_probe( dev ) )\n\t\treturn 0;\n\n\tif( io[ num ] == -1 ) {\n\t\t/* Auto-scan will be stopped when first ISA card were found */\n\t\tscandone = 1;\n\t\tif( num > 0 )\n\t\t\treturn -ENODEV;\n\t}\n\n\tfor( i = 0; netcard_portlist[ i ]; ++i ) {\n\t\tint ioaddr = netcard_portlist[ i ];\n\t\tif( request_region( ioaddr, SBNI_IO_EXTENT, dev->name )\n\t\t && sbni_probe1( dev, ioaddr, 0 ))\n\t\t\treturn 0;\n\t}\n\n\treturn -ENODEV;\n}",
- "target": 0,
- "cwe": [
- "CWE-264"
- ],
- "project": "linux-2.6",
- "commit_id": "f2455eb176ac87081bbfc9a44b21c7cd2bc1967e",
- "hash": 214086691161495212970362013776871450574,
- "size": 37,
- "message": "wan: Missing capability checks in sbni_ioctl()\n\nThere are missing capability checks in the following code:\n\n1300 static int\n1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)\n1302 {\n[...]\n1319 case SIOCDEVRESINSTATS :\n1320 if( current->euid != 0 ) /* root only */\n1321 return -EPERM;\n[...]\n1336 case SIOCDEVSHWSTATE :\n1337 if( current->euid != 0 ) /* root only */\n1338 return -EPERM;\n[...]\n1357 case SIOCDEVENSLAVE :\n1358 if( current->euid != 0 ) /* root only */\n1359 return -EPERM;\n[...]\n1372 case SIOCDEVEMANSIPATE :\n1373 if( current->euid != 0 ) /* root only */\n1374 return -EPERM;\n\nHere's my proposed fix:\n\nMissing capability checks.\n\nSigned-off-by: Eugene Teo <eugeneteo@kernel.sg>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 488947
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "src_parser_cpp",
- "src_parser_trans_stage_1_2_3",
- "p_buf_push_tmp_char"
- ],
- "group_size": 8,
- "functions": [
- {
- "project": "gilcc",
- "commit_id": "803969389ca9c06237075a7f8eeb1a19e6651759",
- "target": 0,
- "func": "int src_parser_cpp(const char *src, const struct trans_config cfg)\n{\n int tmp_fd;\n char fname[TMP_FILE_NAME_SIZE];\n\n strncpy(fname, TMP_FILE_NAME, TMP_FILE_NAME_SIZE);\n tmp_fd = mkstemp(fname);\n if (tmp_fd == -1) {\n fprintf(stderr, \"**Error: could not create a working file.\\n\");\n return -1;\n }\n\n src_parser_trans_stage_1_2_3(tmp_fd, src, cfg);\n\n print_file_full(tmp_fd);\n\n unlink(fname);\n}",
- "idx": 519641,
- "cwe": "CWE-120",
- "hash": 271722396915397535572169577216631922211,
- "dataset": "other"
- },
- {
- "project": "gilcc",
- "commit_id": "803969389ca9c06237075a7f8eeb1a19e6651759",
- "target": 0,
- "func": "static inline int p_buf_write_f_char(struct parser_buf *buf, const int output_fd)\n{\n return write(output_fd, &buf->f_buf[buf->f_indx++], 1);\n}",
- "idx": 519638,
- "cwe": "CWE-120",
- "hash": 11863702651619213404059498325548133161,
- "dataset": "other"
- },
- {
- "project": "gilcc",
- "commit_id": "803969389ca9c06237075a7f8eeb1a19e6651759",
- "target": 1,
- "func": "static int src_parser_trans_stage_1_2_3(const int tmp_fd, const char *src, const struct trans_config cfg)\n{\n struct parser_buf pbuf = {\n .f_indx = 0,\n .tmp_indx = 0,\n .f_read_size = 0\n };\n\n int write_count = 0;\n int src_fd;\n int p_state = P_STATE_CODE;\n\n src_fd = open(src, O_RDONLY);\n if (src_fd == -1) {\n fprintf(stderr, \"**Error: Could not open source file: %s.\\n\", src);\n return -1;\n }\n\n while (p_buf_refill(&pbuf, src_fd) > 0) {\n\n while (PBUF_F_REMD(pbuf)) {\n\n switch (p_state) {\n case P_STATE_COMMENT_C:\n\n switch (PBUF_F_CHAR(pbuf)) {\n case '*':\n p_buf_push_tmp_char(&pbuf, '*');\n continue;\n\n case '/':\n if (pbuf.tmp_indx && (PBUF_TMP_PREV_CHAR(pbuf) == '*')) {\n pbuf.tmp_indx--;\n p_state = P_STATE_CODE;\n }\n break;\n\n default:\n if (pbuf.tmp_indx && (PBUF_TMP_PREV_CHAR(pbuf) == '*'))\n pbuf.tmp_indx--;\n break;\n }\n\n pbuf.f_indx++;\n\n case P_STATE_CODE:\n default:\n\n /* TODO: add trigraph support */\n\n switch (PBUF_F_CHAR(pbuf)) {\n case ' ':\n case '\\t':\n if (pbuf.tmp_indx &&\n (PBUF_TMP_PREV_CHAR(pbuf) == ' ' || PBUF_TMP_PREV_CHAR(pbuf) == '\\t' ||\n PBUF_TMP_PREV_CHAR(pbuf) == '\\n'))\n pbuf.f_indx++;\n else\n p_buf_push_tmp_char(&pbuf, ' ');\n\n continue;\n\n case '\\r':\n case '\\n':\n if (pbuf.tmp_indx &&\n (PBUF_TMP_PREV_CHAR(pbuf) == ' ' || PBUF_TMP_PREV_CHAR(pbuf) == '\\t' ||\n PBUF_TMP_PREV_CHAR(pbuf) == '\\n')) {\n pbuf.f_indx++;\n } else if (pbuf.tmp_indx && \n (PBUF_TMP_PREV_CHAR(pbuf) == '\\\\')) {\n pbuf.tmp_indx--;\n pbuf.f_indx++;\n } else {\n p_buf_push_tmp_char(&pbuf, '\\n');\n }\n\n continue;\n\n case '\\\\':\n p_buf_push_tmp_char(&pbuf, '\\\\');\n continue;\n\n case '/':\n p_buf_push_tmp_char(&pbuf, '/');\n continue;\n\n case '*':\n if (pbuf.tmp_indx &&\n (PBUF_TMP_PREV_CHAR(pbuf) == '/')) {\n pbuf.tmp_indx--;\n pbuf.f_indx++;\n p_state = P_STATE_COMMENT_C;\n continue;\n }\n\n default:\n break;\n }\n\n /* TODO: check return values */\n p_buf_write_tmp(&pbuf, tmp_fd);\n 
p_buf_write_f_char(&pbuf, tmp_fd);\n }\n }\n }\n\n p_buf_write_tmp(&pbuf, tmp_fd);\n return 0;\n}",
- "idx": 217253,
- "cwe": "CWE-120",
- "hash": 156243165944298433475865161512344109547,
- "dataset": "other"
- },
- {
- "project": "gilcc",
- "commit_id": "803969389ca9c06237075a7f8eeb1a19e6651759",
- "target": 0,
- "func": "static int src_parser_trans_stage_1_2_3(const int tmp_fd, const char *src, const struct trans_config cfg)\n{\n struct parser_buf pbuf = {\n .f_indx = 0,\n .tmp_indx = 0,\n .f_read_size = 0\n };\n\n int write_count = 0;\n int src_fd;\n int p_state = P_STATE_CODE;\n\n src_fd = open(src, O_RDONLY);\n if (src_fd == -1) {\n fprintf(stderr, \"**Error: Could not open source file: %s.\\n\", src);\n return -1;\n }\n\n while (p_buf_refill(&pbuf, src_fd) > 0) {\n\n while (PBUF_F_REMD(pbuf)) {\n\n switch (p_state) {\n case P_STATE_COMMENT_C:\n\n switch (PBUF_F_CHAR(pbuf)) {\n case '*':\n p_buf_push_tmp_char(&pbuf, '*');\n continue;\n\n case '/':\n if (pbuf.tmp_indx && (PBUF_TMP_PREV_CHAR(pbuf) == '*')) {\n pbuf.tmp_indx--;\n p_state = P_STATE_CODE;\n }\n break;\n\n default:\n if (pbuf.tmp_indx && (PBUF_TMP_PREV_CHAR(pbuf) == '*'))\n pbuf.tmp_indx--;\n break;\n }\n\n pbuf.f_indx++;\n\n case P_STATE_CODE:\n default:\n\n /* TODO: add trigraph support */\n\n switch (PBUF_F_CHAR(pbuf)) {\n case ' ':\n case '\\t':\n if (pbuf.tmp_indx &&\n (PBUF_TMP_PREV_CHAR(pbuf) == ' ' || PBUF_TMP_PREV_CHAR(pbuf) == '\\t' ||\n PBUF_TMP_PREV_CHAR(pbuf) == '\\n'))\n pbuf.f_indx++;\n else\n p_buf_push_tmp_char(&pbuf, ' ');\n\n continue;\n\n case '\\r':\n case '\\n':\n if (pbuf.tmp_indx &&\n (PBUF_TMP_PREV_CHAR(pbuf) == ' ' || PBUF_TMP_PREV_CHAR(pbuf) == '\\t' ||\n PBUF_TMP_PREV_CHAR(pbuf) == '\\n')) {\n pbuf.f_indx++;\n } else if (pbuf.tmp_indx &&\n (PBUF_TMP_PREV_CHAR(pbuf) == '\\\\')) {\n pbuf.tmp_indx--;\n pbuf.f_indx++;\n } else {\n p_buf_push_tmp_char(&pbuf, '\\n');\n }\n\n continue;\n\n case '\\\\':\n p_buf_write_tmp(&pbuf, tmp_fd);\n p_buf_push_tmp_char(&pbuf, '\\\\');\n continue;\n\n case '/':\n p_buf_write_tmp(&pbuf, tmp_fd);\n p_buf_push_tmp_char(&pbuf, '/');\n continue;\n\n case '*':\n if (pbuf.tmp_indx &&\n (PBUF_TMP_PREV_CHAR(pbuf) == '/')) {\n pbuf.tmp_indx--;\n pbuf.f_indx++;\n p_state = P_STATE_COMMENT_C;\n continue;\n }\n\n default:\n break;\n }\n\n /* TODO: check return 
values */\n p_buf_write_tmp(&pbuf, tmp_fd);\n p_buf_write_f_char(&pbuf, tmp_fd);\n }\n }\n }\n\n p_buf_write_tmp(&pbuf, tmp_fd);\n return 0;\n}",
- "idx": 519639,
- "cwe": "CWE-120",
- "hash": 243330918601381518712115173837645650891,
- "dataset": "other"
- },
- {
- "project": "gilcc",
- "commit_id": "803969389ca9c06237075a7f8eeb1a19e6651759",
- "target": 0,
- "func": "static inline int p_buf_refill(struct parser_buf *buf, const int input_fd)\n{\n int read_size;\n\n read_size = read(input_fd, buf->f_buf, SRC_PARSER_F_BUF_SIZE);\n buf->f_indx = 0;\n buf->f_read_size = read_size;\n return read_size;\n}",
- "idx": 519635,
- "cwe": "CWE-120",
- "hash": 94349456194879104248932935259912870119,
- "dataset": "other"
- },
- {
- "project": "gilcc",
- "commit_id": "803969389ca9c06237075a7f8eeb1a19e6651759",
- "target": 0,
- "func": "static inline int p_buf_write_tmp(struct parser_buf *buf, const int output_fd)\n{\n int write_size;\n\n if (!buf->tmp_indx)\n return 0;\n\n write_size = write(output_fd, buf->tmp_buf, buf->tmp_indx);\n buf->tmp_indx = 0;\n\n return write_size;\n}",
- "idx": 519640,
- "cwe": "CWE-120",
- "hash": 288338974588502287384365659415156191144,
- "dataset": "other"
- },
- {
- "project": "gilcc",
- "commit_id": "803969389ca9c06237075a7f8eeb1a19e6651759",
- "target": 0,
- "func": "static inline int p_buf_push_tmp_char(struct parser_buf *buf, const char c)\n{\n buf->tmp_buf[buf->tmp_indx++] = c;\n buf->f_indx++;\n return buf->tmp_indx;\n}",
- "idx": 519637,
- "cwe": "CWE-120",
- "hash": 148700069090498604089502369601794249104,
- "dataset": "other"
- },
- {
- "project": "gilcc",
- "commit_id": "803969389ca9c06237075a7f8eeb1a19e6651759",
- "target": 0,
- "func": "static void print_file_full(int fd)\n{\n char f_buf[SRC_PARSER_F_BUF_SIZE];\n int read_size;\n\n if (lseek(fd, 0, SEEK_SET)) {\n fprintf(stderr, \"**Error: Could not set offset.\\n\");\n return;\n }\n\n while ((read_size = read(fd, f_buf, SRC_PARSER_F_BUF_SIZE)) > 0) {\n int read_indx = 0;\n\n while (read_indx < read_size)\n putchar(f_buf[read_indx++]);\n }\n}",
- "idx": 519636,
- "cwe": "CWE-120",
- "hash": 188858436085828338784176103802441969941,
- "dataset": "other"
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "update_send_surface_frame_bits",
- "update_force_flush",
- "update_flush",
- "update_begin_paint"
- ],
- "group_size": 25,
- "functions": [
- {
- "func": "static void free_bitmap_data(BITMAP_DATA* data, size_t count)\n{\n\tsize_t x;\n\n\tif (!data)\n\t\treturn;\n\n\tfor (x = 0; x < count; x++)\n\t\tfree(data[x].bitmapDataStream);\n\n\tfree(data);\n}",
- "project": "FreeRDP",
- "hash": 83561454008892408570795373937698034714,
- "size": 12,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269195
- },
- {
- "func": "static void update_flush(rdpContext* context)\n{\n\trdpUpdate* update = context->update;\n\n\tif (update->numberOrders > 0)\n\t{\n\t\tupdate_end_paint(update);\n\t\tupdate_begin_paint(update);\n\t}\n}",
- "project": "FreeRDP",
- "hash": 48646700703847888200234582864219006834,
- "size": 10,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295104
- },
- {
- "func": "void free_bitmap_update(rdpContext* context, BITMAP_UPDATE* pointer)\n{\n\tif (!pointer)\n\t\treturn;\n\n\tfree_bitmap_data(pointer->rectangles, pointer->number);\n\tfree(pointer);\n}",
- "project": "FreeRDP",
- "hash": 208939052026127177066053869993369151852,
- "size": 8,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269192
- },
- {
- "func": "static const char* update_type_to_string(UINT16 updateType)\n{\n\tif (updateType >= ARRAYSIZE(UPDATE_TYPE_STRINGS))\n\t\treturn \"UNKNOWN\";\n\n\treturn UPDATE_TYPE_STRINGS[updateType];\n}",
- "project": "FreeRDP",
- "hash": 159219454954151929240053594586134427915,
- "size": 7,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295037
- },
- {
- "func": "static BOOL update_read_bitmap_data(rdpUpdate* update, wStream* s, BITMAP_DATA* bitmapData)\n{\n\tWINPR_UNUSED(update);\n\tif (Stream_GetRemainingLength(s) < 18)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, bitmapData->destLeft);\n\tStream_Read_UINT16(s, bitmapData->destTop);\n\tStream_Read_UINT16(s, bitmapData->destRight);\n\tStream_Read_UINT16(s, bitmapData->destBottom);\n\tStream_Read_UINT16(s, bitmapData->width);\n\tStream_Read_UINT16(s, bitmapData->height);\n\tStream_Read_UINT16(s, bitmapData->bitsPerPixel);\n\tStream_Read_UINT16(s, bitmapData->flags);\n\tStream_Read_UINT16(s, bitmapData->bitmapLength);\n\n\tif (bitmapData->flags & BITMAP_COMPRESSION)\n\t{\n\t\tif (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))\n\t\t{\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbCompFirstRowSize); /* cbCompFirstRowSize (2 bytes) */\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbCompMainBodySize); /* cbCompMainBodySize (2 bytes) */\n\t\t\tStream_Read_UINT16(s, bitmapData->cbScanWidth); /* cbScanWidth (2 bytes) */\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbUncompressedSize); /* cbUncompressedSize (2 bytes) */\n\t\t\tbitmapData->bitmapLength = bitmapData->cbCompMainBodySize;\n\t\t}\n\n\t\tbitmapData->compressed = TRUE;\n\t}\n\telse\n\t\tbitmapData->compressed = FALSE;\n\n\tif (Stream_GetRemainingLength(s) < bitmapData->bitmapLength)\n\t\treturn FALSE;\n\n\tif (bitmapData->bitmapLength > 0)\n\t{\n\t\tbitmapData->bitmapDataStream = malloc(bitmapData->bitmapLength);\n\n\t\tif (!bitmapData->bitmapDataStream)\n\t\t\treturn FALSE;\n\n\t\tmemcpy(bitmapData->bitmapDataStream, Stream_Pointer(s), bitmapData->bitmapLength);\n\t\tStream_Seek(s, bitmapData->bitmapLength);\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 118353352329739050106188835974278769803,
- "size": 51,
- "commit_id": "f8890a645c221823ac133dbf991f8a65ae50d637",
- "message": "Fixed #6005: Bounds checks in update_read_bitmap_data",
- "target": 1,
- "dataset": "other",
- "idx": 202811
- },
- {
- "func": "static BOOL update_read_bitmap_data(rdpUpdate* update, wStream* s, BITMAP_DATA* bitmapData)\n{\n\tWINPR_UNUSED(update);\n\tif (Stream_GetRemainingLength(s) < 18)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, bitmapData->destLeft);\n\tStream_Read_UINT16(s, bitmapData->destTop);\n\tStream_Read_UINT16(s, bitmapData->destRight);\n\tStream_Read_UINT16(s, bitmapData->destBottom);\n\tStream_Read_UINT16(s, bitmapData->width);\n\tStream_Read_UINT16(s, bitmapData->height);\n\tStream_Read_UINT16(s, bitmapData->bitsPerPixel);\n\tStream_Read_UINT16(s, bitmapData->flags);\n\tStream_Read_UINT16(s, bitmapData->bitmapLength);\n\n\tif (bitmapData->flags & BITMAP_COMPRESSION)\n\t{\n\t\tif (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))\n\t\t{\n\t\t\tif (Stream_GetRemainingLength(s) < 8)\n\t\t\t\treturn FALSE;\n\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbCompFirstRowSize); /* cbCompFirstRowSize (2 bytes) */\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbCompMainBodySize); /* cbCompMainBodySize (2 bytes) */\n\t\t\tStream_Read_UINT16(s, bitmapData->cbScanWidth); /* cbScanWidth (2 bytes) */\n\t\t\tStream_Read_UINT16(s,\n\t\t\t bitmapData->cbUncompressedSize); /* cbUncompressedSize (2 bytes) */\n\t\t\tbitmapData->bitmapLength = bitmapData->cbCompMainBodySize;\n\t\t}\n\n\t\tbitmapData->compressed = TRUE;\n\t}\n\telse\n\t\tbitmapData->compressed = FALSE;\n\n\tif (Stream_GetRemainingLength(s) < bitmapData->bitmapLength)\n\t\treturn FALSE;\n\n\tif (bitmapData->bitmapLength > 0)\n\t{\n\t\tbitmapData->bitmapDataStream = malloc(bitmapData->bitmapLength);\n\n\t\tif (!bitmapData->bitmapDataStream)\n\t\t\treturn FALSE;\n\n\t\tmemcpy(bitmapData->bitmapDataStream, Stream_Pointer(s), bitmapData->bitmapLength);\n\t\tStream_Seek(s, bitmapData->bitmapLength);\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 19434549241602046540304179152592702379,
- "size": 54,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295074
- },
- {
- "func": "static BOOL update_write_bitmap_data(rdpUpdate* update, wStream* s, BITMAP_DATA* bitmapData)\n{\n\tif (!Stream_EnsureRemainingCapacity(s, 64 + bitmapData->bitmapLength))\n\t\treturn FALSE;\n\n\tif (update->autoCalculateBitmapData)\n\t{\n\t\tbitmapData->flags = 0;\n\t\tbitmapData->cbCompFirstRowSize = 0;\n\n\t\tif (bitmapData->compressed)\n\t\t\tbitmapData->flags |= BITMAP_COMPRESSION;\n\n\t\tif (update->context->settings->NoBitmapCompressionHeader)\n\t\t{\n\t\t\tbitmapData->flags |= NO_BITMAP_COMPRESSION_HDR;\n\t\t\tbitmapData->cbCompMainBodySize = bitmapData->bitmapLength;\n\t\t}\n\t}\n\n\tStream_Write_UINT16(s, bitmapData->destLeft);\n\tStream_Write_UINT16(s, bitmapData->destTop);\n\tStream_Write_UINT16(s, bitmapData->destRight);\n\tStream_Write_UINT16(s, bitmapData->destBottom);\n\tStream_Write_UINT16(s, bitmapData->width);\n\tStream_Write_UINT16(s, bitmapData->height);\n\tStream_Write_UINT16(s, bitmapData->bitsPerPixel);\n\tStream_Write_UINT16(s, bitmapData->flags);\n\tStream_Write_UINT16(s, bitmapData->bitmapLength);\n\n\tif (bitmapData->flags & BITMAP_COMPRESSION)\n\t{\n\t\tif (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))\n\t\t{\n\t\t\tStream_Write_UINT16(s,\n\t\t\t bitmapData->cbCompFirstRowSize); /* cbCompFirstRowSize (2 bytes) */\n\t\t\tStream_Write_UINT16(s,\n\t\t\t bitmapData->cbCompMainBodySize); /* cbCompMainBodySize (2 bytes) */\n\t\t\tStream_Write_UINT16(s, bitmapData->cbScanWidth); /* cbScanWidth (2 bytes) */\n\t\t\tStream_Write_UINT16(s,\n\t\t\t bitmapData->cbUncompressedSize); /* cbUncompressedSize (2 bytes) */\n\t\t}\n\n\t\tStream_Write(s, bitmapData->bitmapDataStream, bitmapData->bitmapLength);\n\t}\n\telse\n\t{\n\t\tStream_Write(s, bitmapData->bitmapDataStream, bitmapData->bitmapLength);\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 150799345268186021110095569864090669993,
- "size": 52,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295067
- },
- {
- "func": "BOOL update_begin_paint(rdpUpdate* update)\n{\n\tif (!update)\n\t\treturn FALSE;\n\n\tEnterCriticalSection(&update->mux);\n\n\tif (!update->BeginPaint)\n\t\treturn TRUE;\n\n\treturn update->BeginPaint(update->context);\n}",
- "project": "FreeRDP",
- "hash": 220278009081811703954206093061125416118,
- "size": 12,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295073
- },
- {
- "func": "static BOOL update_send_bitmap_update(rdpContext* context, const BITMAP_UPDATE* bitmapUpdate)\n{\n\twStream* s;\n\trdpRdp* rdp = context->rdp;\n\trdpUpdate* update = context->update;\n\tBOOL ret = TRUE;\n\tupdate_force_flush(context);\n\ts = fastpath_update_pdu_init(rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (!update_write_bitmap_update(update, s, bitmapUpdate) ||\n\t !fastpath_send_update_pdu(rdp->fastpath, FASTPATH_UPDATETYPE_BITMAP, s,\n\t bitmapUpdate->skipCompression))\n\t{\n\t\tret = FALSE;\n\t\tgoto out_fail;\n\t}\n\n\tupdate_force_flush(context);\nout_fail:\n\tStream_Release(s);\n\treturn ret;\n}",
- "project": "FreeRDP",
- "hash": 259785527431013201702141036429401273574,
- "size": 25,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295090
- },
- {
- "func": "static BOOL update_send_surface_frame_marker(rdpContext* context,\n const SURFACE_FRAME_MARKER* surfaceFrameMarker)\n{\n\twStream* s;\n\trdpRdp* rdp = context->rdp;\n\tBOOL ret = FALSE;\n\tupdate_force_flush(context);\n\ts = fastpath_update_pdu_init(rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (!update_write_surfcmd_frame_marker(s, surfaceFrameMarker->frameAction,\n\t surfaceFrameMarker->frameId) ||\n\t !fastpath_send_update_pdu(rdp->fastpath, FASTPATH_UPDATETYPE_SURFCMDS, s, FALSE))\n\t\tgoto out_fail;\n\n\tupdate_force_flush(context);\n\tret = TRUE;\nout_fail:\n\tStream_Release(s);\n\treturn ret;\n}",
- "project": "FreeRDP",
- "hash": 14746646581806677941908773020690319643,
- "size": 23,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295048
- },
- {
- "func": "BITMAP_UPDATE* copy_bitmap_update(rdpContext* context, const BITMAP_UPDATE* pointer)\n{\n\tBITMAP_UPDATE* dst = calloc(1, sizeof(BITMAP_UPDATE));\n\n\tif (!dst || !pointer)\n\t\tgoto fail;\n\n\t*dst = *pointer;\n\tdst->rectangles = copy_bitmap_data(pointer->rectangles, pointer->number);\n\n\tif (!dst->rectangles)\n\t\tgoto fail;\n\n\treturn dst;\nfail:\n\tfree_bitmap_update(context, dst);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 120969353999494657473109322312513246110,
- "size": 18,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269196
- },
- {
- "func": "BOOL update_end_paint(rdpUpdate* update)\n{\n\tBOOL rc = FALSE;\n\n\tif (!update)\n\t\treturn FALSE;\n\n\tif (update->EndPaint)\n\t\trc = update->EndPaint(update->context);\n\n\tLeaveCriticalSection(&update->mux);\n\treturn rc;\n}",
- "project": "FreeRDP",
- "hash": 281226130786164898487470841172171184793,
- "size": 13,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295042
- },
- {
- "func": "PALETTE_UPDATE* update_read_palette(rdpUpdate* update, wStream* s)\n{\n\tint i;\n\tPALETTE_ENTRY* entry;\n\tPALETTE_UPDATE* palette_update = calloc(1, sizeof(PALETTE_UPDATE));\n\n\tif (!palette_update)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 6)\n\t\tgoto fail;\n\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\tStream_Read_UINT32(s, palette_update->number); /* numberColors (4 bytes), must be set to 256 */\n\n\tif (palette_update->number > 256)\n\t\tpalette_update->number = 256;\n\n\tif (Stream_GetRemainingLength(s) < palette_update->number * 3)\n\t\tgoto fail;\n\n\t/* paletteEntries */\n\tfor (i = 0; i < (int)palette_update->number; i++)\n\t{\n\t\tentry = &palette_update->entries[i];\n\t\tStream_Read_UINT8(s, entry->red);\n\t\tStream_Read_UINT8(s, entry->green);\n\t\tStream_Read_UINT8(s, entry->blue);\n\t}\n\n\treturn palette_update;\nfail:\n\tfree_palette_update(update->context, palette_update);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 283340729672566557322005741550262330782,
- "size": 35,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295055
- },
- {
- "func": "static void update_force_flush(rdpContext* context)\n{\n\tupdate_flush(context);\n}",
- "project": "FreeRDP",
- "hash": 256528792647568151068722085504517172170,
- "size": 4,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295107
- },
- {
- "func": "static BOOL update_check_flush(rdpContext* context, int size)\n{\n\twStream* s;\n\trdpUpdate* update = context->update;\n\ts = update->us;\n\n\tif (!update->us)\n\t{\n\t\tupdate_begin_paint(update);\n\t\treturn FALSE;\n\t}\n\n\tif (Stream_GetPosition(s) + size + 64 >= 0x3FFF)\n\t{\n\t\tupdate_flush(context);\n\t\treturn TRUE;\n\t}\n\n\treturn FALSE;\n}",
- "project": "FreeRDP",
- "hash": 309124954730636076383571471676715976119,
- "size": 20,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295050
- },
- {
- "func": "static BOOL update_recv_orders(rdpUpdate* update, wStream* s)\n{\n\tUINT16 numberOrders;\n\n\tif (Stream_GetRemainingLength(s) < 6)\n\t{\n\t\tWLog_ERR(TAG, \"Stream_GetRemainingLength(s) < 6\");\n\t\treturn FALSE;\n\t}\n\n\tStream_Seek_UINT16(s); /* pad2OctetsA (2 bytes) */\n\tStream_Read_UINT16(s, numberOrders); /* numberOrders (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2OctetsB (2 bytes) */\n\n\twhile (numberOrders > 0)\n\t{\n\t\tif (!update_recv_order(update, s))\n\t\t{\n\t\t\tWLog_ERR(TAG, \"update_recv_order() failed\");\n\t\t\treturn FALSE;\n\t\t}\n\n\t\tnumberOrders--;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 70322016649550153851599919894853004418,
- "size": 27,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295094
- },
- {
- "func": "static BOOL _update_begin_paint(rdpContext* context)\n{\n\twStream* s;\n\trdpUpdate* update = context->update;\n\n\tif (update->us)\n\t{\n\t\tif (!update_end_paint(update))\n\t\t\treturn FALSE;\n\t}\n\n\ts = fastpath_update_pdu_init_new(context->rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tStream_SealLength(s);\n\tStream_Seek(s, 2); /* numberOrders (2 bytes) */\n\tupdate->combineUpdates = TRUE;\n\tupdate->numberOrders = 0;\n\tupdate->us = s;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 206165084711978400762292566521593991429,
- "size": 23,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295041
- },
- {
- "func": "BOOL update_recv(rdpUpdate* update, wStream* s)\n{\n\tBOOL rc = FALSE;\n\tUINT16 updateType;\n\trdpContext* context = update->context;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t{\n\t\tWLog_ERR(TAG, \"Stream_GetRemainingLength(s) < 2\");\n\t\treturn FALSE;\n\t}\n\n\tStream_Read_UINT16(s, updateType); /* updateType (2 bytes) */\n\tWLog_Print(update->log, WLOG_TRACE, \"%s Update Data PDU\", UPDATE_TYPE_STRINGS[updateType]);\n\n\tif (!update_begin_paint(update))\n\t\tgoto fail;\n\n\tswitch (updateType)\n\t{\n\t\tcase UPDATE_TYPE_ORDERS:\n\t\t\trc = update_recv_orders(update, s);\n\t\t\tbreak;\n\n\t\tcase UPDATE_TYPE_BITMAP:\n\t\t{\n\t\t\tBITMAP_UPDATE* bitmap_update = update_read_bitmap_update(update, s);\n\n\t\t\tif (!bitmap_update)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"UPDATE_TYPE_BITMAP - update_read_bitmap_update() failed\");\n\t\t\t\tgoto fail;\n\t\t\t}\n\n\t\t\trc = IFCALLRESULT(FALSE, update->BitmapUpdate, context, bitmap_update);\n\t\t\tfree_bitmap_update(update->context, bitmap_update);\n\t\t}\n\t\tbreak;\n\n\t\tcase UPDATE_TYPE_PALETTE:\n\t\t{\n\t\t\tPALETTE_UPDATE* palette_update = update_read_palette(update, s);\n\n\t\t\tif (!palette_update)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"UPDATE_TYPE_PALETTE - update_read_palette() failed\");\n\t\t\t\tgoto fail;\n\t\t\t}\n\n\t\t\trc = IFCALLRESULT(FALSE, update->Palette, context, palette_update);\n\t\t\tfree_palette_update(context, palette_update);\n\t\t}\n\t\tbreak;\n\n\t\tcase UPDATE_TYPE_SYNCHRONIZE:\n\t\t\tif (!update_read_synchronize(update, s))\n\t\t\t\tgoto fail;\n\t\t\trc = IFCALLRESULT(TRUE, update->Synchronize, context);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tbreak;\n\t}\n\nfail:\n\n\tif (!update_end_paint(update))\n\t\trc = FALSE;\n\n\tif (!rc)\n\t{\n\t\tWLog_ERR(TAG, \"UPDATE_TYPE %s [%\" PRIu16 \"] failed\", update_type_to_string(updateType),\n\t\t updateType);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 241599745468172248070055396754810927395,
- "size": 78,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 1,
- "dataset": "other",
- "idx": 199894
- },
- {
- "func": "BOOL update_recv(rdpUpdate* update, wStream* s)\n{\n\tBOOL rc = FALSE;\n\tUINT16 updateType;\n\trdpContext* context = update->context;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t{\n\t\tWLog_ERR(TAG, \"Stream_GetRemainingLength(s) < 2\");\n\t\treturn FALSE;\n\t}\n\n\tStream_Read_UINT16(s, updateType); /* updateType (2 bytes) */\n\tWLog_Print(update->log, WLOG_TRACE, \"%s Update Data PDU\", update_type_to_string(updateType));\n\n\tif (!update_begin_paint(update))\n\t\tgoto fail;\n\n\tswitch (updateType)\n\t{\n\t\tcase UPDATE_TYPE_ORDERS:\n\t\t\trc = update_recv_orders(update, s);\n\t\t\tbreak;\n\n\t\tcase UPDATE_TYPE_BITMAP:\n\t\t{\n\t\t\tBITMAP_UPDATE* bitmap_update = update_read_bitmap_update(update, s);\n\n\t\t\tif (!bitmap_update)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"UPDATE_TYPE_BITMAP - update_read_bitmap_update() failed\");\n\t\t\t\tgoto fail;\n\t\t\t}\n\n\t\t\trc = IFCALLRESULT(FALSE, update->BitmapUpdate, context, bitmap_update);\n\t\t\tfree_bitmap_update(update->context, bitmap_update);\n\t\t}\n\t\tbreak;\n\n\t\tcase UPDATE_TYPE_PALETTE:\n\t\t{\n\t\t\tPALETTE_UPDATE* palette_update = update_read_palette(update, s);\n\n\t\t\tif (!palette_update)\n\t\t\t{\n\t\t\t\tWLog_ERR(TAG, \"UPDATE_TYPE_PALETTE - update_read_palette() failed\");\n\t\t\t\tgoto fail;\n\t\t\t}\n\n\t\t\trc = IFCALLRESULT(FALSE, update->Palette, context, palette_update);\n\t\t\tfree_palette_update(context, palette_update);\n\t\t}\n\t\tbreak;\n\n\t\tcase UPDATE_TYPE_SYNCHRONIZE:\n\t\t\tif (!update_read_synchronize(update, s))\n\t\t\t\tgoto fail;\n\t\t\trc = IFCALLRESULT(TRUE, update->Synchronize, context);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tbreak;\n\t}\n\nfail:\n\n\tif (!update_end_paint(update))\n\t\trc = FALSE;\n\n\tif (!rc)\n\t{\n\t\tWLog_ERR(TAG, \"UPDATE_TYPE %s [%\" PRIu16 \"] failed\", update_type_to_string(updateType),\n\t\t updateType);\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 210712111577567156501672184535618537131,
- "size": 78,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295081
- },
- {
- "func": "static BOOL update_read_synchronize(rdpUpdate* update, wStream* s)\n{\n\tWINPR_UNUSED(update);\n\treturn Stream_SafeSeek(s, 2); /* pad2Octets (2 bytes) */\n\t /**\n\t * The Synchronize Update is an artifact from the\n\t * T.128 protocol and should be ignored.\n\t */\n}",
- "project": "FreeRDP",
- "hash": 15521892922773362950883267377898803764,
- "size": 9,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295084
- },
- {
- "func": "BITMAP_UPDATE* update_read_bitmap_update(rdpUpdate* update, wStream* s)\n{\n\tUINT32 i;\n\tBITMAP_UPDATE* bitmapUpdate = calloc(1, sizeof(BITMAP_UPDATE));\n\n\tif (!bitmapUpdate)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, bitmapUpdate->number); /* numberRectangles (2 bytes) */\n\tWLog_Print(update->log, WLOG_TRACE, \"BitmapUpdate: %\" PRIu32 \"\", bitmapUpdate->number);\n\n\tif (bitmapUpdate->number > bitmapUpdate->count)\n\t{\n\t\tUINT32 count = bitmapUpdate->number * 2;\n\t\tBITMAP_DATA* newdata =\n\t\t (BITMAP_DATA*)realloc(bitmapUpdate->rectangles, sizeof(BITMAP_DATA) * count);\n\n\t\tif (!newdata)\n\t\t\tgoto fail;\n\n\t\tbitmapUpdate->rectangles = newdata;\n\t\tZeroMemory(&bitmapUpdate->rectangles[bitmapUpdate->count],\n\t\t sizeof(BITMAP_DATA) * (count - bitmapUpdate->count));\n\t\tbitmapUpdate->count = count;\n\t}\n\n\t/* rectangles */\n\tfor (i = 0; i < bitmapUpdate->number; i++)\n\t{\n\t\tif (!update_read_bitmap_data(update, s, &bitmapUpdate->rectangles[i]))\n\t\t\tgoto fail;\n\t}\n\n\treturn bitmapUpdate;\nfail:\n\tfree_bitmap_update(update->context, bitmapUpdate);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 33813168314939692314756191926075884636,
- "size": 41,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295080
- },
- {
- "func": "static BITMAP_DATA* copy_bitmap_data(const BITMAP_DATA* data, size_t count)\n{\n\tsize_t x;\n\tBITMAP_DATA* dst = (BITMAP_DATA*)calloc(count, sizeof(BITMAP_DATA));\n\n\tif (!dst)\n\t\tgoto fail;\n\n\tfor (x = 0; x < count; x++)\n\t{\n\t\tdst[x] = data[x];\n\n\t\tif (data[x].bitmapLength > 0)\n\t\t{\n\t\t\tdst[x].bitmapDataStream = malloc(data[x].bitmapLength);\n\n\t\t\tif (!dst[x].bitmapDataStream)\n\t\t\t\tgoto fail;\n\n\t\t\tmemcpy(dst[x].bitmapDataStream, data[x].bitmapDataStream, data[x].bitmapLength);\n\t\t}\n\t}\n\n\treturn dst;\nfail:\n\tfree_bitmap_data(dst, count);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 188655361286083133164433477309812156230,
- "size": 28,
- "commit_id": "58dc36b3c883fd460199cedb6d30e58eba58298c",
- "message": "Fixed possible NULL dereference",
- "target": 0,
- "dataset": "other",
- "idx": 269201
- },
- {
- "func": "static BOOL update_write_bitmap_update(rdpUpdate* update, wStream* s,\n const BITMAP_UPDATE* bitmapUpdate)\n{\n\tint i;\n\n\tif (!Stream_EnsureRemainingCapacity(s, 32))\n\t\treturn FALSE;\n\n\tStream_Write_UINT16(s, UPDATE_TYPE_BITMAP); /* updateType */\n\tStream_Write_UINT16(s, bitmapUpdate->number); /* numberRectangles (2 bytes) */\n\n\t/* rectangles */\n\tfor (i = 0; i < (int)bitmapUpdate->number; i++)\n\t{\n\t\tif (!update_write_bitmap_data(update, s, &bitmapUpdate->rectangles[i]))\n\t\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 151834610885528242589531618165967839061,
- "size": 20,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295043
- },
- {
- "func": "static BOOL update_send_surface_frame_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cmd,\n BOOL first, BOOL last, UINT32 frameId)\n{\n\twStream* s;\n\trdpRdp* rdp = context->rdp;\n\tBOOL ret = FALSE;\n\tupdate_force_flush(context);\n\ts = fastpath_update_pdu_init(rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (first)\n\t{\n\t\tif (!update_write_surfcmd_frame_marker(s, SURFACECMD_FRAMEACTION_BEGIN, frameId))\n\t\t\tgoto out_fail;\n\t}\n\n\tif (!update_write_surfcmd_surface_bits(s, cmd))\n\t\tgoto out_fail;\n\n\tif (last)\n\t{\n\t\tif (!update_write_surfcmd_frame_marker(s, SURFACECMD_FRAMEACTION_END, frameId))\n\t\t\tgoto out_fail;\n\t}\n\n\tret = fastpath_send_update_pdu(rdp->fastpath, FASTPATH_UPDATETYPE_SURFCMDS, s,\n\t cmd->skipCompression);\n\tupdate_force_flush(context);\nout_fail:\n\tStream_Release(s);\n\treturn ret;\n}",
- "project": "FreeRDP",
- "hash": 156186922337010680300695249917953025135,
- "size": 34,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295025
- },
- {
- "func": "static BOOL update_send_surface_bits(rdpContext* context,\n const SURFACE_BITS_COMMAND* surfaceBitsCommand)\n{\n\twStream* s;\n\trdpRdp* rdp = context->rdp;\n\tBOOL ret = FALSE;\n\tupdate_force_flush(context);\n\ts = fastpath_update_pdu_init(rdp->fastpath);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (!update_write_surfcmd_surface_bits(s, surfaceBitsCommand))\n\t\tgoto out_fail;\n\n\tif (!fastpath_send_update_pdu(rdp->fastpath, FASTPATH_UPDATETYPE_SURFCMDS, s,\n\t surfaceBitsCommand->skipCompression))\n\t\tgoto out_fail;\n\n\tupdate_force_flush(context);\n\tret = TRUE;\nout_fail:\n\tStream_Release(s);\n\treturn ret;\n}",
- "project": "FreeRDP",
- "hash": 262077567665186060034193325515015087867,
- "size": 25,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295075
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "sst_donor_thread",
- "sst_disallow_writes",
- "run_sql_command"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "static void* sst_joiner_thread (void* a)\n{\n sst_thread_arg* arg= (sst_thread_arg*) a;\n int err= 1;\n\n {\n const char magic[] = \"ready\";\n const size_t magic_len = sizeof(magic) - 1;\n const size_t out_len = 512;\n char out[out_len];\n\n WSREP_INFO(\"Running: '%s'\", arg->cmd);\n\n wsp::process proc (arg->cmd, \"r\", arg->env);\n\n if (proc.pipe() && !proc.error())\n {\n const char* tmp= my_fgets (out, out_len, proc.pipe());\n\n if (!tmp || strlen(tmp) < (magic_len + 2) ||\n strncasecmp (tmp, magic, magic_len))\n {\n WSREP_ERROR(\"Failed to read '%s <addr>' from: %s\\n\\tRead: '%s'\",\n magic, arg->cmd, tmp);\n proc.wait();\n if (proc.error()) err = proc.error();\n }\n else\n {\n err = 0;\n }\n }\n else\n {\n err = proc.error();\n WSREP_ERROR(\"Failed to execute: %s : %d (%s)\",\n arg->cmd, err, strerror(err));\n }\n\n // signal sst_prepare thread with ret code,\n // it will go on sending SST request\n mysql_mutex_lock (&arg->lock);\n if (!err)\n {\n arg->ret_str = strdup (out + magic_len + 1);\n if (!arg->ret_str) err = ENOMEM;\n }\n arg->err = -err;\n mysql_cond_signal (&arg->cond);\n mysql_mutex_unlock (&arg->lock); //! @note arg is unusable after that.\n\n if (err) return NULL; /* lp:808417 - return immediately, don't signal\n * initializer thread to ensure single thread of\n * shutdown. */\n\n wsrep_uuid_t ret_uuid = WSREP_UUID_UNDEFINED;\n wsrep_seqno_t ret_seqno = WSREP_SEQNO_UNDEFINED;\n\n // in case of successfull receiver start, wait for SST completion/end\n char* tmp = my_fgets (out, out_len, proc.pipe());\n\n proc.wait();\n err= EINVAL;\n\n if (!tmp)\n {\n WSREP_ERROR(\"Failed to read uuid:seqno from joiner script.\");\n if (proc.error()) err = proc.error();\n }\n else\n {\n err= sst_scan_uuid_seqno (out, &ret_uuid, &ret_seqno);\n }\n\n if (err)\n {\n ret_uuid= WSREP_UUID_UNDEFINED;\n ret_seqno= -err;\n }\n\n // Tell initializer thread that SST is complete\n wsrep_sst_complete (&ret_uuid, ret_seqno, true);\n }\n\n return NULL;\n}",
- "project": "mysql-wsrep",
- "hash": 217439709963457463119203737558761620939,
- "size": 86,
- "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c",
- "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods",
- "target": 0,
- "dataset": "other",
- "idx": 454798
- },
- {
- "func": "static void* sst_donor_thread (void* a)\n{\n sst_thread_arg* arg= (sst_thread_arg*)a;\n\n WSREP_INFO(\"Running: '%s'\", arg->cmd);\n\n int err= 1;\n bool locked= false;\n\n const char* out= NULL;\n const size_t out_len= 128;\n char out_buf[out_len];\n\n wsrep_uuid_t ret_uuid= WSREP_UUID_UNDEFINED;\n wsrep_seqno_t ret_seqno= WSREP_SEQNO_UNDEFINED; // seqno of complete SST\n\n wsp::thd thd(FALSE); // we turn off wsrep_on for this THD so that it can\n // operate with wsrep_ready == OFF\n wsp::process proc(arg->cmd, \"r\", arg->env);\n\n err= proc.error();\n\n/* Inform server about SST script startup and release TO isolation */\n mysql_mutex_lock (&arg->lock);\n arg->err = -err;\n mysql_cond_signal (&arg->cond);\n mysql_mutex_unlock (&arg->lock); //! @note arg is unusable after that.\n\n if (proc.pipe() && !err)\n {\nwait_signal:\n out= my_fgets (out_buf, out_len, proc.pipe());\n\n if (out)\n {\n const char magic_flush[]= \"flush tables\";\n const char magic_cont[]= \"continue\";\n const char magic_done[]= \"done\";\n\n if (!strcasecmp (out, magic_flush))\n {\n err= sst_flush_tables (thd.ptr);\n if (!err)\n {\n sst_disallow_writes (thd.ptr, true);\n locked= true;\n goto wait_signal;\n }\n }\n else if (!strcasecmp (out, magic_cont))\n {\n if (locked)\n {\n sst_disallow_writes (thd.ptr, false);\n thd.ptr->global_read_lock.unlock_global_read_lock (thd.ptr);\n locked= false;\n }\n err= 0;\n goto wait_signal;\n }\n else if (!strncasecmp (out, magic_done, strlen(magic_done)))\n {\n err= sst_scan_uuid_seqno (out + strlen(magic_done) + 1,\n &ret_uuid, &ret_seqno);\n }\n else\n {\n WSREP_WARN(\"Received unknown signal: '%s'\", out);\n }\n }\n else\n {\n WSREP_ERROR(\"Failed to read from: %s\", proc.cmd());\n proc.wait();\n }\n if (!err && proc.error()) err= proc.error();\n }\n else\n {\n WSREP_ERROR(\"Failed to execute: %s : %d (%s)\",\n proc.cmd(), err, strerror(err));\n }\n\n if (locked) // don't forget to unlock server before return\n {\n sst_disallow_writes 
(thd.ptr, false);\n thd.ptr->global_read_lock.unlock_global_read_lock (thd.ptr);\n }\n\n // signal to donor that SST is over\n struct wsrep_gtid const state_id = {\n ret_uuid, err ? WSREP_SEQNO_UNDEFINED : ret_seqno\n };\n wsrep->sst_sent (wsrep, &state_id, -err);\n proc.wait();\n\n return NULL;\n}",
- "project": "mysql-wsrep",
- "hash": 38855360678351805483746364703237574356,
- "size": 98,
- "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c",
- "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods",
- "target": 0,
- "dataset": "other",
- "idx": 454815
- },
- {
- "func": "static int run_sql_command(THD *thd, const char *query)\n{\n thd->set_query((char *)query, strlen(query));\n\n Parser_state ps;\n if (ps.init(thd, thd->query(), thd->query_length()))\n {\n WSREP_ERROR(\"SST query: %s failed\", query);\n return -1;\n }\n\n mysql_parse(thd, thd->query(), thd->query_length(), &ps);\n if (thd->is_error())\n {\n int const err= thd->get_stmt_da()->sql_errno();\n WSREP_WARN (\"error executing '%s': %d (%s)%s\",\n query, err, thd->get_stmt_da()->message(),\n err == ER_UNKNOWN_SYSTEM_VARIABLE ?\n \". Was mysqld built with --with-innodb-disallow-writes ?\" : \"\");\n thd->clear_error();\n return -1;\n }\n return 0;\n}",
- "project": "mysql-wsrep",
- "hash": 37295695973040892266835162114095774711,
- "size": 24,
- "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c",
- "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods",
- "target": 0,
- "dataset": "other",
- "idx": 454791
- },
- {
- "func": "static void sst_disallow_writes (THD* thd, bool yes)\n{\n char query_str[64] = { 0, };\n ssize_t const query_max = sizeof(query_str) - 1;\n snprintf (query_str, query_max, \"SET GLOBAL innodb_disallow_writes=%d\",\n yes ? 1 : 0);\n\n if (run_sql_command(thd, query_str))\n {\n WSREP_ERROR(\"Failed to disallow InnoDB writes\");\n }\n}",
- "project": "mysql-wsrep",
- "hash": 300071219344737688107883953353829541766,
- "size": 12,
- "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c",
- "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods",
- "target": 0,
- "dataset": "other",
- "idx": 454794
- },
- {
- "func": "void wsrep_sst_complete (const wsrep_uuid_t* sst_uuid,\n wsrep_seqno_t sst_seqno,\n bool needed)\n{\n if (mysql_mutex_lock (&LOCK_wsrep_sst)) abort();\n if (!sst_complete)\n {\n sst_complete = true;\n sst_needed = needed;\n local_uuid = *sst_uuid;\n local_seqno = sst_seqno;\n mysql_cond_signal (&COND_wsrep_sst);\n }\n else\n {\n /* This can happen when called from wsrep_synced_cb().\n At the moment there is no way to check there\n if main thread is still waiting for signal,\n so wsrep_sst_complete() is called from there\n each time wsrep_ready changes from FALSE -> TRUE.\n */\n WSREP_DEBUG(\"Nobody is waiting for SST.\");\n }\n mysql_mutex_unlock (&LOCK_wsrep_sst);\n}",
- "project": "mysql-wsrep",
- "hash": 261387592869957718631605446779087108833,
- "size": 25,
- "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c",
- "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods",
- "target": 0,
- "dataset": "other",
- "idx": 454812
- },
- {
- "func": "static char* my_fgets (char* buf, size_t buf_len, FILE* stream)\n{\n char* ret= fgets (buf, buf_len, stream);\n\n if (ret)\n {\n size_t len = strlen(ret);\n if (len > 0 && ret[len - 1] == '\\n') ret[len - 1] = '\\0';\n }\n\n return ret;\n}",
- "project": "mysql-wsrep",
- "hash": 230996557064736561789330414529743929038,
- "size": 12,
- "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c",
- "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods",
- "target": 0,
- "dataset": "other",
- "idx": 454816
- },
- {
- "func": "static int sst_scan_uuid_seqno (const char* str,\n wsrep_uuid_t* uuid, wsrep_seqno_t* seqno)\n{\n int offt = wsrep_uuid_scan (str, strlen(str), uuid);\n if (offt > 0 && strlen(str) > (unsigned int)offt && ':' == str[offt])\n {\n *seqno = strtoll (str + offt + 1, NULL, 10);\n if (*seqno != LLONG_MAX || errno != ERANGE)\n {\n return 0;\n }\n }\n\n WSREP_ERROR(\"Failed to parse uuid:seqno pair: '%s'\", str);\n return EINVAL;\n}",
- "project": "mysql-wsrep",
- "hash": 178394032981522595047583967498590201062,
- "size": 16,
- "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c",
- "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods",
- "target": 0,
- "dataset": "other",
- "idx": 454803
- },
- {
- "func": "static int sst_flush_tables(THD* thd)\n{\n WSREP_INFO(\"Flushing tables for SST...\");\n\n int err;\n int not_used;\n if (run_sql_command(thd, \"FLUSH TABLES WITH READ LOCK\"))\n {\n WSREP_ERROR(\"Failed to flush and lock tables\");\n err = -1;\n }\n else\n {\n /* make sure logs are flushed after global read lock acquired */\n err= reload_acl_and_cache(thd, REFRESH_ENGINE_LOG | REFRESH_BINARY_LOG,\n\t\t\t (TABLE_LIST*) 0, ¬_used);\n }\n\n if (err)\n {\n WSREP_ERROR(\"Failed to flush tables: %d (%s)\", err, strerror(err));\n }\n else\n {\n WSREP_INFO(\"Tables flushed.\");\n const char base_name[]= \"tables_flushed\";\n ssize_t const full_len= strlen(mysql_real_data_home) + strlen(base_name)+2;\n char *real_name = (char*) malloc(full_len);\n sprintf(real_name, \"%s/%s\", mysql_real_data_home, base_name);\n char *tmp_name = (char*) malloc(full_len + 4);\n sprintf(tmp_name, \"%s.tmp\", real_name);\n\n FILE* file= fopen(tmp_name, \"w+\");\n if (0 == file)\n {\n err= errno;\n WSREP_ERROR(\"Failed to open '%s': %d (%s)\", tmp_name, err,strerror(err));\n }\n else\n {\n fprintf(file, \"%s:%lld\\n\",\n wsrep_cluster_state_uuid, (long long)wsrep_locked_seqno);\n fsync(fileno(file));\n fclose(file);\n if (rename(tmp_name, real_name) == -1)\n {\n err= errno;\n WSREP_ERROR(\"Failed to rename '%s' to '%s': %d (%s)\",\n tmp_name, real_name, err,strerror(err));\n }\n }\n free(real_name);\n free(tmp_name);\n }\n\n return err;\n}",
- "project": "mysql-wsrep",
- "hash": 340238269756931424095419272594003794219,
- "size": 57,
- "commit_id": "4ea4b0c6a318209ac09b15aaa906c7b4a13b988c",
- "message": "codership/mysql-wsrep-bugs#758 Donor uses invalid SST methods",
- "target": 0,
- "dataset": "other",
- "idx": 454777
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "APar_ExtractDetails",
- "APar_ExtractTrackDetails",
- "APar_Extract_esds_Info",
- "APar_skip_filler"
- ],
- "group_size": 18,
- "functions": [
- {
- "func": "uint16_t purge_extraneous_characters(char *data) {\n uint16_t purgings = 0;\n uint16_t str_len = strlen(data);\n for (uint16_t str_offset = 0; str_offset < str_len; str_offset++) {\n if (data[str_offset] < 32 || data[str_offset] == 127) {\n data[str_offset] = 19;\n purgings++;\n break;\n }\n }\n return purgings;\n}",
- "project": "atomicparsley",
- "hash": 101683490117903831020536704146633947144,
- "size": 12,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417014
- },
- {
- "func": "uint8_t APar_skip_filler(FILE *isofile, uint32_t start_position) {\n uint8_t skip_bytes = 0;\n\n while (true) {\n uint8_t eval_byte = APar_read8(isofile, start_position + skip_bytes);\n\n if (eval_byte == 0x80 || eval_byte == 0x81 ||\n eval_byte == 0xFE) { // seems sometimes QT writes 0x81\n skip_bytes++;\n } else {\n break;\n }\n }\n return skip_bytes;\n}",
- "project": "atomicparsley",
- "hash": 62628116556512224921278752125499736093,
- "size": 15,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417016
- },
- {
- "func": "void APar_Extract_devc_Info(FILE *isofile,\n short track_level_atom,\n TrackInfo *track_info) {\n uint64_t offset_into_devc = 8;\n APar_readX(track_info->encoder_name,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart + offset_into_devc,\n 4);\n return;\n}",
- "project": "atomicparsley",
- "hash": 191832240744506458608612189209332629083,
- "size": 10,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417006
- },
- {
- "func": "void APar_ExtractTrackDetails(char *uint32_buffer,\n FILE *isofile,\n Trackage *track,\n TrackInfo *track_info) {\n uint64_t _offset = 0;\n\n APar_TrackLevelInfo(track, \"tkhd\");\n if (APar_read8(isofile, parsedAtoms[track->track_atom].AtomicStart + 8) ==\n 0) {\n if (APar_read8(isofile, parsedAtoms[track->track_atom].AtomicStart + 11) &\n 1) {\n track_info->track_enabled = true;\n }\n track_info->creation_time =\n APar_read32(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 12);\n track_info->modified_time =\n APar_read32(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 16);\n track_info->duration =\n APar_read32(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 28);\n } else {\n track_info->creation_time =\n APar_read64(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 12);\n track_info->modified_time =\n APar_read64(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 20);\n track_info->duration =\n APar_read64(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 36);\n }\n\n // language code\n APar_TrackLevelInfo(track, \"mdhd\");\n memset(uint32_buffer, 0, 5);\n uint16_t packed_language = APar_read16(\n uint32_buffer, isofile, parsedAtoms[track->track_atom].AtomicStart + 28);\n memset(track_info->unpacked_lang, 0, 4);\n APar_UnpackLanguage(\n track_info->unpacked_lang,\n packed_language); // http://www.w3.org/WAI/ER/IG/ert/iso639.htm\n\n // track handler type\n APar_TrackLevelInfo(track, \"hdlr\");\n memset(uint32_buffer, 0, 5);\n track_info->track_type = APar_read32(\n uint32_buffer, isofile, parsedAtoms[track->track_atom].AtomicStart + 16);\n if (track_info->track_type == 0x736F756E) { // soun\n track_info->type_of_track = AUDIO_TRACK;\n } else if (track_info->track_type == 0x76696465) { // vide\n track_info->type_of_track = VIDEO_TRACK;\n }\n if (parsedAtoms[track->track_atom].AtomicLength > 34) {\n 
memset(track_info->track_hdlr_name, 0, sizeof(track_info->track_hdlr_name));\n APar_readX(track_info->track_hdlr_name,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + 32,\n std::min((uint64_t)sizeof(track_info->track_hdlr_name),\n parsedAtoms[track->track_atom].AtomicLength - 32));\n }\n\n // codec section\n APar_TrackLevelInfo(track, \"stsd\");\n memset(uint32_buffer, 0, 5);\n track_info->track_codec = APar_read32(\n uint32_buffer, isofile, parsedAtoms[track->track_atom].AtomicStart + 20);\n\n if (track_info->type_of_track & VIDEO_TRACK) { // vide\n track_info->video_width =\n APar_read16(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom + 1].AtomicStart + 32);\n track_info->video_height =\n APar_read16(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom + 1].AtomicStart + 34);\n track_info->macroblocks =\n (track_info->video_width / 16) * (track_info->video_height / 16);\n\n // avc profile & level\n if (track_info->track_codec == 0x61766331 ||\n track_info->track_codec == 0x64726D69) { // avc1 or drmi\n track_info->contains_esds = false;\n APar_TrackLevelInfo(track, \"avcC\");\n // get avc1 profile/level; atom 'avcC' is :\n // byte 1\tconfigurationVersion byte 2\tAVCProfileIndication byte 3\n // profile_compatibility byte 4\tAVCLevelIndication\n track_info->avc_version =\n APar_read8(isofile, parsedAtoms[track->track_atom].AtomicStart + 8);\n if (track_info->avc_version == 1) {\n track_info->profile =\n APar_read8(isofile, parsedAtoms[track->track_atom].AtomicStart + 9);\n // uint8_t profile_compatibility = APar_read8(isofile,\n // parsedAtoms[track.track_atom].AtomicStart + 10); /* is this reserved\n // ?? 
*/\n track_info->level = APar_read8(\n isofile, parsedAtoms[track->track_atom].AtomicStart + 11);\n }\n\n // avc1 doesn't have a hardcoded bitrate, so calculate it (off of stsz\n // table summing) later\n } else if (track_info->track_codec == 0x73323633) { // s263\n APar_TrackLevelInfo(track, \"d263\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"d263\", 4) == 0) {\n APar_Extract_d263_Info(\n uint32_buffer, isofile, track->track_atom, track_info);\n }\n\n } else { // mp4v\n APar_TrackLevelInfo(track, \"esds\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"esds\", 4) == 0) {\n APar_Extract_esds_Info(\n uint32_buffer,\n isofile,\n track->track_atom - 1,\n track_info); // right, backtrack to the atom before 'esds' so we can\n // offset_into_stsd++\n } else if (track_info->track_codec == 0x73323633) { // s263\n track_info->type_of_track = VIDEO_TRACK;\n } else if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762 ||\n track_info->track_codec == 0x73617770 ||\n track_info->track_codec ==\n 0x73766D72) { // samr, sawb, sawp & svmr\n track_info->type_of_track = AUDIO_TRACK;\n } else {\n track_info->type_of_track = OTHER_TRACK; // a 'jpeg' track will fall\n // here\n }\n }\n\n } else if (track_info->type_of_track & AUDIO_TRACK) {\n if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762 ||\n track_info->track_codec == 0x73617770 ||\n track_info->track_codec ==\n 0x73766D72) { // samr,sawb, svmr (sawp doesn't contain modes)\n APar_Extract_AMR_Info(\n uint32_buffer, isofile, track->track_atom + 2, track_info);\n\n } else if (track_info->track_codec == 0x73657663) { // sevc\n APar_TrackLevelInfo(track, \"devc\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"devc\", 4) == 0) {\n APar_Extract_devc_Info(isofile, track->track_atom, track_info);\n }\n\n } else if (track_info->track_codec == 0x73716370) { // sqcp\n APar_TrackLevelInfo(track, \"dqcp\");\n if 
(memcmp(parsedAtoms[track->track_atom].AtomicName, \"dqcp\", 4) == 0) {\n APar_Extract_devc_Info(isofile,\n track->track_atom,\n track_info); // its the same thing\n }\n\n } else if (track_info->track_codec == 0x73736D76) { // ssmv\n APar_TrackLevelInfo(track, \"dsmv\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"dsmv\", 4) == 0) {\n APar_Extract_devc_Info(isofile,\n track->track_atom,\n track_info); // its the same thing\n }\n\n } else {\n APar_Extract_esds_Info(\n uint32_buffer, isofile, track->track_atom, track_info);\n }\n }\n\n // in case bitrate isn't found, manually determine it off of stsz summing\n if ((track_info->type_of_track & AUDIO_TRACK ||\n track_info->type_of_track & VIDEO_TRACK) &&\n track_info->avg_bitrate == 0) {\n if (track_info->track_codec == 0x616C6163) { // alac\n track_info->channels =\n APar_read16(uint32_buffer,\n isofile,\n parsedAtoms[track->track_atom + 1].AtomicStart + 24);\n }\n }\n\n APar_TrackLevelInfo(track, \"stsz\");\n if (memcmp(parsedAtoms[track->track_atom].AtomicName, \"stsz\", 4) == 0) {\n track_info->sample_aggregate =\n calcuate_sample_size(uint32_buffer, isofile, track->track_atom);\n }\n\n // get what exactly 'drmX' stands in for\n if (track_info->track_codec >= 0x64726D00 &&\n track_info->track_codec <= 0x64726DFF) {\n track_info->type_of_track += DRM_PROTECTED_TRACK;\n APar_TrackLevelInfo(track, \"frma\");\n memset(uint32_buffer, 0, 5);\n track_info->protected_codec = APar_read32(\n uint32_buffer, isofile, parsedAtoms[track->track_atom].AtomicStart + 8);\n }\n\n // Encoder string; occasionally, it appears under stsd for a video track; it\n // is typcally preceded by ' ' (1st char is unprintable) or 0x01B2\n if (track_info->contains_esds) {\n APar_TrackLevelInfo(track, \"esds\");\n\n // technically, user_data_start_code should be tested aginst 0x000001B2;\n // TODO: it should only be read up to section 3's length too\n _offset = APar_FindValueInAtom(\n uint32_buffer, isofile, track->track_atom, 24, 
0x01B2);\n\n if (_offset > 0 && _offset < parsedAtoms[track->track_atom].AtomicLength) {\n _offset += 2;\n memset(track_info->encoder_name,\n 0,\n parsedAtoms[track->track_atom].AtomicLength - _offset);\n APar_readX(track_info->encoder_name,\n isofile,\n parsedAtoms[track->track_atom].AtomicStart + _offset,\n parsedAtoms[track->track_atom].AtomicLength - _offset);\n }\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 127721703970755291690436684429299715513,
- "size": 227,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417020
- },
- {
- "func": "void APar_ExtractMovieDetails(char *uint32_buffer,\n FILE *isofile,\n AtomicInfo *mvhd_atom) {\n if (mvhd_atom->AtomicVerFlags & 0x01000000) {\n movie_info.creation_time =\n APar_read64(uint32_buffer, isofile, mvhd_atom->AtomicStart + 12);\n movie_info.modified_time =\n APar_read64(uint32_buffer, isofile, mvhd_atom->AtomicStart + 20);\n movie_info.timescale =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 28);\n movie_info.duration =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 32);\n movie_info.timescale =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 36);\n movie_info.duration =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 40);\n movie_info.playback_rate =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 44);\n movie_info.volume =\n APar_read16(uint32_buffer, isofile, mvhd_atom->AtomicStart + 48);\n } else {\n movie_info.creation_time = (uint64_t)APar_read32(\n uint32_buffer, isofile, mvhd_atom->AtomicStart + 12);\n movie_info.modified_time = (uint64_t)APar_read32(\n uint32_buffer, isofile, mvhd_atom->AtomicStart + 16);\n movie_info.timescale =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 20);\n movie_info.duration =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 24);\n movie_info.playback_rate =\n APar_read32(uint32_buffer, isofile, mvhd_atom->AtomicStart + 28);\n movie_info.volume =\n APar_read16(uint32_buffer, isofile, mvhd_atom->AtomicStart + 32);\n }\n\n movie_info.seconds = (float)movie_info.duration / (float)movie_info.timescale;\n#if defined(_MSC_VER)\n __int64 media_bits = (__int64)mdatData * 8;\n#else\n uint64_t media_bits = (uint64_t)mdatData * 8;\n#endif\n movie_info.simple_bitrate_calc =\n ((double)media_bits / movie_info.seconds) / 1000.0;\n\n return;\n}",
- "project": "atomicparsley",
- "hash": 42901587396681727887008920962788444091,
- "size": 46,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417005
- },
- {
- "func": "void APar_TrackLevelInfo(Trackage *track, const char *track_search_atom_name) {\n uint8_t track_tally = 0;\n short iter = 0;\n\n while (parsedAtoms[iter].NextAtomNumber != 0) {\n\n if (strncmp(parsedAtoms[iter].AtomicName, \"trak\", 4) == 0) {\n track_tally += 1;\n if (track->track_num == 0) {\n track->total_tracks += 1;\n\n } else if (track->track_num == track_tally) {\n\n short next_atom = parsedAtoms[iter].NextAtomNumber;\n while (parsedAtoms[next_atom].AtomicLevel >\n parsedAtoms[iter].AtomicLevel) {\n\n if (strncmp(parsedAtoms[next_atom].AtomicName,\n track_search_atom_name,\n 4) == 0) {\n\n track->track_atom = parsedAtoms[next_atom].AtomicNumber;\n return;\n } else {\n next_atom = parsedAtoms[next_atom].NextAtomNumber;\n }\n if (parsedAtoms[next_atom].AtomicLevel ==\n parsedAtoms[iter].AtomicLevel) {\n track->track_atom = 0;\n }\n }\n }\n }\n iter = parsedAtoms[iter].NextAtomNumber;\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 122636019844906488610343867539066292935,
- "size": 37,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417011
- },
- {
- "func": "void APar_ShowMPEG4VisualProfileInfo(TrackInfo *track_info) {\n fprintf(stdout, \" MPEG-4 Visual \");\n uint8_t mp4v_profile = 0;\n if (movie_info.contains_iods) {\n mp4v_profile = iods_info.video_profile_level;\n } else {\n mp4v_profile = track_info->m4v_profile;\n }\n\n // unparalleled joy - Annex G table g1 - a binary listing (this from\n // 14496-2:2001)\n if (mp4v_profile == 0x01) {\n fprintf(stdout, \"Simple Profile, Level 1\"); // 00000001\n } else if (mp4v_profile == 0x02) {\n fprintf(stdout, \"Simple Profile, Level 2\"); // 00000010\n } else if (mp4v_profile == 0x03) {\n fprintf(stdout,\n \"Simple Profile, Level 3\"); // most files will land here //00000011\n\n } else if (mp4v_profile == 0x08) { // Compressor can create these in 3gp files\n fprintf(stdout, \"Simple Profile, Level 0\"); // ISO 14496-2:2004(e)\n // //00001000\n\n // Reserved 00000100 - 00000111\n } else if (mp4v_profile == 0x10) {\n fprintf(stdout, \"Simple Scalable Profile, Level 0\"); // 00010000\n } else if (mp4v_profile == 0x11) {\n fprintf(stdout, \"Simple Scalable Profile, Level 1\"); // 00010001\n } else if (mp4v_profile == 0x12) {\n fprintf(stdout, \"Simple Scalable Profile, Level 2\"); // 00010010\n\n // Reserved 00010011 - 00100000\n } else if (mp4v_profile == 0x21) {\n fprintf(stdout, \"Core Profile, Level 1\"); // 00100001\n } else if (mp4v_profile == 0x22) {\n fprintf(stdout, \"Core Profile, Level 2\"); // 00100010\n\n // Reserved 00100011 - 00110001\n } else if (mp4v_profile == 0x32) {\n fprintf(stdout, \"Main Profile, Level 2\"); // 00110010\n } else if (mp4v_profile == 0x33) {\n fprintf(stdout, \"Main Profile, Level 3\"); // 00110011\n } else if (mp4v_profile == 0x34) {\n fprintf(stdout, \"Main Profile, Level 4\"); // 00110100\n\n // Reserved 00110101 - 01000001\n } else if (mp4v_profile == 0x42) {\n fprintf(stdout, \"N-bit Profile, Level 2\"); // 01000010\n\n // Reserved 01000011 - 01010000\n } else if (mp4v_profile == 0x51) {\n fprintf(stdout, \"Scalable Texture 
Profile, Level 1\"); // 01010001\n\n // Reserved 01010010 - 01100000\n } else if (mp4v_profile == 0x61) {\n fprintf(stdout, \"Simple Face Animation, Level 1\"); // 01100001\n } else if (mp4v_profile == 0x62) {\n fprintf(stdout, \"Simple Face Animation, Level 2\"); // 01100010\n\n } else if (mp4v_profile == 0x63) {\n fprintf(stdout, \"Simple FBA Profile, Level 1\"); // 01100011\n } else if (mp4v_profile == 0x64) {\n fprintf(stdout, \"Simple FBA Profile, Level 2\"); // 01100100\n\n // Reserved 01100101 - 01110000\n } else if (mp4v_profile == 0x71) {\n fprintf(stdout, \"Basic Animated Texture Profile, Level 1\"); // 01110001\n } else if (mp4v_profile == 0x72) {\n fprintf(stdout, \"Basic Animated Texture Profile, Level 2\"); // 01110010\n\n // Reserved 01110011 - 10000000\n } else if (mp4v_profile == 0x81) {\n fprintf(stdout, \"Hybrid Profile, Level 1\"); // 10000001\n } else if (mp4v_profile == 0x82) {\n fprintf(stdout, \"Hybrid Profile, Level 2\"); // 10000010\n\n // Reserved 10000011 - 10010000\n } else if (mp4v_profile == 0x91) {\n fprintf(stdout, \"Advanced Real Time Simple Profile, Level 1\"); // 10010001\n } else if (mp4v_profile == 0x92) {\n fprintf(stdout, \"Advanced Real Time Simple Profile, Level 2\"); // 10010010\n } else if (mp4v_profile == 0x93) {\n fprintf(stdout, \"Advanced Real Time Simple Profile, Level 3\"); // 10010011\n } else if (mp4v_profile == 0x94) {\n fprintf(stdout, \"Advanced Real Time Simple Profile, Level 4\"); // 10010100\n\n // Reserved 10010101 - 10100000\n } else if (mp4v_profile == 0xA1) {\n fprintf(stdout, \"Core Scalable Profile, Level 1\"); // 10100001\n } else if (mp4v_profile == 0xA2) {\n fprintf(stdout, \"Core Scalable Profile, Level 2\"); // 10100010\n } else if (mp4v_profile == 0xA3) {\n fprintf(stdout, \"Core Scalable Profile, Level 3\"); // 10100011\n\n // Reserved 10100100 - 10110000\n } else if (mp4v_profile == 0xB1) {\n fprintf(stdout, \"Advanced Coding Efficiency Profile, Level 1\"); // 10110001\n } else if (mp4v_profile 
== 0xB2) {\n fprintf(stdout, \"Advanced Coding Efficiency Profile, Level 2\"); // 10110010\n } else if (mp4v_profile == 0xB3) {\n fprintf(stdout, \"Advanced Coding Efficiency Profile, Level 3\"); // 10110011\n } else if (mp4v_profile == 0xB4) {\n fprintf(stdout, \"Advanced Coding Efficiency Profile, Level 4\"); // 10110100\n\n // Reserved 10110101 11000000\n } else if (mp4v_profile == 0xC1) {\n fprintf(stdout, \"Advanced Core Profile, Level 1\"); // 11000001\n } else if (mp4v_profile == 0xC2) {\n fprintf(stdout, \"Advanced Core Profile, Level 2\"); // 11000010\n\n // Reserved 11000011 11010000\n } else if (mp4v_profile == 0xD1) {\n fprintf(stdout, \"Advanced Scalable Texture, Level 1\"); // 11010001\n } else if (mp4v_profile == 0xD2) {\n fprintf(stdout, \"Advanced Scalable Texture, Level 2\"); // 11010010\n } else if (mp4v_profile == 0xD2) {\n fprintf(stdout, \"Advanced Scalable Texture, Level 3\"); // 11010011\n\n // from a draft document - 1999 (earlier than the 2000 above!!)\n } else if (mp4v_profile == 0xE1) {\n fprintf(stdout, \"Simple Studio Profile, Level 1\"); // 11100001\n } else if (mp4v_profile == 0xE2) {\n fprintf(stdout, \"Simple Studio Profile, Level 2\"); // 11100010\n } else if (mp4v_profile == 0xE3) {\n fprintf(stdout, \"Simple Studio Profile, Level 3\"); // 11100011\n } else if (mp4v_profile == 0xE4) {\n fprintf(stdout, \"Simple Studio Profile, Level 4\"); // 11100100\n\n } else if (mp4v_profile == 0xE5) {\n fprintf(stdout, \"Core Studio Profile, Level 1\"); // 11100101\n } else if (mp4v_profile == 0xE6) {\n fprintf(stdout, \"Core Studio Profile, Level 2\"); // 11100110\n } else if (mp4v_profile == 0xE7) {\n fprintf(stdout, \"Core Studio Profile, Level 3\"); // 11100111\n } else if (mp4v_profile == 0xE8) {\n fprintf(stdout, \"Core Studio Profile, Level 4\"); // 11101000\n\n // Reserved 11101001 - 11101111\n // ISO 14496-2:2004(e)\n } else if (mp4v_profile == 0xF0) {\n fprintf(stdout, \"Advanced Simple Profile, Level 0\"); // 11110000\n } else if 
(mp4v_profile == 0xF1) {\n fprintf(stdout, \"Advanced Simple Profile, Level 1\"); // 11110001\n } else if (mp4v_profile == 0xF2) {\n fprintf(\n stdout,\n \"Advanced Simple Profile, Level 2\"); // 11110010 ////3gp files that QT\n // says is H.263 have esds to 0xF2\n // & their ObjectType set to 0x20\n // (mpeg-4 visual)\n ////...and its been figured out -\n /// FILE EXTENSION of all things\n /// determines mpeg-4 ASP or H.263\n } else if (mp4v_profile == 0xF3) {\n fprintf(stdout, \"Advanced Simple Profile, Level 3\"); // 11110011\n } else if (mp4v_profile == 0xF4) {\n fprintf(stdout, \"Advanced Simple Profile, Level 4\"); // 11110100\n } else if (mp4v_profile == 0xF5) {\n fprintf(stdout, \"Advanced Simple Profile, Level 5\"); // 11110101\n\n // Reserved 11110110\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Advanced Simple Profile, Level 3b\"); // 11110111\n\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 0\"); // 11111000\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 1\"); // 11111001\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 2\"); // 11111010\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 3\"); // 11111011\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 4\"); // 11111100\n } else if (mp4v_profile == 0xF7) {\n fprintf(stdout, \"Fine Granularity Scalable Profile/Level 5\"); // 11111101\n\n // Reserved 11111110\n // Reserved for Escape 11111111\n\n } else {\n fprintf(stdout, \"Unknown profile: 0x%X\", mp4v_profile);\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 266341568058411294601031432860065260063,
- "size": 185,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417022
- },
- {
- "func": "uint8_t APar_ExtractChannelInfo(FILE *isofile, uint32_t pos) {\n uint8_t packed_channels = APar_read8(isofile, pos);\n uint8_t unpacked_channels =\n (packed_channels << 1); // just shift the first bit off the table\n unpacked_channels =\n (unpacked_channels >> 4); // and slide it on over back on the uint8_t\n return unpacked_channels;\n}",
- "project": "atomicparsley",
- "hash": 237421857616930203238808630521330313243,
- "size": 8,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417010
- },
- {
- "func": "void APar_ShowMPEG4AACProfileInfo(TrackInfo *track_info) {\n if (track_info->descriptor_object_typeID == 1) {\n fprintf(stdout, \" MPEG-4 AAC Main Profile\");\n } else if (track_info->descriptor_object_typeID == 2) {\n fprintf(\n stdout,\n \" MPEG-4 AAC Low Complexity/LC Profile\"); // most files will land here\n } else if (track_info->descriptor_object_typeID == 3) {\n fprintf(stdout, \" MPEG-4 AAC Scaleable Sample Rate/SSR Profile\");\n } else if (track_info->descriptor_object_typeID == 4) {\n fprintf(stdout, \" MPEG-4 AAC Long Term Prediction Profile\");\n } else if (track_info->descriptor_object_typeID == 5) {\n fprintf(stdout, \" MPEG-4 AAC High Efficiency/HE Profile\");\n } else if (track_info->descriptor_object_typeID == 6) {\n fprintf(stdout, \" MPEG-4 AAC Scalable Profile\");\n } else if (track_info->descriptor_object_typeID == 7) {\n fprintf(stdout,\n \" MPEG-4 AAC Transform domain Weighted INterleave Vector \"\n \"Quantization/TwinVQ Profile\");\n } else if (track_info->descriptor_object_typeID == 8) {\n fprintf(stdout, \" MPEG-4 AAC Code Excited Linear Predictive/CELP Profile\");\n } else if (track_info->descriptor_object_typeID == 9) {\n fprintf(stdout, \" MPEG-4 AAC HVXC Profile\");\n\n } else if (track_info->descriptor_object_typeID == 12) {\n fprintf(stdout, \" MPEG-4 AAC TTSI Profile\");\n } else if (track_info->descriptor_object_typeID == 13) {\n fprintf(stdout, \" MPEG-4 AAC Main Synthesis Profile\");\n } else if (track_info->descriptor_object_typeID == 14) {\n fprintf(stdout, \" MPEG-4 AAC Wavetable Synthesis Profile\");\n } else if (track_info->descriptor_object_typeID == 15) {\n fprintf(stdout, \" MPEG-4 AAC General MIDI Profile\");\n } else if (track_info->descriptor_object_typeID == 16) {\n fprintf(stdout, \" MPEG-4 AAC Algorithmic Synthesis & Audio FX Profile\");\n } else if (track_info->descriptor_object_typeID == 17) {\n fprintf(stdout,\n \" MPEG-4 AAC AAC Low Complexity/LC (+error recovery) Profile\");\n\n } else if 
(track_info->descriptor_object_typeID == 19) {\n fprintf(stdout,\n \" MPEG-4 AAC Long Term Prediction (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 20) {\n fprintf(stdout, \" MPEG-4 AAC Scalable (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 21) {\n fprintf(stdout,\n \" MPEG-4 AAC Transform domain Weighted INterleave Vector \"\n \"Quantization/TwinVQ (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 22) {\n fprintf(stdout,\n \" MPEG-4 AAC Bit Sliced Arithmetic Coding/BSAC (+error \"\n \"recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 23) {\n fprintf(stdout, \" MPEG-4 AAC Low Delay/LD (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 24) {\n fprintf(stdout,\n \" MPEG-4 AAC Code Excited Linear Predictive/CELP (+error \"\n \"recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 25) {\n fprintf(stdout, \" MPEG-4 AAC HXVC (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 26) {\n fprintf(stdout,\n \" MPEG-4 AAC Harmonic and Individual Lines plus \"\n \"Noise/HILN (+error recovery) Profile\");\n } else if (track_info->descriptor_object_typeID == 27) {\n fprintf(stdout, \" MPEG-4 AAC Parametric (+error recovery) Profile\");\n\n } else if (track_info->descriptor_object_typeID == 31) {\n fprintf(\n stdout,\n \" MPEG-4 ALS Audio Lossless Coding\"); // I think that mp4alsRM18 writes\n // the channels wrong after\n // objectedID: 0xF880 has 0\n // channels; 0xF890 is 2ch\n } else {\n fprintf(stdout,\n \" MPEG-4 Unknown profile: 0x%X\",\n track_info->descriptor_object_typeID);\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 165598504010110280304160833310444978647,
- "size": 80,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417019
- },
- {
- "func": "void APar_ShowObjectProfileInfo(uint8_t track_type, TrackInfo *track_info) {\n if (track_info->contains_esds) {\n switch (track_info->ObjectTypeIndication) {\n // 0x00 es Lambada/Verboten/Forbidden\n case 0x01:\n case 0x02: {\n fprintf(stdout, \" MPEG-4 Systems (BIFS/ObjDesc)\");\n break;\n }\n case 0x03: {\n fprintf(stdout, \" Interaction Stream\");\n break;\n }\n case 0x04: {\n fprintf(stdout, \" MPEG-4 Systems Extended BIFS\");\n break;\n }\n case 0x05: {\n fprintf(stdout, \" MPEG-4 Systems AFX\");\n break;\n }\n case 0x06: {\n fprintf(stdout, \" Font Data Stream\");\n break;\n }\n case 0x08: {\n fprintf(stdout, \" Synthesized Texture Stream\");\n break;\n }\n case 0x07: {\n fprintf(stdout, \" Streaming Text Stream\");\n break;\n }\n // 0x09-0x1F reserved\n case 0x20: {\n APar_ShowMPEG4VisualProfileInfo(track_info);\n break;\n }\n\n case 0x40: { // vererable mpeg-4 aac\n APar_ShowMPEG4AACProfileInfo(track_info);\n break;\n }\n\n // 0x41-0x5F reserved\n case 0x60: {\n fprintf(stdout,\n \" MPEG-2 Visual Simple Profile\"); //'Visual ISO/IEC 13818-2\n // Simple Profile'\n break;\n }\n case 0x61: {\n fprintf(stdout, \" MPEG-2 Visual Main Profile\"); //'Visual ISO/IEC 13818-2\n // Main Profile'\n break;\n }\n case 0x62: {\n fprintf(\n stdout,\n \" MPEG-2 Visual SNR Profile\"); //'Visual ISO/IEC 13818-2 SNR Profile'\n break;\n }\n case 0x63: {\n fprintf(stdout,\n \" MPEG-2 Visual Spatial Profile\"); //'Visual ISO/IEC 13818-2\n // Spatial Profile'\n break;\n }\n case 0x64: {\n fprintf(stdout, \" MPEG-2 Visual High Profile\"); //'Visual ISO/IEC 13818-2\n // High Profile'\n break;\n }\n case 0x65: {\n fprintf(stdout, \" MPEG-2 Visual 4:2:2 Profile\"); //'Visual ISO/IEC\n // 13818-2 422 Profile'\n break;\n }\n case 0x66: {\n fprintf(\n stdout,\n \" MPEG-2 AAC Main Profile\"); //'Audio ISO/IEC 13818-7 Main Profile'\n break;\n }\n case 0x67: {\n fprintf(stdout,\n \" MPEG-2 AAC Low Complexity Profile\"); // Audio ISO/IEC 13818-7\n // LowComplexity Profile\n 
break;\n }\n case 0x68: {\n fprintf(\n stdout,\n \" MPEG-2 AAC Scaleable Sample Rate Profile\"); //'Audio ISO/IEC\n // 13818-7 Scaleable\n // Sampling Rate\n // Profile'\n break;\n }\n case 0x69: {\n fprintf(stdout, \" MPEG-2 Audio\"); //'Audio ISO/IEC 13818-3'\n break;\n }\n case 0x6A: {\n fprintf(stdout, \" MPEG-1 Visual\"); //'Visual ISO/IEC 11172-2'\n break;\n }\n case 0x6B: {\n fprintf(stdout, \" MPEG-1 Audio\"); //'Audio ISO/IEC 11172-3'\n break;\n }\n case 0x6C: {\n fprintf(stdout, \" JPEG\"); //'Visual ISO/IEC 10918-1'\n break;\n }\n case 0x6D: {\n fprintf(stdout, \" PNG\"); // http://www.mp4ra.org/object.html\n break;\n }\n case 0x6E: {\n fprintf(stdout, \" JPEG2000\"); //'Visual ISO/IEC 15444-1'\n break;\n }\n case 0xA0: {\n fprintf(stdout, \" 3GPP2 EVRC Voice\"); // http://www.mp4ra.org/object.html\n break;\n }\n case 0xA1: {\n fprintf(stdout, \" 3GPP2 SMV Voice\"); // http://www.mp4ra.org/object.html\n break;\n }\n case 0xA2: {\n fprintf(\n stdout,\n \" 3GPP2 Compact Multimedia Format\"); // http://www.mp4ra.org/object.html\n break;\n }\n\n // 0xC0-0xE0 user private\n case 0xE1: {\n fprintf(stdout,\n \" 3GPP2 QCELP (14K Voice)\"); // http://www.mp4ra.org/object.html\n break;\n }\n // 0xE2-0xFE user private\n // 0xFF no object type specified\n\n default: {\n // so many profiles, so little desire to list them all (in 14496-2 which I\n // don't have)\n if (movie_info.contains_iods && iods_info.audio_profile == 0xFE) {\n fprintf(stdout,\n \" Private user object: 0x%X\",\n track_info->ObjectTypeIndication);\n } else {\n fprintf(\n stdout,\n \" Object Type Indicator: 0x%X Description Ojbect Type ID: 0x%X\\n\",\n track_info->ObjectTypeIndication,\n track_info->descriptor_object_typeID);\n }\n break;\n }\n }\n\n } else if (track_type == AVC1_TRACK) {\n // profiles & levels are in the 14496-10 pdf (which I don't have access to),\n // so... 
http://lists.mpegif.org/pipermail/mp4-tech/2006-January/006255.html\n // http://iphome.hhi.de/suehring/tml/doc/lenc/html/configfile_8c-source.html\n // 66=baseline, 77=main, 88=extended; 100=High, 110=High 10, 122=High 4:2:2,\n // 144=High 4:4:4\n\n switch (track_info->profile) {\n case 66: {\n fprintf(stdout, \" AVC Baseline Profile\");\n break;\n }\n case 77: {\n fprintf(stdout, \" AVC Main Profile\");\n break;\n }\n case 88: {\n fprintf(stdout, \" AVC Extended Profile\");\n break;\n }\n case 100: {\n fprintf(stdout, \" AVC High Profile\");\n break;\n }\n case 110: {\n fprintf(stdout, \" AVC High 10 Profile\");\n break;\n }\n case 122: {\n fprintf(stdout, \" AVC High 4:2:2 Profile\");\n break;\n }\n case 144: {\n fprintf(stdout, \" AVC High 4:4:4 Profile\");\n break;\n }\n default: {\n fprintf(stdout, \" Unknown Profile: %u\", track_info->profile);\n break;\n }\n } // end profile switch\n\n // Don't have access to levels either, but working off of:\n // http://iphome.hhi.de/suehring/tml/doc/lenc/html/configfile_8c-source.html\n\n // and the 15 levels it says here:\n // http://www.chiariglione.org/mpeg/technologies/mp04-avc/index.htm (1b in\n // http://en.wikipedia.org/wiki/H.264 seems nonsensical) working backwards,\n // we get... 
a simple 2 digit number (with '20' just drop the 0; with 21,\n // put in a decimal)\n if (track_info->level > 0) {\n switch (track_info->level) {\n case 10:\n case 20:\n case 30:\n case 40:\n case 50: {\n fprintf(stdout, \", Level %u\", track_info->level / 10);\n break;\n }\n case 11:\n case 12:\n case 13:\n case 21:\n case 22:\n case 31:\n case 32:\n case 41:\n case 42:\n case 51: {\n fprintf(stdout,\n \", Level %u.%u\",\n track_info->level / 10,\n track_info->level % 10);\n break;\n }\n default: {\n fprintf(stdout,\n \", Unknown level %u.%u\",\n track_info->level / 10,\n track_info->level % 10);\n }\n\n } // end switch\n } // end level if\n } else if (track_type == S_AMR_TRACK) {\n char amr_modes[500] = {};\n if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762) {\n if (track_info->amr_modes & 0x0001)\n mem_append(\"0\", amr_modes);\n if (track_info->amr_modes & 0x0002)\n mem_append(\"1\", amr_modes);\n if (track_info->amr_modes & 0x0004)\n mem_append(\"2\", amr_modes);\n if (track_info->amr_modes & 0x0008)\n mem_append(\"3\", amr_modes);\n if (track_info->amr_modes & 0x0010)\n mem_append(\"4\", amr_modes);\n if (track_info->amr_modes & 0x0020)\n mem_append(\"5\", amr_modes);\n if (track_info->amr_modes & 0x0040)\n mem_append(\"6\", amr_modes);\n if (track_info->amr_modes & 0x0080)\n mem_append(\"7\", amr_modes);\n if (track_info->amr_modes & 0x0100)\n mem_append(\"8\", amr_modes);\n if (strlen(amr_modes) == 0)\n memcpy(amr_modes, \"none\", 4);\n } else if (track_info->track_codec == 0x73766D72) {\n if (track_info->amr_modes & 0x0001)\n mem_append(\"VMR-WB Mode 0, \", amr_modes);\n if (track_info->amr_modes & 0x0002)\n mem_append(\"VMR-WB Mode 1, \", amr_modes);\n if (track_info->amr_modes & 0x0004)\n mem_append(\"VMR-WB Mode 2, \", amr_modes);\n if (track_info->amr_modes & 0x0008)\n mem_append(\"VMR-WB Mode 3 (AMR-WB interoperable mode), \", amr_modes);\n if (track_info->amr_modes & 0x0010)\n mem_append(\"VMR-WB Mode 4, \", 
amr_modes);\n if (track_info->amr_modes & 0x0020)\n mem_append(\"VMR-WB Mode 2 with maximum half-rate, \", amr_modes);\n if (track_info->amr_modes & 0x0040)\n mem_append(\"VMR-WB Mode 4 with maximum half-rate, \", amr_modes);\n uint16_t amr_modes_len = strlen(amr_modes);\n if (amr_modes_len > 0)\n memset(amr_modes + (amr_modes_len - 1), 0, 2);\n }\n\n if (track_info->track_codec == 0x73616D72) { // samr\n fprintf(stdout,\n \" AMR Narrow-Band. Modes: %s. Encoder vendor code: %s\\n\",\n amr_modes,\n track_info->encoder_name);\n } else if (track_info->track_codec == 0x73617762) { // sawb\n fprintf(stdout,\n \" AMR Wide-Band. Modes: %s. Encoder vendor code: %s\\n\",\n amr_modes,\n track_info->encoder_name);\n } else if (track_info->track_codec == 0x73617770) { // sawp\n fprintf(stdout,\n \" AMR Wide-Band WB+. Encoder vendor code: %s\\n\",\n track_info->encoder_name);\n } else if (track_info->track_codec == 0x73766D72) { // svmr\n fprintf(stdout,\n \" AMR VBR Wide-Band. Encoder vendor code: %s\\n\",\n track_info->encoder_name);\n }\n } else if (track_type == EVRC_TRACK) {\n fprintf(stdout,\n \" EVRC (Enhanced Variable Rate Coder). Encoder vendor code: %s\\n\",\n track_info->encoder_name);\n\n } else if (track_type == QCELP_TRACK) {\n fprintf(stdout,\n \" QCELP (Qualcomm Code Excited Linear Prediction). Encoder vendor \"\n \"code: %s\\n\",\n track_info->encoder_name);\n\n } else if (track_type == S263_TRACK) {\n if (track_info->profile == 0) {\n fprintf(stdout,\n \" H.263 Baseline Profile, Level %u. Encoder vendor code: %s\",\n track_info->level,\n track_info->encoder_name);\n } else {\n fprintf(stdout,\n \" H.263 Profile: %u, Level %u. Encoder vendor code: %s\",\n track_info->profile,\n track_info->level,\n track_info->encoder_name);\n }\n }\n if (track_type == AUDIO_TRACK) {\n if (track_info->section5_length == 0) {\n fprintf(stdout, \" channels: (%u)\\n\", track_info->channels);\n } else {\n fprintf(stdout, \" channels: [%u]\\n\", track_info->channels);\n }\n }\n}",
- "project": "atomicparsley",
- "hash": 124350642846074410248190708765891059001,
- "size": 346,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417012
- },
- {
- "func": "void APar_Extract_iods_Info(FILE *isofile, AtomicInfo *iods_atom) {\n uint64_t iods_offset = iods_atom->AtomicStart + 8;\n if (iods_atom->AtomicVerFlags == 0 &&\n APar_read8(isofile, iods_offset + 4) == 0x10) {\n iods_offset += 5;\n iods_offset += APar_skip_filler(isofile, iods_offset);\n uint8_t iods_objdescrip_len = APar_read8(isofile, iods_offset);\n iods_offset++;\n if (iods_objdescrip_len >= 7) {\n iods_info.od_profile_level = APar_read8(isofile, iods_offset + 2);\n iods_info.scene_profile_level = APar_read8(isofile, iods_offset + 3);\n iods_info.audio_profile = APar_read8(isofile, iods_offset + 4);\n iods_info.video_profile_level = APar_read8(isofile, iods_offset + 5);\n iods_info.graphics_profile_level = APar_read8(isofile, iods_offset + 6);\n }\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 277384074896141257014460403709543671039,
- "size": 18,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417015
- },
- {
- "func": "void mem_append(const char *add_string, char *dest_string) {\n uint8_t str_len = strlen(dest_string);\n if (str_len > 0) {\n memcpy(dest_string + str_len, \", \", 2);\n memcpy(dest_string + str_len + 2, add_string, strlen(add_string));\n } else {\n memcpy(dest_string, add_string, strlen(add_string));\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 60652369648347309681691534134780812327,
- "size": 10,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417013
- },
- {
- "func": "void APar_Print_TrackDetails(TrackInfo *track_info) {\n if (track_info->max_bitrate > 0 && track_info->avg_bitrate > 0) {\n fprintf(stdout, \" %.2f kbp/s\", (float)track_info->avg_bitrate / 1000.0);\n } else { // some ffmpeg encodings have avg_bitrate set to 0, but an inexact\n // max_bitrate - actually, their esds seems a mess to me\n#if defined(_MSC_VER)\n fprintf(stdout,\n \" %.2lf* kbp/s\",\n ((double)((__int64)track_info->sample_aggregate) /\n ((double)((__int64)track_info->duration) /\n (double)((__int64)movie_info.timescale))) /\n 1000.0 * 8);\n fprintf(stdout,\n \" %.3f sec\",\n (float)track_info->duration / (float)movie_info.timescale);\n#else\n fprintf(stdout,\n \" %.2lf* kbp/s\",\n ((double)track_info->sample_aggregate /\n ((double)track_info->duration / (double)movie_info.timescale)) /\n 1000.0 * 8);\n fprintf(stdout,\n \" %.3f sec\",\n (float)track_info->duration / (float)movie_info.timescale);\n#endif\n }\n\n if (track_info->track_codec == 0x6D703476) { // mp4v profile\n APar_ShowObjectProfileInfo(MP4V_TRACK, track_info);\n } else if (track_info->track_codec == 0x6D703461 ||\n track_info->protected_codec == 0x6D703461) { // mp4a profile\n APar_ShowObjectProfileInfo(AUDIO_TRACK, track_info);\n } else if (track_info->track_codec ==\n 0x616C6163) { // alac - can't figure out a hardcoded bitrate either\n fprintf(\n stdout, \" Apple Lossless channels: [%u]\\n\", track_info->channels);\n } else if (track_info->track_codec == 0x61766331 ||\n track_info->protected_codec == 0x61766331) {\n if (track_info->avc_version == 1) { // avc profile & level\n APar_ShowObjectProfileInfo(AVC1_TRACK, track_info);\n }\n } else if (track_info->track_codec == 0x73323633) { // s263 in 3gp\n APar_ShowObjectProfileInfo(S263_TRACK, track_info);\n } else if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762 ||\n track_info->track_codec == 0x73617770 ||\n track_info->track_codec ==\n 0x73766D72) { // samr,sawb,sawp & svmr in 3gp\n 
track_info->type_of_track = S_AMR_TRACK;\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n } else if (track_info->track_codec == 0x73657663) { // evrc in 3gp\n track_info->type_of_track = EVRC_TRACK;\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n } else if (track_info->track_codec == 0x73716370) { // qcelp in 3gp\n track_info->type_of_track = QCELP_TRACK;\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n } else if (track_info->track_codec == 0x73736D76) { // smv in 3gp\n track_info->type_of_track = SMV_TRACK;\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n } else { // unknown everything, 0 hardcoded bitrate\n APar_ShowObjectProfileInfo(track_info->type_of_track, track_info);\n fprintf(stdout, \"\\n\");\n }\n\n if (track_info->type_of_track & VIDEO_TRACK &&\n ((track_info->max_bitrate > 0 &&\n track_info->ObjectTypeIndication == 0x20) ||\n track_info->avc_version == 1 || track_info->protected_codec != 0)) {\n fprintf(stdout,\n \" %ux%u (%\" PRIu32 \" macroblocks)\\n\",\n track_info->video_width,\n track_info->video_height,\n track_info->macroblocks);\n } else if (track_info->type_of_track & VIDEO_TRACK) {\n fprintf(stdout, \"\\n\");\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 312415387240572110707737637139613228674,
- "size": 78,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417021
- },
- {
- "func": "void APar_Extract_d263_Info(char *uint32_buffer,\n FILE *isofile,\n short track_level_atom,\n TrackInfo *track_info) {\n uint64_t offset_into_d263 = 8;\n APar_readX(track_info->encoder_name,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart + offset_into_d263,\n 4);\n track_info->level = APar_read8(isofile,\n parsedAtoms[track_level_atom].AtomicStart +\n offset_into_d263 + 4 + 1);\n track_info->profile = APar_read8(isofile,\n parsedAtoms[track_level_atom].AtomicStart +\n offset_into_d263 + 4 + 2);\n // possible 'bitr' bitrate box afterwards\n return;\n}",
- "project": "atomicparsley",
- "hash": 170389225265527118918192526862948718799,
- "size": 18,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417008
- },
- {
- "func": "void APar_Extract_AMR_Info(char *uint32_buffer,\n FILE *isofile,\n short track_level_atom,\n TrackInfo *track_info) {\n uint32_t amr_specific_offet = 8;\n APar_readX(track_info->encoder_name,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart + amr_specific_offet,\n 4);\n if (track_info->track_codec == 0x73616D72 ||\n track_info->track_codec == 0x73617762 ||\n track_info->track_codec ==\n 0x73766D72) { // samr,sawb & svmr contain modes only\n track_info->amr_modes = APar_read16(\n uint32_buffer,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart + amr_specific_offet + 4 + 1);\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 120362767435234697194582042432714238529,
- "size": 20,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417024
- },
- {
- "func": "void APar_ExtractDetails(FILE *isofile, uint8_t optional_output) {\n char uint32_buffer[5];\n Trackage track = {0};\n\n AtomicInfo *mvhdAtom = APar_FindAtom(\"moov.mvhd\", false, VERSIONED_ATOM, 0);\n if (mvhdAtom != NULL) {\n APar_ExtractMovieDetails(uint32_buffer, isofile, mvhdAtom);\n fprintf(stdout,\n \"Movie duration: %.3lf seconds (%s) - %.2lf* kbp/sec bitrate \"\n \"(*=approximate)\\n\",\n movie_info.seconds,\n secsTOtime(movie_info.seconds),\n movie_info.simple_bitrate_calc);\n if (optional_output & SHOW_DATE_INFO) {\n fprintf(stdout,\n \" Presentation Creation Date (UTC): %s\\n\",\n APar_extract_UTC(movie_info.creation_time));\n fprintf(stdout,\n \" Presentation Modification Date (UTC): %s\\n\",\n APar_extract_UTC(movie_info.modified_time));\n }\n }\n\n AtomicInfo *iodsAtom = APar_FindAtom(\"moov.iods\", false, VERSIONED_ATOM, 0);\n if (iodsAtom != NULL) {\n movie_info.contains_iods = true;\n APar_Extract_iods_Info(isofile, iodsAtom);\n }\n\n if (optional_output & SHOW_TRACK_INFO) {\n APar_TrackLevelInfo(&track,\n NULL); // With track_num set to 0, it will return the\n // total trak atom into total_tracks here.\n\n fprintf(\n stdout, \"Low-level details. 
Total tracks: %u\\n\", track.total_tracks);\n fprintf(stdout,\n \"Trk Type Handler Kind Lang Bytes\\n\");\n\n if (track.total_tracks > 0) {\n while (track.total_tracks > track.track_num) {\n track.track_num += 1;\n TrackInfo track_info = {0};\n\n // tracknum, handler type, handler name\n APar_ExtractTrackDetails(uint32_buffer, isofile, &track, &track_info);\n uint16_t more_whitespace =\n purge_extraneous_characters(track_info.track_hdlr_name);\n\n if (strlen(track_info.track_hdlr_name) == 0) {\n memcpy(track_info.track_hdlr_name, \"[none listed]\", 13);\n }\n fprintf(stdout,\n \"%u %s %s\",\n track.track_num,\n uint32tochar4(track_info.track_type, uint32_buffer),\n track_info.track_hdlr_name);\n\n uint16_t handler_len = strlen(track_info.track_hdlr_name);\n if (handler_len < 25 + more_whitespace) {\n for (uint16_t i = handler_len; i < 25 + more_whitespace; i++) {\n fprintf(stdout, \" \");\n }\n }\n\n // codec, language\n fprintf(stdout,\n \" %s %s %\" PRIu64,\n uint32tochar4(track_info.track_codec, uint32_buffer),\n track_info.unpacked_lang,\n track_info.sample_aggregate);\n\n if (track_info.encoder_name[0] != 0 && track_info.contains_esds) {\n purge_extraneous_characters(track_info.encoder_name);\n fprintf(stdout, \" Encoder: %s\", track_info.encoder_name);\n }\n if (track_info.type_of_track & DRM_PROTECTED_TRACK) {\n fprintf(stdout,\n \" (protected %s)\",\n uint32tochar4(track_info.protected_codec, uint32_buffer));\n }\n\n fprintf(stdout, \"\\n\");\n /*---------------------------------*/\n\n if (track_info.type_of_track & VIDEO_TRACK ||\n track_info.type_of_track & AUDIO_TRACK) {\n APar_Print_TrackDetails(&track_info);\n }\n\n if (optional_output & SHOW_DATE_INFO) {\n fprintf(stdout,\n \" Creation Date (UTC): %s\\n\",\n APar_extract_UTC(track_info.creation_time));\n fprintf(stdout,\n \" Modification Date (UTC): %s\\n\",\n APar_extract_UTC(track_info.modified_time));\n }\n }\n }\n }\n}",
- "project": "atomicparsley",
- "hash": 235760196453077041717585104526456578938,
- "size": 102,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 1,
- "dataset": "other",
- "idx": 208981
- },
- {
- "func": "void APar_ExtractDetails(FILE *isofile, uint8_t optional_output) {\n char uint32_buffer[8];\n Trackage track = {0};\n\n AtomicInfo *mvhdAtom = APar_FindAtom(\"moov.mvhd\", false, VERSIONED_ATOM, 0);\n if (mvhdAtom != NULL) {\n APar_ExtractMovieDetails(uint32_buffer, isofile, mvhdAtom);\n fprintf(stdout,\n \"Movie duration: %.3lf seconds (%s) - %.2lf* kbp/sec bitrate \"\n \"(*=approximate)\\n\",\n movie_info.seconds,\n secsTOtime(movie_info.seconds),\n movie_info.simple_bitrate_calc);\n if (optional_output & SHOW_DATE_INFO) {\n fprintf(stdout,\n \" Presentation Creation Date (UTC): %s\\n\",\n APar_extract_UTC(movie_info.creation_time));\n fprintf(stdout,\n \" Presentation Modification Date (UTC): %s\\n\",\n APar_extract_UTC(movie_info.modified_time));\n }\n }\n\n AtomicInfo *iodsAtom = APar_FindAtom(\"moov.iods\", false, VERSIONED_ATOM, 0);\n if (iodsAtom != NULL) {\n movie_info.contains_iods = true;\n APar_Extract_iods_Info(isofile, iodsAtom);\n }\n\n if (optional_output & SHOW_TRACK_INFO) {\n APar_TrackLevelInfo(&track,\n NULL); // With track_num set to 0, it will return the\n // total trak atom into total_tracks here.\n\n fprintf(\n stdout, \"Low-level details. 
Total tracks: %u\\n\", track.total_tracks);\n fprintf(stdout,\n \"Trk Type Handler Kind Lang Bytes\\n\");\n\n if (track.total_tracks > 0) {\n while (track.total_tracks > track.track_num) {\n track.track_num += 1;\n TrackInfo track_info = {0};\n\n // tracknum, handler type, handler name\n APar_ExtractTrackDetails(uint32_buffer, isofile, &track, &track_info);\n uint16_t more_whitespace =\n purge_extraneous_characters(track_info.track_hdlr_name);\n\n if (strlen(track_info.track_hdlr_name) == 0) {\n memcpy(track_info.track_hdlr_name, \"[none listed]\", 13);\n }\n fprintf(stdout,\n \"%u %s %s\",\n track.track_num,\n uint32tochar4(track_info.track_type, uint32_buffer),\n track_info.track_hdlr_name);\n\n uint16_t handler_len = strlen(track_info.track_hdlr_name);\n if (handler_len < 25 + more_whitespace) {\n for (uint16_t i = handler_len; i < 25 + more_whitespace; i++) {\n fprintf(stdout, \" \");\n }\n }\n\n // codec, language\n fprintf(stdout,\n \" %s %s %\" PRIu64,\n uint32tochar4(track_info.track_codec, uint32_buffer),\n track_info.unpacked_lang,\n track_info.sample_aggregate);\n\n if (track_info.encoder_name[0] != 0 && track_info.contains_esds) {\n purge_extraneous_characters(track_info.encoder_name);\n fprintf(stdout, \" Encoder: %s\", track_info.encoder_name);\n }\n if (track_info.type_of_track & DRM_PROTECTED_TRACK) {\n fprintf(stdout,\n \" (protected %s)\",\n uint32tochar4(track_info.protected_codec, uint32_buffer));\n }\n\n fprintf(stdout, \"\\n\");\n /*---------------------------------*/\n\n if (track_info.type_of_track & VIDEO_TRACK ||\n track_info.type_of_track & AUDIO_TRACK) {\n APar_Print_TrackDetails(&track_info);\n }\n\n if (optional_output & SHOW_DATE_INFO) {\n fprintf(stdout,\n \" Creation Date (UTC): %s\\n\",\n APar_extract_UTC(track_info.creation_time));\n fprintf(stdout,\n \" Modification Date (UTC): %s\\n\",\n APar_extract_UTC(track_info.modified_time));\n }\n }\n }\n }\n}",
- "project": "atomicparsley",
- "hash": 27305014511647361793546293488526992046,
- "size": 102,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417017
- },
- {
- "func": "void APar_Extract_esds_Info(char *uint32_buffer,\n FILE *isofile,\n short track_level_atom,\n TrackInfo *track_info) {\n uint64_t offset_into_stsd = 0;\n\n while (offset_into_stsd < parsedAtoms[track_level_atom].AtomicLength) {\n offset_into_stsd++;\n if (APar_read32(uint32_buffer,\n isofile,\n parsedAtoms[track_level_atom].AtomicStart +\n offset_into_stsd) == 0x65736473) {\n track_info->contains_esds = true;\n\n uint64_t esds_start =\n parsedAtoms[track_level_atom].AtomicStart + offset_into_stsd - 4;\n uint64_t esds_length = APar_read32(uint32_buffer, isofile, esds_start);\n uint64_t offset_into_esds =\n 12; // 4bytes length + 4 bytes name + 4bytes null\n\n if (APar_read8(isofile, esds_start + offset_into_esds) == 0x03) {\n offset_into_esds++;\n offset_into_esds +=\n APar_skip_filler(isofile, esds_start + offset_into_esds);\n }\n\n uint8_t section3_length =\n APar_read8(isofile, esds_start + offset_into_esds);\n if (section3_length <= esds_length && section3_length != 0) {\n track_info->section3_length = section3_length;\n } else {\n break;\n }\n\n // for whatever reason, when mp4box muxes in ogg into an mp4 container,\n // section 3 gets a 0x9D byte (which doesn't fall inline with what AP\n // considers 'filler') then again, I haven't *completely* read the ISO\n // specifications, so I could just be missing it the the ->voluminous<-\n // 14496-X specifications.\n uint8_t test_byte =\n APar_read8(isofile, esds_start + offset_into_esds + 1);\n if (test_byte != 0) {\n offset_into_esds++;\n }\n\n offset_into_esds += 4; // 1 bytes section 0x03 length + 2 bytes + 1 byte\n\n if (APar_read8(isofile, esds_start + offset_into_esds) == 0x04) {\n offset_into_esds++;\n offset_into_esds +=\n APar_skip_filler(isofile, esds_start + offset_into_esds);\n }\n\n uint8_t section4_length =\n APar_read8(isofile, esds_start + offset_into_esds);\n if (section4_length <= section3_length && section4_length != 0) {\n track_info->section4_length = section4_length;\n\n if 
(section4_length == 0x9D)\n offset_into_esds++; // upper limit? when gpac puts an ogg in, section\n // 3 is 9D - so is sec4 (section 4 real length\n // with ogg = 0x0E86)\n\n offset_into_esds++;\n track_info->ObjectTypeIndication =\n APar_read8(isofile, esds_start + offset_into_esds);\n\n // this is just so that ogg in mp4 won't have some bizarre high bitrate\n // of like 2.8megabits/sec\n uint8_t a_v_flag =\n APar_read8(isofile,\n esds_start + offset_into_esds +\n 1); // mp4box with ogg will set this to DD,\n // mp4a has it as 0x40, mp4v has 0x20\n\n if (track_info->ObjectTypeIndication < 0xC0 &&\n a_v_flag < 0xA0) { // 0xC0 marks user streams; but things below that\n // might still be wrong (like 0x6D - png)\n offset_into_esds += 5;\n track_info->max_bitrate = APar_read32(\n uint32_buffer, isofile, esds_start + offset_into_esds);\n offset_into_esds += 4;\n track_info->avg_bitrate = APar_read32(\n uint32_buffer, isofile, esds_start + offset_into_esds);\n offset_into_esds += 4;\n }\n } else {\n break;\n }\n\n if (APar_read8(isofile, esds_start + offset_into_esds) == 0x05) {\n offset_into_esds++;\n offset_into_esds +=\n APar_skip_filler(isofile, esds_start + offset_into_esds);\n\n uint8_t section5_length =\n APar_read8(isofile, esds_start + offset_into_esds);\n if ((section5_length <= section4_length || section4_length == 1) &&\n section5_length != 0) {\n track_info->section5_length = section5_length;\n offset_into_esds += 1;\n\n if (track_info->type_of_track & AUDIO_TRACK) {\n uint8_t packed_objID = APar_read8(\n isofile,\n esds_start + offset_into_esds); // its packed with channel, but\n // channel is fetched separately\n track_info->descriptor_object_typeID = packed_objID >> 3;\n offset_into_esds += 1;\n\n track_info->channels = (uint16_t)APar_ExtractChannelInfo(\n isofile, esds_start + offset_into_esds);\n\n } else if (track_info->type_of_track & VIDEO_TRACK) {\n // technically, visual_object_sequence_start_code should be tested\n // aginst 0x000001B0\n if 
(APar_read16(uint32_buffer,\n isofile,\n esds_start + offset_into_esds + 2) == 0x01B0) {\n track_info->m4v_profile =\n APar_read8(isofile, esds_start + offset_into_esds + 2 + 2);\n }\n }\n }\n break; // uh, I've extracted the pertinent info\n }\n }\n if (offset_into_stsd > parsedAtoms[track_level_atom].AtomicLength) {\n break;\n }\n }\n if ((track_info->section5_length == 0 &&\n track_info->type_of_track & AUDIO_TRACK) ||\n track_info->channels == 0) {\n track_info->channels = APar_read16(\n uint32_buffer, isofile, parsedAtoms[track_level_atom].AtomicStart + 40);\n }\n return;\n}",
- "project": "atomicparsley",
- "hash": 338529420259989405369420107226016196272,
- "size": 139,
- "commit_id": "d72ccf06c98259d7261e0f3ac4fd8717778782c1",
- "message": "Avoid stack overflow\n\nrefs: https://github.com/wez/atomicparsley/issues/32",
- "target": 0,
- "dataset": "other",
- "idx": 417018
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "svm_refresh_apicv_exec_ctrl",
- "avic_post_state_restore",
- "avic_handle_apic_id_update",
- "avic_handle_ldr_update",
- "avic_invalidate_logical_id_entry"
- ],
- "group_size": 15,
- "functions": [
- {
- "func": "static void avic_invalidate_logical_id_entry(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tbool flat = svm->dfr_reg == APIC_DFR_FLAT;\n\tu32 *entry = avic_get_logical_id_entry(vcpu, svm->ldr_reg, flat);\n\n\tif (entry)\n\t\tclear_bit(AVIC_LOGICAL_ID_ENTRY_VALID_BIT, (unsigned long *)entry);\n}",
- "project": "linux",
- "hash": 114357630180844998872360052660897220958,
- "size": 9,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432560
- },
- {
- "func": "static inline void avic_post_state_restore(struct kvm_vcpu *vcpu)\n{\n\tif (avic_handle_apic_id_update(vcpu) != 0)\n\t\treturn;\n\tavic_handle_dfr_update(vcpu);\n\tavic_handle_ldr_update(vcpu);\n}",
- "project": "linux",
- "hash": 195561001580473228900395420022605266505,
- "size": 7,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432502
- },
- {
- "func": "static void svm_ir_list_del(struct vcpu_svm *svm, struct amd_iommu_pi_data *pi)\n{\n\tunsigned long flags;\n\tstruct amd_svm_iommu_ir *cur;\n\n\tspin_lock_irqsave(&svm->ir_list_lock, flags);\n\tlist_for_each_entry(cur, &svm->ir_list, node) {\n\t\tif (cur->data != pi->ir_data)\n\t\t\tcontinue;\n\t\tlist_del(&cur->node);\n\t\tkfree(cur);\n\t\tbreak;\n\t}\n\tspin_unlock_irqrestore(&svm->ir_list_lock, flags);\n}",
- "project": "linux",
- "hash": 330101540998642652877669102020815133255,
- "size": 15,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432498
- },
- {
- "func": "static int avic_ldr_write(struct kvm_vcpu *vcpu, u8 g_physical_id, u32 ldr)\n{\n\tbool flat;\n\tu32 *entry, new_entry;\n\n\tflat = kvm_lapic_get_reg(vcpu->arch.apic, APIC_DFR) == APIC_DFR_FLAT;\n\tentry = avic_get_logical_id_entry(vcpu, ldr, flat);\n\tif (!entry)\n\t\treturn -EINVAL;\n\n\tnew_entry = READ_ONCE(*entry);\n\tnew_entry &= ~AVIC_LOGICAL_ID_ENTRY_GUEST_PHYSICAL_ID_MASK;\n\tnew_entry |= (g_physical_id & AVIC_LOGICAL_ID_ENTRY_GUEST_PHYSICAL_ID_MASK);\n\tnew_entry |= AVIC_LOGICAL_ID_ENTRY_VALID_MASK;\n\tWRITE_ONCE(*entry, new_entry);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 119525709928038156792618314889839906227,
- "size": 18,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432638
- },
- {
- "func": "static int svm_set_pi_irte_mode(struct kvm_vcpu *vcpu, bool activate)\n{\n\tint ret = 0;\n\tunsigned long flags;\n\tstruct amd_svm_iommu_ir *ir;\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\n\tif (!kvm_arch_has_assigned_device(vcpu->kvm))\n\t\treturn 0;\n\n\t/*\n\t * Here, we go through the per-vcpu ir_list to update all existing\n\t * interrupt remapping table entry targeting this vcpu.\n\t */\n\tspin_lock_irqsave(&svm->ir_list_lock, flags);\n\n\tif (list_empty(&svm->ir_list))\n\t\tgoto out;\n\n\tlist_for_each_entry(ir, &svm->ir_list, node) {\n\t\tif (activate)\n\t\t\tret = amd_iommu_activate_guest_mode(ir->data);\n\t\telse\n\t\t\tret = amd_iommu_deactivate_guest_mode(ir->data);\n\t\tif (ret)\n\t\t\tbreak;\n\t}\nout:\n\tspin_unlock_irqrestore(&svm->ir_list_lock, flags);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 275241649554292843302718847016310701132,
- "size": 31,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432451
- },
- {
- "func": "static void svm_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tstruct vmcb *vmcb = svm->vmcb;\n\tbool activated = kvm_vcpu_apicv_active(vcpu);\n\n\tif (!avic)\n\t\treturn;\n\n\tif (activated) {\n\t\t/**\n\t\t * During AVIC temporary deactivation, guest could update\n\t\t * APIC ID, DFR and LDR registers, which would not be trapped\n\t\t * by avic_unaccelerated_access_interception(). In this case,\n\t\t * we need to check and update the AVIC logical APIC ID table\n\t\t * accordingly before re-activating.\n\t\t */\n\t\tavic_post_state_restore(vcpu);\n\t\tvmcb->control.int_ctl |= AVIC_ENABLE_MASK;\n\t} else {\n\t\tvmcb->control.int_ctl &= ~AVIC_ENABLE_MASK;\n\t}\n\tmark_dirty(vmcb, VMCB_AVIC);\n\n\tsvm_set_pi_irte_mode(vcpu, activated);\n}",
- "project": "linux",
- "hash": 30038570026472557891286636352891763742,
- "size": 26,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432508
- },
- {
- "func": "static void avic_handle_dfr_update(struct kvm_vcpu *vcpu)\n{\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu32 dfr = kvm_lapic_get_reg(vcpu->arch.apic, APIC_DFR);\n\n\tif (svm->dfr_reg == dfr)\n\t\treturn;\n\n\tavic_invalidate_logical_id_entry(vcpu);\n\tsvm->dfr_reg = dfr;\n}",
- "project": "linux",
- "hash": 339179177992598638756627890988173320050,
- "size": 11,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432395
- },
- {
- "func": "static int svm_update_pi_irte(struct kvm *kvm, unsigned int host_irq,\n\t\t\t uint32_t guest_irq, bool set)\n{\n\tstruct kvm_kernel_irq_routing_entry *e;\n\tstruct kvm_irq_routing_table *irq_rt;\n\tint idx, ret = -EINVAL;\n\n\tif (!kvm_arch_has_assigned_device(kvm) ||\n\t !irq_remapping_cap(IRQ_POSTING_CAP))\n\t\treturn 0;\n\n\tpr_debug(\"SVM: %s: host_irq=%#x, guest_irq=%#x, set=%#x\\n\",\n\t\t __func__, host_irq, guest_irq, set);\n\n\tidx = srcu_read_lock(&kvm->irq_srcu);\n\tirq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);\n\tWARN_ON(guest_irq >= irq_rt->nr_rt_entries);\n\n\thlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {\n\t\tstruct vcpu_data vcpu_info;\n\t\tstruct vcpu_svm *svm = NULL;\n\n\t\tif (e->type != KVM_IRQ_ROUTING_MSI)\n\t\t\tcontinue;\n\n\t\t/**\n\t\t * Here, we setup with legacy mode in the following cases:\n\t\t * 1. When cannot target interrupt to a specific vcpu.\n\t\t * 2. Unsetting posted interrupt.\n\t\t * 3. APIC virtialization is disabled for the vcpu.\n\t\t * 4. IRQ has incompatible delivery mode (SMI, INIT, etc)\n\t\t */\n\t\tif (!get_pi_vcpu_info(kvm, e, &vcpu_info, &svm) && set &&\n\t\t kvm_vcpu_apicv_active(&svm->vcpu)) {\n\t\t\tstruct amd_iommu_pi_data pi;\n\n\t\t\t/* Try to enable guest_mode in IRTE */\n\t\t\tpi.base = __sme_set(page_to_phys(svm->avic_backing_page) &\n\t\t\t\t\t AVIC_HPA_MASK);\n\t\t\tpi.ga_tag = AVIC_GATAG(to_kvm_svm(kvm)->avic_vm_id,\n\t\t\t\t\t\t svm->vcpu.vcpu_id);\n\t\t\tpi.is_guest_mode = true;\n\t\t\tpi.vcpu_data = &vcpu_info;\n\t\t\tret = irq_set_vcpu_affinity(host_irq, &pi);\n\n\t\t\t/**\n\t\t\t * Here, we successfully setting up vcpu affinity in\n\t\t\t * IOMMU guest mode. 
Now, we need to store the posted\n\t\t\t * interrupt information in a per-vcpu ir_list so that\n\t\t\t * we can reference to them directly when we update vcpu\n\t\t\t * scheduling information in IOMMU irte.\n\t\t\t */\n\t\t\tif (!ret && pi.is_guest_mode)\n\t\t\t\tsvm_ir_list_add(svm, &pi);\n\t\t} else {\n\t\t\t/* Use legacy mode in IRTE */\n\t\t\tstruct amd_iommu_pi_data pi;\n\n\t\t\t/**\n\t\t\t * Here, pi is used to:\n\t\t\t * - Tell IOMMU to use legacy mode for this interrupt.\n\t\t\t * - Retrieve ga_tag of prior interrupt remapping data.\n\t\t\t */\n\t\t\tpi.is_guest_mode = false;\n\t\t\tret = irq_set_vcpu_affinity(host_irq, &pi);\n\n\t\t\t/**\n\t\t\t * Check if the posted interrupt was previously\n\t\t\t * setup with the guest_mode by checking if the ga_tag\n\t\t\t * was cached. If so, we need to clean up the per-vcpu\n\t\t\t * ir_list.\n\t\t\t */\n\t\t\tif (!ret && pi.prev_ga_tag) {\n\t\t\t\tint id = AVIC_GATAG_TO_VCPUID(pi.prev_ga_tag);\n\t\t\t\tstruct kvm_vcpu *vcpu;\n\n\t\t\t\tvcpu = kvm_get_vcpu_by_id(kvm, id);\n\t\t\t\tif (vcpu)\n\t\t\t\t\tsvm_ir_list_del(to_svm(vcpu), &pi);\n\t\t\t}\n\t\t}\n\n\t\tif (!ret && svm) {\n\t\t\ttrace_kvm_pi_irte_update(host_irq, svm->vcpu.vcpu_id,\n\t\t\t\t\t\t e->gsi, vcpu_info.vector,\n\t\t\t\t\t\t vcpu_info.pi_desc_addr, set);\n\t\t}\n\n\t\tif (ret < 0) {\n\t\t\tpr_err(\"%s: failed to update PI IRTE\\n\", __func__);\n\t\t\tgoto out;\n\t\t}\n\t}\n\n\tret = 0;\nout:\n\tsrcu_read_unlock(&kvm->irq_srcu, idx);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 318085719864330516266383533570991474878,
- "size": 99,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432530
- },
- {
- "func": "static bool is_avic_unaccelerated_access_trap(u32 offset)\n{\n\tbool ret = false;\n\n\tswitch (offset) {\n\tcase APIC_ID:\n\tcase APIC_EOI:\n\tcase APIC_RRR:\n\tcase APIC_LDR:\n\tcase APIC_DFR:\n\tcase APIC_SPIV:\n\tcase APIC_ESR:\n\tcase APIC_ICR:\n\tcase APIC_LVTT:\n\tcase APIC_LVTTHMR:\n\tcase APIC_LVTPC:\n\tcase APIC_LVT0:\n\tcase APIC_LVT1:\n\tcase APIC_LVTERR:\n\tcase APIC_TMICT:\n\tcase APIC_TDCR:\n\t\tret = true;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn ret;\n}",
- "project": "linux",
- "hash": 60203129318047945632968468677207001869,
- "size": 28,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432536
- },
- {
- "func": "static int avic_unaccel_trap_write(struct vcpu_svm *svm)\n{\n\tstruct kvm_lapic *apic = svm->vcpu.arch.apic;\n\tu32 offset = svm->vmcb->control.exit_info_1 &\n\t\t\t\tAVIC_UNACCEL_ACCESS_OFFSET_MASK;\n\n\tswitch (offset) {\n\tcase APIC_ID:\n\t\tif (avic_handle_apic_id_update(&svm->vcpu))\n\t\t\treturn 0;\n\t\tbreak;\n\tcase APIC_LDR:\n\t\tif (avic_handle_ldr_update(&svm->vcpu))\n\t\t\treturn 0;\n\t\tbreak;\n\tcase APIC_DFR:\n\t\tavic_handle_dfr_update(&svm->vcpu);\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\n\tkvm_lapic_reg_write(apic, offset, kvm_lapic_get_reg(apic, offset));\n\n\treturn 1;\n}",
- "project": "linux",
- "hash": 106232661564080307493698138402044433619,
- "size": 26,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432472
- },
- {
- "func": "static int avic_handle_ldr_update(struct kvm_vcpu *vcpu)\n{\n\tint ret = 0;\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu32 ldr = kvm_lapic_get_reg(vcpu->arch.apic, APIC_LDR);\n\tu32 id = kvm_xapic_id(vcpu->arch.apic);\n\n\tif (ldr == svm->ldr_reg)\n\t\treturn 0;\n\n\tavic_invalidate_logical_id_entry(vcpu);\n\n\tif (ldr)\n\t\tret = avic_ldr_write(vcpu, id, ldr);\n\n\tif (!ret)\n\t\tsvm->ldr_reg = ldr;\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 234317427710984396719900651698846146729,
- "size": 20,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432544
- },
- {
- "func": "static int avic_handle_apic_id_update(struct kvm_vcpu *vcpu)\n{\n\tu64 *old, *new;\n\tstruct vcpu_svm *svm = to_svm(vcpu);\n\tu32 id = kvm_xapic_id(vcpu->arch.apic);\n\n\tif (vcpu->vcpu_id == id)\n\t\treturn 0;\n\n\told = avic_get_physical_id_entry(vcpu, vcpu->vcpu_id);\n\tnew = avic_get_physical_id_entry(vcpu, id);\n\tif (!new || !old)\n\t\treturn 1;\n\n\t/* We need to move physical_id_entry to new offset */\n\t*new = *old;\n\t*old = 0ULL;\n\tto_svm(vcpu)->avic_physical_id_cache = new;\n\n\t/*\n\t * Also update the guest physical APIC ID in the logical\n\t * APIC ID table entry if already setup the LDR.\n\t */\n\tif (svm->ldr_reg)\n\t\tavic_handle_ldr_update(vcpu);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 121011130733983555787294718049649763766,
- "size": 28,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432606
- },
- {
- "func": "static int avic_unaccelerated_access_interception(struct vcpu_svm *svm)\n{\n\tint ret = 0;\n\tu32 offset = svm->vmcb->control.exit_info_1 &\n\t\t AVIC_UNACCEL_ACCESS_OFFSET_MASK;\n\tu32 vector = svm->vmcb->control.exit_info_2 &\n\t\t AVIC_UNACCEL_ACCESS_VECTOR_MASK;\n\tbool write = (svm->vmcb->control.exit_info_1 >> 32) &\n\t\t AVIC_UNACCEL_ACCESS_WRITE_MASK;\n\tbool trap = is_avic_unaccelerated_access_trap(offset);\n\n\ttrace_kvm_avic_unaccelerated_access(svm->vcpu.vcpu_id, offset,\n\t\t\t\t\t trap, write, vector);\n\tif (trap) {\n\t\t/* Handling Trap */\n\t\tWARN_ONCE(!write, \"svm: Handling trap read.\\n\");\n\t\tret = avic_unaccel_trap_write(svm);\n\t} else {\n\t\t/* Handling Fault */\n\t\tret = kvm_emulate_instruction(&svm->vcpu, 0);\n\t}\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 81436319974277451152718179696270566677,
- "size": 24,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432513
- },
- {
- "func": "static inline bool kvm_arch_has_assigned_device(struct kvm *kvm)\n{\n\treturn false;\n}",
- "project": "linux",
- "hash": 32850749792732072862793558309876279082,
- "size": 4,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354798
- },
- {
- "func": "static int svm_ir_list_add(struct vcpu_svm *svm, struct amd_iommu_pi_data *pi)\n{\n\tint ret = 0;\n\tunsigned long flags;\n\tstruct amd_svm_iommu_ir *ir;\n\n\t/**\n\t * In some cases, the existing irte is updaed and re-set,\n\t * so we need to check here if it's already been * added\n\t * to the ir_list.\n\t */\n\tif (pi->ir_data && (pi->prev_ga_tag != 0)) {\n\t\tstruct kvm *kvm = svm->vcpu.kvm;\n\t\tu32 vcpu_id = AVIC_GATAG_TO_VCPUID(pi->prev_ga_tag);\n\t\tstruct kvm_vcpu *prev_vcpu = kvm_get_vcpu_by_id(kvm, vcpu_id);\n\t\tstruct vcpu_svm *prev_svm;\n\n\t\tif (!prev_vcpu) {\n\t\t\tret = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\n\t\tprev_svm = to_svm(prev_vcpu);\n\t\tsvm_ir_list_del(prev_svm, pi);\n\t}\n\n\t/**\n\t * Allocating new amd_iommu_pi_data, which will get\n\t * add to the per-vcpu ir_list.\n\t */\n\tir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_KERNEL_ACCOUNT);\n\tif (!ir) {\n\t\tret = -ENOMEM;\n\t\tgoto out;\n\t}\n\tir->data = pi->ir_data;\n\n\tspin_lock_irqsave(&svm->ir_list_lock, flags);\n\tlist_add(&ir->node, &svm->ir_list);\n\tspin_unlock_irqrestore(&svm->ir_list_lock, flags);\nout:\n\treturn ret;\n}",
- "project": "linux",
- "hash": 57031397710267844333495764165285579751,
- "size": 43,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432454
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "fanout_add",
- "fanout_find_new_id",
- "__fanout_id_is_free"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static int fanout_add(struct sock *sk, u16 id, u16 type_flags)\n{\n\tstruct packet_rollover *rollover = NULL;\n\tstruct packet_sock *po = pkt_sk(sk);\n\tstruct packet_fanout *f, *match;\n\tu8 type = type_flags & 0xff;\n\tu8 flags = type_flags >> 8;\n\tint err;\n\n\tswitch (type) {\n\tcase PACKET_FANOUT_ROLLOVER:\n\t\tif (type_flags & PACKET_FANOUT_FLAG_ROLLOVER)\n\t\t\treturn -EINVAL;\n\tcase PACKET_FANOUT_HASH:\n\tcase PACKET_FANOUT_LB:\n\tcase PACKET_FANOUT_CPU:\n\tcase PACKET_FANOUT_RND:\n\tcase PACKET_FANOUT_QM:\n\tcase PACKET_FANOUT_CBPF:\n\tcase PACKET_FANOUT_EBPF:\n\t\tbreak;\n\tdefault:\n\t\treturn -EINVAL;\n\t}\n\n\tmutex_lock(&fanout_mutex);\n\n\terr = -EALREADY;\n\tif (po->fanout)\n\t\tgoto out;\n\n\tif (type == PACKET_FANOUT_ROLLOVER ||\n\t (type_flags & PACKET_FANOUT_FLAG_ROLLOVER)) {\n\t\terr = -ENOMEM;\n\t\trollover = kzalloc(sizeof(*rollover), GFP_KERNEL);\n\t\tif (!rollover)\n\t\t\tgoto out;\n\t\tatomic_long_set(&rollover->num, 0);\n\t\tatomic_long_set(&rollover->num_huge, 0);\n\t\tatomic_long_set(&rollover->num_failed, 0);\n\t}\n\n\tif (type_flags & PACKET_FANOUT_FLAG_UNIQUEID) {\n\t\tif (id != 0) {\n\t\t\terr = -EINVAL;\n\t\t\tgoto out;\n\t\t}\n\t\tif (!fanout_find_new_id(sk, &id)) {\n\t\t\terr = -ENOMEM;\n\t\t\tgoto out;\n\t\t}\n\t\t/* ephemeral flag for the first socket in the group: drop it */\n\t\tflags &= ~(PACKET_FANOUT_FLAG_UNIQUEID >> 8);\n\t}\n\n\tmatch = NULL;\n\tlist_for_each_entry(f, &fanout_list, list) {\n\t\tif (f->id == id &&\n\t\t read_pnet(&f->net) == sock_net(sk)) {\n\t\t\tmatch = f;\n\t\t\tbreak;\n\t\t}\n\t}\n\terr = -EINVAL;\n\tif (match && match->flags != flags)\n\t\tgoto out;\n\tif (!match) {\n\t\terr = -ENOMEM;\n\t\tmatch = kzalloc(sizeof(*match), GFP_KERNEL);\n\t\tif (!match)\n\t\t\tgoto out;\n\t\twrite_pnet(&match->net, sock_net(sk));\n\t\tmatch->id = id;\n\t\tmatch->type = type;\n\t\tmatch->flags = flags;\n\t\tINIT_LIST_HEAD(&match->list);\n\t\tspin_lock_init(&match->lock);\n\t\trefcount_set(&match->sk_ref, 
0);\n\t\tfanout_init_data(match);\n\t\tmatch->prot_hook.type = po->prot_hook.type;\n\t\tmatch->prot_hook.dev = po->prot_hook.dev;\n\t\tmatch->prot_hook.func = packet_rcv_fanout;\n\t\tmatch->prot_hook.af_packet_priv = match;\n\t\tmatch->prot_hook.id_match = match_fanout_group;\n\t\tlist_add(&match->list, &fanout_list);\n\t}\n\terr = -EINVAL;\n\n\tspin_lock(&po->bind_lock);\n\tif (po->running &&\n\t match->type == type &&\n\t match->prot_hook.type == po->prot_hook.type &&\n\t match->prot_hook.dev == po->prot_hook.dev) {\n\t\terr = -ENOSPC;\n\t\tif (refcount_read(&match->sk_ref) < PACKET_FANOUT_MAX) {\n\t\t\t__dev_remove_pack(&po->prot_hook);\n\t\t\tpo->fanout = match;\n\t\t\tpo->rollover = rollover;\n\t\t\trollover = NULL;\n\t\t\trefcount_set(&match->sk_ref, refcount_read(&match->sk_ref) + 1);\n\t\t\t__fanout_link(sk, po);\n\t\t\terr = 0;\n\t\t}\n\t}\n\tspin_unlock(&po->bind_lock);\n\n\tif (err && !refcount_read(&match->sk_ref)) {\n\t\tlist_del(&match->list);\n\t\tkfree(match);\n\t}\n\nout:\n\tkfree(rollover);\n\tmutex_unlock(&fanout_mutex);\n\treturn err;\n}",
- "project": "linux",
- "hash": 199983393709727263839366359142730932433,
- "size": 116,
- "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06",
- "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen <orcohen@paloaltonetworks.com>\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 330380
- },
- {
- "func": "static bool fanout_find_new_id(struct sock *sk, u16 *new_id)\n{\n\tu16 id = fanout_next_id;\n\n\tdo {\n\t\tif (__fanout_id_is_free(sk, id)) {\n\t\t\t*new_id = id;\n\t\t\tfanout_next_id = id + 1;\n\t\t\treturn true;\n\t\t}\n\n\t\tid++;\n\t} while (id != fanout_next_id);\n\n\treturn false;\n}",
- "project": "linux",
- "hash": 307272190883856057212126550315472654801,
- "size": 16,
- "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06",
- "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen <orcohen@paloaltonetworks.com>\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 330382
- },
- {
- "func": "static bool __fanout_id_is_free(struct sock *sk, u16 candidate_id)\n{\n\tstruct packet_fanout *f;\n\n\tlist_for_each_entry(f, &fanout_list, list) {\n\t\tif (f->id == candidate_id &&\n\t\t read_pnet(&f->net) == sock_net(sk)) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn true;\n}",
- "project": "linux",
- "hash": 469944124276933757549113293725692021,
- "size": 12,
- "commit_id": "acf69c946233259ab4d64f8869d4037a198c7f06",
- "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po->has_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen <orcohen@paloaltonetworks.com>\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 330372
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "rdp_recv_autodetect_request_packet",
- "autodetect_recv_rtt_measure_request",
- "autodetect_send_rtt_measure_response"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "static BOOL autodetect_recv_bandwidth_measure_payload(rdpRdp* rdp, wStream* s,\n AUTODETECT_REQ_PDU* autodetectReqPdu)\n{\n\tUINT16 payloadLength;\n\n\tif (autodetectReqPdu->headerLength != 0x08)\n\t\treturn FALSE;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, payloadLength); /* payloadLength (2 bytes) */\n\tif (!Stream_SafeSeek(s, payloadLength))\n\t\treturn FALSE;\n\tWLog_DBG(AUTODETECT_TAG, \"received Bandwidth Measure Payload PDU -> payloadLength=%\" PRIu16 \"\",\n\t payloadLength);\n\t/* Add the payload length to the bandwidth measurement parameters */\n\trdp->autodetect->bandwidthMeasureByteCount += payloadLength;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 337919979129268049322478099158481414289,
- "size": 20,
- "commit_id": "f5e73cc7c9cd973b516a618da877c87b80950b65",
- "message": "Fixed #6009: Bounds checks in autodetect_recv_bandwidth_measure_results",
- "target": 0,
- "dataset": "other",
- "idx": 434152
- },
- {
- "func": "static BOOL autodetect_send_bandwidth_measure_results(rdpRdp* rdp, UINT16 responseType,\n UINT16 sequenceNumber)\n{\n\tBOOL success = TRUE;\n\twStream* s;\n\tUINT64 timeDelta;\n\t/* Compute the total time */\n\ttimeDelta = GetTickCount64() - rdp->autodetect->bandwidthMeasureStartTime;\n\t/* Send the result PDU to the server */\n\ts = rdp_message_channel_pdu_init(rdp);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tWLog_VRB(AUTODETECT_TAG,\n\t \"sending Bandwidth Measure Results PDU -> timeDelta=%\" PRIu32 \", byteCount=%\" PRIu32\n\t \"\",\n\t timeDelta, rdp->autodetect->bandwidthMeasureByteCount);\n\tStream_Write_UINT8(s, 0x0E); /* headerLength (1 byte) */\n\tStream_Write_UINT8(s, TYPE_ID_AUTODETECT_RESPONSE); /* headerTypeId (1 byte) */\n\tStream_Write_UINT16(s, sequenceNumber); /* sequenceNumber (2 bytes) */\n\tStream_Write_UINT16(s, responseType); /* responseType (1 byte) */\n\tStream_Write_UINT32(s, timeDelta); /* timeDelta (4 bytes) */\n\tStream_Write_UINT32(s, rdp->autodetect->bandwidthMeasureByteCount); /* byteCount (4 bytes) */\n\tIFCALLRET(rdp->autodetect->ClientBandwidthMeasureResult, success, rdp->context,\n\t rdp->autodetect);\n\n\tif (!success)\n\t\treturn FALSE;\n\n\treturn rdp_send_message_channel_pdu(rdp, s, SEC_AUTODETECT_RSP);\n}",
- "project": "FreeRDP",
- "hash": 322009467810762472454222490766962838779,
- "size": 32,
- "commit_id": "f5e73cc7c9cd973b516a618da877c87b80950b65",
- "message": "Fixed #6009: Bounds checks in autodetect_recv_bandwidth_measure_results",
- "target": 0,
- "dataset": "other",
- "idx": 434138
- },
- {
- "func": "static BOOL autodetect_send_rtt_measure_response(rdpRdp* rdp, UINT16 sequenceNumber)\n{\n\twStream* s;\n\t/* Send the response PDU to the server */\n\ts = rdp_message_channel_pdu_init(rdp);\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tWLog_VRB(AUTODETECT_TAG, \"sending RTT Measure Response PDU\");\n\tStream_Write_UINT8(s, 0x06); /* headerLength (1 byte) */\n\tStream_Write_UINT8(s, TYPE_ID_AUTODETECT_RESPONSE); /* headerTypeId (1 byte) */\n\tStream_Write_UINT16(s, sequenceNumber); /* sequenceNumber (2 bytes) */\n\tStream_Write_UINT16(s, RDP_RTT_RESPONSE_TYPE); /* responseType (1 byte) */\n\treturn rdp_send_message_channel_pdu(rdp, s, SEC_AUTODETECT_RSP);\n}",
- "project": "FreeRDP",
- "hash": 300752517779421708413144763955333017631,
- "size": 16,
- "commit_id": "f5e73cc7c9cd973b516a618da877c87b80950b65",
- "message": "Fixed #6009: Bounds checks in autodetect_recv_bandwidth_measure_results",
- "target": 0,
- "dataset": "other",
- "idx": 434139
- },
- {
- "func": "static BOOL autodetect_recv_bandwidth_measure_start(rdpRdp* rdp, wStream* s,\n AUTODETECT_REQ_PDU* autodetectReqPdu)\n{\n\tif (autodetectReqPdu->headerLength != 0x06)\n\t\treturn FALSE;\n\n\tWLog_VRB(AUTODETECT_TAG, \"received Bandwidth Measure Start PDU - time=%\" PRIu64 \"\",\n\t GetTickCount64());\n\t/* Initialize bandwidth measurement parameters */\n\trdp->autodetect->bandwidthMeasureStartTime = GetTickCount64();\n\trdp->autodetect->bandwidthMeasureByteCount = 0;\n\n\t/* Continuous Auto-Detection: mark the start of the measurement */\n\tif (autodetectReqPdu->requestType == RDP_BW_START_REQUEST_TYPE_CONTINUOUS)\n\t{\n\t\trdp->autodetect->bandwidthMeasureStarted = TRUE;\n\t}\n\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 29583987632282141180988489404379919590,
- "size": 20,
- "commit_id": "f5e73cc7c9cd973b516a618da877c87b80950b65",
- "message": "Fixed #6009: Bounds checks in autodetect_recv_bandwidth_measure_results",
- "target": 0,
- "dataset": "other",
- "idx": 434148
- },
- {
- "func": "static BOOL autodetect_recv_bandwidth_measure_stop(rdpRdp* rdp, wStream* s,\n AUTODETECT_REQ_PDU* autodetectReqPdu)\n{\n\tUINT16 payloadLength;\n\tUINT16 responseType;\n\n\tif (autodetectReqPdu->requestType == RDP_BW_STOP_REQUEST_TYPE_CONNECTTIME)\n\t{\n\t\tif (autodetectReqPdu->headerLength != 0x08)\n\t\t\treturn FALSE;\n\n\t\tif (Stream_GetRemainingLength(s) < 2)\n\t\t\treturn FALSE;\n\n\t\tStream_Read_UINT16(s, payloadLength); /* payloadLength (2 bytes) */\n\t}\n\telse\n\t{\n\t\tif (autodetectReqPdu->headerLength != 0x06)\n\t\t\treturn FALSE;\n\n\t\tpayloadLength = 0;\n\t}\n\n\tif (!Stream_SafeSeek(s, payloadLength))\n\t\treturn FALSE;\n\n\tWLog_VRB(AUTODETECT_TAG, \"received Bandwidth Measure Stop PDU -> payloadLength=%\" PRIu16 \"\",\n\t payloadLength);\n\t/* Add the payload length to the bandwidth measurement parameters */\n\trdp->autodetect->bandwidthMeasureByteCount += payloadLength;\n\n\t/* Continuous Auto-Detection: mark the stop of the measurement */\n\tif (autodetectReqPdu->requestType == RDP_BW_STOP_REQUEST_TYPE_CONTINUOUS)\n\t{\n\t\trdp->autodetect->bandwidthMeasureStarted = FALSE;\n\t}\n\n\t/* Send a response the server */\n\tresponseType = autodetectReqPdu->requestType == RDP_BW_STOP_REQUEST_TYPE_CONNECTTIME\n\t ? RDP_BW_RESULTS_RESPONSE_TYPE_CONNECTTIME\n\t : RDP_BW_RESULTS_RESPONSE_TYPE_CONTINUOUS;\n\treturn autodetect_send_bandwidth_measure_results(rdp, responseType,\n\t autodetectReqPdu->sequenceNumber);\n}",
- "project": "FreeRDP",
- "hash": 71042584829967519040970981149564740055,
- "size": 45,
- "commit_id": "f5e73cc7c9cd973b516a618da877c87b80950b65",
- "message": "Fixed #6009: Bounds checks in autodetect_recv_bandwidth_measure_results",
- "target": 0,
- "dataset": "other",
- "idx": 434157
- },
- {
- "func": "int rdp_recv_autodetect_request_packet(rdpRdp* rdp, wStream* s)\n{\n\tAUTODETECT_REQ_PDU autodetectReqPdu;\n\tBOOL success = FALSE;\n\n\tif (Stream_GetRemainingLength(s) < 6)\n\t\treturn -1;\n\n\tStream_Read_UINT8(s, autodetectReqPdu.headerLength); /* headerLength (1 byte) */\n\tStream_Read_UINT8(s, autodetectReqPdu.headerTypeId); /* headerTypeId (1 byte) */\n\tStream_Read_UINT16(s, autodetectReqPdu.sequenceNumber); /* sequenceNumber (2 bytes) */\n\tStream_Read_UINT16(s, autodetectReqPdu.requestType); /* requestType (2 bytes) */\n\tWLog_VRB(AUTODETECT_TAG,\n\t \"rdp_recv_autodetect_request_packet: headerLength=%\" PRIu8 \", headerTypeId=%\" PRIu8\n\t \", sequenceNumber=%\" PRIu16 \", requestType=%04\" PRIx16 \"\",\n\t autodetectReqPdu.headerLength, autodetectReqPdu.headerTypeId,\n\t autodetectReqPdu.sequenceNumber, autodetectReqPdu.requestType);\n\n\tif (autodetectReqPdu.headerTypeId != TYPE_ID_AUTODETECT_REQUEST)\n\t\treturn -1;\n\n\tswitch (autodetectReqPdu.requestType)\n\t{\n\t\tcase RDP_RTT_REQUEST_TYPE_CONTINUOUS:\n\t\tcase RDP_RTT_REQUEST_TYPE_CONNECTTIME:\n\t\t\t/* RTT Measure Request (RDP_RTT_REQUEST) - MS-RDPBCGR 2.2.14.1.1 */\n\t\t\tsuccess = autodetect_recv_rtt_measure_request(rdp, s, &autodetectReqPdu);\n\t\t\tbreak;\n\n\t\tcase RDP_BW_START_REQUEST_TYPE_CONTINUOUS:\n\t\tcase RDP_BW_START_REQUEST_TYPE_TUNNEL:\n\t\tcase RDP_BW_START_REQUEST_TYPE_CONNECTTIME:\n\t\t\t/* Bandwidth Measure Start (RDP_BW_START) - MS-RDPBCGR 2.2.14.1.2 */\n\t\t\tsuccess = autodetect_recv_bandwidth_measure_start(rdp, s, &autodetectReqPdu);\n\t\t\tbreak;\n\n\t\tcase RDP_BW_PAYLOAD_REQUEST_TYPE:\n\t\t\t/* Bandwidth Measure Payload (RDP_BW_PAYLOAD) - MS-RDPBCGR 2.2.14.1.3 */\n\t\t\tsuccess = autodetect_recv_bandwidth_measure_payload(rdp, s, &autodetectReqPdu);\n\t\t\tbreak;\n\n\t\tcase RDP_BW_STOP_REQUEST_TYPE_CONNECTTIME:\n\t\tcase RDP_BW_STOP_REQUEST_TYPE_CONTINUOUS:\n\t\tcase RDP_BW_STOP_REQUEST_TYPE_TUNNEL:\n\t\t\t/* Bandwidth Measure Stop (RDP_BW_STOP) - MS-RDPBCGR 
2.2.14.1.4 */\n\t\t\tsuccess = autodetect_recv_bandwidth_measure_stop(rdp, s, &autodetectReqPdu);\n\t\t\tbreak;\n\n\t\tcase 0x0840:\n\t\tcase 0x0880:\n\t\tcase 0x08C0:\n\t\t\t/* Network Characteristics Result (RDP_NETCHAR_RESULT) - MS-RDPBCGR 2.2.14.1.5 */\n\t\t\tsuccess = autodetect_recv_netchar_result(rdp, s, &autodetectReqPdu);\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tbreak;\n\t}\n\n\treturn success ? 0 : -1;\n}",
- "project": "FreeRDP",
- "hash": 39594371236478491083915817460705255754,
- "size": 61,
- "commit_id": "f5e73cc7c9cd973b516a618da877c87b80950b65",
- "message": "Fixed #6009: Bounds checks in autodetect_recv_bandwidth_measure_results",
- "target": 0,
- "dataset": "other",
- "idx": 434140
- },
- {
- "func": "static BOOL autodetect_recv_netchar_result(rdpRdp* rdp, wStream* s,\n AUTODETECT_REQ_PDU* autodetectReqPdu)\n{\n\tBOOL success = TRUE;\n\n\tswitch (autodetectReqPdu->requestType)\n\t{\n\t\tcase 0x0840:\n\n\t\t\t/* baseRTT and averageRTT fields are present (bandwidth field is not) */\n\t\t\tif ((autodetectReqPdu->headerLength != 0x0E) || (Stream_GetRemainingLength(s) < 8))\n\t\t\t\treturn FALSE;\n\n\t\t\tStream_Read_UINT32(s, rdp->autodetect->netCharBaseRTT); /* baseRTT (4 bytes) */\n\t\t\tStream_Read_UINT32(s, rdp->autodetect->netCharAverageRTT); /* averageRTT (4 bytes) */\n\t\t\tbreak;\n\n\t\tcase 0x0880:\n\n\t\t\t/* bandwidth and averageRTT fields are present (baseRTT field is not) */\n\t\t\tif ((autodetectReqPdu->headerLength != 0x0E) || (Stream_GetRemainingLength(s) < 8))\n\t\t\t\treturn FALSE;\n\n\t\t\tStream_Read_UINT32(s, rdp->autodetect->netCharBandwidth); /* bandwidth (4 bytes) */\n\t\t\tStream_Read_UINT32(s, rdp->autodetect->netCharAverageRTT); /* averageRTT (4 bytes) */\n\t\t\tbreak;\n\n\t\tcase 0x08C0:\n\n\t\t\t/* baseRTT, bandwidth, and averageRTT fields are present */\n\t\t\tif ((autodetectReqPdu->headerLength != 0x12) || (Stream_GetRemainingLength(s) < 12))\n\t\t\t\treturn FALSE;\n\n\t\t\tStream_Read_UINT32(s, rdp->autodetect->netCharBaseRTT); /* baseRTT (4 bytes) */\n\t\t\tStream_Read_UINT32(s, rdp->autodetect->netCharBandwidth); /* bandwidth (4 bytes) */\n\t\t\tStream_Read_UINT32(s, rdp->autodetect->netCharAverageRTT); /* averageRTT (4 bytes) */\n\t\t\tbreak;\n\t}\n\n\tWLog_VRB(AUTODETECT_TAG,\n\t \"received Network Characteristics Result PDU -> baseRTT=%\" PRIu32\n\t \", bandwidth=%\" PRIu32 \", averageRTT=%\" PRIu32 \"\",\n\t rdp->autodetect->netCharBaseRTT, rdp->autodetect->netCharBandwidth,\n\t rdp->autodetect->netCharAverageRTT);\n\tIFCALLRET(rdp->autodetect->NetworkCharacteristicsResult, success, rdp->context,\n\t autodetectReqPdu->sequenceNumber);\n\treturn success;\n}",
- "project": "FreeRDP",
- "hash": 129515073967912796909780175736799164859,
- "size": 48,
- "commit_id": "f5e73cc7c9cd973b516a618da877c87b80950b65",
- "message": "Fixed #6009: Bounds checks in autodetect_recv_bandwidth_measure_results",
- "target": 0,
- "dataset": "other",
- "idx": 434133
- },
- {
- "func": "static BOOL autodetect_recv_rtt_measure_request(rdpRdp* rdp, wStream* s,\n AUTODETECT_REQ_PDU* autodetectReqPdu)\n{\n\tif (autodetectReqPdu->headerLength != 0x06)\n\t\treturn FALSE;\n\n\tWLog_VRB(AUTODETECT_TAG, \"received RTT Measure Request PDU\");\n\t/* Send a response to the server */\n\treturn autodetect_send_rtt_measure_response(rdp, autodetectReqPdu->sequenceNumber);\n}",
- "project": "FreeRDP",
- "hash": 193019547130700004675180444091938847103,
- "size": 10,
- "commit_id": "f5e73cc7c9cd973b516a618da877c87b80950b65",
- "message": "Fixed #6009: Bounds checks in autodetect_recv_bandwidth_measure_results",
- "target": 0,
- "dataset": "other",
- "idx": 434151
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "v4l_enumstd",
- "v4l_video_std_enumstd",
- "v4l2_video_std_construct",
- "v4l2_video_std_frame_period"
- ],
- "group_size": 21,
- "functions": [
- {
- "func": "static int v4l_dqbuf(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_buffer *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\treturn ret ? ret : ops->vidioc_dqbuf(file, fh, p);\n}",
- "project": "linux",
- "hash": 52691748936560615690582291522302673890,
- "size": 8,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381470
- },
- {
- "func": "static int v4l_create_bufs(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_create_buffers *create = arg;\n\tint ret = check_fmt(file, create->format.type);\n\n\tif (ret)\n\t\treturn ret;\n\n\tCLEAR_AFTER_FIELD(create, capabilities);\n\n\tv4l_sanitize_format(&create->format);\n\n\tret = ops->vidioc_create_bufs(file, fh, create);\n\n\tif (create->format.type == V4L2_BUF_TYPE_VIDEO_CAPTURE ||\n\t create->format.type == V4L2_BUF_TYPE_VIDEO_OUTPUT)\n\t\tcreate->format.fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 62121059000265789082663182956814599375,
- "size": 21,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381476
- },
- {
- "func": "static int v4l_prepare_buf(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_buffer *b = arg;\n\tint ret = check_fmt(file, b->type);\n\n\treturn ret ? ret : ops->vidioc_prepare_buf(file, fh, b);\n}",
- "project": "linux",
- "hash": 93593508668867886508753059939189803048,
- "size": 8,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381446
- },
- {
- "func": "static int v4l_g_parm(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_streamparm *p = arg;\n\tv4l2_std_id std;\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\tif (ops->vidioc_g_parm)\n\t\treturn ops->vidioc_g_parm(file, fh, p);\n\tif (p->type != V4L2_BUF_TYPE_VIDEO_CAPTURE &&\n\t p->type != V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)\n\t\treturn -EINVAL;\n\tp->parm.capture.readbuffers = 2;\n\tret = ops->vidioc_g_std(file, fh, &std);\n\tif (ret == 0)\n\t\tv4l2_video_std_frame_period(std, &p->parm.capture.timeperframe);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 285217389858183627080514663830040305361,
- "size": 20,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381463
- },
- {
- "func": "static int v4l_reqbufs(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_requestbuffers *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\n\tCLEAR_AFTER_FIELD(p, capabilities);\n\n\treturn ops->vidioc_reqbufs(file, fh, p);\n}",
- "project": "linux",
- "hash": 240349342782416093504801919514051773914,
- "size": 13,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381542
- },
- {
- "func": "int v4l2_video_std_construct(struct v4l2_standard *vs,\n\t\t\t int id, const char *name)\n{\n\tvs->id = id;\n\tv4l2_video_std_frame_period(id, &vs->frameperiod);\n\tvs->framelines = (id & V4L2_STD_525_60) ? 525 : 625;\n\tstrscpy(vs->name, name, sizeof(vs->name));\n\treturn 0;\n}",
- "project": "linux",
- "hash": 120352557544698135776876024147406169370,
- "size": 9,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381439
- },
- {
- "func": "int v4l_video_std_enumstd(struct v4l2_standard *vs, v4l2_std_id id)\n{\n\tv4l2_std_id curr_id = 0;\n\tunsigned int index = vs->index, i, j = 0;\n\tconst char *descr = \"\";\n\n\t/* Return -ENODATA if the id for the current input\n\t or output is 0, meaning that it doesn't support this API. */\n\tif (id == 0)\n\t\treturn -ENODATA;\n\n\t/* Return norm array in a canonical way */\n\tfor (i = 0; i <= index && id; i++) {\n\t\t/* last std value in the standards array is 0, so this\n\t\t while always ends there since (id & 0) == 0. */\n\t\twhile ((id & standards[j].std) != standards[j].std)\n\t\t\tj++;\n\t\tcurr_id = standards[j].std;\n\t\tdescr = standards[j].descr;\n\t\tj++;\n\t\tif (curr_id == 0)\n\t\t\tbreak;\n\t\tif (curr_id != V4L2_STD_PAL &&\n\t\t\t\tcurr_id != V4L2_STD_SECAM &&\n\t\t\t\tcurr_id != V4L2_STD_NTSC)\n\t\t\tid &= ~curr_id;\n\t}\n\tif (i <= index)\n\t\treturn -EINVAL;\n\n\tv4l2_video_std_construct(vs, curr_id, descr);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 178397725439587788310168144641963259498,
- "size": 33,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381433
- },
- {
- "func": "void v4l2_video_std_frame_period(int id, struct v4l2_fract *frameperiod)\n{\n\tif (id & V4L2_STD_525_60) {\n\t\tframeperiod->numerator = 1001;\n\t\tframeperiod->denominator = 30000;\n\t} else {\n\t\tframeperiod->numerator = 1;\n\t\tframeperiod->denominator = 25;\n\t}\n}",
- "project": "linux",
- "hash": 148089183722148806808021314289397622229,
- "size": 10,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381520
- },
- {
- "func": "static int v4l_qbuf(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_buffer *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\treturn ret ? ret : ops->vidioc_qbuf(file, fh, p);\n}",
- "project": "linux",
- "hash": 157222351844404168784673082968847329956,
- "size": 8,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381445
- },
- {
- "func": "static int v4l_g_sliced_vbi_cap(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_sliced_vbi_cap *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\n\t/* Clear up to type, everything after type is zeroed already */\n\tmemset(p, 0, offsetof(struct v4l2_sliced_vbi_cap, type));\n\n\treturn ops->vidioc_g_sliced_vbi_cap(file, fh, p);\n}",
- "project": "linux",
- "hash": 329128045205648246809876828593763808289,
- "size": 14,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381454
- },
- {
- "func": "static void v4l_pix_format_touch(struct v4l2_pix_format *p)\n{\n\t/*\n\t * The v4l2_pix_format structure contains fields that make no sense for\n\t * touch. Set them to default values in this case.\n\t */\n\n\tp->field = V4L2_FIELD_NONE;\n\tp->colorspace = V4L2_COLORSPACE_RAW;\n\tp->flags = 0;\n\tp->ycbcr_enc = 0;\n\tp->quantization = 0;\n\tp->xfer_func = 0;\n}",
- "project": "linux",
- "hash": 137219025372022743751639520916036802044,
- "size": 14,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381474
- },
- {
- "func": "static int v4l_enum_fmt(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct video_device *vdev = video_devdata(file);\n\tstruct v4l2_fmtdesc *p = arg;\n\tint ret = check_fmt(file, p->type);\n\tu32 mbus_code;\n\tu32 cap_mask;\n\n\tif (ret)\n\t\treturn ret;\n\tret = -EINVAL;\n\n\tif (!(vdev->device_caps & V4L2_CAP_IO_MC))\n\t\tp->mbus_code = 0;\n\n\tmbus_code = p->mbus_code;\n\tCLEAR_AFTER_FIELD(p, type);\n\tp->mbus_code = mbus_code;\n\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\tcap_mask = V4L2_CAP_VIDEO_CAPTURE_MPLANE |\n\t\t\t V4L2_CAP_VIDEO_M2M_MPLANE;\n\t\tif (!!(vdev->device_caps & cap_mask) !=\n\t\t (p->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE))\n\t\t\tbreak;\n\n\t\tif (unlikely(!ops->vidioc_enum_fmt_vid_cap))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_vid_cap(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_vid_overlay))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_vid_overlay(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\tcap_mask = V4L2_CAP_VIDEO_OUTPUT_MPLANE |\n\t\t\t V4L2_CAP_VIDEO_M2M_MPLANE;\n\t\tif (!!(vdev->device_caps & cap_mask) !=\n\t\t (p->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE))\n\t\t\tbreak;\n\n\t\tif (unlikely(!ops->vidioc_enum_fmt_vid_out))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_vid_out(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_sdr_cap))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_sdr_cap(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_sdr_out))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_sdr_out(file, fh, arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_meta_cap))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_meta_cap(file, fh, 
arg);\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_enum_fmt_meta_out))\n\t\t\tbreak;\n\t\tret = ops->vidioc_enum_fmt_meta_out(file, fh, arg);\n\t\tbreak;\n\t}\n\tif (ret == 0)\n\t\tv4l_fill_fmtdesc(p);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 90328786900484574553755598205915494385,
- "size": 75,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381443
- },
- {
- "func": "static void v4l_sanitize_format(struct v4l2_format *fmt)\n{\n\tunsigned int offset;\n\n\t/* Make sure num_planes is not bogus */\n\tif (fmt->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE ||\n\t fmt->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE)\n\t\tfmt->fmt.pix_mp.num_planes = min_t(u32, fmt->fmt.pix_mp.num_planes,\n\t\t\t\t\t VIDEO_MAX_PLANES);\n\n\t/*\n\t * The v4l2_pix_format structure has been extended with fields that were\n\t * not previously required to be set to zero by applications. The priv\n\t * field, when set to a magic value, indicates the the extended fields\n\t * are valid. Otherwise they will contain undefined values. To simplify\n\t * the API towards drivers zero the extended fields and set the priv\n\t * field to the magic value when the extended pixel format structure\n\t * isn't used by applications.\n\t */\n\n\tif (fmt->type != V4L2_BUF_TYPE_VIDEO_CAPTURE &&\n\t fmt->type != V4L2_BUF_TYPE_VIDEO_OUTPUT)\n\t\treturn;\n\n\tif (fmt->fmt.pix.priv == V4L2_PIX_FMT_PRIV_MAGIC)\n\t\treturn;\n\n\tfmt->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\n\toffset = offsetof(struct v4l2_pix_format, priv)\n\t + sizeof(fmt->fmt.pix.priv);\n\tmemset(((void *)&fmt->fmt.pix) + offset, 0,\n\t sizeof(fmt->fmt.pix) - offset);\n}",
- "project": "linux",
- "hash": 25238072194471410135196938329748927821,
- "size": 34,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381536
- },
- {
- "func": "static int v4l_querybuf(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_buffer *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\treturn ret ? ret : ops->vidioc_querybuf(file, fh, p);\n}",
- "project": "linux",
- "hash": 249838897503378101136415139617656208493,
- "size": 8,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381466
- },
- {
- "func": "static int v4l_enumstd(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct video_device *vfd = video_devdata(file);\n\tstruct v4l2_standard *p = arg;\n\n\treturn v4l_video_std_enumstd(p, vfd->tvnorms);\n}",
- "project": "linux",
- "hash": 159782614002686590299693129890328166837,
- "size": 8,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381486
- },
- {
- "func": "static int v4l_g_fmt(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_format *p = arg;\n\tstruct video_device *vfd = video_devdata(file);\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\n\t/*\n\t * fmt can't be cleared for these overlay types due to the 'clips'\n\t * 'clipcount' and 'bitmap' pointers in struct v4l2_window.\n\t * Those are provided by the user. So handle these two overlay types\n\t * first, and then just do a simple memset for the other types.\n\t */\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: {\n\t\tstruct v4l2_clip *clips = p->fmt.win.clips;\n\t\tu32 clipcount = p->fmt.win.clipcount;\n\t\tvoid __user *bitmap = p->fmt.win.bitmap;\n\n\t\tmemset(&p->fmt, 0, sizeof(p->fmt));\n\t\tp->fmt.win.clips = clips;\n\t\tp->fmt.win.clipcount = clipcount;\n\t\tp->fmt.win.bitmap = bitmap;\n\t\tbreak;\n\t}\n\tdefault:\n\t\tmemset(&p->fmt, 0, sizeof(p->fmt));\n\t\tbreak;\n\t}\n\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_g_fmt_vid_cap))\n\t\t\tbreak;\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tret = ops->vidioc_g_fmt_vid_cap(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tif (vfd->vfl_type == VFL_TYPE_TOUCH)\n\t\t\tv4l_pix_format_touch(&p->fmt.pix);\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\treturn ops->vidioc_g_fmt_vid_cap_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\treturn ops->vidioc_g_fmt_vid_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_CAPTURE:\n\t\treturn ops->vidioc_g_fmt_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:\n\t\treturn ops->vidioc_g_fmt_sliced_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_g_fmt_vid_out))\n\t\t\tbreak;\n\t\tp->fmt.pix.priv = 
V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tret = ops->vidioc_g_fmt_vid_out(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\treturn ops->vidioc_g_fmt_vid_out_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:\n\t\treturn ops->vidioc_g_fmt_vid_out_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_OUTPUT:\n\t\treturn ops->vidioc_g_fmt_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:\n\t\treturn ops->vidioc_g_fmt_sliced_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\treturn ops->vidioc_g_fmt_sdr_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\treturn ops->vidioc_g_fmt_sdr_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\treturn ops->vidioc_g_fmt_meta_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\treturn ops->vidioc_g_fmt_meta_out(file, fh, arg);\n\t}\n\treturn -EINVAL;\n}",
- "project": "linux",
- "hash": 235318075384291975866263478208759487946,
- "size": 80,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381427
- },
- {
- "func": "static void v4l_fill_fmtdesc(struct v4l2_fmtdesc *fmt)\n{\n\tconst unsigned sz = sizeof(fmt->description);\n\tconst char *descr = NULL;\n\tu32 flags = 0;\n\n\t/*\n\t * We depart from the normal coding style here since the descriptions\n\t * should be aligned so it is easy to see which descriptions will be\n\t * longer than 31 characters (the max length for a description).\n\t * And frankly, this is easier to read anyway.\n\t *\n\t * Note that gcc will use O(log N) comparisons to find the right case.\n\t */\n\tswitch (fmt->pixelformat) {\n\t/* Max description length mask:\tdescr = \"0123456789012345678901234567890\" */\n\tcase V4L2_PIX_FMT_RGB332:\tdescr = \"8-bit RGB 3-3-2\"; break;\n\tcase V4L2_PIX_FMT_RGB444:\tdescr = \"16-bit A/XRGB 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_ARGB444:\tdescr = \"16-bit ARGB 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_XRGB444:\tdescr = \"16-bit XRGB 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_RGBA444:\tdescr = \"16-bit RGBA 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_RGBX444:\tdescr = \"16-bit RGBX 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_ABGR444:\tdescr = \"16-bit ABGR 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_XBGR444:\tdescr = \"16-bit XBGR 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_BGRA444:\tdescr = \"16-bit BGRA 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_BGRX444:\tdescr = \"16-bit BGRX 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_RGB555:\tdescr = \"16-bit A/XRGB 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_ARGB555:\tdescr = \"16-bit ARGB 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_XRGB555:\tdescr = \"16-bit XRGB 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_ABGR555:\tdescr = \"16-bit ABGR 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_XBGR555:\tdescr = \"16-bit XBGR 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_RGBA555:\tdescr = \"16-bit RGBA 5-5-5-1\"; break;\n\tcase V4L2_PIX_FMT_RGBX555:\tdescr = \"16-bit RGBX 5-5-5-1\"; break;\n\tcase V4L2_PIX_FMT_BGRA555:\tdescr = \"16-bit BGRA 5-5-5-1\"; break;\n\tcase V4L2_PIX_FMT_BGRX555:\tdescr = \"16-bit BGRX 5-5-5-1\"; break;\n\tcase 
V4L2_PIX_FMT_RGB565:\tdescr = \"16-bit RGB 5-6-5\"; break;\n\tcase V4L2_PIX_FMT_RGB555X:\tdescr = \"16-bit A/XRGB 1-5-5-5 BE\"; break;\n\tcase V4L2_PIX_FMT_ARGB555X:\tdescr = \"16-bit ARGB 1-5-5-5 BE\"; break;\n\tcase V4L2_PIX_FMT_XRGB555X:\tdescr = \"16-bit XRGB 1-5-5-5 BE\"; break;\n\tcase V4L2_PIX_FMT_RGB565X:\tdescr = \"16-bit RGB 5-6-5 BE\"; break;\n\tcase V4L2_PIX_FMT_BGR666:\tdescr = \"18-bit BGRX 6-6-6-14\"; break;\n\tcase V4L2_PIX_FMT_BGR24:\tdescr = \"24-bit BGR 8-8-8\"; break;\n\tcase V4L2_PIX_FMT_RGB24:\tdescr = \"24-bit RGB 8-8-8\"; break;\n\tcase V4L2_PIX_FMT_BGR32:\tdescr = \"32-bit BGRA/X 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_ABGR32:\tdescr = \"32-bit BGRA 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_XBGR32:\tdescr = \"32-bit BGRX 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_RGB32:\tdescr = \"32-bit A/XRGB 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_ARGB32:\tdescr = \"32-bit ARGB 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_XRGB32:\tdescr = \"32-bit XRGB 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_BGRA32:\tdescr = \"32-bit ABGR 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_BGRX32:\tdescr = \"32-bit XBGR 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_RGBA32:\tdescr = \"32-bit RGBA 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_RGBX32:\tdescr = \"32-bit RGBX 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_GREY:\t\tdescr = \"8-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y4:\t\tdescr = \"4-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y6:\t\tdescr = \"6-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y10:\t\tdescr = \"10-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y12:\t\tdescr = \"12-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y14:\t\tdescr = \"14-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y16:\t\tdescr = \"16-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y16_BE:\tdescr = \"16-bit Greyscale BE\"; break;\n\tcase V4L2_PIX_FMT_Y10BPACK:\tdescr = \"10-bit Greyscale (Packed)\"; break;\n\tcase V4L2_PIX_FMT_Y10P:\t\tdescr = \"10-bit Greyscale (MIPI Packed)\"; break;\n\tcase V4L2_PIX_FMT_Y8I:\t\tdescr = \"Interleaved 
8-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Y12I:\t\tdescr = \"Interleaved 12-bit Greyscale\"; break;\n\tcase V4L2_PIX_FMT_Z16:\t\tdescr = \"16-bit Depth\"; break;\n\tcase V4L2_PIX_FMT_INZI:\t\tdescr = \"Planar 10:16 Greyscale Depth\"; break;\n\tcase V4L2_PIX_FMT_CNF4:\t\tdescr = \"4-bit Depth Confidence (Packed)\"; break;\n\tcase V4L2_PIX_FMT_PAL8:\t\tdescr = \"8-bit Palette\"; break;\n\tcase V4L2_PIX_FMT_UV8:\t\tdescr = \"8-bit Chrominance UV 4-4\"; break;\n\tcase V4L2_PIX_FMT_YVU410:\tdescr = \"Planar YVU 4:1:0\"; break;\n\tcase V4L2_PIX_FMT_YVU420:\tdescr = \"Planar YVU 4:2:0\"; break;\n\tcase V4L2_PIX_FMT_YUYV:\t\tdescr = \"YUYV 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_YYUV:\t\tdescr = \"YYUV 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_YVYU:\t\tdescr = \"YVYU 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_UYVY:\t\tdescr = \"UYVY 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_VYUY:\t\tdescr = \"VYUY 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_YUV422P:\tdescr = \"Planar YUV 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_YUV411P:\tdescr = \"Planar YUV 4:1:1\"; break;\n\tcase V4L2_PIX_FMT_Y41P:\t\tdescr = \"YUV 4:1:1 (Packed)\"; break;\n\tcase V4L2_PIX_FMT_YUV444:\tdescr = \"16-bit A/XYUV 4-4-4-4\"; break;\n\tcase V4L2_PIX_FMT_YUV555:\tdescr = \"16-bit A/XYUV 1-5-5-5\"; break;\n\tcase V4L2_PIX_FMT_YUV565:\tdescr = \"16-bit YUV 5-6-5\"; break;\n\tcase V4L2_PIX_FMT_YUV32:\tdescr = \"32-bit A/XYUV 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_AYUV32:\tdescr = \"32-bit AYUV 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_XYUV32:\tdescr = \"32-bit XYUV 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_VUYA32:\tdescr = \"32-bit VUYA 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_VUYX32:\tdescr = \"32-bit VUYX 8-8-8-8\"; break;\n\tcase V4L2_PIX_FMT_YUV410:\tdescr = \"Planar YUV 4:1:0\"; break;\n\tcase V4L2_PIX_FMT_YUV420:\tdescr = \"Planar YUV 4:2:0\"; break;\n\tcase V4L2_PIX_FMT_HI240:\tdescr = \"8-bit Dithered RGB (BTTV)\"; break;\n\tcase V4L2_PIX_FMT_HM12:\t\tdescr = \"YUV 4:2:0 (16x16 Macroblocks)\"; break;\n\tcase V4L2_PIX_FMT_M420:\t\tdescr = 
\"YUV 4:2:0 (M420)\"; break;\n\tcase V4L2_PIX_FMT_NV12:\t\tdescr = \"Y/CbCr 4:2:0\"; break;\n\tcase V4L2_PIX_FMT_NV21:\t\tdescr = \"Y/CrCb 4:2:0\"; break;\n\tcase V4L2_PIX_FMT_NV16:\t\tdescr = \"Y/CbCr 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_NV61:\t\tdescr = \"Y/CrCb 4:2:2\"; break;\n\tcase V4L2_PIX_FMT_NV24:\t\tdescr = \"Y/CbCr 4:4:4\"; break;\n\tcase V4L2_PIX_FMT_NV42:\t\tdescr = \"Y/CrCb 4:4:4\"; break;\n\tcase V4L2_PIX_FMT_NV12M:\tdescr = \"Y/CbCr 4:2:0 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV21M:\tdescr = \"Y/CrCb 4:2:0 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV16M:\tdescr = \"Y/CbCr 4:2:2 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV61M:\tdescr = \"Y/CrCb 4:2:2 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV12MT:\tdescr = \"Y/CbCr 4:2:0 (64x32 MB, N-C)\"; break;\n\tcase V4L2_PIX_FMT_NV12MT_16X16:\tdescr = \"Y/CbCr 4:2:0 (16x16 MB, N-C)\"; break;\n\tcase V4L2_PIX_FMT_YUV420M:\tdescr = \"Planar YUV 4:2:0 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YVU420M:\tdescr = \"Planar YVU 4:2:0 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YUV422M:\tdescr = \"Planar YUV 4:2:2 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YVU422M:\tdescr = \"Planar YVU 4:2:2 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YUV444M:\tdescr = \"Planar YUV 4:4:4 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_YVU444M:\tdescr = \"Planar YVU 4:4:4 (N-C)\"; break;\n\tcase V4L2_PIX_FMT_SBGGR8:\tdescr = \"8-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG8:\tdescr = \"8-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG8:\tdescr = \"8-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB8:\tdescr = \"8-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SBGGR10:\tdescr = \"10-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG10:\tdescr = \"10-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG10:\tdescr = \"10-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB10:\tdescr = \"10-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SBGGR10P:\tdescr = \"10-bit Bayer BGBG/GRGR Packed\"; break;\n\tcase V4L2_PIX_FMT_SGBRG10P:\tdescr = 
\"10-bit Bayer GBGB/RGRG Packed\"; break;\n\tcase V4L2_PIX_FMT_SGRBG10P:\tdescr = \"10-bit Bayer GRGR/BGBG Packed\"; break;\n\tcase V4L2_PIX_FMT_SRGGB10P:\tdescr = \"10-bit Bayer RGRG/GBGB Packed\"; break;\n\tcase V4L2_PIX_FMT_IPU3_SBGGR10: descr = \"10-bit bayer BGGR IPU3 Packed\"; break;\n\tcase V4L2_PIX_FMT_IPU3_SGBRG10: descr = \"10-bit bayer GBRG IPU3 Packed\"; break;\n\tcase V4L2_PIX_FMT_IPU3_SGRBG10: descr = \"10-bit bayer GRBG IPU3 Packed\"; break;\n\tcase V4L2_PIX_FMT_IPU3_SRGGB10: descr = \"10-bit bayer RGGB IPU3 Packed\"; break;\n\tcase V4L2_PIX_FMT_SBGGR10ALAW8:\tdescr = \"8-bit Bayer BGBG/GRGR (A-law)\"; break;\n\tcase V4L2_PIX_FMT_SGBRG10ALAW8:\tdescr = \"8-bit Bayer GBGB/RGRG (A-law)\"; break;\n\tcase V4L2_PIX_FMT_SGRBG10ALAW8:\tdescr = \"8-bit Bayer GRGR/BGBG (A-law)\"; break;\n\tcase V4L2_PIX_FMT_SRGGB10ALAW8:\tdescr = \"8-bit Bayer RGRG/GBGB (A-law)\"; break;\n\tcase V4L2_PIX_FMT_SBGGR10DPCM8:\tdescr = \"8-bit Bayer BGBG/GRGR (DPCM)\"; break;\n\tcase V4L2_PIX_FMT_SGBRG10DPCM8:\tdescr = \"8-bit Bayer GBGB/RGRG (DPCM)\"; break;\n\tcase V4L2_PIX_FMT_SGRBG10DPCM8:\tdescr = \"8-bit Bayer GRGR/BGBG (DPCM)\"; break;\n\tcase V4L2_PIX_FMT_SRGGB10DPCM8:\tdescr = \"8-bit Bayer RGRG/GBGB (DPCM)\"; break;\n\tcase V4L2_PIX_FMT_SBGGR12:\tdescr = \"12-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG12:\tdescr = \"12-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG12:\tdescr = \"12-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB12:\tdescr = \"12-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SBGGR12P:\tdescr = \"12-bit Bayer BGBG/GRGR Packed\"; break;\n\tcase V4L2_PIX_FMT_SGBRG12P:\tdescr = \"12-bit Bayer GBGB/RGRG Packed\"; break;\n\tcase V4L2_PIX_FMT_SGRBG12P:\tdescr = \"12-bit Bayer GRGR/BGBG Packed\"; break;\n\tcase V4L2_PIX_FMT_SRGGB12P:\tdescr = \"12-bit Bayer RGRG/GBGB Packed\"; break;\n\tcase V4L2_PIX_FMT_SBGGR14:\tdescr = \"14-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG14:\tdescr = \"14-bit Bayer GBGB/RGRG\"; 
break;\n\tcase V4L2_PIX_FMT_SGRBG14:\tdescr = \"14-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB14:\tdescr = \"14-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SBGGR14P:\tdescr = \"14-bit Bayer BGBG/GRGR Packed\"; break;\n\tcase V4L2_PIX_FMT_SGBRG14P:\tdescr = \"14-bit Bayer GBGB/RGRG Packed\"; break;\n\tcase V4L2_PIX_FMT_SGRBG14P:\tdescr = \"14-bit Bayer GRGR/BGBG Packed\"; break;\n\tcase V4L2_PIX_FMT_SRGGB14P:\tdescr = \"14-bit Bayer RGRG/GBGB Packed\"; break;\n\tcase V4L2_PIX_FMT_SBGGR16:\tdescr = \"16-bit Bayer BGBG/GRGR\"; break;\n\tcase V4L2_PIX_FMT_SGBRG16:\tdescr = \"16-bit Bayer GBGB/RGRG\"; break;\n\tcase V4L2_PIX_FMT_SGRBG16:\tdescr = \"16-bit Bayer GRGR/BGBG\"; break;\n\tcase V4L2_PIX_FMT_SRGGB16:\tdescr = \"16-bit Bayer RGRG/GBGB\"; break;\n\tcase V4L2_PIX_FMT_SN9C20X_I420:\tdescr = \"GSPCA SN9C20X I420\"; break;\n\tcase V4L2_PIX_FMT_SPCA501:\tdescr = \"GSPCA SPCA501\"; break;\n\tcase V4L2_PIX_FMT_SPCA505:\tdescr = \"GSPCA SPCA505\"; break;\n\tcase V4L2_PIX_FMT_SPCA508:\tdescr = \"GSPCA SPCA508\"; break;\n\tcase V4L2_PIX_FMT_STV0680:\tdescr = \"GSPCA STV0680\"; break;\n\tcase V4L2_PIX_FMT_TM6000:\tdescr = \"A/V + VBI Mux Packet\"; break;\n\tcase V4L2_PIX_FMT_CIT_YYVYUY:\tdescr = \"GSPCA CIT YYVYUY\"; break;\n\tcase V4L2_PIX_FMT_KONICA420:\tdescr = \"GSPCA KONICA420\"; break;\n\tcase V4L2_PIX_FMT_HSV24:\tdescr = \"24-bit HSV 8-8-8\"; break;\n\tcase V4L2_PIX_FMT_HSV32:\tdescr = \"32-bit XHSV 8-8-8-8\"; break;\n\tcase V4L2_SDR_FMT_CU8:\t\tdescr = \"Complex U8\"; break;\n\tcase V4L2_SDR_FMT_CU16LE:\tdescr = \"Complex U16LE\"; break;\n\tcase V4L2_SDR_FMT_CS8:\t\tdescr = \"Complex S8\"; break;\n\tcase V4L2_SDR_FMT_CS14LE:\tdescr = \"Complex S14LE\"; break;\n\tcase V4L2_SDR_FMT_RU12LE:\tdescr = \"Real U12LE\"; break;\n\tcase V4L2_SDR_FMT_PCU16BE:\tdescr = \"Planar Complex U16BE\"; break;\n\tcase V4L2_SDR_FMT_PCU18BE:\tdescr = \"Planar Complex U18BE\"; break;\n\tcase V4L2_SDR_FMT_PCU20BE:\tdescr = \"Planar Complex U20BE\"; break;\n\tcase 
V4L2_TCH_FMT_DELTA_TD16:\tdescr = \"16-bit Signed Deltas\"; break;\n\tcase V4L2_TCH_FMT_DELTA_TD08:\tdescr = \"8-bit Signed Deltas\"; break;\n\tcase V4L2_TCH_FMT_TU16:\t\tdescr = \"16-bit Unsigned Touch Data\"; break;\n\tcase V4L2_TCH_FMT_TU08:\t\tdescr = \"8-bit Unsigned Touch Data\"; break;\n\tcase V4L2_META_FMT_VSP1_HGO:\tdescr = \"R-Car VSP1 1-D Histogram\"; break;\n\tcase V4L2_META_FMT_VSP1_HGT:\tdescr = \"R-Car VSP1 2-D Histogram\"; break;\n\tcase V4L2_META_FMT_UVC:\t\tdescr = \"UVC Payload Header Metadata\"; break;\n\tcase V4L2_META_FMT_D4XX:\tdescr = \"Intel D4xx UVC Metadata\"; break;\n\tcase V4L2_META_FMT_VIVID: descr = \"Vivid Metadata\"; break;\n\tcase V4L2_META_FMT_RK_ISP1_PARAMS:\tdescr = \"Rockchip ISP1 3A Parameters\"; break;\n\tcase V4L2_META_FMT_RK_ISP1_STAT_3A:\tdescr = \"Rockchip ISP1 3A Statistics\"; break;\n\n\tdefault:\n\t\t/* Compressed formats */\n\t\tflags = V4L2_FMT_FLAG_COMPRESSED;\n\t\tswitch (fmt->pixelformat) {\n\t\t/* Max description length mask:\tdescr = \"0123456789012345678901234567890\" */\n\t\tcase V4L2_PIX_FMT_MJPEG:\tdescr = \"Motion-JPEG\"; break;\n\t\tcase V4L2_PIX_FMT_JPEG:\t\tdescr = \"JFIF JPEG\"; break;\n\t\tcase V4L2_PIX_FMT_DV:\t\tdescr = \"1394\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG:\t\tdescr = \"MPEG-1/2/4\"; break;\n\t\tcase V4L2_PIX_FMT_H264:\t\tdescr = \"H.264\"; break;\n\t\tcase V4L2_PIX_FMT_H264_NO_SC:\tdescr = \"H.264 (No Start Codes)\"; break;\n\t\tcase V4L2_PIX_FMT_H264_MVC:\tdescr = \"H.264 MVC\"; break;\n\t\tcase V4L2_PIX_FMT_H264_SLICE:\tdescr = \"H.264 Parsed Slice Data\"; break;\n\t\tcase V4L2_PIX_FMT_H263:\t\tdescr = \"H.263\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG1:\tdescr = \"MPEG-1 ES\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG2:\tdescr = \"MPEG-2 ES\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG2_SLICE:\tdescr = \"MPEG-2 Parsed Slice Data\"; break;\n\t\tcase V4L2_PIX_FMT_MPEG4:\tdescr = \"MPEG-4 Part 2 ES\"; break;\n\t\tcase V4L2_PIX_FMT_XVID:\t\tdescr = \"Xvid\"; break;\n\t\tcase V4L2_PIX_FMT_VC1_ANNEX_G:\tdescr = 
\"VC-1 (SMPTE 412M Annex G)\"; break;\n\t\tcase V4L2_PIX_FMT_VC1_ANNEX_L:\tdescr = \"VC-1 (SMPTE 412M Annex L)\"; break;\n\t\tcase V4L2_PIX_FMT_VP8:\t\tdescr = \"VP8\"; break;\n\t\tcase V4L2_PIX_FMT_VP8_FRAME: descr = \"VP8 Frame\"; break;\n\t\tcase V4L2_PIX_FMT_VP9:\t\tdescr = \"VP9\"; break;\n\t\tcase V4L2_PIX_FMT_HEVC:\t\tdescr = \"HEVC\"; break; /* aka H.265 */\n\t\tcase V4L2_PIX_FMT_HEVC_SLICE:\tdescr = \"HEVC Parsed Slice Data\"; break;\n\t\tcase V4L2_PIX_FMT_FWHT:\t\tdescr = \"FWHT\"; break; /* used in vicodec */\n\t\tcase V4L2_PIX_FMT_FWHT_STATELESS:\tdescr = \"FWHT Stateless\"; break; /* used in vicodec */\n\t\tcase V4L2_PIX_FMT_CPIA1:\tdescr = \"GSPCA CPiA YUV\"; break;\n\t\tcase V4L2_PIX_FMT_WNVA:\t\tdescr = \"WNVA\"; break;\n\t\tcase V4L2_PIX_FMT_SN9C10X:\tdescr = \"GSPCA SN9C10X\"; break;\n\t\tcase V4L2_PIX_FMT_PWC1:\t\tdescr = \"Raw Philips Webcam Type (Old)\"; break;\n\t\tcase V4L2_PIX_FMT_PWC2:\t\tdescr = \"Raw Philips Webcam Type (New)\"; break;\n\t\tcase V4L2_PIX_FMT_ET61X251:\tdescr = \"GSPCA ET61X251\"; break;\n\t\tcase V4L2_PIX_FMT_SPCA561:\tdescr = \"GSPCA SPCA561\"; break;\n\t\tcase V4L2_PIX_FMT_PAC207:\tdescr = \"GSPCA PAC207\"; break;\n\t\tcase V4L2_PIX_FMT_MR97310A:\tdescr = \"GSPCA MR97310A\"; break;\n\t\tcase V4L2_PIX_FMT_JL2005BCD:\tdescr = \"GSPCA JL2005BCD\"; break;\n\t\tcase V4L2_PIX_FMT_SN9C2028:\tdescr = \"GSPCA SN9C2028\"; break;\n\t\tcase V4L2_PIX_FMT_SQ905C:\tdescr = \"GSPCA SQ905C\"; break;\n\t\tcase V4L2_PIX_FMT_PJPG:\t\tdescr = \"GSPCA PJPG\"; break;\n\t\tcase V4L2_PIX_FMT_OV511:\tdescr = \"GSPCA OV511\"; break;\n\t\tcase V4L2_PIX_FMT_OV518:\tdescr = \"GSPCA OV518\"; break;\n\t\tcase V4L2_PIX_FMT_JPGL:\t\tdescr = \"JPEG Lite\"; break;\n\t\tcase V4L2_PIX_FMT_SE401:\tdescr = \"GSPCA SE401\"; break;\n\t\tcase V4L2_PIX_FMT_S5C_UYVY_JPG:\tdescr = \"S5C73MX interleaved UYVY/JPEG\"; break;\n\t\tcase V4L2_PIX_FMT_MT21C:\tdescr = \"Mediatek Compressed Format\"; break;\n\t\tcase V4L2_PIX_FMT_SUNXI_TILED_NV12: descr = \"Sunxi Tiled NV12 
Format\"; break;\n\t\tdefault:\n\t\t\tif (fmt->description[0])\n\t\t\t\treturn;\n\t\t\tWARN(1, \"Unknown pixelformat 0x%08x\\n\", fmt->pixelformat);\n\t\t\tflags = 0;\n\t\t\tsnprintf(fmt->description, sz, \"%c%c%c%c%s\",\n\t\t\t\t\t(char)(fmt->pixelformat & 0x7f),\n\t\t\t\t\t(char)((fmt->pixelformat >> 8) & 0x7f),\n\t\t\t\t\t(char)((fmt->pixelformat >> 16) & 0x7f),\n\t\t\t\t\t(char)((fmt->pixelformat >> 24) & 0x7f),\n\t\t\t\t\t(fmt->pixelformat & (1UL << 31)) ? \"-BE\" : \"\");\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (descr)\n\t\tWARN_ON(strscpy(fmt->description, descr, sz) < 0);\n\tfmt->flags |= flags;\n}",
- "project": "linux",
- "hash": 304550767409001950021568096384696210436,
- "size": 252,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381456
- },
- {
- "func": "static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_format *p = arg;\n\tstruct video_device *vfd = video_devdata(file);\n\tint ret = check_fmt(file, p->type);\n\tunsigned int i;\n\n\tif (ret)\n\t\treturn ret;\n\n\tv4l_sanitize_format(p);\n\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix);\n\t\tret = ops->vidioc_try_fmt_vid_cap(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tif (vfd->vfl_type == VFL_TYPE_TOUCH)\n\t\t\tv4l_pix_format_touch(&p->fmt.pix);\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_cap_mplane))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);\n\t\tfor (i = 0; i < p->fmt.pix_mp.num_planes; i++)\n\t\t\tCLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],\n\t\t\t\t\t bytesperline);\n\t\treturn ops->vidioc_try_fmt_vid_cap_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_overlay))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.win);\n\t\treturn ops->vidioc_try_fmt_vid_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vbi_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.vbi.flags);\n\t\treturn ops->vidioc_try_fmt_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_sliced_vbi_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sliced.io_size);\n\t\treturn ops->vidioc_try_fmt_sliced_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix);\n\t\tret = ops->vidioc_try_fmt_vid_out(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = 
V4L2_PIX_FMT_PRIV_MAGIC;\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_out_mplane))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);\n\t\tfor (i = 0; i < p->fmt.pix_mp.num_planes; i++)\n\t\t\tCLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],\n\t\t\t\t\t bytesperline);\n\t\treturn ops->vidioc_try_fmt_vid_out_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vid_out_overlay))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.win);\n\t\treturn ops->vidioc_try_fmt_vid_out_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_vbi_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.vbi.flags);\n\t\treturn ops->vidioc_try_fmt_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_sliced_vbi_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sliced.io_size);\n\t\treturn ops->vidioc_try_fmt_sliced_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_sdr_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);\n\t\treturn ops->vidioc_try_fmt_sdr_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_sdr_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);\n\t\treturn ops->vidioc_try_fmt_sdr_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_try_fmt_meta_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.meta);\n\t\treturn ops->vidioc_try_fmt_meta_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_try_fmt_meta_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.meta);\n\t\treturn ops->vidioc_try_fmt_meta_out(file, fh, arg);\n\t}\n\treturn -EINVAL;\n}",
- "project": "linux",
- "hash": 251677547459383194768234227378707781497,
- "size": 101,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381442
- },
- {
- "func": "static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_format *p = arg;\n\tstruct video_device *vfd = video_devdata(file);\n\tint ret = check_fmt(file, p->type);\n\tunsigned int i;\n\n\tif (ret)\n\t\treturn ret;\n\n\tret = v4l_enable_media_source(vfd);\n\tif (ret)\n\t\treturn ret;\n\tv4l_sanitize_format(p);\n\n\tswitch (p->type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix);\n\t\tret = ops->vidioc_s_fmt_vid_cap(file, fh, arg);\n\t\t/* just in case the driver zeroed it again */\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\tif (vfd->vfl_type == VFL_TYPE_TOUCH)\n\t\t\tv4l_pix_format_touch(&p->fmt.pix);\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_cap_mplane))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);\n\t\tfor (i = 0; i < p->fmt.pix_mp.num_planes; i++)\n\t\t\tCLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],\n\t\t\t\t\t bytesperline);\n\t\treturn ops->vidioc_s_fmt_vid_cap_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_overlay))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.win);\n\t\treturn ops->vidioc_s_fmt_vid_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vbi_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.vbi.flags);\n\t\treturn ops->vidioc_s_fmt_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_sliced_vbi_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sliced.io_size);\n\t\treturn ops->vidioc_s_fmt_sliced_vbi_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix);\n\t\tret = ops->vidioc_s_fmt_vid_out(file, fh, arg);\n\t\t/* just in case the driver zeroed it again 
*/\n\t\tp->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC;\n\t\treturn ret;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_out_mplane))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);\n\t\tfor (i = 0; i < p->fmt.pix_mp.num_planes; i++)\n\t\t\tCLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],\n\t\t\t\t\t bytesperline);\n\t\treturn ops->vidioc_s_fmt_vid_out_mplane(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vid_out_overlay))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.win);\n\t\treturn ops->vidioc_s_fmt_vid_out_overlay(file, fh, arg);\n\tcase V4L2_BUF_TYPE_VBI_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_vbi_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.vbi.flags);\n\t\treturn ops->vidioc_s_fmt_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_sliced_vbi_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sliced.io_size);\n\t\treturn ops->vidioc_s_fmt_sliced_vbi_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_sdr_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);\n\t\treturn ops->vidioc_s_fmt_sdr_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_sdr_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);\n\t\treturn ops->vidioc_s_fmt_sdr_out(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tif (unlikely(!ops->vidioc_s_fmt_meta_cap))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.meta);\n\t\treturn ops->vidioc_s_fmt_meta_cap(file, fh, arg);\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\tif (unlikely(!ops->vidioc_s_fmt_meta_out))\n\t\t\tbreak;\n\t\tCLEAR_AFTER_FIELD(p, fmt.meta);\n\t\treturn ops->vidioc_s_fmt_meta_out(file, fh, arg);\n\t}\n\treturn -EINVAL;\n}",
- "project": "linux",
- "hash": 211174988759662803706465165093416971314,
- "size": 104,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381434
- },
- {
- "func": "static int check_fmt(struct file *file, enum v4l2_buf_type type)\n{\n\tconst u32 vid_caps = V4L2_CAP_VIDEO_CAPTURE |\n\t\t\t V4L2_CAP_VIDEO_CAPTURE_MPLANE |\n\t\t\t V4L2_CAP_VIDEO_OUTPUT |\n\t\t\t V4L2_CAP_VIDEO_OUTPUT_MPLANE |\n\t\t\t V4L2_CAP_VIDEO_M2M | V4L2_CAP_VIDEO_M2M_MPLANE;\n\tconst u32 meta_caps = V4L2_CAP_META_CAPTURE |\n\t\t\t V4L2_CAP_META_OUTPUT;\n\tstruct video_device *vfd = video_devdata(file);\n\tconst struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;\n\tbool is_vid = vfd->vfl_type == VFL_TYPE_VIDEO &&\n\t\t (vfd->device_caps & vid_caps);\n\tbool is_vbi = vfd->vfl_type == VFL_TYPE_VBI;\n\tbool is_sdr = vfd->vfl_type == VFL_TYPE_SDR;\n\tbool is_tch = vfd->vfl_type == VFL_TYPE_TOUCH;\n\tbool is_meta = vfd->vfl_type == VFL_TYPE_VIDEO &&\n\t\t (vfd->device_caps & meta_caps);\n\tbool is_rx = vfd->vfl_dir != VFL_DIR_TX;\n\tbool is_tx = vfd->vfl_dir != VFL_DIR_RX;\n\n\tif (ops == NULL)\n\t\treturn -EINVAL;\n\n\tswitch (type) {\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE:\n\t\tif ((is_vid || is_tch) && is_rx &&\n\t\t (ops->vidioc_g_fmt_vid_cap || ops->vidioc_g_fmt_vid_cap_mplane))\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:\n\t\tif ((is_vid || is_tch) && is_rx && ops->vidioc_g_fmt_vid_cap_mplane)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OVERLAY:\n\t\tif (is_vid && is_rx && ops->vidioc_g_fmt_vid_overlay)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT:\n\t\tif (is_vid && is_tx &&\n\t\t (ops->vidioc_g_fmt_vid_out || ops->vidioc_g_fmt_vid_out_mplane))\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:\n\t\tif (is_vid && is_tx && ops->vidioc_g_fmt_vid_out_mplane)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:\n\t\tif (is_vid && is_tx && ops->vidioc_g_fmt_vid_out_overlay)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_VBI_CAPTURE:\n\t\tif (is_vbi && is_rx && ops->vidioc_g_fmt_vbi_cap)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase 
V4L2_BUF_TYPE_VBI_OUTPUT:\n\t\tif (is_vbi && is_tx && ops->vidioc_g_fmt_vbi_out)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:\n\t\tif (is_vbi && is_rx && ops->vidioc_g_fmt_sliced_vbi_cap)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:\n\t\tif (is_vbi && is_tx && ops->vidioc_g_fmt_sliced_vbi_out)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SDR_CAPTURE:\n\t\tif (is_sdr && is_rx && ops->vidioc_g_fmt_sdr_cap)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_SDR_OUTPUT:\n\t\tif (is_sdr && is_tx && ops->vidioc_g_fmt_sdr_out)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_CAPTURE:\n\t\tif (is_meta && is_rx && ops->vidioc_g_fmt_meta_cap)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase V4L2_BUF_TYPE_META_OUTPUT:\n\t\tif (is_meta && is_tx && ops->vidioc_g_fmt_meta_out)\n\t\t\treturn 0;\n\t\tbreak;\n\tdefault:\n\t\tbreak;\n\t}\n\treturn -EINVAL;\n}",
- "project": "linux",
- "hash": 112015074752453142575913723608615365673,
- "size": 88,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381468
- },
- {
- "func": "static int v4l_s_parm(const struct v4l2_ioctl_ops *ops,\n\t\t\t\tstruct file *file, void *fh, void *arg)\n{\n\tstruct v4l2_streamparm *p = arg;\n\tint ret = check_fmt(file, p->type);\n\n\tif (ret)\n\t\treturn ret;\n\n\t/* Note: extendedmode is never used in drivers */\n\tif (V4L2_TYPE_IS_OUTPUT(p->type)) {\n\t\tmemset(p->parm.output.reserved, 0,\n\t\t sizeof(p->parm.output.reserved));\n\t\tp->parm.output.extendedmode = 0;\n\t\tp->parm.output.outputmode &= V4L2_MODE_HIGHQUALITY;\n\t} else {\n\t\tmemset(p->parm.capture.reserved, 0,\n\t\t sizeof(p->parm.capture.reserved));\n\t\tp->parm.capture.extendedmode = 0;\n\t\tp->parm.capture.capturemode &= V4L2_MODE_HIGHQUALITY;\n\t}\n\treturn ops->vidioc_s_parm(file, fh, p);\n}",
- "project": "linux",
- "hash": 27353891032889472259832183470436911914,
- "size": 23,
- "commit_id": "fb18802a338b36f675a388fc03d2aa504a0d0899",
- "message": "media: v4l: ioctl: Fix memory leak in video_usercopy\n\nWhen an IOCTL with argument size larger than 128 that also used array\narguments were handled, two memory allocations were made but alas, only\nthe latter one of them was released. This happened because there was only\na single local variable to hold such a temporary allocation.\n\nFix this by adding separate variables to hold the pointers to the\ntemporary allocations.\n\nReported-by: Arnd Bergmann <arnd@kernel.org>\nReported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com\nFixes: d14e6d76ebf7 (\"[media] v4l: Add multi-planar ioctl handling code\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>\nAcked-by: Arnd Bergmann <arnd@arndb.de>\nAcked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 381462
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "do_rt_sigqueueinfo",
- "__copy_siginfo_from_user32",
- "post_copy_siginfo_from_user32",
- "siginfo_layout"
- ],
- "group_size": 16,
- "functions": [
- {
- "func": "int copy_siginfo_from_user32(struct kernel_siginfo *to,\n\t\t\t const struct compat_siginfo __user *ufrom)\n{\n\tstruct compat_siginfo from;\n\n\tif (copy_from_user(&from, ufrom, sizeof(struct compat_siginfo)))\n\t\treturn -EFAULT;\n\n\treturn post_copy_siginfo_from_user32(to, &from);\n}",
- "project": "linux",
- "hash": 134574228271886297296357745617865034674,
- "size": 10,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375302
- },
- {
- "func": "static int post_copy_siginfo_from_user(kernel_siginfo_t *info,\n\t\t\t\t const siginfo_t __user *from)\n{\n\tif (unlikely(!known_siginfo_layout(info->si_signo, info->si_code))) {\n\t\tchar __user *expansion = si_expansion(from);\n\t\tchar buf[SI_EXPANSION_SIZE];\n\t\tint i;\n\t\t/*\n\t\t * An unknown si_code might need more than\n\t\t * sizeof(struct kernel_siginfo) bytes. Verify all of the\n\t\t * extra bytes are 0. This guarantees copy_siginfo_to_user\n\t\t * will return this data to userspace exactly.\n\t\t */\n\t\tif (copy_from_user(&buf, expansion, SI_EXPANSION_SIZE))\n\t\t\treturn -EFAULT;\n\t\tfor (i = 0; i < SI_EXPANSION_SIZE; i++) {\n\t\t\tif (buf[i] != 0)\n\t\t\t\treturn -E2BIG;\n\t\t}\n\t}\n\treturn 0;\n}",
- "project": "linux",
- "hash": 55060182503102099690780687840941700041,
- "size": 22,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375326
- },
- {
- "func": "static int __copy_siginfo_from_user(int signo, kernel_siginfo_t *to,\n\t\t\t\t const siginfo_t __user *from)\n{\n\tif (copy_from_user(to, from, sizeof(struct kernel_siginfo)))\n\t\treturn -EFAULT;\n\tto->si_signo = signo;\n\treturn post_copy_siginfo_from_user(to, from);\n}",
- "project": "linux",
- "hash": 102542278264639564529155079165514057120,
- "size": 8,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375267
- },
- {
- "func": "static int do_rt_sigqueueinfo(pid_t pid, int sig, kernel_siginfo_t *info)\n{\n\t/* Not even root can pretend to send signals from the kernel.\n\t * Nor can they impersonate a kill()/tgkill(), which adds source info.\n\t */\n\tif ((info->si_code >= 0 || info->si_code == SI_TKILL) &&\n\t (task_pid_vnr(current) != pid))\n\t\treturn -EPERM;\n\n\t/* POSIX.1b doesn't mention process groups. */\n\treturn kill_proc_info(sig, info, pid);\n}",
- "project": "linux",
- "hash": 48458042341210538429166068446592037897,
- "size": 12,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375176
- },
- {
- "func": "SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,\n\t\tsiginfo_t __user *, uinfo)\n{\n\tkernel_siginfo_t info;\n\tint ret = __copy_siginfo_from_user(sig, &info, uinfo);\n\tif (unlikely(ret))\n\t\treturn ret;\n\treturn do_rt_sigqueueinfo(pid, sig, &info);\n}",
- "project": "linux",
- "hash": 322302222265666934385751767273215607712,
- "size": 9,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375240
- },
- {
- "func": "COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo,\n\t\t\tcompat_pid_t, pid,\n\t\t\tint, sig,\n\t\t\tstruct compat_siginfo __user *, uinfo)\n{\n\tkernel_siginfo_t info;\n\tint ret = __copy_siginfo_from_user32(sig, &info, uinfo);\n\tif (unlikely(ret))\n\t\treturn ret;\n\treturn do_rt_sigqueueinfo(pid, sig, &info);\n}",
- "project": "linux",
- "hash": 65988940899178370911489318588231214916,
- "size": 11,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375253
- },
- {
- "func": "static inline bool has_si_pid_and_uid(struct kernel_siginfo *info)\n{\n\tbool ret = false;\n\tswitch (siginfo_layout(info->si_signo, info->si_code)) {\n\tcase SIL_KILL:\n\tcase SIL_CHLD:\n\tcase SIL_RT:\n\t\tret = true;\n\t\tbreak;\n\tcase SIL_TIMER:\n\tcase SIL_POLL:\n\tcase SIL_FAULT:\n\tcase SIL_FAULT_MCEERR:\n\tcase SIL_FAULT_BNDERR:\n\tcase SIL_FAULT_PKUERR:\n\tcase SIL_SYS:\n\t\tret = false;\n\t\tbreak;\n\t}\n\treturn ret;\n}",
- "project": "linux",
- "hash": 121501169807631765073914300583175770846,
- "size": 21,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375303
- },
- {
- "func": "static bool known_siginfo_layout(unsigned sig, int si_code)\n{\n\tif (si_code == SI_KERNEL)\n\t\treturn true;\n\telse if ((si_code > SI_USER)) {\n\t\tif (sig_specific_sicodes(sig)) {\n\t\t\tif (si_code <= sig_sicodes[sig].limit)\n\t\t\t\treturn true;\n\t\t}\n\t\telse if (si_code <= NSIGPOLL)\n\t\t\treturn true;\n\t}\n\telse if (si_code >= SI_DETHREAD)\n\t\treturn true;\n\telse if (si_code == SI_ASYNCNL)\n\t\treturn true;\n\treturn false;\n}",
- "project": "linux",
- "hash": 36307247290948407761413240940045488122,
- "size": 18,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375221
- },
- {
- "func": "static int __copy_siginfo_from_user32(int signo, struct kernel_siginfo *to,\n\t\t\t\t const struct compat_siginfo __user *ufrom)\n{\n\tstruct compat_siginfo from;\n\n\tif (copy_from_user(&from, ufrom, sizeof(struct compat_siginfo)))\n\t\treturn -EFAULT;\n\n\tfrom.si_signo = signo;\n\treturn post_copy_siginfo_from_user32(to, &from);\n}",
- "project": "linux",
- "hash": 124247512926836462060108247314911283729,
- "size": 11,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375181
- },
- {
- "func": "int copy_siginfo_from_user(kernel_siginfo_t *to, const siginfo_t __user *from)\n{\n\tif (copy_from_user(to, from, sizeof(struct kernel_siginfo)))\n\t\treturn -EFAULT;\n\treturn post_copy_siginfo_from_user(to, from);\n}",
- "project": "linux",
- "hash": 124625986354863302893265354423885863625,
- "size": 6,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375134
- },
- {
- "func": "static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, kernel_siginfo_t *info)\n{\n\t/* This is only valid for single tasks */\n\tif (pid <= 0 || tgid <= 0)\n\t\treturn -EINVAL;\n\n\t/* Not even root can pretend to send signals from the kernel.\n\t * Nor can they impersonate a kill()/tgkill(), which adds source info.\n\t */\n\tif ((info->si_code >= 0 || info->si_code == SI_TKILL) &&\n\t (task_pid_vnr(current) != pid))\n\t\treturn -EPERM;\n\n\treturn do_send_specific(tgid, pid, sig, info);\n}",
- "project": "linux",
- "hash": 277171545470617207900572637566811702249,
- "size": 15,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375241
- },
- {
- "func": "COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo,\n\t\t\tcompat_pid_t, tgid,\n\t\t\tcompat_pid_t, pid,\n\t\t\tint, sig,\n\t\t\tstruct compat_siginfo __user *, uinfo)\n{\n\tkernel_siginfo_t info;\n\tint ret = __copy_siginfo_from_user32(sig, &info, uinfo);\n\tif (unlikely(ret))\n\t\treturn ret;\n\treturn do_rt_tgsigqueueinfo(tgid, pid, sig, &info);\n}",
- "project": "linux",
- "hash": 129110984812650198519765204128016640632,
- "size": 12,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375277
- },
- {
- "func": "SYSCALL_DEFINE4(rt_tgsigqueueinfo, pid_t, tgid, pid_t, pid, int, sig,\n\t\tsiginfo_t __user *, uinfo)\n{\n\tkernel_siginfo_t info;\n\tint ret = __copy_siginfo_from_user(sig, &info, uinfo);\n\tif (unlikely(ret))\n\t\treturn ret;\n\treturn do_rt_tgsigqueueinfo(tgid, pid, sig, &info);\n}",
- "project": "linux",
- "hash": 325930772512610538513707827592825328742,
- "size": 9,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375280
- },
- {
- "func": "static int copy_siginfo_from_user_any(kernel_siginfo_t *kinfo, siginfo_t *info)\n{\n#ifdef CONFIG_COMPAT\n\t/*\n\t * Avoid hooking up compat syscalls and instead handle necessary\n\t * conversions here. Note, this is a stop-gap measure and should not be\n\t * considered a generic solution.\n\t */\n\tif (in_compat_syscall())\n\t\treturn copy_siginfo_from_user32(\n\t\t\tkinfo, (struct compat_siginfo __user *)info);\n#endif\n\treturn copy_siginfo_from_user(kinfo, info);\n}",
- "project": "linux",
- "hash": 151402371257721093837308914835718232254,
- "size": 14,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen in that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exec_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375167
- },
- {
- "func": "static int post_copy_siginfo_from_user32(kernel_siginfo_t *to,\n\t\t\t\t\t const struct compat_siginfo *from)\n{\n\tclear_siginfo(to);\n\tto->si_signo = from->si_signo;\n\tto->si_errno = from->si_errno;\n\tto->si_code = from->si_code;\n\tswitch(siginfo_layout(from->si_signo, from->si_code)) {\n\tcase SIL_KILL:\n\t\tto->si_pid = from->si_pid;\n\t\tto->si_uid = from->si_uid;\n\t\tbreak;\n\tcase SIL_TIMER:\n\t\tto->si_tid = from->si_tid;\n\t\tto->si_overrun = from->si_overrun;\n\t\tto->si_int = from->si_int;\n\t\tbreak;\n\tcase SIL_POLL:\n\t\tto->si_band = from->si_band;\n\t\tto->si_fd = from->si_fd;\n\t\tbreak;\n\tcase SIL_FAULT:\n\t\tto->si_addr = compat_ptr(from->si_addr);\n#ifdef __ARCH_SI_TRAPNO\n\t\tto->si_trapno = from->si_trapno;\n#endif\n\t\tbreak;\n\tcase SIL_FAULT_MCEERR:\n\t\tto->si_addr = compat_ptr(from->si_addr);\n#ifdef __ARCH_SI_TRAPNO\n\t\tto->si_trapno = from->si_trapno;\n#endif\n\t\tto->si_addr_lsb = from->si_addr_lsb;\n\t\tbreak;\n\tcase SIL_FAULT_BNDERR:\n\t\tto->si_addr = compat_ptr(from->si_addr);\n#ifdef __ARCH_SI_TRAPNO\n\t\tto->si_trapno = from->si_trapno;\n#endif\n\t\tto->si_lower = compat_ptr(from->si_lower);\n\t\tto->si_upper = compat_ptr(from->si_upper);\n\t\tbreak;\n\tcase SIL_FAULT_PKUERR:\n\t\tto->si_addr = compat_ptr(from->si_addr);\n#ifdef __ARCH_SI_TRAPNO\n\t\tto->si_trapno = from->si_trapno;\n#endif\n\t\tto->si_pkey = from->si_pkey;\n\t\tbreak;\n\tcase SIL_CHLD:\n\t\tto->si_pid = from->si_pid;\n\t\tto->si_uid = from->si_uid;\n\t\tto->si_status = from->si_status;\n#ifdef CONFIG_X86_X32_ABI\n\t\tif (in_x32_syscall()) {\n\t\t\tto->si_utime = from->_sifields._sigchld_x32._utime;\n\t\t\tto->si_stime = from->_sifields._sigchld_x32._stime;\n\t\t} else\n#endif\n\t\t{\n\t\t\tto->si_utime = from->si_utime;\n\t\t\tto->si_stime = from->si_stime;\n\t\t}\n\t\tbreak;\n\tcase SIL_RT:\n\t\tto->si_pid = from->si_pid;\n\t\tto->si_uid = from->si_uid;\n\t\tto->si_int = from->si_int;\n\t\tbreak;\n\tcase SIL_SYS:\n\t\tto->si_call_addr = 
compat_ptr(from->si_call_addr);\n\t\tto->si_syscall = from->si_syscall;\n\t\tto->si_arch = from->si_arch;\n\t\tbreak;\n\t}\n\treturn 0;\n}",
- "project": "linux",
- "hash": 254289020798927830663748991786288110989,
- "size": 77,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375166
- },
- {
- "func": "enum siginfo_layout siginfo_layout(unsigned sig, int si_code)\n{\n\tenum siginfo_layout layout = SIL_KILL;\n\tif ((si_code > SI_USER) && (si_code < SI_KERNEL)) {\n\t\tif ((sig < ARRAY_SIZE(sig_sicodes)) &&\n\t\t (si_code <= sig_sicodes[sig].limit)) {\n\t\t\tlayout = sig_sicodes[sig].layout;\n\t\t\t/* Handle the exceptions */\n\t\t\tif ((sig == SIGBUS) &&\n\t\t\t (si_code >= BUS_MCEERR_AR) && (si_code <= BUS_MCEERR_AO))\n\t\t\t\tlayout = SIL_FAULT_MCEERR;\n\t\t\telse if ((sig == SIGSEGV) && (si_code == SEGV_BNDERR))\n\t\t\t\tlayout = SIL_FAULT_BNDERR;\n#ifdef SEGV_PKUERR\n\t\t\telse if ((sig == SIGSEGV) && (si_code == SEGV_PKUERR))\n\t\t\t\tlayout = SIL_FAULT_PKUERR;\n#endif\n\t\t}\n\t\telse if (si_code <= NSIGPOLL)\n\t\t\tlayout = SIL_POLL;\n\t} else {\n\t\tif (si_code == SI_TIMER)\n\t\t\tlayout = SIL_TIMER;\n\t\telse if (si_code == SI_SIGIO)\n\t\t\tlayout = SIL_POLL;\n\t\telse if (si_code < 0)\n\t\t\tlayout = SIL_RT;\n\t}\n\treturn layout;\n}",
- "project": "linux",
- "hash": 45926953882594310783656867328119504000,
- "size": 30,
- "commit_id": "d1e7fd6462ca9fc76650fbe6ca800e35b24267da",
- "message": "signal: Extend exec_id to 64bits\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter. With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec'd parent. This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can been seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays. Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticably faster self_exec_id won't even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions. Which means that is is possible to hit\na window where the read value of exec_id does not match the written\nvalue. So with very lucky timing after this change this still\nremains expoiltable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" <ebiederm@xmission.com>",
- "target": 0,
- "dataset": "other",
- "idx": 375222
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "udev_util_replace_chars",
- "utf8_encoded_valid_unichar",
- "utf8_encoded_to_unichar",
- "utf8_encoded_expected_len"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "int udev_util_replace_chars(char *str, const char *white)\n{\n\tsize_t i = 0;\n\tint replaced = 0;\n\n\twhile (str[i] != '\\0') {\n\t\tint len;\n\n\t\tif (is_whitelisted(str[i], white)) {\n\t\t\ti++;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* accept hex encoding */\n\t\tif (str[i] == '\\\\' && str[i+1] == 'x') {\n\t\t\ti += 2;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* accept valid utf8 */\n\t\tlen = utf8_encoded_valid_unichar(&str[i]);\n\t\tif (len > 1) {\n\t\t\ti += len;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* if space is allowed, replace whitespace with ordinary space */\n\t\tif (isspace(str[i]) && white != NULL && strchr(white, ' ') != NULL) {\n\t\t\tstr[i] = ' ';\n\t\t\ti++;\n\t\t\treplaced++;\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* everything else is replaced with '_' */\n\t\tstr[i] = '_';\n\t\ti++;\n\t\treplaced++;\n\t}\n\treturn replaced;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 5405405786316417121901887607525383556,
- "size": 41,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490332
- },
- {
- "func": "static int utf8_encoded_to_unichar(const char *str)\n{\n\tint unichar;\n\tint len;\n\tint i;\n\n\tlen = utf8_encoded_expected_len(str);\n\tswitch (len) {\n\tcase 1:\n\t\treturn (int)str[0];\n\tcase 2:\n\t\tunichar = str[0] & 0x1f;\n\t\tbreak;\n\tcase 3:\n\t\tunichar = (int)str[0] & 0x0f;\n\t\tbreak;\n\tcase 4:\n\t\tunichar = (int)str[0] & 0x07;\n\t\tbreak;\n\tcase 5:\n\t\tunichar = (int)str[0] & 0x03;\n\t\tbreak;\n\tcase 6:\n\t\tunichar = (int)str[0] & 0x01;\n\t\tbreak;\n\tdefault:\n\t\treturn -1;\n\t}\n\n\tfor (i = 1; i < len; i++) {\n\t\tif (((int)str[i] & 0xc0) != 0x80)\n\t\t\treturn -1;\n\t\tunichar <<= 6;\n\t\tunichar |= (int)str[i] & 0x3f;\n\t}\n\n\treturn unichar;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 206051964674283888462618593096782618800,
- "size": 38,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490338
- },
- {
- "func": "static int utf8_encoded_valid_unichar(const char *str)\n{\n\tint len;\n\tint unichar;\n\tint i;\n\n\tlen = utf8_encoded_expected_len(str);\n\tif (len == 0)\n\t\treturn -1;\n\n\t/* ascii is valid */\n\tif (len == 1)\n\t\treturn 1;\n\n\t/* check if expected encoded chars are available */\n\tfor (i = 0; i < len; i++)\n\t\tif ((str[i] & 0x80) != 0x80)\n\t\t\treturn -1;\n\n\tunichar = utf8_encoded_to_unichar(str);\n\n\t/* check if encoded length matches encoded value */\n\tif (utf8_unichar_to_encoded_len(unichar) != len)\n\t\treturn -1;\n\n\t/* check if value has valid range */\n\tif (!utf8_unichar_valid_range(unichar))\n\t\treturn -1;\n\n\treturn len;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 206053476377274378364373590995660911050,
- "size": 31,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490329
- },
- {
- "func": "static int is_whitelisted(char c, const char *white)\n{\n\tif ((c >= '0' && c <= '9') ||\n\t (c >= 'A' && c <= 'Z') ||\n\t (c >= 'a' && c <= 'z') ||\n\t strchr(\"#+-.:=@_\", c) != NULL ||\n\t (white != NULL && strchr(white, c) != NULL))\n\t\treturn 1;\n\treturn 0;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 301965509586629387251827066972038220926,
- "size": 10,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490346
- },
- {
- "func": "int udev_util_encode_string(const char *str, char *str_enc, size_t len)\n{\n\tsize_t i, j;\n\n\tif (str == NULL || str_enc == NULL || len == 0)\n\t\treturn -1;\n\n\tstr_enc[0] = '\\0';\n\tfor (i = 0, j = 0; str[i] != '\\0'; i++) {\n\t\tint seqlen;\n\n\t\tseqlen = utf8_encoded_valid_unichar(&str[i]);\n\t\tif (seqlen > 1) {\n\t\t\tmemcpy(&str_enc[j], &str[i], seqlen);\n\t\t\tj += seqlen;\n\t\t\ti += (seqlen-1);\n\t\t} else if (str[i] == '\\\\' || !is_whitelisted(str[i], NULL)) {\n\t\t\tsprintf(&str_enc[j], \"\\\\x%02x\", (unsigned char) str[i]);\n\t\t\tj += 4;\n\t\t} else {\n\t\t\tstr_enc[j] = str[i];\n\t\t\tj++;\n\t\t}\n\t\tif (j+3 >= len)\n\t\t\tgoto err;\n\t}\n\tstr_enc[j] = '\\0';\n\treturn 0;\nerr:\n\treturn -1;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 128389350005845428979590129521706681485,
- "size": 31,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490331
- },
- {
- "func": "static int utf8_encoded_expected_len(const char *str)\n{\n\tunsigned char c = (unsigned char)str[0];\n\n\tif (c < 0x80)\n\t\treturn 1;\n\tif ((c & 0xe0) == 0xc0)\n\t\treturn 2;\n\tif ((c & 0xf0) == 0xe0)\n\t\treturn 3;\n\tif ((c & 0xf8) == 0xf0)\n\t\treturn 4;\n\tif ((c & 0xfc) == 0xf8)\n\t\treturn 5;\n\tif ((c & 0xfe) == 0xfc)\n\t\treturn 6;\n\treturn 0;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 256127015334813263581801085103652188798,
- "size": 18,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490327
- },
- {
- "func": "static int utf8_unichar_valid_range(int unichar)\n{\n\tif (unichar > 0x10ffff)\n\t\treturn 0;\n\tif ((unichar & 0xfffff800) == 0xd800)\n\t\treturn 0;\n\tif ((unichar > 0xfdcf) && (unichar < 0xfdf0))\n\t\treturn 0;\n\tif ((unichar & 0xffff) == 0xffff)\n\t\treturn 0;\n\treturn 1;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 195740263550096629321937696988533578169,
- "size": 12,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490344
- },
- {
- "func": "static int utf8_unichar_to_encoded_len(int unichar)\n{\n\tif (unichar < 0x80)\n\t\treturn 1;\n\tif (unichar < 0x800)\n\t\treturn 2;\n\tif (unichar < 0x10000)\n\t\treturn 3;\n\tif (unichar < 0x200000)\n\t\treturn 4;\n\tif (unichar < 0x4000000)\n\t\treturn 5;\n\treturn 6;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 176663044449808812580689980385047039729,
- "size": 14,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490341
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "unzzip_print",
- "unzzip_cat",
- "unzzip_cat_file"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "int unzzip_extract (int argc, char ** argv)\n{\n return unzzip_cat(argc, argv, 1);\n}",
- "project": "zziplib",
- "hash": 22916655569920147582655971729848876003,
- "size": 4,
- "commit_id": "ac9ae39ef419e9f0f83da1e583314d8c7cda34a6",
- "message": "#68 ssize_t return value of zzip_file_read is a signed value being possibly -1",
- "target": 0,
- "dataset": "other",
- "idx": 282824
- },
- {
- "func": "int unzzip_print (int argc, char ** argv)\n{\n return unzzip_cat(argc, argv, 0);\n}",
- "project": "zziplib",
- "hash": 145330942703612534238755868724745065473,
- "size": 4,
- "commit_id": "ac9ae39ef419e9f0f83da1e583314d8c7cda34a6",
- "message": "#68 ssize_t return value of zzip_file_read is a signed value being possibly -1",
- "target": 0,
- "dataset": "other",
- "idx": 282821
- },
- {
- "func": "static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)\n{\n ZZIP_FILE* file = zzip_file_open (disk, name, 0);\n if (file) \n {\n\tchar buffer[1024]; int len;\n\twhile ((len = zzip_file_read (file, buffer, 1024))) \n\t{\n\t fwrite (buffer, 1, len, out);\n\t}\n\t\n\tzzip_file_close (file);\n }\n}",
- "project": "zziplib",
- "hash": 213540364375667917653366276803369040606,
- "size": 14,
- "commit_id": "ac9ae39ef419e9f0f83da1e583314d8c7cda34a6",
- "message": "#68 ssize_t return value of zzip_file_read is a signed value being possibly -1",
- "target": 1,
- "dataset": "other",
- "idx": 198733
- },
- {
- "func": "static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)\n{\n ZZIP_FILE* file = zzip_file_open (disk, name, 0);\n if (file) \n {\n\tchar buffer[1024]; int len;\n\twhile (0 < (len = zzip_file_read (file, buffer, 1024))) \n\t{\n\t fwrite (buffer, 1, len, out);\n\t}\n\t\n\tzzip_file_close (file);\n }\n}",
- "project": "zziplib",
- "hash": 253924670115102704045568268367383544838,
- "size": 14,
- "commit_id": "ac9ae39ef419e9f0f83da1e583314d8c7cda34a6",
- "message": "#68 ssize_t return value of zzip_file_read is a signed value being possibly -1",
- "target": 0,
- "dataset": "other",
- "idx": 282823
- },
- {
- "func": "static int unzzip_cat (int argc, char ** argv, int extract)\n{\n int done = 0;\n int argn;\n ZZIP_DIR* disk;\n zzip_error_t error;\n \n if (argc == 1)\n {\n printf (__FILE__ \" version \" ZZIP_PACKAGE_NAME \" \" ZZIP_PACKAGE_VERSION \"\\n\");\n return EXIT_OK; /* better provide an archive argument */\n }\n \n disk = zzip_dir_open (argv[1], &error);\n if (! disk) {\n\tfprintf(stderr, \"%s: %s\\n\", argv[1], zzip_strerror(error));\n\treturn exitcode(error);\n }\n\n if (argc == 2)\n { /* list all */\n\tZZIP_DIRENT entry;\n\twhile(zzip_dir_read(disk, &entry))\n\t{\n\t char* name = entry.d_name;\n\t FILE* out = stdout;\n\t if (extract) out = create_fopen(name, \"wb\", 1);\n\t if (! out) {\n\t\tDBG3(\"fopen' %s : %s\", name, strerror(errno));\n\t if (errno != EISDIR) done = EXIT_ERRORS;\n\t continue;\n\t }\n\t unzzip_cat_file (disk, name, out);\n\t if (extract) fclose(out);\n\t}\n }\n else\n { /* list only the matching entries - in order of zip directory */\n\tZZIP_DIRENT entry;\n\twhile(zzip_dir_read(disk, &entry))\n\t{\n\t char* name = entry.d_name;\n\t for (argn=1; argn < argc; argn++)\n\t {\n\t\tif (! _zzip_fnmatch (argv[argn], name, \n\t\t _zzip_FNM_NOESCAPE|_zzip_FNM_PATHNAME|_zzip_FNM_PERIOD))\n\t {\n\t FILE* out = stdout;\n\t if (extract) out = create_fopen(name, \"wb\", 1);\n\t\t if (! out) {\n\t\t\tDBG3(\"fopen. %s : %s\", name, strerror(errno));\n\t\t if (errno != EISDIR) done = EXIT_ERRORS;\n\t\t continue;\n\t\t }\n\t unzzip_cat_file (disk, name, out);\n\t if (extract) fclose(out);\n\t\t break; /* match loop */\n\t }\n\t }\n\t}\n }\n zzip_dir_close(disk);\n return done;\n} ",
- "project": "zziplib",
- "hash": 176436902326764428383332283239598055138,
- "size": 64,
- "commit_id": "ac9ae39ef419e9f0f83da1e583314d8c7cda34a6",
- "message": "#68 ssize_t return value of zzip_file_read is a signed value being possibly -1",
- "target": 0,
- "dataset": "other",
- "idx": 282822
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "decode_frame",
- "decode_header",
- "check_header_variable"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static int decode_frame(AVCodecContext *avctx, void *data,\n int *got_frame, AVPacket *avpkt)\n{\n EXRContext *s = avctx->priv_data;\n ThreadFrame frame = { .f = data };\n AVFrame *picture = data;\n uint8_t *ptr;\n\n int i, y, ret, ymax;\n int planes;\n int out_line_size;\n int nb_blocks; /* nb scanline or nb tile */\n uint64_t start_offset_table;\n uint64_t start_next_scanline;\n PutByteContext offset_table_writer;\n\n bytestream2_init(&s->gb, avpkt->data, avpkt->size);\n\n if ((ret = decode_header(s, picture)) < 0)\n return ret;\n\n switch (s->pixel_type) {\n case EXR_FLOAT:\n case EXR_HALF:\n if (s->channel_offsets[3] >= 0) {\n if (!s->is_luma) {\n avctx->pix_fmt = AV_PIX_FMT_GBRAPF32;\n } else {\n /* todo: change this when a floating point pixel format with luma with alpha is implemented */\n avctx->pix_fmt = AV_PIX_FMT_GBRAPF32;\n }\n } else {\n if (!s->is_luma) {\n avctx->pix_fmt = AV_PIX_FMT_GBRPF32;\n } else {\n avctx->pix_fmt = AV_PIX_FMT_GRAYF32;\n }\n }\n break;\n case EXR_UINT:\n if (s->channel_offsets[3] >= 0) {\n if (!s->is_luma) {\n avctx->pix_fmt = AV_PIX_FMT_RGBA64;\n } else {\n avctx->pix_fmt = AV_PIX_FMT_YA16;\n }\n } else {\n if (!s->is_luma) {\n avctx->pix_fmt = AV_PIX_FMT_RGB48;\n } else {\n avctx->pix_fmt = AV_PIX_FMT_GRAY16;\n }\n }\n break;\n default:\n av_log(avctx, AV_LOG_ERROR, \"Missing channel list.\\n\");\n return AVERROR_INVALIDDATA;\n }\n\n if (s->apply_trc_type != AVCOL_TRC_UNSPECIFIED)\n avctx->color_trc = s->apply_trc_type;\n\n switch (s->compression) {\n case EXR_RAW:\n case EXR_RLE:\n case EXR_ZIP1:\n s->scan_lines_per_block = 1;\n break;\n case EXR_PXR24:\n case EXR_ZIP16:\n s->scan_lines_per_block = 16;\n break;\n case EXR_PIZ:\n case EXR_B44:\n case EXR_B44A:\n s->scan_lines_per_block = 32;\n break;\n default:\n avpriv_report_missing_feature(avctx, \"Compression %d\", s->compression);\n return AVERROR_PATCHWELCOME;\n }\n\n /* Verify the xmin, xmax, ymin and ymax before setting the actual image size.\n * It's 
possible for the data window can larger or outside the display window */\n if (s->xmin > s->xmax || s->ymin > s->ymax ||\n s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF) {\n av_log(avctx, AV_LOG_ERROR, \"Wrong or missing size information.\\n\");\n return AVERROR_INVALIDDATA;\n }\n\n if ((ret = ff_set_dimensions(avctx, s->w, s->h)) < 0)\n return ret;\n\n s->desc = av_pix_fmt_desc_get(avctx->pix_fmt);\n if (!s->desc)\n return AVERROR_INVALIDDATA;\n\n if (s->desc->flags & AV_PIX_FMT_FLAG_FLOAT) {\n planes = s->desc->nb_components;\n out_line_size = avctx->width * 4;\n } else {\n planes = 1;\n out_line_size = avctx->width * 2 * s->desc->nb_components;\n }\n\n if (s->is_tile) {\n nb_blocks = ((s->xdelta + s->tile_attr.xSize - 1) / s->tile_attr.xSize) *\n ((s->ydelta + s->tile_attr.ySize - 1) / s->tile_attr.ySize);\n } else { /* scanline */\n nb_blocks = (s->ydelta + s->scan_lines_per_block - 1) /\n s->scan_lines_per_block;\n }\n\n if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0)\n return ret;\n\n if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks)\n return AVERROR_INVALIDDATA;\n\n // check offset table and recreate it if need\n if (!s->is_tile && bytestream2_peek_le64(&s->gb) == 0) {\n av_log(s->avctx, AV_LOG_DEBUG, \"recreating invalid scanline offset table\\n\");\n\n start_offset_table = bytestream2_tell(&s->gb);\n start_next_scanline = start_offset_table + nb_blocks * 8;\n bytestream2_init_writer(&offset_table_writer, &avpkt->data[start_offset_table], nb_blocks * 8);\n\n for (y = 0; y < nb_blocks; y++) {\n /* write offset of prev scanline in offset table */\n bytestream2_put_le64(&offset_table_writer, start_next_scanline);\n\n /* get len of next scanline */\n bytestream2_seek(&s->gb, start_next_scanline + 4, SEEK_SET);/* skip line number */\n start_next_scanline += (bytestream2_get_le32(&s->gb) + 8);\n }\n bytestream2_seek(&s->gb, start_offset_table, SEEK_SET);\n }\n\n // save pointer we are going to use in decode_block\n s->buf = avpkt->data;\n 
s->buf_size = avpkt->size;\n\n // Zero out the start if ymin is not 0\n for (i = 0; i < planes; i++) {\n ptr = picture->data[i];\n for (y = 0; y < s->ymin; y++) {\n memset(ptr, 0, out_line_size);\n ptr += picture->linesize[i];\n }\n }\n\n s->picture = picture;\n\n avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks);\n\n ymax = FFMAX(0, s->ymax + 1);\n // Zero out the end if ymax+1 is not h\n for (i = 0; i < planes; i++) {\n ptr = picture->data[i] + (ymax * picture->linesize[i]);\n for (y = ymax; y < avctx->height; y++) {\n memset(ptr, 0, out_line_size);\n ptr += picture->linesize[i];\n }\n }\n\n picture->pict_type = AV_PICTURE_TYPE_I;\n *got_frame = 1;\n\n return avpkt->size;\n}",
- "project": "FFmpeg",
- "hash": 206532618456884129741435132538316190900,
- "size": 170,
- "commit_id": "3e5959b3457f7f1856d997261e6ac672bba49e8b",
- "message": "avcodec/exr: Check ymin vs. h\n\nFixes: out of array access\nFixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344\nFixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136\n\nFound-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg\nSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>",
- "target": 1,
- "dataset": "other",
- "idx": 197567
- },
- {
- "func": "static int decode_frame(AVCodecContext *avctx, void *data,\n int *got_frame, AVPacket *avpkt)\n{\n EXRContext *s = avctx->priv_data;\n GetByteContext *gb = &s->gb;\n ThreadFrame frame = { .f = data };\n AVFrame *picture = data;\n uint8_t *ptr;\n\n int i, y, ret, ymax;\n int planes;\n int out_line_size;\n int nb_blocks; /* nb scanline or nb tile */\n uint64_t start_offset_table;\n uint64_t start_next_scanline;\n PutByteContext offset_table_writer;\n\n bytestream2_init(gb, avpkt->data, avpkt->size);\n\n if ((ret = decode_header(s, picture)) < 0)\n return ret;\n\n if ((s->compression == EXR_DWAA || s->compression == EXR_DWAB) &&\n s->pixel_type == EXR_HALF) {\n s->current_channel_offset *= 2;\n for (int i = 0; i < 4; i++)\n s->channel_offsets[i] *= 2;\n }\n\n switch (s->pixel_type) {\n case EXR_FLOAT:\n case EXR_HALF:\n if (s->channel_offsets[3] >= 0) {\n if (!s->is_luma) {\n avctx->pix_fmt = AV_PIX_FMT_GBRAPF32;\n } else {\n /* todo: change this when a floating point pixel format with luma with alpha is implemented */\n avctx->pix_fmt = AV_PIX_FMT_GBRAPF32;\n }\n } else {\n if (!s->is_luma) {\n avctx->pix_fmt = AV_PIX_FMT_GBRPF32;\n } else {\n avctx->pix_fmt = AV_PIX_FMT_GRAYF32;\n }\n }\n break;\n case EXR_UINT:\n if (s->channel_offsets[3] >= 0) {\n if (!s->is_luma) {\n avctx->pix_fmt = AV_PIX_FMT_RGBA64;\n } else {\n avctx->pix_fmt = AV_PIX_FMT_YA16;\n }\n } else {\n if (!s->is_luma) {\n avctx->pix_fmt = AV_PIX_FMT_RGB48;\n } else {\n avctx->pix_fmt = AV_PIX_FMT_GRAY16;\n }\n }\n break;\n default:\n av_log(avctx, AV_LOG_ERROR, \"Missing channel list.\\n\");\n return AVERROR_INVALIDDATA;\n }\n\n if (s->apply_trc_type != AVCOL_TRC_UNSPECIFIED)\n avctx->color_trc = s->apply_trc_type;\n\n switch (s->compression) {\n case EXR_RAW:\n case EXR_RLE:\n case EXR_ZIP1:\n s->scan_lines_per_block = 1;\n break;\n case EXR_PXR24:\n case EXR_ZIP16:\n s->scan_lines_per_block = 16;\n break;\n case EXR_PIZ:\n case EXR_B44:\n case EXR_B44A:\n case EXR_DWAA:\n 
s->scan_lines_per_block = 32;\n break;\n case EXR_DWAB:\n s->scan_lines_per_block = 256;\n break;\n default:\n avpriv_report_missing_feature(avctx, \"Compression %d\", s->compression);\n return AVERROR_PATCHWELCOME;\n }\n\n /* Verify the xmin, xmax, ymin and ymax before setting the actual image size.\n * It's possible for the data window can larger or outside the display window */\n if (s->xmin > s->xmax || s->ymin > s->ymax ||\n s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF) {\n av_log(avctx, AV_LOG_ERROR, \"Wrong or missing size information.\\n\");\n return AVERROR_INVALIDDATA;\n }\n\n if ((ret = ff_set_dimensions(avctx, s->w, s->h)) < 0)\n return ret;\n\n ff_set_sar(s->avctx, av_d2q(av_int2float(s->sar), 255));\n\n s->desc = av_pix_fmt_desc_get(avctx->pix_fmt);\n if (!s->desc)\n return AVERROR_INVALIDDATA;\n\n if (s->desc->flags & AV_PIX_FMT_FLAG_FLOAT) {\n planes = s->desc->nb_components;\n out_line_size = avctx->width * 4;\n } else {\n planes = 1;\n out_line_size = avctx->width * 2 * s->desc->nb_components;\n }\n\n if (s->is_tile) {\n nb_blocks = ((s->xdelta + s->tile_attr.xSize - 1) / s->tile_attr.xSize) *\n ((s->ydelta + s->tile_attr.ySize - 1) / s->tile_attr.ySize);\n } else { /* scanline */\n nb_blocks = (s->ydelta + s->scan_lines_per_block - 1) /\n s->scan_lines_per_block;\n }\n\n if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0)\n return ret;\n\n if (bytestream2_get_bytes_left(gb)/8 < nb_blocks)\n return AVERROR_INVALIDDATA;\n\n // check offset table and recreate it if need\n if (!s->is_tile && bytestream2_peek_le64(gb) == 0) {\n av_log(s->avctx, AV_LOG_DEBUG, \"recreating invalid scanline offset table\\n\");\n\n start_offset_table = bytestream2_tell(gb);\n start_next_scanline = start_offset_table + nb_blocks * 8;\n bytestream2_init_writer(&offset_table_writer, &avpkt->data[start_offset_table], nb_blocks * 8);\n\n for (y = 0; y < nb_blocks; y++) {\n /* write offset of prev scanline in offset table */\n 
bytestream2_put_le64(&offset_table_writer, start_next_scanline);\n\n /* get len of next scanline */\n bytestream2_seek(gb, start_next_scanline + 4, SEEK_SET);/* skip line number */\n start_next_scanline += (bytestream2_get_le32(gb) + 8);\n }\n bytestream2_seek(gb, start_offset_table, SEEK_SET);\n }\n\n // save pointer we are going to use in decode_block\n s->buf = avpkt->data;\n s->buf_size = avpkt->size;\n\n // Zero out the start if ymin is not 0\n for (i = 0; i < planes; i++) {\n ptr = picture->data[i];\n for (y = 0; y < FFMIN(s->ymin, s->h); y++) {\n memset(ptr, 0, out_line_size);\n ptr += picture->linesize[i];\n }\n }\n\n s->picture = picture;\n\n avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks);\n\n ymax = FFMAX(0, s->ymax + 1);\n // Zero out the end if ymax+1 is not h\n if (ymax < avctx->height)\n for (i = 0; i < planes; i++) {\n ptr = picture->data[i] + (ymax * picture->linesize[i]);\n for (y = ymax; y < avctx->height; y++) {\n memset(ptr, 0, out_line_size);\n ptr += picture->linesize[i];\n }\n }\n\n picture->pict_type = AV_PICTURE_TYPE_I;\n *got_frame = 1;\n\n return avpkt->size;\n}",
- "project": "FFmpeg",
- "hash": 330286888782902150079930713180808864531,
- "size": 185,
- "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777",
- "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı <burakcarikci@crypttech.com>\nSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>",
- "target": 0,
- "dataset": "other",
- "idx": 262689
- },
- {
- "func": "static void skip_header_chunk(EXRContext *s)\n{\n GetByteContext *gb = &s->gb;\n\n while (bytestream2_get_bytes_left(gb) > 0) {\n if (!bytestream2_peek_byte(gb))\n break;\n\n // Process unknown variables\n for (int i = 0; i < 2; i++) // value_name and value_type\n while (bytestream2_get_byte(gb) != 0);\n\n // Skip variable length\n bytestream2_skip(gb, bytestream2_get_le32(gb));\n }\n}",
- "project": "FFmpeg",
- "hash": 19272837122676011976404639411214305373,
- "size": 16,
- "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777",
- "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı <burakcarikci@crypttech.com>\nSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>",
- "target": 0,
- "dataset": "other",
- "idx": 262679
- },
- {
- "func": "static int check_header_variable(EXRContext *s,\n const char *value_name,\n const char *value_type,\n unsigned int minimum_length)\n{\n GetByteContext *gb = &s->gb;\n int var_size = -1;\n\n if (bytestream2_get_bytes_left(gb) >= minimum_length &&\n !strcmp(gb->buffer, value_name)) {\n // found value_name, jump to value_type (null terminated strings)\n gb->buffer += strlen(value_name) + 1;\n if (!strcmp(gb->buffer, value_type)) {\n gb->buffer += strlen(value_type) + 1;\n var_size = bytestream2_get_le32(gb);\n // don't go read past boundaries\n if (var_size > bytestream2_get_bytes_left(gb))\n var_size = 0;\n } else {\n // value_type not found, reset the buffer\n gb->buffer -= strlen(value_name) + 1;\n av_log(s->avctx, AV_LOG_WARNING,\n \"Unknown data type %s for header variable %s.\\n\",\n value_type, value_name);\n }\n }\n\n return var_size;\n}",
- "project": "FFmpeg",
- "hash": 289516014085258602214466823964869426494,
- "size": 29,
- "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777",
- "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı <burakcarikci@crypttech.com>\nSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>",
- "target": 0,
- "dataset": "other",
- "idx": 262685
- },
- {
- "func": "static int decode_header(EXRContext *s, AVFrame *frame)\n{\n AVDictionary *metadata = NULL;\n GetByteContext *gb = &s->gb;\n int magic_number, version, flags;\n int layer_match = 0;\n int ret;\n int dup_channels = 0;\n\n s->current_channel_offset = 0;\n s->xmin = ~0;\n s->xmax = ~0;\n s->ymin = ~0;\n s->ymax = ~0;\n s->xdelta = ~0;\n s->ydelta = ~0;\n s->channel_offsets[0] = -1;\n s->channel_offsets[1] = -1;\n s->channel_offsets[2] = -1;\n s->channel_offsets[3] = -1;\n s->pixel_type = EXR_UNKNOWN;\n s->compression = EXR_UNKN;\n s->nb_channels = 0;\n s->w = 0;\n s->h = 0;\n s->tile_attr.xSize = -1;\n s->tile_attr.ySize = -1;\n s->is_tile = 0;\n s->is_multipart = 0;\n s->is_luma = 0;\n s->current_part = 0;\n\n if (bytestream2_get_bytes_left(gb) < 10) {\n av_log(s->avctx, AV_LOG_ERROR, \"Header too short to parse.\\n\");\n return AVERROR_INVALIDDATA;\n }\n\n magic_number = bytestream2_get_le32(gb);\n if (magic_number != 20000630) {\n /* As per documentation of OpenEXR, it is supposed to be\n * int 20000630 little-endian */\n av_log(s->avctx, AV_LOG_ERROR, \"Wrong magic number %d.\\n\", magic_number);\n return AVERROR_INVALIDDATA;\n }\n\n version = bytestream2_get_byte(gb);\n if (version != 2) {\n avpriv_report_missing_feature(s->avctx, \"Version %d\", version);\n return AVERROR_PATCHWELCOME;\n }\n\n flags = bytestream2_get_le24(gb);\n\n if (flags & 0x02)\n s->is_tile = 1;\n if (flags & 0x10)\n s->is_multipart = 1;\n if (flags & 0x08) {\n avpriv_report_missing_feature(s->avctx, \"deep data\");\n return AVERROR_PATCHWELCOME;\n }\n\n // Parse the header\n while (bytestream2_get_bytes_left(gb) > 0) {\n int var_size;\n\n while (s->is_multipart && s->current_part < s->selected_part &&\n bytestream2_get_bytes_left(gb) > 0) {\n if (bytestream2_peek_byte(gb)) {\n skip_header_chunk(s);\n } else {\n bytestream2_skip(gb, 1);\n if (!bytestream2_peek_byte(gb))\n break;\n }\n bytestream2_skip(gb, 1);\n s->current_part++;\n }\n\n if (!bytestream2_peek_byte(gb)) {\n if 
(!s->is_multipart)\n break;\n bytestream2_skip(gb, 1);\n if (s->current_part == s->selected_part) {\n while (bytestream2_get_bytes_left(gb) > 0) {\n if (bytestream2_peek_byte(gb)) {\n skip_header_chunk(s);\n } else {\n bytestream2_skip(gb, 1);\n if (!bytestream2_peek_byte(gb))\n break;\n }\n }\n }\n if (!bytestream2_peek_byte(gb))\n break;\n s->current_part++;\n }\n\n if ((var_size = check_header_variable(s, \"channels\",\n \"chlist\", 38)) >= 0) {\n GetByteContext ch_gb;\n if (!var_size) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n bytestream2_init(&ch_gb, gb->buffer, var_size);\n\n while (bytestream2_get_bytes_left(&ch_gb) >= 19) {\n EXRChannel *channel;\n enum ExrPixelType current_pixel_type;\n int channel_index = -1;\n int xsub, ysub;\n\n if (strcmp(s->layer, \"\") != 0) {\n if (strncmp(ch_gb.buffer, s->layer, strlen(s->layer)) == 0) {\n layer_match = 1;\n av_log(s->avctx, AV_LOG_INFO,\n \"Channel match layer : %s.\\n\", ch_gb.buffer);\n ch_gb.buffer += strlen(s->layer);\n if (*ch_gb.buffer == '.')\n ch_gb.buffer++; /* skip dot if not given */\n } else {\n layer_match = 0;\n av_log(s->avctx, AV_LOG_INFO,\n \"Channel doesn't match layer : %s.\\n\", ch_gb.buffer);\n }\n } else {\n layer_match = 1;\n }\n\n if (layer_match) { /* only search channel if the layer match is valid */\n if (!av_strcasecmp(ch_gb.buffer, \"R\") ||\n !av_strcasecmp(ch_gb.buffer, \"X\") ||\n !av_strcasecmp(ch_gb.buffer, \"U\")) {\n channel_index = 0;\n s->is_luma = 0;\n } else if (!av_strcasecmp(ch_gb.buffer, \"G\") ||\n !av_strcasecmp(ch_gb.buffer, \"V\")) {\n channel_index = 1;\n s->is_luma = 0;\n } else if (!av_strcasecmp(ch_gb.buffer, \"Y\")) {\n channel_index = 1;\n s->is_luma = 1;\n } else if (!av_strcasecmp(ch_gb.buffer, \"B\") ||\n !av_strcasecmp(ch_gb.buffer, \"Z\") ||\n !av_strcasecmp(ch_gb.buffer, \"W\")) {\n channel_index = 2;\n s->is_luma = 0;\n } else if (!av_strcasecmp(ch_gb.buffer, \"A\")) {\n channel_index = 3;\n } else {\n av_log(s->avctx, AV_LOG_WARNING,\n 
\"Unsupported channel %.256s.\\n\", ch_gb.buffer);\n }\n }\n\n /* skip until you get a 0 */\n while (bytestream2_get_bytes_left(&ch_gb) > 0 &&\n bytestream2_get_byte(&ch_gb))\n continue;\n\n if (bytestream2_get_bytes_left(&ch_gb) < 4) {\n av_log(s->avctx, AV_LOG_ERROR, \"Incomplete header.\\n\");\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n current_pixel_type = bytestream2_get_le32(&ch_gb);\n if (current_pixel_type >= EXR_UNKNOWN) {\n avpriv_report_missing_feature(s->avctx, \"Pixel type %d\",\n current_pixel_type);\n ret = AVERROR_PATCHWELCOME;\n goto fail;\n }\n\n bytestream2_skip(&ch_gb, 4);\n xsub = bytestream2_get_le32(&ch_gb);\n ysub = bytestream2_get_le32(&ch_gb);\n\n if (xsub != 1 || ysub != 1) {\n avpriv_report_missing_feature(s->avctx,\n \"Subsampling %dx%d\",\n xsub, ysub);\n ret = AVERROR_PATCHWELCOME;\n goto fail;\n }\n\n if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */\n if (s->pixel_type != EXR_UNKNOWN &&\n s->pixel_type != current_pixel_type) {\n av_log(s->avctx, AV_LOG_ERROR,\n \"RGB channels not of the same depth.\\n\");\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n s->pixel_type = current_pixel_type;\n s->channel_offsets[channel_index] = s->current_channel_offset;\n } else if (channel_index >= 0) {\n av_log(s->avctx, AV_LOG_WARNING,\n \"Multiple channels with index %d.\\n\", channel_index);\n if (++dup_channels > 10) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n }\n\n s->channels = av_realloc(s->channels,\n ++s->nb_channels * sizeof(EXRChannel));\n if (!s->channels) {\n ret = AVERROR(ENOMEM);\n goto fail;\n }\n channel = &s->channels[s->nb_channels - 1];\n channel->pixel_type = current_pixel_type;\n channel->xsub = xsub;\n channel->ysub = ysub;\n\n if (current_pixel_type == EXR_HALF) {\n s->current_channel_offset += 2;\n } else {/* Float or UINT32 */\n s->current_channel_offset += 4;\n }\n }\n\n /* Check if all channels are set with an offset or if the channels\n * are 
causing an overflow */\n if (!s->is_luma) {/* if we expected to have at least 3 channels */\n if (FFMIN3(s->channel_offsets[0],\n s->channel_offsets[1],\n s->channel_offsets[2]) < 0) {\n if (s->channel_offsets[0] < 0)\n av_log(s->avctx, AV_LOG_ERROR, \"Missing red channel.\\n\");\n if (s->channel_offsets[1] < 0)\n av_log(s->avctx, AV_LOG_ERROR, \"Missing green channel.\\n\");\n if (s->channel_offsets[2] < 0)\n av_log(s->avctx, AV_LOG_ERROR, \"Missing blue channel.\\n\");\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n }\n\n // skip one last byte and update main gb\n gb->buffer = ch_gb.buffer + 1;\n continue;\n } else if ((var_size = check_header_variable(s, \"dataWindow\", \"box2i\",\n 31)) >= 0) {\n int xmin, ymin, xmax, ymax;\n if (!var_size) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n xmin = bytestream2_get_le32(gb);\n ymin = bytestream2_get_le32(gb);\n xmax = bytestream2_get_le32(gb);\n ymax = bytestream2_get_le32(gb);\n\n if (xmin > xmax || ymin > ymax ||\n ymax == INT_MAX || xmax == INT_MAX ||\n (unsigned)xmax - xmin >= INT_MAX ||\n (unsigned)ymax - ymin >= INT_MAX) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n s->xmin = xmin;\n s->xmax = xmax;\n s->ymin = ymin;\n s->ymax = ymax;\n s->xdelta = (s->xmax - s->xmin) + 1;\n s->ydelta = (s->ymax - s->ymin) + 1;\n\n continue;\n } else if ((var_size = check_header_variable(s, \"displayWindow\",\n \"box2i\", 34)) >= 0) {\n int32_t sx, sy, dx, dy;\n\n if (!var_size) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n sx = bytestream2_get_le32(gb);\n sy = bytestream2_get_le32(gb);\n dx = bytestream2_get_le32(gb);\n dy = bytestream2_get_le32(gb);\n\n s->w = dx - sx + 1;\n s->h = dy - sy + 1;\n\n continue;\n } else if ((var_size = check_header_variable(s, \"lineOrder\",\n \"lineOrder\", 25)) >= 0) {\n int line_order;\n if (!var_size) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n line_order = bytestream2_get_byte(gb);\n av_log(s->avctx, AV_LOG_DEBUG, \"line order: %d.\\n\", line_order);\n if (line_order 
> 2) {\n av_log(s->avctx, AV_LOG_ERROR, \"Unknown line order.\\n\");\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n continue;\n } else if ((var_size = check_header_variable(s, \"pixelAspectRatio\",\n \"float\", 31)) >= 0) {\n if (!var_size) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n s->sar = bytestream2_get_le32(gb);\n\n continue;\n } else if ((var_size = check_header_variable(s, \"compression\",\n \"compression\", 29)) >= 0) {\n if (!var_size) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n if (s->compression == EXR_UNKN)\n s->compression = bytestream2_get_byte(gb);\n else {\n bytestream2_skip(gb, 1);\n av_log(s->avctx, AV_LOG_WARNING,\n \"Found more than one compression attribute.\\n\");\n }\n\n continue;\n } else if ((var_size = check_header_variable(s, \"tiles\",\n \"tiledesc\", 22)) >= 0) {\n char tileLevel;\n\n if (!s->is_tile)\n av_log(s->avctx, AV_LOG_WARNING,\n \"Found tile attribute and scanline flags. Exr will be interpreted as scanline.\\n\");\n\n s->tile_attr.xSize = bytestream2_get_le32(gb);\n s->tile_attr.ySize = bytestream2_get_le32(gb);\n\n tileLevel = bytestream2_get_byte(gb);\n s->tile_attr.level_mode = tileLevel & 0x0f;\n s->tile_attr.level_round = (tileLevel >> 4) & 0x0f;\n\n if (s->tile_attr.level_mode >= EXR_TILE_LEVEL_UNKNOWN) {\n avpriv_report_missing_feature(s->avctx, \"Tile level mode %d\",\n s->tile_attr.level_mode);\n ret = AVERROR_PATCHWELCOME;\n goto fail;\n }\n\n if (s->tile_attr.level_round >= EXR_TILE_ROUND_UNKNOWN) {\n avpriv_report_missing_feature(s->avctx, \"Tile level round %d\",\n s->tile_attr.level_round);\n ret = AVERROR_PATCHWELCOME;\n goto fail;\n }\n\n continue;\n } else if ((var_size = check_header_variable(s, \"writer\",\n \"string\", 1)) >= 0) {\n uint8_t key[256] = { 0 };\n\n bytestream2_get_buffer(gb, key, FFMIN(sizeof(key) - 1, var_size));\n av_dict_set(&metadata, \"writer\", key, 0);\n\n continue;\n } else if ((var_size = check_header_variable(s, \"framesPerSecond\",\n \"rational\", 33)) >= 0) {\n 
if (!var_size) {\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n s->avctx->framerate.num = bytestream2_get_le32(gb);\n s->avctx->framerate.den = bytestream2_get_le32(gb);\n\n continue;\n } else if ((var_size = check_header_variable(s, \"chunkCount\",\n \"int\", 23)) >= 0) {\n\n s->chunk_count = bytestream2_get_le32(gb);\n\n continue;\n } else if ((var_size = check_header_variable(s, \"type\",\n \"string\", 16)) >= 0) {\n uint8_t key[256] = { 0 };\n\n bytestream2_get_buffer(gb, key, FFMIN(sizeof(key) - 1, var_size));\n if (strncmp(\"scanlineimage\", key, var_size) &&\n strncmp(\"tiledimage\", key, var_size))\n return AVERROR_PATCHWELCOME;\n\n continue;\n } else if ((var_size = check_header_variable(s, \"preview\",\n \"preview\", 16)) >= 0) {\n uint32_t pw = bytestream2_get_le32(gb);\n uint32_t ph = bytestream2_get_le32(gb);\n int64_t psize = 4LL * pw * ph;\n\n if (psize >= bytestream2_get_bytes_left(gb))\n return AVERROR_INVALIDDATA;\n\n bytestream2_skip(gb, psize);\n\n continue;\n }\n\n // Check if there are enough bytes for a header\n if (bytestream2_get_bytes_left(gb) <= 9) {\n av_log(s->avctx, AV_LOG_ERROR, \"Incomplete header\\n\");\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n // Process unknown variables\n {\n uint8_t name[256] = { 0 };\n uint8_t type[256] = { 0 };\n uint8_t value[256] = { 0 };\n int i = 0, size;\n\n while (bytestream2_get_bytes_left(gb) > 0 &&\n bytestream2_peek_byte(gb) && i < 255) {\n name[i++] = bytestream2_get_byte(gb);\n }\n\n bytestream2_skip(gb, 1);\n i = 0;\n while (bytestream2_get_bytes_left(gb) > 0 &&\n bytestream2_peek_byte(gb) && i < 255) {\n type[i++] = bytestream2_get_byte(gb);\n }\n bytestream2_skip(gb, 1);\n size = bytestream2_get_le32(gb);\n\n bytestream2_get_buffer(gb, value, FFMIN(sizeof(value) - 1, size));\n if (!strcmp(type, \"string\"))\n av_dict_set(&metadata, name, value, 0);\n }\n }\n\n if (s->compression == EXR_UNKN) {\n av_log(s->avctx, AV_LOG_ERROR, \"Missing compression attribute.\\n\");\n ret = 
AVERROR_INVALIDDATA;\n goto fail;\n }\n\n if (s->is_tile) {\n if (s->tile_attr.xSize < 1 || s->tile_attr.ySize < 1) {\n av_log(s->avctx, AV_LOG_ERROR, \"Invalid tile attribute.\\n\");\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n }\n\n if (bytestream2_get_bytes_left(gb) <= 0) {\n av_log(s->avctx, AV_LOG_ERROR, \"Incomplete frame.\\n\");\n ret = AVERROR_INVALIDDATA;\n goto fail;\n }\n\n frame->metadata = metadata;\n\n // aaand we are done\n bytestream2_skip(gb, 1);\n return 0;\nfail:\n av_dict_free(&metadata);\n return ret;\n}",
- "project": "FFmpeg",
- "hash": 101409097968203521848128535463886770814,
- "size": 477,
- "commit_id": "26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777",
- "message": "avcodec/exr: More strictly check dc_count\n\nFixes: out of array access\nFixes: exr/deneme\n\nFound-by: Burak Çarıkçı <burakcarikci@crypttech.com>\nSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>",
- "target": 0,
- "dataset": "other",
- "idx": 262682
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "j2k_dump",
- "j2k_dump_image_header",
- "j2k_dump_image_comp_header"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static void opj_j2k_dump_tile_info(opj_tcp_t * l_default_tile,\n OPJ_INT32 numcomps, FILE* out_stream)\n{\n if (l_default_tile) {\n OPJ_INT32 compno;\n\n fprintf(out_stream, \"\\t default tile {\\n\");\n fprintf(out_stream, \"\\t\\t csty=%#x\\n\", l_default_tile->csty);\n fprintf(out_stream, \"\\t\\t prg=%#x\\n\", l_default_tile->prg);\n fprintf(out_stream, \"\\t\\t numlayers=%d\\n\", l_default_tile->numlayers);\n fprintf(out_stream, \"\\t\\t mct=%x\\n\", l_default_tile->mct);\n\n for (compno = 0; compno < numcomps; compno++) {\n opj_tccp_t *l_tccp = &(l_default_tile->tccps[compno]);\n OPJ_UINT32 resno;\n OPJ_INT32 bandno, numbands;\n\n /* coding style*/\n fprintf(out_stream, \"\\t\\t comp %d {\\n\", compno);\n fprintf(out_stream, \"\\t\\t\\t csty=%#x\\n\", l_tccp->csty);\n fprintf(out_stream, \"\\t\\t\\t numresolutions=%d\\n\", l_tccp->numresolutions);\n fprintf(out_stream, \"\\t\\t\\t cblkw=2^%d\\n\", l_tccp->cblkw);\n fprintf(out_stream, \"\\t\\t\\t cblkh=2^%d\\n\", l_tccp->cblkh);\n fprintf(out_stream, \"\\t\\t\\t cblksty=%#x\\n\", l_tccp->cblksty);\n fprintf(out_stream, \"\\t\\t\\t qmfbid=%d\\n\", l_tccp->qmfbid);\n\n fprintf(out_stream, \"\\t\\t\\t preccintsize (w,h)=\");\n for (resno = 0; resno < l_tccp->numresolutions; resno++) {\n fprintf(out_stream, \"(%d,%d) \", l_tccp->prcw[resno], l_tccp->prch[resno]);\n }\n fprintf(out_stream, \"\\n\");\n\n /* quantization style*/\n fprintf(out_stream, \"\\t\\t\\t qntsty=%d\\n\", l_tccp->qntsty);\n fprintf(out_stream, \"\\t\\t\\t numgbits=%d\\n\", l_tccp->numgbits);\n fprintf(out_stream, \"\\t\\t\\t stepsizes (m,e)=\");\n numbands = (l_tccp->qntsty == J2K_CCP_QNTSTY_SIQNT) ? 
1 :\n (OPJ_INT32)l_tccp->numresolutions * 3 - 2;\n for (bandno = 0; bandno < numbands; bandno++) {\n fprintf(out_stream, \"(%d,%d) \", l_tccp->stepsizes[bandno].mant,\n l_tccp->stepsizes[bandno].expn);\n }\n fprintf(out_stream, \"\\n\");\n\n /* RGN value*/\n fprintf(out_stream, \"\\t\\t\\t roishift=%d\\n\", l_tccp->roishift);\n\n fprintf(out_stream, \"\\t\\t }\\n\");\n } /*end of component of default tile*/\n fprintf(out_stream, \"\\t }\\n\"); /*end of default tile*/\n }\n}",
- "project": "openjpeg",
- "hash": 51607478772090798622835946927947547776,
- "size": 52,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357433
- },
- {
- "func": "void j2k_dump(opj_j2k_t* p_j2k, OPJ_INT32 flag, FILE* out_stream)\n{\n /* Check if the flag is compatible with j2k file*/\n if ((flag & OPJ_JP2_INFO) || (flag & OPJ_JP2_IND)) {\n fprintf(out_stream, \"Wrong flag\\n\");\n return;\n }\n\n /* Dump the image_header */\n if (flag & OPJ_IMG_INFO) {\n if (p_j2k->m_private_image) {\n j2k_dump_image_header(p_j2k->m_private_image, 0, out_stream);\n }\n }\n\n /* Dump the codestream info from main header */\n if (flag & OPJ_J2K_MH_INFO) {\n if (p_j2k->m_private_image) {\n opj_j2k_dump_MH_info(p_j2k, out_stream);\n }\n }\n /* Dump all tile/codestream info */\n if (flag & OPJ_J2K_TCH_INFO) {\n OPJ_UINT32 l_nb_tiles = p_j2k->m_cp.th * p_j2k->m_cp.tw;\n OPJ_UINT32 i;\n opj_tcp_t * l_tcp = p_j2k->m_cp.tcps;\n if (p_j2k->m_private_image) {\n for (i = 0; i < l_nb_tiles; ++i) {\n opj_j2k_dump_tile_info(l_tcp, (OPJ_INT32)p_j2k->m_private_image->numcomps,\n out_stream);\n ++l_tcp;\n }\n }\n }\n\n /* Dump the codestream info of the current tile */\n if (flag & OPJ_J2K_TH_INFO) {\n\n }\n\n /* Dump the codestream index from main header */\n if (flag & OPJ_J2K_MH_IND) {\n opj_j2k_dump_MH_index(p_j2k, out_stream);\n }\n\n /* Dump the codestream index of the current tile */\n if (flag & OPJ_J2K_TH_IND) {\n\n }\n\n}",
- "project": "openjpeg",
- "hash": 17856137946455148866793740336225951354,
- "size": 51,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357301
- },
- {
- "func": "void j2k_dump_image_header(opj_image_t* img_header, OPJ_BOOL dev_dump_flag,\n FILE* out_stream)\n{\n char tab[2];\n\n if (dev_dump_flag) {\n fprintf(stdout, \"[DEV] Dump an image_header struct {\\n\");\n tab[0] = '\\0';\n } else {\n fprintf(out_stream, \"Image info {\\n\");\n tab[0] = '\\t';\n tab[1] = '\\0';\n }\n\n fprintf(out_stream, \"%s x0=%d, y0=%d\\n\", tab, img_header->x0, img_header->y0);\n fprintf(out_stream, \"%s x1=%d, y1=%d\\n\", tab, img_header->x1,\n img_header->y1);\n fprintf(out_stream, \"%s numcomps=%d\\n\", tab, img_header->numcomps);\n\n if (img_header->comps) {\n OPJ_UINT32 compno;\n for (compno = 0; compno < img_header->numcomps; compno++) {\n fprintf(out_stream, \"%s\\t component %d {\\n\", tab, compno);\n j2k_dump_image_comp_header(&(img_header->comps[compno]), dev_dump_flag,\n out_stream);\n fprintf(out_stream, \"%s}\\n\", tab);\n }\n }\n\n fprintf(out_stream, \"}\\n\");\n}",
- "project": "openjpeg",
- "hash": 11902064534528171501747539889597312753,
- "size": 31,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357331
- },
- {
- "func": "static void opj_j2k_dump_MH_info(opj_j2k_t* p_j2k, FILE* out_stream)\n{\n\n fprintf(out_stream, \"Codestream info from main header: {\\n\");\n\n fprintf(out_stream, \"\\t tx0=%d, ty0=%d\\n\", p_j2k->m_cp.tx0, p_j2k->m_cp.ty0);\n fprintf(out_stream, \"\\t tdx=%d, tdy=%d\\n\", p_j2k->m_cp.tdx, p_j2k->m_cp.tdy);\n fprintf(out_stream, \"\\t tw=%d, th=%d\\n\", p_j2k->m_cp.tw, p_j2k->m_cp.th);\n opj_j2k_dump_tile_info(p_j2k->m_specific_param.m_decoder.m_default_tcp,\n (OPJ_INT32)p_j2k->m_private_image->numcomps, out_stream);\n fprintf(out_stream, \"}\\n\");\n}",
- "project": "openjpeg",
- "hash": 67278379867667648901937234503624904387,
- "size": 12,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357443
- },
- {
- "func": "static void opj_j2k_dump_MH_index(opj_j2k_t* p_j2k, FILE* out_stream)\n{\n opj_codestream_index_t* cstr_index = p_j2k->cstr_index;\n OPJ_UINT32 it_marker, it_tile, it_tile_part;\n\n fprintf(out_stream, \"Codestream index from main header: {\\n\");\n\n fprintf(out_stream, \"\\t Main header start position=%\" PRIi64 \"\\n\"\n \"\\t Main header end position=%\" PRIi64 \"\\n\",\n cstr_index->main_head_start, cstr_index->main_head_end);\n\n fprintf(out_stream, \"\\t Marker list: {\\n\");\n\n if (cstr_index->marker) {\n for (it_marker = 0; it_marker < cstr_index->marknum ; it_marker++) {\n fprintf(out_stream, \"\\t\\t type=%#x, pos=%\" PRIi64 \", len=%d\\n\",\n cstr_index->marker[it_marker].type,\n cstr_index->marker[it_marker].pos,\n cstr_index->marker[it_marker].len);\n }\n }\n\n fprintf(out_stream, \"\\t }\\n\");\n\n if (cstr_index->tile_index) {\n\n /* Simple test to avoid to write empty information*/\n OPJ_UINT32 l_acc_nb_of_tile_part = 0;\n for (it_tile = 0; it_tile < cstr_index->nb_of_tiles ; it_tile++) {\n l_acc_nb_of_tile_part += cstr_index->tile_index[it_tile].nb_tps;\n }\n\n if (l_acc_nb_of_tile_part) {\n fprintf(out_stream, \"\\t Tile index: {\\n\");\n\n for (it_tile = 0; it_tile < cstr_index->nb_of_tiles ; it_tile++) {\n OPJ_UINT32 nb_of_tile_part = cstr_index->tile_index[it_tile].nb_tps;\n\n fprintf(out_stream, \"\\t\\t nb of tile-part in tile [%d]=%d\\n\", it_tile,\n nb_of_tile_part);\n\n if (cstr_index->tile_index[it_tile].tp_index) {\n for (it_tile_part = 0; it_tile_part < nb_of_tile_part; it_tile_part++) {\n fprintf(out_stream, \"\\t\\t\\t tile-part[%d]: star_pos=%\" PRIi64 \", end_header=%\"\n PRIi64 \", end_pos=%\" PRIi64 \".\\n\",\n it_tile_part,\n cstr_index->tile_index[it_tile].tp_index[it_tile_part].start_pos,\n cstr_index->tile_index[it_tile].tp_index[it_tile_part].end_header,\n cstr_index->tile_index[it_tile].tp_index[it_tile_part].end_pos);\n }\n }\n\n if (cstr_index->tile_index[it_tile].marker) {\n for (it_marker = 0; it_marker < 
cstr_index->tile_index[it_tile].marknum ;\n it_marker++) {\n fprintf(out_stream, \"\\t\\t type=%#x, pos=%\" PRIi64 \", len=%d\\n\",\n cstr_index->tile_index[it_tile].marker[it_marker].type,\n cstr_index->tile_index[it_tile].marker[it_marker].pos,\n cstr_index->tile_index[it_tile].marker[it_marker].len);\n }\n }\n }\n fprintf(out_stream, \"\\t }\\n\");\n }\n }\n\n fprintf(out_stream, \"}\\n\");\n\n}",
- "project": "openjpeg",
- "hash": 2401832381883037027900156978202737645,
- "size": 69,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357391
- },
- {
- "func": "void j2k_dump_image_comp_header(opj_image_comp_t* comp_header,\n OPJ_BOOL dev_dump_flag, FILE* out_stream)\n{\n char tab[3];\n\n if (dev_dump_flag) {\n fprintf(stdout, \"[DEV] Dump an image_comp_header struct {\\n\");\n tab[0] = '\\0';\n } else {\n tab[0] = '\\t';\n tab[1] = '\\t';\n tab[2] = '\\0';\n }\n\n fprintf(out_stream, \"%s dx=%d, dy=%d\\n\", tab, comp_header->dx, comp_header->dy);\n fprintf(out_stream, \"%s prec=%d\\n\", tab, comp_header->prec);\n fprintf(out_stream, \"%s sgnd=%d\\n\", tab, comp_header->sgnd);\n\n if (dev_dump_flag) {\n fprintf(out_stream, \"}\\n\");\n }\n}",
- "project": "openjpeg",
- "hash": 329127559965974685019870250929135179467,
- "size": 22,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357277
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "rtnl_talk_suppress_rtnl_errmsg",
- "__rtnl_talk",
- "__rtnl_talk_iov",
- "rtnl_talk_error",
- "nl_dump_ext_ack"
- ],
- "group_size": 15,
- "functions": [
- {
- "func": "int rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iovec, size_t iovlen,\n\t\t struct nlmsghdr **answer)\n{\n\treturn __rtnl_talk_iov(rtnl, iovec, iovlen, answer, true, NULL);\n}",
- "project": "iproute2",
- "hash": 75126113650359112333002503747350893451,
- "size": 5,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318210
- },
- {
- "func": "int rtnl_talk_suppress_rtnl_errmsg(struct rtnl_handle *rtnl, struct nlmsghdr *n,\n\t\t\t\t struct nlmsghdr **answer)\n{\n\treturn __rtnl_talk(rtnl, n, answer, false, NULL);\n}",
- "project": "iproute2",
- "hash": 276177257538643753720790986623527364950,
- "size": 5,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318246
- },
- {
- "func": "static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,\n\t\t\t size_t iovlen, struct nlmsghdr **answer,\n\t\t\t bool show_rtnl_err, nl_ext_ack_fn_t errfn)\n{\n\tstruct sockaddr_nl nladdr = { .nl_family = AF_NETLINK };\n\tstruct iovec riov;\n\tstruct msghdr msg = {\n\t\t.msg_name = &nladdr,\n\t\t.msg_namelen = sizeof(nladdr),\n\t\t.msg_iov = iov,\n\t\t.msg_iovlen = iovlen,\n\t};\n\tunsigned int seq = 0;\n\tstruct nlmsghdr *h;\n\tint i, status;\n\tchar *buf;\n\n\tfor (i = 0; i < iovlen; i++) {\n\t\th = iov[i].iov_base;\n\t\th->nlmsg_seq = seq = ++rtnl->seq;\n\t\tif (answer == NULL)\n\t\t\th->nlmsg_flags |= NLM_F_ACK;\n\t}\n\n\tstatus = sendmsg(rtnl->fd, &msg, 0);\n\tif (status < 0) {\n\t\tperror(\"Cannot talk to rtnetlink\");\n\t\treturn -1;\n\t}\n\n\t/* change msg to use the response iov */\n\tmsg.msg_iov = &riov;\n\tmsg.msg_iovlen = 1;\n\ti = 0;\n\twhile (1) {\n\t\tstatus = rtnl_recvmsg(rtnl->fd, &msg, &buf);\n\t\t++i;\n\n\t\tif (status < 0)\n\t\t\treturn status;\n\n\t\tif (msg.msg_namelen != sizeof(nladdr)) {\n\t\t\tfprintf(stderr,\n\t\t\t\t\"sender address length == %d\\n\",\n\t\t\t\tmsg.msg_namelen);\n\t\t\texit(1);\n\t\t}\n\t\tfor (h = (struct nlmsghdr *)buf; status >= sizeof(*h); ) {\n\t\t\tint len = h->nlmsg_len;\n\t\t\tint l = len - sizeof(*h);\n\n\t\t\tif (l < 0 || len > status) {\n\t\t\t\tif (msg.msg_flags & MSG_TRUNC) {\n\t\t\t\t\tfprintf(stderr, \"Truncated message\\n\");\n\t\t\t\t\tfree(buf);\n\t\t\t\t\treturn -1;\n\t\t\t\t}\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"!!!malformed message: len=%d\\n\",\n\t\t\t\t\tlen);\n\t\t\t\texit(1);\n\t\t\t}\n\n\t\t\tif (nladdr.nl_pid != 0 ||\n\t\t\t h->nlmsg_pid != rtnl->local.nl_pid ||\n\t\t\t h->nlmsg_seq > seq || h->nlmsg_seq < seq - iovlen) {\n\t\t\t\t/* Don't forget to skip that message. 
*/\n\t\t\t\tstatus -= NLMSG_ALIGN(len);\n\t\t\t\th = (struct nlmsghdr *)((char *)h + NLMSG_ALIGN(len));\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tif (h->nlmsg_type == NLMSG_ERROR) {\n\t\t\t\tstruct nlmsgerr *err = (struct nlmsgerr *)NLMSG_DATA(h);\n\n\t\t\t\tif (l < sizeof(struct nlmsgerr)) {\n\t\t\t\t\tfprintf(stderr, \"ERROR truncated\\n\");\n\t\t\t\t\tfree(buf);\n\t\t\t\t\treturn -1;\n\t\t\t\t}\n\n\t\t\t\tif (!err->error)\n\t\t\t\t\t/* check messages from kernel */\n\t\t\t\t\tnl_dump_ext_ack(h, errfn);\n\n\t\t\t\tif (rtnl->proto != NETLINK_SOCK_DIAG &&\n\t\t\t\t show_rtnl_err)\n\t\t\t\t\trtnl_talk_error(h, err, errfn);\n\n\t\t\t\terrno = -err->error;\n\t\t\t\tif (answer)\n\t\t\t\t\t*answer = (struct nlmsghdr *)buf;\n\t\t\t\telse\n\t\t\t\t\tfree(buf);\n\t\t\t\treturn -i;\n\t\t\t}\n\n\t\t\tif (answer) {\n\t\t\t\t*answer = (struct nlmsghdr *)buf;\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\tfprintf(stderr, \"Unexpected reply!!!\\n\");\n\n\t\t\tstatus -= NLMSG_ALIGN(len);\n\t\t\th = (struct nlmsghdr *)((char *)h + NLMSG_ALIGN(len));\n\t\t}\n\t\tfree(buf);\n\n\t\tif (msg.msg_flags & MSG_TRUNC) {\n\t\t\tfprintf(stderr, \"Message truncated\\n\");\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (status) {\n\t\t\tfprintf(stderr, \"!!!Remnant of size %d\\n\", status);\n\t\t\texit(1);\n\t\t}\n\t}\n}",
- "project": "iproute2",
- "hash": 92142101603136768225931051509924523570,
- "size": 120,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 1,
- "dataset": "other",
- "idx": 201365
- },
- {
- "func": "static int __rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n,\n\t\t struct nlmsghdr **answer,\n\t\t bool show_rtnl_err, nl_ext_ack_fn_t errfn)\n{\n\tstruct iovec iov = {\n\t\t.iov_base = n,\n\t\t.iov_len = n->nlmsg_len\n\t};\n\n\treturn __rtnl_talk_iov(rtnl, &iov, 1, answer, show_rtnl_err, errfn);\n}",
- "project": "iproute2",
- "hash": 258357111139890241141530940901744848252,
- "size": 11,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318243
- },
- {
- "func": "int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n,\n\t struct nlmsghdr **answer)\n{\n\treturn __rtnl_talk(rtnl, n, answer, true, NULL);\n}",
- "project": "iproute2",
- "hash": 282123356199083406582312983221270494907,
- "size": 5,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318254
- },
- {
- "func": "static void rtnl_talk_error(struct nlmsghdr *h, struct nlmsgerr *err,\n\t\t\t nl_ext_ack_fn_t errfn)\n{\n\tif (nl_dump_ext_ack(h, errfn))\n\t\treturn;\n\n\tfprintf(stderr, \"RTNETLINK answers: %s\\n\",\n\t\tstrerror(-err->error));\n}",
- "project": "iproute2",
- "hash": 70030816660616229372553035022519381719,
- "size": 9,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318227
- },
- {
- "func": "int rtnl_dump_filter_l(struct rtnl_handle *rth,\n\t\t const struct rtnl_dump_filter_arg *arg)\n{\n\tstruct sockaddr_nl nladdr;\n\tstruct iovec iov;\n\tstruct msghdr msg = {\n\t\t.msg_name = &nladdr,\n\t\t.msg_namelen = sizeof(nladdr),\n\t\t.msg_iov = &iov,\n\t\t.msg_iovlen = 1,\n\t};\n\tchar *buf;\n\tint dump_intr = 0;\n\n\twhile (1) {\n\t\tint status;\n\t\tconst struct rtnl_dump_filter_arg *a;\n\t\tint found_done = 0;\n\t\tint msglen = 0;\n\n\t\tstatus = rtnl_recvmsg(rth->fd, &msg, &buf);\n\t\tif (status < 0)\n\t\t\treturn status;\n\n\t\tif (rth->dump_fp)\n\t\t\tfwrite(buf, 1, NLMSG_ALIGN(status), rth->dump_fp);\n\n\t\tfor (a = arg; a->filter; a++) {\n\t\t\tstruct nlmsghdr *h = (struct nlmsghdr *)buf;\n\n\t\t\tmsglen = status;\n\n\t\t\twhile (NLMSG_OK(h, msglen)) {\n\t\t\t\tint err = 0;\n\n\t\t\t\th->nlmsg_flags &= ~a->nc_flags;\n\n\t\t\t\tif (nladdr.nl_pid != 0 ||\n\t\t\t\t h->nlmsg_pid != rth->local.nl_pid ||\n\t\t\t\t h->nlmsg_seq != rth->dump)\n\t\t\t\t\tgoto skip_it;\n\n\t\t\t\tif (h->nlmsg_flags & NLM_F_DUMP_INTR)\n\t\t\t\t\tdump_intr = 1;\n\n\t\t\t\tif (h->nlmsg_type == NLMSG_DONE) {\n\t\t\t\t\terr = rtnl_dump_done(h);\n\t\t\t\t\tif (err < 0) {\n\t\t\t\t\t\tfree(buf);\n\t\t\t\t\t\treturn -1;\n\t\t\t\t\t}\n\n\t\t\t\t\tfound_done = 1;\n\t\t\t\t\tbreak; /* process next filter */\n\t\t\t\t}\n\n\t\t\t\tif (h->nlmsg_type == NLMSG_ERROR) {\n\t\t\t\t\trtnl_dump_error(rth, h);\n\t\t\t\t\tfree(buf);\n\t\t\t\t\treturn -1;\n\t\t\t\t}\n\n\t\t\t\tif (!rth->dump_fp) {\n\t\t\t\t\terr = a->filter(&nladdr, h, a->arg1);\n\t\t\t\t\tif (err < 0) {\n\t\t\t\t\t\tfree(buf);\n\t\t\t\t\t\treturn err;\n\t\t\t\t\t}\n\t\t\t\t}\n\nskip_it:\n\t\t\t\th = NLMSG_NEXT(h, msglen);\n\t\t\t}\n\t\t}\n\t\tfree(buf);\n\n\t\tif (found_done) {\n\t\t\tif (dump_intr)\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"Dump was interrupted and may be inconsistent.\\n\");\n\t\t\treturn 0;\n\t\t}\n\n\t\tif (msg.msg_flags & MSG_TRUNC) {\n\t\t\tfprintf(stderr, \"Message 
truncated\\n\");\n\t\t\tcontinue;\n\t\t}\n\t\tif (msglen) {\n\t\t\tfprintf(stderr, \"!!!Remnant of size %d\\n\", msglen);\n\t\t\texit(1);\n\t\t}\n\t}\n}",
- "project": "iproute2",
- "hash": 166921226395054266878638469800187184412,
- "size": 93,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318215
- },
- {
- "func": "int rtnl_talk_extack(struct rtnl_handle *rtnl, struct nlmsghdr *n,\n\t\t struct nlmsghdr **answer,\n\t\t nl_ext_ack_fn_t errfn)\n{\n\treturn __rtnl_talk(rtnl, n, answer, true, errfn);\n}",
- "project": "iproute2",
- "hash": 264744638057171992891412528702997048696,
- "size": 6,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318240
- },
- {
- "func": "static int rtnl_recvmsg(int fd, struct msghdr *msg, char **answer)\n{\n\tstruct iovec *iov = msg->msg_iov;\n\tchar *buf;\n\tint len;\n\n\tiov->iov_base = NULL;\n\tiov->iov_len = 0;\n\n\tlen = __rtnl_recvmsg(fd, msg, MSG_PEEK | MSG_TRUNC);\n\tif (len < 0)\n\t\treturn len;\n\n\tbuf = malloc(len);\n\tif (!buf) {\n\t\tfprintf(stderr, \"malloc error: not enough buffer\\n\");\n\t\treturn -ENOMEM;\n\t}\n\n\tiov->iov_base = buf;\n\tiov->iov_len = len;\n\n\tlen = __rtnl_recvmsg(fd, msg, 0);\n\tif (len < 0) {\n\t\tfree(buf);\n\t\treturn len;\n\t}\n\n\tif (answer)\n\t\t*answer = buf;\n\telse\n\t\tfree(buf);\n\n\treturn len;\n}",
- "project": "iproute2",
- "hash": 130784246103898234782440326940795739483,
- "size": 35,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318228
- },
- {
- "func": "static int rtnl_dump_done(struct nlmsghdr *h)\n{\n\tint len = *(int *)NLMSG_DATA(h);\n\n\tif (h->nlmsg_len < NLMSG_LENGTH(sizeof(int))) {\n\t\tfprintf(stderr, \"DONE truncated\\n\");\n\t\treturn -1;\n\t}\n\n\tif (len < 0) {\n\t\terrno = -len;\n\t\tswitch (errno) {\n\t\tcase ENOENT:\n\t\tcase EOPNOTSUPP:\n\t\t\treturn -1;\n\t\tcase EMSGSIZE:\n\t\t\tfprintf(stderr,\n\t\t\t\t\"Error: Buffer too small for object.\\n\");\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tperror(\"RTNETLINK answers\");\n\t\t}\n\t\treturn len;\n\t}\n\n\t/* check for any messages returned from kernel */\n\tnl_dump_ext_ack(h, NULL);\n\n\treturn 0;\n}",
- "project": "iproute2",
- "hash": 277082411931981204017671150617698319440,
- "size": 30,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318259
- },
- {
- "func": "static int __rtnl_recvmsg(int fd, struct msghdr *msg, int flags)\n{\n\tint len;\n\n\tdo {\n\t\tlen = recvmsg(fd, msg, flags);\n\t} while (len < 0 && (errno == EINTR || errno == EAGAIN));\n\n\tif (len < 0) {\n\t\tfprintf(stderr, \"netlink receive error %s (%d)\\n\",\n\t\t\tstrerror(errno), errno);\n\t\treturn -errno;\n\t}\n\n\tif (len == 0) {\n\t\tfprintf(stderr, \"EOF on netlink\\n\");\n\t\treturn -ENODATA;\n\t}\n\n\treturn len;\n}",
- "project": "iproute2",
- "hash": 4321026708248301105542426191233231815,
- "size": 21,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318255
- },
- {
- "func": "static void rtnl_dump_error(const struct rtnl_handle *rth,\n\t\t\t struct nlmsghdr *h)\n{\n\n\tif (h->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr))) {\n\t\tfprintf(stderr, \"ERROR truncated\\n\");\n\t} else {\n\t\tconst struct nlmsgerr *err = (struct nlmsgerr *)NLMSG_DATA(h);\n\n\t\terrno = -err->error;\n\t\tif (rth->proto == NETLINK_SOCK_DIAG &&\n\t\t (errno == ENOENT ||\n\t\t errno == EOPNOTSUPP))\n\t\t\treturn;\n\n\t\tif (!(rth->flags & RTNL_HANDLE_F_SUPPRESS_NLERR))\n\t\t\tperror(\"RTNETLINK answers\");\n\t}\n}",
- "project": "iproute2",
- "hash": 191557476382986932474280775943643105300,
- "size": 19,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318235
- },
- {
- "func": "int nl_dump_ext_ack(const struct nlmsghdr *nlh, nl_ext_ack_fn_t errfn)\n{\n\tstruct nlattr *tb[NLMSGERR_ATTR_MAX + 1] = {};\n\tconst struct nlmsgerr *err = mnl_nlmsg_get_payload(nlh);\n\tconst struct nlmsghdr *err_nlh = NULL;\n\tunsigned int hlen = sizeof(*err);\n\tconst char *msg = NULL;\n\tuint32_t off = 0;\n\n\t/* no TLVs, nothing to do here */\n\tif (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS))\n\t\treturn 0;\n\n\t/* if NLM_F_CAPPED is set then the inner err msg was capped */\n\tif (!(nlh->nlmsg_flags & NLM_F_CAPPED))\n\t\thlen += mnl_nlmsg_get_payload_len(&err->msg);\n\n\tif (mnl_attr_parse(nlh, hlen, err_attr_cb, tb) != MNL_CB_OK)\n\t\treturn 0;\n\n\tif (tb[NLMSGERR_ATTR_MSG])\n\t\tmsg = mnl_attr_get_str(tb[NLMSGERR_ATTR_MSG]);\n\n\tif (tb[NLMSGERR_ATTR_OFFS]) {\n\t\toff = mnl_attr_get_u32(tb[NLMSGERR_ATTR_OFFS]);\n\n\t\tif (off > nlh->nlmsg_len) {\n\t\t\tfprintf(stderr,\n\t\t\t\t\"Invalid offset for NLMSGERR_ATTR_OFFS\\n\");\n\t\t\toff = 0;\n\t\t} else if (!(nlh->nlmsg_flags & NLM_F_CAPPED))\n\t\t\terr_nlh = &err->msg;\n\t}\n\n\tif (errfn)\n\t\treturn errfn(msg, off, err_nlh);\n\n\tif (msg && *msg != '\\0') {\n\t\tbool is_err = !!err->error;\n\n\t\tfprintf(stderr, \"%s: %s\",\n\t\t\tis_err ? \"Error\" : \"Warning\", msg);\n\t\tif (msg[strlen(msg) - 1] != '.')\n\t\t\tfprintf(stderr, \".\");\n\t\tfprintf(stderr, \"\\n\");\n\n\t\treturn is_err ? 1 : 0;\n\t}\n\n\treturn 0;\n}",
- "project": "iproute2",
- "hash": 300270387770507140375902767365134012826,
- "size": 51,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318229
- },
- {
- "func": "int nl_dump_ext_ack(const struct nlmsghdr *nlh, nl_ext_ack_fn_t errfn)\n{\n\treturn 0;\n}",
- "project": "iproute2",
- "hash": 147008708141629430933019260862799517880,
- "size": 4,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318233
- },
- {
- "func": "int rtnl_dump_filter_nc(struct rtnl_handle *rth,\n\t\t rtnl_filter_t filter,\n\t\t void *arg1, __u16 nc_flags)\n{\n\tconst struct rtnl_dump_filter_arg a[2] = {\n\t\t{ .filter = filter, .arg1 = arg1, .nc_flags = nc_flags, },\n\t\t{ .filter = NULL, .arg1 = NULL, .nc_flags = 0, },\n\t};\n\n\treturn rtnl_dump_filter_l(rth, a);\n}",
- "project": "iproute2",
- "hash": 53752171441152340212005918815825810107,
- "size": 11,
- "commit_id": "b45e300024bb0936a41821ad75117dc08b65669f",
- "message": "libnetlink: don't return error on success\n\nChange to error handling broke normal code.\n\nFixes: c60389e4f9ea (\"libnetlink: fix leak and using unused memory on error\")\nReported-by: David Ahern <dsahern@gmail.com>\nSigned-off-by: Stephen Hemminger <stephen@networkplumber.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318225
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "bcf_readrec",
- "bcf_record_check",
- "bcf_dec_size_safe",
- "bcf_dec_typed_int1_safe"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "int bcf_readrec(BGZF *fp, void *null, void *vv, int *tid, hts_pos_t *beg, hts_pos_t *end)\n{\n bcf1_t *v = (bcf1_t *) vv;\n int ret = bcf_read1_core(fp, v);\n if (ret == 0) ret = bcf_record_check(NULL, v);\n if (ret >= 0)\n *tid = v->rid, *beg = v->pos, *end = v->pos + v->rlen;\n return ret;\n}",
- "project": "htslib",
- "hash": 33818452448365810705567639192787771876,
- "size": 9,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402249
- },
- {
- "func": "static int bcf_dec_size_safe(uint8_t *p, uint8_t *end, uint8_t **q,\n int *num, int *type) {\n int r;\n if (p >= end) return -1;\n *type = *p & 0xf;\n if (*p>>4 != 15) {\n *q = p + 1;\n *num = *p >> 4;\n return 0;\n }\n r = bcf_dec_typed_int1_safe(p + 1, end, q, num);\n if (r) return r;\n return *num >= 0 ? 0 : -1;\n}",
- "project": "htslib",
- "hash": 141373285537262292830683104823021389913,
- "size": 14,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402201
- },
- {
- "func": "static int bcf_dec_typed_int1_safe(uint8_t *p, uint8_t *end, uint8_t **q,\n int32_t *val) {\n uint32_t t;\n if (end - p < 2) return -1;\n t = *p++ & 0xf;\n /* Use if .. else if ... else instead of switch to force order. Assumption\n is that small integers are more frequent than big ones. */\n if (t == BCF_BT_INT8) {\n *q = p + 1;\n *val = *(int8_t *) p;\n } else if (t == BCF_BT_INT16) {\n if (end - p < 2) return -1;\n *q = p + 2;\n *val = le_to_i16(p);\n } else if (t == BCF_BT_INT32) {\n if (end - p < 4) return -1;\n *q = p + 4;\n *val = le_to_i32(p);\n#ifdef VCF_ALLOW_INT64\n } else if (t == BCF_BT_INT64) {\n // This case should never happen because there should be no 64-bit BCFs\n // at all, definitely not coming from htslib\n if (end - p < 8) return -1;\n *q = p + 8;\n *val = le_to_i64(p);\n#endif\n } else {\n return -1;\n }\n return 0;\n}",
- "project": "htslib",
- "hash": 234731386941793576194670991723107717916,
- "size": 31,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402180
- },
- {
- "func": "static inline int bcf_read1_core(BGZF *fp, bcf1_t *v)\n{\n uint8_t x[32];\n ssize_t ret;\n uint32_t shared_len, indiv_len;\n if ((ret = bgzf_read(fp, x, 32)) != 32) {\n if (ret == 0) return -1;\n return -2;\n }\n bcf_clear1(v);\n shared_len = le_to_u32(x);\n if (shared_len < 24) return -2;\n shared_len -= 24; // to exclude six 32-bit integers\n if (ks_resize(&v->shared, shared_len) != 0) return -2;\n indiv_len = le_to_u32(x + 4);\n if (ks_resize(&v->indiv, indiv_len) != 0) return -2;\n v->rid = le_to_i32(x + 8);\n v->pos = le_to_u32(x + 12);\n v->rlen = le_to_i32(x + 16);\n v->qual = le_to_float(x + 20);\n v->n_info = le_to_u16(x + 24);\n v->n_allele = le_to_u16(x + 26);\n v->n_sample = le_to_u32(x + 28) & 0xffffff;\n v->n_fmt = x[31];\n v->shared.l = shared_len;\n v->indiv.l = indiv_len;\n // silent fix of broken BCFs produced by earlier versions of bcf_subset, prior to and including bd6ed8b4\n if ( (!v->indiv.l || !v->n_sample) && v->n_fmt ) v->n_fmt = 0;\n\n if (bgzf_read(fp, v->shared.s, v->shared.l) != v->shared.l) return -2;\n if (bgzf_read(fp, v->indiv.s, v->indiv.l) != v->indiv.l) return -2;\n return 0;\n}",
- "project": "htslib",
- "hash": 12751460557049634954365934146773465993,
- "size": 33,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402240
- },
- {
- "func": "static int bcf_record_check(const bcf_hdr_t *hdr, bcf1_t *rec) {\n uint8_t *ptr, *end;\n size_t bytes;\n uint32_t err = 0;\n int type = 0;\n int num = 0;\n int reflen = 0;\n uint32_t i, reports;\n const uint32_t is_integer = ((1 << BCF_BT_INT8) |\n (1 << BCF_BT_INT16) |\n#ifdef VCF_ALLOW_INT64\n (1 << BCF_BT_INT64) |\n#endif\n (1 << BCF_BT_INT32));\n const uint32_t is_valid_type = (is_integer |\n (1 << BCF_BT_NULL) |\n (1 << BCF_BT_FLOAT) |\n (1 << BCF_BT_CHAR));\n int32_t max_id = hdr ? hdr->n[BCF_DT_ID] : 0;\n\n // Check for valid contig ID\n if (rec->rid < 0\n || (hdr && (rec->rid >= hdr->n[BCF_DT_CTG]\n || hdr->id[BCF_DT_CTG][rec->rid].key == NULL))) {\n hts_log_warning(\"Bad BCF record at %\"PRIhts_pos\": Invalid %s id %d\", rec->pos+1, \"CONTIG\", rec->rid);\n err |= BCF_ERR_CTG_INVALID;\n }\n\n // Check ID\n ptr = (uint8_t *) rec->shared.s;\n end = ptr + rec->shared.l;\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_shared;\n if (type != BCF_BT_CHAR) {\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"ID\", type, get_type_name(type));\n err |= BCF_ERR_TAG_INVALID;\n }\n bytes = (size_t) num << bcf_type_shift[type];\n if (end - ptr < bytes) goto bad_shared;\n ptr += bytes;\n\n // Check REF and ALT\n reports = 0;\n for (i = 0; i < rec->n_allele; i++) {\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_shared;\n if (type != BCF_BT_CHAR) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"REF/ALT\", type, get_type_name(type));\n err |= BCF_ERR_CHAR;\n }\n if (i == 0) reflen = num;\n bytes = (size_t) num << bcf_type_shift[type];\n if (end - ptr < bytes) goto bad_shared;\n ptr += bytes;\n }\n\n // Check FILTER\n reports = 0;\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_shared;\n if (num > 0) {\n 
bytes = (size_t) num << bcf_type_shift[type];\n if (((1 << type) & is_integer) == 0) {\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"FILTER\", type, get_type_name(type));\n err |= BCF_ERR_TAG_INVALID;\n if (end - ptr < bytes) goto bad_shared;\n ptr += bytes;\n } else {\n if (end - ptr < bytes) goto bad_shared;\n for (i = 0; i < num; i++) {\n int32_t key = bcf_dec_int1(ptr, type, &ptr);\n if (key < 0\n || (hdr && (key >= max_id\n || hdr->id[BCF_DT_ID][key].key == NULL))) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s id %d\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"FILTER\", key);\n err |= BCF_ERR_TAG_UNDEF;\n }\n }\n }\n }\n\n // Check INFO\n reports = 0;\n for (i = 0; i < rec->n_info; i++) {\n int32_t key = -1;\n if (bcf_dec_typed_int1_safe(ptr, end, &ptr, &key) != 0) goto bad_shared;\n if (key < 0 || (hdr && (key >= max_id\n || hdr->id[BCF_DT_ID][key].key == NULL))) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s id %d\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"INFO\", key);\n err |= BCF_ERR_TAG_UNDEF;\n }\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_shared;\n if (((1 << type) & is_valid_type) == 0) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"INFO\", type, get_type_name(type));\n err |= BCF_ERR_TAG_INVALID;\n }\n bytes = (size_t) num << bcf_type_shift[type];\n if (end - ptr < bytes) goto bad_shared;\n ptr += bytes;\n }\n\n // Check FORMAT and individual information\n ptr = (uint8_t *) rec->indiv.s;\n end = ptr + rec->indiv.l;\n reports = 0;\n for (i = 0; i < rec->n_fmt; i++) {\n int32_t key = -1;\n if (bcf_dec_typed_int1_safe(ptr, end, &ptr, &key) != 0) goto bad_indiv;\n if (key < 0\n 
|| (hdr && (key >= max_id\n || hdr->id[BCF_DT_ID][key].key == NULL))) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s id %d\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"FORMAT\", key);\n err |= BCF_ERR_TAG_UNDEF;\n }\n if (bcf_dec_size_safe(ptr, end, &ptr, &num, &type) != 0) goto bad_indiv;\n if (((1 << type) & is_valid_type) == 0) {\n if (!reports++ || hts_verbose >= HTS_LOG_DEBUG)\n hts_log_warning(\"Bad BCF record at %s:%\"PRIhts_pos\": Invalid %s type %d (%s)\", bcf_seqname_safe(hdr,rec), rec->pos+1, \"FORMAT\", type, get_type_name(type));\n err |= BCF_ERR_TAG_INVALID;\n }\n bytes = ((size_t) num << bcf_type_shift[type]) * rec->n_sample;\n if (end - ptr < bytes) goto bad_indiv;\n ptr += bytes;\n }\n\n if (!err && rec->rlen < 0) {\n // Treat bad rlen as a warning instead of an error, and try to\n // fix up by using the length of the stored REF allele.\n static int warned = 0;\n if (!warned) {\n hts_log_warning(\"BCF record at %s:%\"PRIhts_pos\" has invalid RLEN (%\"PRIhts_pos\"). \"\n \"Only one invalid RLEN will be reported.\",\n bcf_seqname_safe(hdr,rec), rec->pos+1, rec->rlen);\n warned = 1;\n }\n rec->rlen = reflen >= 0 ? reflen : 0;\n }\n\n rec->errcode |= err;\n\n return err ? -2 : 0; // Return -2 so bcf_read() reports an error\n\n bad_shared:\n hts_log_error(\"Bad BCF record at %s:%\"PRIhts_pos\" - shared section malformed or too short\", bcf_seqname_safe(hdr,rec), rec->pos+1);\n return -2;\n\n bad_indiv:\n hts_log_error(\"Bad BCF record at %s:%\"PRIhts_pos\" - individuals section malformed or too short\", bcf_seqname_safe(hdr,rec), rec->pos+1);\n return -2;\n}",
- "project": "htslib",
- "hash": 13043732940354638373013501762813051039,
- "size": 152,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402177
- },
- {
- "func": "int vcf_read(htsFile *fp, const bcf_hdr_t *h, bcf1_t *v)\n{\n int ret;\n ret = hts_getline(fp, KS_SEP_LINE, &fp->line);\n if (ret < 0) return ret;\n return vcf_parse1(&fp->line, h, v);\n}",
- "project": "htslib",
- "hash": 18430956208465103548864436074290095431,
- "size": 7,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402182
- },
- {
- "func": "int bcf_subset_format(const bcf_hdr_t *hdr, bcf1_t *rec)\n{\n if ( !hdr->keep_samples ) return 0;\n if ( !bcf_hdr_nsamples(hdr) )\n {\n rec->indiv.l = rec->n_sample = 0;\n return 0;\n }\n\n int i, j;\n uint8_t *ptr = (uint8_t*)rec->indiv.s, *dst = NULL, *src;\n bcf_dec_t *dec = &rec->d;\n hts_expand(bcf_fmt_t, rec->n_fmt, dec->m_fmt, dec->fmt);\n for (i=0; i<dec->m_fmt; ++i) dec->fmt[i].p_free = 0;\n\n for (i=0; i<rec->n_fmt; i++)\n {\n ptr = bcf_unpack_fmt_core1(ptr, rec->n_sample, &dec->fmt[i]);\n src = dec->fmt[i].p - dec->fmt[i].size;\n if ( dst )\n {\n memmove(dec->fmt[i-1].p + dec->fmt[i-1].p_len, dec->fmt[i].p - dec->fmt[i].p_off, dec->fmt[i].p_off);\n dec->fmt[i].p = dec->fmt[i-1].p + dec->fmt[i-1].p_len + dec->fmt[i].p_off;\n }\n dst = dec->fmt[i].p;\n for (j=0; j<hdr->nsamples_ori; j++)\n {\n src += dec->fmt[i].size;\n if ( !bit_array_test(hdr->keep_samples,j) ) continue;\n memmove(dst, src, dec->fmt[i].size);\n dst += dec->fmt[i].size;\n }\n rec->indiv.l -= dec->fmt[i].p_len - (dst - dec->fmt[i].p);\n dec->fmt[i].p_len = dst - dec->fmt[i].p;\n }\n rec->unpacked |= BCF_UN_FMT;\n\n rec->n_sample = bcf_hdr_nsamples(hdr);\n return 0;\n}",
- "project": "htslib",
- "hash": 313869283831717057726771406159143661219,
- "size": 40,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402194
- },
- {
- "func": "int bcf_read(htsFile *fp, const bcf_hdr_t *h, bcf1_t *v)\n{\n if (fp->format.format == vcf) return vcf_read(fp,h,v);\n int ret = bcf_read1_core(fp->fp.bgzf, v);\n if (ret == 0) ret = bcf_record_check(h, v);\n if ( ret!=0 || !h->keep_samples ) return ret;\n return bcf_subset_format(h,v);\n}",
- "project": "htslib",
- "hash": 59715034301581063666044249619776521944,
- "size": 8,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402164
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "util_get_sys_driver",
- "get_sys_link",
- "util_strlcpy"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static ssize_t get_sys_link(struct udev *udev, const char *slink, const char *syspath, char *value, size_t size)\n{\n\tchar path[UTIL_PATH_SIZE];\n\tssize_t len;\n\tconst char *pos;\n\n\tutil_strlcpy(path, syspath, sizeof(path));\n\tutil_strlcat(path, \"/\", sizeof(path));\n\tutil_strlcat(path, slink, sizeof(path));\n\tlen = readlink(path, path, sizeof(path));\n\tif (len < 0 || len >= (ssize_t) sizeof(path))\n\t\treturn -1;\n\tpath[len] = '\\0';\n\tpos = strrchr(path, '/');\n\tif (pos == NULL)\n\t\treturn -1;\n\tpos = &pos[1];\n\tdbg(udev, \"resolved link to: '%s'\\n\", pos);\n\treturn util_strlcpy(value, pos, size);\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 170706486389395120822766530533024339126,
- "size": 20,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490337
- },
- {
- "func": "size_t util_strlcpy(char *dst, const char *src, size_t size)\n{\n\tsize_t bytes = 0;\n\tchar *q = dst;\n\tconst char *p = src;\n\tchar ch;\n\n\twhile ((ch = *p++)) {\n\t\tif (bytes+1 < size)\n\t\t\t*q++ = ch;\n\t\tbytes++;\n\t}\n\n\t/* If size == 0 there is no space for a final null... */\n\tif (size)\n\t\t*q = '\\0';\n\treturn bytes;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 59372724724277103526580946639086123403,
- "size": 18,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490330
- },
- {
- "func": "int util_resolve_sys_link(struct udev *udev, char *syspath, size_t size)\n{\n\tchar link_target[UTIL_PATH_SIZE];\n\n\tint len;\n\tint i;\n\tint back;\n\n\tlen = readlink(syspath, link_target, sizeof(link_target));\n\tif (len <= 0)\n\t\treturn -1;\n\tlink_target[len] = '\\0';\n\tdbg(udev, \"path link '%s' points to '%s'\\n\", syspath, link_target);\n\n\tfor (back = 0; strncmp(&link_target[back * 3], \"../\", 3) == 0; back++)\n\t\t;\n\tdbg(udev, \"base '%s', tail '%s', back %i\\n\", syspath, &link_target[back * 3], back);\n\tfor (i = 0; i <= back; i++) {\n\t\tchar *pos = strrchr(syspath, '/');\n\n\t\tif (pos == NULL)\n\t\t\treturn -1;\n\t\tpos[0] = '\\0';\n\t}\n\tdbg(udev, \"after moving back '%s'\\n\", syspath);\n\tutil_strlcat(syspath, \"/\", size);\n\tutil_strlcat(syspath, &link_target[back * 3], size);\n\treturn 0;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 245499895849437487231202101375366456480,
- "size": 29,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490343
- },
- {
- "func": "ssize_t util_get_sys_subsystem(struct udev *udev, const char *syspath, char *subsystem, size_t size)\n{\n\treturn get_sys_link(udev, \"subsystem\", syspath, subsystem, size);\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 59667652336681995129715824807812589835,
- "size": 4,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490340
- },
- {
- "func": "size_t util_strlcat(char *dst, const char *src, size_t size)\n{\n\tsize_t bytes = 0;\n\tchar *q = dst;\n\tconst char *p = src;\n\tchar ch;\n\n\twhile (bytes < size && *q) {\n\t\tq++;\n\t\tbytes++;\n\t}\n\tif (bytes == size)\n\t\treturn (bytes + strlen(src));\n\n\twhile ((ch = *p++)) {\n\t\tif (bytes+1 < size)\n\t\t*q++ = ch;\n\t\tbytes++;\n\t}\n\n\t*q = '\\0';\n\treturn bytes;\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 30325727257915378446130966860726349935,
- "size": 23,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490334
- },
- {
- "func": "ssize_t util_get_sys_driver(struct udev *udev, const char *syspath, char *driver, size_t size)\n{\n\treturn get_sys_link(udev, \"driver\", syspath, driver, size);\n}",
- "target": 0,
- "cwe": [
- "CWE-120"
- ],
- "project": "udev",
- "commit_id": "662c3110803bd8c1aedacc36788e6fd028944314",
- "hash": 238852136861315201702598224768757912017,
- "size": 4,
- "message": "path_encode: fix max length calculation\n\nSebastian Krahmer wrote:\n> it should reserve 4 times not 3 times len :)",
- "dataset": "other",
- "idx": 490335
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "kvm_s390_init",
- "kvm_init",
- "kvm_arch_init",
- "kvm_s390_cpu_feat_init",
- "plo_test_bit"
- ],
- "group_size": 19,
- "functions": [
- {
- "func": "void kvm_arch_hardware_unsetup(void)\n{\n\tgmap_unregister_pte_notifier(&gmap_notifier);\n\tgmap_unregister_pte_notifier(&vsie_gmap_notifier);\n\tatomic_notifier_chain_unregister(&s390_epoch_delta_notifier,\n\t\t\t\t\t &kvm_clock_notifier);\n}",
- "project": "linux",
- "hash": 118410648668929952188309157932227420309,
- "size": 7,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354646
- },
- {
- "func": "static void allow_cpu_feat(unsigned long nr)\n{\n\tset_bit_inv(nr, kvm_s390_available_cpu_feat);\n}",
- "project": "linux",
- "hash": 58534131025806512193431115757019879069,
- "size": 4,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354813
- },
- {
- "func": "void kvm_exit(void)\n{\n\tdebugfs_remove_recursive(kvm_debugfs_dir);\n\tmisc_deregister(&kvm_dev);\n\tkmem_cache_destroy(kvm_vcpu_cache);\n\tkvm_async_pf_deinit();\n\tunregister_syscore_ops(&kvm_syscore_ops);\n\tunregister_reboot_notifier(&kvm_reboot_notifier);\n\tcpuhp_remove_state_nocalls(CPUHP_AP_KVM_STARTING);\n\ton_each_cpu(hardware_disable_nolock, NULL, 1);\n\tkvm_arch_hardware_unsetup();\n\tkvm_arch_exit();\n\tkvm_irqfd_exit();\n\tfree_cpumask_var(cpus_hardware_enabled);\n\tkvm_vfio_ops_exit();\n}",
- "project": "linux",
- "hash": 110360090557712778110742486871748305796,
- "size": 16,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354697
- },
- {
- "func": "int kvm_register_device_ops(const struct kvm_device_ops *ops, u32 type)\n{\n\tif (type >= ARRAY_SIZE(kvm_device_ops_table))\n\t\treturn -ENOSPC;\n\n\tif (kvm_device_ops_table[type] != NULL)\n\t\treturn -EEXIST;\n\n\tkvm_device_ops_table[type] = ops;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 232948124377679066507315942381763154126,
- "size": 11,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354574
- },
- {
- "func": "static int __init kvm_s390_init(void)\n{\n\tint i;\n\n\tif (!sclp.has_sief2) {\n\t\tpr_info(\"SIE is not available\\n\");\n\t\treturn -ENODEV;\n\t}\n\n\tif (nested && hpage) {\n\t\tpr_info(\"A KVM host that supports nesting cannot back its KVM guests with huge pages\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tfor (i = 0; i < 16; i++)\n\t\tkvm_s390_fac_base[i] |=\n\t\t\tS390_lowcore.stfle_fac_list[i] & nonhyp_mask(i);\n\n\treturn kvm_init(NULL, sizeof(struct kvm_vcpu), 0, THIS_MODULE);\n}",
- "project": "linux",
- "hash": 288670679547903781264614562238410701976,
- "size": 20,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354599
- },
- {
- "func": "static void __exit kvm_s390_exit(void)\n{\n\tkvm_exit();\n}",
- "project": "linux",
- "hash": 248698086826202118304438027615529929353,
- "size": 4,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354771
- },
- {
- "func": "int kvm_arch_hardware_setup(void)\n{\n\tgmap_notifier.notifier_call = kvm_gmap_notifier;\n\tgmap_register_pte_notifier(&gmap_notifier);\n\tvsie_gmap_notifier.notifier_call = kvm_s390_vsie_gmap_notifier;\n\tgmap_register_pte_notifier(&vsie_gmap_notifier);\n\tatomic_notifier_chain_register(&s390_epoch_delta_notifier,\n\t\t\t\t &kvm_clock_notifier);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 324031969922159705961758940599685394203,
- "size": 10,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354759
- },
- {
- "func": "static void kvm_init_debug(void)\n{\n\tstruct kvm_stats_debugfs_item *p;\n\n\tkvm_debugfs_dir = debugfs_create_dir(\"kvm\", NULL);\n\n\tkvm_debugfs_num_entries = 0;\n\tfor (p = debugfs_entries; p->name; ++p, kvm_debugfs_num_entries++) {\n\t\tdebugfs_create_file(p->name, KVM_DBGFS_GET_MODE(p),\n\t\t\t\t kvm_debugfs_dir, (void *)(long)p->offset,\n\t\t\t\t stat_fops[p->kind]);\n\t}\n}",
- "project": "linux",
- "hash": 284594237410303027503162658836886958191,
- "size": 13,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354499
- },
- {
- "func": "int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,\n\t\t struct module *module)\n{\n\tint r;\n\tint cpu;\n\n\tr = kvm_arch_init(opaque);\n\tif (r)\n\t\tgoto out_fail;\n\n\t/*\n\t * kvm_arch_init makes sure there's at most one caller\n\t * for architectures that support multiple implementations,\n\t * like intel and amd on x86.\n\t * kvm_arch_init must be called before kvm_irqfd_init to avoid creating\n\t * conflicts in case kvm is already setup for another implementation.\n\t */\n\tr = kvm_irqfd_init();\n\tif (r)\n\t\tgoto out_irqfd;\n\n\tif (!zalloc_cpumask_var(&cpus_hardware_enabled, GFP_KERNEL)) {\n\t\tr = -ENOMEM;\n\t\tgoto out_free_0;\n\t}\n\n\tr = kvm_arch_hardware_setup();\n\tif (r < 0)\n\t\tgoto out_free_1;\n\n\tfor_each_online_cpu(cpu) {\n\t\tsmp_call_function_single(cpu, check_processor_compat, &r, 1);\n\t\tif (r < 0)\n\t\t\tgoto out_free_2;\n\t}\n\n\tr = cpuhp_setup_state_nocalls(CPUHP_AP_KVM_STARTING, \"kvm/cpu:starting\",\n\t\t\t\t kvm_starting_cpu, kvm_dying_cpu);\n\tif (r)\n\t\tgoto out_free_2;\n\tregister_reboot_notifier(&kvm_reboot_notifier);\n\n\t/* A kmem cache lets us meet the alignment requirements of fx_save. 
*/\n\tif (!vcpu_align)\n\t\tvcpu_align = __alignof__(struct kvm_vcpu);\n\tkvm_vcpu_cache =\n\t\tkmem_cache_create_usercopy(\"kvm_vcpu\", vcpu_size, vcpu_align,\n\t\t\t\t\t SLAB_ACCOUNT,\n\t\t\t\t\t offsetof(struct kvm_vcpu, arch),\n\t\t\t\t\t sizeof_field(struct kvm_vcpu, arch),\n\t\t\t\t\t NULL);\n\tif (!kvm_vcpu_cache) {\n\t\tr = -ENOMEM;\n\t\tgoto out_free_3;\n\t}\n\n\tr = kvm_async_pf_init();\n\tif (r)\n\t\tgoto out_free;\n\n\tkvm_chardev_ops.owner = module;\n\tkvm_vm_fops.owner = module;\n\tkvm_vcpu_fops.owner = module;\n\n\tr = misc_register(&kvm_dev);\n\tif (r) {\n\t\tpr_err(\"kvm: misc device register failed\\n\");\n\t\tgoto out_unreg;\n\t}\n\n\tregister_syscore_ops(&kvm_syscore_ops);\n\n\tkvm_preempt_ops.sched_in = kvm_sched_in;\n\tkvm_preempt_ops.sched_out = kvm_sched_out;\n\n\tkvm_init_debug();\n\n\tr = kvm_vfio_ops_init();\n\tWARN_ON(r);\n\n\treturn 0;\n\nout_unreg:\n\tkvm_async_pf_deinit();\nout_free:\n\tkmem_cache_destroy(kvm_vcpu_cache);\nout_free_3:\n\tunregister_reboot_notifier(&kvm_reboot_notifier);\n\tcpuhp_remove_state_nocalls(CPUHP_AP_KVM_STARTING);\nout_free_2:\n\tkvm_arch_hardware_unsetup();\nout_free_1:\n\tfree_cpumask_var(cpus_hardware_enabled);\nout_free_0:\n\tkvm_irqfd_exit();\nout_irqfd:\n\tkvm_arch_exit();\nout_fail:\n\treturn r;\n}",
- "project": "linux",
- "hash": 340188414203951212590925148914986464449,
- "size": 100,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354653
- },
- {
- "func": "int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,\n\t\t struct module *module)\n{\n\tstruct kvm_cpu_compat_check c;\n\tint r;\n\tint cpu;\n\n\tr = kvm_arch_init(opaque);\n\tif (r)\n\t\tgoto out_fail;\n\n\t/*\n\t * kvm_arch_init makes sure there's at most one caller\n\t * for architectures that support multiple implementations,\n\t * like intel and amd on x86.\n\t * kvm_arch_init must be called before kvm_irqfd_init to avoid creating\n\t * conflicts in case kvm is already setup for another implementation.\n\t */\n\tr = kvm_irqfd_init();\n\tif (r)\n\t\tgoto out_irqfd;\n\n\tif (!zalloc_cpumask_var(&cpus_hardware_enabled, GFP_KERNEL)) {\n\t\tr = -ENOMEM;\n\t\tgoto out_free_0;\n\t}\n\n\tr = kvm_arch_hardware_setup(opaque);\n\tif (r < 0)\n\t\tgoto out_free_1;\n\n\tc.ret = &r;\n\tc.opaque = opaque;\n\tfor_each_online_cpu(cpu) {\n\t\tsmp_call_function_single(cpu, check_processor_compat, &c, 1);\n\t\tif (r < 0)\n\t\t\tgoto out_free_2;\n\t}\n\n\tr = cpuhp_setup_state_nocalls(CPUHP_AP_KVM_STARTING, \"kvm/cpu:starting\",\n\t\t\t\t kvm_starting_cpu, kvm_dying_cpu);\n\tif (r)\n\t\tgoto out_free_2;\n\tregister_reboot_notifier(&kvm_reboot_notifier);\n\n\t/* A kmem cache lets us meet the alignment requirements of fx_save. 
*/\n\tif (!vcpu_align)\n\t\tvcpu_align = __alignof__(struct kvm_vcpu);\n\tkvm_vcpu_cache =\n\t\tkmem_cache_create_usercopy(\"kvm_vcpu\", vcpu_size, vcpu_align,\n\t\t\t\t\t SLAB_ACCOUNT,\n\t\t\t\t\t offsetof(struct kvm_vcpu, arch),\n\t\t\t\t\t sizeof_field(struct kvm_vcpu, arch),\n\t\t\t\t\t NULL);\n\tif (!kvm_vcpu_cache) {\n\t\tr = -ENOMEM;\n\t\tgoto out_free_3;\n\t}\n\n\tr = kvm_async_pf_init();\n\tif (r)\n\t\tgoto out_free;\n\n\tkvm_chardev_ops.owner = module;\n\tkvm_vm_fops.owner = module;\n\tkvm_vcpu_fops.owner = module;\n\n\tr = misc_register(&kvm_dev);\n\tif (r) {\n\t\tpr_err(\"kvm: misc device register failed\\n\");\n\t\tgoto out_unreg;\n\t}\n\n\tregister_syscore_ops(&kvm_syscore_ops);\n\n\tkvm_preempt_ops.sched_in = kvm_sched_in;\n\tkvm_preempt_ops.sched_out = kvm_sched_out;\n\n\tkvm_init_debug();\n\n\tr = kvm_vfio_ops_init();\n\tWARN_ON(r);\n\n\treturn 0;\n\nout_unreg:\n\tkvm_async_pf_deinit();\nout_free:\n\tkmem_cache_destroy(kvm_vcpu_cache);\nout_free_3:\n\tunregister_reboot_notifier(&kvm_reboot_notifier);\n\tcpuhp_remove_state_nocalls(CPUHP_AP_KVM_STARTING);\nout_free_2:\n\tkvm_arch_hardware_unsetup();\nout_free_1:\n\tfree_cpumask_var(cpus_hardware_enabled);\nout_free_0:\n\tkvm_irqfd_exit();\nout_irqfd:\n\tkvm_arch_exit();\nout_fail:\n\treturn r;\n}",
- "project": "linux",
- "hash": 176440226956519822303124770590062821303,
- "size": 103,
- "commit_id": "f8be156be163a052a067306417cd0ff679068c97",
- "message": "KVM: do not allow mapping valid but non-reference-counted pages\n\nIt's possible to create a region which maps valid but non-refcounted\npages (e.g., tail pages of non-compound higher order allocations). These\nhost pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family\nof APIs, which take a reference to the page, which takes it from 0 to 1.\nWhen the reference is dropped, this will free the page incorrectly.\n\nFix this by only taking a reference on valid pages if it was non-zero,\nwhich indicates it is participating in normal refcounting (and can be\nreleased with put_page).\n\nThis addresses CVE-2021-22543.\n\nSigned-off-by: Nicholas Piggin <npiggin@gmail.com>\nTested-by: Paolo Bonzini <pbonzini@redhat.com>\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 404089
- },
- {
- "func": "static inline int plo_test_bit(unsigned char nr)\n{\n\tregister unsigned long r0 asm(\"0\") = (unsigned long) nr | 0x100;\n\tint cc;\n\n\tasm volatile(\n\t\t/* Parameter registers are ignored for \"test bit\" */\n\t\t\"\tplo\t0,0,0,0(0)\\n\"\n\t\t\"\tipm\t%0\\n\"\n\t\t\"\tsrl\t%0,28\\n\"\n\t\t: \"=d\" (cc)\n\t\t: \"d\" (r0)\n\t\t: \"cc\");\n\treturn cc == 0;\n}",
- "project": "linux",
- "hash": 178528055475595019807452522195902906438,
- "size": 15,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354520
- },
- {
- "func": "static __always_inline void __insn32_query(unsigned int opcode, u8 *query)\n{\n\tregister unsigned long r0 asm(\"0\") = 0;\t/* query function */\n\tregister unsigned long r1 asm(\"1\") = (unsigned long) query;\n\n\tasm volatile(\n\t\t/* Parameter regs are ignored */\n\t\t\"\t.insn\trrf,%[opc] << 16,2,4,6,0\\n\"\n\t\t:\n\t\t: \"d\" (r0), \"a\" (r1), [opc] \"i\" (opcode)\n\t\t: \"cc\", \"memory\");\n}",
- "project": "linux",
- "hash": 332085282912820967174711196860279370154,
- "size": 12,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354586
- },
- {
- "func": "void kvm_arch_exit(void)\n{\n\tkvm_s390_gib_destroy();\n\tdebug_unregister(kvm_s390_dbf);\n\tdebug_unregister(kvm_s390_dbf_uv);\n}",
- "project": "linux",
- "hash": 50746226886408816541434632809114833964,
- "size": 6,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354444
- },
- {
- "func": "static inline void kvm_irqfd_exit(void)\n{\n}",
- "project": "linux",
- "hash": 339205263512552737760374083186741470629,
- "size": 3,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354691
- },
- {
- "func": "static inline unsigned long nonhyp_mask(int i)\n{\n\tunsigned int nonhyp_fai = (sclp.hmfai << i * 2) >> 30;\n\n\treturn 0x0000ffffffffffffUL >> (nonhyp_fai << 4);\n}",
- "project": "linux",
- "hash": 105008827821000088978521093673141842577,
- "size": 6,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354719
- },
- {
- "func": "static void kvm_s390_cpu_feat_init(void)\n{\n\tint i;\n\n\tfor (i = 0; i < 256; ++i) {\n\t\tif (plo_test_bit(i))\n\t\t\tkvm_s390_available_subfunc.plo[i >> 3] |= 0x80 >> (i & 7);\n\t}\n\n\tif (test_facility(28)) /* TOD-clock steering */\n\t\tptff(kvm_s390_available_subfunc.ptff,\n\t\t sizeof(kvm_s390_available_subfunc.ptff),\n\t\t PTFF_QAF);\n\n\tif (test_facility(17)) { /* MSA */\n\t\t__cpacf_query(CPACF_KMAC, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.kmac);\n\t\t__cpacf_query(CPACF_KMC, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.kmc);\n\t\t__cpacf_query(CPACF_KM, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.km);\n\t\t__cpacf_query(CPACF_KIMD, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.kimd);\n\t\t__cpacf_query(CPACF_KLMD, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.klmd);\n\t}\n\tif (test_facility(76)) /* MSA3 */\n\t\t__cpacf_query(CPACF_PCKMO, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.pckmo);\n\tif (test_facility(77)) { /* MSA4 */\n\t\t__cpacf_query(CPACF_KMCTR, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.kmctr);\n\t\t__cpacf_query(CPACF_KMF, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.kmf);\n\t\t__cpacf_query(CPACF_KMO, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.kmo);\n\t\t__cpacf_query(CPACF_PCC, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.pcc);\n\t}\n\tif (test_facility(57)) /* MSA5 */\n\t\t__cpacf_query(CPACF_PRNO, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.ppno);\n\n\tif (test_facility(146)) /* MSA8 */\n\t\t__cpacf_query(CPACF_KMA, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.kma);\n\n\tif (test_facility(155)) /* MSA9 */\n\t\t__cpacf_query(CPACF_KDSA, (cpacf_mask_t *)\n\t\t\t kvm_s390_available_subfunc.kdsa);\n\n\tif (test_facility(150)) /* SORTL */\n\t\t__insn32_query(INSN_SORTL, kvm_s390_available_subfunc.sortl);\n\n\tif (test_facility(151)) /* DFLTCC */\n\t\t__insn32_query(INSN_DFLTCC, kvm_s390_available_subfunc.dfltcc);\n\n\tif 
(MACHINE_HAS_ESOP)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_ESOP);\n\t/*\n\t * We need SIE support, ESOP (PROT_READ protection for gmap_shadow),\n\t * 64bit SCAO (SCA passthrough) and IDTE (for gmap_shadow unshadowing).\n\t */\n\tif (!sclp.has_sief2 || !MACHINE_HAS_ESOP || !sclp.has_64bscao ||\n\t !test_facility(3) || !nested)\n\t\treturn;\n\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_SIEF2);\n\tif (sclp.has_64bscao)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_64BSCAO);\n\tif (sclp.has_siif)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_SIIF);\n\tif (sclp.has_gpere)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_GPERE);\n\tif (sclp.has_gsls)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_GSLS);\n\tif (sclp.has_ib)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_IB);\n\tif (sclp.has_cei)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_CEI);\n\tif (sclp.has_ibs)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_IBS);\n\tif (sclp.has_kss)\n\t\tallow_cpu_feat(KVM_S390_VM_CPU_FEAT_KSS);\n\t/*\n\t * KVM_S390_VM_CPU_FEAT_SKEY: Wrong shadow of PTE.I bits will make\n\t * all skey handling functions read/set the skey from the PGSTE\n\t * instead of the real storage key.\n\t *\n\t * KVM_S390_VM_CPU_FEAT_CMMA: Wrong shadow of PTE.I bits will make\n\t * pages being detected as preserved although they are resident.\n\t *\n\t * KVM_S390_VM_CPU_FEAT_PFMFI: Wrong shadow of PTE.I bits will\n\t * have the same effect as for KVM_S390_VM_CPU_FEAT_SKEY.\n\t *\n\t * For KVM_S390_VM_CPU_FEAT_SKEY, KVM_S390_VM_CPU_FEAT_CMMA and\n\t * KVM_S390_VM_CPU_FEAT_PFMFI, all PTE.I and PGSTE bits have to be\n\t * correctly shadowed. We can do that for the PGSTE but not for PTE.I.\n\t *\n\t * KVM_S390_VM_CPU_FEAT_SIGPIF: Wrong SCB addresses in the SCA. We\n\t * cannot easily shadow the SCA because of the ipte lock.\n\t */\n}",
- "project": "linux",
- "hash": 38597385791183829234006308514818466630,
- "size": 102,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354821
- },
- {
- "func": "int kvm_arch_init(void *opaque)\n{\n\tint rc = -ENOMEM;\n\n\tkvm_s390_dbf = debug_register(\"kvm-trace\", 32, 1, 7 * sizeof(long));\n\tif (!kvm_s390_dbf)\n\t\treturn -ENOMEM;\n\n\tkvm_s390_dbf_uv = debug_register(\"kvm-uv\", 32, 1, 7 * sizeof(long));\n\tif (!kvm_s390_dbf_uv)\n\t\tgoto out;\n\n\tif (debug_register_view(kvm_s390_dbf, &debug_sprintf_view) ||\n\t debug_register_view(kvm_s390_dbf_uv, &debug_sprintf_view))\n\t\tgoto out;\n\n\tkvm_s390_cpu_feat_init();\n\n\t/* Register floating interrupt controller interface. */\n\trc = kvm_register_device_ops(&kvm_flic_ops, KVM_DEV_TYPE_FLIC);\n\tif (rc) {\n\t\tpr_err(\"A FLIC registration call failed with rc=%d\\n\", rc);\n\t\tgoto out;\n\t}\n\n\trc = kvm_s390_gib_init(GAL_ISC);\n\tif (rc)\n\t\tgoto out;\n\n\treturn 0;\n\nout:\n\tkvm_arch_exit();\n\treturn rc;\n}",
- "project": "linux",
- "hash": 308215839477062622451438864859069962733,
- "size": 35,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354755
- },
- {
- "func": "static int __init svm_init(void)\n{\n\treturn kvm_init(&svm_x86_ops, sizeof(struct vcpu_svm),\n\t\t\t__alignof__(struct vcpu_svm), THIS_MODULE);\n}",
- "project": "linux",
- "hash": 266626653823426228696872252366063844001,
- "size": 5,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432401
- },
- {
- "func": "static inline int kvm_irqfd_init(void)\n{\n\treturn 0;\n}",
- "project": "linux",
- "hash": 131730289999752891791530367718980670763,
- "size": 4,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354627
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "vhost_vdpa_process_iotlb_msg",
- "vhost_vdpa_process_iotlb_update",
- "vhost_vdpa_map"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static int vhost_vdpa_process_iotlb_msg(struct vhost_dev *dev,\n\t\t\t\t\tstruct vhost_iotlb_msg *msg)\n{\n\tstruct vhost_vdpa *v = container_of(dev, struct vhost_vdpa, vdev);\n\tstruct vdpa_device *vdpa = v->vdpa;\n\tconst struct vdpa_config_ops *ops = vdpa->config;\n\tint r = 0;\n\n\tr = vhost_dev_check_owner(dev);\n\tif (r)\n\t\treturn r;\n\n\tswitch (msg->type) {\n\tcase VHOST_IOTLB_UPDATE:\n\t\tr = vhost_vdpa_process_iotlb_update(v, msg);\n\t\tbreak;\n\tcase VHOST_IOTLB_INVALIDATE:\n\t\tvhost_vdpa_unmap(v, msg->iova, msg->size);\n\t\tbreak;\n\tcase VHOST_IOTLB_BATCH_BEGIN:\n\t\tv->in_batch = true;\n\t\tbreak;\n\tcase VHOST_IOTLB_BATCH_END:\n\t\tif (v->in_batch && ops->set_map)\n\t\t\tops->set_map(vdpa, dev->iotlb);\n\t\tv->in_batch = false;\n\t\tbreak;\n\tdefault:\n\t\tr = -EINVAL;\n\t\tbreak;\n\t}\n\n\treturn r;\n}",
- "project": "linux",
- "hash": 68411474748167562168444684230306994982,
- "size": 34,
- "commit_id": "f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9",
- "message": "vhost-vdpa: fix use-after-free of v->config_ctx\n\nWhen the 'v->config_ctx' eventfd_ctx reference is released we didn't\nset it to NULL. So if the same character device (e.g. /dev/vhost-vdpa-0)\nis re-opened, the 'v->config_ctx' is invalid and calling again\nvhost_vdpa_config_put() causes use-after-free issues like the\nfollowing refcount_t underflow:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 2 PID: 872 at lib/refcount.c:28 refcount_warn_saturate+0xae/0xf0\n RIP: 0010:refcount_warn_saturate+0xae/0xf0\n Call Trace:\n eventfd_ctx_put+0x5b/0x70\n vhost_vdpa_release+0xcd/0x150 [vhost_vdpa]\n __fput+0x8e/0x240\n ____fput+0xe/0x10\n task_work_run+0x66/0xa0\n exit_to_user_mode_prepare+0x118/0x120\n syscall_exit_to_user_mode+0x21/0x50\n ? __x64_sys_close+0x12/0x40\n do_syscall_64+0x45/0x50\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFixes: 776f395004d8 (\"vhost_vdpa: Support config interrupt in vdpa\")\nCc: lingshan.zhu@intel.com\nCc: stable@vger.kernel.org\nSigned-off-by: Stefano Garzarella <sgarzare@redhat.com>\nLink: https://lore.kernel.org/r/20210311135257.109460-2-sgarzare@redhat.com\nSigned-off-by: Michael S. Tsirkin <mst@redhat.com>\nReviewed-by: Zhu Lingshan <lingshan.zhu@intel.com>\nAcked-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 478242
- },
- {
- "func": "static int vhost_vdpa_map(struct vhost_vdpa *v,\n\t\t\t u64 iova, u64 size, u64 pa, u32 perm)\n{\n\tstruct vhost_dev *dev = &v->vdev;\n\tstruct vdpa_device *vdpa = v->vdpa;\n\tconst struct vdpa_config_ops *ops = vdpa->config;\n\tint r = 0;\n\n\tr = vhost_iotlb_add_range(dev->iotlb, iova, iova + size - 1,\n\t\t\t\t pa, perm);\n\tif (r)\n\t\treturn r;\n\n\tif (ops->dma_map) {\n\t\tr = ops->dma_map(vdpa, iova, size, pa, perm);\n\t} else if (ops->set_map) {\n\t\tif (!v->in_batch)\n\t\t\tr = ops->set_map(vdpa, dev->iotlb);\n\t} else {\n\t\tr = iommu_map(v->domain, iova, pa, size,\n\t\t\t perm_to_iommu_flags(perm));\n\t}\n\n\tif (r)\n\t\tvhost_iotlb_del_range(dev->iotlb, iova, iova + size - 1);\n\telse\n\t\tatomic64_add(size >> PAGE_SHIFT, &dev->mm->pinned_vm);\n\n\treturn r;\n}",
- "project": "linux",
- "hash": 530582098261606381105615368654912094,
- "size": 30,
- "commit_id": "f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9",
- "message": "vhost-vdpa: fix use-after-free of v->config_ctx\n\nWhen the 'v->config_ctx' eventfd_ctx reference is released we didn't\nset it to NULL. So if the same character device (e.g. /dev/vhost-vdpa-0)\nis re-opened, the 'v->config_ctx' is invalid and calling again\nvhost_vdpa_config_put() causes use-after-free issues like the\nfollowing refcount_t underflow:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 2 PID: 872 at lib/refcount.c:28 refcount_warn_saturate+0xae/0xf0\n RIP: 0010:refcount_warn_saturate+0xae/0xf0\n Call Trace:\n eventfd_ctx_put+0x5b/0x70\n vhost_vdpa_release+0xcd/0x150 [vhost_vdpa]\n __fput+0x8e/0x240\n ____fput+0xe/0x10\n task_work_run+0x66/0xa0\n exit_to_user_mode_prepare+0x118/0x120\n syscall_exit_to_user_mode+0x21/0x50\n ? __x64_sys_close+0x12/0x40\n do_syscall_64+0x45/0x50\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFixes: 776f395004d8 (\"vhost_vdpa: Support config interrupt in vdpa\")\nCc: lingshan.zhu@intel.com\nCc: stable@vger.kernel.org\nSigned-off-by: Stefano Garzarella <sgarzare@redhat.com>\nLink: https://lore.kernel.org/r/20210311135257.109460-2-sgarzare@redhat.com\nSigned-off-by: Michael S. Tsirkin <mst@redhat.com>\nReviewed-by: Zhu Lingshan <lingshan.zhu@intel.com>\nAcked-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 478237
- },
- {
- "func": "static int vhost_vdpa_process_iotlb_update(struct vhost_vdpa *v,\n\t\t\t\t\t struct vhost_iotlb_msg *msg)\n{\n\tstruct vhost_dev *dev = &v->vdev;\n\tstruct vhost_iotlb *iotlb = dev->iotlb;\n\tstruct page **page_list;\n\tunsigned long list_size = PAGE_SIZE / sizeof(struct page *);\n\tunsigned int gup_flags = FOLL_LONGTERM;\n\tunsigned long npages, cur_base, map_pfn, last_pfn = 0;\n\tunsigned long lock_limit, sz2pin, nchunks, i;\n\tu64 iova = msg->iova;\n\tlong pinned;\n\tint ret = 0;\n\n\tif (msg->iova < v->range.first ||\n\t msg->iova + msg->size - 1 > v->range.last)\n\t\treturn -EINVAL;\n\n\tif (vhost_iotlb_itree_first(iotlb, msg->iova,\n\t\t\t\t msg->iova + msg->size - 1))\n\t\treturn -EEXIST;\n\n\t/* Limit the use of memory for bookkeeping */\n\tpage_list = (struct page **) __get_free_page(GFP_KERNEL);\n\tif (!page_list)\n\t\treturn -ENOMEM;\n\n\tif (msg->perm & VHOST_ACCESS_WO)\n\t\tgup_flags |= FOLL_WRITE;\n\n\tnpages = PAGE_ALIGN(msg->size + (iova & ~PAGE_MASK)) >> PAGE_SHIFT;\n\tif (!npages) {\n\t\tret = -EINVAL;\n\t\tgoto free;\n\t}\n\n\tmmap_read_lock(dev->mm);\n\n\tlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;\n\tif (npages + atomic64_read(&dev->mm->pinned_vm) > lock_limit) {\n\t\tret = -ENOMEM;\n\t\tgoto unlock;\n\t}\n\n\tcur_base = msg->uaddr & PAGE_MASK;\n\tiova &= PAGE_MASK;\n\tnchunks = 0;\n\n\twhile (npages) {\n\t\tsz2pin = min_t(unsigned long, npages, list_size);\n\t\tpinned = pin_user_pages(cur_base, sz2pin,\n\t\t\t\t\tgup_flags, page_list, NULL);\n\t\tif (sz2pin != pinned) {\n\t\t\tif (pinned < 0) {\n\t\t\t\tret = pinned;\n\t\t\t} else {\n\t\t\t\tunpin_user_pages(page_list, pinned);\n\t\t\t\tret = -ENOMEM;\n\t\t\t}\n\t\t\tgoto out;\n\t\t}\n\t\tnchunks++;\n\n\t\tif (!last_pfn)\n\t\t\tmap_pfn = page_to_pfn(page_list[0]);\n\n\t\tfor (i = 0; i < pinned; i++) {\n\t\t\tunsigned long this_pfn = page_to_pfn(page_list[i]);\n\t\t\tu64 csize;\n\n\t\t\tif (last_pfn && (this_pfn != last_pfn + 1)) {\n\t\t\t\t/* Pin a contiguous chunk of memory 
*/\n\t\t\t\tcsize = (last_pfn - map_pfn + 1) << PAGE_SHIFT;\n\t\t\t\tret = vhost_vdpa_map(v, iova, csize,\n\t\t\t\t\t\t map_pfn << PAGE_SHIFT,\n\t\t\t\t\t\t msg->perm);\n\t\t\t\tif (ret) {\n\t\t\t\t\t/*\n\t\t\t\t\t * Unpin the pages that are left unmapped\n\t\t\t\t\t * from this point on in the current\n\t\t\t\t\t * page_list. The remaining outstanding\n\t\t\t\t\t * ones which may stride across several\n\t\t\t\t\t * chunks will be covered in the common\n\t\t\t\t\t * error path subsequently.\n\t\t\t\t\t */\n\t\t\t\t\tunpin_user_pages(&page_list[i],\n\t\t\t\t\t\t\t pinned - i);\n\t\t\t\t\tgoto out;\n\t\t\t\t}\n\n\t\t\t\tmap_pfn = this_pfn;\n\t\t\t\tiova += csize;\n\t\t\t\tnchunks = 0;\n\t\t\t}\n\n\t\t\tlast_pfn = this_pfn;\n\t\t}\n\n\t\tcur_base += pinned << PAGE_SHIFT;\n\t\tnpages -= pinned;\n\t}\n\n\t/* Pin the rest chunk */\n\tret = vhost_vdpa_map(v, iova, (last_pfn - map_pfn + 1) << PAGE_SHIFT,\n\t\t\t map_pfn << PAGE_SHIFT, msg->perm);\nout:\n\tif (ret) {\n\t\tif (nchunks) {\n\t\t\tunsigned long pfn;\n\n\t\t\t/*\n\t\t\t * Unpin the outstanding pages which are yet to be\n\t\t\t * mapped but haven't due to vdpa_map() or\n\t\t\t * pin_user_pages() failure.\n\t\t\t *\n\t\t\t * Mapped pages are accounted in vdpa_map(), hence\n\t\t\t * the corresponding unpinning will be handled by\n\t\t\t * vdpa_unmap().\n\t\t\t */\n\t\t\tWARN_ON(!last_pfn);\n\t\t\tfor (pfn = map_pfn; pfn <= last_pfn; pfn++)\n\t\t\t\tunpin_user_page(pfn_to_page(pfn));\n\t\t}\n\t\tvhost_vdpa_unmap(v, msg->iova, msg->size);\n\t}\nunlock:\n\tmmap_read_unlock(dev->mm);\nfree:\n\tfree_page((unsigned long)page_list);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 159855076274083097194438563861162008064,
- "size": 131,
- "commit_id": "f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9",
- "message": "vhost-vdpa: fix use-after-free of v->config_ctx\n\nWhen the 'v->config_ctx' eventfd_ctx reference is released we didn't\nset it to NULL. So if the same character device (e.g. /dev/vhost-vdpa-0)\nis re-opened, the 'v->config_ctx' is invalid and calling again\nvhost_vdpa_config_put() causes use-after-free issues like the\nfollowing refcount_t underflow:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 2 PID: 872 at lib/refcount.c:28 refcount_warn_saturate+0xae/0xf0\n RIP: 0010:refcount_warn_saturate+0xae/0xf0\n Call Trace:\n eventfd_ctx_put+0x5b/0x70\n vhost_vdpa_release+0xcd/0x150 [vhost_vdpa]\n __fput+0x8e/0x240\n ____fput+0xe/0x10\n task_work_run+0x66/0xa0\n exit_to_user_mode_prepare+0x118/0x120\n syscall_exit_to_user_mode+0x21/0x50\n ? __x64_sys_close+0x12/0x40\n do_syscall_64+0x45/0x50\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFixes: 776f395004d8 (\"vhost_vdpa: Support config interrupt in vdpa\")\nCc: lingshan.zhu@intel.com\nCc: stable@vger.kernel.org\nSigned-off-by: Stefano Garzarella <sgarzare@redhat.com>\nLink: https://lore.kernel.org/r/20210311135257.109460-2-sgarzare@redhat.com\nSigned-off-by: Michael S. Tsirkin <mst@redhat.com>\nReviewed-by: Zhu Lingshan <lingshan.zhu@intel.com>\nAcked-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 478238
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "acpi_boot_init",
- "acpi_process_madt",
- "acpi_parse_madt_ioapic_entries",
- "acpi_sci_ioapic_setup"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static int __init acpi_parse_madt_lapic_entries(void)\n{\n\tint count;\n\n\tif (!cpu_has_apic)\n\t\treturn -ENODEV;\n\n\t/* \n\t * Note that the LAPIC address is obtained from the MADT (32-bit value)\n\t * and (optionally) overriden by a LAPIC_ADDR_OVR entry (64-bit value).\n\t */\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_LAPIC_ADDR_OVR,\n\t\t\t\t acpi_parse_lapic_addr_ovr, 0);\n\tif (count < 0) {\n\t\tprintk(KERN_ERR PREFIX\n\t\t \"Error parsing LAPIC address override entry\\n\");\n\t\treturn count;\n\t}\n\n\tmp_register_lapic_address(acpi_lapic_addr);\n\n\tcount = acpi_table_parse_madt(ACPI_MADT_LAPIC, acpi_parse_lapic,\n\t\t\t\t MAX_APICS);\n\tif (!count) {\n\t\tprintk(KERN_ERR PREFIX \"No LAPIC entries present\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn -ENODEV;\n\t} else if (count < 0) {\n\t\tprintk(KERN_ERR PREFIX \"Error parsing LAPIC entry\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn count;\n\t}\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_LAPIC_NMI, acpi_parse_lapic_nmi, 0);\n\tif (count < 0) {\n\t\tprintk(KERN_ERR PREFIX \"Error parsing LAPIC NMI entry\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn count;\n\t}\n\treturn 0;\n}",
- "target": 0,
- "cwe": [],
- "project": "linux-2.6",
- "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff",
- "hash": 213721789998004113445496180184575800672,
- "size": 44,
- "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin <adurbin@google.com>\nSigned-off-by: Andi Kleen <ak@suse.de>",
- "dataset": "other",
- "idx": 499986
- },
- {
- "func": "static void __init acpi_process_madt(void)\n{\n#ifdef CONFIG_X86_LOCAL_APIC\n\tint count, error;\n\n\tcount = acpi_table_parse(ACPI_APIC, acpi_parse_madt);\n\tif (count >= 1) {\n\n\t\t/*\n\t\t * Parse MADT LAPIC entries\n\t\t */\n\t\terror = acpi_parse_madt_lapic_entries();\n\t\tif (!error) {\n\t\t\tacpi_lapic = 1;\n\n#ifdef CONFIG_X86_GENERICARCH\n\t\t\tgeneric_bigsmp_probe();\n#endif\n\t\t\t/*\n\t\t\t * Parse MADT IO-APIC entries\n\t\t\t */\n\t\t\terror = acpi_parse_madt_ioapic_entries();\n\t\t\tif (!error) {\n\t\t\t\tacpi_irq_model = ACPI_IRQ_MODEL_IOAPIC;\n\t\t\t\tacpi_irq_balance_set(NULL);\n\t\t\t\tacpi_ioapic = 1;\n\n\t\t\t\tsmp_found_config = 1;\n\t\t\t\tclustered_apic_check();\n\t\t\t}\n\t\t}\n\t\tif (error == -EINVAL) {\n\t\t\t/*\n\t\t\t * Dell Precision Workstation 410, 610 come here.\n\t\t\t */\n\t\t\tprintk(KERN_ERR PREFIX\n\t\t\t \"Invalid BIOS MADT, disabling ACPI\\n\");\n\t\t\tdisable_acpi();\n\t\t}\n\t}\n#endif\n\treturn;\n}",
- "target": 0,
- "cwe": [],
- "project": "linux-2.6",
- "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff",
- "hash": 304853954482509555927863505312876942754,
- "size": 43,
- "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin <adurbin@google.com>\nSigned-off-by: Andi Kleen <ak@suse.de>",
- "dataset": "other",
- "idx": 500015
- },
- {
- "func": "static int __init acpi_parse_madt_ioapic_entries(void)\n{\n\tint count;\n\n\t/*\n\t * ACPI interpreter is required to complete interrupt setup,\n\t * so if it is off, don't enumerate the io-apics with ACPI.\n\t * If MPS is present, it will handle them,\n\t * otherwise the system will stay in PIC mode\n\t */\n\tif (acpi_disabled || acpi_noirq) {\n\t\treturn -ENODEV;\n\t}\n\n\tif (!cpu_has_apic) \n\t\treturn -ENODEV;\n\n\t/*\n\t * if \"noapic\" boot option, don't look for IO-APICs\n\t */\n\tif (skip_ioapic_setup) {\n\t\tprintk(KERN_INFO PREFIX \"Skipping IOAPIC probe \"\n\t\t \"due to 'noapic' option.\\n\");\n\t\treturn -ENODEV;\n\t}\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_IOAPIC, acpi_parse_ioapic,\n\t\t\t\t MAX_IO_APICS);\n\tif (!count) {\n\t\tprintk(KERN_ERR PREFIX \"No IOAPIC entries present\\n\");\n\t\treturn -ENODEV;\n\t} else if (count < 0) {\n\t\tprintk(KERN_ERR PREFIX \"Error parsing IOAPIC entry\\n\");\n\t\treturn count;\n\t}\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_INT_SRC_OVR, acpi_parse_int_src_ovr,\n\t\t\t\t NR_IRQ_VECTORS);\n\tif (count < 0) {\n\t\tprintk(KERN_ERR PREFIX\n\t\t \"Error parsing interrupt source overrides entry\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn count;\n\t}\n\n\t/*\n\t * If BIOS did not supply an INT_SRC_OVR for the SCI\n\t * pretend we got one so we can set the SCI flags.\n\t */\n\tif (!acpi_sci_override_gsi)\n\t\tacpi_sci_ioapic_setup(acpi_fadt.sci_int, 0, 0);\n\n\t/* Fill in identity legacy mapings where no override */\n\tmp_config_acpi_legacy_irqs();\n\n\tcount =\n\t acpi_table_parse_madt(ACPI_MADT_NMI_SRC, acpi_parse_nmi_src,\n\t\t\t\t NR_IRQ_VECTORS);\n\tif (count < 0) {\n\t\tprintk(KERN_ERR PREFIX \"Error parsing NMI SRC entry\\n\");\n\t\t/* TBD: Cleanup to allow fallback to MPS */\n\t\treturn count;\n\t}\n\n\treturn 0;\n}",
- "target": 0,
- "cwe": [],
- "project": "linux-2.6",
- "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff",
- "hash": 206089872263599311184274569938139731793,
- "size": 68,
- "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin <adurbin@google.com>\nSigned-off-by: Andi Kleen <ak@suse.de>",
- "dataset": "other",
- "idx": 500001
- },
- {
- "func": "int __init acpi_boot_init(void)\n{\n\t/*\n\t * If acpi_disabled, bail out\n\t * One exception: acpi=ht continues far enough to enumerate LAPICs\n\t */\n\tif (acpi_disabled && !acpi_ht)\n\t\treturn 1;\n\n\tacpi_table_parse(ACPI_BOOT, acpi_parse_sbf);\n\n\t/*\n\t * set sci_int and PM timer address\n\t */\n\tacpi_table_parse(ACPI_FADT, acpi_parse_fadt);\n\n\t/*\n\t * Process the Multiple APIC Description Table (MADT), if present\n\t */\n\tacpi_process_madt();\n\n\tacpi_table_parse(ACPI_HPET, acpi_parse_hpet);\n\n\treturn 0;\n}",
- "target": 0,
- "cwe": [],
- "project": "linux-2.6",
- "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff",
- "hash": 340091633310638462260892732834527967470,
- "size": 25,
- "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin <adurbin@google.com>\nSigned-off-by: Andi Kleen <ak@suse.de>",
- "dataset": "other",
- "idx": 499993
- },
- {
- "func": "static void acpi_sci_ioapic_setup(u32 gsi, u16 polarity, u16 trigger)\n{\n\tif (trigger == 0)\t/* compatible SCI trigger is level */\n\t\ttrigger = 3;\n\n\tif (polarity == 0)\t/* compatible SCI polarity is low */\n\t\tpolarity = 3;\n\n\t/* Command-line over-ride via acpi_sci= */\n\tif (acpi_sci_flags.trigger)\n\t\ttrigger = acpi_sci_flags.trigger;\n\n\tif (acpi_sci_flags.polarity)\n\t\tpolarity = acpi_sci_flags.polarity;\n\n\t/*\n\t * mp_config_acpi_legacy_irqs() already setup IRQs < 16\n\t * If GSI is < 16, this will update its flags,\n\t * else it will create a new mp_irqs[] entry.\n\t */\n\tmp_override_legacy_irq(gsi, polarity, trigger, gsi);\n\n\t/*\n\t * stash over-ride to indicate we've been here\n\t * and for later update of acpi_fadt\n\t */\n\tacpi_sci_override_gsi = gsi;\n\treturn;\n}",
- "target": 0,
- "cwe": [],
- "project": "linux-2.6",
- "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff",
- "hash": 39963657699800888970864861904027485773,
- "size": 29,
- "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin <adurbin@google.com>\nSigned-off-by: Andi Kleen <ak@suse.de>",
- "dataset": "other",
- "idx": 500002
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "op_get",
- "get_obj_op",
- "op_head"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "RGWOp* RGWHandler_REST_Bucket_S3Website::get_obj_op(bool get_data)\n{\n /** If we are in website mode, then it is explicitly impossible to run GET or\n * HEAD on the actual directory. We must convert the request to run on the\n * suffix object instead!\n */\n RGWGetObj_ObjStore_S3Website* op = new RGWGetObj_ObjStore_S3Website;\n op->set_get_data(get_data);\n return op;\n}",
- "project": "ceph",
- "hash": 195660400457123375261698596879597045215,
- "size": 10,
- "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9",
- "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin <mbenjamin@redhat.com>\nReviewed-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)",
- "target": 0,
- "dataset": "other",
- "idx": 281264
- },
- {
- "func": "RGWOp* RGWHandler_REST_Obj_S3Website::get_obj_op(bool get_data)\n{\n /** If we are in website mode, then it is explicitly impossible to run GET or\n * HEAD on the actual directory. We must convert the request to run on the\n * suffix object instead!\n */\n RGWGetObj_ObjStore_S3Website* op = new RGWGetObj_ObjStore_S3Website;\n op->set_get_data(get_data);\n return op;\n}",
- "project": "ceph",
- "hash": 217033840971029127971392402993146006018,
- "size": 10,
- "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9",
- "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin <mbenjamin@redhat.com>\nReviewed-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)",
- "target": 0,
- "dataset": "other",
- "idx": 281312
- },
- {
- "func": "RGWOp* RGWHandler_REST_Service_S3Website::get_obj_op(bool get_data)\n{\n /** If we are in website mode, then it is explicitly impossible to run GET or\n * HEAD on the actual directory. We must convert the request to run on the\n * suffix object instead!\n */\n RGWGetObj_ObjStore_S3Website* op = new RGWGetObj_ObjStore_S3Website;\n op->set_get_data(get_data);\n return op;\n}",
- "project": "ceph",
- "hash": 198827055528152227115833717972730456279,
- "size": 10,
- "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9",
- "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin <mbenjamin@redhat.com>\nReviewed-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)",
- "target": 0,
- "dataset": "other",
- "idx": 281357
- },
- {
- "func": "RGWOp *RGWHandler_REST_Bucket_SWIFT::op_head()\n{\n return get_obj_op(false);\n}",
- "project": "ceph",
- "hash": 88689066606298847544569478217160663156,
- "size": 4,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448769
- },
- {
- "func": "RGWOp *RGWHandler_REST_Bucket_SWIFT::op_get()\n{\n return get_obj_op(true);\n}",
- "project": "ceph",
- "hash": 32664676222410224026898941198214209341,
- "size": 4,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448790
- },
- {
- "func": "RGWOp *RGWHandler_REST_Obj_SWIFT::op_get()\n{\n return get_obj_op(true);\n}",
- "project": "ceph",
- "hash": 225871141364726036356028404809714778698,
- "size": 4,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448845
- },
- {
- "func": "RGWOp *RGWHandler_REST_Obj_SWIFT::op_head()\n{\n return get_obj_op(false);\n}",
- "project": "ceph",
- "hash": 101711086821814895220611321391626329606,
- "size": 4,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448859
- },
- {
- "func": "RGWOp* RGWHandler_REST_S3Website::op_get()\n{\n return get_obj_op(true);\n}",
- "project": "ceph",
- "hash": 305591977287224409658955069983375222658,
- "size": 4,
- "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9",
- "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin <mbenjamin@redhat.com>\nReviewed-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)",
- "target": 0,
- "dataset": "other",
- "idx": 281337
- },
- {
- "func": "RGWOp* RGWHandler_REST_S3Website::op_head()\n{\n return get_obj_op(false);\n}",
- "project": "ceph",
- "hash": 309456088556571296183843020617771044754,
- "size": 4,
- "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9",
- "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin <mbenjamin@redhat.com>\nReviewed-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)",
- "target": 0,
- "dataset": "other",
- "idx": 281255
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "process_answer",
- "process_m_answer",
- "custom_fmt_match",
- "pj_assert"
- ],
- "group_size": 21,
- "functions": [
- {
- "func": "static pj_status_t custom_fmt_match(pj_pool_t *pool,\n\t\t\t\t const pj_str_t *fmt_name,\n\t\t\t\t pjmedia_sdp_media *offer,\n\t\t\t\t unsigned o_fmt_idx,\n\t\t\t\t pjmedia_sdp_media *answer,\n\t\t\t\t unsigned a_fmt_idx,\n\t\t\t\t unsigned option)\n{\n unsigned i;\n\n for (i = 0; i < fmt_match_cb_cnt; ++i) {\n\tif (pj_stricmp(fmt_name, &fmt_match_cb[i].fmt_name) == 0) {\n\t pj_assert(fmt_match_cb[i].cb);\n\t return (*fmt_match_cb[i].cb)(pool, offer, o_fmt_idx,\n\t\t\t\t\t answer, a_fmt_idx,\n\t\t\t\t\t option);\n\t}\n }\n\n /* Not customized format matching found, should be matched */\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 41301759871988627482220993993091844415,
- "size": 22,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449670
- },
- {
- "func": "static pj_status_t process_m_answer( pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_media *offer,\n\t\t\t\t pjmedia_sdp_media *answer,\n\t\t\t\t pj_bool_t allow_asym)\n{\n unsigned i;\n\n /* Check that the media type match our offer. */\n\n if (pj_strcmp(&answer->desc.media, &offer->desc.media)!=0) {\n\t/* The media type in the answer is different than the offer! */\n\treturn PJMEDIA_SDPNEG_EINVANSMEDIA;\n }\n\n\n /* Check that transport in the answer match our offer. */\n\n /* At this point, transport type must be compatible, \n * the transport instance will do more validation later.\n */\n if (pjmedia_sdp_transport_cmp(&answer->desc.transport, \n\t\t\t\t &offer->desc.transport) \n\t!= PJ_SUCCESS)\n {\n\treturn PJMEDIA_SDPNEG_EINVANSTP;\n }\n\n\n /* Check if remote has rejected our offer */\n if (answer->desc.port == 0) {\n\t\n\t/* Remote has rejected our offer. \n\t * Deactivate our media too.\n\t */\n\tpjmedia_sdp_media_deactivate(pool, offer);\n\n\t/* Don't need to proceed */\n\treturn PJ_SUCCESS;\n }\n\n /* Ticket #1148: check if remote answer does not set port to zero when\n * offered with port zero. Let's just tolerate it.\n */\n if (offer->desc.port == 0) {\n\t/* Don't need to proceed */\n\treturn PJ_SUCCESS;\n }\n\n /* Process direction attributes */\n update_media_direction(pool, answer, offer);\n \n /* If asymetric media is allowed, then just check that remote answer has \n * codecs that are within the offer. \n *\n * Otherwise if asymetric media is not allowed, then we will choose only\n * one codec in our initial offer to match the answer.\n */\n if (allow_asym) {\n\tfor (i=0; i<answer->desc.fmt_count; ++i) {\n\t unsigned j;\n\t pj_str_t *rem_fmt = &answer->desc.fmt[i];\n\n\t for (j=0; j<offer->desc.fmt_count; ++j) {\n\t\tif (pj_strcmp(rem_fmt, &answer->desc.fmt[j])==0)\n\t\t break;\n\t }\n\n\t if (j != offer->desc.fmt_count) {\n\t\t/* Found at least one common codec. 
*/\n\t\tbreak;\n\t }\n\t}\n\n\tif (i == answer->desc.fmt_count) {\n\t /* No common codec in the answer! */\n\t return PJMEDIA_SDPNEG_EANSNOMEDIA;\n\t}\n\n\tPJ_TODO(CHECK_SDP_NEGOTIATION_WHEN_ASYMETRIC_MEDIA_IS_ALLOWED);\n\n } else {\n\t/* Offer format priority based on answer format index/priority */\n\tunsigned offer_fmt_prior[PJMEDIA_MAX_SDP_FMT];\n\n\t/* Remove all format in the offer that has no matching answer */\n\tfor (i=0; i<offer->desc.fmt_count;) {\n\t unsigned pt;\n\t pj_uint32_t j;\n\t pj_str_t *fmt = &offer->desc.fmt[i];\n\t \n\n\t /* Find matching answer */\n\t pt = pj_strtoul(fmt);\n\n\t if (pt < 96) {\n\t\tfor (j=0; j<answer->desc.fmt_count; ++j) {\n\t\t if (pj_strcmp(fmt, &answer->desc.fmt[j])==0)\n\t\t\tbreak;\n\t\t}\n\t } else {\n\t\t/* This is dynamic payload type.\n\t\t * For dynamic payload type, we must look the rtpmap and\n\t\t * compare the encoding name.\n\t\t */\n\t\tconst pjmedia_sdp_attr *a;\n\t\tpjmedia_sdp_rtpmap or_;\n\n\t\t/* Get the rtpmap for the payload type in the offer. */\n\t\ta = pjmedia_sdp_media_find_attr2(offer, \"rtpmap\", fmt);\n\t\tif (!a) {\n\t\t pj_assert(!\"Bug! 
Offer should have been validated\");\n\t\t return PJ_EBUG;\n\t\t}\n\t\tpjmedia_sdp_attr_get_rtpmap(a, &or_);\n\n\t\t/* Find paylaod in answer SDP with matching \n\t\t * encoding name and clock rate.\n\t\t */\n\t\tfor (j=0; j<answer->desc.fmt_count; ++j) {\n\t\t a = pjmedia_sdp_media_find_attr2(answer, \"rtpmap\", \n\t\t\t\t\t\t &answer->desc.fmt[j]);\n\t\t if (a) {\n\t\t\tpjmedia_sdp_rtpmap ar;\n\t\t\tpjmedia_sdp_attr_get_rtpmap(a, &ar);\n\n\t\t\t/* See if encoding name, clock rate, and channel\n\t\t\t * count match \n\t\t\t */\n\t\t\tif (!pj_stricmp(&or_.enc_name, &ar.enc_name) &&\n\t\t\t or_.clock_rate == ar.clock_rate &&\n\t\t\t (pj_stricmp(&or_.param, &ar.param)==0 ||\n\t\t\t (ar.param.slen==1 && *ar.param.ptr=='1')))\n\t\t\t{\n\t\t\t /* Call custom format matching callbacks */\n\t\t\t if (custom_fmt_match(pool, &or_.enc_name,\n\t\t\t\t\t\t offer, i, answer, j, 0) ==\n\t\t\t\tPJ_SUCCESS)\n\t\t\t {\n\t\t\t\t/* Match! */\n\t\t\t\tbreak;\n\t\t\t }\n\t\t\t}\n\t\t }\n\t\t}\n\t }\n\n\t if (j == answer->desc.fmt_count) {\n\t\t/* This format has no matching answer.\n\t\t * Remove it from our offer.\n\t\t */\n\t\tpjmedia_sdp_attr *a;\n\n\t\t/* Remove rtpmap associated with this format */\n\t\ta = pjmedia_sdp_media_find_attr2(offer, \"rtpmap\", fmt);\n\t\tif (a)\n\t\t pjmedia_sdp_media_remove_attr(offer, a);\n\n\t\t/* Remove fmtp associated with this format */\n\t\ta = pjmedia_sdp_media_find_attr2(offer, \"fmtp\", fmt);\n\t\tif (a)\n\t\t pjmedia_sdp_media_remove_attr(offer, a);\n\n\t\t/* Remove this format from offer's array */\n\t\tpj_array_erase(offer->desc.fmt, sizeof(offer->desc.fmt[0]),\n\t\t\t offer->desc.fmt_count, i);\n\t\t--offer->desc.fmt_count;\n\n\t } else {\n\t\toffer_fmt_prior[i] = j;\n\t\t++i;\n\t }\n\t}\n\n\tif (0 == offer->desc.fmt_count) {\n\t /* No common codec in the answer! 
*/\n\t return PJMEDIA_SDPNEG_EANSNOMEDIA;\n\t}\n\n\t/* Post process:\n\t * - Resort offer formats so the order match to the answer.\n\t * - Remove answer formats that unmatches to the offer.\n\t */\n\t\n\t/* Resort offer formats */\n\tfor (i=0; i<offer->desc.fmt_count; ++i) {\n\t unsigned j;\n\t for (j=i+1; j<offer->desc.fmt_count; ++j) {\n\t\tif (offer_fmt_prior[i] > offer_fmt_prior[j]) {\n\t\t unsigned tmp = offer_fmt_prior[i];\n\t\t offer_fmt_prior[i] = offer_fmt_prior[j];\n\t\t offer_fmt_prior[j] = tmp;\n\t\t str_swap(&offer->desc.fmt[i], &offer->desc.fmt[j]);\n\t\t}\n\t }\n\t}\n\n\t/* Remove unmatched answer formats */\n\t{\n\t unsigned del_cnt = 0;\n\t for (i=0; i<answer->desc.fmt_count;) {\n\t\t/* The offer is ordered now, also the offer_fmt_prior */\n\t\tif (i >= offer->desc.fmt_count || \n\t\t offer_fmt_prior[i]-del_cnt != i)\n\t\t{\n\t\t pj_str_t *fmt = &answer->desc.fmt[i];\n\t\t pjmedia_sdp_attr *a;\n\n\t\t /* Remove rtpmap associated with this format */\n\t\t a = pjmedia_sdp_media_find_attr2(answer, \"rtpmap\", fmt);\n\t\t if (a)\n\t\t\tpjmedia_sdp_media_remove_attr(answer, a);\n\n\t\t /* Remove fmtp associated with this format */\n\t\t a = pjmedia_sdp_media_find_attr2(answer, \"fmtp\", fmt);\n\t\t if (a)\n\t\t\tpjmedia_sdp_media_remove_attr(answer, a);\n\n\t\t /* Remove this format from answer's array */\n\t\t pj_array_erase(answer->desc.fmt, \n\t\t\t\t sizeof(answer->desc.fmt[0]),\n\t\t\t\t answer->desc.fmt_count, i);\n\t\t --answer->desc.fmt_count;\n\n\t\t ++del_cnt;\n\t\t} else {\n\t\t ++i;\n\t\t}\n\t }\n\t}\n }\n\n /* Looks okay */\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 306619889036402259679557747540392102694,
- "size": 234,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449645
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_set_prefer_remote_codec_order(\n\t\t\t\t\t\tpjmedia_sdp_neg *neg,\n\t\t\t\t\t\tpj_bool_t prefer_remote)\n{\n PJ_ASSERT_RETURN(neg, PJ_EINVAL);\n neg->prefer_remote_codec_order = prefer_remote;\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 135161748195259289338417694367735299272,
- "size": 8,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449648
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_get_active_local( pjmedia_sdp_neg *neg,\n\t\t\t\t\tconst pjmedia_sdp_session **local)\n{\n PJ_ASSERT_RETURN(neg && local, PJ_EINVAL);\n PJ_ASSERT_RETURN(neg->active_local_sdp, PJMEDIA_SDPNEG_ENOACTIVE);\n\n *local = neg->active_local_sdp;\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 247948104735515018551443226478703169078,
- "size": 9,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449649
- },
- {
- "func": "PJ_DEF(pjmedia_sdp_neg_state) pjmedia_sdp_neg_get_state( pjmedia_sdp_neg *neg )\n{\n /* Check arguments are valid. */\n PJ_ASSERT_RETURN(neg != NULL, PJMEDIA_SDP_NEG_STATE_NULL);\n return neg->state;\n}",
- "project": "pjproject",
- "hash": 177841916266260096920835567958572204387,
- "size": 6,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449650
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_get_active_remote( pjmedia_sdp_neg *neg,\n\t\t\t\t const pjmedia_sdp_session **remote)\n{\n PJ_ASSERT_RETURN(neg && remote, PJ_EINVAL);\n PJ_ASSERT_RETURN(neg->active_remote_sdp, PJMEDIA_SDPNEG_ENOACTIVE);\n\n *remote = neg->active_remote_sdp;\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 38478110242827854796437422570723391788,
- "size": 9,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449654
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_create_w_local_offer( pj_pool_t *pool,\n\t\t\t\t const pjmedia_sdp_session *local,\n\t\t\t\t pjmedia_sdp_neg **p_neg)\n{\n pjmedia_sdp_neg *neg;\n pj_status_t status;\n\n /* Check arguments are valid. */\n PJ_ASSERT_RETURN(pool && local && p_neg, PJ_EINVAL);\n\n *p_neg = NULL;\n\n /* Validate local offer. */\n PJ_ASSERT_RETURN((status=pjmedia_sdp_validate(local))==PJ_SUCCESS, status);\n\n /* Create and initialize negotiator. */\n neg = PJ_POOL_ZALLOC_T(pool, pjmedia_sdp_neg);\n PJ_ASSERT_RETURN(neg != NULL, PJ_ENOMEM);\n\n neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER;\n neg->prefer_remote_codec_order = PJMEDIA_SDP_NEG_PREFER_REMOTE_CODEC_ORDER;\n neg->answer_with_multiple_codecs = PJMEDIA_SDP_NEG_ANSWER_MULTIPLE_CODECS;\n neg->initial_sdp = pjmedia_sdp_session_clone(pool, local);\n neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local);\n\n *p_neg = neg;\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 145282566880350545106204485317244844707,
- "size": 28,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449656
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_set_remote_offer( pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_neg *neg,\n\t\t\t\t const pjmedia_sdp_session *remote)\n{\n /* Check arguments are valid. */\n PJ_ASSERT_RETURN(pool && neg && remote, PJ_EINVAL);\n\n /* Can only do this in STATE_DONE.\n * If we already provide local offer, then rx_remote_answer() should\n * be called instead of this function.\n */\n PJ_ASSERT_RETURN(neg->state == PJMEDIA_SDP_NEG_STATE_DONE, \n\t\t PJMEDIA_SDPNEG_EINSTATE);\n\n /* State now is STATE_REMOTE_OFFER. */\n neg->state = PJMEDIA_SDP_NEG_STATE_REMOTE_OFFER;\n neg->neg_remote_sdp = pjmedia_sdp_session_clone(pool, remote);\n\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 197722992564468219095324708107613173276,
- "size": 20,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449659
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_get_neg_remote( pjmedia_sdp_neg *neg,\n\t\t\t\tconst pjmedia_sdp_session **remote)\n{\n PJ_ASSERT_RETURN(neg && remote, PJ_EINVAL);\n PJ_ASSERT_RETURN(neg->neg_remote_sdp, PJMEDIA_SDPNEG_ENONEG);\n\n *remote = neg->neg_remote_sdp;\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 319226620947786118332536034092481320195,
- "size": 9,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449660
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_get_neg_local( pjmedia_sdp_neg *neg,\n\t\t\t const pjmedia_sdp_session **local)\n{\n PJ_ASSERT_RETURN(neg && local, PJ_EINVAL);\n PJ_ASSERT_RETURN(neg->neg_local_sdp, PJMEDIA_SDPNEG_ENONEG);\n\n *local = neg->neg_local_sdp;\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 209072946929116056803334072498425119956,
- "size": 9,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449662
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_set_remote_answer( pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_neg *neg,\n\t\t\t\t const pjmedia_sdp_session *remote)\n{\n /* Check arguments are valid. */\n PJ_ASSERT_RETURN(pool && neg && remote, PJ_EINVAL);\n\n /* Can only do this in STATE_LOCAL_OFFER.\n * If we haven't provided local offer, then rx_remote_offer() should\n * be called instead of this function.\n */\n PJ_ASSERT_RETURN(neg->state == PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER, \n\t\t PJMEDIA_SDPNEG_EINSTATE);\n\n /* We're ready to negotiate. */\n neg->state = PJMEDIA_SDP_NEG_STATE_WAIT_NEGO;\n neg->has_remote_answer = PJ_TRUE;\n neg->neg_remote_sdp = pjmedia_sdp_session_clone(pool, remote);\n \n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 207244314488309070936957062457519591507,
- "size": 21,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449663
- },
- {
- "func": "PJ_DEF(pj_status_t) pjmedia_sdp_neg_set_answer_multiple_codecs(\n pjmedia_sdp_neg *neg,\n pj_bool_t answer_multiple)\n{\n PJ_ASSERT_RETURN(neg, PJ_EINVAL);\n neg->answer_with_multiple_codecs = answer_multiple;\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 248117092337564478747123098065989074218,
- "size": 8,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449671
- },
- {
- "func": "PJ_DEF(pj_bool_t) pjmedia_sdp_neg_was_answer_remote(pjmedia_sdp_neg *neg)\n{\n PJ_ASSERT_RETURN(neg, PJ_FALSE);\n\n return neg->answer_was_remote;\n}",
- "project": "pjproject",
- "hash": 43796122874440838758990969022601113736,
- "size": 6,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449672
- },
- {
- "func": "static pj_status_t process_answer(pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_session *local_offer,\n\t\t\t\t pjmedia_sdp_session *answer,\n\t\t\t\t pj_bool_t allow_asym,\n\t\t\t\t pjmedia_sdp_session **p_active)\n{\n unsigned omi = 0; /* Offer media index */\n unsigned ami = 0; /* Answer media index */\n pj_bool_t has_active = PJ_FALSE;\n pjmedia_sdp_session *offer;\n pj_status_t status;\n\n /* Check arguments. */\n PJ_ASSERT_RETURN(pool && local_offer && answer && p_active, PJ_EINVAL);\n\n /* Duplicate local offer SDP. */\n offer = pjmedia_sdp_session_clone(pool, local_offer);\n\n /* Check that media count match between offer and answer */\n // Ticket #527, different media count is allowed for more interoperability,\n // however, the media order must be same between offer and answer.\n // if (offer->media_count != answer->media_count)\n //\t return PJMEDIA_SDPNEG_EMISMEDIA;\n\n /* Now update each media line in the offer with the answer. */\n for (; omi<offer->media_count; ++omi) {\n\tif (ami == answer->media_count) {\n\t /* The answer has less media than the offer */\n\t pjmedia_sdp_media *am;\n\n\t /* Generate matching-but-disabled-media for the answer */\n\t am = sdp_media_clone_deactivate(pool, offer->media[omi],\n\t offer->media[omi], offer);\n\t answer->media[answer->media_count++] = am;\n\t ++ami;\n\n\t /* Deactivate our media offer too */\n\t pjmedia_sdp_media_deactivate(pool, offer->media[omi]);\n\n\t /* No answer media to be negotiated */\n\t continue;\n\t}\n\n\tstatus = process_m_answer(pool, offer->media[omi], answer->media[ami],\n\t\t\t\t allow_asym);\n\n\t/* If media type is mismatched, just disable the media. */\n\tif (status == PJMEDIA_SDPNEG_EINVANSMEDIA) {\n\t pjmedia_sdp_media_deactivate(pool, offer->media[omi]);\n\t continue;\n\t}\n\t/* No common format in the answer media. 
*/\n\telse if (status == PJMEDIA_SDPNEG_EANSNOMEDIA) {\n\t pjmedia_sdp_media_deactivate(pool, offer->media[omi]);\n\t pjmedia_sdp_media_deactivate(pool, answer->media[ami]);\n\t} \n\t/* Return the error code, for other errors. */\n\telse if (status != PJ_SUCCESS) {\n\t return status;\n\t}\n\n\tif (offer->media[omi]->desc.port != 0)\n\t has_active = PJ_TRUE;\n\n\t++ami;\n }\n\n *p_active = offer;\n\n return has_active ? PJ_SUCCESS : PJMEDIA_SDPNEG_ENOMEDIA;\n}",
- "project": "pjproject",
- "hash": 179732466098847472036252057851522054985,
- "size": 71,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449669
- },
- {
- "func": "static void str_swap(pj_str_t *str1, pj_str_t *str2)\n{\n pj_str_t tmp = *str1;\n *str1 = *str2;\n *str2 = tmp;\n}",
- "project": "pjproject",
- "hash": 31071335874861223736375872402192073128,
- "size": 6,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449665
- },
- {
- "func": "static pj_status_t match_offer(pj_pool_t *pool,\n\t\t\t pj_bool_t prefer_remote_codec_order,\n pj_bool_t answer_with_multiple_codecs,\n\t\t\t const pjmedia_sdp_media *offer,\n\t\t\t const pjmedia_sdp_media *preanswer,\n\t\t\t const pjmedia_sdp_session *preanswer_sdp,\n\t\t\t pjmedia_sdp_media **p_answer)\n{\n unsigned i;\n pj_bool_t master_has_codec = 0,\n\t master_has_other = 0,\n\t found_matching_codec = 0,\n\t found_matching_telephone_event = 0,\n\t found_matching_other = 0;\n unsigned pt_answer_count = 0;\n pj_str_t pt_answer[PJMEDIA_MAX_SDP_FMT];\n pj_str_t pt_offer[PJMEDIA_MAX_SDP_FMT];\n pjmedia_sdp_media *answer;\n const pjmedia_sdp_media *master, *slave;\n unsigned nclockrate = 0, clockrate[PJMEDIA_MAX_SDP_FMT];\n unsigned ntel_clockrate = 0, tel_clockrate[PJMEDIA_MAX_SDP_FMT];\n\n /* If offer has zero port, just clone the offer */\n if (offer->desc.port == 0) {\n\tanswer = sdp_media_clone_deactivate(pool, offer, preanswer,\n\t\t\t\t\t preanswer_sdp);\n\t*p_answer = answer;\n\treturn PJ_SUCCESS;\n }\n\n /* If the preanswer define zero port, this media is being rejected,\n * just clone the preanswer.\n */\n if (preanswer->desc.port == 0) {\n\tanswer = pjmedia_sdp_media_clone(pool, preanswer);\n\t*p_answer = answer;\n\treturn PJ_SUCCESS;\n }\n\n /* Set master/slave negotiator based on prefer_remote_codec_order. 
*/\n if (prefer_remote_codec_order) {\n\tmaster = offer;\n\tslave = preanswer;\n } else {\n\tmaster = preanswer;\n\tslave = offer;\n }\n \n /* With the addition of telephone-event and dodgy MS RTC SDP, \n * the answer generation algorithm looks really shitty...\n */\n for (i=0; i<master->desc.fmt_count; ++i) {\n\tunsigned j;\n\t\n\tif (pj_isdigit(*master->desc.fmt[i].ptr)) {\n\t /* This is normal/standard payload type, where it's identified\n\t * by payload number.\n\t */\n\t unsigned pt;\n\n\t pt = pj_strtoul(&master->desc.fmt[i]);\n\t \n\t if (pt < 96) {\n\t\t/* For static payload type, it's enough to compare just\n\t\t * the payload number.\n\t\t */\n\n\t\tmaster_has_codec = 1;\n\n\t\t/* We just need to select one codec if not allowing multiple.\n\t\t * Continue if we have selected matching codec for previous \n\t\t * payload.\n\t\t */\n\t\tif (!answer_with_multiple_codecs && found_matching_codec)\n\t\t continue;\n\n\t\t/* Find matching codec in local descriptor. */\n\t\tfor (j=0; j<slave->desc.fmt_count; ++j) {\n\t\t unsigned p;\n\t\t p = pj_strtoul(&slave->desc.fmt[j]);\n\t\t if (p == pt && pj_isdigit(*slave->desc.fmt[j].ptr)) {\n\t\t\tunsigned k;\n\n\t\t\tfound_matching_codec = 1;\n\t\t\tpt_offer[pt_answer_count] = slave->desc.fmt[j];\n\t\t\tpt_answer[pt_answer_count++] = slave->desc.fmt[j];\n\n\t\t\t/* Take note of clock rate for tel-event. Note: for\n\t\t\t * static PT, we assume the clock rate is 8000.\n\t\t\t */\n\t\t\tfor (k=0; k<nclockrate; ++k)\n\t\t\t if (clockrate[k] == 8000)\n\t\t\t\tbreak;\n\t\t\tif (k == nclockrate)\n\t\t\t clockrate[nclockrate++] = 8000;\n\t\t\tbreak;\n\t\t }\n\t\t}\n\n\t } else {\n\t\t/* This is dynamic payload type.\n\t\t * For dynamic payload type, we must look the rtpmap and\n\t\t * compare the encoding name.\n\t\t */\n\t\tconst pjmedia_sdp_attr *a;\n\t\tpjmedia_sdp_rtpmap or_;\n\t\tpj_bool_t is_codec = 0;\n\n\t\t/* Get the rtpmap for the payload type in the master. 
*/\n\t\ta = pjmedia_sdp_media_find_attr2(master, \"rtpmap\", \n\t\t\t\t\t\t &master->desc.fmt[i]);\n\t\tif (!a) {\n\t\t pj_assert(!\"Bug! Offer should have been validated\");\n\t\t return PJMEDIA_SDP_EMISSINGRTPMAP;\n\t\t}\n\t\tpjmedia_sdp_attr_get_rtpmap(a, &or_);\n\n\t\tif (pj_stricmp2(&or_.enc_name, \"telephone-event\")) {\n\t\t master_has_codec = 1;\n\t\t if (!answer_with_multiple_codecs && found_matching_codec)\n\t\t\tcontinue;\n\t\t is_codec = 1;\n\t\t}\n\t\t\n\t\t/* Find paylaod in our initial SDP with matching \n\t\t * encoding name and clock rate.\n\t\t */\n\t\tfor (j=0; j<slave->desc.fmt_count; ++j) {\n\t\t a = pjmedia_sdp_media_find_attr2(slave, \"rtpmap\", \n\t\t\t\t\t\t &slave->desc.fmt[j]);\n\t\t if (a) {\n\t\t\tpjmedia_sdp_rtpmap lr;\n\t\t\tpjmedia_sdp_attr_get_rtpmap(a, &lr);\n\n\t\t\t/* See if encoding name, clock rate, and\n\t\t\t * channel count match \n\t\t\t */\n\t\t\tif (!pj_stricmp(&or_.enc_name, &lr.enc_name) &&\n\t\t\t or_.clock_rate == lr.clock_rate &&\n\t\t\t (pj_stricmp(&or_.param, &lr.param)==0 ||\n\t\t\t (lr.param.slen==0 && or_.param.slen==1 && \n\t\t\t\t\t\t *or_.param.ptr=='1') || \n\t\t\t (or_.param.slen==0 && lr.param.slen==1 && \n\t\t\t\t\t\t *lr.param.ptr=='1'))) \n\t\t\t{\n\t\t\t /* Match! */\n\t\t\t if (is_codec) {\n\t\t\t\tpjmedia_sdp_media *o_med, *a_med;\n\t\t\t\tunsigned o_fmt_idx, a_fmt_idx;\n\t\t\t\tunsigned k;\n\n\t\t\t\to_med = (pjmedia_sdp_media*)offer;\n\t\t\t\ta_med = (pjmedia_sdp_media*)preanswer;\n\t\t\t\to_fmt_idx = prefer_remote_codec_order? i:j;\n\t\t\t\ta_fmt_idx = prefer_remote_codec_order? 
j:i;\n\n\t\t\t\t/* Call custom format matching callbacks */\n\t\t\t\tif (custom_fmt_match(pool, &or_.enc_name,\n\t\t\t\t\t\t o_med, o_fmt_idx,\n\t\t\t\t\t\t a_med, a_fmt_idx,\n\t\t\t\t\t\t ALLOW_MODIFY_ANSWER) !=\n\t\t\t\t PJ_SUCCESS)\n\t\t\t\t{\n\t\t\t\t continue;\n\t\t\t\t}\n\t\t\t\tfound_matching_codec = 1;\n\n\t\t\t\t/* Take note of clock rate for tel-event */\n\t\t\t\tfor (k=0; k<nclockrate; ++k)\n\t\t\t\t if (clockrate[k] == or_.clock_rate)\n\t\t\t\t\tbreak;\n\t\t\t\tif (k == nclockrate)\n\t\t\t\t clockrate[nclockrate++] = or_.clock_rate;\n\t\t\t } else {\n\t\t\t \tunsigned k;\n\n\t\t\t\t/* Keep track of tel-event clock rate,\n\t\t\t\t * to prevent duplicate.\n\t\t\t\t */\n\t\t\t\tfor (k=0; k<ntel_clockrate; ++k)\n\t\t\t\t if (tel_clockrate[k] == or_.clock_rate)\n\t\t\t\t\tbreak;\n\t\t\t\tif (k < ntel_clockrate)\n\t\t\t\t continue;\n\t\t\t\t\n\t\t\t\ttel_clockrate[ntel_clockrate++] = or_.clock_rate;\n\t\t\t\tfound_matching_telephone_event = 1;\n\t\t\t }\n\n\t\t\t pt_offer[pt_answer_count] = \n\t\t\t\t\t\tprefer_remote_codec_order?\n\t\t\t\t\t\toffer->desc.fmt[i]:\n\t\t\t\t\t\toffer->desc.fmt[j];\n\t\t\t pt_answer[pt_answer_count++] = \n\t\t\t\t\t\tprefer_remote_codec_order? \n\t\t\t\t\t\tpreanswer->desc.fmt[j]:\n\t\t\t\t\t\tpreanswer->desc.fmt[i];\n\t\t\t break;\n\t\t\t}\n\t\t }\n\t\t}\n\t }\n\n\t} else {\n\t /* This is a non-standard, brain damaged SDP where the payload\n\t * type is non-numeric. It exists e.g. 
in Microsoft RTC based\n\t * UA, to indicate instant messaging capability.\n\t * Example:\n\t *\t- m=x-ms-message 5060 sip null\n\t */\n\t master_has_other = 1;\n\t if (found_matching_other)\n\t\tcontinue;\n\n\t for (j=0; j<slave->desc.fmt_count; ++j) {\n\t\tif (!pj_strcmp(&master->desc.fmt[i], &slave->desc.fmt[j])) {\n\t\t /* Match */\n\t\t found_matching_other = 1;\n\t\t pt_offer[pt_answer_count] = prefer_remote_codec_order?\n\t\t\t\t\t\toffer->desc.fmt[i]:\n\t\t\t\t\t\toffer->desc.fmt[j];\n\t\t pt_answer[pt_answer_count++] = prefer_remote_codec_order? \n\t\t\t\t\t\t preanswer->desc.fmt[j]:\n\t\t\t\t\t\t preanswer->desc.fmt[i];\n\t\t break;\n\t\t}\n\t }\n\t}\n }\n\n /* See if all types of master can be matched. */\n if (master_has_codec && !found_matching_codec) {\n\treturn PJMEDIA_SDPNEG_NOANSCODEC;\n }\n\n /* If this comment is removed, negotiation will fail if remote has offered\n telephone-event and local is not configured with telephone-event\n\n if (offer_has_telephone_event && !found_matching_telephone_event) {\n\treturn PJMEDIA_SDPNEG_NOANSTELEVENT;\n }\n */\n\n if (master_has_other && !found_matching_other) {\n\treturn PJMEDIA_SDPNEG_NOANSUNKNOWN;\n }\n\n /* Seems like everything is in order. */\n\n /* Remove unwanted telephone-event formats. */\n if (found_matching_telephone_event) {\n\tpj_str_t first_televent_offer = {0};\n\tpj_str_t first_televent_answer = {0};\n\tunsigned matched_cnt = 0;\n\n\tfor (i=0; i<pt_answer_count; ) {\n\t const pjmedia_sdp_attr *a;\n\t pjmedia_sdp_rtpmap r;\n\t unsigned j;\n\n\t /* Skip static PT, as telephone-event uses dynamic PT */\n\t if (!pj_isdigit(*pt_answer[i].ptr) || pj_strtol(&pt_answer[i])<96)\n\t {\n\t\t++i;\n\t\tcontinue;\n\t }\n\n\t /* Get the rtpmap for format. 
*/\n\t a = pjmedia_sdp_media_find_attr2(preanswer, \"rtpmap\",\n\t\t\t\t\t &pt_answer[i]);\n\t pj_assert(a);\n\t pjmedia_sdp_attr_get_rtpmap(a, &r);\n\n\t /* Only care for telephone-event format */\n\t if (pj_stricmp2(&r.enc_name, \"telephone-event\")) {\n\t\t++i;\n\t\tcontinue;\n\t }\n\n\t if (first_televent_offer.slen == 0) {\n\t\tfirst_televent_offer = pt_offer[i];\n\t\tfirst_televent_answer = pt_answer[i];\n\t }\n\n\t for (j=0; j<nclockrate; ++j) {\n\t\tif (r.clock_rate==clockrate[j])\n\t\t break;\n\t }\n\n\t /* This tel-event's clockrate is unwanted, remove the tel-event */\n\t if (j==nclockrate) {\n\t\tpj_array_erase(pt_answer, sizeof(pt_answer[0]),\n\t\t\t pt_answer_count, i);\n\t\tpj_array_erase(pt_offer, sizeof(pt_offer[0]),\n\t\t\t pt_answer_count, i);\n\t\tpt_answer_count--;\n\t } else {\n\t\t++matched_cnt;\n\t\t++i;\n\t }\n\t}\n\n\t/* Tel-event is wanted, but no matched clock rate (to the selected\n\t * audio codec), just put back any first matched tel-event formats.\n\t */\n\tif (!matched_cnt) {\n\t pt_offer[pt_answer_count] = first_televent_offer;\n\t pt_answer[pt_answer_count++] = first_televent_answer;\n\t}\n }\n\n /* Build the answer by cloning from preanswer, and reorder the payload\n * to suit the offer.\n */\n answer = pjmedia_sdp_media_clone(pool, preanswer);\n for (i=0; i<pt_answer_count; ++i) {\n\tunsigned j;\n\tfor (j=i; j<answer->desc.fmt_count; ++j) {\n\t if (!pj_strcmp(&answer->desc.fmt[j], &pt_answer[i]))\n\t\tbreak;\n\t}\n\tpj_assert(j != answer->desc.fmt_count);\n\tstr_swap(&answer->desc.fmt[i], &answer->desc.fmt[j]);\n }\n \n /* Remove unwanted local formats. 
*/\n for (i=pt_answer_count; i<answer->desc.fmt_count; ++i) {\n\tpjmedia_sdp_attr *a;\n\n\t/* Remove rtpmap for this format */\n\ta = pjmedia_sdp_media_find_attr2(answer, \"rtpmap\", \n\t\t\t\t\t &answer->desc.fmt[i]);\n\tif (a) {\n\t pjmedia_sdp_media_remove_attr(answer, a);\n\t}\n\n\t/* Remove fmtp for this format */\n\ta = pjmedia_sdp_media_find_attr2(answer, \"fmtp\", \n\t\t\t\t\t &answer->desc.fmt[i]);\n\tif (a) {\n\t pjmedia_sdp_media_remove_attr(answer, a);\n\t}\n }\n answer->desc.fmt_count = pt_answer_count;\n\n#if PJMEDIA_SDP_NEG_ANSWER_SYMMETRIC_PT\n apply_answer_symmetric_pt(pool, answer, pt_answer_count,\n\t\t\t pt_offer, pt_answer);\n#endif\n\n /* Update media direction. */\n update_media_direction(pool, offer, answer);\n\n *p_answer = answer;\n return PJ_SUCCESS;\n}",
- "project": "pjproject",
- "hash": 69562952461395558680391602717220036992,
- "size": 356,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449668
- },
- {
- "func": "static void remove_all_media_directions(pjmedia_sdp_media *m)\n{\n pjmedia_sdp_media_remove_all_attr(m, \"inactive\");\n pjmedia_sdp_media_remove_all_attr(m, \"sendrecv\");\n pjmedia_sdp_media_remove_all_attr(m, \"sendonly\");\n pjmedia_sdp_media_remove_all_attr(m, \"recvonly\");\n}",
- "project": "pjproject",
- "hash": 159258827173720754826756580001459082748,
- "size": 7,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449674
- },
- {
- "func": "static void apply_answer_symmetric_pt(pj_pool_t *pool,\n\t\t\t\t pjmedia_sdp_media *answer,\n\t\t\t\t unsigned pt_cnt,\n\t\t\t\t const pj_str_t pt_offer[],\n\t\t\t\t const pj_str_t pt_answer[])\n{\n pjmedia_sdp_attr *a_tmp[PJMEDIA_MAX_SDP_ATTR];\n unsigned i, a_tmp_cnt = 0;\n\n /* Rewrite the payload types in the answer if different to\n * the ones in the offer.\n */\n for (i = 0; i < pt_cnt; ++i) {\n\tpjmedia_sdp_attr *a;\n\n\t/* Skip if the PTs are the same already, e.g: static PT. */\n\tif (pj_strcmp(&pt_answer[i], &pt_offer[i]) == 0)\n\t continue;\n\n\t/* Rewrite payload type in the answer to match to the offer */\n\tpj_strdup(pool, &answer->desc.fmt[i], &pt_offer[i]);\n\n\t/* Also update payload type in rtpmap */\n\ta = pjmedia_sdp_media_find_attr2(answer, \"rtpmap\", &pt_answer[i]);\n\tif (a) {\n\t rewrite_pt(pool, &a->value, &pt_answer[i], &pt_offer[i]);\n\t /* Temporarily remove the attribute in case the new payload\n\t * type is being used by another format in the media.\n\t */\n\t pjmedia_sdp_media_remove_attr(answer, a);\n\t a_tmp[a_tmp_cnt++] = a;\n\t}\n\n\t/* Also update payload type in fmtp */\n\ta = pjmedia_sdp_media_find_attr2(answer, \"fmtp\", &pt_answer[i]);\n\tif (a) {\n\t rewrite_pt(pool, &a->value, &pt_answer[i], &pt_offer[i]);\n\t /* Temporarily remove the attribute in case the new payload\n\t * type is being used by another format in the media.\n\t */\n\t pjmedia_sdp_media_remove_attr(answer, a);\n\t a_tmp[a_tmp_cnt++] = a;\n\t}\n }\n\n /* Return back 'rtpmap' and 'fmtp' attributes */\n for (i = 0; i < a_tmp_cnt; ++i)\n\tpjmedia_sdp_media_add_attr(answer, a_tmp[i]);\n}",
- "project": "pjproject",
- "hash": 94676198818858138948052164899281419766,
- "size": 49,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449661
- },
- {
- "func": "static void update_media_direction(pj_pool_t *pool,\n\t\t\t\t const pjmedia_sdp_media *remote,\n\t\t\t\t pjmedia_sdp_media *local)\n{\n pjmedia_dir old_dir = PJMEDIA_DIR_ENCODING_DECODING,\n\t new_dir;\n\n /* Get the media direction of local SDP */\n if (pjmedia_sdp_media_find_attr2(local, \"sendonly\", NULL))\n\told_dir = PJMEDIA_DIR_ENCODING;\n else if (pjmedia_sdp_media_find_attr2(local, \"recvonly\", NULL))\n\told_dir = PJMEDIA_DIR_DECODING;\n else if (pjmedia_sdp_media_find_attr2(local, \"inactive\", NULL))\n\told_dir = PJMEDIA_DIR_NONE;\n\n new_dir = old_dir;\n\n /* Adjust local media direction based on remote media direction */\n if (pjmedia_sdp_media_find_attr2(remote, \"inactive\", NULL) != NULL) {\n\t/* If remote has \"a=inactive\", then local is inactive too */\n\n\tnew_dir = PJMEDIA_DIR_NONE;\n\n } else if(pjmedia_sdp_media_find_attr2(remote, \"sendonly\", NULL) != NULL) {\n\t/* If remote has \"a=sendonly\", then set local to \"recvonly\" if\n\t * it is currently \"sendrecv\". Otherwise if local is NOT \"recvonly\",\n\t * then set local direction to \"inactive\".\n\t */\n\tswitch (old_dir) {\n\tcase PJMEDIA_DIR_ENCODING_DECODING:\n\t new_dir = PJMEDIA_DIR_DECODING;\n\t break;\n\tcase PJMEDIA_DIR_DECODING:\n\t /* No change */\n\t break;\n\tdefault:\n\t new_dir = PJMEDIA_DIR_NONE;\n\t break;\n\t}\n\n } else if(pjmedia_sdp_media_find_attr2(remote, \"recvonly\", NULL) != NULL) {\n\t/* If remote has \"a=recvonly\", then set local to \"sendonly\" if\n\t * it is currently \"sendrecv\". Otherwise if local is NOT \"sendonly\",\n\t * then set local direction to \"inactive\"\n\t */\n \n\tswitch (old_dir) {\n\tcase PJMEDIA_DIR_ENCODING_DECODING:\n\t new_dir = PJMEDIA_DIR_ENCODING;\n\t break;\n\tcase PJMEDIA_DIR_ENCODING:\n\t /* No change */\n\t break;\n\tdefault:\n\t new_dir = PJMEDIA_DIR_NONE;\n\t break;\n\t}\n\n } else {\n\t/* Remote indicates \"sendrecv\" capability. 
No change to local \n\t * direction \n\t */\n }\n\n if (new_dir != old_dir) {\n\tpjmedia_sdp_attr *a = NULL;\n\n\tremove_all_media_directions(local);\n\n\tswitch (new_dir) {\n\tcase PJMEDIA_DIR_NONE:\n\t a = pjmedia_sdp_attr_create(pool, \"inactive\", NULL);\n\t break;\n\tcase PJMEDIA_DIR_ENCODING:\n\t a = pjmedia_sdp_attr_create(pool, \"sendonly\", NULL);\n\t break;\n\tcase PJMEDIA_DIR_DECODING:\n\t a = pjmedia_sdp_attr_create(pool, \"recvonly\", NULL);\n\t break;\n\tdefault:\n\t /* sendrecv */\n\t break;\n\t}\n\t\n\tif (a) {\n\t pjmedia_sdp_media_add_attr(local, a);\n\t}\n }\n}",
- "project": "pjproject",
- "hash": 247833342213862715264954993641996018166,
- "size": 89,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449666
- },
- {
- "func": "static pj_status_t create_answer( pj_pool_t *pool,\n\t\t\t\t pj_bool_t prefer_remote_codec_order,\n pj_bool_t answer_with_multiple_codecs,\n\t\t\t\t const pjmedia_sdp_session *initial,\n\t\t\t\t const pjmedia_sdp_session *offer,\n\t\t\t\t pjmedia_sdp_session **p_answer)\n{\n pj_status_t status = PJMEDIA_SDPNEG_ENOMEDIA;\n pj_bool_t has_active = PJ_FALSE;\n pjmedia_sdp_session *answer;\n char media_used[PJMEDIA_MAX_SDP_MEDIA];\n unsigned i;\n\n /* Validate remote offer. \n * This should have been validated before.\n */\n PJ_ASSERT_RETURN((status=pjmedia_sdp_validate(offer))==PJ_SUCCESS, status);\n\n /* Create initial answer by duplicating initial SDP,\n * but clear all media lines. The media lines will be filled up later.\n */\n answer = pjmedia_sdp_session_clone(pool, initial);\n PJ_ASSERT_RETURN(answer != NULL, PJ_ENOMEM);\n\n answer->media_count = 0;\n\n pj_bzero(media_used, sizeof(media_used));\n\n /* For each media line, create our answer based on our initial\n * capability.\n */\n for (i=0; i<offer->media_count; ++i) {\n\tconst pjmedia_sdp_media *om;\t/* offer */\n\tconst pjmedia_sdp_media *im;\t/* initial media */\n\tpjmedia_sdp_media *am = NULL;\t/* answer/result */\n\tunsigned j;\n\n\tom = offer->media[i];\n\n\t/* Find media description in our initial capability that matches\n\t * the media type and transport type of offer's media, has\n\t * matching codec, and has not been used to answer other offer.\n\t */\n\tfor (im=NULL, j=0; j<initial->media_count; ++j) {\n\t im = initial->media[j];\n\t if (pj_strcmp(&om->desc.media, &im->desc.media)==0 &&\n\t\tpj_strcmp(&om->desc.transport, &im->desc.transport)==0 &&\n\t\tmedia_used[j] == 0)\n\t {\n pj_status_t status2;\n\n\t\t/* See if it has matching codec. */\n\t\tstatus2 = match_offer(pool, prefer_remote_codec_order,\n answer_with_multiple_codecs,\n\t\t\t\t om, im, initial, &am);\n\t\tif (status2 == PJ_SUCCESS) {\n\t\t /* Mark media as used. 
*/\n\t\t media_used[j] = 1;\n\t\t break;\n } else {\n status = status2;\n }\n\t }\n\t}\n\n\tif (j==initial->media_count) {\n\t /* No matching media.\n\t * Reject the offer by setting the port to zero in the answer.\n\t */\n\t /* For simplicity in the construction of the answer, we'll\n\t * just clone the media from the offer. Anyway receiver will\n\t * ignore anything in the media once it sees that the port\n\t * number is zero.\n\t */\n\t am = sdp_media_clone_deactivate(pool, om, om, answer);\n\t} else {\n\t /* The answer is in am */\n\t pj_assert(am != NULL);\n\t}\n\n\t/* Add the media answer */\n\tanswer->media[answer->media_count++] = am;\n\n\t/* Check if this media is active.*/\n\tif (am->desc.port != 0)\n\t has_active = PJ_TRUE;\n }\n\n *p_answer = answer;\n\n return has_active ? PJ_SUCCESS : status;\n}",
- "project": "pjproject",
- "hash": 236570680447781241801738276633744309107,
- "size": 92,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449676
- },
- {
- "func": "PJ_DEF(pj_bool_t) pjmedia_sdp_neg_has_local_answer(pjmedia_sdp_neg *neg)\n{\n pj_assert(neg && neg->state==PJMEDIA_SDP_NEG_STATE_WAIT_NEGO);\n return !neg->has_remote_answer;\n}",
- "project": "pjproject",
- "hash": 108008355913245225190456683013015461598,
- "size": 5,
- "commit_id": "97b3d7addbaa720b7ddb0af9bf6f3e443e664365",
- "message": "Merge pull request from GHSA-hvq6-f89p-frvp",
- "target": 0,
- "dataset": "other",
- "idx": 449644
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "ReadJpegFile",
- "ReadJpegSections",
- "process_SOFn",
- "Get16m"
- ],
- "group_size": 10,
- "functions": [
- {
- "func": "static void process_COM (const uchar * Data, int length)\r\n{\r\n int ch;\r\n char Comment[MAX_COMMENT_SIZE+1];\r\n int nch;\r\n int a;\r\n\r\n nch = 0;\r\n\r\n if (length > MAX_COMMENT_SIZE) length = MAX_COMMENT_SIZE; // Truncate if it won't fit in our structure.\r\n\r\n for (a=2;a<length;a++){\r\n ch = Data[a];\r\n\r\n if (ch == '\\r' && a < length-1 && Data[a+1] == '\\n') continue; // Remove cr followed by lf.\r\n\r\n if (ch >= 32 || ch == '\\n' || ch == '\\t'){\r\n Comment[nch++] = (char)ch;\r\n }else{\r\n Comment[nch++] = '?';\r\n }\r\n }\r\n\r\n Comment[nch] = '\\0'; // Null terminate\r\n\r\n if (ShowTags){\r\n printf(\"COM marker comment: %s\\n\",Comment);\r\n }\r\n\r\n strcpy(ImageInfo.Comments,Comment);\r\n}\r",
- "project": "jhead",
- "hash": 292664364004845683272530709796861522405,
- "size": 31,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261976
- },
- {
- "func": "Section_t * CreateSection(int SectionType, unsigned char * Data, int Size)\r\n{\r\n Section_t * NewSection;\r\n int a;\r\n int NewIndex;\r\n\r\n NewIndex = 0; // Figure out where to put the comment section.\r\n if (SectionType == M_EXIF){\r\n // Exif alwas goes first!\r\n }else{\r\n for (;NewIndex < 3;NewIndex++){ // Maximum fourth position (just for the heck of it)\r\n if (Sections[NewIndex].Type == M_JFIF) continue; // Put it after Jfif\r\n if (Sections[NewIndex].Type == M_EXIF) continue; // Put it after Exif\r\n break;\r\n }\r\n }\r\n\r\n if (SectionsRead < NewIndex){\r\n ErrFatal(\"Too few sections!\");\r\n }\r\n\r\n CheckSectionsAllocated();\r\n for (a=SectionsRead;a>NewIndex;a--){\r\n Sections[a] = Sections[a-1]; \r\n }\r\n SectionsRead += 1;\r\n\r\n NewSection = Sections+NewIndex;\r\n\r\n NewSection->Type = SectionType;\r\n NewSection->Size = Size;\r\n NewSection->Data = Data;\r\n\r\n return NewSection;\r\n}\r",
- "project": "jhead",
- "hash": 142414121532161571740607386321509279285,
- "size": 35,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261975
- },
- {
- "func": "static int Get16m(const void * Short)\r\n{\r\n return (((uchar *)Short)[0] << 8) | ((uchar *)Short)[1];\r\n}\r",
- "project": "jhead",
- "hash": 224505929614412109203924983268393760920,
- "size": 4,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261970
- },
- {
- "func": "void DiscardAllButExif(void)\r\n{\r\n Section_t ExifKeeper;\r\n Section_t CommentKeeper;\r\n Section_t IptcKeeper;\r\n Section_t XmpKeeper;\r\n int a;\r\n\r\n memset(&ExifKeeper, 0, sizeof(ExifKeeper));\r\n memset(&CommentKeeper, 0, sizeof(CommentKeeper));\r\n memset(&IptcKeeper, 0, sizeof(IptcKeeper));\r\n memset(&XmpKeeper, 0, sizeof(IptcKeeper));\r\n\r\n for (a=0;a<SectionsRead;a++){\r\n if (Sections[a].Type == M_EXIF && ExifKeeper.Type == 0){\r\n ExifKeeper = Sections[a];\r\n }else if (Sections[a].Type == M_XMP && XmpKeeper.Type == 0){\r\n XmpKeeper = Sections[a];\r\n }else if (Sections[a].Type == M_COM && CommentKeeper.Type == 0){\r\n CommentKeeper = Sections[a];\r\n }else if (Sections[a].Type == M_IPTC && IptcKeeper.Type == 0){\r\n IptcKeeper = Sections[a];\r\n }else{\r\n free(Sections[a].Data);\r\n }\r\n }\r\n SectionsRead = 0;\r\n if (ExifKeeper.Type){\r\n CheckSectionsAllocated();\r\n Sections[SectionsRead++] = ExifKeeper;\r\n }\r\n if (CommentKeeper.Type){\r\n CheckSectionsAllocated();\r\n Sections[SectionsRead++] = CommentKeeper;\r\n }\r\n if (IptcKeeper.Type){\r\n CheckSectionsAllocated();\r\n Sections[SectionsRead++] = IptcKeeper;\r\n }\r\n\r\n if (XmpKeeper.Type){\r\n CheckSectionsAllocated();\r\n Sections[SectionsRead++] = XmpKeeper;\r\n }\r\n} \r",
- "project": "jhead",
- "hash": 212716664587015896897339550406074413700,
- "size": 45,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261974
- },
- {
- "func": "static void CheckSectionsAllocated(void)\r\n{\r\n if (SectionsRead > SectionsAllocated){\r\n ErrFatal(\"allocation screwup\");\r\n }\r\n if (SectionsRead >= SectionsAllocated){\r\n SectionsAllocated += SectionsAllocated/2;\r\n Sections = (Section_t *)realloc(Sections, sizeof(Section_t)*SectionsAllocated);\r\n if (Sections == NULL){\r\n ErrFatal(\"could not allocate data for entire image\");\r\n }\r\n }\r\n}\r",
- "project": "jhead",
- "hash": 198591798752355418002318661649443148034,
- "size": 13,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261984
- },
- {
- "func": "static void process_SOFn (const uchar * Data, int marker)\r\n{\r\n int data_precision, num_components;\r\n\r\n data_precision = Data[2];\r\n ImageInfo.Height = Get16m(Data+3);\r\n ImageInfo.Width = Get16m(Data+5);\r\n num_components = Data[7];\r\n\r\n if (num_components == 3){\r\n ImageInfo.IsColor = 1;\r\n }else{\r\n ImageInfo.IsColor = 0;\r\n }\r\n\r\n ImageInfo.Process = marker;\r\n\r\n if (ShowTags){\r\n printf(\"JPEG image is %uw * %uh, %d color components, %d bits per sample\\n\",\r\n ImageInfo.Width, ImageInfo.Height, num_components, data_precision);\r\n }\r\n}\r",
- "project": "jhead",
- "hash": 321479054901529407692575430681343822106,
- "size": 22,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261981
- },
- {
- "func": "int ReadJpegSections (FILE * infile, ReadMode_t ReadMode)\r\n{\r\n int a;\r\n int HaveCom = FALSE;\r\n\r\n a = fgetc(infile);\r\n\r\n if (a != 0xff || fgetc(infile) != M_SOI){\r\n return FALSE;\r\n }\r\n\r\n ImageInfo.JfifHeader.XDensity = ImageInfo.JfifHeader.YDensity = 300;\r\n ImageInfo.JfifHeader.ResolutionUnits = 1;\r\n\r\n for(;;){\r\n int itemlen;\r\n int prev;\r\n int marker = 0;\r\n int ll,lh, got;\r\n uchar * Data;\r\n\r\n CheckSectionsAllocated();\r\n\r\n prev = 0;\r\n for (a=0;;a++){\r\n marker = fgetc(infile);\r\n if (marker != 0xff && prev == 0xff) break;\r\n if (marker == EOF){\r\n ErrFatal(\"Unexpected end of file\");\r\n }\r\n prev = marker;\r\n }\r\n\r\n if (a > 10){\r\n ErrNonfatal(\"Extraneous %d padding bytes before section %02X\",a-1,marker);\r\n }\r\n\r\n Sections[SectionsRead].Type = marker;\r\n \r\n // Read the length of the section.\r\n lh = fgetc(infile);\r\n ll = fgetc(infile);\r\n if (lh == EOF || ll == EOF){\r\n ErrFatal(\"Unexpected end of file\");\r\n }\r\n\r\n itemlen = (lh << 8) | ll;\r\n\r\n if (itemlen < 2){\r\n ErrFatal(\"invalid marker\");\r\n }\r\n\r\n Sections[SectionsRead].Size = itemlen;\r\n\r\n Data = (uchar *)malloc(itemlen);\r\n if (Data == NULL){\r\n ErrFatal(\"Could not allocate memory\");\r\n }\r\n Sections[SectionsRead].Data = Data;\r\n\r\n // Store first two pre-read bytes.\r\n Data[0] = (uchar)lh;\r\n Data[1] = (uchar)ll;\r\n\r\n got = fread(Data+2, 1, itemlen-2, infile); // Read the whole section.\r\n if (got != itemlen-2){\r\n ErrFatal(\"Premature end of file?\");\r\n }\r\n SectionsRead += 1;\r\n\r\n switch(marker){\r\n\r\n case M_SOS: // stop before hitting compressed data \r\n // If reading entire image is requested, read the rest of the data.\r\n if (ReadMode & READ_IMAGE){\r\n int cp, ep, size;\r\n // Determine how much file is left.\r\n cp = ftell(infile);\r\n fseek(infile, 0, SEEK_END);\r\n ep = ftell(infile);\r\n fseek(infile, cp, SEEK_SET);\r\n\r\n size = ep-cp;\r\n Data = (uchar 
*)malloc(size);\r\n if (Data == NULL){\r\n ErrFatal(\"could not allocate data for entire image\");\r\n }\r\n\r\n got = fread(Data, 1, size, infile);\r\n if (got != size){\r\n ErrFatal(\"could not read the rest of the image\");\r\n }\r\n\r\n CheckSectionsAllocated();\r\n Sections[SectionsRead].Data = Data;\r\n Sections[SectionsRead].Size = size;\r\n Sections[SectionsRead].Type = PSEUDO_IMAGE_MARKER;\r\n SectionsRead ++;\r\n HaveAll = 1;\r\n }\r\n return TRUE;\r\n\r\n case M_DQT:\r\n // Use for jpeg quality guessing\r\n process_DQT(Data, itemlen);\r\n break;\r\n\r\n case M_DHT: \r\n // Use for jpeg quality guessing\r\n process_DHT(Data, itemlen);\r\n break;\r\n\r\n\r\n case M_EOI: // in case it's a tables-only JPEG stream\r\n fprintf(stderr,\"No image in jpeg!\\n\");\r\n return FALSE;\r\n\r\n case M_COM: // Comment section\r\n if (HaveCom || ((ReadMode & READ_METADATA) == 0)){\r\n // Discard this section.\r\n free(Sections[--SectionsRead].Data);\r\n }else{\r\n process_COM(Data, itemlen);\r\n HaveCom = TRUE;\r\n }\r\n break;\r\n\r\n case M_JFIF:\r\n // Regular jpegs always have this tag, exif images have the exif\r\n // marker instead, althogh ACDsee will write images with both markers.\r\n // this program will re-create this marker on absence of exif marker.\r\n // hence no need to keep the copy from the file.\r\n if (itemlen < 16){\r\n fprintf(stderr,\"Jfif header too short\\n\");\r\n goto ignore;\r\n }\r\n if (memcmp(Data+2, \"JFIF\\0\",5)){\r\n fprintf(stderr,\"Header missing JFIF marker\\n\");\r\n }\r\n\r\n ImageInfo.JfifHeader.Present = TRUE;\r\n ImageInfo.JfifHeader.ResolutionUnits = Data[9];\r\n ImageInfo.JfifHeader.XDensity = (Data[10]<<8) | Data[11];\r\n ImageInfo.JfifHeader.YDensity = (Data[12]<<8) | Data[13];\r\n if (ShowTags){\r\n printf(\"JFIF SOI marker: Units: %d \",ImageInfo.JfifHeader.ResolutionUnits);\r\n switch(ImageInfo.JfifHeader.ResolutionUnits){\r\n case 0: printf(\"(aspect ratio)\"); break;\r\n case 1: printf(\"(dots per inch)\"); break;\r\n 
case 2: printf(\"(dots per cm)\"); break;\r\n default: printf(\"(unknown)\"); break;\r\n }\r\n printf(\" X-density=%d Y-density=%d\\n\",ImageInfo.JfifHeader.XDensity, ImageInfo.JfifHeader.YDensity);\r\n\r\n if (Data[14] || Data[15]){\r\n fprintf(stderr,\"Ignoring jfif header thumbnail\\n\");\r\n }\r\n }\r\n\r\n ignore:\r\n\r\n free(Sections[--SectionsRead].Data);\r\n break;\r\n\r\n case M_EXIF:\r\n // There can be different section using the same marker.\r\n if (ReadMode & READ_METADATA){\r\n if (memcmp(Data+2, \"Exif\", 4) == 0){\r\n process_EXIF(Data, itemlen);\r\n break;\r\n }else if (memcmp(Data+2, \"http:\", 5) == 0){\r\n Sections[SectionsRead-1].Type = M_XMP; // Change tag for internal purposes.\r\n if (ShowTags){\r\n printf(\"Image contains XMP section, %d bytes long\\n\", itemlen);\r\n if (ShowTags){\r\n ShowXmp(Sections[SectionsRead-1]);\r\n }\r\n }\r\n break;\r\n }\r\n }\r\n // Oterwise, discard this section.\r\n free(Sections[--SectionsRead].Data);\r\n break;\r\n\r\n case M_IPTC:\r\n if (ReadMode & READ_METADATA){\r\n if (ShowTags){\r\n printf(\"Image contains IPTC section, %d bytes long\\n\", itemlen);\r\n }\r\n // Note: We just store the IPTC section. Its relatively straightforward\r\n // and we don't act on any part of it, so just display it at parse time.\r\n }else{\r\n free(Sections[--SectionsRead].Data);\r\n }\r\n break;\r\n \r\n case M_SOF0: \r\n case M_SOF1: \r\n case M_SOF2: \r\n case M_SOF3: \r\n case M_SOF5: \r\n case M_SOF6: \r\n case M_SOF7: \r\n case M_SOF9: \r\n case M_SOF10:\r\n case M_SOF11:\r\n case M_SOF13:\r\n case M_SOF14:\r\n case M_SOF15:\r\n if (itemlen < 8){\r\n fprintf(stderr,\"Section too short\\n\");\r\n break;\r\n }\r\n process_SOFn(Data, marker);\r\n break;\r\n default:\r\n // Skip any other sections.\r\n if (ShowTags){\r\n printf(\"Jpeg section marker 0x%02x size %d\\n\",marker, itemlen);\r\n }\r\n break;\r\n }\r\n }\r\n return TRUE;\r\n}\r",
- "project": "jhead",
- "hash": 109190490159385379929171220952643934796,
- "size": 226,
- "commit_id": "5186ddcf9e35a7aa0ff0539489a930434a1325f4",
- "message": "Just allocate 20 bytes extra at the end of a section. Otherwise, we end\nup with a whole lot of little checks for structures that the file says\nare there but are unexpectedly cut off in fuzz tests",
- "target": 1,
- "dataset": "other",
- "idx": 206412
- },
- {
- "func": "int ReadJpegSections (FILE * infile, ReadMode_t ReadMode)\r\n{\r\n int a;\r\n int HaveCom = FALSE;\r\n\r\n a = fgetc(infile);\r\n\r\n if (a != 0xff || fgetc(infile) != M_SOI){\r\n return FALSE;\r\n }\r\n\r\n ImageInfo.JfifHeader.XDensity = ImageInfo.JfifHeader.YDensity = 300;\r\n ImageInfo.JfifHeader.ResolutionUnits = 1;\r\n\r\n for(;;){\r\n int itemlen;\r\n int prev;\r\n int marker = 0;\r\n int ll,lh, got;\r\n uchar * Data;\r\n\r\n CheckSectionsAllocated();\r\n\r\n prev = 0;\r\n for (a=0;;a++){\r\n marker = fgetc(infile);\r\n if (marker != 0xff && prev == 0xff) break;\r\n if (marker == EOF){\r\n ErrFatal(\"Unexpected end of file\");\r\n }\r\n prev = marker;\r\n }\r\n\r\n if (a > 10){\r\n ErrNonfatal(\"Extraneous %d padding bytes before section %02X\",a-1,marker);\r\n }\r\n\r\n Sections[SectionsRead].Type = marker;\r\n \r\n // Read the length of the section.\r\n lh = fgetc(infile);\r\n ll = fgetc(infile);\r\n if (lh == EOF || ll == EOF){\r\n ErrFatal(\"Unexpected end of file\");\r\n }\r\n\r\n itemlen = (lh << 8) | ll;\r\n\r\n if (itemlen < 2){\r\n ErrFatal(\"invalid marker\");\r\n }\r\n\r\n Sections[SectionsRead].Size = itemlen;\r\n\r\n // Allocate an extra 20 bytes more than needed, because sometimes when reading structures,\r\n // if the section erroneously ends before short structures that should be there, that can trip\r\n // memory checkers in combination with fuzzers.\r\n Data = (uchar *)malloc(itemlen+20);\r\n if (Data == NULL){\r\n ErrFatal(\"Could not allocate memory\");\r\n }\r\n Sections[SectionsRead].Data = Data;\r\n\r\n // Store first two pre-read bytes.\r\n Data[0] = (uchar)lh;\r\n Data[1] = (uchar)ll;\r\n\r\n got = fread(Data+2, 1, itemlen-2, infile); // Read the whole section.\r\n if (got != itemlen-2){\r\n ErrFatal(\"Premature end of file?\");\r\n }\r\n SectionsRead += 1;\r\n\r\n switch(marker){\r\n\r\n case M_SOS: // stop before hitting compressed data \r\n // If reading entire image is requested, read the rest of the data.\r\n if 
(ReadMode & READ_IMAGE){\r\n int cp, ep, size;\r\n // Determine how much file is left.\r\n cp = ftell(infile);\r\n fseek(infile, 0, SEEK_END);\r\n ep = ftell(infile);\r\n fseek(infile, cp, SEEK_SET);\r\n\r\n size = ep-cp;\r\n Data = (uchar *)malloc(size);\r\n if (Data == NULL){\r\n ErrFatal(\"could not allocate data for entire image\");\r\n }\r\n\r\n got = fread(Data, 1, size, infile);\r\n if (got != size){\r\n ErrFatal(\"could not read the rest of the image\");\r\n }\r\n\r\n CheckSectionsAllocated();\r\n Sections[SectionsRead].Data = Data;\r\n Sections[SectionsRead].Size = size;\r\n Sections[SectionsRead].Type = PSEUDO_IMAGE_MARKER;\r\n SectionsRead ++;\r\n HaveAll = 1;\r\n }\r\n return TRUE;\r\n\r\n case M_DQT:\r\n // Use for jpeg quality guessing\r\n process_DQT(Data, itemlen);\r\n break;\r\n\r\n case M_DHT: \r\n // Use for jpeg quality guessing\r\n process_DHT(Data, itemlen);\r\n break;\r\n\r\n\r\n case M_EOI: // in case it's a tables-only JPEG stream\r\n fprintf(stderr,\"No image in jpeg!\\n\");\r\n return FALSE;\r\n\r\n case M_COM: // Comment section\r\n if (HaveCom || ((ReadMode & READ_METADATA) == 0)){\r\n // Discard this section.\r\n free(Sections[--SectionsRead].Data);\r\n }else{\r\n process_COM(Data, itemlen);\r\n HaveCom = TRUE;\r\n }\r\n break;\r\n\r\n case M_JFIF:\r\n // Regular jpegs always have this tag, exif images have the exif\r\n // marker instead, althogh ACDsee will write images with both markers.\r\n // this program will re-create this marker on absence of exif marker.\r\n // hence no need to keep the copy from the file.\r\n if (itemlen < 16){\r\n fprintf(stderr,\"Jfif header too short\\n\");\r\n goto ignore;\r\n }\r\n if (memcmp(Data+2, \"JFIF\\0\",5)){\r\n fprintf(stderr,\"Header missing JFIF marker\\n\");\r\n }\r\n\r\n ImageInfo.JfifHeader.Present = TRUE;\r\n ImageInfo.JfifHeader.ResolutionUnits = Data[9];\r\n ImageInfo.JfifHeader.XDensity = (Data[10]<<8) | Data[11];\r\n ImageInfo.JfifHeader.YDensity = (Data[12]<<8) | Data[13];\r\n if 
(ShowTags){\r\n printf(\"JFIF SOI marker: Units: %d \",ImageInfo.JfifHeader.ResolutionUnits);\r\n switch(ImageInfo.JfifHeader.ResolutionUnits){\r\n case 0: printf(\"(aspect ratio)\"); break;\r\n case 1: printf(\"(dots per inch)\"); break;\r\n case 2: printf(\"(dots per cm)\"); break;\r\n default: printf(\"(unknown)\"); break;\r\n }\r\n printf(\" X-density=%d Y-density=%d\\n\",ImageInfo.JfifHeader.XDensity, ImageInfo.JfifHeader.YDensity);\r\n\r\n if (Data[14] || Data[15]){\r\n fprintf(stderr,\"Ignoring jfif header thumbnail\\n\");\r\n }\r\n }\r\n\r\n ignore:\r\n\r\n free(Sections[--SectionsRead].Data);\r\n break;\r\n\r\n case M_EXIF:\r\n // There can be different section using the same marker.\r\n if (ReadMode & READ_METADATA){\r\n if (memcmp(Data+2, \"Exif\", 4) == 0){\r\n process_EXIF(Data, itemlen);\r\n break;\r\n }else if (memcmp(Data+2, \"http:\", 5) == 0){\r\n Sections[SectionsRead-1].Type = M_XMP; // Change tag for internal purposes.\r\n if (ShowTags){\r\n printf(\"Image contains XMP section, %d bytes long\\n\", itemlen);\r\n if (ShowTags){\r\n ShowXmp(Sections[SectionsRead-1]);\r\n }\r\n }\r\n break;\r\n }\r\n }\r\n // Oterwise, discard this section.\r\n free(Sections[--SectionsRead].Data);\r\n break;\r\n\r\n case M_IPTC:\r\n if (ReadMode & READ_METADATA){\r\n if (ShowTags){\r\n printf(\"Image contains IPTC section, %d bytes long\\n\", itemlen);\r\n }\r\n // Note: We just store the IPTC section. 
Its relatively straightforward\r\n // and we don't act on any part of it, so just display it at parse time.\r\n }else{\r\n free(Sections[--SectionsRead].Data);\r\n }\r\n break;\r\n \r\n case M_SOF0: \r\n case M_SOF1: \r\n case M_SOF2: \r\n case M_SOF3: \r\n case M_SOF5: \r\n case M_SOF6: \r\n case M_SOF7: \r\n case M_SOF9: \r\n case M_SOF10:\r\n case M_SOF11:\r\n case M_SOF13:\r\n case M_SOF14:\r\n case M_SOF15:\r\n if (itemlen < 8){\r\n fprintf(stderr,\"Section too short\\n\");\r\n break;\r\n }\r\n process_SOFn(Data, marker);\r\n break;\r\n default:\r\n // Skip any other sections.\r\n if (ShowTags){\r\n printf(\"Jpeg section marker 0x%02x size %d\\n\",marker, itemlen);\r\n }\r\n break;\r\n }\r\n }\r\n return TRUE;\r\n}\r",
- "project": "jhead",
- "hash": 42724157494429028607325548164811225506,
- "size": 229,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261979
- },
- {
- "func": "void DiscardData(void)\r\n{\r\n int a;\r\n\r\n for (a=0;a<SectionsRead;a++){\r\n free(Sections[a].Data);\r\n }\r\n\r\n memset(&ImageInfo, 0, sizeof(ImageInfo));\r\n SectionsRead = 0;\r\n HaveAll = 0;\r\n}\r",
- "project": "jhead",
- "hash": 235139893666732244556011120231657274967,
- "size": 12,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261971
- },
- {
- "func": "int ReadJpegFile(const char * FileName, ReadMode_t ReadMode)\r\n{\r\n FILE * infile;\r\n int ret;\r\n\r\n infile = fopen(FileName, \"rb\"); // Unix ignores 'b', windows needs it.\r\n\r\n if (infile == NULL) {\r\n fprintf(stderr, \"can't open '%s'\\n\", FileName);\r\n return FALSE;\r\n }\r\n\r\n\r\n // Scan the JPEG headers.\r\n ret = ReadJpegSections(infile, ReadMode);\r\n if (!ret){\r\n if (ReadMode == READ_ANY){\r\n // Process any files mode. Ignore the fact that it's not\r\n // a jpeg file.\r\n ret = TRUE;\r\n }else{\r\n fprintf(stderr,\"Not JPEG: %s\\n\",FileName);\r\n }\r\n }\r\n\r\n fclose(infile);\r\n\r\n if (ret == FALSE){\r\n DiscardData();\r\n }\r\n return ret;\r\n}\r",
- "project": "jhead",
- "hash": 182307760354961996623721805825707445609,
- "size": 32,
- "commit_id": "b8d78e5ec982e86cdd70ebfc1ebbb2273c982eea",
- "message": "Same error as previous checking in different function",
- "target": 0,
- "dataset": "other",
- "idx": 261972
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "WriteWEBPImage",
- "WriteAnimatedWEBPImage",
- "WriteSingleWEBPImage"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static MagickBooleanType WriteWEBPImage(const ImageInfo *image_info,\n Image *image)\n{\n const char\n *value;\n\n int\n webp_status;\n\n MagickBooleanType\n status;\n\n WebPAuxStats\n statistics;\n\n WebPConfig\n configure;\n\n#if defined(MAGICKCORE_WEBPMUX_DELEGATE)\n WebPMemoryWriter\n writer_info;\n#endif\n\n WebPPicture\n picture;\n\n PictureMemory\n memory = {0};\n\n /*\n Open output image file.\n */\n assert(image_info != (const ImageInfo *) NULL);\n assert(image_info->signature == MagickCoreSignature);\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n if ((image->columns > 16383UL) || (image->rows > 16383UL))\n ThrowWriterException(ImageError,\"WidthOrHeightExceedsLimit\");\n status=OpenBlob(image_info,image,WriteBinaryBlobMode,&image->exception);\n if (status == MagickFalse)\n return(status);\n if (WebPConfigInit(&configure) == 0)\n ThrowWriterException(ResourceLimitError,\"UnableToEncodeImageFile\");\n if (WebPPictureInit(&picture) == 0)\n ThrowWriterException(ResourceLimitError,\"UnableToEncodeImageFile\");\n#if !defined(MAGICKCORE_WEBPMUX_DELEGATE)\n picture.writer=WebPEncodeWriter;\n picture.custom_ptr=(void *) image;\n#else\n WebPMemoryWriterInit(&writer_info);\n picture.writer=WebPMemoryWrite;\n picture.custom_ptr=(&writer_info);\n#endif\n picture.stats=(&statistics);\n if (image->quality != UndefinedCompressionQuality)\n configure.quality=(float) image->quality;\n if (image->quality >= 100)\n configure.lossless=1;\n value=GetImageOption(image_info,\"webp:lossless\");\n if (value != (char *) NULL)\n configure.lossless=(int) ParseCommandOption(MagickBooleanOptions,\n MagickFalse,value);\n value=GetImageOption(image_info,\"webp:method\");\n if (value != (char *) NULL)\n configure.method=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:image-hint\");\n if (value != (char *) 
NULL)\n {\n if (LocaleCompare(value,\"default\") == 0)\n configure.image_hint=WEBP_HINT_DEFAULT;\n if (LocaleCompare(value,\"photo\") == 0)\n configure.image_hint=WEBP_HINT_PHOTO;\n if (LocaleCompare(value,\"picture\") == 0)\n configure.image_hint=WEBP_HINT_PICTURE;\n#if WEBP_ENCODER_ABI_VERSION >= 0x0200\n if (LocaleCompare(value,\"graph\") == 0)\n configure.image_hint=WEBP_HINT_GRAPH;\n#endif\n }\n value=GetImageOption(image_info,\"webp:target-size\");\n if (value != (char *) NULL)\n configure.target_size=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:target-psnr\");\n if (value != (char *) NULL)\n configure.target_PSNR=(float) StringToDouble(value,(char **) NULL);\n value=GetImageOption(image_info,\"webp:segments\");\n if (value != (char *) NULL)\n configure.segments=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:sns-strength\");\n if (value != (char *) NULL)\n configure.sns_strength=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:filter-strength\");\n if (value != (char *) NULL)\n configure.filter_strength=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:filter-sharpness\");\n if (value != (char *) NULL)\n configure.filter_sharpness=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:filter-type\");\n if (value != (char *) NULL)\n configure.filter_type=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:auto-filter\");\n if (value != (char *) NULL)\n configure.autofilter=(int) ParseCommandOption(MagickBooleanOptions,\n MagickFalse,value);\n value=GetImageOption(image_info,\"webp:alpha-compression\");\n if (value != (char *) NULL)\n configure.alpha_compression=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:alpha-filtering\");\n if (value != (char *) NULL)\n configure.alpha_filtering=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:alpha-quality\");\n if (value != (char *) NULL)\n configure.alpha_quality=StringToInteger(value);\n 
value=GetImageOption(image_info,\"webp:pass\");\n if (value != (char *) NULL)\n configure.pass=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:show-compressed\");\n if (value != (char *) NULL)\n configure.show_compressed=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:preprocessing\");\n if (value != (char *) NULL)\n configure.preprocessing=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:partitions\");\n if (value != (char *) NULL)\n configure.partitions=StringToInteger(value);\n value=GetImageOption(image_info,\"webp:partition-limit\");\n if (value != (char *) NULL)\n configure.partition_limit=StringToInteger(value);\n#if WEBP_ENCODER_ABI_VERSION >= 0x0201\n value=GetImageOption(image_info,\"webp:emulate-jpeg-size\");\n if (value != (char *) NULL)\n configure.emulate_jpeg_size=(int) ParseCommandOption(MagickBooleanOptions,\n MagickFalse,value);\n value=GetImageOption(image_info,\"webp:low-memory\");\n if (value != (char *) NULL)\n configure.low_memory=(int) ParseCommandOption(MagickBooleanOptions,\n MagickFalse,value);\n value=GetImageOption(image_info,\"webp:thread-level\");\n if (value != (char *) NULL)\n configure.thread_level=StringToInteger(value);\n#endif\n#if WEBP_ENCODER_ABI_VERSION >= 0x020e\n value=GetImageOption(image_info,\"webp:use-sharp-yuv\");\n if (value != (char *) NULL)\n configure.use_sharp_yuv=StringToInteger(value);\n#endif\n if (WebPValidateConfig(&configure) == 0)\n ThrowWriterException(ResourceLimitError,\"UnableToEncodeImageFile\");\n\n WriteSingleWEBPImage(image_info,image,&picture,&memory,&image->exception);\n\n#if defined(MAGICKCORE_WEBPMUX_DELEGATE)\n if ((image_info->adjoin != MagickFalse) &&\n (GetPreviousImageInList(image) == (Image *) NULL) &&\n (GetNextImageInList(image) != (Image *) NULL) &&\n (image->iterations != 1))\n WriteAnimatedWEBPImage(image_info,image,&configure,&writer_info,&image->exception);\n#endif\n\n webp_status=WebPEncode(&configure,&picture);\n if (webp_status == 
0)\n {\n const char\n *message;\n\n switch (picture.error_code)\n {\n case VP8_ENC_ERROR_OUT_OF_MEMORY:\n {\n message=\"out of memory\";\n break;\n }\n case VP8_ENC_ERROR_BITSTREAM_OUT_OF_MEMORY:\n {\n message=\"bitstream out of memory\";\n break;\n }\n case VP8_ENC_ERROR_NULL_PARAMETER:\n {\n message=\"NULL parameter\";\n break;\n }\n case VP8_ENC_ERROR_INVALID_CONFIGURATION:\n {\n message=\"invalid configuration\";\n break;\n }\n case VP8_ENC_ERROR_BAD_DIMENSION:\n {\n message=\"bad dimension\";\n break;\n }\n case VP8_ENC_ERROR_PARTITION0_OVERFLOW:\n {\n message=\"partition 0 overflow (> 512K)\";\n break;\n }\n case VP8_ENC_ERROR_PARTITION_OVERFLOW:\n {\n message=\"partition overflow (> 16M)\";\n break;\n }\n case VP8_ENC_ERROR_BAD_WRITE:\n {\n message=\"bad write\";\n break;\n }\n case VP8_ENC_ERROR_FILE_TOO_BIG:\n {\n message=\"file too big (> 4GB)\";\n break;\n }\n#if WEBP_ENCODER_ABI_VERSION >= 0x0100\n case VP8_ENC_ERROR_USER_ABORT:\n {\n message=\"user abort\";\n break;\n }\n#endif\n default:\n {\n message=\"unknown exception\";\n break;\n }\n }\n (void) ThrowMagickException(&image->exception,GetMagickModule(),CorruptImageError,\n (char *) message,\"`%s'\",image->filename);\n }\n#if defined(MAGICKCORE_WEBPMUX_DELEGATE)\n {\n const StringInfo\n *profile;\n\n WebPData\n chunk,\n image_chunk;\n\n WebPMux\n *mux;\n\n WebPMuxError\n mux_error;\n\n /*\n Set image profiles (if any).\n */\n image_chunk.bytes=writer_info.mem;\n image_chunk.size=writer_info.size;\n mux_error=WEBP_MUX_OK;\n (void) memset(&chunk,0,sizeof(chunk));\n mux=WebPMuxNew();\n profile=GetImageProfile(image,\"ICC\");\n if ((profile != (StringInfo *) NULL) && (mux_error == WEBP_MUX_OK))\n {\n chunk.bytes=GetStringInfoDatum(profile);\n chunk.size=GetStringInfoLength(profile);\n mux_error=WebPMuxSetChunk(mux,\"ICCP\",&chunk,0);\n }\n profile=GetImageProfile(image,\"EXIF\");\n if ((profile != (StringInfo *) NULL) && (mux_error == WEBP_MUX_OK))\n {\n chunk.bytes=GetStringInfoDatum(profile);\n 
chunk.size=GetStringInfoLength(profile);\n if ((chunk.size >= 6) &&\n (chunk.bytes[0] == 'E') && (chunk.bytes[1] == 'x') &&\n (chunk.bytes[2] == 'i') && (chunk.bytes[3] == 'f') &&\n (chunk.bytes[4] == '\\0') && (chunk.bytes[5] == '\\0'))\n {\n chunk.bytes=GetStringInfoDatum(profile)+6;\n chunk.size-=6;\n }\n mux_error=WebPMuxSetChunk(mux,\"EXIF\",&chunk,0);\n }\n profile=GetImageProfile(image,\"XMP\");\n if ((profile != (StringInfo *) NULL) && (mux_error == WEBP_MUX_OK))\n {\n chunk.bytes=GetStringInfoDatum(profile);\n chunk.size=GetStringInfoLength(profile);\n mux_error=WebPMuxSetChunk(mux,\"XMP\",&chunk,0);\n }\n if (mux_error != WEBP_MUX_OK)\n (void) ThrowMagickException(&image->exception,GetMagickModule(),\n ResourceLimitError,\"UnableToEncodeImageFile\",\"`%s'\",image->filename);\n if (chunk.size != 0)\n {\n WebPData\n picture_profiles;\n\n /*\n Replace original container with image profile (if any).\n */\n picture_profiles.bytes=writer_info.mem;\n picture_profiles.size=writer_info.size;\n WebPMuxSetImage(mux,&image_chunk,1);\n mux_error=WebPMuxAssemble(mux,&picture_profiles);\n WebPMemoryWriterClear(&writer_info);\n writer_info.size=picture_profiles.size;\n writer_info.mem=(unsigned char *) picture_profiles.bytes;\n }\n WebPMuxDelete(mux);\n }\n (void) WriteBlob(image,writer_info.size,writer_info.mem);\n#endif\n picture.argb=(uint32_t *) NULL;\n WebPPictureFree(&picture);\n#if defined(MAGICKCORE_WEBPMUX_DELEGATE)\n WebPMemoryWriterClear(&writer_info);\n#endif\n (void) CloseBlob(image);\n RelinquishVirtualMemory(memory.pixel_info);\n return(webp_status == 0 ? MagickFalse : MagickTrue);\n}",
- "project": "ImageMagick6",
- "hash": 119946347181760794580512753926997806486,
- "size": 314,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370818
- },
- {
- "func": "static void FreePictureMemoryList (PictureMemory* head) {\n PictureMemory* next;\n while(head != NULL) {\n next = head->next;\n if(head->pixel_info != NULL)\n RelinquishVirtualMemory(head->pixel_info);\n free(head);\n head = next;\n }\n}",
- "project": "ImageMagick6",
- "hash": 292386166158901336250318830950126269652,
- "size": 10,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370811
- },
- {
- "func": "static MagickBooleanType WriteSingleWEBPImage(const ImageInfo *image_info,\n Image *image,WebPPicture *picture,PictureMemory *picture_memory,\n ExceptionInfo *exception)\n{\n MagickBooleanType\n status = MagickFalse;\n\n uint32_t\n *magick_restrict q;\n\n ssize_t\n y;\n\n#if WEBP_ENCODER_ABI_VERSION >= 0x0100\n picture->progress_hook=WebPEncodeProgress;\n picture->user_data=(void *) image;\n#endif\n picture->width=(int) image->columns;\n picture->height=(int) image->rows;\n picture->argb_stride=(int) image->columns;\n picture->use_argb=1;\n\n /*\n Allocate memory for pixels.\n */\n (void) TransformImageColorspace(image,sRGBColorspace);\n picture_memory->pixel_info=AcquireVirtualMemory(image->columns,image->rows*\n sizeof(*(picture->argb)));\n\n if (picture_memory->pixel_info == (MemoryInfo *) NULL)\n ThrowWriterException(ResourceLimitError,\"MemoryAllocationFailed\");\n picture->argb=(uint32_t *) GetVirtualMemoryBlob(picture_memory->pixel_info);\n /*\n Convert image to WebP raster pixels.\n */\n q=picture->argb;\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const PixelPacket\n *magick_restrict p;\n\n ssize_t\n x;\n\n p=GetVirtualPixels(image,0,y,image->columns,1,exception);\n if (p == (const PixelPacket *) NULL)\n break;\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n *q++=(uint32_t) (image->matte != MagickFalse ? (uint32_t)\n ScaleQuantumToChar(GetPixelAlpha(p)) << 24 : 0xff000000) |\n ((uint32_t) ScaleQuantumToChar(GetPixelRed(p)) << 16) |\n ((uint32_t) ScaleQuantumToChar(GetPixelGreen(p)) << 8) |\n ((uint32_t) ScaleQuantumToChar(GetPixelBlue(p)));\n p++;\n }\n status=SetImageProgress(image,SaveImageTag,(MagickOffsetType) y,\n image->rows);\n if (status == MagickFalse)\n break;\n }\n return status;\n}",
- "project": "ImageMagick6",
- "hash": 220261224620017316800574317796322837451,
- "size": 63,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370817
- },
- {
- "func": "static MagickBooleanType WriteAnimatedWEBPImage(const ImageInfo *image_info,\n Image *image,WebPConfig *configure,WebPMemoryWriter *writer_info,\n ExceptionInfo *exception)\n{\n Image\n *first_image;\n\n PictureMemory\n *current,\n *head;\n\n size_t\n effective_delta = 0,\n frame_timestamp = 0;\n\n WebPAnimEncoder\n *enc;\n\n WebPAnimEncoderOptions\n enc_options;\n\n WebPData\n webp_data;\n\n WebPPicture\n picture;\n\n WebPAnimEncoderOptionsInit(&enc_options);\n if (image_info->verbose)\n enc_options.verbose = 1;\n\n image=CoalesceImages(image, exception);\n first_image=image;\n enc=WebPAnimEncoderNew((int) image->page.width,(int) image->page.height,\n &enc_options);\n\n head=(PictureMemory *) calloc(sizeof(*head),1);\n current=head;\n\n while (image != NULL)\n {\n if (WebPPictureInit(&picture) == 0)\n ThrowWriterException(ResourceLimitError,\"UnableToEncodeImageFile\");\n\n WriteSingleWEBPImage(image_info, image, &picture, current, exception);\n\n effective_delta = image->delay*1000/image->ticks_per_second;\n if (effective_delta < 10)\n effective_delta = 100; /* Consistent with gif2webp */\n frame_timestamp+=effective_delta;\n\n WebPAnimEncoderAdd(enc,&picture,(int) frame_timestamp,configure);\n\n image = GetNextImageInList(image);\n current->next=(PictureMemory *) calloc(sizeof(*head), 1);\n current = current->next;\n }\n webp_data.bytes=writer_info->mem;\n webp_data.size=writer_info->size;\n WebPAnimEncoderAssemble(enc, &webp_data);\n WebPMemoryWriterClear(writer_info);\n writer_info->size=webp_data.size;\n writer_info->mem=(unsigned char *) webp_data.bytes;\n WebPAnimEncoderDelete(enc);\n DestroyImageList(first_image);\n FreePictureMemoryList(head);\n return(MagickTrue);\n}",
- "project": "ImageMagick6",
- "hash": 88540247361010854619934050091886652539,
- "size": 68,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 1,
- "dataset": "other",
- "idx": 205720
- },
- {
- "func": "static MagickBooleanType WriteAnimatedWEBPImage(const ImageInfo *image_info,\n Image *image,WebPConfig *configure,WebPMemoryWriter *writer_info,\n ExceptionInfo *exception)\n{\n Image\n *first_image;\n\n PictureMemory\n *current,\n *head;\n\n size_t\n effective_delta = 0,\n frame_timestamp = 0;\n\n WebPAnimEncoder\n *enc;\n\n WebPAnimEncoderOptions\n enc_options;\n\n WebPData\n webp_data;\n\n WebPPicture\n picture;\n\n WebPAnimEncoderOptionsInit(&enc_options);\n if (image_info->verbose)\n enc_options.verbose = 1;\n\n image=CoalesceImages(image, exception);\n first_image=image;\n enc=WebPAnimEncoderNew((int) image->page.width,(int) image->page.height,\n &enc_options);\n\n head=(PictureMemory *) calloc(sizeof(*head),1);\n current=head;\n\n while (image != NULL)\n {\n if (WebPPictureInit(&picture) == 0)\n ThrowWriterException(ResourceLimitError,\"UnableToEncodeImageFile\");\n\n WriteSingleWEBPImage(image_info, image, &picture, current, exception);\n\n effective_delta = image->delay*1000*PerceptibleReciprocal(\n image->ticks_per_second);\n if (effective_delta < 10)\n effective_delta = 100; /* Consistent with gif2webp */\n frame_timestamp+=effective_delta;\n\n WebPAnimEncoderAdd(enc,&picture,(int) frame_timestamp,configure);\n\n image = GetNextImageInList(image);\n current->next=(PictureMemory *) calloc(sizeof(*head), 1);\n current = current->next;\n }\n webp_data.bytes=writer_info->mem;\n webp_data.size=writer_info->size;\n WebPAnimEncoderAssemble(enc, &webp_data);\n WebPMemoryWriterClear(writer_info);\n writer_info->size=webp_data.size;\n writer_info->mem=(unsigned char *) webp_data.bytes;\n WebPAnimEncoderDelete(enc);\n DestroyImageList(first_image);\n FreePictureMemoryList(head);\n return(MagickTrue);\n}",
- "project": "ImageMagick6",
- "hash": 184885542608773702111101964268936553139,
- "size": 69,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370809
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "esdsin",
- "getsize",
- "u8in",
- "datain"
- ],
- "group_size": 20,
- "functions": [
- {
- "func": "static int mdhdin(int size)\n{\n // version/flags\n u32in();\n // Creation time\n mp4config.ctime = u32in();\n // Modification time\n mp4config.mtime = u32in();\n // Time scale\n mp4config.samplerate = u32in();\n // Duration\n mp4config.samples = u32in();\n // Language\n u16in();\n // pre_defined\n u16in();\n\n return size;\n};",
- "project": "faad2",
- "hash": 199526141618945524307402126500239822292,
- "size": 19,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221437
- },
- {
- "func": "static int hdlr2in(int size)\n{\n uint8_t buf[4];\n\n // version/flags\n u32in();\n // Predefined\n u32in();\n // Handler type\n datain(buf, 4);\n if (memcmp(buf, \"mdir\", 4))\n return ERR_FAIL;\n datain(buf, 4);\n if (memcmp(buf, \"appl\", 4))\n return ERR_FAIL;\n // Reserved\n u32in();\n u32in();\n // null terminator\n u8in();\n\n return size;\n};",
- "project": "faad2",
- "hash": 115686852012050553071183260739078458355,
- "size": 23,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221442
- },
- {
- "func": "static int stcoin(int size)\n{\n // version/flags\n u32in();\n // Number of entries\n if (u32in() < 1)\n return ERR_FAIL;\n // first chunk offset\n mp4config.mdatofs = u32in();\n // ignore the rest\n\n return size;\n}",
- "project": "faad2",
- "hash": 24307622088068632029917249868008923896,
- "size": 13,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221443
- },
- {
- "func": "static int stszin(int size)\n{\n int cnt;\n uint32_t ofs;\n\n // version/flags\n u32in();\n // Sample size\n u32in();\n // Number of entries\n mp4config.frame.ents = u32in();\n // fixme: check atom size\n mp4config.frame.data = malloc(sizeof(*mp4config.frame.data)\n * (mp4config.frame.ents + 1));\n\n if (!mp4config.frame.data)\n return ERR_FAIL;\n\n ofs = 0;\n mp4config.frame.data[0] = ofs;\n for (cnt = 0; cnt < mp4config.frame.ents; cnt++)\n {\n uint32_t fsize = u32in();\n\n ofs += fsize;\n if (mp4config.frame.maxsize < fsize)\n mp4config.frame.maxsize = fsize;\n\n mp4config.frame.data[cnt + 1] = ofs;\n\n if (ofs < mp4config.frame.data[cnt])\n return ERR_FAIL;\n }\n\n return size;\n}",
- "project": "faad2",
- "hash": 162931728092633650703368658690852714538,
- "size": 36,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 1,
- "dataset": "other",
- "idx": 195084
- },
- {
- "func": "static int stszin(int size)\n{\n int cnt;\n uint32_t ofs;\n\n // version/flags\n u32in();\n // Sample size\n u32in();\n // Number of entries\n mp4config.frame.ents = u32in();\n\n if (!(mp4config.frame.ents + 1))\n return ERR_FAIL;\n\n mp4config.frame.data = malloc(sizeof(*mp4config.frame.data)\n * (mp4config.frame.ents + 1));\n\n if (!mp4config.frame.data)\n return ERR_FAIL;\n\n ofs = 0;\n mp4config.frame.data[0] = ofs;\n for (cnt = 0; cnt < mp4config.frame.ents; cnt++)\n {\n uint32_t fsize = u32in();\n\n ofs += fsize;\n if (mp4config.frame.maxsize < fsize)\n mp4config.frame.maxsize = fsize;\n\n mp4config.frame.data[cnt + 1] = ofs;\n\n if (ofs < mp4config.frame.data[cnt])\n return ERR_FAIL;\n }\n\n return size;\n}",
- "project": "faad2",
- "hash": 128822819783274424928244029461541937327,
- "size": 39,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221432
- },
- {
- "func": "static int stsdin(int size)\n{\n // version/flags\n u32in();\n // Number of entries(one 'mp4a')\n if (u32in() != 1) //fixme: error handling\n return ERR_FAIL;\n\n return size;\n};",
- "project": "faad2",
- "hash": 197184068360264270082776493704524314753,
- "size": 10,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221440
- },
- {
- "func": "static int esdsin(int size)\n{\n // descriptor tree:\n // MP4ES_Descriptor\n // MP4DecoderConfigDescriptor\n // MP4DecSpecificInfoDescriptor\n // MP4SLConfigDescriptor\n enum\n { TAG_ES = 3, TAG_DC = 4, TAG_DSI = 5, TAG_SLC = 6 };\n\n // version/flags\n u32in();\n if (u8in() != TAG_ES)\n return ERR_FAIL;\n getsize();\n // ESID\n u16in();\n // flags(url(bit 6); ocr(5); streamPriority (0-4)):\n u8in();\n\n if (u8in() != TAG_DC)\n return ERR_FAIL;\n getsize();\n if (u8in() != 0x40) /* not MPEG-4 audio */\n return ERR_FAIL;\n // flags\n u8in();\n // buffer size (24 bits)\n mp4config.buffersize = u16in() << 8;\n mp4config.buffersize |= u8in();\n // bitrate\n mp4config.bitratemax = u32in();\n mp4config.bitrateavg = u32in();\n\n if (u8in() != TAG_DSI)\n return ERR_FAIL;\n mp4config.asc.size = getsize();\n if (mp4config.asc.size > sizeof(mp4config.asc.buf))\n return ERR_FAIL;\n // get AudioSpecificConfig\n datain(mp4config.asc.buf, mp4config.asc.size);\n\n if (u8in() != TAG_SLC)\n return ERR_FAIL;\n getsize();\n // \"predefined\" (no idea)\n u8in();\n\n return size;\n}",
- "project": "faad2",
- "hash": 249840270236166144899568226199914208820,
- "size": 50,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221441
- },
- {
- "func": "static int mp4ain(int size)\n{\n // Reserved (6 bytes)\n u32in();\n u16in();\n // Data reference index\n u16in();\n // Version\n u16in();\n // Revision level\n u16in();\n // Vendor\n u32in();\n // Number of channels\n mp4config.channels = u16in();\n // Sample size (bits)\n mp4config.bits = u16in();\n // Compression ID\n u16in();\n // Packet size\n u16in();\n // Sample rate (16.16)\n // fractional framerate, probably not for audio\n // rate integer part\n u16in();\n // rate reminder part\n u16in();\n\n return size;\n}",
- "project": "faad2",
- "hash": 177094373413499688540303899101743171346,
- "size": 30,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221447
- },
- {
- "func": "static uint32_t getsize(void)\n{\n int cnt;\n uint32_t size = 0;\n for (cnt = 0; cnt < 4; cnt++)\n {\n int tmp = u8in();\n\n size <<= 7;\n size |= (tmp & 0x7f);\n if (!(tmp & 0x80))\n break;\n }\n return size;\n}",
- "project": "faad2",
- "hash": 67050648525714646687008989580781566943,
- "size": 15,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221430
- },
- {
- "func": "static int stringin(char *txt, int sizemax)\n{\n int size;\n for (size = 0; size < sizemax; size++)\n {\n if (fread(txt + size, 1, 1, g_fin) != 1)\n return ERR_FAIL;\n if (!txt[size])\n break;\n }\n txt[sizemax-1] = '\\0';\n\n return size;\n}",
- "project": "faad2",
- "hash": 310710672344492615641722231561510106411,
- "size": 14,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221444
- },
- {
- "func": "static int u8in(void)\n{\n uint8_t u8;\n datain(&u8, 1);\n return u8;\n}",
- "project": "faad2",
- "hash": 313092909630100574008088062923509792283,
- "size": 6,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221439
- },
- {
- "func": "static uint32_t u32in(void)\n{\n uint32_t u32;\n datain(&u32, 4);\n u32 = bswap32(u32);\n return u32;\n}",
- "project": "faad2",
- "hash": 90610583081550478693284108046074781749,
- "size": 7,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221454
- },
- {
- "func": "static inline uint32_t bswap32(const uint32_t u32)\n{\n#ifndef WORDS_BIGENDIAN\n#if defined (__GNUC__) && ((__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ >= 3)))\n return __builtin_bswap32(u32);\n#elif defined (_MSC_VER)\n return _byteswap_ulong(u32);\n#else\n return (u32 << 24) | ((u32 << 8) & 0xFF0000) | ((u32 >> 8) & 0xFF00) | (u32 >> 24);\n#endif\n#else\n return u32;\n#endif\n}",
- "project": "faad2",
- "hash": 220379345707008644331573635180825066237,
- "size": 14,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221431
- },
- {
- "func": "static int ilstin(int size)\n{\n enum {NUMSET = 1, GENRE, EXTAG};\n int read = 0;\n\n static struct {\n char *name;\n char *id;\n int flag;\n } tags[] = {\n {\"Album \", \"\\xa9\" \"alb\"},\n {\"Album Artist\", \"aART\"},\n {\"Artist \", \"\\xa9\" \"ART\"},\n {\"Comment \", \"\\xa9\" \"cmt\"},\n {\"Cover image \", \"covr\"},\n {\"Compilation \", \"cpil\"},\n {\"Copyright \", \"cprt\"},\n {\"Date \", \"\\xa9\" \"day\"},\n {\"Disc# \", \"disk\", NUMSET},\n {\"Genre \", \"gnre\", GENRE},\n {\"Grouping \", \"\\xa9\" \"grp\"},\n {\"Lyrics \", \"\\xa9\" \"lyr\"},\n {\"Title \", \"\\xa9\" \"nam\"},\n {\"Rating \", \"rtng\"},\n {\"BPM \", \"tmpo\"},\n {\"Encoder \", \"\\xa9\" \"too\"},\n {\"Track \", \"trkn\", NUMSET},\n {\"Composer \", \"\\xa9\" \"wrt\"},\n {0, \"----\", EXTAG},\n {0},\n };\n\n static const char *genres[] = {\n \"Blues\", \"Classic Rock\", \"Country\", \"Dance\",\n \"Disco\", \"Funk\", \"Grunge\", \"Hip-Hop\",\n \"Jazz\", \"Metal\", \"New Age\", \"Oldies\",\n \"Other\", \"Pop\", \"R&B\", \"Rap\",\n \"Reggae\", \"Rock\", \"Techno\", \"Industrial\",\n \"Alternative\", \"Ska\", \"Death Metal\", \"Pranks\",\n \"Soundtrack\", \"Euro-Techno\", \"Ambient\", \"Trip-Hop\",\n \"Vocal\", \"Jazz+Funk\", \"Fusion\", \"Trance\",\n \"Classical\", \"Instrumental\", \"Acid\", \"House\",\n \"Game\", \"Sound Clip\", \"Gospel\", \"Noise\",\n \"Alternative Rock\", \"Bass\", \"Soul\", \"Punk\",\n \"Space\", \"Meditative\", \"Instrumental Pop\", \"Instrumental Rock\",\n \"Ethnic\", \"Gothic\", \"Darkwave\", \"Techno-Industrial\",\n \"Electronic\", \"Pop-Folk\", \"Eurodance\", \"Dream\",\n \"Southern Rock\", \"Comedy\", \"Cult\", \"Gangsta\",\n \"Top 40\", \"Christian Rap\", \"Pop/Funk\", \"Jungle\",\n \"Native US\", \"Cabaret\", \"New Wave\", \"Psychadelic\",\n \"Rave\", \"Showtunes\", \"Trailer\", \"Lo-Fi\",\n \"Tribal\", \"Acid Punk\", \"Acid Jazz\", \"Polka\",\n \"Retro\", \"Musical\", \"Rock & Roll\", \"Hard Rock\",\n \"Folk\", \"Folk-Rock\", \"National Folk\", 
\"Swing\",\n \"Fast Fusion\", \"Bebob\", \"Latin\", \"Revival\",\n \"Celtic\", \"Bluegrass\", \"Avantgarde\", \"Gothic Rock\",\n \"Progressive Rock\", \"Psychedelic Rock\", \"Symphonic Rock\", \"Slow Rock\",\n \"Big Band\", \"Chorus\", \"Easy Listening\", \"Acoustic\",\n \"Humour\", \"Speech\", \"Chanson\", \"Opera\",\n \"Chamber Music\", \"Sonata\", \"Symphony\", \"Booty Bass\",\n \"Primus\", \"Porn Groove\", \"Satire\", \"Slow Jam\",\n \"Club\", \"Tango\", \"Samba\", \"Folklore\",\n \"Ballad\", \"Power Ballad\", \"Rhythmic Soul\", \"Freestyle\",\n \"Duet\", \"Punk Rock\", \"Drum Solo\", \"Acapella\",\n \"Euro-House\", \"Dance Hall\", \"Goa\", \"Drum & Bass\",\n \"Club - House\", \"Hardcore\", \"Terror\", \"Indie\",\n \"BritPop\", \"Negerpunk\", \"Polsk Punk\", \"Beat\",\n \"Christian Gangsta Rap\", \"Heavy Metal\", \"Black Metal\", \"Crossover\",\n \"Contemporary Christian\", \"Christian Rock\", \"Merengue\", \"Salsa\",\n \"Thrash Metal\", \"Anime\", \"JPop\", \"Synthpop\",\n \"Unknown\",\n };\n\n fprintf(stderr, \"----------tag list-------------\\n\");\n while(read < size)\n {\n int asize, dsize;\n uint8_t id[5];\n int cnt;\n uint32_t type;\n\n id[4] = 0;\n\n asize = u32in();\n read += asize;\n asize -= 4;\n if (datain(id, 4) < 4)\n return ERR_FAIL;\n asize -= 4;\n\n for (cnt = 0; tags[cnt].id; cnt++)\n {\n if (!memcmp(id, tags[cnt].id, 4))\n break;\n }\n\n if (tags[cnt].name)\n fprintf(stderr, \"%s : \", tags[cnt].name);\n else\n {\n if (tags[cnt].flag != EXTAG)\n fprintf(stderr, \"'%s' : \", id);\n }\n\n dsize = u32in();\n asize -= 4;\n if (datain(id, 4) < 4)\n return ERR_FAIL;\n asize -= 4;\n\n if (tags[cnt].flag != EXTAG)\n {\n if (memcmp(id, \"data\", 4))\n return ERR_FAIL;\n }\n else\n {\n int spc;\n\n if (memcmp(id, \"mean\", 4))\n goto skip;\n dsize -= 8;\n while (dsize > 0)\n {\n u8in();\n asize--;\n dsize--;\n }\n if (asize >= 8)\n {\n dsize = u32in() - 8;\n asize -= 4;\n if (datain(id, 4) < 4)\n return ERR_FAIL;\n asize -= 4;\n if (memcmp(id, 
\"name\", 4))\n goto skip;\n u32in();\n asize -= 4;\n dsize -= 4;\n }\n spc = 13 - dsize;\n if (spc < 0) spc = 0;\n while (dsize > 0)\n {\n fprintf(stderr, \"%c\",u8in());\n asize--;\n dsize--;\n }\n while (spc--)\n fprintf(stderr, \" \");\n fprintf(stderr, \": \");\n if (asize >= 8)\n {\n dsize = u32in() - 8;\n asize -= 4;\n if (datain(id, 4) < 4)\n return ERR_FAIL;\n asize -= 4;\n if (memcmp(id, \"data\", 4))\n goto skip;\n u32in();\n asize -= 4;\n dsize -= 4;\n }\n while (dsize > 0)\n {\n fprintf(stderr, \"%c\",u8in());\n asize--;\n dsize--;\n }\n fprintf(stderr, \"\\n\");\n\n goto skip;\n }\n type = u32in();\n asize -= 4;\n u32in();\n asize -= 4;\n\n switch(type)\n {\n case 1:\n while (asize > 0)\n {\n fprintf(stderr, \"%c\",u8in());\n asize--;\n }\n break;\n case 0:\n switch(tags[cnt].flag)\n {\n case NUMSET:\n u16in();\n asize -= 2;\n\n fprintf(stderr, \"%d\", u16in());\n asize -= 2;\n fprintf(stderr, \"/%d\", u16in());\n asize -= 2;\n break;\n case GENRE:\n {\n uint8_t gnum = u16in();\n asize -= 2;\n if (!gnum)\n goto skip;\n gnum--;\n if (gnum >= 147)\n gnum = 147;\n fprintf(stderr, \"%s\", genres[gnum]);\n }\n break;\n default:\n while(asize > 0)\n {\n fprintf(stderr, \"%d/\", u16in());\n asize-=2;\n }\n }\n break;\n case 0x15:\n //fprintf(stderr, \"(8bit data)\");\n while(asize > 0)\n {\n fprintf(stderr, \"%d\", u8in());\n asize--;\n if (asize)\n fprintf(stderr, \"/\");\n }\n break;\n case 0xd:\n fprintf(stderr, \"(image data)\");\n break;\n default:\n fprintf(stderr, \"(unknown data type)\");\n break;\n }\n fprintf(stderr, \"\\n\");\n\n skip:\n // skip to the end of atom\n while (asize > 0)\n {\n u8in();\n asize--;\n }\n }\n fprintf(stderr, \"-------------------------------\\n\");\n\n return size;\n};",
- "project": "faad2",
- "hash": 270817636775156388719722064958229858604,
- "size": 252,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221450
- },
- {
- "func": "static int hdlr1in(int size)\n{\n uint8_t buf[5];\n\n buf[4] = 0;\n // version/flags\n u32in();\n // pre_defined\n u32in();\n // Component subtype\n datain(buf, 4);\n if (mp4config.verbose.header)\n fprintf(stderr, \"*track media type: '%s': \", buf);\n if (memcmp(\"soun\", buf, 4))\n {\n if (mp4config.verbose.header)\n fprintf(stderr, \"unsupported, skipping\\n\");\n return ERR_UNSUPPORTED;\n }\n else\n {\n if (mp4config.verbose.header)\n fprintf(stderr, \"OK\\n\");\n }\n // reserved\n u32in();\n u32in();\n u32in();\n // name\n // null terminate\n u8in();\n\n return size;\n};",
- "project": "faad2",
- "hash": 154591307517079041335713649658869234735,
- "size": 34,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221445
- },
- {
- "func": "static int metain(int size)\n{\n // version/flags\n u32in();\n\n return ERR_OK;\n};",
- "project": "faad2",
- "hash": 75324055347829734329165615870439980536,
- "size": 7,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221455
- },
- {
- "func": "static int ftypin(int size)\n{\n enum {BUFSIZE = 40};\n char buf[BUFSIZE];\n uint32_t u32;\n\n buf[4] = 0;\n datain(buf, 4);\n u32 = u32in();\n\n if (mp4config.verbose.header)\n fprintf(stderr, \"Brand:\\t\\t\\t%s(version %d)\\n\", buf, u32);\n\n stringin(buf, BUFSIZE);\n\n if (mp4config.verbose.header)\n fprintf(stderr, \"Compatible brands:\\t%s\\n\", buf);\n\n return size;\n}",
- "project": "faad2",
- "hash": 50311746152815412413561320829290338062,
- "size": 20,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221458
- },
- {
- "func": "static int datain(void *data, int size)\n{\n if (fread(data, 1, size, g_fin) != size)\n return ERR_FAIL;\n return size;\n}",
- "project": "faad2",
- "hash": 338414385361084113991386902383601496212,
- "size": 6,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221429
- },
- {
- "func": "static uint16_t u16in(void)\n{\n uint16_t u16;\n datain(&u16, 2);\n u16 = bswap16(u16);\n return u16;\n}",
- "project": "faad2",
- "hash": 300009682279474729032196346079080354587,
- "size": 7,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221452
- },
- {
- "func": "static inline uint16_t bswap16(const uint16_t u16)\n{\n#ifndef WORDS_BIGENDIAN\n#if defined (__GNUC__) && ((__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ >= 8)))\n return __builtin_bswap16(u16);\n#elif defined (_MSC_VER)\n return _byteswap_ushort(u16);\n#else\n return (u16 << 8) | (u16 >> 8);\n#endif\n#else\n return u16;\n#endif\n}",
- "project": "faad2",
- "hash": 93752458717884206147046017786973658718,
- "size": 14,
- "commit_id": "1b71a6ba963d131375f5e489b3b25e36f19f3f24",
- "message": "fix heap-buffer-overflow in mp4read.c\n\nThis originated from an integer overflow: If mp4config.frame.ents\nwould be read-in with a value of (uint32t)(-1), it would overflow to 0\nin the size calculation for the allocation in the next line. The\nmalloc() function would then successfully return a pointer to a memory\nregion of size 0, which will cause a segfault when written to.\n\nFixes #57.",
- "target": 0,
- "dataset": "other",
- "idx": 221456
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "nfs4_xdr_enc_create_session",
- "encode_create_session",
- "xdr_encode_array"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "xdr_encode_string(__be32 *p, const char *string)\n{\n\treturn xdr_encode_array(p, string, strlen(string));\n}",
- "project": "linux",
- "hash": 283093132022500626066677416199834873177,
- "size": 4,
- "commit_id": "6d1c0f3d28f98ea2736128ed3e46821496dc3a8c",
- "message": "sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base()\n\nThis seems to happen fairly easily during READ_PLUS testing on NFS v4.2.\nI found that we could end up accessing xdr->buf->pages[pgnr] with a pgnr\ngreater than the number of pages in the array. So let's just return\nearly if we're setting base to a point at the end of the page data and\nlet xdr_set_tail_base() handle setting up the buffer pointers instead.\n\nSigned-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>\nFixes: 8d86e373b0ef (\"SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base()\")\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 481083
- },
- {
- "func": "static void nfs4_xdr_enc_create_session(struct rpc_rqst *req,\n\t\t\t\t\tstruct xdr_stream *xdr,\n\t\t\t\t\tconst void *data)\n{\n\tconst struct nfs41_create_session_args *args = data;\n\tstruct compound_hdr hdr = {\n\t\t.minorversion = args->client->cl_mvops->minor_version,\n\t};\n\n\tencode_compound_hdr(xdr, req, &hdr);\n\tencode_create_session(xdr, args, &hdr);\n\tencode_nops(&hdr);\n}",
- "project": "linux",
- "hash": 54861487140608560829208413179510324463,
- "size": 13,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 430972
- },
- {
- "func": "static void encode_create_session(struct xdr_stream *xdr,\n\t\t\t\t const struct nfs41_create_session_args *args,\n\t\t\t\t struct compound_hdr *hdr)\n{\n\t__be32 *p;\n\tstruct nfs_client *clp = args->client;\n\tstruct rpc_clnt *clnt = clp->cl_rpcclient;\n\tstruct nfs_net *nn = net_generic(clp->cl_net, nfs_net_id);\n\tu32 max_resp_sz_cached;\n\n\t/*\n\t * Assumes OPEN is the biggest non-idempotent compound.\n\t * 2 is the verifier.\n\t */\n\tmax_resp_sz_cached = (NFS4_dec_open_sz + RPC_REPHDRSIZE + 2)\n\t\t\t\t* XDR_UNIT + RPC_MAX_AUTH_SIZE;\n\n\tencode_op_hdr(xdr, OP_CREATE_SESSION, decode_create_session_maxsz, hdr);\n\tp = reserve_space(xdr, 16 + 2*28 + 20 + clnt->cl_nodelen + 12);\n\tp = xdr_encode_hyper(p, args->clientid);\n\t*p++ = cpu_to_be32(args->seqid);\t\t\t/*Sequence id */\n\t*p++ = cpu_to_be32(args->flags);\t\t\t/*flags */\n\n\t/* Fore Channel */\n\t*p++ = cpu_to_be32(0);\t\t\t\t/* header padding size */\n\t*p++ = cpu_to_be32(args->fc_attrs.max_rqst_sz);\t/* max req size */\n\t*p++ = cpu_to_be32(args->fc_attrs.max_resp_sz);\t/* max resp size */\n\t*p++ = cpu_to_be32(max_resp_sz_cached);\t\t/* Max resp sz cached */\n\t*p++ = cpu_to_be32(args->fc_attrs.max_ops);\t/* max operations */\n\t*p++ = cpu_to_be32(args->fc_attrs.max_reqs);\t/* max requests */\n\t*p++ = cpu_to_be32(0);\t\t\t\t/* rdmachannel_attrs */\n\n\t/* Back Channel */\n\t*p++ = cpu_to_be32(0);\t\t\t\t/* header padding size */\n\t*p++ = cpu_to_be32(args->bc_attrs.max_rqst_sz);\t/* max req size */\n\t*p++ = cpu_to_be32(args->bc_attrs.max_resp_sz);\t/* max resp size */\n\t*p++ = cpu_to_be32(args->bc_attrs.max_resp_sz_cached);\t/* Max resp sz cached */\n\t*p++ = cpu_to_be32(args->bc_attrs.max_ops);\t/* max operations */\n\t*p++ = cpu_to_be32(args->bc_attrs.max_reqs);\t/* max requests */\n\t*p++ = cpu_to_be32(0);\t\t\t\t/* rdmachannel_attrs */\n\n\t*p++ = cpu_to_be32(args->cb_program);\t\t/* cb_program */\n\t*p++ = cpu_to_be32(1);\n\t*p++ = cpu_to_be32(RPC_AUTH_UNIX);\t\t\t/* auth_sys 
*/\n\n\t/* authsys_parms rfc1831 */\n\t*p++ = cpu_to_be32(ktime_to_ns(nn->boot_time));\t/* stamp */\n\tp = xdr_encode_array(p, clnt->cl_nodename, clnt->cl_nodelen);\n\t*p++ = cpu_to_be32(0);\t\t\t\t/* UID */\n\t*p++ = cpu_to_be32(0);\t\t\t\t/* GID */\n\t*p = cpu_to_be32(0);\t\t\t\t/* No more gids */\n}",
- "project": "linux",
- "hash": 271164664246807814614671893720271838784,
- "size": 52,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431326
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "ldapsrv_accept_priv",
- "ldapsrv_accept",
- "ldapsrv_call_read_next",
- "ldapsrv_terminate_connection"
- ],
- "group_size": 20,
- "functions": [
- {
- "func": "void ldapsrv_notification_retry_setup(struct ldapsrv_service *service, bool force)\n{\n\tstruct ldapsrv_connection *conn = NULL;\n\tstruct timeval retry;\n\tsize_t num_pending = 0;\n\tsize_t num_active = 0;\n\n\tif (force) {\n\t\tTALLOC_FREE(service->notification.retry);\n\t\tservice->notification.generation += 1;\n\t}\n\n\tif (service->notification.retry != NULL) {\n\t\treturn;\n\t}\n\n\tfor (conn = service->connections; conn != NULL; conn = conn->next) {\n\t\tif (conn->pending_calls == NULL) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tnum_pending += 1;\n\n\t\tif (conn->pending_calls->notification.generation !=\n\t\t service->notification.generation)\n\t\t{\n\t\t\tnum_active += 1;\n\t\t}\n\t}\n\n\tif (num_pending == 0) {\n\t\treturn;\n\t}\n\n\tif (num_active != 0) {\n\t\tretry = timeval_current_ofs(0, 100);\n\t} else {\n\t\tretry = timeval_current_ofs(5, 0);\n\t}\n\n\tservice->notification.retry = tevent_wakeup_send(service,\n\t\t\t\t\t\t\t service->task->event_ctx,\n\t\t\t\t\t\t\t retry);\n\tif (service->notification.retry == NULL) {\n\t\t/* retry later */\n\t\treturn;\n\t}\n\n\ttevent_req_set_callback(service->notification.retry,\n\t\t\t\tldapsrv_notification_retry_done,\n\t\t\t\tservice);\n}",
- "project": "samba",
- "hash": 164211767725914976735745017379817965043,
- "size": 52,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274244
- },
- {
- "func": "static void ldapsrv_call_postprocess_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_call *call =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_call);\n\tstruct ldapsrv_connection *conn = call->conn;\n\tNTSTATUS status;\n\n\tstatus = call->postprocess_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(call, \"ldapsrv_call_postprocess_done: \"\n\t\t\t\t\t \"call->postprocess_recv() - %s\",\n\t\t\t\t\t nt_errstr(status));\n\t\tif (reason == NULL) {\n\t\t\treason = nt_errstr(status);\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tTALLOC_FREE(call);\n\n\tldapsrv_call_read_next(conn);\n}",
- "project": "samba",
- "hash": 50898281518744840722080015617681281545,
- "size": 28,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274258
- },
- {
- "func": "static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req)\n{\n\tNTSTATUS status;\n\n\tif (tevent_req_is_nterror(req, &status)) {\n\t\ttevent_req_received(req);\n\t\treturn status;\n\t}\n\n\ttevent_req_received(req);\n\treturn NT_STATUS_OK;\n}",
- "project": "samba",
- "hash": 131695309655897279135109411774164603380,
- "size": 12,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274256
- },
- {
- "func": "static void ldapsrv_accept_nonpriv(struct stream_connection *c)\n{\n\tstruct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(\n\t\tc->private_data, struct ldapsrv_service);\n\tstruct auth_session_info *session_info;\n\tNTSTATUS status;\n\n\tstatus = auth_anonymous_session_info(\n\t\tc, ldapsrv_service->task->lp_ctx, &session_info);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tstream_terminate_connection(c, \"failed to setup anonymous \"\n\t\t\t\t\t \"session info\");\n\t\treturn;\n\t}\n\tldapsrv_accept(c, session_info, false);\n}",
- "project": "samba",
- "hash": 200890418750490307386632058241356591988,
- "size": 16,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274268
- },
- {
- "func": "static bool ldapsrv_call_read_next(struct ldapsrv_connection *conn)\n{\n\tstruct tevent_req *subreq;\n\n\tif (conn->pending_calls != NULL) {\n\t\tconn->limits.endtime = timeval_zero();\n\n\t\tldapsrv_notification_retry_setup(conn->service, false);\n\t} else if (timeval_is_zero(&conn->limits.endtime)) {\n\t\tconn->limits.endtime =\n\t\t\ttimeval_current_ofs(conn->limits.initial_timeout, 0);\n\t} else {\n\t\tconn->limits.endtime =\n\t\t\ttimeval_current_ofs(conn->limits.conn_idle_time, 0);\n\t}\n\n\tif (conn->sockets.read_req != NULL) {\n\t\treturn true;\n\t}\n\n\t/*\n\t * The minimum size of a LDAP pdu is 7 bytes\n\t *\n\t * dumpasn1 -hh ldap-unbind-min.dat\n\t *\n\t * <30 05 02 01 09 42 00>\n\t * 0 5: SEQUENCE {\n\t * <02 01 09>\n\t * 2 1: INTEGER 9\n\t * <42 00>\n\t * 5 0: [APPLICATION 2]\n\t * : Error: Object has zero length.\n\t * : }\n\t *\n\t * dumpasn1 -hh ldap-unbind-windows.dat\n\t *\n\t * <30 84 00 00 00 05 02 01 09 42 00>\n\t * 0 5: SEQUENCE {\n\t * <02 01 09>\n\t * 6 1: INTEGER 9\n\t * <42 00>\n\t * 9 0: [APPLICATION 2]\n\t * : Error: Object has zero length.\n\t * : }\n\t *\n\t * This means using an initial read size\n\t * of 7 is ok.\n\t */\n\tsubreq = tstream_read_pdu_blob_send(conn,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->sockets.active,\n\t\t\t\t\t 7, /* initial_read_size */\n\t\t\t\t\t ldapsrv_packet_check,\n\t\t\t\t\t conn);\n\tif (subreq == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"ldapsrv_call_read_next: \"\n\t\t\t\t\"no memory for tstream_read_pdu_blob_send\");\n\t\treturn false;\n\t}\n\tif (!timeval_is_zero(&conn->limits.endtime)) {\n\t\tbool ok;\n\t\tok = tevent_req_set_endtime(subreq,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->limits.endtime);\n\t\tif (!ok) {\n\t\t\tldapsrv_terminate_connection(\n\t\t\t\tconn,\n\t\t\t\t\"ldapsrv_call_read_next: \"\n\t\t\t\t\"no memory for tevent_req_set_endtime\");\n\t\t\treturn false;\n\t\t}\n\t}\n\ttevent_req_set_callback(subreq, ldapsrv_call_read_done, 
conn);\n\tconn->sockets.read_req = subreq;\n\treturn true;\n}",
- "project": "samba",
- "hash": 148804764610121926366840016195510941867,
- "size": 76,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274267
- },
- {
- "func": "static void ldapsrv_call_wait_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_call *call =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_call);\n\tstruct ldapsrv_connection *conn = call->conn;\n\tNTSTATUS status;\n\n\tconn->active_call = NULL;\n\n\tstatus = call->wait_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(call, \"ldapsrv_call_wait_done: \"\n\t\t\t\t\t \"call->wait_recv() - %s\",\n\t\t\t\t\t nt_errstr(status));\n\t\tif (reason == NULL) {\n\t\t\treason = nt_errstr(status);\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tldapsrv_call_writev_start(call);\n}",
- "project": "samba",
- "hash": 245179838042033896261629711516324441256,
- "size": 28,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274257
- },
- {
- "func": "static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn,\n\t\t\t\t\t const char *reason)\n{\n\tstruct tevent_req *subreq;\n\n\tif (conn->limits.reason) {\n\t\treturn;\n\t}\n\n\tDLIST_REMOVE(conn->service->connections, conn);\n\n\tconn->limits.endtime = timeval_current_ofs(0, 500);\n\n\ttevent_queue_stop(conn->sockets.send_queue);\n\tTALLOC_FREE(conn->sockets.read_req);\n\tTALLOC_FREE(conn->deferred_expire_disconnect);\n\tif (conn->active_call) {\n\t\ttevent_req_cancel(conn->active_call);\n\t\tconn->active_call = NULL;\n\t}\n\n\tconn->limits.reason = talloc_strdup(conn, reason);\n\tif (conn->limits.reason == NULL) {\n\t\tTALLOC_FREE(conn->sockets.tls);\n\t\tTALLOC_FREE(conn->sockets.sasl);\n\t\tTALLOC_FREE(conn->sockets.raw);\n\t\tstream_terminate_connection(conn->connection, reason);\n\t\treturn;\n\t}\n\n\tsubreq = tstream_disconnect_send(conn,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->sockets.active);\n\tif (subreq == NULL) {\n\t\tTALLOC_FREE(conn->sockets.tls);\n\t\tTALLOC_FREE(conn->sockets.sasl);\n\t\tTALLOC_FREE(conn->sockets.raw);\n\t\tstream_terminate_connection(conn->connection, reason);\n\t\treturn;\n\t}\n\ttevent_req_set_endtime(subreq,\n\t\t\t conn->connection->event.ctx,\n\t\t\t conn->limits.endtime);\n\ttevent_req_set_callback(subreq, ldapsrv_terminate_connection_done, conn);\n}",
- "project": "samba",
- "hash": 89896492431690803255383534521597584901,
- "size": 45,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274255
- },
- {
- "func": "static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_connection *conn = tevent_req_callback_data(\n\t\tsubreq, struct ldapsrv_connection);\n\tbool ok;\n\n\tok = tevent_wakeup_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!ok) {\n\t\tDBG_WARNING(\"tevent_wakeup_recv failed\\n\");\n\t}\n\tconn->deferred_expire_disconnect = NULL;\n\tldapsrv_terminate_connection(conn, \"network session expired\");\n}",
- "project": "samba",
- "hash": 149216946338093456042738285057139220459,
- "size": 14,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274260
- },
- {
- "func": "static void ldapsrv_accept(struct stream_connection *c,\n\t\t\t struct auth_session_info *session_info,\n\t\t\t bool is_privileged)\n{\n\tstruct ldapsrv_service *ldapsrv_service = \n\t\ttalloc_get_type(c->private_data, struct ldapsrv_service);\n\tstruct ldapsrv_connection *conn;\n\tstruct cli_credentials *server_credentials;\n\tstruct socket_address *socket_address;\n\tNTSTATUS status;\n\tint port;\n\tint ret;\n\tstruct tevent_req *subreq;\n\tstruct timeval endtime;\n\tchar *errstring = NULL;\n\n\tconn = talloc_zero(c, struct ldapsrv_connection);\n\tif (!conn) {\n\t\tstream_terminate_connection(c, \"ldapsrv_accept: out of memory\");\n\t\treturn;\n\t}\n\tconn->is_privileged = is_privileged;\n\n\tconn->sockets.send_queue = tevent_queue_create(conn, \"ldapsev send queue\");\n\tif (conn->sockets.send_queue == NULL) {\n\t\tstream_terminate_connection(c,\n\t\t\t\t\t \"ldapsrv_accept: tevent_queue_create failed\");\n\t\treturn;\n\t}\n\n\tTALLOC_FREE(c->event.fde);\n\n\tret = tstream_bsd_existing_socket(conn,\n\t\t\t\t\t socket_get_fd(c->socket),\n\t\t\t\t\t &conn->sockets.raw);\n\tif (ret == -1) {\n\t\tstream_terminate_connection(c,\n\t\t\t\t\t \"ldapsrv_accept: out of memory\");\n\t\treturn;\n\t}\n\tsocket_set_flags(c->socket, SOCKET_FLAG_NOCLOSE);\n\n\tconn->connection = c;\n\tconn->service = ldapsrv_service;\n\tconn->lp_ctx = ldapsrv_service->task->lp_ctx;\n\n\tc->private_data = conn;\n\n\tsocket_address = socket_get_my_addr(c->socket, conn);\n\tif (!socket_address) {\n\t\tldapsrv_terminate_connection(conn, \"ldapsrv_accept: failed to obtain local socket address!\");\n\t\treturn;\n\t}\n\tport = socket_address->port;\n\ttalloc_free(socket_address);\n\tif (port == 3268 || port == 3269) /* Global catalog */ {\n\t\tconn->global_catalog = true;\n\t}\n\n\tserver_credentials = cli_credentials_init(conn);\n\tif (!server_credentials) {\n\t\tstream_terminate_connection(c, \"Failed to init server 
credentials\\n\");\n\t\treturn;\n\t}\n\n\tcli_credentials_set_conf(server_credentials, conn->lp_ctx);\n\tstatus = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tstream_terminate_connection(c, talloc_asprintf(conn, \"Failed to obtain server credentials, perhaps a standalone server?: %s\\n\", nt_errstr(status)));\n\t\treturn;\n\t}\n\tconn->server_credentials = server_credentials;\n\n\tconn->session_info = session_info;\n\n\tconn->sockets.active = conn->sockets.raw;\n\n\tif (conn->is_privileged) {\n\t\tconn->require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_NO;\n\t} else {\n\t\tconn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);\n\t}\n\n\tret = ldapsrv_backend_Init(conn, &errstring);\n\tif (ret != LDB_SUCCESS) {\n\t\tchar *reason = talloc_asprintf(conn,\n\t\t\t\t\t \"LDB backend for LDAP Init \"\n\t\t\t\t\t \"failed: %s: %s\",\n\t\t\t\t\t errstring, ldb_strerror(ret));\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\t/* load limits from the conf partition */\n\tldapsrv_load_limits(conn); /* should we fail on error ? */\n\n\t/* register the server */\t\n\tirpc_add_name(c->msg_ctx, \"ldap_server\");\n\n\tDLIST_ADD_END(ldapsrv_service->connections, conn);\n\n\tif (port != 636 && port != 3269) {\n\t\tldapsrv_call_read_next(conn);\n\t\treturn;\n\t}\n\n\tendtime = timeval_current_ofs(conn->limits.conn_idle_time, 0);\n\n\tsubreq = tstream_tls_accept_send(conn,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->sockets.raw,\n\t\t\t\t\t conn->service->tls_params);\n\tif (subreq == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"ldapsrv_accept: \"\n\t\t\t\t\"no memory for tstream_tls_accept_send\");\n\t\treturn;\n\t}\n\ttevent_req_set_endtime(subreq,\n\t\t\t conn->connection->event.ctx,\n\t\t\t endtime);\n\ttevent_req_set_callback(subreq, ldapsrv_accept_tls_done, conn);\n}",
- "project": "samba",
- "hash": 237481986044682052606798819803454206300,
- "size": 122,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274248
- },
- {
- "func": "static void ldapsrv_call_writev_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_call *call =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_call);\n\tstruct ldapsrv_connection *conn = call->conn;\n\tint sys_errno;\n\tint rc;\n\n\trc = tstream_writev_queue_recv(subreq, &sys_errno);\n\tTALLOC_FREE(subreq);\n\n\t/* This releases the ASN.1 encoded packets from memory */\n\tTALLOC_FREE(call->out_iov);\n\tif (rc == -1) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(call, \"ldapsrv_call_writev_done: \"\n\t\t\t\t\t \"tstream_writev_queue_recv() - %d:%s\",\n\t\t\t\t\t sys_errno, strerror(sys_errno));\n\t\tif (reason == NULL) {\n\t\t\treason = \"ldapsrv_call_writev_done: \"\n\t\t\t\t \"tstream_writev_queue_recv() failed\";\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tif (call->postprocess_send) {\n\t\tsubreq = call->postprocess_send(call,\n\t\t\t\t\t\tconn->connection->event.ctx,\n\t\t\t\t\t\tcall->postprocess_private);\n\t\tif (subreq == NULL) {\n\t\t\tldapsrv_terminate_connection(conn, \"ldapsrv_call_writev_done: \"\n\t\t\t\t\t\"call->postprocess_send - no memory\");\n\t\t\treturn;\n\t\t}\n\t\ttevent_req_set_callback(subreq,\n\t\t\t\t\tldapsrv_call_postprocess_done,\n\t\t\t\t\tcall);\n\t\treturn;\n\t}\n\n\t/* Perhaps still some more to send */\n\tif (call->replies != NULL) {\n\t\tldapsrv_call_writev_start(call);\n\t\treturn;\n\t}\n\n\tif (!call->notification.busy) {\n\t\tTALLOC_FREE(call);\n\t}\n\n\tldapsrv_call_read_next(conn);\n}",
- "project": "samba",
- "hash": 23721395339361040522884503184921195612,
- "size": 56,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274272
- },
- {
- "func": "static void ldapsrv_accept_tls_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_connection *conn =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_connection);\n\tint ret;\n\tint sys_errno;\n\n\tret = tstream_tls_accept_recv(subreq, &sys_errno,\n\t\t\t\t conn, &conn->sockets.tls);\n\tTALLOC_FREE(subreq);\n\tif (ret == -1) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(conn, \"ldapsrv_accept_tls_loop: \"\n\t\t\t\t\t \"tstream_tls_accept_recv() - %d:%s\",\n\t\t\t\t\t sys_errno, strerror(sys_errno));\n\t\tif (!reason) {\n\t\t\treason = \"ldapsrv_accept_tls_loop: \"\n\t\t\t\t \"tstream_tls_accept_recv() - failed\";\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tconn->sockets.active = conn->sockets.tls;\n\tconn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;\n\tldapsrv_call_read_next(conn);\n}",
- "project": "samba",
- "hash": 156007926465375734284255274710207877505,
- "size": 30,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274266
- },
- {
- "func": "static void ldapsrv_notification_retry_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_service *service =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_service);\n\tstruct ldapsrv_connection *conn = NULL;\n\tstruct ldapsrv_connection *conn_next = NULL;\n\tbool ok;\n\n\tservice->notification.retry = NULL;\n\n\tok = tevent_wakeup_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!ok) {\n\t\t/* ignore */\n\t}\n\n\tfor (conn = service->connections; conn != NULL; conn = conn_next) {\n\t\tstruct ldapsrv_call *call = conn->pending_calls;\n\n\t\tconn_next = conn->next;\n\n\t\tif (conn->pending_calls == NULL) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (conn->active_call != NULL) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tDLIST_DEMOTE(conn->pending_calls, call);\n\t\tcall->notification.generation =\n\t\t\t\tservice->notification.generation;\n\n\t\t/* queue the call in the global queue */\n\t\tsubreq = ldapsrv_process_call_send(call,\n\t\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t\t conn->service->call_queue,\n\t\t\t\t\t\t call);\n\t\tif (subreq == NULL) {\n\t\t\tldapsrv_terminate_connection(conn,\n\t\t\t\t\t\"ldapsrv_process_call_send failed\");\n\t\t\tcontinue;\n\t\t}\n\t\ttevent_req_set_callback(subreq, ldapsrv_call_process_done, call);\n\t\tconn->active_call = subreq;\n\t}\n\n\tldapsrv_notification_retry_setup(service, false);\n}",
- "project": "samba",
- "hash": 209125356924479592647807381179697027992,
- "size": 50,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274249
- },
- {
- "func": "static int ldapsrv_load_limits(struct ldapsrv_connection *conn)\n{\n\tTALLOC_CTX *tmp_ctx;\n\tconst char *attrs[] = { \"configurationNamingContext\", NULL };\n\tconst char *attrs2[] = { \"lDAPAdminLimits\", NULL };\n\tstruct ldb_message_element *el;\n\tstruct ldb_result *res = NULL;\n\tstruct ldb_dn *basedn;\n\tstruct ldb_dn *conf_dn;\n\tstruct ldb_dn *policy_dn;\n\tunsigned int i;\n\tint ret;\n\n\t/* set defaults limits in case of failure */\n\tconn->limits.initial_timeout = 120;\n\tconn->limits.conn_idle_time = 900;\n\tconn->limits.max_page_size = 1000;\n\tconn->limits.max_notifications = 5;\n\tconn->limits.search_timeout = 120;\n\tconn->limits.expire_time = (struct timeval) {\n\t\t.tv_sec = get_time_t_max(),\n\t};\n\n\n\ttmp_ctx = talloc_new(conn);\n\tif (tmp_ctx == NULL) {\n\t\treturn -1;\n\t}\n\n\tbasedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);\n\tif (basedn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);\n\tif (ret != LDB_SUCCESS) {\n\t\tgoto failed;\n\t}\n\n\tif (res->count != 1) {\n\t\tgoto failed;\n\t}\n\n\tconf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], \"configurationNamingContext\");\n\tif (conf_dn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tpolicy_dn = ldb_dn_copy(tmp_ctx, conf_dn);\n\tldb_dn_add_child_fmt(policy_dn, \"CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services\");\n\tif (policy_dn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);\n\tif (ret != LDB_SUCCESS) {\n\t\tgoto failed;\n\t}\n\n\tif (res->count != 1) {\n\t\tgoto failed;\n\t}\n\n\tel = ldb_msg_find_element(res->msgs[0], \"lDAPAdminLimits\");\n\tif (el == NULL) {\n\t\tgoto failed;\n\t}\n\n\tfor (i = 0; i < el->num_values; i++) {\n\t\tchar policy_name[256];\n\t\tint policy_value, s;\n\n\t\ts = sscanf((const char *)el->values[i].data, \"%255[^=]=%d\", policy_name, 
&policy_value);\n\t\tif (s != 2 || policy_value == 0)\n\t\t\tcontinue;\n\t\tif (strcasecmp(\"InitRecvTimeout\", policy_name) == 0) {\n\t\t\tconn->limits.initial_timeout = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxConnIdleTime\", policy_name) == 0) {\n\t\t\tconn->limits.conn_idle_time = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxPageSize\", policy_name) == 0) {\n\t\t\tconn->limits.max_page_size = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxNotificationPerConn\", policy_name) == 0) {\n\t\t\tconn->limits.max_notifications = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxQueryDuration\", policy_name) == 0) {\n\t\t\tconn->limits.search_timeout = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t}\n\n\treturn 0;\n\nfailed:\n\tDBG_ERR(\"Failed to load ldap server query policies\\n\");\n\ttalloc_free(tmp_ctx);\n\treturn -1;\n}",
- "project": "samba",
- "hash": 179110453965118510639557808253855764974,
- "size": 104,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 1,
- "dataset": "other",
- "idx": 198425
- },
- {
- "func": "static int ldapsrv_load_limits(struct ldapsrv_connection *conn)\n{\n\tTALLOC_CTX *tmp_ctx;\n\tconst char *attrs[] = { \"configurationNamingContext\", NULL };\n\tconst char *attrs2[] = { \"lDAPAdminLimits\", NULL };\n\tstruct ldb_message_element *el;\n\tstruct ldb_result *res = NULL;\n\tstruct ldb_dn *basedn;\n\tstruct ldb_dn *conf_dn;\n\tstruct ldb_dn *policy_dn;\n\tunsigned int i;\n\tint ret;\n\n\t/* set defaults limits in case of failure */\n\tconn->limits.initial_timeout = 120;\n\tconn->limits.conn_idle_time = 900;\n\tconn->limits.max_page_size = 1000;\n\tconn->limits.max_notifications = 5;\n\tconn->limits.search_timeout = 120;\n\tconn->limits.expire_time = (struct timeval) {\n\t\t.tv_sec = get_time_t_max(),\n\t};\n\n\n\ttmp_ctx = talloc_new(conn);\n\tif (tmp_ctx == NULL) {\n\t\treturn -1;\n\t}\n\n\tbasedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);\n\tif (basedn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);\n\tif (ret != LDB_SUCCESS) {\n\t\tgoto failed;\n\t}\n\n\tif (res->count != 1) {\n\t\tgoto failed;\n\t}\n\n\tconf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], \"configurationNamingContext\");\n\tif (conf_dn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tpolicy_dn = ldb_dn_copy(tmp_ctx, conf_dn);\n\tldb_dn_add_child_fmt(policy_dn, \"CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services\");\n\tif (policy_dn == NULL) {\n\t\tgoto failed;\n\t}\n\n\tret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);\n\tif (ret != LDB_SUCCESS) {\n\t\tgoto failed;\n\t}\n\n\tif (res->count != 1) {\n\t\tgoto failed;\n\t}\n\n\tel = ldb_msg_find_element(res->msgs[0], \"lDAPAdminLimits\");\n\tif (el == NULL) {\n\t\tgoto failed;\n\t}\n\n\tfor (i = 0; i < el->num_values; i++) {\n\t\tchar policy_name[256];\n\t\tint policy_value, s;\n\n\t\ts = sscanf((const char *)el->values[i].data, \"%255[^=]=%d\", policy_name, 
&policy_value);\n\t\tif (s != 2 || policy_value == 0)\n\t\t\tcontinue;\n\t\tif (strcasecmp(\"InitRecvTimeout\", policy_name) == 0) {\n\t\t\tconn->limits.initial_timeout = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxConnIdleTime\", policy_name) == 0) {\n\t\t\tconn->limits.conn_idle_time = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxPageSize\", policy_name) == 0) {\n\t\t\tconn->limits.max_page_size = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxNotificationPerConn\", policy_name) == 0) {\n\t\t\tconn->limits.max_notifications = policy_value;\n\t\t\tcontinue;\n\t\t}\n\t\tif (strcasecmp(\"MaxQueryDuration\", policy_name) == 0) {\n\t\t\tif (policy_value > 0) {\n\t\t\t\tconn->limits.search_timeout = policy_value;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\t}\n\n\treturn 0;\n\nfailed:\n\tDBG_ERR(\"Failed to load ldap server query policies\\n\");\n\ttalloc_free(tmp_ctx);\n\treturn -1;\n}",
- "project": "samba",
- "hash": 20233092815787754852088965792044905240,
- "size": 106,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274270
- },
- {
- "func": "static NTSTATUS ldapsrv_packet_check(\n\tvoid *private_data,\n\tDATA_BLOB blob,\n\tsize_t *packet_size)\n{\n\tNTSTATUS ret;\n\tstruct ldapsrv_connection *conn = private_data;\n\tint result = LDB_SUCCESS;\n\n\tret = ldap_full_packet(private_data, blob, packet_size);\n\tif (!NT_STATUS_IS_OK(ret)) {\n\t\treturn ret;\n\t}\n\tresult = ldapsrv_check_packet_size(conn, *packet_size);\n\tif (result != LDAP_SUCCESS) {\n\t\treturn NT_STATUS_LDAP(result);\n\t}\n\treturn NT_STATUS_OK;\n}",
- "project": "samba",
- "hash": 26391111498996562762649733474230387709,
- "size": 19,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274263
- },
- {
- "func": "static void ldapsrv_call_writev_start(struct ldapsrv_call *call)\n{\n\tstruct ldapsrv_connection *conn = call->conn;\n\tstruct ldapsrv_reply *reply = NULL;\n\tstruct tevent_req *subreq = NULL;\n\tsize_t length = 0;\n\tsize_t i;\n\n\tcall->iov_count = 0;\n\n\t/* build all the replies into an IOV (no copy) */\n\tfor (reply = call->replies;\n\t reply != NULL;\n\t reply = reply->next) {\n\n\t\t/* Cap output at 25MB per writev() */\n\t\tif (length > length + reply->blob.length\n\t\t || length + reply->blob.length > LDAP_SERVER_MAX_CHUNK_SIZE) {\n\t\t\tbreak;\n\t\t}\n\n\t\t/*\n\t\t * Overflow is harmless here, just used below to\n\t\t * decide if to read or write, but checked above anyway\n\t\t */\n\t\tlength += reply->blob.length;\n\n\t\t/*\n\t\t * At worst an overflow would mean we send less\n\t\t * replies\n\t\t */\n\t\tcall->iov_count++;\n\t}\n\n\tif (length == 0) {\n\t\tif (!call->notification.busy) {\n\t\t\tTALLOC_FREE(call);\n\t\t}\n\n\t\tldapsrv_call_read_next(conn);\n\t\treturn;\n\t}\n\n\t/* Cap call->iov_count at IOV_MAX */\n\tcall->iov_count = MIN(call->iov_count, IOV_MAX);\n\n\tcall->out_iov = talloc_array(call,\n\t\t\t\t struct iovec,\n\t\t\t\t call->iov_count);\n\tif (!call->out_iov) {\n\t\t/* This is not ideal */\n\t\tldapsrv_terminate_connection(conn,\n\t\t\t\t\t \"failed to allocate \"\n\t\t\t\t\t \"iovec array\");\n\t\treturn;\n\t}\n\n\t/* We may have had to cap the number of replies at IOV_MAX */\n\tfor (i = 0;\n\t i < call->iov_count && call->replies != NULL;\n\t i++) {\n\t\treply = call->replies;\n\t\tcall->out_iov[i].iov_base = reply->blob.data;\n\t\tcall->out_iov[i].iov_len = reply->blob.length;\n\n\t\t/* Keep only the ASN.1 encoded data */\n\t\ttalloc_steal(call->out_iov, reply->blob.data);\n\n\t\tDLIST_REMOVE(call->replies, reply);\n\t\tTALLOC_FREE(reply);\n\t}\n\n\tif (i > call->iov_count) {\n\t\t/* This is not ideal, but also (essentially) impossible */\n\t\tldapsrv_terminate_connection(conn,\n\t\t\t\t\t \"call list 
ended\"\n\t\t\t\t\t \"before iov_count\");\n\t\treturn;\n\t}\n\n\tsubreq = tstream_writev_queue_send(call,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->sockets.active,\n\t\t\t\t\t conn->sockets.send_queue,\n\t\t\t\t\t call->out_iov, call->iov_count);\n\tif (subreq == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"stream_writev_queue_send failed\");\n\t\treturn;\n\t}\n\ttevent_req_set_callback(subreq, ldapsrv_call_writev_done, call);\n}",
- "project": "samba",
- "hash": 63660284643483350930249543818774251501,
- "size": 91,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274265
- },
- {
- "func": "static void ldapsrv_accept_priv(struct stream_connection *c)\n{\n\tstruct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(\n\t\tc->private_data, struct ldapsrv_service);\n\tstruct auth_session_info *session_info;\n\n\tsession_info = system_session(ldapsrv_service->task->lp_ctx);\n\tif (!session_info) {\n\t\tstream_terminate_connection(c, \"failed to setup system \"\n\t\t\t\t\t \"session info\");\n\t\treturn;\n\t}\n\tldapsrv_accept(c, session_info, true);\n}",
- "project": "samba",
- "hash": 248588516067925582677625240081482568956,
- "size": 14,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274269
- },
- {
- "func": "static void ldapsrv_call_read_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_connection *conn =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_connection);\n\tNTSTATUS status;\n\tstruct ldapsrv_call *call;\n\tstruct asn1_data *asn1;\n\tDATA_BLOB blob;\n\tint ret = LDAP_SUCCESS;\n\tstruct ldap_request_limits limits = {0};\n\n\tconn->sockets.read_req = NULL;\n\n\tcall = talloc_zero(conn, struct ldapsrv_call);\n\tif (!call) {\n\t\tldapsrv_terminate_connection(conn, \"no memory\");\n\t\treturn;\n\t}\n\ttalloc_set_destructor(call, ldapsrv_call_destructor);\n\n\tcall->conn = conn;\n\n\tstatus = tstream_read_pdu_blob_recv(subreq,\n\t\t\t\t\t call,\n\t\t\t\t\t &blob);\n\tTALLOC_FREE(subreq);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tconst char *reason;\n\n\t\treason = talloc_asprintf(call, \"ldapsrv_call_loop: \"\n\t\t\t\t\t \"tstream_read_pdu_blob_recv() - %s\",\n\t\t\t\t\t nt_errstr(status));\n\t\tif (!reason) {\n\t\t\treason = nt_errstr(status);\n\t\t}\n\n\t\tldapsrv_terminate_connection(conn, reason);\n\t\treturn;\n\t}\n\n\tret = ldapsrv_check_packet_size(conn, blob.length);\n\tif (ret != LDAP_SUCCESS) {\n\t\tldapsrv_terminate_connection(\n\t\t\tconn,\n\t\t\t\"Request packet too large\");\n\t\treturn;\n\t}\n\n\tasn1 = asn1_init(call, ASN1_MAX_TREE_DEPTH);\n\tif (asn1 == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"no memory\");\n\t\treturn;\n\t}\n\n\tcall->request = talloc(call, struct ldap_message);\n\tif (call->request == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"no memory\");\n\t\treturn;\n\t}\n\n\tasn1_load_nocopy(asn1, blob.data, blob.length);\n\n\tlimits.max_search_size =\n\t\tlpcfg_ldap_max_search_request_size(conn->lp_ctx);\n\tstatus = ldap_decode(\n\t\tasn1,\n\t\t&limits,\n\t\tsamba_ldap_control_handlers(),\n\t\tcall->request);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tldapsrv_terminate_connection(conn, nt_errstr(status));\n\t\treturn;\n\t}\n\n\tdata_blob_free(&blob);\n\tTALLOC_FREE(asn1);\n\n\n\t/* queue the call in the 
global queue */\n\tsubreq = ldapsrv_process_call_send(call,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t conn->service->call_queue,\n\t\t\t\t\t call);\n\tif (subreq == NULL) {\n\t\tldapsrv_terminate_connection(conn, \"ldapsrv_process_call_send failed\");\n\t\treturn;\n\t}\n\ttevent_req_set_callback(subreq, ldapsrv_call_process_done, call);\n\tconn->active_call = subreq;\n}",
- "project": "samba",
- "hash": 83780409077588544429973836003259519563,
- "size": 91,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274251
- },
- {
- "func": "static void ldapsrv_call_process_done(struct tevent_req *subreq)\n{\n\tstruct ldapsrv_call *call =\n\t\ttevent_req_callback_data(subreq,\n\t\tstruct ldapsrv_call);\n\tstruct ldapsrv_connection *conn = call->conn;\n\tNTSTATUS status;\n\n\tconn->active_call = NULL;\n\n\tstatus = ldapsrv_process_call_recv(subreq);\n\tTALLOC_FREE(subreq);\n\tif (!NT_STATUS_IS_OK(status)) {\n\t\tldapsrv_terminate_connection(conn, nt_errstr(status));\n\t\treturn;\n\t}\n\n\tif (call->wait_send != NULL) {\n\t\tsubreq = call->wait_send(call,\n\t\t\t\t\t conn->connection->event.ctx,\n\t\t\t\t\t call->wait_private);\n\t\tif (subreq == NULL) {\n\t\t\tldapsrv_terminate_connection(conn,\n\t\t\t\t\t\"ldapsrv_call_process_done: \"\n\t\t\t\t\t\"call->wait_send - no memory\");\n\t\t\treturn;\n\t\t}\n\t\ttevent_req_set_callback(subreq,\n\t\t\t\t\tldapsrv_call_wait_done,\n\t\t\t\t\tcall);\n\t\tconn->active_call = subreq;\n\t\treturn;\n\t}\n\n\tldapsrv_call_writev_start(call);\n}",
- "project": "samba",
- "hash": 91770496350954271773300687472820359720,
- "size": 36,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274271
- },
- {
- "func": "static int ldapsrv_check_packet_size(\n\tstruct ldapsrv_connection *conn,\n\tsize_t size)\n{\n\tbool is_anonymous = false;\n\tsize_t max_size = 0;\n\n\tmax_size = lpcfg_ldap_max_anonymous_request_size(conn->lp_ctx);\n\tif (size <= max_size) {\n\t\treturn LDAP_SUCCESS;\n\t}\n\n\t/*\n\t * Request is larger than the maximum unauthenticated request size.\n\t * As this code is called frequently we avoid calling\n\t * security_token_is_anonymous if possible\n\t */\n\tif (conn->session_info != NULL &&\n\t\tconn->session_info->security_token != NULL) {\n\t\tis_anonymous = security_token_is_anonymous(\n\t\t\tconn->session_info->security_token);\n\t}\n\n\tif (is_anonymous) {\n\t\tDBG_WARNING(\n\t\t\t\"LDAP request size (%zu) exceeds (%zu)\\n\",\n\t\t\tsize,\n\t\t\tmax_size);\n\t\treturn LDAP_UNWILLING_TO_PERFORM;\n\t}\n\n\tmax_size = lpcfg_ldap_max_authenticated_request_size(conn->lp_ctx);\n\tif (size > max_size) {\n\t\tDBG_WARNING(\n\t\t\t\"LDAP request size (%zu) exceeds (%zu)\\n\",\n\t\t\tsize,\n\t\t\tmax_size);\n\t\treturn LDAP_UNWILLING_TO_PERFORM;\n\t}\n\treturn LDAP_SUCCESS;\n\n}",
- "project": "samba",
- "hash": 125310637314983518118518477367507280780,
- "size": 42,
- "commit_id": "f9b2267c6eb8138fc94df7a138ad5d87526f1d79",
- "message": "CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14694\n\nSigned-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>\nReviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>\n(cherry picked from commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049)",
- "target": 0,
- "dataset": "other",
- "idx": 274252
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "do_print",
- "do_show",
- "show_line",
- "acl_perm_str"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "int do_show(FILE *stream, const char *path_p, const struct stat *st,\n acl_t acl, acl_t dacl)\n{\n\tstruct name_list *acl_names = get_list(st, acl),\n\t *first_acl_name = acl_names;\n\tstruct name_list *dacl_names = get_list(st, dacl),\n\t *first_dacl_name = dacl_names;\n\t\n\tint acl_names_width = max_name_length(acl_names);\n\tint dacl_names_width = max_name_length(dacl_names);\n\tacl_entry_t acl_ent;\n\tacl_entry_t dacl_ent;\n\tchar acl_mask[ACL_PERMS+1], dacl_mask[ACL_PERMS+1];\n\tint ret;\n\n\tnames_width = 8;\n\tif (acl_names_width > names_width)\n\t\tnames_width = acl_names_width;\n\tif (dacl_names_width > names_width)\n\t\tnames_width = dacl_names_width;\n\n\tacl_mask[0] = '\\0';\n\tif (acl) {\n\t\tacl_mask_perm_str(acl, acl_mask);\n\t\tret = acl_get_entry(acl, ACL_FIRST_ENTRY, &acl_ent);\n\t\tif (ret == 0)\n\t\t\tacl = NULL;\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\tdacl_mask[0] = '\\0';\n\tif (dacl) {\n\t\tacl_mask_perm_str(dacl, dacl_mask);\n\t\tret = acl_get_entry(dacl, ACL_FIRST_ENTRY, &dacl_ent);\n\t\tif (ret == 0)\n\t\t\tdacl = NULL;\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\tfprintf(stream, \"# file: %s\\n\", xquote(path_p, \"\\n\\r\"));\n\twhile (acl_names != NULL || dacl_names != NULL) {\n\t\tacl_tag_t acl_tag, dacl_tag;\n\n\t\tif (acl)\n\t\t\tacl_get_tag_type(acl_ent, &acl_tag);\n\t\tif (dacl)\n\t\t\tacl_get_tag_type(dacl_ent, &dacl_tag);\n\n\t\tif (acl && (!dacl || acl_tag < dacl_tag)) {\n\t\t\tshow_line(stream, &acl_names, acl, &acl_ent, acl_mask,\n\t\t\t NULL, NULL, NULL, NULL);\n\t\t\tcontinue;\n\t\t} else if (dacl && (!acl || dacl_tag < acl_tag)) {\n\t\t\tshow_line(stream, NULL, NULL, NULL, NULL,\n\t\t\t &dacl_names, dacl, &dacl_ent, dacl_mask);\n\t\t\tcontinue;\n\t\t} else {\n\t\t\tif (acl_tag == ACL_USER || acl_tag == ACL_GROUP) {\n\t\t\t\tid_t *acl_id_p = NULL, *dacl_id_p = NULL;\n\t\t\t\tif (acl_ent)\n\t\t\t\t\tacl_id_p = acl_get_qualifier(acl_ent);\n\t\t\t\tif (dacl_ent)\n\t\t\t\t\tdacl_id_p = 
acl_get_qualifier(dacl_ent);\n\t\t\t\t\n\t\t\t\tif (acl && (!dacl || *acl_id_p < *dacl_id_p)) {\n\t\t\t\t\tshow_line(stream, &acl_names, acl,\n\t\t\t\t\t &acl_ent, acl_mask,\n\t\t\t\t\t\t NULL, NULL, NULL, NULL);\n\t\t\t\t\tcontinue;\n\t\t\t\t} else if (dacl &&\n\t\t\t\t\t(!acl || *dacl_id_p < *acl_id_p)) {\n\t\t\t\t\tshow_line(stream, NULL, NULL, NULL,\n\t\t\t\t\t NULL, &dacl_names, dacl,\n\t\t\t\t\t\t &dacl_ent, dacl_mask);\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\t\t\tshow_line(stream, &acl_names, acl, &acl_ent, acl_mask,\n\t\t\t\t &dacl_names, dacl, &dacl_ent, dacl_mask);\n\t\t}\n\t}\n\n\tfree_list(first_acl_name);\n\tfree_list(first_dacl_name);\n\n\treturn 0;\n}",
- "target": 0,
- "cwe": [],
- "project": "acl",
- "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5",
- "hash": 148979610646046169696771366369271425537,
- "size": 87,
- "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".",
- "dataset": "other",
- "idx": 491966
- },
- {
- "func": "void acl_mask_perm_str(acl_t acl, char *str)\n{\n\tacl_entry_t entry;\n\n\tstr[0] = '\\0';\n\tif (acl_get_entry(acl, ACL_FIRST_ENTRY, &entry) != 1)\n\t\treturn;\n\tfor(;;) {\n\t\tacl_tag_t tag;\n\n\t\tacl_get_tag_type(entry, &tag);\n\t\tif (tag == ACL_MASK) {\n\t\t\tacl_perm_str(entry, str);\n\t\t\treturn;\n\t\t}\n\t\tif (acl_get_entry(acl, ACL_NEXT_ENTRY, &entry) != 1)\n\t\t\treturn;\n\t}\n}",
- "target": 0,
- "cwe": [],
- "project": "acl",
- "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5",
- "hash": 102244957849193618816091429761976899252,
- "size": 19,
- "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".",
- "dataset": "other",
- "idx": 491977
- },
- {
- "func": "int do_print(const char *path_p, const struct stat *st, int walk_flags, void *unused)\n{\n\tconst char *default_prefix = NULL;\n\tacl_t acl = NULL, default_acl = NULL;\n\tint error = 0;\n\n\tif (walk_flags & WALK_TREE_FAILED) {\n\t\tfprintf(stderr, \"%s: %s: %s\\n\", progname, xquote(path_p, \"\\n\\r\"),\n\t\t\tstrerror(errno));\n\t\treturn 1;\n\t}\n\n\t/*\n\t * Symlinks can never have ACLs, so when doing a physical walk, we\n\t * skip symlinks altogether, and when doing a half-logical walk, we\n\t * skip all non-toplevel symlinks. \n\t */\n\tif ((walk_flags & WALK_TREE_SYMLINK) &&\n\t ((walk_flags & WALK_TREE_PHYSICAL) ||\n\t !(walk_flags & (WALK_TREE_TOPLEVEL | WALK_TREE_LOGICAL))))\n\t\treturn 0;\n\n\tif (opt_print_acl) {\n\t\tacl = acl_get_file(path_p, ACL_TYPE_ACCESS);\n\t\tif (acl == NULL && (errno == ENOSYS || errno == ENOTSUP))\n\t\t\tacl = acl_get_file_mode(path_p);\n\t\tif (acl == NULL)\n\t\t\tgoto fail;\n\t}\n\n\tif (opt_print_default_acl && S_ISDIR(st->st_mode)) {\n\t\tdefault_acl = acl_get_file(path_p, ACL_TYPE_DEFAULT);\n\t\tif (default_acl == NULL) {\n\t\t\tif (errno != ENOSYS && errno != ENOTSUP)\n\t\t\t\tgoto fail;\n\t\t} else if (acl_entries(default_acl) == 0) {\n\t\t\tacl_free(default_acl);\n\t\t\tdefault_acl = NULL;\n\t\t}\n\t}\n\n\tif (opt_skip_base &&\n\t (!acl || acl_equiv_mode(acl, NULL) == 0) && !default_acl)\n\t\treturn 0;\n\n\tif (opt_print_acl && opt_print_default_acl)\n\t\tdefault_prefix = \"default:\";\n\n\tif (opt_strip_leading_slash) {\n\t\tif (*path_p == '/') {\n\t\t\tif (!absolute_warning) {\n\t\t\t\tfprintf(stderr, _(\"%s: Removing leading \"\n\t\t\t\t\t\"'/' from absolute path names\\n\"),\n\t\t\t\t progname);\n\t\t\t\tabsolute_warning = 1;\n\t\t\t}\n\t\t\twhile (*path_p == '/')\n\t\t\t\tpath_p++;\n\t\t} else if (*path_p == '.' 
&& *(path_p+1) == '/')\n\t\t\twhile (*++path_p == '/')\n\t\t\t\t/* nothing */ ;\n\t\tif (*path_p == '\\0')\n\t\t\tpath_p = \".\";\n\t}\n\n\tif (opt_tabular) {\n\t\tif (do_show(stdout, path_p, st, acl, default_acl) != 0)\n\t\t\tgoto fail;\n\t} else {\n\t\tif (opt_comments) {\n\t\t\tprintf(\"# file: %s\\n\", xquote(path_p, \"\\n\\r\"));\n\t\t\tprintf(\"# owner: %s\\n\",\n\t\t\t xquote(user_name(st->st_uid, opt_numeric), \" \\t\\n\\r\"));\n\t\t\tprintf(\"# group: %s\\n\",\n\t\t\t xquote(group_name(st->st_gid, opt_numeric), \" \\t\\n\\r\"));\n\t\t}\n\t\tif (acl != NULL) {\n\t\t\tchar *acl_text = acl_to_any_text(acl, NULL, '\\n',\n\t\t\t\t\t\t\t print_options);\n\t\t\tif (!acl_text)\n\t\t\t\tgoto fail;\n\t\t\tif (puts(acl_text) < 0) {\n\t\t\t\tacl_free(acl_text);\n\t\t\t\tgoto fail;\n\t\t\t}\n\t\t\tacl_free(acl_text);\n\t\t}\n\t\tif (default_acl != NULL) {\n\t\t\tchar *acl_text = acl_to_any_text(default_acl, \n\t\t\t\t\t\t\t default_prefix, '\\n',\n\t\t\t\t\t\t\t print_options);\n\t\t\tif (!acl_text)\n\t\t\t\tgoto fail;\n\t\t\tif (puts(acl_text) < 0) {\n\t\t\t\tacl_free(acl_text);\n\t\t\t\tgoto fail;\n\t\t\t}\n\t\t\tacl_free(acl_text);\n\t\t}\n\t}\n\tif (acl || default_acl || opt_comments)\n\t\tprintf(\"\\n\");\n\ncleanup:\n\tif (acl)\n\t\tacl_free(acl);\n\tif (default_acl)\n\t\tacl_free(default_acl);\n\treturn error;\n\nfail:\n\tfprintf(stderr, \"%s: %s: %s\\n\", progname, xquote(path_p, \"\\n\\r\"),\n\t\tstrerror(errno));\n\terror = -1;\n\tgoto cleanup;\n}",
- "target": 0,
- "cwe": [],
- "project": "acl",
- "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5",
- "hash": 304094450354480469241650128653476885305,
- "size": 116,
- "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".",
- "dataset": "other",
- "idx": 491971
- },
- {
- "func": "void free_list(struct name_list *names)\n{\n\tstruct name_list *next;\n\n\twhile (names) {\n\t\tnext = names->next;\n\t\tfree(names);\n\t\tnames = next;\n\t}\n}",
- "target": 0,
- "cwe": [],
- "project": "acl",
- "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5",
- "hash": 246378709380030782815618129545973149210,
- "size": 10,
- "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".",
- "dataset": "other",
- "idx": 491972
- },
- {
- "func": "int show_line(FILE *stream, struct name_list **acl_names, acl_t acl,\n acl_entry_t *acl_ent, const char *acl_mask,\n struct name_list **dacl_names, acl_t dacl,\n\t acl_entry_t *dacl_ent, const char *dacl_mask)\n{\n\tacl_tag_t tag_type;\n\tconst char *tag, *name;\n\tchar acl_perm[ACL_PERMS+1], dacl_perm[ACL_PERMS+1];\n\n\tif (acl) {\n\t\tacl_get_tag_type(*acl_ent, &tag_type);\n\t\tname = (*acl_names)->name;\n\t} else {\n\t\tacl_get_tag_type(*dacl_ent, &tag_type);\n\t\tname = (*dacl_names)->name;\n\t}\n\n\tswitch(tag_type) {\n\t\tcase ACL_USER_OBJ:\n\t\t\ttag = \"USER\";\n\t\t\tbreak;\n\t\tcase ACL_USER:\n\t\t\ttag = \"user\";\n\t\t\tbreak;\n\t\tcase ACL_GROUP_OBJ:\n\t\t\ttag = \"GROUP\";\n\t\t\tbreak;\n\t\tcase ACL_GROUP:\n\t\t\ttag = \"group\";\n\t\t\tbreak;\n\t\tcase ACL_MASK:\n\t\t\ttag = \"mask\";\n\t\t\tbreak;\n\t\tcase ACL_OTHER:\n\t\t\ttag = \"other\";\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn -1;\n\t}\n\n\tmemset(acl_perm, ' ', ACL_PERMS);\n\tacl_perm[ACL_PERMS] = '\\0';\n\tif (acl_ent) {\n\t\tacl_perm_str(*acl_ent, acl_perm);\n\t\tif (tag_type != ACL_USER_OBJ && tag_type != ACL_OTHER &&\n\t\t tag_type != ACL_MASK)\n\t\t\tapply_mask(acl_perm, acl_mask);\n\t}\n\tmemset(dacl_perm, ' ', ACL_PERMS);\n\tdacl_perm[ACL_PERMS] = '\\0';\n\tif (dacl_ent) {\n\t\tacl_perm_str(*dacl_ent, dacl_perm);\n\t\tif (tag_type != ACL_USER_OBJ && tag_type != ACL_OTHER &&\n\t\t tag_type != ACL_MASK)\n\t\t\tapply_mask(dacl_perm, dacl_mask);\n\t}\n\n\tfprintf(stream, \"%-5s %*s %*s %*s\\n\",\n\t tag, -names_width, name,\n\t -(int)ACL_PERMS, acl_perm,\n\t\t-(int)ACL_PERMS, dacl_perm);\n\n\tif (acl_names) {\n\t\tacl_get_entry(acl, ACL_NEXT_ENTRY, acl_ent);\n\t\t(*acl_names) = (*acl_names)->next;\n\t}\n\tif (dacl_names) {\n\t\tacl_get_entry(dacl, ACL_NEXT_ENTRY, dacl_ent);\n\t\t(*dacl_names) = (*dacl_names)->next;\n\t}\n\treturn 0;\n}",
- "target": 0,
- "cwe": [],
- "project": "acl",
- "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5",
- "hash": 161065813611095891222693530206636661992,
- "size": 72,
- "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".",
- "dataset": "other",
- "idx": 491974
- },
- {
- "func": "void acl_perm_str(acl_entry_t entry, char *str)\n{\n\tacl_permset_t permset;\n\tint n;\n\n\tacl_get_permset(entry, &permset);\n\tfor (n = 0; n < (int) ACL_PERMS; n++) {\n\t\tstr[n] = (acl_get_perm(permset, acl_perm_defs[n].tag) ?\n\t\t acl_perm_defs[n].c : '-');\n\t}\n\tstr[n] = '\\0';\n}",
- "target": 0,
- "cwe": [],
- "project": "acl",
- "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5",
- "hash": 240727839017765817104842232036773145645,
- "size": 12,
- "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".",
- "dataset": "other",
- "idx": 491975
- },
- {
- "func": "int max_name_length(struct name_list *names)\n{\n\tint max_len = 0;\n\twhile (names != NULL) {\n\t\tstruct name_list *next = names->next;\n\t\tint len = strlen(names->name);\n\n\t\tif (len > max_len)\n\t\t\tmax_len = len;\n\t\tnames = next;\n\t}\n\treturn max_len;\n}",
- "target": 0,
- "cwe": [],
- "project": "acl",
- "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5",
- "hash": 236533432565682712712378128349416165826,
- "size": 13,
- "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".",
- "dataset": "other",
- "idx": 491978
- },
- {
- "func": "void apply_mask(char *perm, const char *mask)\n{\n\twhile (*perm) {\n\t\tif (*mask == '-' && *perm >= 'a' && *perm <= 'z')\n\t\t\t*perm = *perm - 'a' + 'A';\n\t\tperm++;\n\t\tif (*mask)\n\t\t\tmask++;\n\t}\n}",
- "target": 0,
- "cwe": [],
- "project": "acl",
- "commit_id": "63451a06b7484d220750ed8574d3ee84e156daf5",
- "hash": 235784037899618074132466825107297440506,
- "size": 10,
- "message": "Make sure that getfacl -R only calls stat(2) on symlinks when it needs to\n\nThis fixes http://oss.sgi.com/bugzilla/show_bug.cgi?id=790\n\"getfacl follows symlinks, even without -L\".",
- "dataset": "other",
- "idx": 491968
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "tooLargePattern",
- "ASSERT_THROWS_CODE",
- "regex"
- ],
- "group_size": 34,
- "functions": [
- {
- "func": "void RegexMatchExpression::_init() {\n uassert(\n ErrorCodes::BadValue, \"Regular expression is too long\", _regex.size() <= kMaxPatternSize);\n\n uassert(ErrorCodes::BadValue,\n \"Regular expression cannot contain an embedded null byte\",\n _regex.find('\\0') == std::string::npos);\n\n uassert(ErrorCodes::BadValue,\n \"Regular expression options string cannot contain an embedded null byte\",\n _flags.find('\\0') == std::string::npos);\n}",
- "project": "mongo",
- "hash": 196906255193958728876698958313286561082,
- "size": 12,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 1,
- "dataset": "other",
- "idx": 209844
- },
- {
- "func": "void RegexMatchExpression::_init() {\n uassert(\n ErrorCodes::BadValue, \"Regular expression is too long\", _regex.size() <= kMaxPatternSize);\n\n uassert(ErrorCodes::BadValue,\n \"Regular expression cannot contain an embedded null byte\",\n _regex.find('\\0') == std::string::npos);\n\n uassert(ErrorCodes::BadValue,\n \"Regular expression options string cannot contain an embedded null byte\",\n _flags.find('\\0') == std::string::npos);\n\n // isValidUTF8() checks for UTF-8 which does not map to a series of codepoints but does not\n // check the validity of the code points themselves. These situations do not cause problems\n // downstream so we do not do additional work to enforce that the code points are valid.\n uassert(\n 5108300, \"Regular expression is invalid UTF-8\", isValidUTF8(_regex) && isValidUTF8(_flags));\n}",
- "project": "mongo",
- "hash": 296417704049406944583817007241379160223,
- "size": 18,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422547
- },
- {
- "func": " RegexMatcherImpl(const RequirementRule& rule)\n : BaseMatcherImpl(rule), regex_str_(rule.match().safe_regex().regex()),\n path_matcher_(Matchers::PathMatcher::createSafeRegex(rule.match().safe_regex())) {\n ASSERT(rule.match().path_specifier_case() ==\n envoy::config::route::v3::RouteMatch::PathSpecifierCase::kSafeRegex);\n }",
- "project": "envoy",
- "hash": 177926330647558908520111297623450225194,
- "size": 6,
- "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a",
- "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov <yavlasov@google.com>",
- "target": 0,
- "dataset": "other",
- "idx": 246608
- },
- {
- "func": " ConnectMatcherImpl(const RequirementRule& rule) : BaseMatcherImpl(rule) {}",
- "project": "envoy",
- "hash": 69909293970036435930584561002786980459,
- "size": 1,
- "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a",
- "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov <yavlasov@google.com>",
- "target": 0,
- "dataset": "other",
- "idx": 246600
- },
- {
- "func": "RegexMatchExpression::RegexMatchExpression(StringData path, StringData regex, StringData options)\n : LeafMatchExpression(REGEX, path),\n _regex(regex.toString()),\n _flags(options.toString()),\n _re(new pcrecpp::RE(_regex.c_str(), flags2options(_flags.c_str()))) {\n _init();\n}",
- "project": "mongo",
- "hash": 335861526958212346706983090925732908437,
- "size": 7,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422536
- },
- {
- "func": "RegexMatchExpression::RegexMatchExpression(StringData path, const BSONElement& e)\n : LeafMatchExpression(REGEX, path),\n _regex(e.regex()),\n _flags(e.regexFlags()),\n _re(new pcrecpp::RE(_regex.c_str(), flags2options(_flags.c_str()))) {\n uassert(ErrorCodes::BadValue, \"regex not a regex\", e.type() == RegEx);\n _init();\n}",
- "project": "mongo",
- "hash": 70858585662722592172046567506141856880,
- "size": 8,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422685
- },
- {
- "func": " PathMatcherImpl(const RequirementRule& rule)\n : BaseMatcherImpl(rule), path_(rule.match().path()),\n path_matcher_(Matchers::PathMatcher::createExact(path_, !case_sensitive_)) {}",
- "project": "envoy",
- "hash": 236527079260690776661196479027875964453,
- "size": 3,
- "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a",
- "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov <yavlasov@google.com>",
- "target": 0,
- "dataset": "other",
- "idx": 246601
- },
- {
- "func": " PrefixMatcherImpl(const RequirementRule& rule)\n : BaseMatcherImpl(rule), prefix_(rule.match().prefix()),\n path_matcher_(Matchers::PathMatcher::createPrefix(prefix_, !case_sensitive_)) {}",
- "project": "envoy",
- "hash": 81940720665359151703373047087591024809,
- "size": 3,
- "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a",
- "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov <yavlasov@google.com>",
- "target": 0,
- "dataset": "other",
- "idx": 246617
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementDotAllOn) {\n BSONObj match = BSON(\"x\"\n << \"a b\");\n BSONObj matchDotAll = BSON(\"x\"\n << \"a\\nb\");\n BSONObj notMatch = BSON(\"x\"\n << \"ab\");\n RegexMatchExpression regex(\"\", \"a.b\", \"s\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(regex.matchesSingleElement(matchDotAll.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 63412851143097204133445098103344934924,
- "size": 12,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422534
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesNull) {\n RegexMatchExpression regex(\"a\", \"b\", \"\");\n ASSERT(!regex.matchesBSON(BSONObj(), NULL));\n ASSERT(!regex.matchesBSON(BSON(\"a\" << BSONNULL), NULL));\n}",
- "project": "mongo",
- "hash": 193009804061745465816871677323230638849,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422543
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementDotAllOff) {\n BSONObj match = BSON(\"x\"\n << \"a b\");\n BSONObj notMatch = BSON(\"x\"\n << \"a\\nb\");\n RegexMatchExpression regex(\"\", \"a.b\", \"\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 254989944548547860653052183568318768603,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422567
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementWrongType) {\n BSONObj notMatchInt = BSON(\"x\" << 1);\n BSONObj notMatchBool = BSON(\"x\" << true);\n RegexMatchExpression regex(\"\", \"1\", \"\");\n ASSERT(!regex.matchesSingleElement(notMatchInt.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatchBool.firstElement()));\n}",
- "project": "mongo",
- "hash": 296477677199849513746558412559452083102,
- "size": 7,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422579
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementSymbolType) {\n BSONObj match = BSONObjBuilder().appendSymbol(\"x\", \"yz\").obj();\n BSONObj notMatch = BSONObjBuilder().appendSymbol(\"x\", \"gg\").obj();\n RegexMatchExpression regex(\"\", \"yz\", \"\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 301556173795461187162616872778185518220,
- "size": 7,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422581
- },
- {
- "func": "TEST(RegexMatchExpression, ElemMatchKey) {\n RegexMatchExpression regex(\"a\", \"b\", \"\");\n MatchDetails details;\n details.requestElemMatchKey();\n ASSERT(!regex.matchesBSON(BSON(\"a\"\n << \"c\"),\n &details));\n ASSERT(!details.hasElemMatchKey());\n ASSERT(regex.matchesBSON(BSON(\"a\"\n << \"b\"),\n &details));\n ASSERT(!details.hasElemMatchKey());\n ASSERT(regex.matchesBSON(BSON(\"a\" << BSON_ARRAY(\"c\"\n << \"b\")),\n &details));\n ASSERT(details.hasElemMatchKey());\n ASSERT_EQUALS(\"1\", details.elemMatchKey());\n}",
- "project": "mongo",
- "hash": 145973166090898470211725047307295936287,
- "size": 18,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422582
- },
- {
- "func": "TEST(RegexMatchExpression, MalformedRegexAcceptedButMatchesNothing) {\n RegexMatchExpression regex(\"a\", \"[(*ACCEPT)\", \"\");\n ASSERT_FALSE(regex.matchesBSON(BSON(\"a\"\n << \"\")));\n ASSERT_FALSE(regex.matchesBSON(BSON(\"a\"\n << \"[\")));\n}",
- "project": "mongo",
- "hash": 53344960387358334717005761952875921258,
- "size": 7,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422592
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementMultilineOn) {\n BSONObj match = BSON(\"x\"\n << \"az\");\n BSONObj matchMultiline = BSON(\"x\"\n << \"\\naz\");\n BSONObj notMatch = BSON(\"x\"\n << \"\\n\\n\");\n RegexMatchExpression regex(\"\", \"^a\", \"m\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(regex.matchesSingleElement(matchMultiline.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 253041449393034191418301643541322807902,
- "size": 12,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422601
- },
- {
- "func": "TEST(RegexMatchExpression, RegexAcceptsUCPOption) {\n RegexMatchExpression regex(\"a\", \"(*UCP)(\\\\w|\\u304C)\", \"\");\n ASSERT(regex.matchesBSON(BSON(\"a\"\n << \"k\")));\n ASSERT(regex.matchesBSON(BSON(\"a\"\n << \"\\u304B\")));\n ASSERT(regex.matchesBSON(BSON(\"a\"\n << \"\\u304C\")));\n}",
- "project": "mongo",
- "hash": 9313621577667968064463263427990204031,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422618
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementExtendedOff) {\n BSONObj match = BSON(\"x\"\n << \"a b\");\n BSONObj notMatch = BSON(\"x\"\n << \"ab\");\n RegexMatchExpression regex(\"\", \"a b\", \"\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 189742530746481934825047330178964446135,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422626
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesScalar) {\n RegexMatchExpression regex(\"a\", \"b\", \"\");\n ASSERT(regex.matchesBSON(BSON(\"a\"\n << \"b\"),\n NULL));\n ASSERT(!regex.matchesBSON(BSON(\"a\"\n << \"c\"),\n NULL));\n}",
- "project": "mongo",
- "hash": 238555791786910426223972844546631149159,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422627
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementMultipleFlags) {\n BSONObj matchMultilineDotAll = BSON(\"x\"\n << \"\\na\\nb\");\n RegexMatchExpression regex(\"\", \"^a.b\", \"ms\");\n ASSERT(regex.matchesSingleElement(matchMultilineDotAll.firstElement()));\n}",
- "project": "mongo",
- "hash": 274046080689778210121094181073121824682,
- "size": 6,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422630
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementMultilineOff) {\n BSONObj match = BSON(\"x\"\n << \"az\");\n BSONObj notMatch = BSON(\"x\"\n << \"\\naz\");\n RegexMatchExpression regex(\"\", \"^a\", \"\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 30805843691375222757285220202287272140,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422646
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementCaseSensitive) {\n BSONObj match = BSON(\"x\"\n << \"abc\");\n BSONObj notMatch = BSON(\"x\"\n << \"ABC\");\n RegexMatchExpression regex(\"\", \"abc\", \"\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 109807149515533842565870345205746509936,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422647
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesArrayValue) {\n RegexMatchExpression regex(\"a\", \"b\", \"\");\n ASSERT(regex.matchesBSON(BSON(\"a\" << BSON_ARRAY(\"c\"\n << \"b\")),\n NULL));\n ASSERT(!regex.matchesBSON(BSON(\"a\" << BSON_ARRAY(\"d\"\n << \"c\")),\n NULL));\n}",
- "project": "mongo",
- "hash": 220263853473013391651097862422017913166,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422648
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementSimplePrefix) {\n BSONObj match = BSON(\"x\"\n << \"abc\");\n BSONObj notMatch = BSON(\"x\"\n << \"adz\");\n RegexMatchExpression regex(\"\", \"^ab\", \"\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 104537045789006579046504453602952695715,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422657
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementUtf8) {\n BSONObj multiByteCharacter = BSON(\"x\"\n << \"\\xc2\\xa5\");\n RegexMatchExpression regex(\"\", \"^.$\", \"\");\n ASSERT(regex.matchesSingleElement(multiByteCharacter.firstElement()));\n}",
- "project": "mongo",
- "hash": 228045459094896457478921951931574105884,
- "size": 6,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422662
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementExact) {\n BSONObj match = BSON(\"a\"\n << \"b\");\n BSONObj notMatch = BSON(\"a\"\n << \"c\");\n RegexMatchExpression regex(\"\", \"b\", \"\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 246675795675956434778627281700852083841,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422670
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementRegexType) {\n BSONObj match = BSONObjBuilder().appendRegex(\"x\", \"yz\", \"i\").obj();\n BSONObj notMatchPattern = BSONObjBuilder().appendRegex(\"x\", \"r\", \"i\").obj();\n BSONObj notMatchFlags = BSONObjBuilder().appendRegex(\"x\", \"yz\", \"s\").obj();\n RegexMatchExpression regex(\"\", \"yz\", \"i\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatchPattern.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatchFlags.firstElement()));\n}",
- "project": "mongo",
- "hash": 41068840303974328139967044120733554012,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422671
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementExtendedOn) {\n BSONObj match = BSON(\"x\"\n << \"ab\");\n BSONObj notMatch = BSON(\"x\"\n << \"a b\");\n RegexMatchExpression regex(\"\", \"a b\", \"x\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 30100801040499127389091838096252595386,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422678
- },
- {
- "func": "TEST(RegexMatchExpression, MatchesElementCaseInsensitive) {\n BSONObj match = BSON(\"x\"\n << \"abc\");\n BSONObj matchUppercase = BSON(\"x\"\n << \"ABC\");\n BSONObj notMatch = BSON(\"x\"\n << \"abz\");\n RegexMatchExpression regex(\"\", \"abc\", \"i\");\n ASSERT(regex.matchesSingleElement(match.firstElement()));\n ASSERT(regex.matchesSingleElement(matchUppercase.firstElement()));\n ASSERT(!regex.matchesSingleElement(notMatch.firstElement()));\n}",
- "project": "mongo",
- "hash": 270724244339065023498330291061524903221,
- "size": 12,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422679
- },
- {
- "func": "TEST(RegexMatchExpression, TooLargePattern) {\n string tooLargePattern(50 * 1000, 'z');\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"a\", tooLargePattern, \"\"),\n AssertionException,\n ErrorCodes::BadValue);\n}",
- "project": "mongo",
- "hash": 144259179245132325864815488828294198010,
- "size": 6,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422610
- },
- {
- "func": " BaseMatcherImpl(const RequirementRule& rule)\n : case_sensitive_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(rule.match(), case_sensitive, true)),\n config_headers_(Http::HeaderUtility::buildHeaderDataVector(rule.match().headers())) {\n for (const auto& query_parameter : rule.match().query_parameters()) {\n config_query_parameters_.push_back(\n std::make_unique<Router::ConfigUtility::QueryParameterMatcher>(query_parameter));\n }\n }",
- "project": "envoy",
- "hash": 166923194649114364939241113749561431729,
- "size": 8,
- "commit_id": "9371333230b1a6e1be2eccf4868771e11af6253a",
- "message": "CVE-2021-43824\n\njwt_atuhn: fixed the crash when a CONNECT request is sent to JWT filter\nconfigured with regex match.\n\nSigned-off-by: Yan Avlasov <yavlasov@google.com>",
- "target": 0,
- "dataset": "other",
- "idx": 246628
- },
- {
- "func": "TEST(ModMatchExpression, ZeroDivisor) {\n ASSERT_THROWS_CODE(ModMatchExpression mod(\"\", 0, 1), AssertionException, ErrorCodes::BadValue);\n}",
- "project": "mongo",
- "hash": 210026470774459985495121513352399864150,
- "size": 3,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422550
- },
- {
- "func": "TEST(RegexMatchExpression, RegexCannotContainEmbeddedNullByte) {\n {\n const auto embeddedNull = \"a\\0b\"_sd;\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"path\", embeddedNull, \"\"),\n AssertionException,\n ErrorCodes::BadValue);\n }\n\n {\n const auto singleNullByte = \"\\0\"_sd;\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"path\", singleNullByte, \"\"),\n AssertionException,\n ErrorCodes::BadValue);\n }\n\n {\n const auto leadingNullByte = \"\\0bbbb\"_sd;\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"path\", leadingNullByte, \"\"),\n AssertionException,\n ErrorCodes::BadValue);\n }\n\n {\n const auto trailingNullByte = \"bbbb\\0\"_sd;\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"path\", trailingNullByte, \"\"),\n AssertionException,\n ErrorCodes::BadValue);\n }\n}",
- "project": "mongo",
- "hash": 214167679385357894421527743201648837080,
- "size": 29,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422624
- },
- {
- "func": "TEST(RegexMatchExpression, RegexOptionsStringCannotContainEmbeddedNullByte) {\n {\n const auto embeddedNull = \"a\\0b\"_sd;\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"path\", \"pattern\", embeddedNull),\n AssertionException,\n ErrorCodes::BadValue);\n }\n\n {\n const auto singleNullByte = \"\\0\"_sd;\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"path\", \"pattern\", singleNullByte),\n AssertionException,\n ErrorCodes::BadValue);\n }\n\n {\n const auto leadingNullByte = \"\\0bbbb\"_sd;\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"path\", \"pattern\", leadingNullByte),\n AssertionException,\n ErrorCodes::BadValue);\n }\n\n {\n const auto trailingNullByte = \"bbbb\\0\"_sd;\n ASSERT_THROWS_CODE(RegexMatchExpression regex(\"path\", \"pattern\", trailingNullByte),\n AssertionException,\n ErrorCodes::BadValue);\n }\n}",
- "project": "mongo",
- "hash": 284944757388508690836471167619011489748,
- "size": 29,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422651
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "FromkLinuxCpuSet",
- "kLinuxCpuSetCheckBit",
- "kLinuxCpuWordNum"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "inline uint64_t kLinuxCpuWordNum(int cpu) {\n return cpu / (8 * sizeof(klinux_cpu_set_word));\n}",
- "project": "asylo",
- "hash": 308057746686457165258786405237147697555,
- "size": 3,
- "commit_id": "bda9772e7872b0d2b9bee32930cf7a4983837b39",
- "message": "Check input length in FromLinuxSockAddr\n\nPiperOrigin-RevId: 333785506\nChange-Id: I1d68fb8954665eebc1018d80ff995cbe9e7ed6a9",
- "target": 0,
- "dataset": "other",
- "idx": 263430
- },
- {
- "func": "int kLinuxCpuSetCheckBit(int cpu, klinux_cpu_set_t *set) {\n return (set->words[kLinuxCpuWordNum(cpu)] &\n (static_cast<klinux_cpu_set_word>(1) << kLinuxCpuBitNum(cpu))) != 0;\n}",
- "project": "asylo",
- "hash": 9664284605372000371369559691608006991,
- "size": 4,
- "commit_id": "bda9772e7872b0d2b9bee32930cf7a4983837b39",
- "message": "Check input length in FromLinuxSockAddr\n\nPiperOrigin-RevId: 333785506\nChange-Id: I1d68fb8954665eebc1018d80ff995cbe9e7ed6a9",
- "target": 0,
- "dataset": "other",
- "idx": 263440
- },
- {
- "func": "inline klinux_cpu_set_word kLinuxCpuBitNum(int cpu) {\n return cpu % (8 * sizeof(klinux_cpu_set_word));\n}",
- "project": "asylo",
- "hash": 206687947824855021326968881950347607340,
- "size": 3,
- "commit_id": "bda9772e7872b0d2b9bee32930cf7a4983837b39",
- "message": "Check input length in FromLinuxSockAddr\n\nPiperOrigin-RevId: 333785506\nChange-Id: I1d68fb8954665eebc1018d80ff995cbe9e7ed6a9",
- "target": 0,
- "dataset": "other",
- "idx": 263432
- },
- {
- "func": "bool FromkLinuxCpuSet(klinux_cpu_set_t *input, cpu_set_t *output) {\n if (!input || !output) {\n return false;\n }\n\n CPU_ZERO(output);\n\n for (int cpu = 0; cpu < KLINUX_CPU_SET_MAX_CPUS; cpu++) {\n if (kLinuxCpuSetCheckBit(cpu, input)) {\n CPU_SET(cpu, output);\n }\n }\n return true;\n}",
- "project": "asylo",
- "hash": 83580394826757849395774231587230699499,
- "size": 14,
- "commit_id": "bda9772e7872b0d2b9bee32930cf7a4983837b39",
- "message": "Check input length in FromLinuxSockAddr\n\nPiperOrigin-RevId: 333785506\nChange-Id: I1d68fb8954665eebc1018d80ff995cbe9e7ed6a9",
- "target": 0,
- "dataset": "other",
- "idx": 263439
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "flatview_read",
- "flatview_read_continue",
- "memory_access_size"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,\n const void *buf, hwaddr len)\n{\n hwaddr l;\n hwaddr addr1;\n MemoryRegion *mr;\n\n l = len;\n mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);\n if (!flatview_access_allowed(mr, attrs, addr, len)) {\n return MEMTX_ACCESS_ERROR;\n }\n return flatview_write_continue(fv, addr, attrs, buf, len,\n addr1, l, mr);\n}",
- "target": 0,
- "cwe": [
- "CWE-908"
- ],
- "project": "qemu",
- "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c",
- "hash": 111322297083016839008485737585231516371,
- "size": 15,
- "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson <richard.henderson@linaro.org>\nReviewed-by: Peter Maydell <peter.maydell@linaro.org>\nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>",
- "dataset": "other",
- "idx": 514787
- },
- {
- "func": "int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)\n{\n unsigned access_size_max = mr->ops->valid.max_access_size;\n\n /* Regions are assumed to support 1-4 byte accesses unless\n otherwise specified. */\n if (access_size_max == 0) {\n access_size_max = 4;\n }\n\n /* Bound the maximum access by the alignment of the address. */\n if (!mr->ops->impl.unaligned) {\n unsigned align_size_max = addr & -addr;\n if (align_size_max != 0 && align_size_max < access_size_max) {\n access_size_max = align_size_max;\n }\n }\n\n /* Don't attempt accesses larger than the maximum. */\n if (l > access_size_max) {\n l = access_size_max;\n }\n l = pow2floor(l);\n\n return l;\n}",
- "target": 0,
- "cwe": [
- "CWE-908"
- ],
- "project": "qemu",
- "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c",
- "hash": 128892610593230758689950558718855065981,
- "size": 26,
- "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson <richard.henderson@linaro.org>\nReviewed-by: Peter Maydell <peter.maydell@linaro.org>\nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>",
- "dataset": "other",
- "idx": 514764
- },
- {
- "func": "static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,\n MemTxAttrs attrs,\n const void *ptr,\n hwaddr len, hwaddr addr1,\n hwaddr l, MemoryRegion *mr)\n{\n uint8_t *ram_ptr;\n uint64_t val;\n MemTxResult result = MEMTX_OK;\n bool release_lock = false;\n const uint8_t *buf = ptr;\n\n for (;;) {\n if (!flatview_access_allowed(mr, attrs, addr1, l)) {\n result |= MEMTX_ACCESS_ERROR;\n /* Keep going. */\n } else if (!memory_access_is_direct(mr, true)) {\n release_lock |= prepare_mmio_access(mr);\n l = memory_access_size(mr, l, addr1);\n /* XXX: could force current_cpu to NULL to avoid\n potential bugs */\n val = ldn_he_p(buf, l);\n result |= memory_region_dispatch_write(mr, addr1, val,\n size_memop(l), attrs);\n } else {\n /* RAM case */\n ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false);\n memcpy(ram_ptr, buf, l);\n invalidate_and_set_dirty(mr, addr1, l);\n }\n\n if (release_lock) {\n qemu_mutex_unlock_iothread();\n release_lock = false;\n }\n\n len -= l;\n buf += l;\n addr += l;\n\n if (!len) {\n break;\n }\n\n l = len;\n mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);\n }\n\n return result;\n}",
- "target": 0,
- "cwe": [
- "CWE-908"
- ],
- "project": "qemu",
- "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c",
- "hash": 235798208000865140915448621750172246340,
- "size": 50,
- "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson <richard.henderson@linaro.org>\nReviewed-by: Peter Maydell <peter.maydell@linaro.org>\nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>",
- "dataset": "other",
- "idx": 514750
- },
- {
- "func": "static inline MemTxResult address_space_write_rom_internal(AddressSpace *as,\n hwaddr addr,\n MemTxAttrs attrs,\n const void *ptr,\n hwaddr len,\n enum write_rom_type type)\n{\n hwaddr l;\n uint8_t *ram_ptr;\n hwaddr addr1;\n MemoryRegion *mr;\n const uint8_t *buf = ptr;\n\n RCU_READ_LOCK_GUARD();\n while (len > 0) {\n l = len;\n mr = address_space_translate(as, addr, &addr1, &l, true, attrs);\n\n if (!(memory_region_is_ram(mr) ||\n memory_region_is_romd(mr))) {\n l = memory_access_size(mr, l, addr1);\n } else {\n /* ROM/RAM case */\n ram_ptr = qemu_map_ram_ptr(mr->ram_block, addr1);\n switch (type) {\n case WRITE_DATA:\n memcpy(ram_ptr, buf, l);\n invalidate_and_set_dirty(mr, addr1, l);\n break;\n case FLUSH_CACHE:\n flush_idcache_range((uintptr_t)ram_ptr, (uintptr_t)ram_ptr, l);\n break;\n }\n }\n len -= l;\n buf += l;\n addr += l;\n }\n return MEMTX_OK;\n}",
- "target": 0,
- "cwe": [
- "CWE-908"
- ],
- "project": "qemu",
- "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c",
- "hash": 113409499952132379188333851003709465197,
- "size": 40,
- "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson <richard.henderson@linaro.org>\nReviewed-by: Peter Maydell <peter.maydell@linaro.org>\nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>",
- "dataset": "other",
- "idx": 514782
- },
- {
- "func": "static MemTxResult flatview_read(FlatView *fv, hwaddr addr,\n MemTxAttrs attrs, void *buf, hwaddr len)\n{\n hwaddr l;\n hwaddr addr1;\n MemoryRegion *mr;\n\n l = len;\n mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);\n if (!flatview_access_allowed(mr, attrs, addr, len)) {\n return MEMTX_ACCESS_ERROR;\n }\n return flatview_read_continue(fv, addr, attrs, buf, len,\n addr1, l, mr);\n}",
- "target": 0,
- "cwe": [
- "CWE-908"
- ],
- "project": "qemu",
- "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c",
- "hash": 159611724233729046758076535418035210163,
- "size": 15,
- "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson <richard.henderson@linaro.org>\nReviewed-by: Peter Maydell <peter.maydell@linaro.org>\nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>",
- "dataset": "other",
- "idx": 514779
- },
- {
- "func": "static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,\n hwaddr addr, hwaddr len)\n{\n if (likely(!attrs.memory)) {\n return true;\n }\n if (memory_region_is_ram(mr)) {\n return true;\n }\n qemu_log_mask(LOG_GUEST_ERROR,\n \"Invalid access to non-RAM device at \"\n \"addr 0x%\" HWADDR_PRIX \", size %\" HWADDR_PRIu \", \"\n \"region '%s'\\n\", addr, len, memory_region_name(mr));\n return false;\n}",
- "target": 0,
- "cwe": [
- "CWE-908"
- ],
- "project": "qemu",
- "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c",
- "hash": 78259487319584410108391883915596765157,
- "size": 15,
- "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson <richard.henderson@linaro.org>\nReviewed-by: Peter Maydell <peter.maydell@linaro.org>\nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>",
- "dataset": "other",
- "idx": 514770
- },
- {
- "func": "bool prepare_mmio_access(MemoryRegion *mr)\n{\n bool release_lock = false;\n\n if (!qemu_mutex_iothread_locked()) {\n qemu_mutex_lock_iothread();\n release_lock = true;\n }\n if (mr->flush_coalesced_mmio) {\n qemu_flush_coalesced_mmio_buffer();\n }\n\n return release_lock;\n}",
- "target": 0,
- "cwe": [
- "CWE-908"
- ],
- "project": "qemu",
- "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c",
- "hash": 263096267271380692382362820570665888790,
- "size": 14,
- "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson <richard.henderson@linaro.org>\nReviewed-by: Peter Maydell <peter.maydell@linaro.org>\nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>",
- "dataset": "other",
- "idx": 514766
- },
- {
- "func": "MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,\n MemTxAttrs attrs, void *ptr,\n hwaddr len, hwaddr addr1, hwaddr l,\n MemoryRegion *mr)\n{\n uint8_t *ram_ptr;\n uint64_t val;\n MemTxResult result = MEMTX_OK;\n bool release_lock = false;\n uint8_t *buf = ptr;\n\n fuzz_dma_read_cb(addr, len, mr);\n for (;;) {\n if (!flatview_access_allowed(mr, attrs, addr1, l)) {\n result |= MEMTX_ACCESS_ERROR;\n /* Keep going. */\n } else if (!memory_access_is_direct(mr, false)) {\n /* I/O case */\n release_lock |= prepare_mmio_access(mr);\n l = memory_access_size(mr, l, addr1);\n result |= memory_region_dispatch_read(mr, addr1, &val,\n size_memop(l), attrs);\n stn_he_p(buf, l, val);\n } else {\n /* RAM case */\n ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false);\n memcpy(buf, ram_ptr, l);\n }\n\n if (release_lock) {\n qemu_mutex_unlock_iothread();\n release_lock = false;\n }\n\n len -= l;\n buf += l;\n addr += l;\n\n if (!len) {\n break;\n }\n\n l = len;\n mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);\n }\n\n return result;\n}",
- "target": 0,
- "cwe": [
- "CWE-908"
- ],
- "project": "qemu",
- "commit_id": "418ade7849ce7641c0f7333718caf5091a02fd4c",
- "hash": 126242774040219518758898534185243601349,
- "size": 48,
- "message": "softmmu: Always initialize xlat in address_space_translate_for_iotlb\n\nThe bug is an uninitialized memory read, along the translate_fail\npath, which results in garbage being read from iotlb_to_section,\nwhich can lead to a crash in io_readx/io_writex.\n\nThe bug may be fixed by writing any value with zero\nin ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using\nthe xlat'ed address returns io_mem_unassigned, as desired by the\ntranslate_fail path.\n\nIt is most useful to record the original physical page address,\nwhich will eventually be logged by memory_region_access_valid\nwhen the access is rejected by unassigned_mem_accepts.\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1065\nSigned-off-by: Richard Henderson <richard.henderson@linaro.org>\nReviewed-by: Peter Maydell <peter.maydell@linaro.org>\nMessage-Id: <20220621153829.366423-1-richard.henderson@linaro.org>",
- "dataset": "other",
- "idx": 514784
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "ntlmssp_append_target_info",
- "i_zero",
- "ntlmssp_append_string",
- "append_string"
- ],
- "group_size": 12,
- "functions": [
- {
- "func": "bool ntlmssp_check_response(const struct ntlmssp_response *response,\n\t\t\t size_t data_size, const char **error)\n{\n\tif (data_size < sizeof(struct ntlmssp_response)) {\n\t\t*error = \"response too short\";\n\t\treturn FALSE;\n\t}\n\n\tif (read_le64(&response->magic) != NTLMSSP_MAGIC) {\n\t\t*error = \"signature mismatch\";\n\t\treturn FALSE;\n\t}\n\n\tif (read_le32(&response->type) != NTLMSSP_MSG_TYPE3) {\n\t\t*error = \"message type mismatch\";\n\t\treturn FALSE;\n\t}\n\n\tif (!ntlmssp_check_buffer(&response->lm_response, data_size, error) ||\n\t !ntlmssp_check_buffer(&response->ntlm_response, data_size, error) ||\n\t !ntlmssp_check_buffer(&response->domain, data_size, error) ||\n\t !ntlmssp_check_buffer(&response->user, data_size, error) ||\n\t !ntlmssp_check_buffer(&response->workstation, data_size, error))\n\t\treturn FALSE;\n\n\treturn TRUE;\n}",
- "target": 0,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 308575781816202870018561307819992021820,
- "size": 27,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 506425
- },
- {
- "func": "static unsigned int read_le32(const unsigned char *p)\n{\n return ((unsigned int) p[0])\n | ((unsigned int) p[1] << 8)\n | ((unsigned int) p[2] << 16)\n | ((unsigned int) p[3] << 24);\n}",
- "project": "fluent-bit",
- "hash": 130456446374820103303280755667404613105,
- "size": 7,
- "commit_id": "cadff53c093210404aed01c4cf586adb8caa07af",
- "message": "gzip: fix compression size calculation (oss-fuzz 27261)\n\nSigned-off-by: davkor <david@adalogics.com>",
- "target": 0,
- "dataset": "other",
- "idx": 417947
- },
- {
- "func": "static void ntlmssp_append_target_info(buffer_t *buf, size_t buffer_offset, ...)\n{\n\tstruct ntlmssp_v2_target_info info;\n\tstruct ntlmssp_buffer buffer;\n\tva_list args;\n\tunsigned int length, total_length = 0;\n\tint type;\n\n\twrite_le32(&buffer.offset, buf->used);\n\n\tva_start(args, buffer_offset);\n\n\tdo {\n\t\tconst char *data;\n\t\ttype = va_arg(args, int);\n\n\t\ti_zero(&info);\n\t\twrite_le16(&info.type, type);\n\n\t\tswitch (type) {\n\t\t\tcase NTPLMSSP_V2_TARGET_END:\n\t\t\t\tbuffer_append(buf, &info, sizeof(info));\n\t\t\t\tlength = sizeof(info);\n\t\t\t\tbreak;\n\t\t\tcase NTPLMSSP_V2_TARGET_SERVER:\n\t\t\tcase NTPLMSSP_V2_TARGET_DOMAIN:\n\t\t\tcase NTPLMSSP_V2_TARGET_FQDN:\n\t\t\tcase NTPLMSSP_V2_TARGET_DNS:\n\t\t\t\tdata = va_arg(args, const char *);\n\t\t\t\twrite_le16(&info.length,\n\t\t\t\t\t strlen(data) * sizeof(ucs2le_t));\n\t\t\t\tbuffer_append(buf, &info, sizeof(info));\n\t\t\t\tlength = append_string(buf, data, FALSE, TRUE) +\n\t\t\t\t\t sizeof(info);\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\ti_panic(\"Invalid NTLM target info block type \"\n\t\t\t\t\t\"%u\", type);\n\t\t}\n\n\t\ttotal_length += length;\n\t\n\t} while (type != NTPLMSSP_V2_TARGET_END);\n\n\tva_end(args);\n\n\twrite_le16(&buffer.length, total_length);\n\twrite_le16(&buffer.space, total_length);\n\tbuffer_write(buf, buffer_offset, &buffer, sizeof(buffer));\n}",
- "target": 0,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 304744503973824614610420588575244245089,
- "size": 50,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 506419
- },
- {
- "func": "static inline uint32_t ntlmssp_flags(uint32_t client_flags)\n{\n\tuint32_t flags = NTLMSSP_NEGOTIATE_NTLM |\n\t\t\t NTLMSSP_NEGOTIATE_TARGET_INFO;\n\n\tif ((client_flags & NTLMSSP_NEGOTIATE_UNICODE) != 0)\n\t\tflags |= NTLMSSP_NEGOTIATE_UNICODE;\n\telse\n\t\tflags |= NTLMSSP_NEGOTIATE_OEM;\n\n\tif ((client_flags & NTLMSSP_NEGOTIATE_NTLM2) != 0)\n\t\tflags |= NTLMSSP_NEGOTIATE_NTLM2;\n\n\tif ((client_flags & NTLMSSP_REQUEST_TARGET) != 0)\n\t\tflags |= NTLMSSP_REQUEST_TARGET | NTLMSSP_TARGET_TYPE_SERVER;\n\n\treturn flags;\n}",
- "target": 0,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 143518257012832472132156956647676353494,
- "size": 18,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 506422
- },
- {
- "func": "int flb_gzip_uncompress(void *in_data, size_t in_len,\n void **out_data, size_t *out_len)\n{\n int status;\n uint8_t *p;\n void *out_buf;\n size_t out_size = 0;\n void *zip_data;\n size_t zip_len;\n unsigned char flg;\n unsigned int xlen, hcrc;\n unsigned int dlen, crc;\n mz_ulong crc_out;\n mz_stream stream;\n const unsigned char *start;\n\n /* Minimal length: header + crc32 */\n if (in_len < 18) {\n flb_error(\"[gzip] unexpected content length\");\n return -1;\n }\n\n /* Magic bytes */\n p = in_data;\n if (p[0] != 0x1F || p[1] != 0x8B) {\n flb_error(\"[gzip] invalid magic bytes\");\n return -1;\n }\n\n if (p[2] != 8) {\n flb_error(\"[gzip] invalid method\");\n return -1;\n }\n\n /* Flag byte */\n flg = p[3];\n\n /* Reserved bits */\n if (flg & 0xE0) {\n flb_error(\"[gzip] invalid flag\");\n return -1;\n }\n\n /* Skip base header of 10 bytes */\n start = p + FLB_GZIP_HEADER_OFFSET;\n\n /* Skip extra data if present */\n if (flg & FEXTRA) {\n xlen = read_le16(start);\n if (xlen > in_len - 12) {\n flb_error(\"[gzip] invalid gzip data\");\n return -1;\n }\n start += xlen + 2;\n }\n\n /* Skip file name if present */\n if (flg & FNAME) {\n do {\n if (start - p >= in_len) {\n flb_error(\"[gzip] invalid gzip data (FNAME)\");\n return -1;\n }\n } while (*start++);\n }\n\n /* Skip file comment if present */\n if (flg & FCOMMENT) {\n do {\n if (start - p >= in_len) {\n flb_error(\"[gzip] invalid gzip data (FCOMMENT)\");\n return -1;\n }\n } while (*start++);\n }\n\n /* Check header crc if present */\n if (flg & FHCRC) {\n if (start - p > in_len - 2) {\n flb_error(\"[gzip] invalid gzip data (FHRC)\");\n return -1;\n }\n\n hcrc = read_le16(start);\n crc = mz_crc32(MZ_CRC32_INIT, p, start - p) & 0x0000FFFF;\n if (hcrc != crc) {\n flb_error(\"[gzip] invalid gzip header CRC\");\n return -1;\n }\n start += 2;\n }\n\n /* Get decompressed length */\n dlen = read_le32(&p[in_len - 4]);\n\n /* Get CRC32 checksum of original data */\n crc = read_le32(&p[in_len - 8]);\n\n /* 
Decompress data */\n if ((p + in_len) - p < 8) {\n flb_error(\"[gzip] invalid gzip CRC32 checksum\");\n return -1;\n }\n\n /* Allocate outgoing buffer */\n out_buf = flb_malloc(dlen);\n if (!out_buf) {\n flb_errno();\n return -1;\n }\n out_size = dlen;\n\n /* Map zip content */\n zip_data = (uint8_t *) start;\n zip_len = (p + in_len) - start - 8;\n\n memset(&stream, 0, sizeof(stream));\n stream.next_in = zip_data;\n stream.avail_in = zip_len;\n stream.next_out = out_buf;\n stream.avail_out = out_size;\n\n status = mz_inflateInit2(&stream, -Z_DEFAULT_WINDOW_BITS);\n if (status != MZ_OK) {\n flb_free(out_buf);\n return -1;\n }\n\n status = mz_inflate(&stream, MZ_FINISH);\n if (status != MZ_STREAM_END) {\n mz_inflateEnd(&stream);\n flb_free(out_buf);\n return -1;\n }\n\n if (stream.total_out != dlen) {\n mz_inflateEnd(&stream);\n flb_free(out_buf);\n flb_error(\"[gzip] invalid gzip data size\");\n return -1;\n }\n\n /* terminate the stream, it's not longer required */\n mz_inflateEnd(&stream);\n\n /* Validate message CRC vs inflated data CRC */\n crc_out = mz_crc32(MZ_CRC32_INIT, out_buf, dlen);\n if (crc_out != crc) {\n flb_free(out_buf);\n flb_error(\"[gzip] invalid GZip checksum (CRC32)\");\n return -1;\n }\n\n /* set the uncompressed data */\n *out_len = dlen;\n *out_data = out_buf;\n\n return 0;\n}",
- "project": "fluent-bit",
- "hash": 86999460491909484734595669886450493823,
- "size": 159,
- "commit_id": "cadff53c093210404aed01c4cf586adb8caa07af",
- "message": "gzip: fix compression size calculation (oss-fuzz 27261)\n\nSigned-off-by: davkor <david@adalogics.com>",
- "target": 0,
- "dataset": "other",
- "idx": 417951
- },
- {
- "func": "static unsigned int append_string(buffer_t *buf, const char *str, \n\t\t\t\t bool ucase, bool unicode)\n{\n\tunsigned int length = 0;\n\n\tfor ( ; *str != '\\0'; str++) {\n\t\tbuffer_append_c(buf, ucase ? i_toupper(*str) : *str);\n\t\tif (unicode) {\n\t\t\tbuffer_append_c(buf, 0);\n\t\t\tlength++; \n\t\t}\n\t\tlength++;\n\t}\n\n\treturn length;\n}",
- "target": 0,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 270835728281084741559078096449952534504,
- "size": 16,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 506418
- },
- {
- "func": "static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,\n\t\t\t\t size_t data_size, const char **error)\n{\n\tuint32_t offset = read_le32(&buffer->offset);\n\tuint16_t length = read_le16(&buffer->length);\n\tuint16_t space = read_le16(&buffer->space);\n\n\t/* Empty buffer is ok */\n\tif (length == 0 && space == 0)\n\t\treturn TRUE;\n\n\tif (offset >= data_size) {\n\t\t*error = \"buffer offset out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\tif (offset + space > data_size) {\n\t\t*error = \"buffer end out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "target": 1,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 44503422073269898902321827906643231697,
- "size": 23,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 216799
- },
- {
- "func": "static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,\n\t\t\t\t size_t data_size, const char **error)\n{\n\tuint32_t offset = read_le32(&buffer->offset);\n\tuint16_t length = read_le16(&buffer->length);\n\tuint16_t space = read_le16(&buffer->space);\n\n\t/* Empty buffer is ok */\n\tif (length == 0 && space == 0)\n\t\treturn TRUE;\n\n\tif (length > data_size) {\n\t\t*error = \"buffer length out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\tif (offset >= data_size) {\n\t\t*error = \"buffer offset out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\tif (offset + space > data_size) {\n\t\t*error = \"buffer end out of bounds\";\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "target": 0,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 207567383368999279475384375671028455850,
- "size": 28,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 506421
- },
- {
- "func": "static void ntlmssp_append_string(buffer_t *buf, size_t buffer_offset,\n\t\t\t\t const char *str, bool unicode)\n{\n\tstruct ntlmssp_buffer buffer;\n\tunsigned int length;\n\n\twrite_le32(&buffer.offset, buf->used);\n\n\tlength = append_string(buf, str, FALSE, unicode);\n\n\twrite_le16(&buffer.length, length);\n\twrite_le16(&buffer.space, length);\n\tbuffer_write(buf, buffer_offset, &buffer, sizeof(buffer));\n}",
- "target": 0,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 302108502454610039907347848030792437312,
- "size": 14,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 506420
- },
- {
- "func": "ntlmssp_create_challenge(pool_t pool, const struct ntlmssp_request *request,\n\t\t\t size_t *size)\n{\n\tbuffer_t *buf;\n\tuint32_t flags = ntlmssp_flags(read_le32(&request->flags));\n\tbool unicode = (flags & NTLMSSP_NEGOTIATE_UNICODE) != 0;\n\tstruct ntlmssp_challenge c;\n\n\tbuf = buffer_create_dynamic(pool, sizeof(struct ntlmssp_challenge));\n\n\ti_zero(&c);\n\twrite_le64(&c.magic, NTLMSSP_MAGIC);\n\twrite_le32(&c.type, NTLMSSP_MSG_TYPE2);\n\twrite_le32(&c.flags, flags);\n\trandom_fill(c.challenge, sizeof(c.challenge));\n\n\tbuffer_write(buf, 0, &c, sizeof(c));\n\n\tif ((flags & NTLMSSP_TARGET_TYPE_SERVER) != 0)\n\t\tntlmssp_append_string(buf,\n\t\t\toffsetof(struct ntlmssp_challenge, target_name),\n\t\t\tmy_hostname, unicode);\n\n\tntlmssp_append_target_info(buf, offsetof(struct ntlmssp_challenge,\n\t\t\t\t\t\t target_info),\n\t\t\t\t NTPLMSSP_V2_TARGET_FQDN, my_hostname,\n\t\t\t\t NTPLMSSP_V2_TARGET_END);\n\n\t*size = buf->used;\n\treturn buffer_free_without_data(&buf);\n}",
- "target": 0,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 320103123546302170650251415237215051807,
- "size": 31,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 506423
- },
- {
- "func": "static unsigned int read_le16(const unsigned char *p)\n{\n return ((unsigned int) p[0]) | ((unsigned int) p[1] << 8);\n}",
- "project": "fluent-bit",
- "hash": 324762848922911257424959728155920709102,
- "size": 4,
- "commit_id": "cadff53c093210404aed01c4cf586adb8caa07af",
- "message": "gzip: fix compression size calculation (oss-fuzz 27261)\n\nSigned-off-by: davkor <david@adalogics.com>",
- "target": 0,
- "dataset": "other",
- "idx": 417950
- },
- {
- "func": "bool ntlmssp_check_request(const struct ntlmssp_request *request,\n\t\t\t size_t data_size, const char **error)\n{\n\tuint32_t flags;\n\n\tif (data_size < sizeof(struct ntlmssp_request)) {\n\t\t*error = \"request too short\";\n\t\treturn FALSE;\n\t}\n\n\tif (read_le64(&request->magic) != NTLMSSP_MAGIC) {\n\t\t*error = \"signature mismatch\";\n\t\treturn FALSE;\n\t}\n\n\tif (read_le32(&request->type) != NTLMSSP_MSG_TYPE1) {\n\t\t*error = \"message type mismatch\";\n\t\treturn FALSE;\n\t}\n\n\tflags = read_le32(&request->flags);\n\n\tif ((flags & NTLMSSP_NEGOTIATE_NTLM) == 0) {\n\t\t*error = \"client doesn't advertise NTLM support\";\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}",
- "target": 0,
- "cwe": [
- "CWE-125"
- ],
- "project": "core",
- "commit_id": "fb246611e62ad8c5a95b0ca180a63f17aa34b0d8",
- "hash": 259203876739144659665264532647969570099,
- "size": 29,
- "message": "lib-ntlm: Check buffer length on responses\n\nAdd missing check for buffer length.\n\nIf this is not checked, it is possible to send message which\ncauses read past buffer bug.\n\nBroken in c7480644202e5451fbed448508ea29a25cffc99c",
- "dataset": "other",
- "idx": 506424
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "fix_and_set_name_from_value",
- "fix_from_value",
- "fix_charset_and_length_from_str_value",
- "char_length"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": " void fix_charset_and_length_from_str_value(Derivation dv)\n {\n fix_charset_and_length_from_str_value(dv, Metadata(&str_value));\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 154327255266273886720011309447068665016,
- "size": 4,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509365
- },
- {
- "func": " void fix_charset_and_length_from_str_value(Derivation dv, Metadata metadata)\n {\n /*\n We have to have a different max_length than 'length' here to\n ensure that we get the right length if we do use the item\n to create a new table. In this case max_length must be the maximum\n number of chars for a string of this type because we in Create_field::\n divide the max_length with mbmaxlen).\n */\n collation.set(str_value.charset(), dv, metadata.repertoire());\n fix_char_length(metadata.char_length());\n decimals= NOT_FIXED_DEC;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 86150775855358446446247509084940415998,
- "size": 13,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509395
- },
- {
- "func": " DTCollation(CHARSET_INFO *collation_arg,\n Derivation derivation_arg,\n uint repertoire_arg)\n :collation(collation_arg),\n derivation(derivation_arg),\n repertoire(repertoire_arg)\n { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 28332889171668248265375703857713795156,
- "size": 7,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 508937
- },
- {
- "func": " uint repertoire() const { return MY_STRING_METADATA::repertoire; }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 120270694217732731454200073771895596300,
- "size": 1,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509414
- },
- {
- "func": " size_t char_length() const { return MY_STRING_METADATA::char_length; }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 56924974304726318879916470792753787357,
- "size": 1,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 508931
- },
- {
- "func": " void fix_and_set_name_from_value(THD *thd, Derivation dv,\n const Metadata metadata)\n {\n fix_from_value(dv, metadata);\n set_name(thd, str_value.ptr(), str_value.length(), str_value.charset());\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 145223923482690028166112356840311921502,
- "size": 6,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509321
- },
- {
- "func": " void fix_char_length(size_t max_char_length_arg)\n {\n max_length= char_to_byte_length_safe(max_char_length_arg,\n collation.collation->mbmaxlen);\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 128055378885442712357673431363026385823,
- "size": 5,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509276
- },
- {
- "func": " void fix_from_value(Derivation dv, const Metadata metadata)\n {\n fix_charset_and_length_from_str_value(dv, metadata);\n // it is constant => can be used without fix_fields (and frequently used)\n fixed= 1;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 165902672546454000048602381389207469936,
- "size": 6,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509014
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "vmf_insert_pfn_pud_prot",
- "insert_pfn_pud",
- "maybe_pud_mkwrite"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "vm_fault_t vmf_insert_pfn_pud_prot(struct vm_fault *vmf, pfn_t pfn,\n\t\t\t\t pgprot_t pgprot, bool write)\n{\n\tunsigned long addr = vmf->address & PUD_MASK;\n\tstruct vm_area_struct *vma = vmf->vma;\n\n\t/*\n\t * If we had pud_special, we could avoid all these restrictions,\n\t * but we need to be consistent with PTEs and architectures that\n\t * can't support a 'special' bit.\n\t */\n\tBUG_ON(!(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) &&\n\t\t\t!pfn_t_devmap(pfn));\n\tBUG_ON((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) ==\n\t\t\t\t\t\t(VM_PFNMAP|VM_MIXEDMAP));\n\tBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\n\n\tif (addr < vma->vm_start || addr >= vma->vm_end)\n\t\treturn VM_FAULT_SIGBUS;\n\n\ttrack_pfn_insert(vma, &pgprot, pfn);\n\n\tinsert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write);\n\treturn VM_FAULT_NOPAGE;\n}",
- "project": "linux",
- "hash": 209157331707782529198757520996980655520,
- "size": 25,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364155
- },
- {
- "func": "static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr,\n\t\tpud_t *pud, pfn_t pfn, pgprot_t prot, bool write)\n{\n\tstruct mm_struct *mm = vma->vm_mm;\n\tpud_t entry;\n\tspinlock_t *ptl;\n\n\tptl = pud_lock(mm, pud);\n\tif (!pud_none(*pud)) {\n\t\tif (write) {\n\t\t\tif (pud_pfn(*pud) != pfn_t_to_pfn(pfn)) {\n\t\t\t\tWARN_ON_ONCE(!is_huge_zero_pud(*pud));\n\t\t\t\tgoto out_unlock;\n\t\t\t}\n\t\t\tentry = pud_mkyoung(*pud);\n\t\t\tentry = maybe_pud_mkwrite(pud_mkdirty(entry), vma);\n\t\t\tif (pudp_set_access_flags(vma, addr, pud, entry, 1))\n\t\t\t\tupdate_mmu_cache_pud(vma, addr, pud);\n\t\t}\n\t\tgoto out_unlock;\n\t}\n\n\tentry = pud_mkhuge(pfn_t_pud(pfn, prot));\n\tif (pfn_t_devmap(pfn))\n\t\tentry = pud_mkdevmap(entry);\n\tif (write) {\n\t\tentry = pud_mkyoung(pud_mkdirty(entry));\n\t\tentry = maybe_pud_mkwrite(entry, vma);\n\t}\n\tset_pud_at(mm, addr, pud, entry);\n\tupdate_mmu_cache_pud(vma, addr, pud);\n\nout_unlock:\n\tspin_unlock(ptl);\n}",
- "project": "linux",
- "hash": 173034307180225157472608885308363813534,
- "size": 35,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364196
- },
- {
- "func": "static pud_t maybe_pud_mkwrite(pud_t pud, struct vm_area_struct *vma)\n{\n\tif (likely(vma->vm_flags & VM_WRITE))\n\t\tpud = pud_mkwrite(pud);\n\treturn pud;\n}",
- "project": "linux",
- "hash": 5567300536024320700807929861113141006,
- "size": 6,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364204
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "soap_xmlParseFile",
- "cleanup_xml_node",
- "is_blank"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void cleanup_xml_node(xmlNodePtr node)\n{\n\txmlNodePtr trav;\n\txmlNodePtr del = NULL;\n\n\ttrav = node->children;\n\twhile (trav != NULL) {\n\t\tif (del != NULL) {\n\t\t\txmlUnlinkNode(del);\n\t\t\txmlFreeNode(del);\n\t\t\tdel = NULL;\n\t\t}\n\t\tif (trav->type == XML_TEXT_NODE) {\n\t\t\tif (is_blank(trav->content)) {\n\t\t\t\tdel = trav;\n\t\t\t}\n\t\t} else if ((trav->type != XML_ELEMENT_NODE) &&\n\t\t (trav->type != XML_CDATA_SECTION_NODE)) {\n\t\t\tdel = trav;\n\t\t} else if (trav->children != NULL) {\n\t\t\tcleanup_xml_node(trav);\n\t\t}\n\t\ttrav = trav->next;\n\t}\n\tif (del != NULL) {\n\t\txmlUnlinkNode(del);\n\t\txmlFreeNode(del);\n\t}\n}",
- "project": "php-src",
- "hash": 336831823560269625055179690903166043585,
- "size": 29,
- "commit_id": "fcd4b5335a6df4e0676ee32e2267ca71d70fe623",
- "message": "Fix TSRM (after afc1debb)",
- "target": 0,
- "dataset": "other",
- "idx": 285584
- },
- {
- "func": "static int is_blank(const xmlChar* str)\n{\n\twhile (*str != '\\0') {\n\t\tif (*str != ' ' && *str != 0x9 && *str != 0xa && *str != 0xd) {\n\t\t\treturn 0;\n\t\t}\n\t\tstr++;\n\t}\n\treturn 1;\n}",
- "project": "php-src",
- "hash": 255186597252804202024117709233117773393,
- "size": 10,
- "commit_id": "fcd4b5335a6df4e0676ee32e2267ca71d70fe623",
- "message": "Fix TSRM (after afc1debb)",
- "target": 0,
- "dataset": "other",
- "idx": 285590
- },
- {
- "func": "xmlDocPtr soap_xmlParseFile(const char *filename TSRMLS_DC)\n{\n\txmlParserCtxtPtr ctxt = NULL;\n\txmlDocPtr ret;\n\tzend_bool old_allow_url_fopen;\n\n/*\n\txmlInitParser();\n*/\n\n\told_allow_url_fopen = PG(allow_url_fopen);\n\tPG(allow_url_fopen) = 1;\n\tctxt = xmlCreateFileParserCtxt(filename);\n\tPG(allow_url_fopen) = old_allow_url_fopen;\n\tif (ctxt) {\n\t\tzend_bool old;\n\n\t\tctxt->keepBlanks = 0;\n\t\tctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;\n\t\tctxt->sax->comment = soap_Comment;\n\t\tctxt->sax->warning = NULL;\n\t\tctxt->sax->error = NULL;\n\t\t/*ctxt->sax->fatalError = NULL;*/\n\t\told = php_libxml_disable_entity_loader(1);\n\t\txmlParseDocument(ctxt);\n\t\tphp_libxml_disable_entity_loader(old);\n\t\tif (ctxt->wellFormed) {\n\t\t\tret = ctxt->myDoc;\n\t\t\tif (ret->URL == NULL && ctxt->directory != NULL) {\n\t\t\t\tret->URL = xmlCharStrdup(ctxt->directory);\n\t\t\t}\n\t\t} else {\n\t\t\tret = NULL;\n\t\t\txmlFreeDoc(ctxt->myDoc);\n\t\t\tctxt->myDoc = NULL;\n\t\t}\n\t\txmlFreeParserCtxt(ctxt);\n\t} else {\n\t\tret = NULL;\n\t}\n\n/*\n\txmlCleanupParser();\n*/\n\n\tif (ret) {\n\t\tcleanup_xml_node((xmlNodePtr)ret);\n\t}\n\treturn ret;\n}",
- "project": "php-src",
- "hash": 149172573949708914156035129804477784284,
- "size": 50,
- "commit_id": "fcd4b5335a6df4e0676ee32e2267ca71d70fe623",
- "message": "Fix TSRM (after afc1debb)",
- "target": 1,
- "dataset": "other",
- "idx": 198943
- },
- {
- "func": "xmlDocPtr soap_xmlParseFile(const char *filename TSRMLS_DC)\n{\n\txmlParserCtxtPtr ctxt = NULL;\n\txmlDocPtr ret;\n\tzend_bool old_allow_url_fopen;\n\n/*\n\txmlInitParser();\n*/\n\n\told_allow_url_fopen = PG(allow_url_fopen);\n\tPG(allow_url_fopen) = 1;\n\tctxt = xmlCreateFileParserCtxt(filename);\n\tPG(allow_url_fopen) = old_allow_url_fopen;\n\tif (ctxt) {\n\t\tzend_bool old;\n\n\t\tctxt->keepBlanks = 0;\n\t\tctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;\n\t\tctxt->sax->comment = soap_Comment;\n\t\tctxt->sax->warning = NULL;\n\t\tctxt->sax->error = NULL;\n\t\t/*ctxt->sax->fatalError = NULL;*/\n\t\told = php_libxml_disable_entity_loader(1 TSRMLS_CC);\n\t\txmlParseDocument(ctxt);\n\t\tphp_libxml_disable_entity_loader(old TSRMLS_CC);\n\t\tif (ctxt->wellFormed) {\n\t\t\tret = ctxt->myDoc;\n\t\t\tif (ret->URL == NULL && ctxt->directory != NULL) {\n\t\t\t\tret->URL = xmlCharStrdup(ctxt->directory);\n\t\t\t}\n\t\t} else {\n\t\t\tret = NULL;\n\t\t\txmlFreeDoc(ctxt->myDoc);\n\t\t\tctxt->myDoc = NULL;\n\t\t}\n\t\txmlFreeParserCtxt(ctxt);\n\t} else {\n\t\tret = NULL;\n\t}\n\n/*\n\txmlCleanupParser();\n*/\n\n\tif (ret) {\n\t\tcleanup_xml_node((xmlNodePtr)ret);\n\t}\n\treturn ret;\n}",
- "project": "php-src",
- "hash": 81104495453836081457129860350581051957,
- "size": 50,
- "commit_id": "fcd4b5335a6df4e0676ee32e2267ca71d70fe623",
- "message": "Fix TSRM (after afc1debb)",
- "target": 0,
- "dataset": "other",
- "idx": 285598
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ssh_bind_accept",
- "ssh_bind_accept_fd",
- "ssh_bind_import_keys"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "static int ssh_bind_import_keys(ssh_bind sshbind) {\n int rc;\n\n if (sshbind->ecdsakey == NULL &&\n sshbind->dsakey == NULL &&\n sshbind->rsakey == NULL) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"ECDSA, DSA, or RSA host key file must be set\");\n return SSH_ERROR;\n }\n\n#ifdef HAVE_ECC\n if (sshbind->ecdsa == NULL && sshbind->ecdsakey != NULL) {\n rc = ssh_pki_import_privkey_file(sshbind->ecdsakey,\n NULL,\n NULL,\n NULL,\n &sshbind->ecdsa);\n if (rc == SSH_ERROR || rc == SSH_EOF) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"Failed to import private ECDSA host key\");\n return SSH_ERROR;\n }\n\n if (ssh_key_type(sshbind->ecdsa) != SSH_KEYTYPE_ECDSA) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"The ECDSA host key has the wrong type\");\n ssh_key_free(sshbind->ecdsa);\n sshbind->ecdsa = NULL;\n return SSH_ERROR;\n }\n }\n#endif\n\n if (sshbind->dsa == NULL && sshbind->dsakey != NULL) {\n rc = ssh_pki_import_privkey_file(sshbind->dsakey,\n NULL,\n NULL,\n NULL,\n &sshbind->dsa);\n if (rc == SSH_ERROR || rc == SSH_EOF) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"Failed to import private DSA host key\");\n return SSH_ERROR;\n }\n\n if (ssh_key_type(sshbind->dsa) != SSH_KEYTYPE_DSS) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"The DSA host key has the wrong type: %d\",\n ssh_key_type(sshbind->dsa));\n ssh_key_free(sshbind->dsa);\n sshbind->dsa = NULL;\n return SSH_ERROR;\n }\n }\n\n if (sshbind->rsa == NULL && sshbind->rsakey != NULL) {\n rc = ssh_pki_import_privkey_file(sshbind->rsakey,\n NULL,\n NULL,\n NULL,\n &sshbind->rsa);\n if (rc == SSH_ERROR || rc == SSH_EOF) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"Failed to import private RSA host key\");\n return SSH_ERROR;\n }\n\n if (ssh_key_type(sshbind->rsa) != SSH_KEYTYPE_RSA &&\n ssh_key_type(sshbind->rsa) != SSH_KEYTYPE_RSA1) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"The RSA host key has the wrong type\");\n ssh_key_free(sshbind->rsa);\n sshbind->rsa = NULL;\n return SSH_ERROR;\n }\n }\n\n return SSH_OK;\n}",
- "target": 0,
- "cwe": [
- "CWE-310"
- ],
- "project": "libssh",
- "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0",
- "hash": 135131792960307994107176415297779068866,
- "size": 80,
- "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.",
- "dataset": "other",
- "idx": 497582
- },
- {
- "func": "static socket_t bind_socket(ssh_bind sshbind, const char *hostname,\n int port) {\n char port_c[6];\n struct addrinfo *ai;\n struct addrinfo hints;\n int opt = 1;\n socket_t s;\n int rc;\n\n ZERO_STRUCT(hints);\n\n hints.ai_flags = AI_PASSIVE;\n hints.ai_socktype = SOCK_STREAM;\n\n snprintf(port_c, 6, \"%d\", port);\n rc = getaddrinfo(hostname, port_c, &hints, &ai);\n if (rc != 0) {\n ssh_set_error(sshbind,\n SSH_FATAL,\n \"Resolving %s: %s\", hostname, gai_strerror(rc));\n return -1;\n }\n\n s = socket (ai->ai_family,\n ai->ai_socktype,\n ai->ai_protocol);\n if (s == SSH_INVALID_SOCKET) {\n ssh_set_error(sshbind, SSH_FATAL, \"%s\", strerror(errno));\n freeaddrinfo (ai);\n return -1;\n }\n\n if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,\n (char *)&opt, sizeof(opt)) < 0) {\n ssh_set_error(sshbind,\n SSH_FATAL,\n \"Setting socket options failed: %s\",\n strerror(errno));\n freeaddrinfo (ai);\n close(s);\n return -1;\n }\n\n if (bind(s, ai->ai_addr, ai->ai_addrlen) != 0) {\n ssh_set_error(sshbind,\n SSH_FATAL,\n \"Binding to %s:%d: %s\",\n hostname,\n port,\n strerror(errno));\n freeaddrinfo (ai);\n close(s);\n return -1;\n }\n\n freeaddrinfo (ai);\n return s;\n}",
- "target": 0,
- "cwe": [
- "CWE-310"
- ],
- "project": "libssh",
- "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0",
- "hash": 173339869333689413947099578402182230467,
- "size": 58,
- "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.",
- "dataset": "other",
- "idx": 497571
- },
- {
- "func": "int ssh_bind_listen(ssh_bind sshbind) {\n const char *host;\n socket_t fd;\n int rc;\n\n if (ssh_init() < 0) {\n ssh_set_error(sshbind, SSH_FATAL, \"ssh_init() failed\");\n return -1;\n }\n\n rc = ssh_bind_import_keys(sshbind);\n if (rc != SSH_OK) {\n return SSH_ERROR;\n }\n\n if (sshbind->bindfd == SSH_INVALID_SOCKET) {\n host = sshbind->bindaddr;\n if (host == NULL) {\n host = \"0.0.0.0\";\n }\n\n fd = bind_socket(sshbind, host, sshbind->bindport);\n if (fd == SSH_INVALID_SOCKET) {\n ssh_key_free(sshbind->dsa);\n sshbind->dsa = NULL;\n ssh_key_free(sshbind->rsa);\n sshbind->rsa = NULL;\n return -1;\n }\n sshbind->bindfd = fd;\n\n if (listen(fd, 10) < 0) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"Listening to socket %d: %s\",\n fd, strerror(errno));\n close(fd);\n ssh_key_free(sshbind->dsa);\n sshbind->dsa = NULL;\n ssh_key_free(sshbind->rsa);\n sshbind->rsa = NULL;\n return -1;\n }\n } else {\n SSH_LOG(SSH_LOG_INFO, \"Using app-provided bind socket\");\n }\n return 0;\n}",
- "target": 0,
- "cwe": [
- "CWE-310"
- ],
- "project": "libssh",
- "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0",
- "hash": 64414208037938162023631478119560321020,
- "size": 47,
- "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.",
- "dataset": "other",
- "idx": 497585
- },
- {
- "func": "int ssh_bind_accept(ssh_bind sshbind, ssh_session session) {\n socket_t fd = SSH_INVALID_SOCKET;\n int rc;\n if (sshbind->bindfd == SSH_INVALID_SOCKET) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"Can't accept new clients on a not bound socket.\");\n return SSH_ERROR;\n }\n\n if (session == NULL){\n ssh_set_error(sshbind, SSH_FATAL,\"session is null\");\n return SSH_ERROR;\n }\n\n fd = accept(sshbind->bindfd, NULL, NULL);\n if (fd == SSH_INVALID_SOCKET) {\n ssh_set_error(sshbind, SSH_FATAL,\n \"Accepting a new connection: %s\",\n strerror(errno));\n return SSH_ERROR;\n }\n rc = ssh_bind_accept_fd(sshbind, session, fd);\n\n if(rc == SSH_ERROR){\n#ifdef _WIN32\n closesocket(fd);\n#else\n close(fd);\n#endif\n ssh_socket_free(session->socket);\n }\n return rc;\n}",
- "target": 0,
- "cwe": [
- "CWE-310"
- ],
- "project": "libssh",
- "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0",
- "hash": 291515228790407961465346476453129936868,
- "size": 33,
- "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.",
- "dataset": "other",
- "idx": 497611
- },
- {
- "func": "void ssh_reseed(void){\n struct timeval tv;\n gettimeofday(&tv, NULL);\n RAND_add(&tv, sizeof(tv), 0.0);\n}",
- "target": 0,
- "cwe": [
- "CWE-310"
- ],
- "project": "libssh",
- "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0",
- "hash": 305542695176359193849183352525571486978,
- "size": 5,
- "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.",
- "dataset": "other",
- "idx": 497607
- },
- {
- "func": "void ssh_reseed(void){\n\t}",
- "target": 0,
- "cwe": [
- "CWE-310"
- ],
- "project": "libssh",
- "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0",
- "hash": 291255402854087085271531697813318542559,
- "size": 2,
- "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.",
- "dataset": "other",
- "idx": 497608
- },
- {
- "func": "int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){\n int i, rc;\n\n if (session == NULL){\n ssh_set_error(sshbind, SSH_FATAL,\"session is null\");\n return SSH_ERROR;\n }\n\n session->server = 1;\n session->version = 2;\n\n /* copy options */\n for (i = 0; i < 10; ++i) {\n if (sshbind->wanted_methods[i]) {\n session->opts.wanted_methods[i] = strdup(sshbind->wanted_methods[i]);\n if (session->opts.wanted_methods[i] == NULL) {\n return SSH_ERROR;\n }\n }\n }\n\n if (sshbind->bindaddr == NULL)\n session->opts.bindaddr = NULL;\n else {\n SAFE_FREE(session->opts.bindaddr);\n session->opts.bindaddr = strdup(sshbind->bindaddr);\n if (session->opts.bindaddr == NULL) {\n return SSH_ERROR;\n }\n }\n\n session->common.log_verbosity = sshbind->common.log_verbosity;\n if(sshbind->banner != NULL)\n \tsession->opts.custombanner = strdup(sshbind->banner);\n ssh_socket_free(session->socket);\n session->socket = ssh_socket_new(session);\n if (session->socket == NULL) {\n /* perhaps it may be better to copy the error from session to sshbind */\n ssh_set_error_oom(sshbind);\n return SSH_ERROR;\n }\n ssh_socket_set_fd(session->socket, fd);\n ssh_socket_get_poll_handle_out(session->socket);\n\n /* We must try to import any keys that could be imported in case\n * we are not using ssh_bind_listen (which is the other place\n * where keys can be imported) on this ssh_bind and are instead\n * only using ssh_bind_accept_fd to manage sockets ourselves.\n */\n rc = ssh_bind_import_keys(sshbind);\n if (rc != SSH_OK) {\n return SSH_ERROR;\n }\n\n#ifdef HAVE_ECC\n if (sshbind->ecdsa) {\n session->srv.ecdsa_key = ssh_key_dup(sshbind->ecdsa);\n if (session->srv.ecdsa_key == NULL) {\n ssh_set_error_oom(sshbind);\n return SSH_ERROR;\n }\n }\n#endif\n if (sshbind->dsa) {\n session->srv.dsa_key = ssh_key_dup(sshbind->dsa);\n if (session->srv.dsa_key == NULL) {\n ssh_set_error_oom(sshbind);\n return SSH_ERROR;\n }\n }\n if (sshbind->rsa) {\n session->srv.rsa_key = 
ssh_key_dup(sshbind->rsa);\n if (session->srv.rsa_key == NULL) {\n ssh_set_error_oom(sshbind);\n return SSH_ERROR;\n }\n }\n return SSH_OK;\n}",
- "target": 1,
- "cwe": [
- "CWE-310"
- ],
- "project": "libssh",
- "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0",
- "hash": 155342663606614956692829213292082664878,
- "size": 79,
- "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.",
- "dataset": "other",
- "idx": 215904
- },
- {
- "func": "int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){\n int i, rc;\n\n if (session == NULL){\n ssh_set_error(sshbind, SSH_FATAL,\"session is null\");\n return SSH_ERROR;\n }\n\n session->server = 1;\n session->version = 2;\n\n /* copy options */\n for (i = 0; i < 10; ++i) {\n if (sshbind->wanted_methods[i]) {\n session->opts.wanted_methods[i] = strdup(sshbind->wanted_methods[i]);\n if (session->opts.wanted_methods[i] == NULL) {\n return SSH_ERROR;\n }\n }\n }\n\n if (sshbind->bindaddr == NULL)\n session->opts.bindaddr = NULL;\n else {\n SAFE_FREE(session->opts.bindaddr);\n session->opts.bindaddr = strdup(sshbind->bindaddr);\n if (session->opts.bindaddr == NULL) {\n return SSH_ERROR;\n }\n }\n\n session->common.log_verbosity = sshbind->common.log_verbosity;\n if(sshbind->banner != NULL)\n \tsession->opts.custombanner = strdup(sshbind->banner);\n ssh_socket_free(session->socket);\n session->socket = ssh_socket_new(session);\n if (session->socket == NULL) {\n /* perhaps it may be better to copy the error from session to sshbind */\n ssh_set_error_oom(sshbind);\n return SSH_ERROR;\n }\n ssh_socket_set_fd(session->socket, fd);\n ssh_socket_get_poll_handle_out(session->socket);\n\n /* We must try to import any keys that could be imported in case\n * we are not using ssh_bind_listen (which is the other place\n * where keys can be imported) on this ssh_bind and are instead\n * only using ssh_bind_accept_fd to manage sockets ourselves.\n */\n rc = ssh_bind_import_keys(sshbind);\n if (rc != SSH_OK) {\n return SSH_ERROR;\n }\n\n#ifdef HAVE_ECC\n if (sshbind->ecdsa) {\n session->srv.ecdsa_key = ssh_key_dup(sshbind->ecdsa);\n if (session->srv.ecdsa_key == NULL) {\n ssh_set_error_oom(sshbind);\n return SSH_ERROR;\n }\n }\n#endif\n if (sshbind->dsa) {\n session->srv.dsa_key = ssh_key_dup(sshbind->dsa);\n if (session->srv.dsa_key == NULL) {\n ssh_set_error_oom(sshbind);\n return SSH_ERROR;\n }\n }\n if (sshbind->rsa) {\n session->srv.rsa_key = 
ssh_key_dup(sshbind->rsa);\n if (session->srv.rsa_key == NULL) {\n ssh_set_error_oom(sshbind);\n return SSH_ERROR;\n }\n }\n /* force PRNG to change state in case we fork after ssh_bind_accept */\n ssh_reseed();\n return SSH_OK;\n}",
- "target": 0,
- "cwe": [
- "CWE-310"
- ],
- "project": "libssh",
- "commit_id": "e99246246b4061f7e71463f8806b9dcad65affa0",
- "hash": 50685877395540749769671536212771341726,
- "size": 81,
- "message": "security: fix for vulnerability CVE-2014-0017\n\nWhen accepting a new connection, a forking server based on libssh forks\nand the child process handles the request. The RAND_bytes() function of\nopenssl doesn't reset its state after the fork, but simply adds the\ncurrent process id (getpid) to the PRNG state, which is not guaranteed\nto be unique.\nThis can cause several children to end up with same PRNG state which is\na security issue.",
- "dataset": "other",
- "idx": 497609
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "ares_getaddrinfo",
- "next_lookup",
- "next_dns_lookup",
- "as_is_first"
- ],
- "group_size": 11,
- "functions": [
- {
- "func": "static int as_is_first(const struct host_query* hquery)\n{\n char* p;\n int ndots = 0;\n for (p = hquery->name; *p; p++)\n {\n if (*p == '.')\n {\n ndots++;\n }\n }\n return ndots >= hquery->channel->ndots;\n}",
- "project": "c-ares",
- "hash": 237346194066420551353335228895255001524,
- "size": 13,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478390
- },
- {
- "func": "struct ares_addrinfo_node *ares__malloc_addrinfo_node()\n{\n struct ares_addrinfo_node *node =\n ares_malloc(sizeof(struct ares_addrinfo_node));\n if (!node)\n return NULL;\n\n *node = empty_addrinfo_node;\n return node;\n}",
- "project": "c-ares",
- "hash": 331518379725729988919523964971797931276,
- "size": 10,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478401
- },
- {
- "func": "static void next_lookup(struct host_query *hquery, int status)\n{\n switch (*hquery->remaining_lookups)\n {\n case 'b':\n /* DNS lookup */\n if (next_dns_lookup(hquery))\n break;\n hquery->remaining_lookups++;\n next_lookup(hquery, status);\n break;\n\n case 'f':\n /* Host file lookup */\n if (file_lookup(hquery) == ARES_SUCCESS)\n {\n end_hquery(hquery, ARES_SUCCESS);\n break;\n }\n hquery->remaining_lookups++;\n next_lookup(hquery, status);\n break;\n default:\n /* No lookup left */\n end_hquery(hquery, status);\n break;\n }\n}",
- "project": "c-ares",
- "hash": 249579464914117560189654227896029669445,
- "size": 28,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478393
- },
- {
- "func": "static unsigned short lookup_service(const char *service, int flags)\n{\n const char *proto;\n struct servent *sep;\n#ifdef HAVE_GETSERVBYNAME_R\n struct servent se;\n char tmpbuf[4096];\n#endif\n\n if (service)\n {\n if (flags & ARES_NI_UDP)\n proto = \"udp\";\n else if (flags & ARES_NI_SCTP)\n proto = \"sctp\";\n else if (flags & ARES_NI_DCCP)\n proto = \"dccp\";\n else\n proto = \"tcp\";\n#ifdef HAVE_GETSERVBYNAME_R\n memset(&se, 0, sizeof(se));\n sep = &se;\n memset(tmpbuf, 0, sizeof(tmpbuf));\n#if GETSERVBYNAME_R_ARGS == 6\n if (getservbyname_r(service, proto, &se, (void *)tmpbuf, sizeof(tmpbuf),\n &sep) != 0)\n sep = NULL; /* LCOV_EXCL_LINE: buffer large so this never fails */\n#elif GETSERVBYNAME_R_ARGS == 5\n sep =\n getservbyname_r(service, proto, &se, (void *)tmpbuf, sizeof(tmpbuf));\n#elif GETSERVBYNAME_R_ARGS == 4\n if (getservbyname_r(service, proto, &se, (void *)tmpbuf) != 0)\n sep = NULL;\n#else\n /* Lets just hope the OS uses TLS! */\n sep = getservbyname(service, proto);\n#endif\n#else\n /* Lets just hope the OS uses TLS! */\n#if (defined(NETWARE) && !defined(__NOVELL_LIBC__))\n sep = getservbyname(service, (char *)proto);\n#else\n sep = getservbyname(service, proto);\n#endif\n#endif\n return (sep ? ntohs((unsigned short)sep->s_port) : 0);\n }\n return 0;\n}",
- "project": "c-ares",
- "hash": 200609651790992095530661424133344557133,
- "size": 49,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478400
- },
- {
- "func": "static void host_callback(void *arg, int status, int timeouts,\n unsigned char *abuf, int alen)\n{\n struct host_query *hquery = (struct host_query*)arg;\n int addinfostatus = ARES_SUCCESS;\n hquery->timeouts += timeouts;\n hquery->remaining--;\n\n if (status == ARES_SUCCESS)\n {\n addinfostatus = ares__parse_into_addrinfo(abuf, alen, hquery->ai);\n }\n else if (status == ARES_EDESTRUCTION)\n {\n end_hquery(hquery, status);\n }\n\n if (!hquery->remaining)\n {\n if (addinfostatus != ARES_SUCCESS)\n {\n /* error in parsing result e.g. no memory */\n end_hquery(hquery, addinfostatus);\n }\n else if (hquery->ai->nodes)\n {\n /* at least one query ended with ARES_SUCCESS */\n end_hquery(hquery, ARES_SUCCESS);\n }\n else if (status == ARES_ENOTFOUND)\n {\n next_lookup(hquery, status);\n }\n else\n {\n end_hquery(hquery, status);\n }\n }\n\n /* at this point we keep on waiting for the next query to finish */\n}",
- "project": "c-ares",
- "hash": 338428520293637615587127648198461687166,
- "size": 41,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 1,
- "dataset": "other",
- "idx": 214405
- },
- {
- "func": "static void host_callback(void *arg, int status, int timeouts,\n unsigned char *abuf, int alen)\n{\n struct host_query *hquery = (struct host_query*)arg;\n int addinfostatus = ARES_SUCCESS;\n hquery->timeouts += timeouts;\n hquery->remaining--;\n\n if (status == ARES_SUCCESS)\n {\n addinfostatus = ares__parse_into_addrinfo(abuf, alen, hquery->ai);\n }\n else if (status == ARES_EDESTRUCTION)\n {\n end_hquery(hquery, status);\n return;\n }\n\n if (!hquery->remaining)\n {\n if (addinfostatus != ARES_SUCCESS)\n {\n /* error in parsing result e.g. no memory */\n end_hquery(hquery, addinfostatus);\n }\n else if (hquery->ai->nodes)\n {\n /* at least one query ended with ARES_SUCCESS */\n end_hquery(hquery, ARES_SUCCESS);\n }\n else if (status == ARES_ENOTFOUND)\n {\n next_lookup(hquery, status);\n }\n else\n {\n end_hquery(hquery, status);\n }\n }\n\n /* at this point we keep on waiting for the next query to finish */\n}",
- "project": "c-ares",
- "hash": 65112642692504141750909294658666282062,
- "size": 42,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478396
- },
- {
- "func": "static int fake_addrinfo(const char *name,\n unsigned short port,\n const struct ares_addrinfo_hints *hints,\n struct ares_addrinfo *ai,\n ares_addrinfo_callback callback,\n void *arg)\n{\n struct ares_addrinfo_cname *cname;\n struct ares_addrinfo_node *node;\n ares_sockaddr addr;\n size_t addrlen;\n int result = 0;\n int family = hints->ai_family;\n if (family == AF_INET || family == AF_INET6 || family == AF_UNSPEC)\n {\n /* It only looks like an IP address if it's all numbers and dots. */\n int numdots = 0, valid = 1;\n const char *p;\n for (p = name; *p; p++)\n {\n if (!ISDIGIT(*p) && *p != '.')\n {\n valid = 0;\n break;\n }\n else if (*p == '.')\n {\n numdots++;\n }\n }\n\n memset(&addr, 0, sizeof(addr));\n\n /* if we don't have 3 dots, it is illegal\n * (although inet_pton doesn't think so).\n */\n if (numdots != 3 || !valid)\n result = 0;\n else\n result =\n (ares_inet_pton(AF_INET, name, &addr.sa4.sin_addr) < 1 ? 0 : 1);\n\n if (result)\n {\n family = addr.sa.sa_family = AF_INET;\n addr.sa4.sin_port = htons(port);\n addrlen = sizeof(addr.sa4);\n }\n }\n\n if (family == AF_INET6 || family == AF_UNSPEC)\n {\n result =\n (ares_inet_pton(AF_INET6, name, &addr.sa6.sin6_addr) < 1 ? 
0 : 1);\n addr.sa6.sin6_family = AF_INET6;\n addr.sa6.sin6_port = htons(port);\n addrlen = sizeof(addr.sa6);\n }\n\n if (!result)\n return 0;\n\n node = ares__malloc_addrinfo_node();\n if (!node)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return 1;\n }\n\n ai->nodes = node;\n\n node->ai_addr = ares_malloc(addrlen);\n if (!node->ai_addr)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return 1;\n }\n\n node->ai_addrlen = (unsigned int)addrlen;\n node->ai_family = addr.sa.sa_family;\n if (addr.sa.sa_family == AF_INET)\n memcpy(node->ai_addr, &addr.sa4, sizeof(addr.sa4));\n else\n memcpy(node->ai_addr, &addr.sa6, sizeof(addr.sa6));\n\n if (hints->ai_flags & ARES_AI_CANONNAME)\n {\n cname = ares__append_addrinfo_cname(&ai->cnames);\n if (!cname)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return 1;\n }\n\n /* Duplicate the name, to avoid a constness violation. */\n cname->name = ares_strdup(name);\n if (!cname->name)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return 1;\n }\n }\n\n callback(arg, ARES_SUCCESS, 0, ai);\n return 1;\n}",
- "project": "c-ares",
- "hash": 66006611725293027056403245970014345416,
- "size": 110,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478397
- },
- {
- "func": "static int file_lookup(struct host_query *hquery)\n{\n FILE *fp;\n int error;\n int status;\n const char *path_hosts = NULL;\n\n if (hquery->hints.ai_flags & ARES_AI_ENVHOSTS)\n {\n path_hosts = getenv(\"CARES_HOSTS\");\n }\n\n if (!path_hosts)\n {\n#ifdef WIN32\n char PATH_HOSTS[MAX_PATH];\n win_platform platform;\n\n PATH_HOSTS[0] = '\\0';\n\n platform = ares__getplatform();\n\n if (platform == WIN_NT)\n {\n char tmp[MAX_PATH];\n HKEY hkeyHosts;\n\n if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, WIN_NS_NT_KEY, 0, KEY_READ,\n &hkeyHosts) == ERROR_SUCCESS)\n {\n DWORD dwLength = MAX_PATH;\n RegQueryValueExA(hkeyHosts, DATABASEPATH, NULL, NULL, (LPBYTE)tmp,\n &dwLength);\n ExpandEnvironmentStringsA(tmp, PATH_HOSTS, MAX_PATH);\n RegCloseKey(hkeyHosts);\n }\n }\n else if (platform == WIN_9X)\n GetWindowsDirectoryA(PATH_HOSTS, MAX_PATH);\n else\n return ARES_ENOTFOUND;\n\n strcat(PATH_HOSTS, WIN_PATH_HOSTS);\n path_hosts = PATH_HOSTS;\n\n#elif defined(WATT32)\n const char *PATH_HOSTS = _w32_GetHostsFile();\n\n if (!PATH_HOSTS)\n return ARES_ENOTFOUND;\n#endif\n path_hosts = PATH_HOSTS;\n }\n\n fp = fopen(path_hosts, \"r\");\n if (!fp)\n {\n error = ERRNO;\n switch (error)\n {\n case ENOENT:\n case ESRCH:\n return ARES_ENOTFOUND;\n default:\n DEBUGF(fprintf(stderr, \"fopen() failed with error: %d %s\\n\", error,\n strerror(error)));\n DEBUGF(fprintf(stderr, \"Error opening file: %s\\n\", path_hosts));\n return ARES_EFILE;\n }\n }\n status = ares__readaddrinfo(fp, hquery->name, hquery->port, &hquery->hints, hquery->ai);\n fclose(fp);\n return status;\n}",
- "project": "c-ares",
- "hash": 91599572035713631136624203713505139306,
- "size": 74,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478389
- },
- {
- "func": "static void end_hquery(struct host_query *hquery, int status)\n{\n struct ares_addrinfo_node sentinel;\n struct ares_addrinfo_node *next;\n if (status == ARES_SUCCESS)\n {\n if (!(hquery->hints.ai_flags & ARES_AI_NOSORT))\n {\n sentinel.ai_next = hquery->ai->nodes;\n ares__sortaddrinfo(hquery->channel, &sentinel);\n hquery->ai->nodes = sentinel.ai_next;\n }\n next = hquery->ai->nodes;\n /* Set port into each address (resolved separately). */\n while (next)\n {\n if (next->ai_family == AF_INET)\n {\n (CARES_INADDR_CAST(struct sockaddr_in *, next->ai_addr))->sin_port = htons(hquery->port);\n }\n else\n {\n (CARES_INADDR_CAST(struct sockaddr_in6 *, next->ai_addr))->sin6_port = htons(hquery->port);\n }\n next = next->ai_next;\n }\n }\n else\n {\n /* Clean up what we have collected by so far. */\n ares_freeaddrinfo(hquery->ai);\n hquery->ai = NULL;\n }\n\n hquery->callback(hquery->arg, status, hquery->timeouts, hquery->ai);\n ares_free(hquery->name);\n ares_free(hquery);\n}",
- "project": "c-ares",
- "hash": 71186623123778906237306314660113629765,
- "size": 38,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478388
- },
- {
- "func": "static int next_dns_lookup(struct host_query *hquery)\n{\n char *s = NULL;\n int is_s_allocated = 0;\n int status;\n\n /* if next_domain == -1 and as_is_first is true, try hquery->name */\n if (hquery->next_domain == -1)\n {\n if (as_is_first(hquery))\n {\n s = hquery->name;\n }\n hquery->next_domain = 0;\n }\n\n /* if as_is_first is false, try hquery->name at last */\n if (!s && hquery->next_domain == hquery->channel->ndomains) {\n if (!as_is_first(hquery))\n {\n s = hquery->name;\n }\n hquery->next_domain++;\n }\n\n if (!s && hquery->next_domain < hquery->channel->ndomains)\n {\n status = ares__cat_domain(\n hquery->name,\n hquery->channel->domains[hquery->next_domain++],\n &s);\n if (status == ARES_SUCCESS)\n {\n is_s_allocated = 1;\n }\n }\n\n if (s)\n {\n switch (hquery->hints.ai_family)\n {\n case AF_INET:\n hquery->remaining += 1;\n ares_query(hquery->channel, s, C_IN, T_A, host_callback, hquery);\n break;\n case AF_INET6:\n hquery->remaining += 1;\n ares_query(hquery->channel, s, C_IN, T_AAAA, host_callback, hquery);\n break;\n case AF_UNSPEC:\n hquery->remaining += 2;\n ares_query(hquery->channel, s, C_IN, T_A, host_callback, hquery);\n ares_query(hquery->channel, s, C_IN, T_AAAA, host_callback, hquery);\n break;\n default: break;\n }\n if (is_s_allocated)\n {\n ares_free(s);\n }\n return 1;\n }\n else\n {\n assert(!hquery->ai->nodes);\n return 0;\n }\n}",
- "project": "c-ares",
- "hash": 178615620088609344767490760442616582817,
- "size": 68,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478399
- },
- {
- "func": "void ares_getaddrinfo(ares_channel channel,\n const char* name, const char* service,\n const struct ares_addrinfo_hints* hints,\n ares_addrinfo_callback callback, void* arg)\n{\n struct host_query *hquery;\n unsigned short port = 0;\n int family;\n struct ares_addrinfo *ai;\n\n if (!hints)\n {\n hints = &default_hints;\n }\n\n family = hints->ai_family;\n\n /* Right now we only know how to look up Internet addresses\n and unspec means try both basically. */\n if (family != AF_INET &&\n family != AF_INET6 &&\n family != AF_UNSPEC)\n {\n callback(arg, ARES_ENOTIMP, 0, NULL);\n return;\n }\n\n if (ares__is_onion_domain(name))\n {\n callback(arg, ARES_ENOTFOUND, 0, NULL);\n return;\n }\n\n if (service)\n {\n if (hints->ai_flags & ARES_AI_NUMERICSERV)\n {\n port = (unsigned short)strtoul(service, NULL, 0);\n if (!port)\n {\n callback(arg, ARES_ESERVICE, 0, NULL);\n return;\n }\n }\n else\n {\n port = lookup_service(service, 0);\n if (!port)\n {\n port = (unsigned short)strtoul(service, NULL, 0);\n if (!port)\n {\n callback(arg, ARES_ESERVICE, 0, NULL);\n return;\n }\n }\n }\n }\n\n ai = ares__malloc_addrinfo();\n if (!ai)\n {\n callback(arg, ARES_ENOMEM, 0, NULL);\n return;\n }\n\n if (fake_addrinfo(name, port, hints, ai, callback, arg))\n {\n return;\n }\n\n /* Allocate and fill in the host query structure. 
*/\n hquery = ares_malloc(sizeof(struct host_query));\n if (!hquery)\n {\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return;\n }\n\n hquery->name = ares_strdup(name);\n if (!hquery->name)\n {\n ares_free(hquery);\n ares_freeaddrinfo(ai);\n callback(arg, ARES_ENOMEM, 0, NULL);\n return;\n }\n\n hquery->port = port;\n hquery->channel = channel;\n hquery->hints = *hints;\n hquery->sent_family = -1; /* nothing is sent yet */\n hquery->callback = callback;\n hquery->arg = arg;\n hquery->remaining_lookups = channel->lookups;\n hquery->timeouts = 0;\n hquery->ai = ai;\n hquery->next_domain = -1;\n hquery->remaining = 0;\n\n /* Start performing lookups according to channel->lookups. */\n next_lookup(hquery, ARES_ECONNREFUSED /* initial error code */);\n}",
- "project": "c-ares",
- "hash": 313928135751897402325324090812725212075,
- "size": 104,
- "commit_id": "1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
- "message": "Prevent possible double-free in ares_getaddrinfo() if ares_destroy() is called\n\nIn the event that ares_destroy() is called prior to ares_getaddrinfo() completing,\nit would result in an invalid read and double-free due to calling end_hquery() twice.\n\nReported By: Jann Horn @ Google Project Zero",
- "target": 0,
- "dataset": "other",
- "idx": 478394
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "lp_write",
- "lp_wait_ready",
- "lp_check_status",
- "lp_error",
- "lp_claim_parport_or_block"
- ],
- "group_size": 17,
- "functions": [
- {
- "func": "static long lp_ioctl(struct file *file, unsigned int cmd,\n\t\t\tunsigned long arg)\n{\n\tunsigned int minor;\n\tstruct timeval par_timeout;\n\tint ret;\n\n\tminor = iminor(file_inode(file));\n\tmutex_lock(&lp_mutex);\n\tswitch (cmd) {\n\tcase LPSETTIMEOUT:\n\t\tif (copy_from_user(&par_timeout, (void __user *)arg,\n\t\t\t\t\tsizeof (struct timeval))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tret = lp_set_timeout(minor, &par_timeout);\n\t\tbreak;\n\tdefault:\n\t\tret = lp_do_ioctl(minor, cmd, arg, (void __user *)arg);\n\t\tbreak;\n\t}\n\tmutex_unlock(&lp_mutex);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 310317011291507096778848627939386883859,
- "size": 26,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450876
- },
- {
- "func": "static int lp_do_ioctl(unsigned int minor, unsigned int cmd,\n\tunsigned long arg, void __user *argp)\n{\n\tint status;\n\tint retval = 0;\n\n#ifdef LP_DEBUG\n\tprintk(KERN_DEBUG \"lp%d ioctl, cmd: 0x%x, arg: 0x%lx\\n\", minor, cmd, arg);\n#endif\n\tif (minor >= LP_NO)\n\t\treturn -ENODEV;\n\tif ((LP_F(minor) & LP_EXIST) == 0)\n\t\treturn -ENODEV;\n\tswitch ( cmd ) {\n\t\tcase LPTIME:\n\t\t\tif (arg > UINT_MAX / HZ)\n\t\t\t\treturn -EINVAL;\n\t\t\tLP_TIME(minor) = arg * HZ/100;\n\t\t\tbreak;\n\t\tcase LPCHAR:\n\t\t\tLP_CHAR(minor) = arg;\n\t\t\tbreak;\n\t\tcase LPABORT:\n\t\t\tif (arg)\n\t\t\t\tLP_F(minor) |= LP_ABORT;\n\t\t\telse\n\t\t\t\tLP_F(minor) &= ~LP_ABORT;\n\t\t\tbreak;\n\t\tcase LPABORTOPEN:\n\t\t\tif (arg)\n\t\t\t\tLP_F(minor) |= LP_ABORTOPEN;\n\t\t\telse\n\t\t\t\tLP_F(minor) &= ~LP_ABORTOPEN;\n\t\t\tbreak;\n\t\tcase LPCAREFUL:\n\t\t\tif (arg)\n\t\t\t\tLP_F(minor) |= LP_CAREFUL;\n\t\t\telse\n\t\t\t\tLP_F(minor) &= ~LP_CAREFUL;\n\t\t\tbreak;\n\t\tcase LPWAIT:\n\t\t\tLP_WAIT(minor) = arg;\n\t\t\tbreak;\n\t\tcase LPSETIRQ: \n\t\t\treturn -EINVAL;\n\t\t\tbreak;\n\t\tcase LPGETIRQ:\n\t\t\tif (copy_to_user(argp, &LP_IRQ(minor),\n\t\t\t\t\tsizeof(int)))\n\t\t\t\treturn -EFAULT;\n\t\t\tbreak;\n\t\tcase LPGETSTATUS:\n\t\t\tif (mutex_lock_interruptible(&lp_table[minor].port_mutex))\n\t\t\t\treturn -EINTR;\n\t\t\tlp_claim_parport_or_block (&lp_table[minor]);\n\t\t\tstatus = r_str(minor);\n\t\t\tlp_release_parport (&lp_table[minor]);\n\t\t\tmutex_unlock(&lp_table[minor].port_mutex);\n\n\t\t\tif (copy_to_user(argp, &status, sizeof(int)))\n\t\t\t\treturn -EFAULT;\n\t\t\tbreak;\n\t\tcase LPRESET:\n\t\t\tlp_reset(minor);\n\t\t\tbreak;\n#ifdef LP_STATS\n\t\tcase LPGETSTATS:\n\t\t\tif (copy_to_user(argp, &LP_STAT(minor),\n\t\t\t\t\tsizeof(struct lp_stats)))\n\t\t\t\treturn -EFAULT;\n\t\t\tif (capable(CAP_SYS_ADMIN))\n\t\t\t\tmemset(&LP_STAT(minor), 0,\n\t\t\t\t\t\tsizeof(struct lp_stats));\n\t\t\tbreak;\n#endif\n \t\tcase LPGETFLAGS:\n \t\t\tstatus = 
LP_F(minor);\n\t\t\tif (copy_to_user(argp, &status, sizeof(int)))\n\t\t\t\treturn -EFAULT;\n\t\t\tbreak;\n\n\t\tdefault:\n\t\t\tretval = -EINVAL;\n\t}\n\treturn retval;\n}",
- "project": "linux",
- "hash": 130937153518089685760846986940114699309,
- "size": 86,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450889
- },
- {
- "func": "static void lp_release_parport(struct lp_struct *this_lp)\n{\n\tif (test_and_clear_bit(LP_PARPORT_CLAIMED, &this_lp->bits)) {\n\t\tparport_release (this_lp->dev);\n\t}\n}",
- "project": "linux",
- "hash": 325627075379842917137031662491786157013,
- "size": 6,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450872
- },
- {
- "func": "static ssize_t lp_read(struct file * file, char __user * buf,\n\t\t size_t count, loff_t *ppos)\n{\n\tDEFINE_WAIT(wait);\n\tunsigned int minor=iminor(file_inode(file));\n\tstruct parport *port = lp_table[minor].dev->port;\n\tssize_t retval = 0;\n\tchar *kbuf = lp_table[minor].lp_buffer;\n\tint nonblock = ((file->f_flags & O_NONBLOCK) ||\n\t\t\t(LP_F(minor) & LP_ABORT));\n\n\tif (count > LP_BUFFER_SIZE)\n\t\tcount = LP_BUFFER_SIZE;\n\n\tif (mutex_lock_interruptible(&lp_table[minor].port_mutex))\n\t\treturn -EINTR;\n\n\tlp_claim_parport_or_block (&lp_table[minor]);\n\n\tparport_set_timeout (lp_table[minor].dev,\n\t\t\t (nonblock ? PARPORT_INACTIVITY_O_NONBLOCK\n\t\t\t : lp_table[minor].timeout));\n\n\tparport_negotiate (lp_table[minor].dev->port, IEEE1284_MODE_COMPAT);\n\tif (parport_negotiate (lp_table[minor].dev->port,\n\t\t\t IEEE1284_MODE_NIBBLE)) {\n\t\tretval = -EIO;\n\t\tgoto out;\n\t}\n\n\twhile (retval == 0) {\n\t\tretval = parport_read (port, kbuf, count);\n\n\t\tif (retval > 0)\n\t\t\tbreak;\n\n\t\tif (nonblock) {\n\t\t\tretval = -EAGAIN;\n\t\t\tbreak;\n\t\t}\n\n\t\t/* Wait for data. 
*/\n\n\t\tif (lp_table[minor].dev->port->irq == PARPORT_IRQ_NONE) {\n\t\t\tparport_negotiate (lp_table[minor].dev->port,\n\t\t\t\t\t IEEE1284_MODE_COMPAT);\n\t\t\tlp_error (minor);\n\t\t\tif (parport_negotiate (lp_table[minor].dev->port,\n\t\t\t\t\t IEEE1284_MODE_NIBBLE)) {\n\t\t\t\tretval = -EIO;\n\t\t\t\tgoto out;\n\t\t\t}\n\t\t} else {\n\t\t\tprepare_to_wait(&lp_table[minor].waitq, &wait, TASK_INTERRUPTIBLE);\n\t\t\tschedule_timeout(LP_TIMEOUT_POLLED);\n\t\t\tfinish_wait(&lp_table[minor].waitq, &wait);\n\t\t}\n\n\t\tif (signal_pending (current)) {\n\t\t\tretval = -ERESTARTSYS;\n\t\t\tbreak;\n\t\t}\n\n\t\tcond_resched ();\n\t}\n\tparport_negotiate (lp_table[minor].dev->port, IEEE1284_MODE_COMPAT);\n out:\n\tlp_release_parport (&lp_table[minor]);\n\n\tif (retval > 0 && copy_to_user (buf, kbuf, retval))\n\t\tretval = -EFAULT;\n\n\tmutex_unlock(&lp_table[minor].port_mutex);\n\n\treturn retval;\n}",
- "project": "linux",
- "hash": 154375708472708164100537430448370772239,
- "size": 76,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450894
- },
- {
- "func": "static int lp_register(int nr, struct parport *port)\n{\n\tlp_table[nr].dev = parport_register_device(port, \"lp\", \n\t\t\t\t\t\t lp_preempt, NULL, NULL, 0,\n\t\t\t\t\t\t (void *) &lp_table[nr]);\n\tif (lp_table[nr].dev == NULL)\n\t\treturn 1;\n\tlp_table[nr].flags |= LP_EXIST;\n\n\tif (reset)\n\t\tlp_reset(nr);\n\n\tdevice_create(lp_class, port->dev, MKDEV(LP_MAJOR, nr), NULL,\n\t\t \"lp%d\", nr);\n\n\tprintk(KERN_INFO \"lp%d: using %s (%s).\\n\", nr, port->name, \n\t (port->irq == PARPORT_IRQ_NONE)?\"polling\":\"interrupt-driven\");\n\n#ifdef CONFIG_LP_CONSOLE\n\tif (!nr) {\n\t\tif (port->modes & PARPORT_MODE_SAFEININT) {\n\t\t\tregister_console(&lpcons);\n\t\t\tconsole_registered = port;\n\t\t\tprintk (KERN_INFO \"lp%d: console ready\\n\", CONSOLE_LP);\n\t\t} else\n\t\t\tprintk (KERN_ERR \"lp%d: cannot run console on %s\\n\",\n\t\t\t\tCONSOLE_LP, port->name);\n\t}\n#endif\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 231515468297809346842200784678081972349,
- "size": 32,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450877
- },
- {
- "func": "static int lp_wait_ready(int minor, int nonblock)\n{\n\tint error = 0;\n\n\t/* If we're not in compatibility mode, we're ready now! */\n\tif (lp_table[minor].current_mode != IEEE1284_MODE_COMPAT) {\n\t return (0);\n\t}\n\n\tdo {\n\t\terror = lp_check_status (minor);\n\t\tif (error && (nonblock || (LP_F(minor) & LP_ABORT)))\n\t\t\tbreak;\n\t\tif (signal_pending (current)) {\n\t\t\terror = -EINTR;\n\t\t\tbreak;\n\t\t}\n\t} while (error);\n\treturn error;\n}",
- "project": "linux",
- "hash": 165698499137128099582147548390371243788,
- "size": 20,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450886
- },
- {
- "func": "static ssize_t lp_write(struct file * file, const char __user * buf,\n\t\t size_t count, loff_t *ppos)\n{\n\tunsigned int minor = iminor(file_inode(file));\n\tstruct parport *port = lp_table[minor].dev->port;\n\tchar *kbuf = lp_table[minor].lp_buffer;\n\tssize_t retv = 0;\n\tssize_t written;\n\tsize_t copy_size = count;\n\tint nonblock = ((file->f_flags & O_NONBLOCK) ||\n\t\t\t(LP_F(minor) & LP_ABORT));\n\n#ifdef LP_STATS\n\tif (time_after(jiffies, lp_table[minor].lastcall + LP_TIME(minor)))\n\t\tlp_table[minor].runchars = 0;\n\n\tlp_table[minor].lastcall = jiffies;\n#endif\n\n\t/* Need to copy the data from user-space. */\n\tif (copy_size > LP_BUFFER_SIZE)\n\t\tcopy_size = LP_BUFFER_SIZE;\n\n\tif (mutex_lock_interruptible(&lp_table[minor].port_mutex))\n\t\treturn -EINTR;\n\n\tif (copy_from_user (kbuf, buf, copy_size)) {\n\t\tretv = -EFAULT;\n\t\tgoto out_unlock;\n\t}\n\n \t/* Claim Parport or sleep until it becomes available\n \t */\n\tlp_claim_parport_or_block (&lp_table[minor]);\n\t/* Go to the proper mode. */\n\tlp_table[minor].current_mode = lp_negotiate (port, \n\t\t\t\t\t\t lp_table[minor].best_mode);\n\n\tparport_set_timeout (lp_table[minor].dev,\n\t\t\t (nonblock ? PARPORT_INACTIVITY_O_NONBLOCK\n\t\t\t : lp_table[minor].timeout));\n\n\tif ((retv = lp_wait_ready (minor, nonblock)) == 0)\n\tdo {\n\t\t/* Write the data. */\n\t\twritten = parport_write (port, kbuf, copy_size);\n\t\tif (written > 0) {\n\t\t\tcopy_size -= written;\n\t\t\tcount -= written;\n\t\t\tbuf += written;\n\t\t\tretv += written;\n\t\t}\n\n\t\tif (signal_pending (current)) {\n\t\t\tif (retv == 0)\n\t\t\t\tretv = -EINTR;\n\n\t\t\tbreak;\n\t\t}\n\n\t\tif (copy_size > 0) {\n\t\t\t/* incomplete write -> check error ! 
*/\n\t\t\tint error;\n\n\t\t\tparport_negotiate (lp_table[minor].dev->port, \n\t\t\t\t\t IEEE1284_MODE_COMPAT);\n\t\t\tlp_table[minor].current_mode = IEEE1284_MODE_COMPAT;\n\n\t\t\terror = lp_wait_ready (minor, nonblock);\n\n\t\t\tif (error) {\n\t\t\t\tif (retv == 0)\n\t\t\t\t\tretv = error;\n\t\t\t\tbreak;\n\t\t\t} else if (nonblock) {\n\t\t\t\tif (retv == 0)\n\t\t\t\t\tretv = -EAGAIN;\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tparport_yield_blocking (lp_table[minor].dev);\n\t\t\tlp_table[minor].current_mode \n\t\t\t = lp_negotiate (port, \n\t\t\t\t\t lp_table[minor].best_mode);\n\n\t\t} else if (need_resched())\n\t\t\tschedule ();\n\n\t\tif (count) {\n\t\t\tcopy_size = count;\n\t\t\tif (copy_size > LP_BUFFER_SIZE)\n\t\t\t\tcopy_size = LP_BUFFER_SIZE;\n\n\t\t\tif (copy_from_user(kbuf, buf, copy_size)) {\n\t\t\t\tif (retv == 0)\n\t\t\t\t\tretv = -EFAULT;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\t\n\t} while (count > 0);\n\n\tif (test_and_clear_bit(LP_PREEMPT_REQUEST, \n\t\t\t &lp_table[minor].bits)) {\n\t\tprintk(KERN_INFO \"lp%d releasing parport\\n\", minor);\n\t\tparport_negotiate (lp_table[minor].dev->port, \n\t\t\t\t IEEE1284_MODE_COMPAT);\n\t\tlp_table[minor].current_mode = IEEE1284_MODE_COMPAT;\n\t\tlp_release_parport (&lp_table[minor]);\n\t}\nout_unlock:\n\tmutex_unlock(&lp_table[minor].port_mutex);\n\n \treturn retv;\n}",
- "project": "linux",
- "hash": 117232957958936779529326922595402686609,
- "size": 114,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450884
- },
- {
- "func": "static int lp_check_status(int minor)\n{\n\tint error = 0;\n\tunsigned int last = lp_table[minor].last_error;\n\tunsigned char status = r_str(minor);\n\tif ((status & LP_PERRORP) && !(LP_F(minor) & LP_CAREFUL))\n\t\t/* No error. */\n\t\tlast = 0;\n\telse if ((status & LP_POUTPA)) {\n\t\tif (last != LP_POUTPA) {\n\t\t\tlast = LP_POUTPA;\n\t\t\tprintk(KERN_INFO \"lp%d out of paper\\n\", minor);\n\t\t}\n\t\terror = -ENOSPC;\n\t} else if (!(status & LP_PSELECD)) {\n\t\tif (last != LP_PSELECD) {\n\t\t\tlast = LP_PSELECD;\n\t\t\tprintk(KERN_INFO \"lp%d off-line\\n\", minor);\n\t\t}\n\t\terror = -EIO;\n\t} else if (!(status & LP_PERRORP)) {\n\t\tif (last != LP_PERRORP) {\n\t\t\tlast = LP_PERRORP;\n\t\t\tprintk(KERN_INFO \"lp%d on fire\\n\", minor);\n\t\t}\n\t\terror = -EIO;\n\t} else {\n\t\tlast = 0; /* Come here if LP_CAREFUL is set and no\n errors are reported. */\n\t}\n\n\tlp_table[minor].last_error = last;\n\n\tif (last != 0)\n\t\tlp_error(minor);\n\n\treturn error;\n}",
- "project": "linux",
- "hash": 53826108333373058949670796360280619913,
- "size": 38,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450874
- },
- {
- "func": "static void lp_attach (struct parport *port)\n{\n\tunsigned int i;\n\n\tswitch (parport_nr[0]) {\n\tcase LP_PARPORT_UNSPEC:\n\tcase LP_PARPORT_AUTO:\n\t\tif (parport_nr[0] == LP_PARPORT_AUTO &&\n\t\t port->probe_info[0].class != PARPORT_CLASS_PRINTER)\n\t\t\treturn;\n\t\tif (lp_count == LP_NO) {\n\t\t\tprintk(KERN_INFO \"lp: ignoring parallel port (max. %d)\\n\",LP_NO);\n\t\t\treturn;\n\t\t}\n\t\tif (!lp_register(lp_count, port))\n\t\t\tlp_count++;\n\t\tbreak;\n\n\tdefault:\n\t\tfor (i = 0; i < LP_NO; i++) {\n\t\t\tif (port->number == parport_nr[i]) {\n\t\t\t\tif (!lp_register(i, port))\n\t\t\t\t\tlp_count++;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tbreak;\n\t}\n}",
- "project": "linux",
- "hash": 116872138336984322809423542780047067618,
- "size": 29,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450881
- },
- {
- "func": "static int lp_reset(int minor)\n{\n\tint retval;\n\tlp_claim_parport_or_block (&lp_table[minor]);\n\tw_ctr(minor, LP_PSELECP);\n\tudelay (LP_DELAY);\n\tw_ctr(minor, LP_PSELECP | LP_PINITP);\n\tretval = r_str(minor);\n\tlp_release_parport (&lp_table[minor]);\n\treturn retval;\n}",
- "project": "linux",
- "hash": 72641415785998346157674704417312057333,
- "size": 11,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450873
- },
- {
- "func": "static int lp_release(struct inode * inode, struct file * file)\n{\n\tunsigned int minor = iminor(inode);\n\n\tlp_claim_parport_or_block (&lp_table[minor]);\n\tparport_negotiate (lp_table[minor].dev->port, IEEE1284_MODE_COMPAT);\n\tlp_table[minor].current_mode = IEEE1284_MODE_COMPAT;\n\tlp_release_parport (&lp_table[minor]);\n\tkfree(lp_table[minor].lp_buffer);\n\tlp_table[minor].lp_buffer = NULL;\n\tLP_F(minor) &= ~LP_BUSY;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 100176523045059279116912805733551169117,
- "size": 13,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450885
- },
- {
- "func": "static void lp_claim_parport_or_block(struct lp_struct *this_lp)\n{\n\tif (!test_and_set_bit(LP_PARPORT_CLAIMED, &this_lp->bits)) {\n\t\tparport_claim_or_block (this_lp->dev);\n\t}\n}",
- "project": "linux",
- "hash": 154440745684791428730342145864371334759,
- "size": 6,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450883
- },
- {
- "func": "static void lp_error (int minor)\n{\n\tDEFINE_WAIT(wait);\n\tint polling;\n\n\tif (LP_F(minor) & LP_ABORT)\n\t\treturn;\n\n\tpolling = lp_table[minor].dev->port->irq == PARPORT_IRQ_NONE;\n\tif (polling) lp_release_parport (&lp_table[minor]);\n\tprepare_to_wait(&lp_table[minor].waitq, &wait, TASK_INTERRUPTIBLE);\n\tschedule_timeout(LP_TIMEOUT_POLLED);\n\tfinish_wait(&lp_table[minor].waitq, &wait);\n\tif (polling) lp_claim_parport_or_block (&lp_table[minor]);\n\telse parport_yield_blocking (lp_table[minor].dev);\n}",
- "project": "linux",
- "hash": 194182076708265289569840949840870470183,
- "size": 16,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450893
- },
- {
- "func": "static long lp_compat_ioctl(struct file *file, unsigned int cmd,\n\t\t\tunsigned long arg)\n{\n\tunsigned int minor;\n\tstruct timeval par_timeout;\n\tint ret;\n\n\tminor = iminor(file_inode(file));\n\tmutex_lock(&lp_mutex);\n\tswitch (cmd) {\n\tcase LPSETTIMEOUT:\n\t\tif (compat_get_timeval(&par_timeout, compat_ptr(arg))) {\n\t\t\tret = -EFAULT;\n\t\t\tbreak;\n\t\t}\n\t\tret = lp_set_timeout(minor, &par_timeout);\n\t\tbreak;\n#ifdef LP_STATS\n\tcase LPGETSTATS:\n\t\t/* FIXME: add an implementation if you set LP_STATS */\n\t\tret = -EINVAL;\n\t\tbreak;\n#endif\n\tdefault:\n\t\tret = lp_do_ioctl(minor, cmd, arg, compat_ptr(arg));\n\t\tbreak;\n\t}\n\tmutex_unlock(&lp_mutex);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 124506607362284007062064640513193579418,
- "size": 31,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450891
- },
- {
- "func": "static int lp_negotiate(struct parport * port, int mode)\n{\n\tif (parport_negotiate (port, mode) != 0) {\n\t\tmode = IEEE1284_MODE_COMPAT;\n\t\tparport_negotiate (port, mode);\n\t}\n\n\treturn (mode);\n}",
- "project": "linux",
- "hash": 183732070711002803500514793696458183145,
- "size": 9,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450882
- },
- {
- "func": "static int lp_set_timeout(unsigned int minor, struct timeval *par_timeout)\n{\n\tlong to_jiffies;\n\n\t/* Convert to jiffies, place in lp_table */\n\tif ((par_timeout->tv_sec < 0) ||\n\t (par_timeout->tv_usec < 0)) {\n\t\treturn -EINVAL;\n\t}\n\tto_jiffies = DIV_ROUND_UP(par_timeout->tv_usec, 1000000/HZ);\n\tto_jiffies += par_timeout->tv_sec * (long) HZ;\n\tif (to_jiffies <= 0) {\n\t\treturn -EINVAL;\n\t}\n\tlp_table[minor].timeout = to_jiffies;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 125201676574025652251181138392245504296,
- "size": 17,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450890
- },
- {
- "func": "static int lp_open(struct inode * inode, struct file * file)\n{\n\tunsigned int minor = iminor(inode);\n\tint ret = 0;\n\n\tmutex_lock(&lp_mutex);\n\tif (minor >= LP_NO) {\n\t\tret = -ENXIO;\n\t\tgoto out;\n\t}\n\tif ((LP_F(minor) & LP_EXIST) == 0) {\n\t\tret = -ENXIO;\n\t\tgoto out;\n\t}\n\tif (test_and_set_bit(LP_BUSY_BIT_POS, &LP_F(minor))) {\n\t\tret = -EBUSY;\n\t\tgoto out;\n\t}\n\t/* If ABORTOPEN is set and the printer is offline or out of paper,\n\t we may still want to open it to perform ioctl()s. Therefore we\n\t have commandeered O_NONBLOCK, even though it is being used in\n\t a non-standard manner. This is strictly a Linux hack, and\n\t should most likely only ever be used by the tunelp application. */\n\tif ((LP_F(minor) & LP_ABORTOPEN) && !(file->f_flags & O_NONBLOCK)) {\n\t\tint status;\n\t\tlp_claim_parport_or_block (&lp_table[minor]);\n\t\tstatus = r_str(minor);\n\t\tlp_release_parport (&lp_table[minor]);\n\t\tif (status & LP_POUTPA) {\n\t\t\tprintk(KERN_INFO \"lp%d out of paper\\n\", minor);\n\t\t\tLP_F(minor) &= ~LP_BUSY;\n\t\t\tret = -ENOSPC;\n\t\t\tgoto out;\n\t\t} else if (!(status & LP_PSELECD)) {\n\t\t\tprintk(KERN_INFO \"lp%d off-line\\n\", minor);\n\t\t\tLP_F(minor) &= ~LP_BUSY;\n\t\t\tret = -EIO;\n\t\t\tgoto out;\n\t\t} else if (!(status & LP_PERRORP)) {\n\t\t\tprintk(KERN_ERR \"lp%d printer error\\n\", minor);\n\t\t\tLP_F(minor) &= ~LP_BUSY;\n\t\t\tret = -EIO;\n\t\t\tgoto out;\n\t\t}\n\t}\n\tlp_table[minor].lp_buffer = kmalloc(LP_BUFFER_SIZE, GFP_KERNEL);\n\tif (!lp_table[minor].lp_buffer) {\n\t\tLP_F(minor) &= ~LP_BUSY;\n\t\tret = -ENOMEM;\n\t\tgoto out;\n\t}\n\t/* Determine if the peripheral supports ECP mode */\n\tlp_claim_parport_or_block (&lp_table[minor]);\n\tif ( (lp_table[minor].dev->port->modes & PARPORT_MODE_ECP) &&\n !parport_negotiate (lp_table[minor].dev->port, \n IEEE1284_MODE_ECP)) {\n\t\tprintk (KERN_INFO \"lp%d: ECP mode\\n\", minor);\n\t\tlp_table[minor].best_mode = IEEE1284_MODE_ECP;\n\t} else 
{\n\t\tlp_table[minor].best_mode = IEEE1284_MODE_COMPAT;\n\t}\n\t/* Leave peripheral in compatibility mode */\n\tparport_negotiate (lp_table[minor].dev->port, IEEE1284_MODE_COMPAT);\n\tlp_release_parport (&lp_table[minor]);\n\tlp_table[minor].current_mode = IEEE1284_MODE_COMPAT;\nout:\n\tmutex_unlock(&lp_mutex);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 160925209290101545324385690617341075442,
- "size": 69,
- "commit_id": "3e21f4af170bebf47c187c1ff8bf155583c9f3b1",
- "message": "char: lp: fix possible integer overflow in lp_setup()\n\nThe lp_setup() code doesn't apply any bounds checking when passing\n\"lp=none\", and only in this case, resulting in an overflow of the\nparport_nr[] array. All versions in Git history are affected.\n\nReported-By: Roee Hay <roee.hay@hcl.com>\nCc: Ben Hutchings <ben@decadent.org.uk>\nCc: stable@vger.kernel.org\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 450875
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "split_huge_page_to_list",
- "__split_huge_page",
- "remap_page"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "int split_huge_page_to_list(struct page *page, struct list_head *list)\n{\n\tstruct page *head = compound_head(page);\n\tstruct pglist_data *pgdata = NODE_DATA(page_to_nid(head));\n\tstruct deferred_split *ds_queue = get_deferred_split_queue(head);\n\tstruct anon_vma *anon_vma = NULL;\n\tstruct address_space *mapping = NULL;\n\tint count, mapcount, extra_pins, ret;\n\tbool mlocked;\n\tunsigned long flags;\n\tpgoff_t end;\n\n\tVM_BUG_ON_PAGE(is_huge_zero_page(head), head);\n\tVM_BUG_ON_PAGE(!PageLocked(head), head);\n\tVM_BUG_ON_PAGE(!PageCompound(head), head);\n\n\tif (PageWriteback(head))\n\t\treturn -EBUSY;\n\n\tif (PageAnon(head)) {\n\t\t/*\n\t\t * The caller does not necessarily hold an mmap_sem that would\n\t\t * prevent the anon_vma disappearing so we first we take a\n\t\t * reference to it and then lock the anon_vma for write. This\n\t\t * is similar to page_lock_anon_vma_read except the write lock\n\t\t * is taken to serialise against parallel split or collapse\n\t\t * operations.\n\t\t */\n\t\tanon_vma = page_get_anon_vma(head);\n\t\tif (!anon_vma) {\n\t\t\tret = -EBUSY;\n\t\t\tgoto out;\n\t\t}\n\t\tend = -1;\n\t\tmapping = NULL;\n\t\tanon_vma_lock_write(anon_vma);\n\t} else {\n\t\tmapping = head->mapping;\n\n\t\t/* Truncated ? */\n\t\tif (!mapping) {\n\t\t\tret = -EBUSY;\n\t\t\tgoto out;\n\t\t}\n\n\t\tanon_vma = NULL;\n\t\ti_mmap_lock_read(mapping);\n\n\t\t/*\n\t\t *__split_huge_page() may need to trim off pages beyond EOF:\n\t\t * but on 32-bit, i_size_read() takes an irq-unsafe seqlock,\n\t\t * which cannot be nested inside the page tree lock. 
So note\n\t\t * end now: i_size itself may be changed at any moment, but\n\t\t * head page lock is good enough to serialize the trimming.\n\t\t */\n\t\tend = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE);\n\t}\n\n\t/*\n\t * Racy check if we can split the page, before unmap_page() will\n\t * split PMDs\n\t */\n\tif (!can_split_huge_page(head, &extra_pins)) {\n\t\tret = -EBUSY;\n\t\tgoto out_unlock;\n\t}\n\n\tmlocked = PageMlocked(head);\n\tunmap_page(head);\n\tVM_BUG_ON_PAGE(compound_mapcount(head), head);\n\n\t/* Make sure the page is not on per-CPU pagevec as it takes pin */\n\tif (mlocked)\n\t\tlru_add_drain();\n\n\t/* prevent PageLRU to go away from under us, and freeze lru stats */\n\tspin_lock_irqsave(&pgdata->lru_lock, flags);\n\n\tif (mapping) {\n\t\tXA_STATE(xas, &mapping->i_pages, page_index(head));\n\n\t\t/*\n\t\t * Check if the head page is present in page cache.\n\t\t * We assume all tail are present too, if head is there.\n\t\t */\n\t\txa_lock(&mapping->i_pages);\n\t\tif (xas_load(&xas) != head)\n\t\t\tgoto fail;\n\t}\n\n\t/* Prevent deferred_split_scan() touching ->_refcount */\n\tspin_lock(&ds_queue->split_queue_lock);\n\tcount = page_count(head);\n\tmapcount = total_mapcount(head);\n\tif (!mapcount && page_ref_freeze(head, 1 + extra_pins)) {\n\t\tif (!list_empty(page_deferred_list(head))) {\n\t\t\tds_queue->split_queue_len--;\n\t\t\tlist_del(page_deferred_list(head));\n\t\t}\n\t\tspin_unlock(&ds_queue->split_queue_lock);\n\t\tif (mapping) {\n\t\t\tif (PageSwapBacked(head))\n\t\t\t\t__dec_node_page_state(head, NR_SHMEM_THPS);\n\t\t\telse\n\t\t\t\t__dec_node_page_state(head, NR_FILE_THPS);\n\t\t}\n\n\t\t__split_huge_page(page, list, end, flags);\n\t\tif (PageSwapCache(head)) {\n\t\t\tswp_entry_t entry = { .val = page_private(head) };\n\n\t\t\tret = split_swap_cluster(entry);\n\t\t} else\n\t\t\tret = 0;\n\t} else {\n\t\tif (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) {\n\t\t\tpr_alert(\"total_mapcount: %u, page_count(): %u\\n\",\n\t\t\t\t\tmapcount, 
count);\n\t\t\tif (PageTail(page))\n\t\t\t\tdump_page(head, NULL);\n\t\t\tdump_page(page, \"total_mapcount(head) > 0\");\n\t\t\tBUG();\n\t\t}\n\t\tspin_unlock(&ds_queue->split_queue_lock);\nfail:\t\tif (mapping)\n\t\t\txa_unlock(&mapping->i_pages);\n\t\tspin_unlock_irqrestore(&pgdata->lru_lock, flags);\n\t\tremap_page(head);\n\t\tret = -EBUSY;\n\t}\n\nout_unlock:\n\tif (anon_vma) {\n\t\tanon_vma_unlock_write(anon_vma);\n\t\tput_anon_vma(anon_vma);\n\t}\n\tif (mapping)\n\t\ti_mmap_unlock_read(mapping);\nout:\n\tcount_vm_event(!ret ? THP_SPLIT_PAGE : THP_SPLIT_PAGE_FAILED);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 177093454439225671884976065861384671915,
- "size": 142,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364182
- },
- {
- "func": "static void remap_page(struct page *page)\n{\n\tint i;\n\tif (PageTransHuge(page)) {\n\t\tremove_migration_ptes(page, page, true);\n\t} else {\n\t\tfor (i = 0; i < HPAGE_PMD_NR; i++)\n\t\t\tremove_migration_ptes(page + i, page + i, true);\n\t}\n}",
- "project": "linux",
- "hash": 328353852454119527778865378294198789825,
- "size": 10,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364149
- },
- {
- "func": "static void unmap_page(struct page *page)\n{\n\tenum ttu_flags ttu_flags = TTU_IGNORE_MLOCK | TTU_IGNORE_ACCESS |\n\t\tTTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD;\n\tbool unmap_success;\n\n\tVM_BUG_ON_PAGE(!PageHead(page), page);\n\n\tif (PageAnon(page))\n\t\tttu_flags |= TTU_SPLIT_FREEZE;\n\n\tunmap_success = try_to_unmap(page, ttu_flags);\n\tVM_BUG_ON_PAGE(!unmap_success, page);\n}",
- "project": "linux",
- "hash": 236597899933957575461287399877960079794,
- "size": 14,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364203
- },
- {
- "func": "bool can_split_huge_page(struct page *page, int *pextra_pins)\n{\n\tint extra_pins;\n\n\t/* Additional pins from page cache */\n\tif (PageAnon(page))\n\t\textra_pins = PageSwapCache(page) ? HPAGE_PMD_NR : 0;\n\telse\n\t\textra_pins = HPAGE_PMD_NR;\n\tif (pextra_pins)\n\t\t*pextra_pins = extra_pins;\n\treturn total_mapcount(page) == page_count(page) - extra_pins - 1;\n}",
- "project": "linux",
- "hash": 141971627184867522201353591812467874831,
- "size": 13,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364147
- },
- {
- "func": "int total_mapcount(struct page *page)\n{\n\tint i, compound, ret;\n\n\tVM_BUG_ON_PAGE(PageTail(page), page);\n\n\tif (likely(!PageCompound(page)))\n\t\treturn atomic_read(&page->_mapcount) + 1;\n\n\tcompound = compound_mapcount(page);\n\tif (PageHuge(page))\n\t\treturn compound;\n\tret = compound;\n\tfor (i = 0; i < HPAGE_PMD_NR; i++)\n\t\tret += atomic_read(&page[i]._mapcount) + 1;\n\t/* File pages has compound_mapcount included in _mapcount */\n\tif (!PageAnon(page))\n\t\treturn ret - compound * HPAGE_PMD_NR;\n\tif (PageDoubleMap(page))\n\t\tret -= HPAGE_PMD_NR;\n\treturn ret;\n}",
- "project": "linux",
- "hash": 308104722577897397154904188186847906736,
- "size": 22,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364159
- },
- {
- "func": "static void __split_huge_page(struct page *page, struct list_head *list,\n\t\tpgoff_t end, unsigned long flags)\n{\n\tstruct page *head = compound_head(page);\n\tpg_data_t *pgdat = page_pgdat(head);\n\tstruct lruvec *lruvec;\n\tstruct address_space *swap_cache = NULL;\n\tunsigned long offset = 0;\n\tint i;\n\n\tlruvec = mem_cgroup_page_lruvec(head, pgdat);\n\n\t/* complete memcg works before add pages to LRU */\n\tmem_cgroup_split_huge_fixup(head);\n\n\tif (PageAnon(head) && PageSwapCache(head)) {\n\t\tswp_entry_t entry = { .val = page_private(head) };\n\n\t\toffset = swp_offset(entry);\n\t\tswap_cache = swap_address_space(entry);\n\t\txa_lock(&swap_cache->i_pages);\n\t}\n\n\tfor (i = HPAGE_PMD_NR - 1; i >= 1; i--) {\n\t\t__split_huge_page_tail(head, i, lruvec, list);\n\t\t/* Some pages can be beyond i_size: drop them from page cache */\n\t\tif (head[i].index >= end) {\n\t\t\tClearPageDirty(head + i);\n\t\t\t__delete_from_page_cache(head + i, NULL);\n\t\t\tif (IS_ENABLED(CONFIG_SHMEM) && PageSwapBacked(head))\n\t\t\t\tshmem_uncharge(head->mapping->host, 1);\n\t\t\tput_page(head + i);\n\t\t} else if (!PageAnon(page)) {\n\t\t\t__xa_store(&head->mapping->i_pages, head[i].index,\n\t\t\t\t\thead + i, 0);\n\t\t} else if (swap_cache) {\n\t\t\t__xa_store(&swap_cache->i_pages, offset + i,\n\t\t\t\t\thead + i, 0);\n\t\t}\n\t}\n\n\tClearPageCompound(head);\n\n\tsplit_page_owner(head, HPAGE_PMD_ORDER);\n\n\t/* See comment in __split_huge_page_tail() */\n\tif (PageAnon(head)) {\n\t\t/* Additional pin to swap cache */\n\t\tif (PageSwapCache(head)) {\n\t\t\tpage_ref_add(head, 2);\n\t\t\txa_unlock(&swap_cache->i_pages);\n\t\t} else {\n\t\t\tpage_ref_inc(head);\n\t\t}\n\t} else {\n\t\t/* Additional pin to page cache */\n\t\tpage_ref_add(head, 2);\n\t\txa_unlock(&head->mapping->i_pages);\n\t}\n\n\tspin_unlock_irqrestore(&pgdat->lru_lock, flags);\n\n\tremap_page(head);\n\n\tfor (i = 0; i < HPAGE_PMD_NR; i++) {\n\t\tstruct page *subpage = head + i;\n\t\tif (subpage == 
page)\n\t\t\tcontinue;\n\t\tunlock_page(subpage);\n\n\t\t/*\n\t\t * Subpages may be freed if there wasn't any mapping\n\t\t * like if add_to_swap() is running on a lru page that\n\t\t * had its mapping zapped. And freeing these pages\n\t\t * requires taking the lru_lock so we do the put_page\n\t\t * of the tail pages after the split is complete.\n\t\t */\n\t\tput_page(subpage);\n\t}\n}",
- "project": "linux",
- "hash": 54462104535713535047534862094541104810,
- "size": 80,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364143
- },
- {
- "func": "static void __split_huge_page_tail(struct page *head, int tail,\n\t\tstruct lruvec *lruvec, struct list_head *list)\n{\n\tstruct page *page_tail = head + tail;\n\n\tVM_BUG_ON_PAGE(atomic_read(&page_tail->_mapcount) != -1, page_tail);\n\n\t/*\n\t * Clone page flags before unfreezing refcount.\n\t *\n\t * After successful get_page_unless_zero() might follow flags change,\n\t * for exmaple lock_page() which set PG_waiters.\n\t */\n\tpage_tail->flags &= ~PAGE_FLAGS_CHECK_AT_PREP;\n\tpage_tail->flags |= (head->flags &\n\t\t\t((1L << PG_referenced) |\n\t\t\t (1L << PG_swapbacked) |\n\t\t\t (1L << PG_swapcache) |\n\t\t\t (1L << PG_mlocked) |\n\t\t\t (1L << PG_uptodate) |\n\t\t\t (1L << PG_active) |\n\t\t\t (1L << PG_workingset) |\n\t\t\t (1L << PG_locked) |\n\t\t\t (1L << PG_unevictable) |\n\t\t\t (1L << PG_dirty)));\n\n\t/* ->mapping in first tail page is compound_mapcount */\n\tVM_BUG_ON_PAGE(tail > 2 && page_tail->mapping != TAIL_MAPPING,\n\t\t\tpage_tail);\n\tpage_tail->mapping = head->mapping;\n\tpage_tail->index = head->index + tail;\n\n\t/* Page flags must be visible before we make the page non-compound. */\n\tsmp_wmb();\n\n\t/*\n\t * Clear PageTail before unfreezing page refcount.\n\t *\n\t * After successful get_page_unless_zero() might follow put_page()\n\t * which needs correct compound_head().\n\t */\n\tclear_compound_head(page_tail);\n\n\t/* Finally unfreeze refcount. Additional reference from page cache. */\n\tpage_ref_unfreeze(page_tail, 1 + (!PageAnon(head) ||\n\t\t\t\t\t PageSwapCache(head)));\n\n\tif (page_is_young(head))\n\t\tset_page_young(page_tail);\n\tif (page_is_idle(head))\n\t\tset_page_idle(page_tail);\n\n\tpage_cpupid_xchg_last(page_tail, page_cpupid_last(head));\n\n\t/*\n\t * always add to the tail because some iterators expect new\n\t * pages to show after the currently processed elements - e.g.\n\t * migrate_pages\n\t */\n\tlru_add_page_tail(head, page_tail, lruvec, list);\n}",
- "project": "linux",
- "hash": 2690326593263460544583986949135098895,
- "size": 61,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364141
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "crypto_cert_subject_alt_name",
- "crypto_cert_get_dns_names",
- "map_subject_alt_name"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "static void string_list_free(string_list* list)\n{\n\t/* Note: we don't free the contents of the strings array: this */\n\t/* is handled by the caller, either by returning this */\n\t/* content, or freeing it itself. */\n\tfree(list->strings);\n}",
- "project": "FreeRDP",
- "hash": 20158190027491407816706054231332992893,
- "size": 7,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473463
- },
- {
- "func": "char** crypto_cert_subject_alt_name(X509* xcert, int* count, int** lengths)\n{\n\treturn crypto_cert_get_dns_names(xcert, count, lengths);\n}",
- "project": "FreeRDP",
- "hash": 235926981249995151916963096847087020554,
- "size": 4,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473435
- },
- {
- "func": "char* crypto_cert_get_email(X509* x509)\n{\n\tchar* result = 0;\n\tstring_list list;\n\tstring_list_initialize(&list);\n\tlist.maximum = 1;\n\tmap_subject_alt_name(x509, GEN_EMAIL, extract_string, &list);\n\n\tif (list.count == 0)\n\t{\n\t\tstring_list_free(&list);\n\t\treturn 0;\n\t}\n\n\tresult = _strdup(list.strings[0]);\n\tOPENSSL_free(list.strings[0]);\n\tstring_list_free(&list);\n\treturn result;\n}",
- "project": "FreeRDP",
- "hash": 247633492722307693841384954817032745149,
- "size": 19,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473444
- },
- {
- "func": "char** crypto_cert_get_dns_names(X509* x509, int* count, int** lengths)\n{\n\tint i;\n\tchar** result = 0;\n\tstring_list list;\n\tstring_list_initialize(&list);\n\tmap_subject_alt_name(x509, GEN_DNS, extract_string, &list);\n\t(*count) = list.count;\n\n\tif (list.count == 0)\n\t{\n\t\tstring_list_free(&list);\n\t\treturn NULL;\n\t}\n\n\t/* lengths are not useful, since we converted the\n\t strings to utf-8, there cannot be nul-bytes in them. */\n\tresult = calloc(list.count, sizeof(*result));\n\t(*lengths) = calloc(list.count, sizeof(**lengths));\n\n\tif (!result || !(*lengths))\n\t{\n\t\tstring_list_free(&list);\n\t\tfree(result);\n\t\tfree(*lengths);\n\t\t(*lengths) = 0;\n\t\t(*count) = 0;\n\t\treturn NULL;\n\t}\n\n\tfor (i = 0; i < list.count; i++)\n\t{\n\t\tresult[i] = list.strings[i];\n\t\t(*lengths)[i] = strlen(result[i]);\n\t}\n\n\tstring_list_free(&list);\n\treturn result;\n}",
- "project": "FreeRDP",
- "hash": 127357553955080384520440557034728922314,
- "size": 39,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473459
- },
- {
- "func": "static void object_list_free(object_list* list)\n{\n\tfree(list->strings);\n}",
- "project": "FreeRDP",
- "hash": 28704612906556058015576774120980914238,
- "size": 4,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473446
- },
- {
- "func": "static void object_list_initialize(object_list* list)\n{\n\tlist->type_id = 0;\n\tlist->strings = 0;\n\tlist->allocated = 0;\n\tlist->count = 0;\n\tlist->maximum = INT_MAX;\n}",
- "project": "FreeRDP",
- "hash": 59543420300543247513210246478172196410,
- "size": 8,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473448
- },
- {
- "func": "char* crypto_cert_get_upn(X509* x509)\n{\n\tchar* result = 0;\n\tobject_list list;\n\tobject_list_initialize(&list);\n\tlist.type_id = OBJ_nid2obj(NID_ms_upn);\n\tlist.maximum = 1;\n\tmap_subject_alt_name(x509, GEN_OTHERNAME, extract_othername_object_as_string, &list);\n\n\tif (list.count == 0)\n\t{\n\t\tobject_list_free(&list);\n\t\treturn 0;\n\t}\n\n\tresult = list.strings[0];\n\tobject_list_free(&list);\n\treturn result;\n}",
- "project": "FreeRDP",
- "hash": 131707778683960650442173647907339765906,
- "size": 19,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473429
- },
- {
- "func": "static void map_subject_alt_name(X509* x509, int general_name_type, general_name_mapper_pr mapper,\n void* data)\n{\n\tint i;\n\tint num;\n\tSTACK_OF(GENERAL_NAME) * gens;\n\tgens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);\n\n\tif (!gens)\n\t{\n\t\treturn;\n\t}\n\n\tnum = sk_GENERAL_NAME_num(gens);\n\n\tfor (i = 0; (i < num); i++)\n\t{\n\t\tGENERAL_NAME* name = sk_GENERAL_NAME_value(gens, i);\n\n\t\tif (name)\n\t\t{\n\t\t\tif ((general_name_type == GEN_ALL) || (general_name_type == name->type))\n\t\t\t{\n\t\t\t\tif (!mapper(name, data, i, num))\n\t\t\t\t{\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tsk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);\n}",
- "project": "FreeRDP",
- "hash": 271668920065952351661408059748404248540,
- "size": 33,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473436
- },
- {
- "func": "static void string_list_initialize(string_list* list)\n{\n\tlist->strings = 0;\n\tlist->allocated = 0;\n\tlist->count = 0;\n\tlist->maximum = INT_MAX;\n}",
- "project": "FreeRDP",
- "hash": 14901682138334002996032361485040202584,
- "size": 7,
- "commit_id": "8305349a943c68b1bc8c158f431dc607655aadea",
- "message": "Fixed GHSL-2020-102 heap overflow\n\n(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)",
- "target": 0,
- "dataset": "other",
- "idx": 473445
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "php_mysqlnd_auth_write",
- "int4store",
- "ma_simple_command"
- ],
- "group_size": 20,
- "functions": [
- {
- "func": "static void free_old_query(MYSQL *mysql)\n{\n if (mysql->fields)\n ma_free_root(&mysql->field_alloc,MYF(0));\n ma_init_alloc_root(&mysql->field_alloc,8192,0);\t/* Assume rowlength < 8192 */\n mysql->fields=0;\n mysql->field_count=0;\t\t\t\t/* For API */\n mysql->info= 0;\n return;\n}",
- "project": "mariadb-connector-c",
- "hash": 195053718545900700720798038659972477263,
- "size": 10,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429685
- },
- {
- "func": "mysql_list_processes(MYSQL *mysql)\n{\n MYSQL_DATA *fields;\n uint field_count;\n uchar *pos;\n\n LINT_INIT(fields);\n if (ma_simple_command(mysql, COM_PROCESS_INFO,0,0,0,0))\n return(NULL);\n free_old_query(mysql);\n pos=(uchar*) mysql->net.read_pos;\n field_count=(uint) net_field_length(&pos);\n if (!(fields = mysql->methods->db_read_rows(mysql,(MYSQL_FIELD*) 0,7)))\n return(NULL);\n if (!(mysql->fields= unpack_fields(mysql, fields, &mysql->field_alloc,\n field_count, 0)))\n return(NULL);\n mysql->status=MYSQL_STATUS_GET_RESULT;\n mysql->field_count=field_count;\n return(mysql_store_result(mysql));\n}",
- "project": "mariadb-connector-c",
- "hash": 98516357705314590439017840525578099956,
- "size": 21,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429689
- },
- {
- "func": "mysql_list_fields(MYSQL *mysql, const char *table, const char *wild)\n{\n MYSQL_RES *result;\n MYSQL_DATA *query;\n char buff[255];\n int length= 0;\n\n LINT_INIT(query);\n\n length= snprintf(buff, 128, \"%s%c%s\", table, '\\0', wild ? wild : \"\");\n\n if (ma_simple_command(mysql, COM_FIELD_LIST,buff,length,1,0) ||\n !(query = mysql->methods->db_read_rows(mysql,(MYSQL_FIELD*) 0,\n ma_result_set_rows(mysql))))\n return(NULL);\n\n free_old_query(mysql);\n if (!(result = (MYSQL_RES *) calloc(1, sizeof(MYSQL_RES))))\n {\n free_rows(query);\n return(NULL);\n }\n result->field_alloc=mysql->field_alloc;\n mysql->fields=0;\n result->eof=1;\n result->field_count = (uint) query->rows;\n result->fields= unpack_fields(mysql, query, &result->field_alloc,\n\t\t\t\tresult->field_count, 1);\n if (result->fields)\n return(result);\n\n free(result);\n return(NULL);\n}",
- "project": "mariadb-connector-c",
- "hash": 78321946657412755555703489205711967441,
- "size": 34,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429706
- },
- {
- "func": "void mysql_close_slow_part(MYSQL *mysql)\n{\n if (mysql->net.pvio)\n {\n free_old_query(mysql);\n mysql->status=MYSQL_STATUS_READY; /* Force command */\n mysql->options.reconnect=0;\n if (mysql->net.pvio && mysql->net.buff)\n ma_simple_command(mysql, COM_QUIT,NullS,0,1,0);\n end_server(mysql);\n }\n}",
- "project": "mariadb-connector-c",
- "hash": 328234525684634752151361164166232750681,
- "size": 12,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429662
- },
- {
- "func": "int mthd_my_read_query_result(MYSQL *mysql)\n{\n uchar *pos;\n ulong field_count;\n MYSQL_DATA *fields;\n ulong length;\n my_bool can_local_infile= (mysql->options.extension) && (mysql->extension->auto_local_infile != WAIT_FOR_QUERY);\n\n if (mysql->options.extension && mysql->extension->auto_local_infile == ACCEPT_FILE_REQUEST)\n mysql->extension->auto_local_infile= WAIT_FOR_QUERY;\n\n if ((length = ma_net_safe_read(mysql)) == packet_error)\n {\n return(1);\n }\n free_old_query(mysql);\t\t\t/* Free old result */\nget_info:\n pos=(uchar*) mysql->net.read_pos;\n if ((field_count= net_field_length(&pos)) == 0)\n return ma_read_ok_packet(mysql, pos, length);\n if (field_count == NULL_LENGTH)\t\t/* LOAD DATA LOCAL INFILE */\n {\n int error=mysql_handle_local_infile(mysql, (char *)pos, can_local_infile);\n\n if ((length=ma_net_safe_read(mysql)) == packet_error || error)\n return(-1);\n goto get_info;\t\t\t\t/* Get info packet */\n }\n if (!(mysql->server_status & SERVER_STATUS_AUTOCOMMIT))\n mysql->server_status|= SERVER_STATUS_IN_TRANS;\n\n mysql->extra_info= net_field_length_ll(&pos); /* Maybe number of rec */\n if (!(fields=mysql->methods->db_read_rows(mysql,(MYSQL_FIELD*) 0,\n ma_result_set_rows(mysql))))\n return(-1);\n if (!(mysql->fields=unpack_fields(mysql, fields, &mysql->field_alloc,\n\t\t\t\t (uint) field_count, 1)))\n return(-1);\n mysql->status=MYSQL_STATUS_GET_RESULT;\n mysql->field_count=field_count;\n return(0);\n}",
- "project": "mariadb-connector-c",
- "hash": 42436805830013062947087346614678831156,
- "size": 42,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429680
- },
- {
- "func": "size_t \nphp_mysqlnd_net_store_length_size(uint64_t length)\n{\n\tif (length < (uint64_t) L64(251)) {\n\t\treturn 1;\n\t}\n\tif (length < (uint64_t) L64(65536)) {\n\t\treturn 3;\n\t}\n\tif (length < (uint64_t) L64(16777216)) {\n\t\treturn 4;\n\t}\n\treturn 9;",
- "project": "php-src",
- "hash": 102147847470215060372303924479382086507,
- "size": 13,
- "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132",
- "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields",
- "target": 0,
- "dataset": "other",
- "idx": 416655
- },
- {
- "func": "int STDCALL mysql_reset_connection(MYSQL *mysql)\n{\n int rc;\n\n /* check if connection handler is active */\n if (IS_CONNHDLR_ACTIVE(mysql))\n {\n if (mysql->extension->conn_hdlr->plugin && mysql->extension->conn_hdlr->plugin->reset)\n return(mysql->extension->conn_hdlr->plugin->reset(mysql));\n }\n\n /* skip result sets */\n if (mysql->status == MYSQL_STATUS_USE_RESULT ||\n mysql->status == MYSQL_STATUS_GET_RESULT ||\n mysql->status & SERVER_MORE_RESULTS_EXIST)\n {\n mthd_my_skip_result(mysql);\n mysql->status= MYSQL_STATUS_READY;\n }\n\n rc= ma_simple_command(mysql, COM_RESET_CONNECTION, 0, 0, 0, 0);\n if (rc && mysql->options.reconnect)\n {\n /* There is no big sense in resetting but we need reconnect */\n rc= ma_simple_command(mysql, COM_RESET_CONNECTION,0,0,0,0);\n }\n if (rc)\n return 1;\n\n /* reset the connection in all active statements */\n ma_invalidate_stmts(mysql, \"mysql_reset_connection()\");\n free_old_query(mysql);\n mysql->status= MYSQL_STATUS_READY;\n mysql->affected_rows= ~(my_ulonglong)0;\n mysql->insert_id= 0;\n return 0;\n}",
- "project": "mariadb-connector-c",
- "hash": 275860702094216651498698710865916158386,
- "size": 37,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429749
- },
- {
- "func": "int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)\n{\n size_t item_len;\n mysql->affected_rows= net_field_length_ll(&pos);\n mysql->insert_id=\t net_field_length_ll(&pos);\n mysql->server_status=uint2korr(pos);\n pos+=2;\n mysql->warning_count=uint2korr(pos);\n pos+=2;\n if (pos < mysql->net.read_pos+length)\n {\n if ((item_len= net_field_length(&pos)))\n mysql->info=(char*) pos;\n\n /* check if server supports session tracking */\n if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)\n {\n ma_clear_session_state(mysql);\n pos+= item_len;\n\n if (mysql->server_status & SERVER_SESSION_STATE_CHANGED)\n {\n int i;\n if (pos < mysql->net.read_pos + length)\n {\n LIST *session_item;\n MYSQL_LEX_STRING *str= NULL;\n enum enum_session_state_type si_type;\n uchar *old_pos= pos;\n size_t item_len= net_field_length(&pos); /* length for all items */\n\n /* length was already set, so make sure that info will be zero terminated */\n if (mysql->info)\n *old_pos= 0;\n\n while (item_len > 0)\n {\n size_t plen;\n char *data;\n old_pos= pos;\n si_type= (enum enum_session_state_type)net_field_length(&pos);\n switch(si_type) {\n case SESSION_TRACK_SCHEMA:\n case SESSION_TRACK_STATE_CHANGE:\n case SESSION_TRACK_TRANSACTION_CHARACTERISTICS:\n case SESSION_TRACK_SYSTEM_VARIABLES:\n if (si_type != SESSION_TRACK_STATE_CHANGE)\n net_field_length(&pos); /* ignore total length, item length will follow next */\n plen= net_field_length(&pos);\n if (!(session_item= ma_multi_malloc(0,\n &session_item, sizeof(LIST),\n &str, sizeof(MYSQL_LEX_STRING),\n &data, plen,\n NULL)))\n {\n ma_clear_session_state(mysql);\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n return -1;\n }\n str->length= plen;\n str->str= data;\n memcpy(str->str, (char *)pos, plen);\n pos+= plen;\n session_item->data= str;\n mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item);\n\n /* in case schema has changed, we have 
to update mysql->db */\n if (si_type == SESSION_TRACK_SCHEMA)\n {\n free(mysql->db);\n mysql->db= malloc(plen + 1);\n memcpy(mysql->db, str->str, plen);\n mysql->db[plen]= 0;\n }\n else if (si_type == SESSION_TRACK_SYSTEM_VARIABLES)\n {\n my_bool set_charset= 0;\n /* make sure that we update charset in case it has changed */\n if (!strncmp(str->str, \"character_set_client\", str->length))\n set_charset= 1;\n plen= net_field_length(&pos);\n if (!(session_item= ma_multi_malloc(0,\n &session_item, sizeof(LIST),\n &str, sizeof(MYSQL_LEX_STRING),\n &data, plen,\n NULL)))\n {\n ma_clear_session_state(mysql);\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n return -1;\n }\n str->length= plen;\n str->str= data;\n memcpy(str->str, (char *)pos, plen);\n pos+= plen;\n session_item->data= str;\n mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item);\n if (set_charset &&\n strncmp(mysql->charset->csname, str->str, str->length) != 0)\n {\n char cs_name[64];\n MARIADB_CHARSET_INFO *cs_info;\n memcpy(cs_name, str->str, str->length);\n cs_name[str->length]= 0;\n if ((cs_info = (MARIADB_CHARSET_INFO *)mysql_find_charset_name(cs_name)))\n mysql->charset= cs_info;\n }\n }\n break;\n default:\n /* not supported yet */\n plen= net_field_length(&pos);\n pos+= plen;\n break;\n }\n item_len-= (pos - old_pos);\n }\n }\n for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++)\n {\n mysql->extension->session_state[i].list= list_reverse(mysql->extension->session_state[i].list);\n mysql->extension->session_state[i].current= mysql->extension->session_state[i].list;\n }\n }\n }\n }\n /* CONC-351: clear session state information */\n else if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)\n ma_clear_session_state(mysql);\n return(0);\n}",
- "project": "mariadb-connector-c",
- "hash": 76318025094495661937304907006689356074,
- "size": 131,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 1,
- "dataset": "other",
- "idx": 210193
- },
- {
- "func": "int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length)\n{\n uchar *end= mysql->net.read_pos+length;\n size_t item_len;\n mysql->affected_rows= net_field_length_ll(&pos);\n mysql->insert_id=\t net_field_length_ll(&pos);\n mysql->server_status=uint2korr(pos);\n pos+=2;\n mysql->warning_count=uint2korr(pos);\n pos+=2;\n if (pos > end)\n goto corrupted;\n if (pos < end)\n {\n if ((item_len= net_field_length(&pos)))\n mysql->info=(char*) pos;\n if (pos + item_len > end)\n goto corrupted;\n\n /* check if server supports session tracking */\n if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)\n {\n ma_clear_session_state(mysql);\n pos+= item_len;\n\n if (mysql->server_status & SERVER_SESSION_STATE_CHANGED)\n {\n int i;\n if (pos < end)\n {\n LIST *session_item;\n MYSQL_LEX_STRING *str= NULL;\n enum enum_session_state_type si_type;\n uchar *old_pos= pos;\n\n item_len= net_field_length(&pos); /* length for all items */\n if (pos + item_len > end)\n goto corrupted;\n end= pos + item_len;\n\n /* length was already set, so make sure that info will be zero terminated */\n if (mysql->info)\n *old_pos= 0;\n\n while (pos < end)\n {\n size_t plen;\n char *data;\n si_type= (enum enum_session_state_type)net_field_length(&pos);\n switch(si_type) {\n case SESSION_TRACK_SCHEMA:\n case SESSION_TRACK_STATE_CHANGE:\n case SESSION_TRACK_TRANSACTION_CHARACTERISTICS:\n case SESSION_TRACK_SYSTEM_VARIABLES:\n if (si_type != SESSION_TRACK_STATE_CHANGE)\n net_field_length(&pos); /* ignore total length, item length will follow next */\n plen= net_field_length(&pos);\n if (pos + plen > end)\n goto corrupted;\n if (!(session_item= ma_multi_malloc(0,\n &session_item, sizeof(LIST),\n &str, sizeof(MYSQL_LEX_STRING),\n &data, plen,\n NULL)))\n goto oom;\n str->length= plen;\n str->str= data;\n memcpy(str->str, (char *)pos, plen);\n pos+= plen;\n session_item->data= str;\n mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, 
session_item);\n\n /* in case schema has changed, we have to update mysql->db */\n if (si_type == SESSION_TRACK_SCHEMA)\n {\n free(mysql->db);\n mysql->db= malloc(plen + 1);\n memcpy(mysql->db, str->str, plen);\n mysql->db[plen]= 0;\n }\n else if (si_type == SESSION_TRACK_SYSTEM_VARIABLES)\n {\n my_bool set_charset= 0;\n /* make sure that we update charset in case it has changed */\n if (!strncmp(str->str, \"character_set_client\", str->length))\n set_charset= 1;\n plen= net_field_length(&pos);\n if (pos + plen > end)\n goto corrupted;\n if (!(session_item= ma_multi_malloc(0,\n &session_item, sizeof(LIST),\n &str, sizeof(MYSQL_LEX_STRING),\n &data, plen,\n NULL)))\n goto oom;\n str->length= plen;\n str->str= data;\n memcpy(str->str, (char *)pos, plen);\n pos+= plen;\n session_item->data= str;\n mysql->extension->session_state[si_type].list= list_add(mysql->extension->session_state[si_type].list, session_item);\n if (set_charset && str->length < CHARSET_NAME_LEN &&\n strncmp(mysql->charset->csname, str->str, str->length) != 0)\n {\n char cs_name[CHARSET_NAME_LEN];\n const MARIADB_CHARSET_INFO *cs_info;\n memcpy(cs_name, str->str, str->length);\n cs_name[str->length]= 0;\n if ((cs_info = mysql_find_charset_name(cs_name)))\n mysql->charset= cs_info;\n }\n }\n break;\n default:\n /* not supported yet */\n plen= net_field_length(&pos);\n if (pos + plen > end)\n goto corrupted;\n pos+= plen;\n break;\n }\n }\n }\n for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++)\n {\n mysql->extension->session_state[i].list= list_reverse(mysql->extension->session_state[i].list);\n mysql->extension->session_state[i].current= mysql->extension->session_state[i].list;\n }\n }\n }\n }\n /* CONC-351: clear session state information */\n else if (mysql->server_capabilities & CLIENT_SESSION_TRACKING)\n ma_clear_session_state(mysql);\n return(0);\n\noom:\n ma_clear_session_state(mysql);\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n return -1;\n\ncorrupted:\n 
ma_clear_session_state(mysql);\n SET_CLIENT_ERROR(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0);\n return -1;\n}",
- "project": "mariadb-connector-c",
- "hash": 291866632911754157865017334546963738553,
- "size": 146,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429686
- },
- {
- "func": "void free_rows(MYSQL_DATA *cur)\n{\n if (cur)\n {\n ma_free_root(&cur->alloc,MYF(0));\n free(cur);\n }\n}",
- "project": "mariadb-connector-c",
- "hash": 198962061977167570955232814236589623806,
- "size": 8,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429684
- },
- {
- "func": "void mthd_my_skip_result(MYSQL *mysql)\n{\n ulong pkt_len;\n\n do {\n pkt_len= ma_net_safe_read(mysql);\n if (pkt_len == packet_error)\n break;\n } while (pkt_len > 8 || mysql->net.read_pos[0] != 254);\n return;\n}",
- "project": "mariadb-connector-c",
- "hash": 203101374464425645101501422159724336895,
- "size": 11,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429733
- },
- {
- "func": "mysql_send_query(MYSQL* mysql, const char* query, unsigned long length)\n{\n return ma_simple_command(mysql, COM_QUERY, query, length, 1,0);\n}",
- "project": "mariadb-connector-c",
- "hash": 67441807333904927140051531001455467892,
- "size": 4,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429649
- },
- {
- "func": "mysql_kill(MYSQL *mysql,ulong pid)\n{\n char buff[12];\n int4store(buff,pid);\n /* if we kill our own thread, reading the response packet will fail */\n return(ma_simple_command(mysql, COM_PROCESS_KILL,buff,4,0,0));\n}",
- "project": "mariadb-connector-c",
- "hash": 174321311947773430030587123772710182159,
- "size": 7,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429664
- },
- {
- "func": "my_bool\tSTDCALL mysql_change_user(MYSQL *mysql, const char *user,\n\t\t\t\t const char *passwd, const char *db)\n{\n const MARIADB_CHARSET_INFO *s_cs= mysql->charset;\n char *s_user= mysql->user,\n *s_passwd= mysql->passwd,\n *s_db= mysql->db;\n int rc;\n\n if (mysql->options.charset_name)\n mysql->charset= mysql_find_charset_name(mysql->options.charset_name);\n else\n mysql->charset=mysql_find_charset_name(MARIADB_DEFAULT_CHARSET);\n\n mysql->user= strdup(user ? user : \"\");\n mysql->passwd= strdup(passwd ? passwd : \"\");\n\n /* db will be set in run_plugin_auth */\n mysql->db= 0;\n rc= run_plugin_auth(mysql, 0, 0, 0, db);\n\n /* COM_CHANGE_USER always releases prepared statements, so we need to invalidate them */\n ma_invalidate_stmts(mysql, \"mysql_change_user()\");\n\n if (rc==0)\n {\n free(s_user);\n free(s_passwd);\n free(s_db);\n\n if (!mysql->db && db && !(mysql->db= strdup(db)))\n {\n SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0);\n rc= 1;\n }\n } else\n {\n free(mysql->user);\n free(mysql->passwd);\n free(mysql->db);\n\n mysql->user= s_user;\n mysql->passwd= s_passwd;\n mysql->db= s_db;\n mysql->charset= s_cs;\n }\n return(rc);\n}",
- "project": "mariadb-connector-c",
- "hash": 188984189105226255617793815371802728528,
- "size": 48,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429735
- },
- {
- "func": "static\nsize_t php_mysqlnd_auth_write(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)\n{\n\tzend_uchar buffer[AUTH_WRITE_BUFFER_LEN];\n\tzend_uchar *p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */\n\tint len;\n\tMYSQLND_PACKET_AUTH * packet= (MYSQLND_PACKET_AUTH *) _packet;\n\n\tDBG_ENTER(\"php_mysqlnd_auth_write\");\n\n\tif (!packet->is_change_user_packet) {\n\t\tint4store(p, packet->client_flags);\n\t\tp+= 4;\n\n\t\tint4store(p, packet->max_packet_size);\n\t\tp+= 4;\n\n\t\tint1store(p, packet->charset_no);\n\t\tp++;\n\n\t\tmemset(p, 0, 23); /* filler */\n\t\tp+= 23;\n\t}\n\n\tif (packet->send_auth_data || packet->is_change_user_packet) {\n\t\tlen = MIN(strlen(packet->user), MYSQLND_MAX_ALLOWED_USER_LEN);\n\t\tmemcpy(p, packet->user, len);\n\t\tp+= len;\n\t\t*p++ = '\\0';\n\n\t\t/* defensive coding */\n\t\tif (packet->auth_data == NULL) {\n\t\t\tpacket->auth_data_len = 0;\n\t\t}\n\t\tif (packet->auth_data_len > 0xFF) {\n\t\t\tconst char * const msg = \"Authentication data too long. \"\n\t\t\t\t\"Won't fit into the buffer and will be truncated. Authentication will thus fail\";\n\t\t\tSET_CLIENT_ERROR(*conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, msg);\n\t\t\tphp_error_docref(NULL TSRMLS_CC, E_WARNING, \"%s\", msg);\n\t\t\tDBG_RETURN(0);\n\t\t}\t\t\n\t\t\n\t\tint1store(p, packet->auth_data_len);\n\t\t++p;\n/*!!!!! is the buffer big enough ??? 
*/\n\t\tif ((sizeof(buffer) - (p - buffer)) < packet->auth_data_len) {\n\t\t\tDBG_ERR(\"the stack buffer was not enough!!\");\n\t\t\tDBG_RETURN(0);\n\t\t}\n\t\tif (packet->auth_data_len) {\n\t\t\tmemcpy(p, packet->auth_data, packet->auth_data_len);\n\t\t\tp+= packet->auth_data_len;\n\t\t}\n\n\t\tif (packet->db) {\n\t\t\t/* CLIENT_CONNECT_WITH_DB should have been set */\n\t\t\tsize_t real_db_len = MIN(MYSQLND_MAX_ALLOWED_DB_LEN, packet->db_len);\n\t\t\tmemcpy(p, packet->db, real_db_len);\n\t\t\tp+= real_db_len;\n\t\t\t*p++= '\\0';\n\t\t} else if (packet->is_change_user_packet) {\n\t\t\t*p++= '\\0';\t\t\n\t\t}\n\t\t/* no \\0 for no DB */\n\n\t\tif (packet->is_change_user_packet) {\n\t\t\tif (packet->charset_no) {\n\t\t\t\tint2store(p, packet->charset_no);\n\t\t\t\tp+= 2;\n\t\t\t}\n\t\t}\n\t\t\n\t\tif (packet->auth_plugin_name) {\n\t\t\tsize_t len = MIN(strlen(packet->auth_plugin_name), sizeof(buffer) - (p - buffer) - 1);\n\t\t\tmemcpy(p, packet->auth_plugin_name, len);\n\t\t\tp+= len;\n\t\t\t*p++= '\\0';\n\t\t}\n\n\t\tif (packet->connect_attr && zend_hash_num_elements(packet->connect_attr)) {\n\t\t\tHashPosition pos_value;\n\t\t\tconst char ** entry_value;\n\t\t\tsize_t ca_payload_len = 0;\n\t\t\tzend_hash_internal_pointer_reset_ex(packet->connect_attr, &pos_value);\n\t\t\twhile (SUCCESS == zend_hash_get_current_data_ex(packet->connect_attr, (void **)&entry_value, &pos_value)) {\n\t\t\t\tchar *s_key;\n\t\t\t\tunsigned int s_len;\n\t\t\t\tunsigned long num_key;\n\t\t\t\tsize_t value_len = strlen(*entry_value);\n\t\t\t\t\n\t\t\t\tif (HASH_KEY_IS_STRING == zend_hash_get_current_key_ex(packet->connect_attr, &s_key, &s_len, &num_key, 0, &pos_value)) {\n\t\t\t\t\tca_payload_len += php_mysqlnd_net_store_length_size(s_len);\n\t\t\t\t\tca_payload_len += s_len;\n\t\t\t\t\tca_payload_len += php_mysqlnd_net_store_length_size(value_len);\n\t\t\t\t\tca_payload_len += value_len;\n\t\t\t\t}\n\t\t\t\tzend_hash_move_forward_ex(conn->options->connect_attr, 
&pos_value);\n\t\t\t}\n\n\t\t\tif ((sizeof(buffer) - (p - buffer)) >= (ca_payload_len + php_mysqlnd_net_store_length_size(ca_payload_len))) {\n\t\t\t\tp = php_mysqlnd_net_store_length(p, ca_payload_len);\n\n\t\t\t\tzend_hash_internal_pointer_reset_ex(packet->connect_attr, &pos_value);\n\t\t\t\twhile (SUCCESS == zend_hash_get_current_data_ex(packet->connect_attr, (void **)&entry_value, &pos_value)) {\n\t\t\t\t\tchar *s_key;\n\t\t\t\t\tunsigned int s_len;\n\t\t\t\t\tunsigned long num_key;\n\t\t\t\t\tsize_t value_len = strlen(*entry_value);\n\t\t\t\t\tif (HASH_KEY_IS_STRING == zend_hash_get_current_key_ex(packet->connect_attr, &s_key, &s_len, &num_key, 0, &pos_value)) {\n\t\t\t\t\t\t/* copy key */\n\t\t\t\t\t\tp = php_mysqlnd_net_store_length(p, s_len);\n\t\t\t\t\t\tmemcpy(p, s_key, s_len);\n\t\t\t\t\t\tp+= s_len;\n\t\t\t\t\t\t/* copy value */\n\t\t\t\t\t\tp = php_mysqlnd_net_store_length(p, value_len);\n\t\t\t\t\t\tmemcpy(p, *entry_value, value_len);\n\t\t\t\t\t\tp+= value_len;\n\t\t\t\t\t}\n\t\t\t\t\tzend_hash_move_forward_ex(conn->options->connect_attr, &pos_value);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t/* cannot put the data - skip */\n\t\t\t}\n\t\t}\n\t}\n\tif (packet->is_change_user_packet) {\n\t\tif (PASS != conn->m->simple_command(conn, COM_CHANGE_USER, buffer + MYSQLND_HEADER_SIZE, p - buffer - MYSQLND_HEADER_SIZE,\n\t\t\t\t\t\t\t\t\t\t PROT_LAST /* the caller will handle the OK packet */,\n\t\t\t\t\t\t\t\t\t\t packet->silent, TRUE TSRMLS_CC)) {\n\t\t\tDBG_RETURN(0);\n\t\t}\n\t\tDBG_RETURN(p - buffer - MYSQLND_HEADER_SIZE);\n\t} else {\n\t\tsize_t sent = conn->net->data->m.send_ex(conn->net, buffer, p - buffer - MYSQLND_HEADER_SIZE, conn->stats, conn->error_info TSRMLS_CC);\n\t\tif (!sent) {\n\t\t\tCONN_SET_STATE(conn, CONN_QUIT_SENT);\n\t\t}\n\t\tDBG_RETURN(sent);\n\t}",
- "project": "php-src",
- "hash": 114075198024963005465621442961939471180,
- "size": 139,
- "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132",
- "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields",
- "target": 0,
- "dataset": "other",
- "idx": 416678
- },
- {
- "func": "void ma_invalidate_stmts(MYSQL *mysql, const char *function_name)\n{\n if (mysql->stmts)\n {\n LIST *li_stmt= mysql->stmts;\n\n for (; li_stmt; li_stmt= li_stmt->next)\n {\n MYSQL_STMT *stmt= (MYSQL_STMT *)li_stmt->data;\n stmt->mysql= NULL;\n SET_CLIENT_STMT_ERROR(stmt, CR_STMT_CLOSED, SQLSTATE_UNKNOWN, function_name);\n }\n mysql->stmts= NULL;\n }\n}",
- "project": "mariadb-connector-c",
- "hash": 53182753541168920515190393586156322279,
- "size": 15,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429693
- },
- {
- "func": "static void ma_clear_session_state(MYSQL *mysql)\n{\n uint i;\n\n if (!mysql || !mysql->extension)\n return;\n\n for (i= SESSION_TRACK_BEGIN; i <= SESSION_TRACK_END; i++)\n {\n list_free(mysql->extension->session_state[i].list, 0);\n }\n memset(mysql->extension->session_state, 0, sizeof(struct st_mariadb_session_state) * SESSION_TRACK_TYPES);\n}",
- "project": "mariadb-connector-c",
- "hash": 203907896303212000940535036812864321229,
- "size": 13,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429677
- },
- {
- "func": "zend_uchar *\nphp_mysqlnd_net_store_length(zend_uchar *packet, uint64_t length)\n{\n\tif (length < (uint64_t) L64(251)) {\n\t\t*packet = (zend_uchar) length;\n\t\treturn packet + 1;\n\t}\n\n\tif (length < (uint64_t) L64(65536)) {\n\t\t*packet++ = 252;\n\t\tint2store(packet,(unsigned int) length);\n\t\treturn packet + 2;\n\t}\n\n\tif (length < (uint64_t) L64(16777216)) {\n\t\t*packet++ = 253;\n\t\tint3store(packet,(ulong) length);\n\t\treturn packet + 3;\n\t}\n\t*packet++ = 254;\n\tint8store(packet, length);\n\treturn packet + 8;",
- "project": "php-src",
- "hash": 111815171582436517996243548500835477597,
- "size": 22,
- "commit_id": "28f80baf3c53e267c9ce46a2a0fadbb981585132",
- "message": "Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields",
- "target": 0,
- "dataset": "other",
- "idx": 416681
- },
- {
- "func": "static void mysql_close_memory(MYSQL *mysql)\n{\n ma_clear_session_state(mysql);\n free(mysql->host_info);\n free(mysql->host);\n free(mysql->user);\n free(mysql->passwd);\n free(mysql->db);\n free(mysql->unix_socket);\n free(mysql->server_version);\n mysql->host_info= mysql->host= mysql->unix_socket=\n mysql->server_version=mysql->user=mysql->passwd=mysql->db=0;\n}",
- "project": "mariadb-connector-c",
- "hash": 299823909470805805524548764029670920429,
- "size": 13,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429671
- },
- {
- "func": "int STDCALL mysql_set_server_option(MYSQL *mysql,\n enum enum_mysql_set_option option)\n{\n char buffer[2];\n int2store(buffer, (uint)option);\n return(ma_simple_command(mysql, COM_SET_OPTION, buffer, sizeof(buffer), 0, 0));\n}",
- "project": "mariadb-connector-c",
- "hash": 278711197721630844368740385950522368233,
- "size": 7,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429643
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ff_layout_read_prepare_v4",
- "ff_layout_read_prepare_common",
- "ff_layout_read_record_layoutstats_start"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void ff_layout_read_prepare_v4(struct rpc_task *task, void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tif (nfs4_setup_sequence(hdr->ds_clp,\n\t\t\t\t&hdr->args.seq_args,\n\t\t\t\t&hdr->res.seq_res,\n\t\t\t\ttask))\n\t\treturn;\n\n\tff_layout_read_prepare_common(task, hdr);\n}",
- "project": "linux",
- "hash": 226440226190759581103757914950951705523,
- "size": 12,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234422
- },
- {
- "func": "static int ff_layout_read_prepare_common(struct rpc_task *task,\n\t\t\t\t\t struct nfs_pgio_header *hdr)\n{\n\tif (unlikely(test_bit(NFS_CONTEXT_BAD, &hdr->args.context->flags))) {\n\t\trpc_exit(task, -EIO);\n\t\treturn -EIO;\n\t}\n\n\tff_layout_read_record_layoutstats_start(task, hdr);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 157729610648494303101839328390099699136,
- "size": 11,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234452
- },
- {
- "func": "static void ff_layout_read_record_layoutstats_start(struct rpc_task *task,\n\t\tstruct nfs_pgio_header *hdr)\n{\n\tif (test_and_set_bit(NFS_IOHDR_STAT, &hdr->flags))\n\t\treturn;\n\tnfs4_ff_layout_stat_io_start_read(hdr->inode,\n\t\t\tFF_LAYOUT_COMP(hdr->lseg, hdr->pgio_mirror_idx),\n\t\t\thdr->args.count,\n\t\t\ttask->tk_start);\n}",
- "project": "linux",
- "hash": 32293857655617288977544246707045501905,
- "size": 10,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234481
- },
- {
- "func": "static void ff_layout_read_prepare_v3(struct rpc_task *task, void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tif (ff_layout_read_prepare_common(task, hdr))\n\t\treturn;\n\n\trpc_call_start(task);\n}",
- "project": "linux",
- "hash": 311339260865109808727959923669793718017,
- "size": 9,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234414
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "texImage2D",
- "imageSizeInBytes",
- "componentsPerPixel"
- ],
- "group_size": 4,
- "functions": [
- {
- "project": "Chrome",
- "commit_id": "327585cb0eab0859518643a2d00917081f7e7645",
- "target": 0,
- "func": "size_t imageSizeInBytes(unsigned width, unsigned height, unsigned format, unsigned type)\n{\n return width * height * bytesPerComponent(type) * componentsPerPixel(format, type);\n}\n",
- "cwe": "",
- "big_vul_idx": 99009,
- "idx": 89066,
- "hash": 100191103927277428462910561057830902731
- },
- {
- "project": "Chrome",
- "commit_id": "327585cb0eab0859518643a2d00917081f7e7645",
- "target": 0,
- "func": "void WebGraphicsContext3DDefaultImpl::texImage2D(unsigned target, unsigned level, unsigned internalFormat, unsigned width, unsigned height, unsigned border, unsigned format, unsigned type, const void* pixels)\n{\n OwnArrayPtr<uint8> zero;\n if (!pixels) {\n size_t size = imageSizeInBytes(width, height, format, type);\n zero.set(new uint8[size]);\n memset(zero.get(), 0, size);\n pixels = zero.get();\n }\n glTexImage2D(target, level, internalFormat, width, height, border, format, type, pixels);\n}\n",
- "cwe": "",
- "big_vul_idx": 99028,
- "idx": 89082,
- "hash": 288715348610881210509303505688349014827
- },
- {
- "project": "Chrome",
- "commit_id": "327585cb0eab0859518643a2d00917081f7e7645",
- "target": 0,
- "func": "unsigned bytesPerComponent(unsigned type)\n{\n switch (type) {\n case GL_BYTE:\n case GL_UNSIGNED_BYTE:\n return 1;\n case GL_SHORT:\n case GL_UNSIGNED_SHORT:\n case GL_UNSIGNED_SHORT_5_6_5:\n case GL_UNSIGNED_SHORT_4_4_4_4:\n case GL_UNSIGNED_SHORT_5_5_5_1:\n return 2;\n case GL_FLOAT:\n return 4;\n default:\n return 4;\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 98971,
- "idx": 89030,
- "hash": 181225461820534879990745914179801188323
- },
- {
- "project": "Chrome",
- "commit_id": "327585cb0eab0859518643a2d00917081f7e7645",
- "target": 0,
- "func": "unsigned componentsPerPixel(unsigned format, unsigned type)\n{\n switch (type) {\n case GL_UNSIGNED_SHORT_5_6_5:\n case GL_UNSIGNED_SHORT_4_4_4_4:\n case GL_UNSIGNED_SHORT_5_5_5_1:\n return 1;\n default:\n break;\n }\n switch (format) {\n case GL_LUMINANCE:\n return 1;\n case GL_LUMINANCE_ALPHA:\n return 2;\n case GL_RGB:\n return 3;\n case GL_RGBA:\n case GL_BGRA_EXT:\n return 4;\n default:\n return 4;\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 98973,
- "idx": 89032,
- "hash": 323523728756380712835029241906702190867
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "SetExtensionContentSettingFromList",
- "SetExtensionContentSetting",
- "GetValueMap",
- "FindEntry"
- ],
- "group_size": 13,
- "functions": [
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::SetExtensionContentSetting(\n const std::string& ext_id,\n const ContentSettingsPattern& primary_pattern,\n const ContentSettingsPattern& secondary_pattern,\n ContentSettingsType type,\n const content_settings::ResourceIdentifier& identifier,\n ContentSetting setting,\n ExtensionPrefsScope scope) {\n {\n base::AutoLock lock(lock_);\n OriginIdentifierValueMap* map = GetValueMap(ext_id, scope);\n if (setting == CONTENT_SETTING_DEFAULT) {\n map->DeleteValue(primary_pattern, secondary_pattern, type, identifier);\n } else {\n map->SetValue(primary_pattern, secondary_pattern, type, identifier,\n base::Value::CreateIntegerValue(setting));\n }\n }\n\n NotifyOfContentSettingChanged(ext_id,\n scope != kExtensionPrefsScopeRegular);\n}\n",
- "cwe": "",
- "big_vul_idx": 113813,
- "idx": 102022,
- "hash": 84849344927467544405296447728019616117
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "ContentSettingsStore::FindEntry(const std::string& ext_id) {\n ExtensionEntryMap::iterator i;\n for (i = entries_.begin(); i != entries_.end(); ++i) {\n if (i->second->id == ext_id)\n return i;\n }\n return entries_.end();\n}\n",
- "cwe": "",
- "big_vul_idx": 113803,
- "idx": 102013,
- "hash": 144871821058680461837679452113349635692
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::RegisterExtension(\n const std::string& ext_id,\n const base::Time& install_time,\n bool is_enabled) {\n base::AutoLock lock(lock_);\n ExtensionEntryMap::iterator i = FindEntry(ext_id);\n if (i != entries_.end()) {\n delete i->second;\n entries_.erase(i);\n }\n\n ExtensionEntry* entry = new ExtensionEntry;\n entry->id = ext_id;\n entry->enabled = is_enabled;\n entries_.insert(std::make_pair(install_time, entry));\n}\n",
- "cwe": "",
- "big_vul_idx": 113811,
- "idx": 102020,
- "hash": 71329738332924000295255173779941553477
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::UnregisterExtension(\n const std::string& ext_id) {\n bool notify = false;\n bool notify_incognito = false;\n {\n base::AutoLock lock(lock_);\n ExtensionEntryMap::iterator i = FindEntry(ext_id);\n if (i == entries_.end())\n return;\n notify = !i->second->settings.empty();\n notify_incognito = !i->second->incognito_persistent_settings.empty() ||\n !i->second->incognito_session_only_settings.empty();\n\n delete i->second;\n entries_.erase(i);\n }\n if (notify)\n NotifyOfContentSettingChanged(ext_id, false);\n if (notify_incognito)\n NotifyOfContentSettingChanged(ext_id, true);\n}\n",
- "cwe": "",
- "big_vul_idx": 113816,
- "idx": 102025,
- "hash": 253336267348198700968344145950842188022
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 1,
- "func": "void ContentSettingsStore::ClearContentSettingsForExtension(\n const std::string& ext_id,\n ExtensionPrefsScope scope) {\n bool notify = false;\n {\n base::AutoLock lock(lock_);\n OriginIdentifierValueMap* map = GetValueMap(ext_id, scope);\n char ext_id_buffer[33];\n base::strlcpy(ext_id_buffer, ext_id.c_str(), sizeof(ext_id_buffer));\n base::debug::Alias(ext_id_buffer);\n CHECK(false);\n }\n notify = !map->empty();\n map->clear();\n }\n if (notify) {\n NotifyOfContentSettingChanged(ext_id, scope != kExtensionPrefsScopeRegular);\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 184504,
- "idx": 5458,
- "hash": 265797374762752738816496693872000415093
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::ClearContentSettingsForExtension(\n const std::string& ext_id,\n ExtensionPrefsScope scope) {\n bool notify = false;\n {\n base::AutoLock lock(lock_);\n OriginIdentifierValueMap* map = GetValueMap(ext_id, scope);\n // Fail gracefully in Release builds.\n NOTREACHED();\n return;\n }\n notify = !map->empty();\n map->clear();\n }\n if (notify) {\n NotifyOfContentSettingChanged(ext_id, scope != kExtensionPrefsScopeRegular);\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 184504,
- "idx": 162573,
- "hash": 12967184921243506354797539177835054040
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::NotifyOfContentSettingChanged(\n const std::string& extension_id,\n bool incognito) {\n FOR_EACH_OBSERVER(\n ContentSettingsStore::Observer,\n observers_,\n OnContentSettingChanged(extension_id, incognito));\n}\n",
- "cwe": "",
- "big_vul_idx": 113809,
- "idx": 102018,
- "hash": 154976950546548493239244573307163992760
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "OriginIdentifierValueMap* ContentSettingsStore::GetValueMap(\n const std::string& ext_id,\n ExtensionPrefsScope scope) {\n ExtensionEntryMap::const_iterator i = FindEntry(ext_id);\n if (i != entries_.end()) {\n switch (scope) {\n case kExtensionPrefsScopeRegular:\n return &(i->second->settings);\n case kExtensionPrefsScopeRegularOnly:\n NOTREACHED();\n return NULL;\n case kExtensionPrefsScopeIncognitoPersistent:\n return &(i->second->incognito_persistent_settings);\n case kExtensionPrefsScopeIncognitoSessionOnly:\n return &(i->second->incognito_session_only_settings);\n }\n }\n return NULL;\n}\n",
- "cwe": "",
- "big_vul_idx": 113807,
- "idx": 102016,
- "hash": 38362777105571324642739053017074788386
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "const OriginIdentifierValueMap* ContentSettingsStore::GetValueMap(\n const std::string& ext_id,\n ExtensionPrefsScope scope) const {\n ExtensionEntryMap::const_iterator i = FindEntry(ext_id);\n if (i == entries_.end())\n return NULL;\n\n switch (scope) {\n case kExtensionPrefsScopeRegular:\n return &(i->second->settings);\n case kExtensionPrefsScopeRegularOnly:\n NOTREACHED();\n return NULL;\n case kExtensionPrefsScopeIncognitoPersistent:\n return &(i->second->incognito_persistent_settings);\n case kExtensionPrefsScopeIncognitoSessionOnly:\n return &(i->second->incognito_session_only_settings);\n }\n\n NOTREACHED();\n return NULL;\n}\n",
- "cwe": "",
- "big_vul_idx": 113808,
- "idx": 102017,
- "hash": 142418416636862609877378004129025837881
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "base::ListValue* ContentSettingsStore::GetSettingsForExtension(\n const std::string& extension_id,\n ExtensionPrefsScope scope) const {\n base::AutoLock lock(lock_);\n const OriginIdentifierValueMap* map = GetValueMap(extension_id, scope);\n if (!map)\n return NULL;\n base::ListValue* settings = new base::ListValue();\n OriginIdentifierValueMap::EntryMap::const_iterator it;\n for (it = map->begin(); it != map->end(); ++it) {\n scoped_ptr<RuleIterator> rule_iterator(\n map->GetRuleIterator(it->first.content_type,\n it->first.resource_identifier,\n NULL)); // We already hold the lock.\n while (rule_iterator->HasNext()) {\n const Rule& rule = rule_iterator->Next();\n base::DictionaryValue* setting_dict = new base::DictionaryValue();\n setting_dict->SetString(keys::kPrimaryPatternKey,\n rule.primary_pattern.ToString());\n setting_dict->SetString(keys::kSecondaryPatternKey,\n rule.secondary_pattern.ToString());\n setting_dict->SetString(\n keys::kContentSettingsTypeKey,\n helpers::ContentSettingsTypeToString(it->first.content_type));\n setting_dict->SetString(keys::kResourceIdentifierKey,\n it->first.resource_identifier);\n ContentSetting content_setting = ValueToContentSetting(rule.value.get());\n DCHECK_NE(CONTENT_SETTING_DEFAULT, content_setting);\n setting_dict->SetString(\n keys::kContentSettingKey,\n helpers::ContentSettingToString(content_setting));\n settings->Append(setting_dict);\n }\n }\n return settings;\n}\n",
- "cwe": "",
- "big_vul_idx": 113806,
- "idx": 102015,
- "hash": 139241730344285891252776837781574289833
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::SetExtensionContentSettingFromList(\n const std::string& extension_id,\n const base::ListValue* list,\n ExtensionPrefsScope scope) {\n for (base::ListValue::const_iterator it = list->begin();\n it != list->end(); ++it) {\n if ((*it)->GetType() != Value::TYPE_DICTIONARY) {\n NOTREACHED();\n continue;\n }\n base::DictionaryValue* dict = static_cast<base::DictionaryValue*>(*it);\n std::string primary_pattern_str;\n dict->GetString(keys::kPrimaryPatternKey, &primary_pattern_str);\n ContentSettingsPattern primary_pattern =\n ContentSettingsPattern::FromString(primary_pattern_str);\n DCHECK(primary_pattern.IsValid());\n\n std::string secondary_pattern_str;\n dict->GetString(keys::kSecondaryPatternKey, &secondary_pattern_str);\n ContentSettingsPattern secondary_pattern =\n ContentSettingsPattern::FromString(secondary_pattern_str);\n DCHECK(secondary_pattern.IsValid());\n\n std::string content_settings_type_str;\n dict->GetString(keys::kContentSettingsTypeKey, &content_settings_type_str);\n ContentSettingsType content_settings_type =\n helpers::StringToContentSettingsType(content_settings_type_str);\n DCHECK_NE(CONTENT_SETTINGS_TYPE_DEFAULT, content_settings_type);\n\n std::string resource_identifier;\n dict->GetString(keys::kResourceIdentifierKey, &resource_identifier);\n\n std::string content_setting_string;\n dict->GetString(keys::kContentSettingKey, &content_setting_string);\n ContentSetting setting = CONTENT_SETTING_DEFAULT;\n bool result =\n helpers::StringToContentSetting(content_setting_string, &setting);\n DCHECK(result);\n\n SetExtensionContentSetting(extension_id,\n primary_pattern,\n secondary_pattern,\n content_settings_type,\n resource_identifier,\n setting,\n scope);\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 113814,
- "idx": 102023,
- "hash": 70179980667900133818009144382780628834
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::SetExtensionState(\n const std::string& ext_id, bool is_enabled) {\n bool notify = false;\n bool notify_incognito = false;\n {\n base::AutoLock lock(lock_);\n ExtensionEntryMap::const_iterator i = FindEntry(ext_id);\n if (i == entries_.end())\n return;\n notify = !i->second->settings.empty();\n notify_incognito = !i->second->incognito_persistent_settings.empty() ||\n !i->second->incognito_session_only_settings.empty();\n\n i->second->enabled = is_enabled;\n }\n if (notify)\n NotifyOfContentSettingChanged(ext_id, false);\n if (notify_incognito)\n NotifyOfContentSettingChanged(ext_id, true);\n}\n",
- "cwe": "",
- "big_vul_idx": 113815,
- "idx": 102024,
- "hash": 20125382622179189208306526857457148182
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "RuleIterator* ContentSettingsStore::GetRuleIterator(\n ContentSettingsType type,\n const content_settings::ResourceIdentifier& identifier,\n bool incognito) const {\n ScopedVector<RuleIterator> iterators;\n ExtensionEntryMap::const_reverse_iterator entry;\n\n scoped_ptr<base::AutoLock> auto_lock(new base::AutoLock(lock_));\n\n for (entry = entries_.rbegin(); entry != entries_.rend(); ++entry) {\n if (!entry->second->enabled)\n continue;\n\n if (incognito) {\n iterators.push_back(\n entry->second->incognito_session_only_settings.GetRuleIterator(\n type,\n identifier,\n NULL));\n iterators.push_back(\n entry->second->incognito_persistent_settings.GetRuleIterator(\n type,\n identifier,\n NULL));\n } else {\n iterators.push_back(\n entry->second->settings.GetRuleIterator(type, identifier, NULL));\n }\n }\n return new ConcatenationIterator(&iterators, auto_lock.release());\n}\n",
- "cwe": "",
- "big_vul_idx": 113805,
- "idx": 102014,
- "hash": 89570315413421650235602117772268834038
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "~ContentSettingsStore",
- "ContentSettingsStore",
- "OnCorrectThread"
- ],
- "group_size": 5,
- "functions": [
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "bool ContentSettingsStore::OnCorrectThread() {\n return !BrowserThread::IsWellKnownThread(BrowserThread::UI) ||\n BrowserThread::CurrentlyOn(BrowserThread::UI);\n}\n",
- "cwe": "",
- "big_vul_idx": 113810,
- "idx": 102019,
- "hash": 85964980237324972811762407694656373748
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::AddObserver(Observer* observer) {\n DCHECK(OnCorrectThread());\n observers_.AddObserver(observer);\n}\n",
- "cwe": "",
- "big_vul_idx": 113801,
- "idx": 102011,
- "hash": 274375230843812264978090509763247298972
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "ContentSettingsStore::~ContentSettingsStore() {\n STLDeleteValues(&entries_);\n}\n",
- "cwe": "",
- "big_vul_idx": 113817,
- "idx": 102026,
- "hash": 193315584364047723290740036884479523650
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "void ContentSettingsStore::RemoveObserver(Observer* observer) {\n DCHECK(OnCorrectThread());\n observers_.RemoveObserver(observer);\n}\n",
- "cwe": "",
- "big_vul_idx": 113812,
- "idx": 102021,
- "hash": 288872367979228713729187696799686614287
- },
- {
- "project": "Chrome",
- "commit_id": "1a113d35a19c0ed6500fb5c0acdc35730617fb3f",
- "target": 0,
- "func": "ContentSettingsStore::ContentSettingsStore() {\n DCHECK(OnCorrectThread());\n}\n",
- "cwe": "",
- "big_vul_idx": 113802,
- "idx": 102012,
- "hash": 99620593167027437578310083732980640293
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "rsi_mac80211_cancel_roc",
- "rsi_resume_conn_channel",
- "rsi_switch_channel"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void rsi_switch_channel(struct rsi_hw *adapter,\n\t\t\t struct ieee80211_vif *vif)\n{\n\tstruct rsi_common *common = adapter->priv;\n\tstruct ieee80211_channel *channel;\n\n\tif (common->iface_down)\n\t\treturn;\n\tif (!vif)\n\t\treturn;\n\n\tchannel = vif->bss_conf.chandef.chan;\n\n\tif (!channel)\n\t\treturn;\n\n\trsi_band_check(common, channel);\n\trsi_set_channel(common, channel);\n\trsi_dbg(INFO_ZONE, \"Switched to channel - %d\\n\", channel->hw_value);\n}",
- "project": "linux",
- "hash": 49657447112588327295626339182823740407,
- "size": 20,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461639
- },
- {
- "func": "static int rsi_mac80211_cancel_roc(struct ieee80211_hw *hw)\n{\n\tstruct rsi_hw *adapter = hw->priv;\n\tstruct rsi_common *common = adapter->priv;\n\n\trsi_dbg(INFO_ZONE, \"Cancel remain on channel\\n\");\n\n\tmutex_lock(&common->mutex);\n\tif (!timer_pending(&common->roc_timer)) {\n\t\tmutex_unlock(&common->mutex);\n\t\treturn 0;\n\t}\n\n\tdel_timer(&common->roc_timer);\n\n\trsi_resume_conn_channel(common);\n\tmutex_unlock(&common->mutex);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 258436340765509179612182905105279715926,
- "size": 20,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461632
- },
- {
- "func": "void rsi_roc_timeout(struct timer_list *t)\n{\n\tstruct rsi_common *common = from_timer(common, t, roc_timer);\n\n\trsi_dbg(INFO_ZONE, \"Remain on channel expired\\n\");\n\n\tmutex_lock(&common->mutex);\n\tieee80211_remain_on_channel_expired(common->priv->hw);\n\n\tif (timer_pending(&common->roc_timer))\n\t\tdel_timer(&common->roc_timer);\n\n\trsi_resume_conn_channel(common);\n\tmutex_unlock(&common->mutex);\n}",
- "project": "linux",
- "hash": 151059921459410287184034486238416954191,
- "size": 15,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461664
- },
- {
- "func": "static void rsi_resume_conn_channel(struct rsi_common *common)\n{\n\tstruct rsi_hw *adapter = common->priv;\n\tstruct ieee80211_vif *vif;\n\tint cnt;\n\n\tfor (cnt = 0; cnt < RSI_MAX_VIFS; cnt++) {\n\t\tvif = adapter->vifs[cnt];\n\t\tif (!vif)\n\t\t\tcontinue;\n\n\t\tif ((vif->type == NL80211_IFTYPE_AP) ||\n\t\t (vif->type == NL80211_IFTYPE_P2P_GO)) {\n\t\t\trsi_switch_channel(adapter, vif);\n\t\t\tbreak;\n\t\t}\n\t\tif (((vif->type == NL80211_IFTYPE_STATION) ||\n\t\t (vif->type == NL80211_IFTYPE_P2P_CLIENT)) &&\n\t\t vif->bss_conf.assoc) {\n\t\t\trsi_switch_channel(adapter, vif);\n\t\t\tbreak;\n\t\t}\n\t}\n}",
- "project": "linux",
- "hash": 145343264581648018838314304350418653766,
- "size": 24,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461657
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "msf2_emac_reset",
- "msf2_emac_do_reset",
- "msf2_phy_reset",
- "msf2_phy_update_link"
- ],
- "group_size": 17,
- "functions": [
- {
- "func": "static void write_to_phy(MSF2EmacState *s)\n{\n uint8_t reg_addr = s->regs[R_MII_ADDR] & R_MII_ADDR_REGADDR_MASK;\n uint8_t phy_addr = (s->regs[R_MII_ADDR] >> R_MII_ADDR_PHYADDR_SHIFT) &\n R_MII_ADDR_REGADDR_MASK;\n uint16_t data = s->regs[R_MII_CTL] & 0xFFFF;\n\n if (phy_addr != PHYADDR) {\n return;\n }\n\n switch (reg_addr) {\n case MII_BMCR:\n if (data & MII_BMCR_RESET) {\n /* Phy reset */\n msf2_phy_reset(s);\n data &= ~MII_BMCR_RESET;\n }\n if (data & MII_BMCR_AUTOEN) {\n /* Complete autonegotiation immediately */\n data &= ~MII_BMCR_AUTOEN;\n s->phy_regs[MII_BMSR] |= MII_BMSR_AN_COMP;\n }\n break;\n }\n\n s->phy_regs[reg_addr] = data;\n}",
- "project": "qemu",
- "hash": 2435123177511818004101984301770380239,
- "size": 28,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408520
- },
- {
- "func": "static void emac_write(void *opaque, hwaddr addr, uint64_t val64,\n unsigned int size)\n{\n MSF2EmacState *s = opaque;\n uint32_t value = val64;\n uint32_t enreqbits;\n uint8_t pktcnt;\n\n addr >>= 2;\n switch (addr) {\n case R_DMA_TX_CTL:\n s->regs[addr] = value;\n if (value & R_DMA_TX_CTL_EN_MASK) {\n msf2_dma_tx(s);\n }\n break;\n case R_DMA_RX_CTL:\n s->regs[addr] = value;\n if (value & R_DMA_RX_CTL_EN_MASK) {\n s->rx_desc = s->regs[R_DMA_RX_DESC];\n qemu_flush_queued_packets(qemu_get_queue(s->nic));\n }\n break;\n case R_CFG1:\n s->regs[addr] = value;\n if (value & R_CFG1_RESET_MASK) {\n msf2_emac_do_reset(s);\n }\n break;\n case R_FIFO_CFG0:\n /*\n * For our implementation, turning on modules is instantaneous,\n * so the states requested via the *ENREQ bits appear in the\n * *ENRPLY bits immediately. Also the reset bits to reset PE-MCXMAC\n * module are not emulated here since it deals with start of frames,\n * inter-packet gap and control frames.\n */\n enreqbits = extract32(value, 8, 5);\n s->regs[addr] = deposit32(value, 16, 5, enreqbits);\n break;\n case R_DMA_TX_DESC:\n if (value & 0x3) {\n qemu_log_mask(LOG_GUEST_ERROR, \"Tx Descriptor address should be\"\n \" 32 bit aligned\\n\");\n }\n /* Ignore [1:0] bits */\n s->regs[addr] = value & ~3;\n break;\n case R_DMA_RX_DESC:\n if (value & 0x3) {\n qemu_log_mask(LOG_GUEST_ERROR, \"Rx Descriptor address should be\"\n \" 32 bit aligned\\n\");\n }\n /* Ignore [1:0] bits */\n s->regs[addr] = value & ~3;\n break;\n case R_DMA_TX_STATUS:\n if (value & R_DMA_TX_STATUS_UNDERRUN_MASK) {\n s->regs[addr] &= ~R_DMA_TX_STATUS_UNDERRUN_MASK;\n }\n if (value & R_DMA_TX_STATUS_PKT_SENT_MASK) {\n pktcnt = FIELD_EX32(s->regs[addr], DMA_TX_STATUS, PKTCNT);\n pktcnt--;\n s->regs[addr] = FIELD_DP32(s->regs[addr], DMA_TX_STATUS,\n PKTCNT, pktcnt);\n if (pktcnt == 0) {\n s->regs[addr] &= ~R_DMA_TX_STATUS_PKT_SENT_MASK;\n }\n }\n break;\n case R_DMA_RX_STATUS:\n if (value & R_DMA_RX_STATUS_OVERFLOW_MASK) {\n 
s->regs[addr] &= ~R_DMA_RX_STATUS_OVERFLOW_MASK;\n }\n if (value & R_DMA_RX_STATUS_PKT_RCVD_MASK) {\n pktcnt = FIELD_EX32(s->regs[addr], DMA_RX_STATUS, PKTCNT);\n pktcnt--;\n s->regs[addr] = FIELD_DP32(s->regs[addr], DMA_RX_STATUS,\n PKTCNT, pktcnt);\n if (pktcnt == 0) {\n s->regs[addr] &= ~R_DMA_RX_STATUS_PKT_RCVD_MASK;\n }\n }\n break;\n case R_DMA_IRQ:\n break;\n case R_MII_CMD:\n if (value & R_MII_CMD_READ_MASK) {\n s->regs[R_MII_STS] = read_from_phy(s);\n }\n break;\n case R_MII_CTL:\n s->regs[addr] = value;\n write_to_phy(s);\n break;\n case R_STA1:\n s->regs[addr] = value;\n /*\n * R_STA1 [31:24] : octet 1 of mac address\n * R_STA1 [23:16] : octet 2 of mac address\n * R_STA1 [15:8] : octet 3 of mac address\n * R_STA1 [7:0] : octet 4 of mac address\n */\n stl_be_p(s->mac_addr, value);\n break;\n case R_STA2:\n s->regs[addr] = value;\n /*\n * R_STA2 [31:24] : octet 5 of mac address\n * R_STA2 [23:16] : octet 6 of mac address\n */\n stw_be_p(s->mac_addr + 4, value >> 16);\n break;\n default:\n if (addr >= ARRAY_SIZE(s->regs)) {\n qemu_log_mask(LOG_GUEST_ERROR,\n \"%s: Bad offset 0x%\" HWADDR_PRIx \"\\n\", __func__,\n addr * 4);\n return;\n }\n s->regs[addr] = value;\n break;\n }\n emac_update_irq(s);\n}",
- "project": "qemu",
- "hash": 142627919697664424382763103238155423526,
- "size": 125,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408531
- },
- {
- "func": "static void emac_load_desc(MSF2EmacState *s, EmacDesc *d, hwaddr desc)\n{\n address_space_read(&s->dma_as, desc, MEMTXATTRS_UNSPECIFIED, d, sizeof *d);\n /* Convert from LE into host endianness. */\n d->pktaddr = le32_to_cpu(d->pktaddr);\n d->pktsize = le32_to_cpu(d->pktsize);\n d->next = le32_to_cpu(d->next);\n}",
- "project": "qemu",
- "hash": 204187275545666389689651758191500588253,
- "size": 8,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408535
- },
- {
- "func": "static uint16_t read_from_phy(MSF2EmacState *s)\n{\n uint8_t reg_addr = s->regs[R_MII_ADDR] & R_MII_ADDR_REGADDR_MASK;\n uint8_t phy_addr = (s->regs[R_MII_ADDR] >> R_MII_ADDR_PHYADDR_SHIFT) &\n R_MII_ADDR_REGADDR_MASK;\n\n if (phy_addr == PHYADDR) {\n return s->phy_regs[reg_addr];\n } else {\n return 0xFFFF;\n }\n}",
- "project": "qemu",
- "hash": 296640283957708942790458729395725489243,
- "size": 12,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408537
- },
- {
- "func": "static ssize_t emac_rx(NetClientState *nc, const uint8_t *buf, size_t size)\n{\n MSF2EmacState *s = qemu_get_nic_opaque(nc);\n EmacDesc d;\n uint8_t pktcnt;\n uint32_t status;\n\n if (size > (s->regs[R_MAX_FRAME_LENGTH] & 0xFFFF)) {\n return size;\n }\n if (!addr_filter_ok(s, buf)) {\n return size;\n }\n\n emac_load_desc(s, &d, s->rx_desc);\n\n if (d.pktsize & EMPTY_MASK) {\n address_space_write(&s->dma_as, d.pktaddr, MEMTXATTRS_UNSPECIFIED,\n buf, size & PKT_SIZE);\n d.pktsize = size & PKT_SIZE;\n emac_store_desc(s, &d, s->rx_desc);\n /* update received packets count */\n status = s->regs[R_DMA_RX_STATUS];\n pktcnt = FIELD_EX32(status, DMA_RX_STATUS, PKTCNT);\n pktcnt++;\n s->regs[R_DMA_RX_STATUS] = FIELD_DP32(status, DMA_RX_STATUS,\n PKTCNT, pktcnt);\n s->regs[R_DMA_RX_STATUS] |= R_DMA_RX_STATUS_PKT_RCVD_MASK;\n s->rx_desc = d.next;\n } else {\n s->regs[R_DMA_RX_CTL] &= ~R_DMA_RX_CTL_EN_MASK;\n s->regs[R_DMA_RX_STATUS] |= R_DMA_RX_STATUS_OVERFLOW_MASK;\n }\n emac_update_irq(s);\n return size;\n}",
- "project": "qemu",
- "hash": 145795289411570125648461718405523924905,
- "size": 36,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408538
- },
- {
- "func": "static void msf2_phy_reset(MSF2EmacState *s)\n{\n memset(&s->phy_regs[0], 0, sizeof(s->phy_regs));\n s->phy_regs[MII_BMCR] = 0x1140;\n s->phy_regs[MII_BMSR] = 0x7968;\n s->phy_regs[MII_PHYID1] = 0x0022;\n s->phy_regs[MII_PHYID2] = 0x1550;\n s->phy_regs[MII_ANAR] = 0x01E1;\n s->phy_regs[MII_ANLPAR] = 0xCDE1;\n\n msf2_phy_update_link(s);\n}",
- "project": "qemu",
- "hash": 261913340885200105699747283455116435972,
- "size": 12,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408528
- },
- {
- "func": "static void msf2_emac_reset(DeviceState *dev)\n{\n MSF2EmacState *s = MSS_EMAC(dev);\n\n msf2_emac_do_reset(s);\n}",
- "project": "qemu",
- "hash": 143395039747611100025821846418462296891,
- "size": 6,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408530
- },
- {
- "func": "static void emac_set_link(NetClientState *nc)\n{\n MSF2EmacState *s = qemu_get_nic_opaque(nc);\n\n msf2_phy_update_link(s);\n}",
- "project": "qemu",
- "hash": 134704307068120005767148988481491840933,
- "size": 6,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408523
- },
- {
- "func": "static uint64_t emac_read(void *opaque, hwaddr addr, unsigned int size)\n{\n MSF2EmacState *s = opaque;\n uint32_t r = 0;\n\n addr >>= 2;\n\n switch (addr) {\n case R_DMA_IRQ:\n r = emac_get_isr(s);\n break;\n default:\n if (addr >= ARRAY_SIZE(s->regs)) {\n qemu_log_mask(LOG_GUEST_ERROR,\n \"%s: Bad offset 0x%\" HWADDR_PRIx \"\\n\", __func__,\n addr * 4);\n return r;\n }\n r = s->regs[addr];\n break;\n }\n return r;\n}",
- "project": "qemu",
- "hash": 135504479882235916529443679824092130533,
- "size": 23,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408540
- },
- {
- "func": "static bool addr_filter_ok(MSF2EmacState *s, const uint8_t *buf)\n{\n /* The broadcast MAC address: FF:FF:FF:FF:FF:FF */\n const uint8_t broadcast_addr[] = { 0xFF, 0xFF, 0xFF, 0xFF,\n 0xFF, 0xFF };\n bool bcast_en = true;\n bool mcast_en = true;\n\n if (s->regs[R_FIFO_CFG5] & R_FIFO_CFG5_BCAST_MASK) {\n bcast_en = true; /* Broadcast dont care for drop circuitry */\n } else if (s->regs[R_FIFO_CFG4] & R_FIFO_CFG4_BCAST_MASK) {\n bcast_en = false;\n }\n\n if (s->regs[R_FIFO_CFG5] & R_FIFO_CFG5_MCAST_MASK) {\n mcast_en = true; /* Multicast dont care for drop circuitry */\n } else if (s->regs[R_FIFO_CFG4] & R_FIFO_CFG4_MCAST_MASK) {\n mcast_en = false;\n }\n\n if (!memcmp(buf, broadcast_addr, sizeof(broadcast_addr))) {\n return bcast_en;\n }\n\n if (buf[0] & 1) {\n return mcast_en;\n }\n\n return !memcmp(buf, s->mac_addr, sizeof(s->mac_addr));\n}",
- "project": "qemu",
- "hash": 271913976529453484580742580817691950705,
- "size": 30,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408532
- },
- {
- "func": "static void msf2_dma_tx(MSF2EmacState *s)\n{\n NetClientState *nc = qemu_get_queue(s->nic);\n hwaddr desc = s->regs[R_DMA_TX_DESC];\n uint8_t buf[MAX_PKT_SIZE];\n EmacDesc d;\n int size;\n uint8_t pktcnt;\n uint32_t status;\n\n if (!(s->regs[R_CFG1] & R_CFG1_TX_EN_MASK)) {\n return;\n }\n\n while (1) {\n emac_load_desc(s, &d, desc);\n if (d.pktsize & EMPTY_MASK) {\n break;\n }\n size = d.pktsize & PKT_SIZE;\n address_space_read(&s->dma_as, d.pktaddr, MEMTXATTRS_UNSPECIFIED,\n buf, size);\n /*\n * This is very basic way to send packets. Ideally there should be\n * a FIFO and packets should be sent out from FIFO only when\n * R_CFG1 bit 0 is set.\n */\n if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {\n nc->info->receive(nc, buf, size);\n } else {\n qemu_send_packet(nc, buf, size);\n }\n d.pktsize |= EMPTY_MASK;\n emac_store_desc(s, &d, desc);\n /* update sent packets count */\n status = s->regs[R_DMA_TX_STATUS];\n pktcnt = FIELD_EX32(status, DMA_TX_STATUS, PKTCNT);\n pktcnt++;\n s->regs[R_DMA_TX_STATUS] = FIELD_DP32(status, DMA_TX_STATUS,\n PKTCNT, pktcnt);\n s->regs[R_DMA_TX_STATUS] |= R_DMA_TX_STATUS_PKT_SENT_MASK;\n desc = d.next;\n }\n s->regs[R_DMA_TX_STATUS] |= R_DMA_TX_STATUS_UNDERRUN_MASK;\n s->regs[R_DMA_TX_CTL] &= ~R_DMA_TX_CTL_EN_MASK;\n}",
- "project": "qemu",
- "hash": 266996506783650672252406401947191343006,
- "size": 46,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 1,
- "dataset": "other",
- "idx": 208328
- },
- {
- "func": "static void msf2_dma_tx(MSF2EmacState *s)\n{\n NetClientState *nc = qemu_get_queue(s->nic);\n hwaddr desc = s->regs[R_DMA_TX_DESC];\n uint8_t buf[MAX_PKT_SIZE];\n EmacDesc d;\n int size;\n uint8_t pktcnt;\n uint32_t status;\n\n if (!(s->regs[R_CFG1] & R_CFG1_TX_EN_MASK)) {\n return;\n }\n\n while (1) {\n emac_load_desc(s, &d, desc);\n if (d.pktsize & EMPTY_MASK) {\n break;\n }\n size = d.pktsize & PKT_SIZE;\n address_space_read(&s->dma_as, d.pktaddr, MEMTXATTRS_UNSPECIFIED,\n buf, size);\n /*\n * This is very basic way to send packets. Ideally there should be\n * a FIFO and packets should be sent out from FIFO only when\n * R_CFG1 bit 0 is set.\n */\n if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {\n qemu_receive_packet(nc, buf, size);\n } else {\n qemu_send_packet(nc, buf, size);\n }\n d.pktsize |= EMPTY_MASK;\n emac_store_desc(s, &d, desc);\n /* update sent packets count */\n status = s->regs[R_DMA_TX_STATUS];\n pktcnt = FIELD_EX32(status, DMA_TX_STATUS, PKTCNT);\n pktcnt++;\n s->regs[R_DMA_TX_STATUS] = FIELD_DP32(status, DMA_TX_STATUS,\n PKTCNT, pktcnt);\n s->regs[R_DMA_TX_STATUS] |= R_DMA_TX_STATUS_PKT_SENT_MASK;\n desc = d.next;\n }\n s->regs[R_DMA_TX_STATUS] |= R_DMA_TX_STATUS_UNDERRUN_MASK;\n s->regs[R_DMA_TX_CTL] &= ~R_DMA_TX_CTL_EN_MASK;\n}",
- "project": "qemu",
- "hash": 673024745665237607007576976494892674,
- "size": 46,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408536
- },
- {
- "func": "static uint32_t emac_get_isr(MSF2EmacState *s)\n{\n uint32_t ier = s->regs[R_DMA_IRQ_MASK];\n uint32_t tx = s->regs[R_DMA_TX_STATUS] & 0xF;\n uint32_t rx = s->regs[R_DMA_RX_STATUS] & 0xF;\n uint32_t isr = (rx << 4) | tx;\n\n s->regs[R_DMA_IRQ] = ier & isr;\n return s->regs[R_DMA_IRQ];\n}",
- "project": "qemu",
- "hash": 76556053197794724458386467208649723546,
- "size": 10,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408533
- },
- {
- "func": "static void emac_store_desc(MSF2EmacState *s, EmacDesc *d, hwaddr desc)\n{\n /* Convert from host endianness into LE. */\n d->pktaddr = cpu_to_le32(d->pktaddr);\n d->pktsize = cpu_to_le32(d->pktsize);\n d->next = cpu_to_le32(d->next);\n\n address_space_write(&s->dma_as, desc, MEMTXATTRS_UNSPECIFIED, d, sizeof *d);\n}",
- "project": "qemu",
- "hash": 111735247435558295267087719220167079599,
- "size": 9,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408525
- },
- {
- "func": "static void msf2_emac_do_reset(MSF2EmacState *s)\n{\n memset(&s->regs[0], 0, sizeof(s->regs));\n s->regs[R_CFG1] = 0x80000000;\n s->regs[R_CFG2] = 0x00007000;\n s->regs[R_IFG] = 0x40605060;\n s->regs[R_HALF_DUPLEX] = 0x00A1F037;\n s->regs[R_MAX_FRAME_LENGTH] = 0x00000600;\n s->regs[R_FIFO_CFG5] = 0X3FFFF;\n\n msf2_phy_reset(s);\n}",
- "project": "qemu",
- "hash": 301867812472469643451396628674770133451,
- "size": 12,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408522
- },
- {
- "func": "static void emac_update_irq(MSF2EmacState *s)\n{\n bool intr = emac_get_isr(s);\n\n qemu_set_irq(s->irq, intr);\n}",
- "project": "qemu",
- "hash": 333172412219392156233285272403604782462,
- "size": 6,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408539
- },
- {
- "func": "static void msf2_phy_update_link(MSF2EmacState *s)\n{\n /* Autonegotiation status mirrors link status. */\n if (qemu_get_queue(s->nic)->link_down) {\n s->phy_regs[MII_BMSR] &= ~(MII_BMSR_AN_COMP |\n MII_BMSR_LINK_ST);\n } else {\n s->phy_regs[MII_BMSR] |= (MII_BMSR_AN_COMP |\n MII_BMSR_LINK_ST);\n }\n}",
- "project": "qemu",
- "hash": 21239304882160056911292914400277760247,
- "size": 11,
- "commit_id": "26194a58f4eb83c5bdf4061a1628508084450ba1",
- "message": "msf2-mac: switch to use qemu_receive_packet() for loopback\n\nThis patch switches to use qemu_receive_packet() which can detect\nreentrancy and return early.\n\nThis is intended to address CVE-2021-3416.\n\nCc: Prasad J Pandit <ppandit@redhat.com>\nCc: qemu-stable@nongnu.org\nReviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>\nSigned-off-by: Jason Wang <jasowang@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 408529
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "ff_layout_read_release",
- "ff_layout_resend_pnfs_read",
- "ff_layout_choose_any_ds_for_read",
- "ff_layout_choose_best_ds_for_read"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "static void ff_layout_resend_pnfs_read(struct nfs_pgio_header *hdr)\n{\n\tu32 idx = hdr->pgio_mirror_idx + 1;\n\tu32 new_idx = 0;\n\n\tif (ff_layout_choose_any_ds_for_read(hdr->lseg, idx, &new_idx))\n\t\tff_layout_send_layouterror(hdr->lseg);\n\telse\n\t\tpnfs_error_mark_layout_for_return(hdr->inode, hdr->lseg);\n\tpnfs_read_resend_pnfs(hdr, new_idx);\n}",
- "project": "linux",
- "hash": 221400344490443336390998011943132739130,
- "size": 11,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234386
- },
- {
- "func": "static void ff_layout_read_record_layoutstats_done(struct rpc_task *task,\n\t\tstruct nfs_pgio_header *hdr)\n{\n\tif (!test_and_clear_bit(NFS_IOHDR_STAT, &hdr->flags))\n\t\treturn;\n\tnfs4_ff_layout_stat_io_end_read(task,\n\t\t\tFF_LAYOUT_COMP(hdr->lseg, hdr->pgio_mirror_idx),\n\t\t\thdr->args.count,\n\t\t\thdr->res.count);\n\tset_bit(NFS_LSEG_LAYOUTRETURN, &hdr->lseg->pls_flags);\n}",
- "project": "linux",
- "hash": 180815083649218398311438273574541494211,
- "size": 11,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234432
- },
- {
- "func": "ff_layout_get_ds_for_read(struct nfs_pageio_descriptor *pgio,\n\t\t\t u32 *best_idx)\n{\n\tstruct pnfs_layout_segment *lseg = pgio->pg_lseg;\n\tstruct nfs4_pnfs_ds *ds;\n\n\tds = ff_layout_choose_best_ds_for_read(lseg, pgio->pg_mirror_idx,\n\t\t\t\t\t best_idx);\n\tif (ds || !pgio->pg_mirror_idx)\n\t\treturn ds;\n\treturn ff_layout_choose_best_ds_for_read(lseg, 0, best_idx);\n}",
- "project": "linux",
- "hash": 254909909558430372208815151322590055598,
- "size": 12,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234392
- },
- {
- "func": "static void ff_layout_read_count_stats(struct rpc_task *task, void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tff_layout_read_record_layoutstats_done(task, hdr);\n\trpc_count_iostats_metrics(task,\n\t &NFS_CLIENT(hdr->inode)->cl_metrics[NFSPROC4_CLNT_READ]);\n}",
- "project": "linux",
- "hash": 111504923297298743059264768804593840040,
- "size": 8,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234487
- },
- {
- "func": "static void ff_layout_reset_read(struct nfs_pgio_header *hdr)\n{\n\tstruct rpc_task *task = &hdr->task;\n\n\tpnfs_layoutcommit_inode(hdr->inode, false);\n\tpnfs_error_mark_layout_for_return(hdr->inode, hdr->lseg);\n\n\tif (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags)) {\n\t\tdprintk(\"%s Reset task %5u for i/o through MDS \"\n\t\t\t\"(req %s/%llu, %u bytes @ offset %llu)\\n\", __func__,\n\t\t\thdr->task.tk_pid,\n\t\t\thdr->inode->i_sb->s_id,\n\t\t\t(unsigned long long)NFS_FILEID(hdr->inode),\n\t\t\thdr->args.count,\n\t\t\t(unsigned long long)hdr->args.offset);\n\n\t\ttrace_pnfs_mds_fallback_read_done(hdr->inode,\n\t\t\t\thdr->args.offset, hdr->args.count,\n\t\t\t\tIOMODE_READ, NFS_I(hdr->inode)->layout,\n\t\t\t\thdr->lseg);\n\t\ttask->tk_status = pnfs_read_done_resend_to_mds(hdr);\n\t}\n}",
- "project": "linux",
- "hash": 165625786622733838658217576364489228194,
- "size": 23,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234489
- },
- {
- "func": "ff_layout_choose_valid_ds_for_read(struct pnfs_layout_segment *lseg,\n\t\t\t\t u32 start_idx, u32 *best_idx)\n{\n\treturn ff_layout_choose_ds_for_read(lseg, start_idx, best_idx, true);\n}",
- "project": "linux",
- "hash": 183358589091286308071765017109110013908,
- "size": 5,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234413
- },
- {
- "func": "ff_layout_choose_any_ds_for_read(struct pnfs_layout_segment *lseg,\n\t\t\t\t u32 start_idx, u32 *best_idx)\n{\n\treturn ff_layout_choose_ds_for_read(lseg, start_idx, best_idx, false);\n}",
- "project": "linux",
- "hash": 265008521026144273299156386349075170732,
- "size": 5,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234463
- },
- {
- "func": "static void ff_layout_read_release(void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tff_layout_read_record_layoutstats_done(&hdr->task, hdr);\n\tif (test_bit(NFS_IOHDR_RESEND_PNFS, &hdr->flags))\n\t\tff_layout_resend_pnfs_read(hdr);\n\telse if (test_bit(NFS_IOHDR_RESEND_MDS, &hdr->flags))\n\t\tff_layout_reset_read(hdr);\n\tpnfs_generic_rw_release(data);\n}",
- "project": "linux",
- "hash": 8856986107342943583502713801015682015,
- "size": 11,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234435
- },
- {
- "func": "ff_layout_choose_best_ds_for_read(struct pnfs_layout_segment *lseg,\n\t\t\t\t u32 start_idx, u32 *best_idx)\n{\n\tstruct nfs4_pnfs_ds *ds;\n\n\tds = ff_layout_choose_valid_ds_for_read(lseg, start_idx, best_idx);\n\tif (ds)\n\t\treturn ds;\n\treturn ff_layout_choose_any_ds_for_read(lseg, start_idx, best_idx);\n}",
- "project": "linux",
- "hash": 147451117378478970686978877506404847386,
- "size": 10,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234387
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "mariadb_reconnect",
- "mysql_set_character_set",
- "mysql_real_query"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "my_bool STDCALL mysql_autocommit(MYSQL *mysql, my_bool mode)\n{\n return((my_bool) mysql_real_query(mysql, (mode) ? \"SET autocommit=1\" :\n \"SET autocommit=0\", 16));\n}",
- "project": "mariadb-connector-c",
- "hash": 40011449824224765253356387018160813692,
- "size": 5,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429744
- },
- {
- "func": "my_bool STDCALL mysql_commit(MYSQL *mysql)\n{\n return((my_bool)mysql_real_query(mysql, \"COMMIT\", (unsigned long)strlen(\"COMMIT\")));\n}",
- "project": "mariadb-connector-c",
- "hash": 277806673306036671992080538600299334387,
- "size": 4,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429632
- },
- {
- "func": "mysql_query(MYSQL *mysql, const char *query)\n{\n return mysql_real_query(mysql,query, (unsigned long) strlen(query));\n}",
- "project": "mariadb-connector-c",
- "hash": 208668653661987079458603989521521130525,
- "size": 4,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429682
- },
- {
- "func": "int STDCALL mysql_set_character_set(MYSQL *mysql, const char *csname)\n{\n const MARIADB_CHARSET_INFO *cs;\n\n if (!csname)\n goto error;\n\n if ((cs= mysql_find_charset_name(csname)))\n {\n char buff[64];\n\n snprintf(buff, 63, \"SET NAMES %s\", cs->csname);\n if (!mysql_real_query(mysql, buff, (unsigned long)strlen(buff)))\n {\n mysql->charset= cs;\n return(0);\n }\n return(mysql->net.last_errno);\n }\n\nerror:\n my_set_error(mysql, CR_CANT_READ_CHARSET, SQLSTATE_UNKNOWN,\n 0, csname, \"compiled_in\");\n return(mysql->net.last_errno);\n}",
- "project": "mariadb-connector-c",
- "hash": 308536125327576078874356108592490986962,
- "size": 25,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429715
- },
- {
- "func": "my_bool STDCALL mysql_rollback(MYSQL *mysql)\n{\n return((my_bool)mysql_real_query(mysql, \"ROLLBACK\", (unsigned long)strlen(\"ROLLBACK\")));\n}",
- "project": "mariadb-connector-c",
- "hash": 198193360316179830187275108416911562349,
- "size": 4,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429718
- },
- {
- "func": "void my_set_error(MYSQL *mysql,\n unsigned int error_nr,\n const char *sqlstate,\n const char *format,\n ...)\n{\n va_list ap;\n\n const char *errmsg;\n\n if (!format)\n {\n if (error_nr >= CR_MIN_ERROR && error_nr <= CR_MYSQL_LAST_ERROR)\n errmsg= ER(error_nr);\n else if (error_nr >= CER_MIN_ERROR && error_nr <= CR_MARIADB_LAST_ERROR)\n errmsg= CER(error_nr);\n else\n errmsg= ER(CR_UNKNOWN_ERROR);\n }\n\n mysql->net.last_errno= error_nr;\n ma_strmake(mysql->net.sqlstate, sqlstate, SQLSTATE_LENGTH);\n va_start(ap, format);\n vsnprintf(mysql->net.last_error, MYSQL_ERRMSG_SIZE - 1,\n format ? format : errmsg, ap);\n va_end(ap);\n return;\n}",
- "project": "mariadb-connector-c",
- "hash": 255550454870437716355738647373684959112,
- "size": 28,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429625
- },
- {
- "func": "my_bool STDCALL mariadb_reconnect(MYSQL *mysql)\n{\n MYSQL tmp_mysql;\n struct my_hook_data hook_data;\n struct mysql_async_context *ctxt= NULL;\n LIST *li_stmt= mysql->stmts;\n\n /* check if connection handler is active */\n if (IS_CONNHDLR_ACTIVE(mysql))\n {\n if (mysql->extension->conn_hdlr->plugin && mysql->extension->conn_hdlr->plugin->reconnect)\n return(mysql->extension->conn_hdlr->plugin->reconnect(mysql));\n }\n\n if (!mysql->options.reconnect ||\n (mysql->server_status & SERVER_STATUS_IN_TRANS) || !mysql->host_info)\n {\n /* Allow reconnect next time */\n mysql->server_status&= ~SERVER_STATUS_IN_TRANS;\n my_set_error(mysql, CR_SERVER_GONE_ERROR, SQLSTATE_UNKNOWN, 0);\n return(1);\n }\n\n mysql_init(&tmp_mysql);\n tmp_mysql.free_me= 0;\n tmp_mysql.options=mysql->options;\n if (mysql->extension->conn_hdlr)\n {\n tmp_mysql.extension->conn_hdlr= mysql->extension->conn_hdlr;\n mysql->extension->conn_hdlr= 0;\n }\n\n /* don't reread options from configuration files */\n tmp_mysql.options.my_cnf_group= tmp_mysql.options.my_cnf_file= NULL;\n if (IS_MYSQL_ASYNC_ACTIVE(mysql))\n {\n ctxt= mysql->options.extension->async_context;\n hook_data.orig_mysql= mysql;\n hook_data.new_mysql= &tmp_mysql;\n hook_data.orig_pvio= mysql->net.pvio;\n my_context_install_suspend_resume_hook(ctxt, my_suspend_hook, &hook_data);\n }\n\n if (!mysql_real_connect(&tmp_mysql,mysql->host,mysql->user,mysql->passwd,\n\t\t\t mysql->db, mysql->port, mysql->unix_socket,\n\t\t\t mysql->client_flag | CLIENT_REMEMBER_OPTIONS) ||\n mysql_set_character_set(&tmp_mysql, mysql->charset->csname))\n {\n if (ctxt)\n my_context_install_suspend_resume_hook(ctxt, NULL, NULL);\n /* don't free options (CONC-118) */\n memset(&tmp_mysql.options, 0, sizeof(struct st_mysql_options));\n my_set_error(mysql, tmp_mysql.net.last_errno,\n tmp_mysql.net.sqlstate,\n tmp_mysql.net.last_error);\n mysql_close(&tmp_mysql);\n return(1);\n }\n\n for (;li_stmt;li_stmt= li_stmt->next)\n {\n MYSQL_STMT *stmt= (MYSQL_STMT 
*)li_stmt->data;\n\n if (stmt->state != MYSQL_STMT_INITTED)\n {\n stmt->state= MYSQL_STMT_INITTED;\n SET_CLIENT_STMT_ERROR(stmt, CR_SERVER_LOST, SQLSTATE_UNKNOWN, 0);\n }\n }\n\n tmp_mysql.free_me= mysql->free_me;\n tmp_mysql.stmts= mysql->stmts;\n mysql->stmts= NULL;\n\n if (ctxt)\n my_context_install_suspend_resume_hook(ctxt, NULL, NULL);\n /* Don't free options, we moved them to tmp_mysql */\n memset(&mysql->options, 0, sizeof(mysql->options));\n mysql->free_me=0;\n mysql_close(mysql);\n *mysql=tmp_mysql;\n mysql->net.pvio->mysql= mysql;\n ma_net_clear(&mysql->net);\n mysql->affected_rows= ~(unsigned long long) 0;\n mysql->info= 0;\n return(0);\n}",
- "project": "mariadb-connector-c",
- "hash": 43534428296790047385030562430603162760,
- "size": 87,
- "commit_id": "2759b87d72926b7c9b5426437a7c8dd15ff57945",
- "message": "sanity checks for client-supplied OK packet content\n\nreported by Matthias Kaiser, Apple Information Security",
- "target": 0,
- "dataset": "other",
- "idx": 429675
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "kvm_resume",
- "hardware_enable_nolock",
- "kvm_arch_hardware_enable"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void hardware_enable_nolock(void *junk)\n{\n\tint cpu = raw_smp_processor_id();\n\tint r;\n\n\tif (cpumask_test_cpu(cpu, cpus_hardware_enabled))\n\t\treturn;\n\n\tcpumask_set_cpu(cpu, cpus_hardware_enabled);\n\n\tr = kvm_arch_hardware_enable();\n\n\tif (r) {\n\t\tcpumask_clear_cpu(cpu, cpus_hardware_enabled);\n\t\tatomic_inc(&hardware_enable_failed);\n\t\tpr_info(\"kvm: enabling virtualization on CPU%d failed\\n\", cpu);\n\t}\n}",
- "project": "linux",
- "hash": 263560706724937534113049149347748343735,
- "size": 18,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354793
- },
- {
- "func": "int kvm_arch_hardware_enable(void)\n{\n\t/* every s390 is virtualization enabled ;-) */\n\treturn 0;\n}",
- "project": "linux",
- "hash": 143943492953819740075059104517356620906,
- "size": 5,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354514
- },
- {
- "func": "static void kvm_resume(void)\n{\n\tif (kvm_usage_count) {\n#ifdef CONFIG_LOCKDEP\n\t\tWARN_ON(lockdep_is_held(&kvm_count_lock));\n#endif\n\t\thardware_enable_nolock(NULL);\n\t}\n}",
- "project": "linux",
- "hash": 90841378524437743140245635783206034476,
- "size": 9,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354698
- },
- {
- "func": "static int kvm_starting_cpu(unsigned int cpu)\n{\n\traw_spin_lock(&kvm_count_lock);\n\tif (kvm_usage_count)\n\t\thardware_enable_nolock(NULL);\n\traw_spin_unlock(&kvm_count_lock);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 159417518360892180577795405365108644057,
- "size": 8,
- "commit_id": "0774a964ef561b7170d8d1b1bfe6f88002b6d219",
- "message": "KVM: Fix out of range accesses to memslots\n\nReset the LRU slot if it becomes invalid when deleting a memslot to fix\nan out-of-bounds/use-after-free access when searching through memslots.\n\nExplicitly check for there being no used slots in search_memslots(), and\nin the caller of s390's approximation variant.\n\nFixes: 36947254e5f9 (\"KVM: Dynamically size memslot array based on number of used slots\")\nReported-by: Qian Cai <cai@lca.pw>\nCc: Peter Xu <peterx@redhat.com>\nSigned-off-by: Sean Christopherson <sean.j.christopherson@intel.com>\nMessage-Id: <20200320205546.2396-2-sean.j.christopherson@intel.com>\nAcked-by: Christian Borntraeger <borntraeger@de.ibm.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 354730
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "test_r_str_bits64",
- "r_str_bits64",
- "trimbits"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static void trimbits(char *b) {\n\tconst int len = strlen (b);\n\tchar *one = strchr (b, '1');\n\tint pos = one ? (int)(size_t)(one - b) : len - 1;\n\tpos = (pos / 8) * 8;\n\tmemmove (b, b + pos, len - pos + 1);\n}",
- "project": "radare2",
- "hash": 250137149611511151531453188080985035917,
- "size": 7,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268960
- },
- {
- "func": "R_API int r_str_bits64(char* strout, ut64 in) {\n\tint i, bit, count = 0;\n\tcount = 0;\n\tfor (i = (sizeof (in) * 8) - 1; i >= 0; i--) {\n\t\tbit = in >> i;\n\t\tif (bit & 1) {\n\t\t\tstrout[count] = '1';\n\t\t} else {\n\t\t\tstrout[count] = '0';\n\t\t}\n\t\tcount++;\n\t}\n\tstrout[count] = '\\0';\n\t/* trim by 8 bits */\n\ttrimbits (strout);\n\treturn count;\n}",
- "project": "radare2",
- "hash": 169601071216008749437034713873681196176,
- "size": 17,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268873
- },
- {
- "func": "bool test_r_str_bits64(void) {\n\tchar buf[65];\n\t(void)r_str_bits64 (buf, 0);\n\tmu_assert_streq (buf, \"00000000\", \"binary of 0\");\n\t(void)r_str_bits64 (buf, 1);\n\tmu_assert_streq (buf, \"00000001\", \"binary of 1\");\n\t(void)r_str_bits64 (buf, 2);\n\tmu_assert_streq (buf, \"00000010\", \"binary of 2\");\n\tmu_end;\n}",
- "project": "radare2",
- "hash": 173974212266307538713308629725546730614,
- "size": 10,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269076
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "svm_mem_enc_op",
- "sev_guest_init",
- "sev_asid_new",
- "__sev_recycle_asids",
- "sev_flush_asids"
- ],
- "group_size": 42,
- "functions": [
- {
- "func": "static void sev_asid_free(int asid)\n{\n\tstruct svm_cpu_data *sd;\n\tint cpu, pos;\n\n\tmutex_lock(&sev_bitmap_lock);\n\n\tpos = asid - 1;\n\t__set_bit(pos, sev_reclaim_asid_bitmap);\n\n\tfor_each_possible_cpu(cpu) {\n\t\tsd = per_cpu(svm_data, cpu);\n\t\tsd->sev_vmcbs[pos] = NULL;\n\t}\n\n\tmutex_unlock(&sev_bitmap_lock);\n}",
- "project": "linux",
- "hash": 110051649451753639156279861145214543458,
- "size": 17,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432559
- },
- {
- "func": "static int sev_bind_asid(struct kvm *kvm, unsigned int handle, int *error)\n{\n\tstruct sev_data_activate *data;\n\tint asid = sev_get_asid(kvm);\n\tint ret;\n\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\treturn -ENOMEM;\n\n\t/* activate ASID on the given handle */\n\tdata->handle = handle;\n\tdata->asid = asid;\n\tret = sev_guest_activate(data, error);\n\tkfree(data);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 11078279248666113617818639032846245096,
- "size": 18,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432393
- },
- {
- "func": "static void __unregister_enc_region_locked(struct kvm *kvm,\n\t\t\t\t\t struct enc_region *region)\n{\n\t/*\n\t * The guest may change the memory encryption attribute from C=0 -> C=1\n\t * or vice versa for this memory range. Lets make sure caches are\n\t * flushed to ensure that guest data gets written into memory with\n\t * correct C-bit.\n\t */\n\tsev_clflush_pages(region->pages, region->npages);\n\n\tsev_unpin_memory(kvm, region->pages, region->npages);\n\tlist_del(®ion->list);\n\tkfree(region);\n}",
- "project": "linux",
- "hash": 332068645346374939608708697430025474041,
- "size": 15,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432439
- },
- {
- "func": "static void sev_unbind_asid(struct kvm *kvm, unsigned int handle)\n{\n\tstruct sev_data_decommission *decommission;\n\tstruct sev_data_deactivate *data;\n\n\tif (!handle)\n\t\treturn;\n\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL);\n\tif (!data)\n\t\treturn;\n\n\t/* deactivate handle */\n\tdata->handle = handle;\n\n\t/* Guard DEACTIVATE against WBINVD/DF_FLUSH used in ASID recycling */\n\tdown_read(&sev_deactivate_lock);\n\tsev_guest_deactivate(data, NULL);\n\tup_read(&sev_deactivate_lock);\n\n\tkfree(data);\n\n\tdecommission = kzalloc(sizeof(*decommission), GFP_KERNEL);\n\tif (!decommission)\n\t\treturn;\n\n\t/* decommission handle */\n\tdecommission->handle = handle;\n\tsev_guest_decommission(decommission, NULL);\n\n\tkfree(decommission);\n}",
- "project": "linux",
- "hash": 124230634520433907125113308845834191374,
- "size": 32,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432576
- },
- {
- "func": "static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tvoid __user *measure = (void __user *)(uintptr_t)argp->data;\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct sev_data_launch_measure *data;\n\tstruct kvm_sev_launch_measure params;\n\tvoid __user *p = NULL;\n\tvoid *blob = NULL;\n\tint ret;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(¶ms, measure, sizeof(params)))\n\t\treturn -EFAULT;\n\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\treturn -ENOMEM;\n\n\t/* User wants to query the blob length */\n\tif (!params.len)\n\t\tgoto cmd;\n\n\tp = (void __user *)(uintptr_t)params.uaddr;\n\tif (p) {\n\t\tif (params.len > SEV_FW_BLOB_MAX_SIZE) {\n\t\t\tret = -EINVAL;\n\t\t\tgoto e_free;\n\t\t}\n\n\t\tret = -ENOMEM;\n\t\tblob = kmalloc(params.len, GFP_KERNEL);\n\t\tif (!blob)\n\t\t\tgoto e_free;\n\n\t\tdata->address = __psp_pa(blob);\n\t\tdata->len = params.len;\n\t}\n\ncmd:\n\tdata->handle = sev->handle;\n\tret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_MEASURE, data, &argp->error);\n\n\t/*\n\t * If we query the session length, FW responded with expected data.\n\t */\n\tif (!params.len)\n\t\tgoto done;\n\n\tif (ret)\n\t\tgoto e_free_blob;\n\n\tif (blob) {\n\t\tif (copy_to_user(p, blob, params.len))\n\t\t\tret = -EFAULT;\n\t}\n\ndone:\n\tparams.len = data->len;\n\tif (copy_to_user(measure, ¶ms, sizeof(params)))\n\t\tret = -EFAULT;\ne_free_blob:\n\tkfree(blob);\ne_free:\n\tkfree(data);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 79508873500671794631728108819545045296,
- "size": 68,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432541
- },
- {
- "func": "static int svm_register_enc_region(struct kvm *kvm,\n\t\t\t\t struct kvm_enc_region *range)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct enc_region *region;\n\tint ret = 0;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (range->addr > ULONG_MAX || range->size > ULONG_MAX)\n\t\treturn -EINVAL;\n\n\tregion = kzalloc(sizeof(*region), GFP_KERNEL_ACCOUNT);\n\tif (!region)\n\t\treturn -ENOMEM;\n\n\tregion->pages = sev_pin_memory(kvm, range->addr, range->size, ®ion->npages, 1);\n\tif (!region->pages) {\n\t\tret = -ENOMEM;\n\t\tgoto e_free;\n\t}\n\n\t/*\n\t * The guest may change the memory encryption attribute from C=0 -> C=1\n\t * or vice versa for this memory range. Lets make sure caches are\n\t * flushed to ensure that guest data gets written into memory with\n\t * correct C-bit.\n\t */\n\tsev_clflush_pages(region->pages, region->npages);\n\n\tregion->uaddr = range->addr;\n\tregion->size = range->size;\n\n\tmutex_lock(&kvm->lock);\n\tlist_add_tail(®ion->list, &sev->regions_list);\n\tmutex_unlock(&kvm->lock);\n\n\treturn ret;\n\ne_free:\n\tkfree(region);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 340188249972174187229020738901262857840,
- "size": 44,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432396
- },
- {
- "func": "int svm_register_enc_region(struct kvm *kvm,\n\t\t\t struct kvm_enc_region *range)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct enc_region *region;\n\tint ret = 0;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (range->addr > ULONG_MAX || range->size > ULONG_MAX)\n\t\treturn -EINVAL;\n\n\tregion = kzalloc(sizeof(*region), GFP_KERNEL_ACCOUNT);\n\tif (!region)\n\t\treturn -ENOMEM;\n\n\tregion->pages = sev_pin_memory(kvm, range->addr, range->size, ®ion->npages, 1);\n\tif (IS_ERR(region->pages)) {\n\t\tret = PTR_ERR(region->pages);\n\t\tgoto e_free;\n\t}\n\n\t/*\n\t * The guest may change the memory encryption attribute from C=0 -> C=1\n\t * or vice versa for this memory range. Lets make sure caches are\n\t * flushed to ensure that guest data gets written into memory with\n\t * correct C-bit.\n\t */\n\tsev_clflush_pages(region->pages, region->npages);\n\n\tregion->uaddr = range->addr;\n\tregion->size = range->size;\n\n\tmutex_lock(&kvm->lock);\n\tlist_add_tail(®ion->list, &sev->regions_list);\n\tmutex_unlock(&kvm->lock);\n\n\treturn ret;\n\ne_free:\n\tkfree(region);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 261026284960045719300334748438486467719,
- "size": 44,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463018
- },
- {
- "func": "static int svm_mem_enc_op(struct kvm *kvm, void __user *argp)\n{\n\tstruct kvm_sev_cmd sev_cmd;\n\tint r;\n\n\tif (!svm_sev_enabled())\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(&sev_cmd, argp, sizeof(struct kvm_sev_cmd)))\n\t\treturn -EFAULT;\n\n\tmutex_lock(&kvm->lock);\n\n\tswitch (sev_cmd.id) {\n\tcase KVM_SEV_INIT:\n\t\tr = sev_guest_init(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_START:\n\t\tr = sev_launch_start(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_UPDATE_DATA:\n\t\tr = sev_launch_update_data(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_MEASURE:\n\t\tr = sev_launch_measure(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_FINISH:\n\t\tr = sev_launch_finish(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_GUEST_STATUS:\n\t\tr = sev_guest_status(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_DBG_DECRYPT:\n\t\tr = sev_dbg_crypt(kvm, &sev_cmd, true);\n\t\tbreak;\n\tcase KVM_SEV_DBG_ENCRYPT:\n\t\tr = sev_dbg_crypt(kvm, &sev_cmd, false);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_SECRET:\n\t\tr = sev_launch_secret(kvm, &sev_cmd);\n\t\tbreak;\n\tdefault:\n\t\tr = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tif (copy_to_user(argp, &sev_cmd, sizeof(struct kvm_sev_cmd)))\n\t\tr = -EFAULT;\n\nout:\n\tmutex_unlock(&kvm->lock);\n\treturn r;\n}",
- "project": "linux",
- "hash": 40960850045783148870263081172067868276,
- "size": 53,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432521
- },
- {
- "func": "int svm_mem_enc_op(struct kvm *kvm, void __user *argp)\n{\n\tstruct kvm_sev_cmd sev_cmd;\n\tint r;\n\n\tif (!svm_sev_enabled())\n\t\treturn -ENOTTY;\n\n\tif (!argp)\n\t\treturn 0;\n\n\tif (copy_from_user(&sev_cmd, argp, sizeof(struct kvm_sev_cmd)))\n\t\treturn -EFAULT;\n\n\tmutex_lock(&kvm->lock);\n\n\tswitch (sev_cmd.id) {\n\tcase KVM_SEV_INIT:\n\t\tr = sev_guest_init(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_START:\n\t\tr = sev_launch_start(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_UPDATE_DATA:\n\t\tr = sev_launch_update_data(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_MEASURE:\n\t\tr = sev_launch_measure(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_FINISH:\n\t\tr = sev_launch_finish(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_GUEST_STATUS:\n\t\tr = sev_guest_status(kvm, &sev_cmd);\n\t\tbreak;\n\tcase KVM_SEV_DBG_DECRYPT:\n\t\tr = sev_dbg_crypt(kvm, &sev_cmd, true);\n\t\tbreak;\n\tcase KVM_SEV_DBG_ENCRYPT:\n\t\tr = sev_dbg_crypt(kvm, &sev_cmd, false);\n\t\tbreak;\n\tcase KVM_SEV_LAUNCH_SECRET:\n\t\tr = sev_launch_secret(kvm, &sev_cmd);\n\t\tbreak;\n\tdefault:\n\t\tr = -EINVAL;\n\t\tgoto out;\n\t}\n\n\tif (copy_to_user(argp, &sev_cmd, sizeof(struct kvm_sev_cmd)))\n\t\tr = -EFAULT;\n\nout:\n\tmutex_unlock(&kvm->lock);\n\treturn r;\n}",
- "project": "linux",
- "hash": 252759964062877013724591152636074133940,
- "size": 56,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463014
- },
- {
- "func": "void sev_hardware_teardown(void)\n{\n\tif (!svm_sev_enabled())\n\t\treturn;\n\n\tbitmap_free(sev_asid_bitmap);\n\tbitmap_free(sev_reclaim_asid_bitmap);\n\n\tsev_flush_asids();\n}",
- "project": "linux",
- "hash": 3595474365089806791872833678690839230,
- "size": 10,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463024
- },
- {
- "func": "static int __sev_dbg_decrypt(struct kvm *kvm, unsigned long src_paddr,\n\t\t\t unsigned long dst_paddr, int sz, int *err)\n{\n\tint offset;\n\n\t/*\n\t * Its safe to read more than we are asked, caller should ensure that\n\t * destination has enough space.\n\t */\n\tsrc_paddr = round_down(src_paddr, 16);\n\toffset = src_paddr & 15;\n\tsz = round_up(sz + offset, 16);\n\n\treturn __sev_issue_dbg_cmd(kvm, src_paddr, dst_paddr, sz, err, false);\n}",
- "project": "linux",
- "hash": 42537997646210310897681143075413218426,
- "size": 15,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432503
- },
- {
- "func": "void sev_vm_destroy(struct kvm *kvm)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct list_head *head = &sev->regions_list;\n\tstruct list_head *pos, *q;\n\n\tif (!sev_guest(kvm))\n\t\treturn;\n\n\tmutex_lock(&kvm->lock);\n\n\t/*\n\t * Ensure that all guest tagged cache entries are flushed before\n\t * releasing the pages back to the system for use. CLFLUSH will\n\t * not do this, so issue a WBINVD.\n\t */\n\twbinvd_on_all_cpus();\n\n\t/*\n\t * if userspace was terminated before unregistering the memory regions\n\t * then lets unpin all the registered memory.\n\t */\n\tif (!list_empty(head)) {\n\t\tlist_for_each_safe(pos, q, head) {\n\t\t\t__unregister_enc_region_locked(kvm,\n\t\t\t\tlist_entry(pos, struct enc_region, list));\n\t\t}\n\t}\n\n\tmutex_unlock(&kvm->lock);\n\n\tsev_unbind_asid(kvm, sev->handle);\n\tsev_asid_free(sev->asid);\n}",
- "project": "linux",
- "hash": 59854663405289045336965850461540245489,
- "size": 34,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 1,
- "dataset": "other",
- "idx": 212916
- },
- {
- "func": "static void sev_vm_destroy(struct kvm *kvm)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct list_head *head = &sev->regions_list;\n\tstruct list_head *pos, *q;\n\n\tif (!sev_guest(kvm))\n\t\treturn;\n\n\tmutex_lock(&kvm->lock);\n\n\t/*\n\t * if userspace was terminated before unregistering the memory regions\n\t * then lets unpin all the registered memory.\n\t */\n\tif (!list_empty(head)) {\n\t\tlist_for_each_safe(pos, q, head) {\n\t\t\t__unregister_enc_region_locked(kvm,\n\t\t\t\tlist_entry(pos, struct enc_region, list));\n\t\t}\n\t}\n\n\tmutex_unlock(&kvm->lock);\n\n\tsev_unbind_asid(kvm, sev->handle);\n\tsev_asid_free(sev->asid);\n}",
- "project": "linux",
- "hash": 148708266910677575433322269002046744158,
- "size": 27,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432605
- },
- {
- "func": "void sev_vm_destroy(struct kvm *kvm)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct list_head *head = &sev->regions_list;\n\tstruct list_head *pos, *q;\n\n\tif (!sev_guest(kvm))\n\t\treturn;\n\n\tmutex_lock(&kvm->lock);\n\n\t/*\n\t * Ensure that all guest tagged cache entries are flushed before\n\t * releasing the pages back to the system for use. CLFLUSH will\n\t * not do this, so issue a WBINVD.\n\t */\n\twbinvd_on_all_cpus();\n\n\t/*\n\t * if userspace was terminated before unregistering the memory regions\n\t * then lets unpin all the registered memory.\n\t */\n\tif (!list_empty(head)) {\n\t\tlist_for_each_safe(pos, q, head) {\n\t\t\t__unregister_enc_region_locked(kvm,\n\t\t\t\tlist_entry(pos, struct enc_region, list));\n\t\t\tcond_resched();\n\t\t}\n\t}\n\n\tmutex_unlock(&kvm->lock);\n\n\tsev_unbind_asid(kvm, sev->handle);\n\tsev_asid_free(sev->asid);\n}",
- "project": "linux",
- "hash": 32944969904859958026118495600871042845,
- "size": 35,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463016
- },
- {
- "func": "static int sev_launch_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tunsigned long vaddr, vaddr_end, next_vaddr, npages, pages, size, i;\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct kvm_sev_launch_update_data params;\n\tstruct sev_data_launch_update_data *data;\n\tstruct page **inpages;\n\tint ret;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, sizeof(params)))\n\t\treturn -EFAULT;\n\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\treturn -ENOMEM;\n\n\tvaddr = params.uaddr;\n\tsize = params.len;\n\tvaddr_end = vaddr + size;\n\n\t/* Lock the user memory. */\n\tinpages = sev_pin_memory(kvm, vaddr, size, &npages, 1);\n\tif (!inpages) {\n\t\tret = -ENOMEM;\n\t\tgoto e_free;\n\t}\n\n\t/*\n\t * The LAUNCH_UPDATE command will perform in-place encryption of the\n\t * memory content (i.e it will write the same memory region with C=1).\n\t * It's possible that the cache may contain the data with C=0, i.e.,\n\t * unencrypted so invalidate it first.\n\t */\n\tsev_clflush_pages(inpages, npages);\n\n\tfor (i = 0; vaddr < vaddr_end; vaddr = next_vaddr, i += pages) {\n\t\tint offset, len;\n\n\t\t/*\n\t\t * If the user buffer is not page-aligned, calculate the offset\n\t\t * within the page.\n\t\t */\n\t\toffset = vaddr & (PAGE_SIZE - 1);\n\n\t\t/* Calculate the number of pages that can be encrypted in one go. 
*/\n\t\tpages = get_num_contig_pages(i, inpages, npages);\n\n\t\tlen = min_t(size_t, ((pages * PAGE_SIZE) - offset), size);\n\n\t\tdata->handle = sev->handle;\n\t\tdata->len = len;\n\t\tdata->address = __sme_page_pa(inpages[i]) + offset;\n\t\tret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_DATA, data, &argp->error);\n\t\tif (ret)\n\t\t\tgoto e_unpin;\n\n\t\tsize -= len;\n\t\tnext_vaddr = vaddr + len;\n\t}\n\ne_unpin:\n\t/* content of memory is updated, mark pages dirty */\n\tfor (i = 0; i < npages; i++) {\n\t\tset_page_dirty_lock(inpages[i]);\n\t\tmark_page_accessed(inpages[i]);\n\t}\n\t/* unlock the user pages */\n\tsev_unpin_memory(kvm, inpages, npages);\ne_free:\n\tkfree(data);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 259237632331430277631833096548130017898,
- "size": 75,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432467
- },
- {
- "func": "static int sev_launch_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tunsigned long vaddr, vaddr_end, next_vaddr, npages, pages, size, i;\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct kvm_sev_launch_update_data params;\n\tstruct sev_data_launch_update_data *data;\n\tstruct page **inpages;\n\tint ret;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, sizeof(params)))\n\t\treturn -EFAULT;\n\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\treturn -ENOMEM;\n\n\tvaddr = params.uaddr;\n\tsize = params.len;\n\tvaddr_end = vaddr + size;\n\n\t/* Lock the user memory. */\n\tinpages = sev_pin_memory(kvm, vaddr, size, &npages, 1);\n\tif (IS_ERR(inpages)) {\n\t\tret = PTR_ERR(inpages);\n\t\tgoto e_free;\n\t}\n\n\t/*\n\t * The LAUNCH_UPDATE command will perform in-place encryption of the\n\t * memory content (i.e it will write the same memory region with C=1).\n\t * It's possible that the cache may contain the data with C=0, i.e.,\n\t * unencrypted so invalidate it first.\n\t */\n\tsev_clflush_pages(inpages, npages);\n\n\tfor (i = 0; vaddr < vaddr_end; vaddr = next_vaddr, i += pages) {\n\t\tint offset, len;\n\n\t\t/*\n\t\t * If the user buffer is not page-aligned, calculate the offset\n\t\t * within the page.\n\t\t */\n\t\toffset = vaddr & (PAGE_SIZE - 1);\n\n\t\t/* Calculate the number of pages that can be encrypted in one go. 
*/\n\t\tpages = get_num_contig_pages(i, inpages, npages);\n\n\t\tlen = min_t(size_t, ((pages * PAGE_SIZE) - offset), size);\n\n\t\tdata->handle = sev->handle;\n\t\tdata->len = len;\n\t\tdata->address = __sme_page_pa(inpages[i]) + offset;\n\t\tret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_DATA, data, &argp->error);\n\t\tif (ret)\n\t\t\tgoto e_unpin;\n\n\t\tsize -= len;\n\t\tnext_vaddr = vaddr + len;\n\t}\n\ne_unpin:\n\t/* content of memory is updated, mark pages dirty */\n\tfor (i = 0; i < npages; i++) {\n\t\tset_page_dirty_lock(inpages[i]);\n\t\tmark_page_accessed(inpages[i]);\n\t}\n\t/* unlock the user pages */\n\tsev_unpin_memory(kvm, inpages, npages);\ne_free:\n\tkfree(data);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 169613976698129785300011515650129741913,
- "size": 75,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463021
- },
- {
- "func": "static bool __sev_recycle_asids(void)\n{\n\tint pos;\n\n\t/* Check if there are any ASIDs to reclaim before performing a flush */\n\tpos = find_next_bit(sev_reclaim_asid_bitmap,\n\t\t\t max_sev_asid, min_sev_asid - 1);\n\tif (pos >= max_sev_asid)\n\t\treturn false;\n\n\tif (sev_flush_asids())\n\t\treturn false;\n\n\tbitmap_xor(sev_asid_bitmap, sev_asid_bitmap, sev_reclaim_asid_bitmap,\n\t\t max_sev_asid);\n\tbitmap_zero(sev_reclaim_asid_bitmap, max_sev_asid);\n\n\treturn true;\n}",
- "project": "linux",
- "hash": 54780876933145881155257222834486811611,
- "size": 19,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432446
- },
- {
- "func": "static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)\n{\n\tunsigned long vaddr, vaddr_end, next_vaddr;\n\tunsigned long dst_vaddr;\n\tstruct page **src_p, **dst_p;\n\tstruct kvm_sev_dbg debug;\n\tunsigned long n;\n\tunsigned int size;\n\tint ret;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(&debug, (void __user *)(uintptr_t)argp->data, sizeof(debug)))\n\t\treturn -EFAULT;\n\n\tif (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr)\n\t\treturn -EINVAL;\n\tif (!debug.dst_uaddr)\n\t\treturn -EINVAL;\n\n\tvaddr = debug.src_uaddr;\n\tsize = debug.len;\n\tvaddr_end = vaddr + size;\n\tdst_vaddr = debug.dst_uaddr;\n\n\tfor (; vaddr < vaddr_end; vaddr = next_vaddr) {\n\t\tint len, s_off, d_off;\n\n\t\t/* lock userspace source and destination page */\n\t\tsrc_p = sev_pin_memory(kvm, vaddr & PAGE_MASK, PAGE_SIZE, &n, 0);\n\t\tif (!src_p)\n\t\t\treturn -EFAULT;\n\n\t\tdst_p = sev_pin_memory(kvm, dst_vaddr & PAGE_MASK, PAGE_SIZE, &n, 1);\n\t\tif (!dst_p) {\n\t\t\tsev_unpin_memory(kvm, src_p, n);\n\t\t\treturn -EFAULT;\n\t\t}\n\n\t\t/*\n\t\t * The DBG_{DE,EN}CRYPT commands will perform {dec,en}cryption of the\n\t\t * memory content (i.e it will write the same memory region with C=1).\n\t\t * It's possible that the cache may contain the data with C=0, i.e.,\n\t\t * unencrypted so invalidate it first.\n\t\t */\n\t\tsev_clflush_pages(src_p, 1);\n\t\tsev_clflush_pages(dst_p, 1);\n\n\t\t/*\n\t\t * Since user buffer may not be page aligned, calculate the\n\t\t * offset within the page.\n\t\t */\n\t\ts_off = vaddr & ~PAGE_MASK;\n\t\td_off = dst_vaddr & ~PAGE_MASK;\n\t\tlen = min_t(size_t, (PAGE_SIZE - s_off), size);\n\n\t\tif (dec)\n\t\t\tret = __sev_dbg_decrypt_user(kvm,\n\t\t\t\t\t\t __sme_page_pa(src_p[0]) + s_off,\n\t\t\t\t\t\t dst_vaddr,\n\t\t\t\t\t\t __sme_page_pa(dst_p[0]) + d_off,\n\t\t\t\t\t\t len, &argp->error);\n\t\telse\n\t\t\tret = __sev_dbg_encrypt_user(kvm,\n\t\t\t\t\t\t __sme_page_pa(src_p[0]) + 
s_off,\n\t\t\t\t\t\t vaddr,\n\t\t\t\t\t\t __sme_page_pa(dst_p[0]) + d_off,\n\t\t\t\t\t\t dst_vaddr,\n\t\t\t\t\t\t len, &argp->error);\n\n\t\tsev_unpin_memory(kvm, src_p, n);\n\t\tsev_unpin_memory(kvm, dst_p, n);\n\n\t\tif (ret)\n\t\t\tgoto err;\n\n\t\tnext_vaddr = vaddr + len;\n\t\tdst_vaddr = dst_vaddr + len;\n\t\tsize -= len;\n\t}\nerr:\n\treturn ret;\n}",
- "project": "linux",
- "hash": 265362558599156376011885157508787748900,
- "size": 84,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432427
- },
- {
- "func": "static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)\n{\n\tunsigned long vaddr, vaddr_end, next_vaddr;\n\tunsigned long dst_vaddr;\n\tstruct page **src_p, **dst_p;\n\tstruct kvm_sev_dbg debug;\n\tunsigned long n;\n\tunsigned int size;\n\tint ret;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(&debug, (void __user *)(uintptr_t)argp->data, sizeof(debug)))\n\t\treturn -EFAULT;\n\n\tif (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr)\n\t\treturn -EINVAL;\n\tif (!debug.dst_uaddr)\n\t\treturn -EINVAL;\n\n\tvaddr = debug.src_uaddr;\n\tsize = debug.len;\n\tvaddr_end = vaddr + size;\n\tdst_vaddr = debug.dst_uaddr;\n\n\tfor (; vaddr < vaddr_end; vaddr = next_vaddr) {\n\t\tint len, s_off, d_off;\n\n\t\t/* lock userspace source and destination page */\n\t\tsrc_p = sev_pin_memory(kvm, vaddr & PAGE_MASK, PAGE_SIZE, &n, 0);\n\t\tif (IS_ERR(src_p))\n\t\t\treturn PTR_ERR(src_p);\n\n\t\tdst_p = sev_pin_memory(kvm, dst_vaddr & PAGE_MASK, PAGE_SIZE, &n, 1);\n\t\tif (IS_ERR(dst_p)) {\n\t\t\tsev_unpin_memory(kvm, src_p, n);\n\t\t\treturn PTR_ERR(dst_p);\n\t\t}\n\n\t\t/*\n\t\t * The DBG_{DE,EN}CRYPT commands will perform {dec,en}cryption of the\n\t\t * memory content (i.e it will write the same memory region with C=1).\n\t\t * It's possible that the cache may contain the data with C=0, i.e.,\n\t\t * unencrypted so invalidate it first.\n\t\t */\n\t\tsev_clflush_pages(src_p, 1);\n\t\tsev_clflush_pages(dst_p, 1);\n\n\t\t/*\n\t\t * Since user buffer may not be page aligned, calculate the\n\t\t * offset within the page.\n\t\t */\n\t\ts_off = vaddr & ~PAGE_MASK;\n\t\td_off = dst_vaddr & ~PAGE_MASK;\n\t\tlen = min_t(size_t, (PAGE_SIZE - s_off), size);\n\n\t\tif (dec)\n\t\t\tret = __sev_dbg_decrypt_user(kvm,\n\t\t\t\t\t\t __sme_page_pa(src_p[0]) + s_off,\n\t\t\t\t\t\t dst_vaddr,\n\t\t\t\t\t\t __sme_page_pa(dst_p[0]) + d_off,\n\t\t\t\t\t\t len, &argp->error);\n\t\telse\n\t\t\tret = __sev_dbg_encrypt_user(kvm,\n\t\t\t\t\t\t 
__sme_page_pa(src_p[0]) + s_off,\n\t\t\t\t\t\t vaddr,\n\t\t\t\t\t\t __sme_page_pa(dst_p[0]) + d_off,\n\t\t\t\t\t\t dst_vaddr,\n\t\t\t\t\t\t len, &argp->error);\n\n\t\tsev_unpin_memory(kvm, src_p, n);\n\t\tsev_unpin_memory(kvm, dst_p, n);\n\n\t\tif (ret)\n\t\t\tgoto err;\n\n\t\tnext_vaddr = vaddr + len;\n\t\tdst_vaddr = dst_vaddr + len;\n\t\tsize -= len;\n\t}\nerr:\n\treturn ret;\n}",
- "project": "linux",
- "hash": 139266061284104979989439763930667103174,
- "size": 84,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463017
- },
- {
- "func": "static int sev_launch_secret(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct sev_data_launch_secret *data;\n\tstruct kvm_sev_launch_secret params;\n\tstruct page **pages;\n\tvoid *blob, *hdr;\n\tunsigned long n;\n\tint ret, offset;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, sizeof(params)))\n\t\treturn -EFAULT;\n\n\tpages = sev_pin_memory(kvm, params.guest_uaddr, params.guest_len, &n, 1);\n\tif (!pages)\n\t\treturn -ENOMEM;\n\n\t/*\n\t * The secret must be copied into contiguous memory region, lets verify\n\t * that userspace memory pages are contiguous before we issue command.\n\t */\n\tif (get_num_contig_pages(0, pages, n) != n) {\n\t\tret = -EINVAL;\n\t\tgoto e_unpin_memory;\n\t}\n\n\tret = -ENOMEM;\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\tgoto e_unpin_memory;\n\n\toffset = params.guest_uaddr & (PAGE_SIZE - 1);\n\tdata->guest_address = __sme_page_pa(pages[0]) + offset;\n\tdata->guest_len = params.guest_len;\n\n\tblob = psp_copy_user_blob(params.trans_uaddr, params.trans_len);\n\tif (IS_ERR(blob)) {\n\t\tret = PTR_ERR(blob);\n\t\tgoto e_free;\n\t}\n\n\tdata->trans_address = __psp_pa(blob);\n\tdata->trans_len = params.trans_len;\n\n\thdr = psp_copy_user_blob(params.hdr_uaddr, params.hdr_len);\n\tif (IS_ERR(hdr)) {\n\t\tret = PTR_ERR(hdr);\n\t\tgoto e_free_blob;\n\t}\n\tdata->hdr_address = __psp_pa(hdr);\n\tdata->hdr_len = params.hdr_len;\n\n\tdata->handle = sev->handle;\n\tret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_SECRET, data, &argp->error);\n\n\tkfree(hdr);\n\ne_free_blob:\n\tkfree(blob);\ne_free:\n\tkfree(data);\ne_unpin_memory:\n\tsev_unpin_memory(kvm, pages, n);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 90014859234449724402896520757334760640,
- "size": 68,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432582
- },
- {
- "func": "static int sev_launch_secret(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct sev_data_launch_secret *data;\n\tstruct kvm_sev_launch_secret params;\n\tstruct page **pages;\n\tvoid *blob, *hdr;\n\tunsigned long n;\n\tint ret, offset;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, sizeof(params)))\n\t\treturn -EFAULT;\n\n\tpages = sev_pin_memory(kvm, params.guest_uaddr, params.guest_len, &n, 1);\n\tif (IS_ERR(pages))\n\t\treturn PTR_ERR(pages);\n\n\t/*\n\t * The secret must be copied into contiguous memory region, lets verify\n\t * that userspace memory pages are contiguous before we issue command.\n\t */\n\tif (get_num_contig_pages(0, pages, n) != n) {\n\t\tret = -EINVAL;\n\t\tgoto e_unpin_memory;\n\t}\n\n\tret = -ENOMEM;\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\tgoto e_unpin_memory;\n\n\toffset = params.guest_uaddr & (PAGE_SIZE - 1);\n\tdata->guest_address = __sme_page_pa(pages[0]) + offset;\n\tdata->guest_len = params.guest_len;\n\n\tblob = psp_copy_user_blob(params.trans_uaddr, params.trans_len);\n\tif (IS_ERR(blob)) {\n\t\tret = PTR_ERR(blob);\n\t\tgoto e_free;\n\t}\n\n\tdata->trans_address = __psp_pa(blob);\n\tdata->trans_len = params.trans_len;\n\n\thdr = psp_copy_user_blob(params.hdr_uaddr, params.hdr_len);\n\tif (IS_ERR(hdr)) {\n\t\tret = PTR_ERR(hdr);\n\t\tgoto e_free_blob;\n\t}\n\tdata->hdr_address = __psp_pa(hdr);\n\tdata->hdr_len = params.hdr_len;\n\n\tdata->handle = sev->handle;\n\tret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_SECRET, data, &argp->error);\n\n\tkfree(hdr);\n\ne_free_blob:\n\tkfree(blob);\ne_free:\n\tkfree(data);\ne_unpin_memory:\n\tsev_unpin_memory(kvm, pages, n);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 53229546700636566703018700337684671345,
- "size": 68,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463023
- },
- {
- "func": "static int svm_unregister_enc_region(struct kvm *kvm,\n\t\t\t\t struct kvm_enc_region *range)\n{\n\tstruct enc_region *region;\n\tint ret;\n\n\tmutex_lock(&kvm->lock);\n\n\tif (!sev_guest(kvm)) {\n\t\tret = -ENOTTY;\n\t\tgoto failed;\n\t}\n\n\tregion = find_enc_region(kvm, range);\n\tif (!region) {\n\t\tret = -EINVAL;\n\t\tgoto failed;\n\t}\n\n\t__unregister_enc_region_locked(kvm, region);\n\n\tmutex_unlock(&kvm->lock);\n\treturn 0;\n\nfailed:\n\tmutex_unlock(&kvm->lock);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 52395066315231246157752429709320383363,
- "size": 28,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432404
- },
- {
- "func": "int svm_unregister_enc_region(struct kvm *kvm,\n\t\t\t struct kvm_enc_region *range)\n{\n\tstruct enc_region *region;\n\tint ret;\n\n\tmutex_lock(&kvm->lock);\n\n\tif (!sev_guest(kvm)) {\n\t\tret = -ENOTTY;\n\t\tgoto failed;\n\t}\n\n\tregion = find_enc_region(kvm, range);\n\tif (!region) {\n\t\tret = -EINVAL;\n\t\tgoto failed;\n\t}\n\n\t/*\n\t * Ensure that all guest tagged cache entries are flushed before\n\t * releasing the pages back to the system for use. CLFLUSH will\n\t * not do this, so issue a WBINVD.\n\t */\n\twbinvd_on_all_cpus();\n\n\t__unregister_enc_region_locked(kvm, region);\n\n\tmutex_unlock(&kvm->lock);\n\treturn 0;\n\nfailed:\n\tmutex_unlock(&kvm->lock);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 141055903523358356197112389313038723048,
- "size": 35,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463022
- },
- {
- "func": "static int __sev_issue_dbg_cmd(struct kvm *kvm, unsigned long src,\n\t\t\t unsigned long dst, int size,\n\t\t\t int *error, bool enc)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct sev_data_dbg *data;\n\tint ret;\n\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\treturn -ENOMEM;\n\n\tdata->handle = sev->handle;\n\tdata->dst_addr = dst;\n\tdata->src_addr = src;\n\tdata->len = size;\n\n\tret = sev_issue_cmd(kvm,\n\t\t\t enc ? SEV_CMD_DBG_ENCRYPT : SEV_CMD_DBG_DECRYPT,\n\t\t\t data, error);\n\tkfree(data);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 81323525278608007212218978031525821029,
- "size": 23,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432450
- },
- {
- "func": "static __init int sev_hardware_setup(void)\n{\n\tstruct sev_user_data_status *status;\n\tint rc;\n\n\t/* Maximum number of encrypted guests supported simultaneously */\n\tmax_sev_asid = cpuid_ecx(0x8000001F);\n\n\tif (!max_sev_asid)\n\t\treturn 1;\n\n\t/* Minimum ASID value that should be used for SEV guest */\n\tmin_sev_asid = cpuid_edx(0x8000001F);\n\n\t/* Initialize SEV ASID bitmaps */\n\tsev_asid_bitmap = bitmap_zalloc(max_sev_asid, GFP_KERNEL);\n\tif (!sev_asid_bitmap)\n\t\treturn 1;\n\n\tsev_reclaim_asid_bitmap = bitmap_zalloc(max_sev_asid, GFP_KERNEL);\n\tif (!sev_reclaim_asid_bitmap)\n\t\treturn 1;\n\n\tstatus = kmalloc(sizeof(*status), GFP_KERNEL);\n\tif (!status)\n\t\treturn 1;\n\n\t/*\n\t * Check SEV platform status.\n\t *\n\t * PLATFORM_STATUS can be called in any state, if we failed to query\n\t * the PLATFORM status then either PSP firmware does not support SEV\n\t * feature or SEV firmware is dead.\n\t */\n\trc = sev_platform_status(status, NULL);\n\tif (rc)\n\t\tgoto err;\n\n\tpr_info(\"SEV supported\\n\");\n\nerr:\n\tkfree(status);\n\treturn rc;\n}",
- "project": "linux",
- "hash": 40755539377558452587805772487792055067,
- "size": 44,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432414
- },
- {
- "func": "int __init sev_hardware_setup(void)\n{\n\tstruct sev_user_data_status *status;\n\tint rc;\n\n\t/* Maximum number of encrypted guests supported simultaneously */\n\tmax_sev_asid = cpuid_ecx(0x8000001F);\n\n\tif (!svm_sev_enabled())\n\t\treturn 1;\n\n\t/* Minimum ASID value that should be used for SEV guest */\n\tmin_sev_asid = cpuid_edx(0x8000001F);\n\n\t/* Initialize SEV ASID bitmaps */\n\tsev_asid_bitmap = bitmap_zalloc(max_sev_asid, GFP_KERNEL);\n\tif (!sev_asid_bitmap)\n\t\treturn 1;\n\n\tsev_reclaim_asid_bitmap = bitmap_zalloc(max_sev_asid, GFP_KERNEL);\n\tif (!sev_reclaim_asid_bitmap)\n\t\treturn 1;\n\n\tstatus = kmalloc(sizeof(*status), GFP_KERNEL);\n\tif (!status)\n\t\treturn 1;\n\n\t/*\n\t * Check SEV platform status.\n\t *\n\t * PLATFORM_STATUS can be called in any state, if we failed to query\n\t * the PLATFORM status then either PSP firmware does not support SEV\n\t * feature or SEV firmware is dead.\n\t */\n\trc = sev_platform_status(status, NULL);\n\tif (rc)\n\t\tgoto err;\n\n\tpr_info(\"SEV supported\\n\");\n\nerr:\n\tkfree(status);\n\treturn rc;\n}",
- "project": "linux",
- "hash": 337415527868549211510790630798520805883,
- "size": 44,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463019
- },
- {
- "func": "static int sev_launch_finish(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct sev_data_launch_finish *data;\n\tint ret;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\treturn -ENOMEM;\n\n\tdata->handle = sev->handle;\n\tret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_FINISH, data, &argp->error);\n\n\tkfree(data);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 230517921809587966444217040755934782011,
- "size": 19,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432447
- },
- {
- "func": "static int __sev_dbg_decrypt_user(struct kvm *kvm, unsigned long paddr,\n\t\t\t\t unsigned long __user dst_uaddr,\n\t\t\t\t unsigned long dst_paddr,\n\t\t\t\t int size, int *err)\n{\n\tstruct page *tpage = NULL;\n\tint ret, offset;\n\n\t/* if inputs are not 16-byte then use intermediate buffer */\n\tif (!IS_ALIGNED(dst_paddr, 16) ||\n\t !IS_ALIGNED(paddr, 16) ||\n\t !IS_ALIGNED(size, 16)) {\n\t\ttpage = (void *)alloc_page(GFP_KERNEL);\n\t\tif (!tpage)\n\t\t\treturn -ENOMEM;\n\n\t\tdst_paddr = __sme_page_pa(tpage);\n\t}\n\n\tret = __sev_dbg_decrypt(kvm, paddr, dst_paddr, size, err);\n\tif (ret)\n\t\tgoto e_free;\n\n\tif (tpage) {\n\t\toffset = paddr & 15;\n\t\tif (copy_to_user((void __user *)(uintptr_t)dst_uaddr,\n\t\t\t\t page_address(tpage) + offset, size))\n\t\t\tret = -EFAULT;\n\t}\n\ne_free:\n\tif (tpage)\n\t\t__free_page(tpage);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 198671757318387645801257997354094409129,
- "size": 36,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432408
- },
- {
- "func": "static inline bool sev_guest(struct kvm *kvm)\n{\n#ifdef CONFIG_KVM_AMD_SEV\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\n\treturn sev->active;\n#else\n\treturn false;\n#endif\n}",
- "project": "linux",
- "hash": 197480876992807830707128069285170218193,
- "size": 10,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432510
- },
- {
- "func": "static int sev_flush_asids(void)\n{\n\tint ret, error;\n\n\t/*\n\t * DEACTIVATE will clear the WBINVD indicator causing DF_FLUSH to fail,\n\t * so it must be guarded.\n\t */\n\tdown_write(&sev_deactivate_lock);\n\n\twbinvd_on_all_cpus();\n\tret = sev_guest_df_flush(&error);\n\n\tup_write(&sev_deactivate_lock);\n\n\tif (ret)\n\t\tpr_err(\"SEV: DF_FLUSH failed, ret=%d, error=%#x\\n\", ret, error);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 12128932245247985228935987453947279645,
- "size": 20,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432455
- },
- {
- "func": "static int sev_flush_asids(void)\n{\n\tint ret, error = 0;\n\n\t/*\n\t * DEACTIVATE will clear the WBINVD indicator causing DF_FLUSH to fail,\n\t * so it must be guarded.\n\t */\n\tdown_write(&sev_deactivate_lock);\n\n\twbinvd_on_all_cpus();\n\tret = sev_guest_df_flush(&error);\n\n\tup_write(&sev_deactivate_lock);\n\n\tif (ret)\n\t\tpr_err(\"SEV: DF_FLUSH failed, ret=%d, error=%#x\\n\", ret, error);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 276288275136177449722163869277031804522,
- "size": 20,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463025
- },
- {
- "func": "static void sev_clflush_pages(struct page *pages[], unsigned long npages)\n{\n\tuint8_t *page_virtual;\n\tunsigned long i;\n\n\tif (npages == 0 || pages == NULL)\n\t\treturn;\n\n\tfor (i = 0; i < npages; i++) {\n\t\tpage_virtual = kmap_atomic(pages[i]);\n\t\tclflush_cache_range(page_virtual, PAGE_SIZE);\n\t\tkunmap_atomic(page_virtual);\n\t}\n}",
- "project": "linux",
- "hash": 81580088784001093736702684537359694761,
- "size": 14,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432469
- },
- {
- "func": "static inline bool svm_sev_enabled(void)\n{\n\treturn IS_ENABLED(CONFIG_KVM_AMD_SEV) ? max_sev_asid : 0;\n}",
- "project": "linux",
- "hash": 272729550424054117932640225614431812172,
- "size": 4,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432478
- },
- {
- "func": "static inline int sev_get_asid(struct kvm *kvm)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\n\treturn sev->asid;\n}",
- "project": "linux",
- "hash": 66850244743292985282483600543464714294,
- "size": 6,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432499
- },
- {
- "func": "static void pre_sev_run(struct vcpu_svm *svm, int cpu)\n{\n\tstruct svm_cpu_data *sd = per_cpu(svm_data, cpu);\n\tint asid = sev_get_asid(svm->vcpu.kvm);\n\n\t/* Assign the asid allocated with this SEV guest */\n\tsvm->vmcb->control.asid = asid;\n\n\t/*\n\t * Flush guest TLB:\n\t *\n\t * 1) when different VMCB for the same ASID is to be run on the same host CPU.\n\t * 2) or this VMCB was executed on different host CPU in previous VMRUNs.\n\t */\n\tif (sd->sev_vmcbs[asid] == svm->vmcb &&\n\t svm->last_cpu == cpu)\n\t\treturn;\n\n\tsvm->last_cpu = cpu;\n\tsd->sev_vmcbs[asid] = svm->vmcb;\n\tsvm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ASID;\n\tmark_dirty(svm->vmcb, VMCB_ASID);\n}",
- "project": "linux",
- "hash": 243602562275000501286938621089103105835,
- "size": 23,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432495
- },
- {
- "func": "void pre_sev_run(struct vcpu_svm *svm, int cpu)\n{\n\tstruct svm_cpu_data *sd = per_cpu(svm_data, cpu);\n\tint asid = sev_get_asid(svm->vcpu.kvm);\n\n\t/* Assign the asid allocated with this SEV guest */\n\tsvm->vmcb->control.asid = asid;\n\n\t/*\n\t * Flush guest TLB:\n\t *\n\t * 1) when different VMCB for the same ASID is to be run on the same host CPU.\n\t * 2) or this VMCB was executed on different host CPU in previous VMRUNs.\n\t */\n\tif (sd->sev_vmcbs[asid] == svm->vmcb &&\n\t svm->vcpu.arch.last_vmentry_cpu == cpu)\n\t\treturn;\n\n\tsd->sev_vmcbs[asid] = svm->vmcb;\n\tsvm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ASID;\n\tvmcb_mark_dirty(svm->vmcb, VMCB_ASID);\n}",
- "project": "linux",
- "hash": 82306258198673685680273555741000766863,
- "size": 22,
- "commit_id": "7be74942f184fdfba34ddd19a0d995deb34d4a03",
- "message": "KVM: SVM: Periodically schedule when unregistering regions on destroy\n\nThere may be many encrypted regions that need to be unregistered when a\nSEV VM is destroyed. This can lead to soft lockups. For example, on a\nhost running 4.15:\n\nwatchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]\nCPU: 206 PID: 194348 Comm: t_virtual_machi\nRIP: 0010:free_unref_page_list+0x105/0x170\n...\nCall Trace:\n [<0>] release_pages+0x159/0x3d0\n [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]\n [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]\n [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]\n [<0>] kvm_arch_destroy_vm+0x47/0x200\n [<0>] kvm_put_kvm+0x1a8/0x2f0\n [<0>] kvm_vm_release+0x25/0x30\n [<0>] do_exit+0x335/0xc10\n [<0>] do_group_exit+0x3f/0xa0\n [<0>] get_signal+0x1bc/0x670\n [<0>] do_signal+0x31/0x130\n\nAlthough the CLFLUSH is no longer issued on every encrypted region to be\nunregistered, there are no other changes that can prevent soft lockups for\nvery large SEV VMs in the latest kernel.\n\nPeriodically schedule if necessary. This still holds kvm->lock across the\nresched, but since this only happens when the VM is destroyed this is\nassumed to be acceptable.\n\nSigned-off-by: David Rientjes <rientjes@google.com>\nMessage-Id: <alpine.DEB.2.23.453.2008251255240.2987727@chino.kir.corp.google.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 463015
- },
- {
- "func": "static int sev_guest_status(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct kvm_sev_guest_status params;\n\tstruct sev_data_guest_status *data;\n\tint ret;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tdata = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);\n\tif (!data)\n\t\treturn -ENOMEM;\n\n\tdata->handle = sev->handle;\n\tret = sev_issue_cmd(kvm, SEV_CMD_GUEST_STATUS, data, &argp->error);\n\tif (ret)\n\t\tgoto e_free;\n\n\tparams.policy = data->policy;\n\tparams.state = data->state;\n\tparams.handle = data->handle;\n\n\tif (copy_to_user((void __user *)(uintptr_t)argp->data, ¶ms, sizeof(params)))\n\t\tret = -EFAULT;\ne_free:\n\tkfree(data);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 85899878238619361124036181960701334048,
- "size": 29,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432537
- },
- {
- "func": "static void sev_unpin_memory(struct kvm *kvm, struct page **pages,\n\t\t\t unsigned long npages)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\n\trelease_pages(pages, npages);\n\tkvfree(pages);\n\tsev->pages_locked -= npages;\n}",
- "project": "linux",
- "hash": 171157111146673193766248062715929701601,
- "size": 9,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432496
- },
- {
- "func": "static int sev_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tstruct sev_data_launch_start *start;\n\tstruct kvm_sev_launch_start params;\n\tvoid *dh_blob, *session_blob;\n\tint *error = &argp->error;\n\tint ret;\n\n\tif (!sev_guest(kvm))\n\t\treturn -ENOTTY;\n\n\tif (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, sizeof(params)))\n\t\treturn -EFAULT;\n\n\tstart = kzalloc(sizeof(*start), GFP_KERNEL_ACCOUNT);\n\tif (!start)\n\t\treturn -ENOMEM;\n\n\tdh_blob = NULL;\n\tif (params.dh_uaddr) {\n\t\tdh_blob = psp_copy_user_blob(params.dh_uaddr, params.dh_len);\n\t\tif (IS_ERR(dh_blob)) {\n\t\t\tret = PTR_ERR(dh_blob);\n\t\t\tgoto e_free;\n\t\t}\n\n\t\tstart->dh_cert_address = __sme_set(__pa(dh_blob));\n\t\tstart->dh_cert_len = params.dh_len;\n\t}\n\n\tsession_blob = NULL;\n\tif (params.session_uaddr) {\n\t\tsession_blob = psp_copy_user_blob(params.session_uaddr, params.session_len);\n\t\tif (IS_ERR(session_blob)) {\n\t\t\tret = PTR_ERR(session_blob);\n\t\t\tgoto e_free_dh;\n\t\t}\n\n\t\tstart->session_address = __sme_set(__pa(session_blob));\n\t\tstart->session_len = params.session_len;\n\t}\n\n\tstart->handle = params.handle;\n\tstart->policy = params.policy;\n\n\t/* create memory encryption context */\n\tret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_LAUNCH_START, start, error);\n\tif (ret)\n\t\tgoto e_free_session;\n\n\t/* Bind ASID to this guest */\n\tret = sev_bind_asid(kvm, start->handle, error);\n\tif (ret)\n\t\tgoto e_free_session;\n\n\t/* return handle to userspace */\n\tparams.handle = start->handle;\n\tif (copy_to_user((void __user *)(uintptr_t)argp->data, ¶ms, sizeof(params))) {\n\t\tsev_unbind_asid(kvm, start->handle);\n\t\tret = -EFAULT;\n\t\tgoto e_free_session;\n\t}\n\n\tsev->handle = start->handle;\n\tsev->fd = argp->sev_fd;\n\ne_free_session:\n\tkfree(session_blob);\ne_free_dh:\n\tkfree(dh_blob);\ne_free:\n\tkfree(start);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 327382084721145336609172412034880321775,
- "size": 75,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432485
- },
- {
- "func": "static int sev_asid_new(void)\n{\n\tbool retry = true;\n\tint pos;\n\n\tmutex_lock(&sev_bitmap_lock);\n\n\t/*\n\t * SEV-enabled guest must use asid from min_sev_asid to max_sev_asid.\n\t */\nagain:\n\tpos = find_next_zero_bit(sev_asid_bitmap, max_sev_asid, min_sev_asid - 1);\n\tif (pos >= max_sev_asid) {\n\t\tif (retry && __sev_recycle_asids()) {\n\t\t\tretry = false;\n\t\t\tgoto again;\n\t\t}\n\t\tmutex_unlock(&sev_bitmap_lock);\n\t\treturn -EBUSY;\n\t}\n\n\t__set_bit(pos, sev_asid_bitmap);\n\n\tmutex_unlock(&sev_bitmap_lock);\n\n\treturn pos + 1;\n}",
- "project": "linux",
- "hash": 68010888444918245818194939433088823384,
- "size": 27,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432532
- },
- {
- "func": "static int __sev_dbg_encrypt_user(struct kvm *kvm, unsigned long paddr,\n\t\t\t\t unsigned long __user vaddr,\n\t\t\t\t unsigned long dst_paddr,\n\t\t\t\t unsigned long __user dst_vaddr,\n\t\t\t\t int size, int *error)\n{\n\tstruct page *src_tpage = NULL;\n\tstruct page *dst_tpage = NULL;\n\tint ret, len = size;\n\n\t/* If source buffer is not aligned then use an intermediate buffer */\n\tif (!IS_ALIGNED(vaddr, 16)) {\n\t\tsrc_tpage = alloc_page(GFP_KERNEL);\n\t\tif (!src_tpage)\n\t\t\treturn -ENOMEM;\n\n\t\tif (copy_from_user(page_address(src_tpage),\n\t\t\t\t(void __user *)(uintptr_t)vaddr, size)) {\n\t\t\t__free_page(src_tpage);\n\t\t\treturn -EFAULT;\n\t\t}\n\n\t\tpaddr = __sme_page_pa(src_tpage);\n\t}\n\n\t/*\n\t * If destination buffer or length is not aligned then do read-modify-write:\n\t * - decrypt destination in an intermediate buffer\n\t * - copy the source buffer in an intermediate buffer\n\t * - use the intermediate buffer as source buffer\n\t */\n\tif (!IS_ALIGNED(dst_vaddr, 16) || !IS_ALIGNED(size, 16)) {\n\t\tint dst_offset;\n\n\t\tdst_tpage = alloc_page(GFP_KERNEL);\n\t\tif (!dst_tpage) {\n\t\t\tret = -ENOMEM;\n\t\t\tgoto e_free;\n\t\t}\n\n\t\tret = __sev_dbg_decrypt(kvm, dst_paddr,\n\t\t\t\t\t__sme_page_pa(dst_tpage), size, error);\n\t\tif (ret)\n\t\t\tgoto e_free;\n\n\t\t/*\n\t\t * If source is kernel buffer then use memcpy() otherwise\n\t\t * copy_from_user().\n\t\t */\n\t\tdst_offset = dst_paddr & 15;\n\n\t\tif (src_tpage)\n\t\t\tmemcpy(page_address(dst_tpage) + dst_offset,\n\t\t\t page_address(src_tpage), size);\n\t\telse {\n\t\t\tif (copy_from_user(page_address(dst_tpage) + dst_offset,\n\t\t\t\t\t (void __user *)(uintptr_t)vaddr, size)) {\n\t\t\t\tret = -EFAULT;\n\t\t\t\tgoto e_free;\n\t\t\t}\n\t\t}\n\n\t\tpaddr = __sme_page_pa(dst_tpage);\n\t\tdst_paddr = round_down(dst_paddr, 16);\n\t\tlen = round_up(size, 16);\n\t}\n\n\tret = __sev_issue_dbg_cmd(kvm, paddr, dst_paddr, len, error, true);\n\ne_free:\n\tif 
(src_tpage)\n\t\t__free_page(src_tpage);\n\tif (dst_tpage)\n\t\t__free_page(dst_tpage);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 44807109384765060363671957329569291103,
- "size": 76,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432438
- },
- {
- "func": "static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp)\n{\n\tstruct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;\n\tint asid, ret;\n\n\tret = -EBUSY;\n\tif (unlikely(sev->active))\n\t\treturn ret;\n\n\tasid = sev_asid_new();\n\tif (asid < 0)\n\t\treturn ret;\n\n\tret = sev_platform_init(&argp->error);\n\tif (ret)\n\t\tgoto e_free;\n\n\tsev->active = true;\n\tsev->asid = asid;\n\tINIT_LIST_HEAD(&sev->regions_list);\n\n\treturn 0;\n\ne_free:\n\tsev_asid_free(asid);\n\treturn ret;\n}",
- "project": "linux",
- "hash": 112816211679516444387194592874037827972,
- "size": 27,
- "commit_id": "d80b64ff297e40c2b6f7d7abc1b3eba70d22a068",
- "message": "KVM: SVM: Fix potential memory leak in svm_cpu_init()\n\nWhen kmalloc memory for sd->sev_vmcbs failed, we forget to free the page\nheld by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually\nthe only possible outcome here.\n\nReviewed-by: Liran Alon <liran.alon@oracle.com>\nReviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>\nSigned-off-by: Miaohe Lin <linmiaohe@huawei.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 432601
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "remove_pending_change_notify_requests_by_mid",
- "smbd_notify_cancel_by_map",
- "change_notify_remove_request"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "void smbd_notify_cancel_by_smbreq(const struct smb_request *smbreq)\n{\n\tstruct smbd_server_connection *sconn = smbreq->sconn;\n\tstruct notify_mid_map *map;\n\n\tfor (map = sconn->smb1.notify_mid_maps; map; map = map->next) {\n\t\tif (map->req->req == smbreq) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (map == NULL) {\n\t\treturn;\n\t}\n\n\tsmbd_notify_cancel_by_map(map);\n}",
- "project": "samba",
- "hash": 197873660544430567237872443142405706058,
- "size": 17,
- "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a",
- "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison <jra@samba.org>",
- "target": 0,
- "dataset": "other",
- "idx": 279693
- },
- {
- "func": "void remove_pending_change_notify_requests_by_fid(files_struct *fsp,\n\t\t\t\t\t\t NTSTATUS status)\n{\n\tif (fsp->notify == NULL) {\n\t\treturn;\n\t}\n\n\twhile (fsp->notify->requests != NULL) {\n\t\tchange_notify_reply(fsp->notify->requests->req,\n\t\t\t\t status, 0, NULL,\n\t\t\t\t fsp->notify->requests->reply_fn);\n\t\tchange_notify_remove_request(fsp->conn->sconn,\n\t\t\t\t\t fsp->notify->requests);\n\t}\n}",
- "project": "samba",
- "hash": 116435028013848744244740147800906819338,
- "size": 15,
- "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a",
- "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison <jra@samba.org>",
- "target": 0,
- "dataset": "other",
- "idx": 279685
- },
- {
- "func": "static void notify_fsp(files_struct *fsp, struct timespec when,\n\t\t uint32_t action, const char *name)\n{\n\tstruct notify_change_event *change, *changes;\n\tchar *tmp;\n\n\tif (fsp->notify == NULL) {\n\t\t/*\n\t\t * Nobody is waiting, don't queue\n\t\t */\n\t\treturn;\n\t}\n\n\t/*\n\t * Someone has triggered a notify previously, queue the change for\n\t * later.\n\t */\n\n\tif ((fsp->notify->num_changes > 1000) || (name == NULL)) {\n\t\t/*\n\t\t * The real number depends on the client buf, just provide a\n\t\t * guard against a DoS here. If name == NULL the CN backend is\n\t\t * alerting us to a problem. Possibly dropped events. Clear\n\t\t * queued changes and send the catch-all response to the client\n\t\t * if a request is pending.\n\t\t */\n\t\tTALLOC_FREE(fsp->notify->changes);\n\t\tfsp->notify->num_changes = -1;\n\t\tif (fsp->notify->requests != NULL) {\n\t\t\tchange_notify_reply(fsp->notify->requests->req,\n\t\t\t\t\t NT_STATUS_OK,\n\t\t\t\t\t fsp->notify->requests->max_param,\n\t\t\t\t\t fsp->notify,\n\t\t\t\t\t fsp->notify->requests->reply_fn);\n\t\t\tchange_notify_remove_request(fsp->conn->sconn,\n\t\t\t\t\t\t fsp->notify->requests);\n\t\t}\n\t\treturn;\n\t}\n\n\t/* If we've exceeded the server side queue or received a NULL name\n\t * from the underlying CN implementation, don't queue up any more\n\t * requests until we can send a catch-all response to the client */\n\tif (fsp->notify->num_changes == -1) {\n\t\treturn;\n\t}\n\n\tif (!(changes = talloc_realloc(\n\t\t fsp->notify, fsp->notify->changes,\n\t\t struct notify_change_event,\n\t\t fsp->notify->num_changes+1))) {\n\t\tDEBUG(0, (\"talloc_realloc failed\\n\"));\n\t\treturn;\n\t}\n\n\tfsp->notify->changes = changes;\n\n\tchange = &(fsp->notify->changes[fsp->notify->num_changes]);\n\n\tif (!(tmp = talloc_strdup(changes, name))) {\n\t\tDEBUG(0, (\"talloc_strdup failed\\n\"));\n\t\treturn;\n\t}\n\n\tstring_replace(tmp, '/', '\\\\');\n\tchange->name = tmp;\t\n\n\tchange->when = 
when;\n\tchange->action = action;\n\tfsp->notify->num_changes += 1;\n\n\tif (fsp->notify->requests == NULL) {\n\t\t/*\n\t\t * Nobody is waiting, so don't send anything. The ot\n\t\t */\n\t\treturn;\n\t}\n\n\tif (action == NOTIFY_ACTION_OLD_NAME) {\n\t\t/*\n\t\t * We have to send the two rename events in one reply. So hold\n\t\t * the first part back.\n\t\t */\n\t\treturn;\n\t}\n\n\t/*\n\t * Someone is waiting for the change, trigger the reply immediately.\n\t *\n\t * TODO: do we have to walk the lists of requests pending?\n\t */\n\n\tchange_notify_reply(fsp->notify->requests->req,\n\t\t\t NT_STATUS_OK,\n\t\t\t fsp->notify->requests->max_param,\n\t\t\t fsp->notify,\n\t\t\t fsp->notify->requests->reply_fn);\n\n\tchange_notify_remove_request(fsp->conn->sconn, fsp->notify->requests);\n}",
- "project": "samba",
- "hash": 55414215855137377012312980613844174714,
- "size": 100,
- "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a",
- "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison <jra@samba.org>",
- "target": 0,
- "dataset": "other",
- "idx": 279696
- },
- {
- "func": "static void change_notify_remove_request(struct smbd_server_connection *sconn,\n\t\t\t\t\t struct notify_change_request *remove_req)\n{\n\tfiles_struct *fsp;\n\tstruct notify_change_request *req;\n\n\t/*\n\t * Paranoia checks, the fsp referenced must must have the request in\n\t * its list of pending requests\n\t */\n\n\tfsp = remove_req->fsp;\n\tSMB_ASSERT(fsp->notify != NULL);\n\n\tfor (req = fsp->notify->requests; req; req = req->next) {\n\t\tif (req == remove_req) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (req == NULL) {\n\t\tsmb_panic(\"notify_req not found in fsp's requests\");\n\t}\n\n\tDLIST_REMOVE(fsp->notify->requests, req);\n\tDLIST_REMOVE(sconn->smb1.notify_mid_maps, req->mid_map);\n\tTALLOC_FREE(req);\n}",
- "project": "samba",
- "hash": 113917000493755922406827458330864321437,
- "size": 28,
- "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a",
- "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison <jra@samba.org>",
- "target": 0,
- "dataset": "other",
- "idx": 279704
- },
- {
- "func": "bool remove_pending_change_notify_requests_by_mid(\n\tstruct smbd_server_connection *sconn, uint64_t mid)\n{\n\tstruct notify_mid_map *map;\n\n\tfor (map = sconn->smb1.notify_mid_maps; map; map = map->next) {\n\t\tif (map->mid == mid) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (map == NULL) {\n\t\treturn false;\n\t}\n\n\tsmbd_notify_cancel_by_map(map);\n\treturn true;\n}",
- "project": "samba",
- "hash": 228094122422571733736054467096417549326,
- "size": 18,
- "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a",
- "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison <jra@samba.org>",
- "target": 0,
- "dataset": "other",
- "idx": 279687
- },
- {
- "func": "static void smbd_notify_cancel_by_map(struct notify_mid_map *map)\n{\n\tstruct smb_request *smbreq = map->req->req;\n\tstruct smbd_server_connection *sconn = smbreq->sconn;\n\tstruct smbd_smb2_request *smb2req = smbreq->smb2req;\n\tNTSTATUS notify_status = NT_STATUS_CANCELLED;\n\n\tif (smb2req != NULL) {\n\t\tNTSTATUS sstatus;\n\n\t\tif (smb2req->session == NULL) {\n\t\t\tsstatus = NT_STATUS_USER_SESSION_DELETED;\n\t\t} else {\n\t\t\tsstatus = smb2req->session->status;\n\t\t}\n\n\t\tif (NT_STATUS_EQUAL(sstatus, NT_STATUS_NETWORK_SESSION_EXPIRED)) {\n\t\t\tsstatus = NT_STATUS_OK;\n\t\t}\n\n\t\tif (!NT_STATUS_IS_OK(sstatus)) {\n\t\t\tnotify_status = STATUS_NOTIFY_CLEANUP;\n\t\t} else if (smb2req->tcon == NULL) {\n\t\t\tnotify_status = STATUS_NOTIFY_CLEANUP;\n\t\t} else if (!NT_STATUS_IS_OK(smb2req->tcon->status)) {\n\t\t\tnotify_status = STATUS_NOTIFY_CLEANUP;\n\t\t}\n\t}\n\n\tchange_notify_reply(smbreq, notify_status,\n\t\t\t 0, NULL, map->req->reply_fn);\n\tchange_notify_remove_request(sconn, map->req);\n}",
- "project": "samba",
- "hash": 158985065159182065461930161912048986754,
- "size": 33,
- "commit_id": "c300a85848350635e7ddd8129b31c4d439dc0f8a",
- "message": "s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.\n\nRemove knownfail entry.\n\nCVE-2020-14318\n\nBUG: https://bugzilla.samba.org/show_bug.cgi?id=14434\n\nSigned-off-by: Jeremy Allison <jra@samba.org>",
- "target": 0,
- "dataset": "other",
- "idx": 279701
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "TlsSetValue",
- "mono_loader_lock",
- "mono_loader_unlock"
- ],
- "group_size": 14,
- "functions": [
- {
- "func": "tcp_src_prompt(packet_info *pinfo, gchar *result)\n{\n guint32 port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num));\n\n g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, \"source (%u%s)\", port, UTF8_RIGHTWARDS_ARROW);\n}",
- "project": "wireshark",
- "hash": 243029606365869679011893096644425255357,
- "size": 6,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385197
- },
- {
- "func": "tcp_dst_prompt(packet_info *pinfo, gchar *result)\n{\n guint32 port = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));\n\n g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, \"destination (%s%u)\", UTF8_RIGHTWARDS_ARROW, port);\n}",
- "project": "wireshark",
- "hash": 229594618645422847498588340128012053786,
- "size": 6,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385232
- },
- {
- "func": "tcp_both_prompt(packet_info *pinfo, gchar *result)\n{\n guint32 srcport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num)),\n destport = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num));\n g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, \"both (%u%s%u)\", srcport, UTF8_LEFT_RIGHT_ARROW, destport);\n}",
- "project": "wireshark",
- "hash": 223609035746124680614692817043359611066,
- "size": 6,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385255
- },
- {
- "func": "mono_loader_unlock (void)\n{\n\tmono_locks_release (&loader_mutex, LoaderLock);\n\tif (G_UNLIKELY (loader_lock_track_ownership)) {\n\t\tTlsSetValue (loader_lock_nest_id, GUINT_TO_POINTER (GPOINTER_TO_UINT (TlsGetValue (loader_lock_nest_id)) - 1));\n\t}\n}",
- "project": "mono",
- "hash": 233233954986845845596365919409106211673,
- "size": 7,
- "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625",
- "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. Fixes bug# 641915.",
- "target": 0,
- "dataset": "other",
- "idx": 334478
- },
- {
- "func": "mono_loader_lock (void)\n{\n\tmono_locks_acquire (&loader_mutex, LoaderLock);\n\tif (G_UNLIKELY (loader_lock_track_ownership)) {\n\t\tTlsSetValue (loader_lock_nest_id, GUINT_TO_POINTER (GPOINTER_TO_UINT (TlsGetValue (loader_lock_nest_id)) + 1));\n\t}\n}",
- "project": "mono",
- "hash": 149133099918348962033482518260271943311,
- "size": 7,
- "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625",
- "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. Fixes bug# 641915.",
- "target": 0,
- "dataset": "other",
- "idx": 334507
- },
- {
- "func": "tcp_src_value(packet_info *pinfo)\n{\n return p_get_proto_data(pinfo->pool, pinfo, hf_tcp_srcport, pinfo->curr_layer_num);\n}",
- "project": "wireshark",
- "hash": 269721267962870118367440272260943368013,
- "size": 4,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385200
- },
- {
- "func": "tcp_dst_value(packet_info *pinfo)\n{\n return p_get_proto_data(pinfo->pool, pinfo, hf_tcp_dstport, pinfo->curr_layer_num);\n}",
- "project": "wireshark",
- "hash": 129362666005724023401991086809138002933,
- "size": 4,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385214
- },
- {
- "func": "mono_loader_lock_is_owned_by_self (void)\n{\n\tg_assert (loader_lock_track_ownership);\n\n\treturn GPOINTER_TO_UINT (TlsGetValue (loader_lock_nest_id)) > 0;\n}",
- "project": "mono",
- "hash": 240673674177835474670681667619621290297,
- "size": 6,
- "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625",
- "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. Fixes bug# 641915.",
- "target": 0,
- "dataset": "other",
- "idx": 334473
- },
- {
- "func": "relate_slaves (gpointer key,\n gpointer value,\n gpointer data)\n{\n ClutterDeviceManagerXI2 *manager_xi2 = data;\n ClutterInputDevice *master, *slave;\n\n slave = g_hash_table_lookup (manager_xi2->devices_by_id, key);\n master = g_hash_table_lookup (manager_xi2->devices_by_id, value);\n\n _clutter_input_device_set_associated_device (slave, master);\n _clutter_input_device_add_slave (master, slave);\n}",
- "target": 0,
- "cwe": [
- "CWE-264"
- ],
- "project": "clutter",
- "commit_id": "e310c68d7b38d521e341f4e8a36f54303079d74e",
- "hash": 11732202029626356531742516125834610434,
- "size": 13,
- "message": "x11: trap errors when calling XIQueryDevice\n\nDevices can disappear at any time, causing XIQueryDevice\nto throw an error. At the same time, plug a memory leak.\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=701974",
- "dataset": "other",
- "idx": 497479
- },
- {
- "func": "relate_masters (gpointer key,\n gpointer value,\n gpointer data)\n{\n ClutterDeviceManagerXI2 *manager_xi2 = data;\n ClutterInputDevice *device, *relative;\n\n device = g_hash_table_lookup (manager_xi2->devices_by_id, key);\n relative = g_hash_table_lookup (manager_xi2->devices_by_id, value);\n\n _clutter_input_device_set_associated_device (device, relative);\n _clutter_input_device_set_associated_device (relative, device);\n}",
- "target": 0,
- "cwe": [
- "CWE-264"
- ],
- "project": "clutter",
- "commit_id": "e310c68d7b38d521e341f4e8a36f54303079d74e",
- "hash": 275646750222884968905318332727855387912,
- "size": 13,
- "message": "x11: trap errors when calling XIQueryDevice\n\nDevices can disappear at any time, causing XIQueryDevice\nto throw an error. At the same time, plug a memory leak.\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=701974",
- "dataset": "other",
- "idx": 497484
- },
- {
- "func": "mono_loader_lock_if_inited (void)\n{\n\tif (loader_lock_inited)\n\t\tmono_loader_lock ();\n}",
- "project": "mono",
- "hash": 169559412662811690103534238135039914320,
- "size": 5,
- "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625",
- "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. Fixes bug# 641915.",
- "target": 0,
- "dataset": "other",
- "idx": 334479
- },
- {
- "func": "find_cached_memberref_sig (MonoImage *image, guint32 sig_idx)\n{\n\tgpointer res;\n\n\tmono_loader_lock ();\n\tres = g_hash_table_lookup (image->memberref_signatures, GUINT_TO_POINTER (sig_idx));\n\tmono_loader_unlock ();\n\n\treturn res;\n}",
- "project": "mono",
- "hash": 204761287727301514708150813086363835120,
- "size": 10,
- "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625",
- "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. Fixes bug# 641915.",
- "target": 0,
- "dataset": "other",
- "idx": 334503
- },
- {
- "func": "mono_loader_unlock_if_inited (void)\n{\n\tif (loader_lock_inited)\n\t\tmono_loader_unlock ();\n}",
- "project": "mono",
- "hash": 167586732968159065909171015031580186969,
- "size": 5,
- "commit_id": "8e890a3bf80a4620e417814dc14886b1bbd17625",
- "message": "Search for dllimported shared libs in the base directory, not cwd.\n\n* loader.c: we don't search the current directory anymore for shared\nlibraries referenced in DllImport attributes, as it has a slight\nsecurity risk. We search in the same directory where the referencing\nimage was loaded from, instead. Fixes bug# 641915.",
- "target": 0,
- "dataset": "other",
- "idx": 334515
- },
- {
- "func": "clutter_device_manager_xi2_get_device (ClutterDeviceManager *manager,\n gint id)\n{\n ClutterDeviceManagerXI2 *manager_xi2 = CLUTTER_DEVICE_MANAGER_XI2 (manager);\n\n return g_hash_table_lookup (manager_xi2->devices_by_id,\n GINT_TO_POINTER (id));\n}",
- "target": 0,
- "cwe": [
- "CWE-264"
- ],
- "project": "clutter",
- "commit_id": "e310c68d7b38d521e341f4e8a36f54303079d74e",
- "hash": 49896070100448030956265376701597052987,
- "size": 8,
- "message": "x11: trap errors when calling XIQueryDevice\n\nDevices can disappear at any time, causing XIQueryDevice\nto throw an error. At the same time, plug a memory leak.\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=701974",
- "dataset": "other",
- "idx": 497488
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "end_profiler_frame",
- "endFrame",
- "endFrameEx"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": " void endFrame(const TypedValue* /*retval*/, const char* symbol,\n bool /*endMain*/ = false) override {\n doTrace(symbol, true);\n }",
- "project": "hhvm",
- "hash": 216998652212451743931488043650664066631,
- "size": 4,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219430
- },
- {
- "func": "void Profiler::endFrame(const TypedValue *retval,\n const char *symbol,\n bool endMain) {\n if (m_stack) {\n // special case for main() frame that's only ended by endAllFrames()\n if (!endMain && m_stack->m_parent == nullptr) {\n return;\n }\n endFrameEx(retval, symbol);\n m_func_hash_counters[m_stack->m_hash_code]--;\n releaseFrame();\n }\n}",
- "project": "hhvm",
- "hash": 26587959672488513904056432004123374690,
- "size": 13,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219461
- },
- {
- "func": " endFrameEx(const TypedValue* /*retvalue*/, const char* /*symbol*/) override {\n sample_check();\n }",
- "project": "hhvm",
- "hash": 273478467820533882100467124057011381506,
- "size": 3,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219310
- },
- {
- "func": "void Profiler::endFrameEx(const TypedValue* /*retval*/,\n const char* /*_symbol*/) {}",
- "project": "hhvm",
- "hash": 35590551211878468064778370986041065781,
- "size": 2,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219813
- },
- {
- "func": "void end_profiler_frame(Profiler *p,\n const TypedValue *retval,\n const char *symbol) {\n p->endFrame(retval, symbol);\n}",
- "project": "hhvm",
- "hash": 236448474649344352598051191628845271714,
- "size": 5,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219590
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "input_add_uevent_modalias_var",
- "input_print_modalias",
- "input_print_modalias_bits"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static int input_print_modalias_bits(char *buf, int size,\n\t\t\t\t char name, unsigned long *bm,\n\t\t\t\t unsigned int min_bit, unsigned int max_bit)\n{\n\tint len = 0, i;\n\n\tlen += snprintf(buf, max(size, 0), \"%c\", name);\n\tfor (i = min_bit; i < max_bit; i++)\n\t\tif (bm[BIT_WORD(i)] & BIT_MASK(i))\n\t\t\tlen += snprintf(buf + len, max(size - len, 0), \"%X,\", i);\n\treturn len;\n}",
- "project": "linux",
- "hash": 158850091406226619329147198274351263310,
- "size": 12,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353392
- },
- {
- "func": "static int input_print_modalias(char *buf, int size, struct input_dev *id,\n\t\t\t\tint add_cr)\n{\n\tint len;\n\n\tlen = snprintf(buf, max(size, 0),\n\t\t \"input:b%04Xv%04Xp%04Xe%04X-\",\n\t\t id->id.bustype, id->id.vendor,\n\t\t id->id.product, id->id.version);\n\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t'e', id->evbit, 0, EV_MAX);\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t'k', id->keybit, KEY_MIN_INTERESTING, KEY_MAX);\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t'r', id->relbit, 0, REL_MAX);\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t'a', id->absbit, 0, ABS_MAX);\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t'm', id->mscbit, 0, MSC_MAX);\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t'l', id->ledbit, 0, LED_MAX);\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t's', id->sndbit, 0, SND_MAX);\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t'f', id->ffbit, 0, FF_MAX);\n\tlen += input_print_modalias_bits(buf + len, size - len,\n\t\t\t\t'w', id->swbit, 0, SW_MAX);\n\n\tif (add_cr)\n\t\tlen += snprintf(buf + len, max(size - len, 0), \"\\n\");\n\n\treturn len;\n}",
- "project": "linux",
- "hash": 60420096432809030050053268975505946861,
- "size": 34,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353343
- },
- {
- "func": "static int input_add_uevent_modalias_var(struct kobj_uevent_env *env,\n\t\t\t\t\t struct input_dev *dev)\n{\n\tint len;\n\n\tif (add_uevent_var(env, \"MODALIAS=\"))\n\t\treturn -ENOMEM;\n\n\tlen = input_print_modalias(&env->buf[env->buflen - 1],\n\t\t\t\t sizeof(env->buf) - env->buflen,\n\t\t\t\t dev, 0);\n\tif (len >= (sizeof(env->buf) - env->buflen))\n\t\treturn -ENOMEM;\n\n\tenv->buflen += len;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 258821360740180395617262343756556213176,
- "size": 17,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353380
- },
- {
- "func": "static ssize_t input_dev_show_modalias(struct device *dev,\n\t\t\t\t struct device_attribute *attr,\n\t\t\t\t char *buf)\n{\n\tstruct input_dev *id = to_input_dev(dev);\n\tssize_t len;\n\n\tlen = input_print_modalias(buf, PAGE_SIZE, id, 1);\n\n\treturn min_t(int, len, PAGE_SIZE);\n}",
- "project": "linux",
- "hash": 264464487934238493096880515774601896895,
- "size": 11,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353326
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "jsi_csBitGetSet",
- "jsi_csSBitGetSet",
- "jsi_csSBitSetGet"
- ],
- "group_size": 4,
- "functions": [
- {
- "project": "jsish",
- "commit_id": "858da537bde4de9d8c92466d5a866505310bc328",
- "target": 0,
- "func": "static bool jsi_csBitSetGet(int isSet, uchar *tbuf, int bits, Jsi_UWide *valPtr) {\n union bitfield *bms = (union bitfield *)tbuf;\n Jsi_UWide val = *valPtr;\n union bitfield {\n Jsi_UWide b1:1; Jsi_UWide b2:2; Jsi_UWide b3:3; Jsi_UWide b4:4; Jsi_UWide b5:5; Jsi_UWide b6:6;\n Jsi_UWide b7:7; Jsi_UWide b8:8; Jsi_UWide b9:9; Jsi_UWide b10:10; Jsi_UWide b11:11; Jsi_UWide b12:12;\n Jsi_UWide b13:13; Jsi_UWide b14:14; Jsi_UWide b15:15; Jsi_UWide b16:16; Jsi_UWide b17:17; \n Jsi_UWide b18:18; Jsi_UWide b19:19; Jsi_UWide b20:20; Jsi_UWide b21:21; Jsi_UWide b22:22;\n Jsi_UWide b23:23; Jsi_UWide b24:24; Jsi_UWide b25:25; Jsi_UWide b26:26; Jsi_UWide b27:27;\n Jsi_UWide b28:28; Jsi_UWide b29:29; Jsi_UWide b30:30; Jsi_UWide b31:31; Jsi_UWide b32:32;\n Jsi_UWide b33:33; Jsi_UWide b34:34; Jsi_UWide b35:35; Jsi_UWide b36:36; Jsi_UWide b37:37;\n Jsi_UWide b38:38; Jsi_UWide b39:39; Jsi_UWide b40:40; Jsi_UWide b41:41; Jsi_UWide b42:42;\n Jsi_UWide b43:43; Jsi_UWide b44:44; Jsi_UWide b45:45; Jsi_UWide b46:46; Jsi_UWide b47:47;\n Jsi_UWide b48:48; Jsi_UWide b49:49; Jsi_UWide b50:50; Jsi_UWide b51:51; Jsi_UWide b52:52;\n Jsi_UWide b53:53; Jsi_UWide b54:54; Jsi_UWide b55:55; Jsi_UWide b56:56; Jsi_UWide b57:57;\n Jsi_UWide b58:58; Jsi_UWide b59:59; Jsi_UWide b60:60; Jsi_UWide b61:61; Jsi_UWide b62:62;\n Jsi_UWide b63:63; Jsi_UWide b64:64;\n };\n if (isSet) {\n switch (bits) {\n #define CBSN(n) \\\n case n: bms->b##n = val; return (bms->b##n == val)\n CBSN(1); CBSN(2); CBSN(3); CBSN(4); CBSN(5); CBSN(6); CBSN(7); CBSN(8);\n CBSN(9); CBSN(10); CBSN(11); CBSN(12); CBSN(13); CBSN(14); CBSN(15); CBSN(16);\n CBSN(17); CBSN(18); CBSN(19); CBSN(20); CBSN(21); CBSN(22); CBSN(23); CBSN(24);\n CBSN(25); CBSN(26); CBSN(27); CBSN(28); CBSN(29); CBSN(30); CBSN(31); CBSN(32);\n CBSN(33); CBSN(34); CBSN(35); CBSN(36); CBSN(37); CBSN(38); CBSN(39); CBSN(40);\n CBSN(41); CBSN(42); CBSN(43); CBSN(44); CBSN(45); CBSN(46); CBSN(47); CBSN(48);\n CBSN(49); CBSN(50); CBSN(51); CBSN(52); CBSN(53); 
CBSN(54); CBSN(55); CBSN(56);\n CBSN(57); CBSN(58); CBSN(59); CBSN(60); CBSN(61); CBSN(62); CBSN(63); CBSN(64);\n }\n assert(0);\n }\n switch (bits) {\n#define CBGN(n) \\\n case n: val = bms->b##n; break\n CBGN(1); CBGN(2); CBGN(3); CBGN(4); CBGN(5); CBGN(6); CBGN(7); CBGN(8);\n CBGN(9); CBGN(10); CBGN(11); CBGN(12); CBGN(13); CBGN(14); CBGN(15); CBGN(16);\n CBGN(17); CBGN(18); CBGN(19); CBGN(20); CBGN(21); CBGN(22); CBGN(23); CBGN(24);\n CBGN(25); CBGN(26); CBGN(27); CBGN(28); CBGN(29); CBGN(30); CBGN(31); CBGN(32);\n CBGN(33); CBGN(34); CBGN(35); CBGN(36); CBGN(37); CBGN(38); CBGN(39); CBGN(40);\n CBGN(41); CBGN(42); CBGN(43); CBGN(44); CBGN(45); CBGN(46); CBGN(47); CBGN(48);\n CBGN(49); CBGN(50); CBGN(51); CBGN(52); CBGN(53); CBGN(54); CBGN(55); CBGN(56);\n CBGN(57); CBGN(58); CBGN(59); CBGN(60); CBGN(61); CBGN(62); CBGN(63); CBGN(64);\n default: assert(0);\n }\n *valPtr = val;\n return 1;\n}",
- "idx": 520862,
- "cwe": "CWE-190",
- "hash": 315040628554983887920356217431033151804,
- "dataset": "other"
- },
- {
- "project": "jsish",
- "commit_id": "858da537bde4de9d8c92466d5a866505310bc328",
- "target": 0,
- "func": "static Jsi_RC jsi_csSBitGetSet(Jsi_Interp *interp, void *vrec, Jsi_Wide* vPtr, Jsi_OptionSpec *spec, int idx, bool isSet) {\n Jsi_Wide *valPtr = (typeof(valPtr))vPtr;\n int bits = spec->bits;\n int boffs = spec->boffset;\n if (bits<1 || bits>=64) return JSI_ERROR;\n int ofs = (boffs/8);\n int bo = (boffs%8); // 0 if byte-aligned\n int Bsz = ((bits+bo+7)/8);\n uchar *rec = (uchar*)vrec;\n#ifdef __SIZEOF_INT128__\n typedef __int128 stvalType;\n#else\n typedef Jsi_Wide stvalType;\n#endif\n stvalType tbuf[2] = {};\n uchar sbuf[20], *bptr = (uchar*)tbuf;\n memcpy(tbuf, rec+ofs, Bsz);\n Jsi_Wide mval = *valPtr;\n Jsi_Wide amask = ((1LL<<(bits-1))-1LL);\n stvalType tval = 0, kval = 0, lmask;\n if (bo) { // If not byte aligned, get tval and shift\n bptr = sbuf;\n kval = tval = *(typeof(tval)*)tbuf;\n tval >>= bo;\n if (!isSet) {\n mval = (Jsi_Wide)tval;\n *(Jsi_Wide*)bptr = mval;\n }\n }\n \n if (!isSet) { // Get value.\n if (!jsi_csSBitSetGet(0, bptr, bits, &mval))\n return JSI_ERROR;\n *valPtr = mval;\n return JSI_OK;\n }\n \n if (!jsi_csSBitSetGet(1, bptr, bits, &mval))\n return JSI_ERROR;\n if (bo) {\n tval = (typeof(tval))mval;\n lmask=(amask<<bo);\n kval &= ~lmask;\n tval <<= bo;\n tval = (kval | tval);\n *(typeof(tval)*)tbuf = tval;\n }\n memcpy(rec+ofs, tbuf, Bsz);\n\n return JSI_OK; \n}",
- "idx": 520912,
- "cwe": "CWE-190",
- "hash": 85793746791659603420840514709219530889,
- "dataset": "other"
- },
- {
- "project": "jsish",
- "commit_id": "858da537bde4de9d8c92466d5a866505310bc328",
- "target": 0,
- "func": "static Jsi_RC jsi_csBitGetSet(Jsi_Interp *interp, void *vrec, Jsi_Wide* vPtr, Jsi_OptionSpec *spec, int idx, bool isSet) {\n bool us = (spec->tname && spec->tname[0] == 'u');\n if (!us) \n return jsi_csSBitGetSet(interp, vrec, vPtr, spec, idx, isSet);\n\n if (*vPtr<0)\n return JSI_ERROR;\n\n Jsi_UWide *valPtr = (typeof(valPtr))vPtr;\n int bits = spec->bits;\n int boffs = spec->boffset;\n if (bits<1 || bits>=64) return JSI_ERROR;\n int ofs = (boffs/8);\n int bo = (boffs%8); // 0 if byte-aligned\n int Bsz = ((bits+bo+7)/8);\n uchar *rec = (uchar*)vrec;\n#ifdef __SIZEOF_INT128__\n typedef unsigned __int128 utvalType;\n#else\n typedef Jsi_UWide utvalType;\n#endif\n utvalType tbuf[2] = {};\n uchar sbuf[20], *bptr = (uchar*)tbuf;\n memcpy(tbuf, rec+ofs, Bsz);\n Jsi_UWide mval;\n Jsi_UWide amask = ((1LL<<(bits-1))-1LL);\n utvalType tval = 0, kval = 0, lmask;\n if (bo) { // If not byte aligned, get tval and shift\n bptr = sbuf;\n kval = tval = *(typeof(tval)*)tbuf;\n tval >>= bo;\n if (!isSet) {\n mval = (Jsi_UWide)tval;\n *(Jsi_UWide*)bptr = mval;\n }\n } else\n mval = *valPtr;\n \n if (!isSet) { // Get value.\n if (!jsi_csBitSetGet(0, bptr, bits, &mval))\n return JSI_ERROR;\n *valPtr = mval;\n return JSI_OK;\n }\n \n if (!jsi_csBitSetGet(1, bptr, bits, &mval))\n return JSI_ERROR;\n if (bo) {\n tval = (typeof(tval))mval;\n lmask=(amask<<bo);\n kval &= ~lmask;\n tval <<= bo;\n tval = (kval | tval);\n *(typeof(tval)*)tbuf = tval;\n }\n memcpy(rec+ofs, tbuf, Bsz);\n\n return JSI_OK; \n}",
- "idx": 520856,
- "cwe": "CWE-190",
- "hash": 233792583997789375492824257043596509458,
- "dataset": "other"
- },
- {
- "project": "jsish",
- "commit_id": "858da537bde4de9d8c92466d5a866505310bc328",
- "target": 0,
- "func": "static bool jsi_csSBitSetGet(int isSet, uchar *tbuf, int bits, Jsi_Wide *valPtr) {\n union bitfield *bms = (union bitfield *)tbuf;\n Jsi_Wide val = *valPtr;\n union bitfield {\n Jsi_Wide b1:1; Jsi_Wide b2:2; Jsi_Wide b3:3; Jsi_Wide b4:4; Jsi_Wide b5:5; Jsi_Wide b6:6;\n Jsi_Wide b7:7; Jsi_Wide b8:8; Jsi_Wide b9:9; Jsi_Wide b10:10; Jsi_Wide b11:11; Jsi_Wide b12:12;\n Jsi_Wide b13:13; Jsi_Wide b14:14; Jsi_Wide b15:15; Jsi_Wide b16:16; Jsi_Wide b17:17; \n Jsi_Wide b18:18; Jsi_Wide b19:19; Jsi_Wide b20:20; Jsi_Wide b21:21; Jsi_Wide b22:22;\n Jsi_Wide b23:23; Jsi_Wide b24:24; Jsi_Wide b25:25; Jsi_Wide b26:26; Jsi_Wide b27:27;\n Jsi_Wide b28:28; Jsi_Wide b29:29; Jsi_Wide b30:30; Jsi_Wide b31:31; Jsi_Wide b32:32;\n Jsi_Wide b33:33; Jsi_Wide b34:34; Jsi_Wide b35:35; Jsi_Wide b36:36; Jsi_Wide b37:37;\n Jsi_Wide b38:38; Jsi_Wide b39:39; Jsi_Wide b40:40; Jsi_Wide b41:41; Jsi_Wide b42:42;\n Jsi_Wide b43:43; Jsi_Wide b44:44; Jsi_Wide b45:45; Jsi_Wide b46:46; Jsi_Wide b47:47;\n Jsi_Wide b48:48; Jsi_Wide b49:49; Jsi_Wide b50:50; Jsi_Wide b51:51; Jsi_Wide b52:52;\n Jsi_Wide b53:53; Jsi_Wide b54:54; Jsi_Wide b55:55; Jsi_Wide b56:56; Jsi_Wide b57:57;\n Jsi_Wide b58:58; Jsi_Wide b59:59; Jsi_Wide b60:60; Jsi_Wide b61:61; Jsi_Wide b62:62;\n Jsi_Wide b63:63; Jsi_Wide b64:64;\n };\n if (isSet) {\n switch (bits) {\n CBSN(1); CBSN(2); CBSN(3); CBSN(4); CBSN(5); CBSN(6); CBSN(7); CBSN(8);\n CBSN(9); CBSN(10); CBSN(11); CBSN(12); CBSN(13); CBSN(14); CBSN(15); CBSN(16);\n CBSN(17); CBSN(18); CBSN(19); CBSN(20); CBSN(21); CBSN(22); CBSN(23); CBSN(24);\n CBSN(25); CBSN(26); CBSN(27); CBSN(28); CBSN(29); CBSN(30); CBSN(31); CBSN(32);\n CBSN(33); CBSN(34); CBSN(35); CBSN(36); CBSN(37); CBSN(38); CBSN(39); CBSN(40);\n CBSN(41); CBSN(42); CBSN(43); CBSN(44); CBSN(45); CBSN(46); CBSN(47); CBSN(48);\n CBSN(49); CBSN(50); CBSN(51); CBSN(52); CBSN(53); CBSN(54); CBSN(55); CBSN(56);\n CBSN(57); CBSN(58); CBSN(59); CBSN(60); CBSN(61); CBSN(62); CBSN(63); CBSN(64);\n }\n assert(0);\n }\n switch 
(bits) {\n CBGN(1); CBGN(2); CBGN(3); CBGN(4); CBGN(5); CBGN(6); CBGN(7); CBGN(8);\n CBGN(9); CBGN(10); CBGN(11); CBGN(12); CBGN(13); CBGN(14); CBGN(15); CBGN(16);\n CBGN(17); CBGN(18); CBGN(19); CBGN(20); CBGN(21); CBGN(22); CBGN(23); CBGN(24);\n CBGN(25); CBGN(26); CBGN(27); CBGN(28); CBGN(29); CBGN(30); CBGN(31); CBGN(32);\n CBGN(33); CBGN(34); CBGN(35); CBGN(36); CBGN(37); CBGN(38); CBGN(39); CBGN(40);\n CBGN(41); CBGN(42); CBGN(43); CBGN(44); CBGN(45); CBGN(46); CBGN(47); CBGN(48);\n CBGN(49); CBGN(50); CBGN(51); CBGN(52); CBGN(53); CBGN(54); CBGN(55); CBGN(56);\n CBGN(57); CBGN(58); CBGN(59); CBGN(60); CBGN(61); CBGN(62); CBGN(63); CBGN(64);\n default: assert(0);\n }\n *valPtr = val;\n return 1;\n}",
- "idx": 520915,
- "cwe": "CWE-190",
- "hash": 144975561671138693424233026446886621647,
- "dataset": "other"
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "LY_TREE_DFS_BEGIN",
- "LY_TREE_FOR",
- "LY_TREE_FOR_SAFE",
- "LY_CHECK_ERR_RETURN"
- ],
- "group_size": 25,
- "functions": [
- {
- "func": "lyxml_correct_elem_ns(struct ly_ctx *ctx, struct lyxml_elem *elem, struct lyxml_elem *orig, int copy_ns,\n int correct_attrs)\n{\n const struct lyxml_ns *tmp_ns;\n struct lyxml_elem *elem_root, *ns_root, *tmp, *iter;\n struct lyxml_attr *attr;\n\n /* find the root of elem */\n for (elem_root = elem; elem_root->parent; elem_root = elem_root->parent);\n\n LY_TREE_DFS_BEGIN(elem, tmp, iter) {\n if (iter->ns) {\n /* find the root of elem NS */\n for (ns_root = iter->ns->parent; ns_root; ns_root = ns_root->parent);\n\n /* elem NS is defined outside elem subtree */\n if (ns_root != elem_root) {\n if (copy_ns) {\n tmp_ns = iter->ns;\n /* we may have already copied the NS over? */\n iter->ns = lyxml_get_ns(iter, tmp_ns->prefix);\n\n /* we haven't copied it over, copy it now */\n if (!iter->ns) {\n iter->ns = (struct lyxml_ns *)lyxml_dup_attr(ctx, iter, (struct lyxml_attr *)tmp_ns);\n }\n } else {\n iter->ns = NULL;\n }\n }\n }\n if (iter->content && iter->content[0] && copy_ns) {\n lyxml_correct_content_ns(ctx, iter, orig);\n }\n if (correct_attrs) {\n LY_TREE_FOR(iter->attr, attr) {\n lyxml_correct_attr_ns(ctx, attr, elem_root, copy_ns);\n }\n }\n LY_TREE_DFS_END(elem, tmp, iter);\n }\n}",
- "project": "libyang",
- "hash": 283162333390592841335093381050743686724,
- "size": 42,
- "commit_id": "298b30ea4ebee137226acf9bb38678bd82704582",
- "message": "common FEATURE add a hard limit for recursion\n\nFixes #1453",
- "target": 0,
- "dataset": "other",
- "idx": 366031
- },
- {
- "func": "fill_yin_feature(struct lys_module *module, struct lyxml_elem *yin, struct lys_feature *f, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n const char *value;\n struct lyxml_elem *child, *next;\n int c_ftrs = 0, c_ext = 0, ret;\n void *reallocated;\n\n GETVAL(ctx, value, yin, \"name\");\n if (lyp_check_identifier(ctx, value, LY_IDENT_FEATURE, module, NULL)) {\n goto error;\n }\n f->name = lydict_insert(ctx, value, strlen(value));\n f->module = module;\n\n if (read_yin_common(module, NULL, f, LYEXT_PAR_FEATURE, yin, 0, unres)) {\n goto error;\n }\n\n LY_TREE_FOR(yin->child, child) {\n if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, f->ext_size, \"extensions\", \"feature\", error);\n c_ext++;\n } else if (!strcmp(child->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, f->iffeature_size, \"if-feature\", \"feature\", error);\n c_ftrs++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n if (c_ftrs) {\n f->iffeature = calloc(c_ftrs, sizeof *f->iffeature);\n LY_CHECK_ERR_GOTO(!f->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(f->ext, (c_ext + f->ext_size) * sizeof *f->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n f->ext = reallocated;\n\n /* init memory */\n memset(&f->ext[f->ext_size], 0, c_ext * sizeof *f->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n ret = lyp_yin_fill_ext(f, LYEXT_PAR_FEATURE, 0, 0, module, child, &f->ext, &f->ext_size, unres);\n if (ret) {\n goto error;\n }\n } else { /* if-feature */\n ret = fill_yin_iffeature((struct lys_node *)f, 1, child, &f->iffeature[f->iffeature_size], unres);\n f->iffeature_size++;\n if (ret) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&f->ext, f->ext_size, c_ext + 
f->ext_size);\n\n /* check for circular dependencies */\n if (f->iffeature_size) {\n if (unres_schema_add_node(module, unres, f, UNRES_FEATURE, NULL) == -1) {\n goto error;\n }\n }\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}",
- "project": "libyang",
- "hash": 23072446618288366163898240985312641642,
- "size": 77,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336769
- },
- {
- "func": "fill_yin_identity(struct lys_module *module, struct lyxml_elem *yin, struct lys_ident *ident, struct unres_schema *unres)\n{\n struct lyxml_elem *node, *next;\n struct ly_ctx *ctx = module->ctx;\n const char *value;\n int rc;\n int c_ftrs = 0, c_base = 0, c_ext = 0;\n void *reallocated;\n\n GETVAL(ctx, value, yin, \"name\");\n ident->name = value;\n\n if (read_yin_common(module, NULL, ident, LYEXT_PAR_IDENT, yin, OPT_IDENT | OPT_MODULE, unres)) {\n goto error;\n }\n\n if (dup_identities_check(ident->name, module)) {\n goto error;\n }\n\n LY_TREE_FOR(yin->child, node) {\n if (strcmp(node->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, ident->ext_size, \"extensions\", \"identity\", error);\n c_ext++;\n } else if (!strcmp(node->name, \"base\")) {\n if (c_base && (module->version < 2)) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, \"base\", \"identity\");\n goto error;\n }\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_base, ident->base_size, \"bases\", \"identity\", error);\n if (lyp_yin_parse_subnode_ext(module, ident, LYEXT_PAR_IDENT, node, LYEXT_SUBSTMT_BASE, c_base, unres)) {\n goto error;\n }\n c_base++;\n\n } else if ((module->version >= 2) && !strcmp(node->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, ident->iffeature_size, \"if-features\", \"identity\", error);\n c_ftrs++;\n\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, node->name, \"identity\");\n goto error;\n }\n }\n\n if (c_base) {\n ident->base_size = 0;\n ident->base = calloc(c_base, sizeof *ident->base);\n LY_CHECK_ERR_GOTO(!ident->base, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n ident->iffeature = calloc(c_ftrs, sizeof *ident->iffeature);\n LY_CHECK_ERR_GOTO(!ident->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(ident->ext, (c_ext + ident->ext_size) * sizeof *ident->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n 
ident->ext = reallocated;\n\n /* init memory */\n memset(&ident->ext[ident->ext_size], 0, c_ext * sizeof *ident->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n if (strcmp(node->ns->value, LY_NSYIN)) {\n /* extension */\n rc = lyp_yin_fill_ext(ident, LYEXT_PAR_IDENT, 0, 0, module, node, &ident->ext, &ident->ext_size, unres);\n if (rc) {\n goto error;\n }\n } else if (!strcmp(node->name, \"base\")) {\n GETVAL(ctx, value, node, \"name\");\n value = transform_schema2json(module, value);\n if (!value) {\n goto error;\n }\n\n if (unres_schema_add_str(module, unres, ident, UNRES_IDENT, value) == -1) {\n lydict_remove(ctx, value);\n goto error;\n }\n lydict_remove(ctx, value);\n } else if (!strcmp(node->name, \"if-feature\")) {\n rc = fill_yin_iffeature((struct lys_node *)ident, 0, node, &ident->iffeature[ident->iffeature_size], unres);\n ident->iffeature_size++;\n if (rc) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&ident->ext, ident->ext_size, c_ext + ident->ext_size);\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}",
- "project": "libyang",
- "hash": 303210407653721522682644813687627927126,
- "size": 100,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336785
- },
- {
- "func": "read_yin_container(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_container *cont;\n const char *value;\n void *reallocated;\n int r;\n int c_tpdf = 0, c_must = 0, c_ftrs = 0, c_ext = 0;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n cont = calloc(1, sizeof *cont);\n LY_CHECK_ERR_RETURN(!cont, LOGMEM(ctx), NULL);\n\n cont->nodetype = LYS_CONTAINER;\n cont->prev = (struct lys_node *)cont;\n retval = (struct lys_node *)cont;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process container's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"container\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"presence\")) {\n if (cont->presence) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, sub, \"value\");\n cont->presence = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_PRESENCE, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"when\")) {\n if (cont->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto 
error;\n }\n\n cont->when = read_yin_when(module, sub, unres);\n if (!cont->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\") ||\n !strcmp(sub->name, \"action\") ||\n !strcmp(sub->name, \"notification\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, cont->tpdf_size, \"typedefs\", \"container\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, cont->must_size, \"musts\", \"container\", error);\n c_must++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"container\", error);\n c_ftrs++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n cont->tpdf = calloc(c_tpdf, sizeof *cont->tpdf);\n LY_CHECK_ERR_GOTO(!cont->tpdf, LOGMEM(ctx), error);\n }\n if (c_must) {\n cont->must = calloc(c_must, sizeof *cont->must);\n LY_CHECK_ERR_GOTO(!cont->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n cont->iffeature = calloc(c_ftrs, sizeof *cont->iffeature);\n LY_CHECK_ERR_GOTO(!cont->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n 
/* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &cont->tpdf[cont->tpdf_size], unres);\n cont->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &cont->must[cont->must_size], unres);\n cont->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &cont->iffeature[cont->iffeature_size], unres);\n cont->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node 
= read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n } else if (!strcmp(sub->name, \"action\")) {\n node = read_yin_rpc_action(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"notification\")) {\n node = read_yin_notif(module, retval, sub, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (cont->when || cont->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r]->flags & LYEXT_OPT_VALID) {\n retval->flags |= LYS_VALID_EXT;\n if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {\n retval->flags |= LYS_VALID_EXT_SUBTREE;\n break;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}",
- "project": "libyang",
- "hash": 55868768057507781729927570308714603647,
- "size": 217,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 1,
- "dataset": "other",
- "idx": 202684
- },
- {
- "func": "read_yin_case(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node_case *cs;\n struct lys_node *retval, *node = NULL;\n int c_ftrs = 0, c_ext = 0, ret;\n void *reallocated;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n cs = calloc(1, sizeof *cs);\n LY_CHECK_ERR_RETURN(!cs, LOGMEM(ctx), NULL);\n cs->nodetype = LYS_CASE;\n cs->prev = (struct lys_node *)cs;\n retval = (struct lys_node *)cs;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | (!(options & LYS_PARSE_OPT_CFG_MASK) ? OPT_CFG_INHERIT : 0), unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process choice's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"case\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\")) {\n\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"case\", error);\n c_ftrs++;\n } else if (!strcmp(sub->name, \"when\")) {\n if (cs->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n cs->when = read_yin_when(module, sub, unres);\n if (!cs->when) {\n 
goto error;\n }\n\n lyxml_free(ctx, sub);\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n if (c_ftrs) {\n cs->iffeature = calloc(c_ftrs, sizeof *cs->iffeature);\n LY_CHECK_ERR_GOTO(!cs->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n ret = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (ret) {\n goto error;\n }\n } else {\n /* if-feature */\n ret = fill_yin_iffeature(retval, 0, sub, &cs->iffeature[cs->iffeature_size], unres);\n cs->iffeature_size++;\n if (ret) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } 
else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && cs->when) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n lys_node_free(ctx, retval, NULL, 0);\n\n return NULL;\n}",
- "project": "libyang",
- "hash": 263724935681497802127371327965989280613,
- "size": 151,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336755
- },
- {
- "func": "fill_yin_revision(struct lys_module *module, struct lyxml_elem *yin, struct lys_revision *rev,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *next, *child;\n const char *value;\n\n GETVAL(ctx, value, yin, \"date\");\n if (lyp_check_date(ctx, value)) {\n goto error;\n }\n memcpy(rev->date, value, LY_REV_SIZE - 1);\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* possible extension instance */\n if (lyp_yin_parse_subnode_ext(module, rev, LYEXT_PAR_REVISION,\n child, LYEXT_SUBSTMT_SELF, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(child->name, \"description\")) {\n if (rev->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, rev, LYEXT_PAR_REVISION,\n child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n goto error;\n }\n rev->dsc = read_yin_subnode(ctx, child, \"text\");\n if (!rev->dsc) {\n goto error;\n }\n } else if (!strcmp(child->name, \"reference\")) {\n if (rev->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, rev, LYEXT_PAR_REVISION,\n child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n goto error;\n }\n rev->ref = read_yin_subnode(ctx, child, \"text\");\n if (!rev->ref) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}",
- "project": "libyang",
- "hash": 29093414042920482668152808587976036431,
- "size": 60,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336757
- },
- {
- "func": "read_yin_rpc_action(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_rpc_action *rpc;\n int r;\n int c_tpdf = 0, c_ftrs = 0, c_input = 0, c_output = 0, c_ext = 0;\n void *reallocated;\n\n if (!strcmp(yin->name, \"action\") && (module->version < 2)) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, parent, \"action\");\n return NULL;\n }\n\n /* init */\n memset(&root, 0, sizeof root);\n\n rpc = calloc(1, sizeof *rpc);\n LY_CHECK_ERR_RETURN(!rpc, LOGMEM(ctx), NULL);\n\n rpc->nodetype = (!strcmp(yin->name, \"rpc\") ? LYS_RPC : LYS_ACTION);\n rpc->prev = (struct lys_node *)rpc;\n retval = (struct lys_node *)rpc;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin, OPT_IDENT | OPT_MODULE, unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process rpc's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\",\n rpc->nodetype == LYS_RPC ? 
\"rpc\" : \"action\", error);\n c_ext++;\n continue;\n } else if (!strcmp(sub->name, \"input\")) {\n if (c_input) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n c_input++;\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n } else if (!strcmp(sub->name, \"output\")) {\n if (c_output) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n c_output++;\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* data statements */\n } else if (!strcmp(sub->name, \"grouping\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, rpc->tpdf_size, \"typedefs\",\n rpc->nodetype == LYS_RPC ? \"rpc\" : \"action\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\",\n rpc->nodetype == LYS_RPC ? 
\"rpc\" : \"action\", error);\n c_ftrs++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n rpc->tpdf = calloc(c_tpdf, sizeof *rpc->tpdf);\n LY_CHECK_ERR_GOTO(!rpc->tpdf, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n rpc->iffeature = calloc(c_ftrs, sizeof *rpc->iffeature);\n LY_CHECK_ERR_GOTO(!rpc->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &rpc->tpdf[rpc->tpdf_size], unres);\n rpc->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &rpc->iffeature[rpc->iffeature_size], unres);\n rpc->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"input\") || !strcmp(sub->name, \"output\")) {\n node = read_yin_input_output(module, retval, sub, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, 
retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}",
- "project": "libyang",
- "hash": 59707091107614957838004211761638343213,
- "size": 149,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336765
- },
- {
- "func": "read_sub_module(struct lys_module *module, struct lys_submodule *submodule, struct lyxml_elem *yin,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *next, *child, root, grps, augs, revs, exts;\n struct lys_node *node = NULL;\n struct lys_module *trg;\n const char *value;\n int i, r, ret = -1;\n int version_flag = 0;\n /* (sub)module substatements are ordered in groups, increment this value when moving to another group\n * 0 - header-stmts, 1 - linkage-stmts, 2 - meta-stmts, 3 - revision-stmts, 4 - body-stmts */\n int substmt_group;\n /* just remember last substatement for logging */\n const char *substmt_prev;\n /* counters */\n int c_imp = 0, c_rev = 0, c_tpdf = 0, c_ident = 0, c_inc = 0, c_aug = 0, c_ftrs = 0, c_dev = 0;\n int c_ext = 0, c_extinst = 0;\n void *reallocated;\n\n /* to simplify code, store the module/submodule being processed as trg */\n trg = submodule ? (struct lys_module *)submodule : module;\n\n /* init */\n memset(&root, 0, sizeof root);\n memset(&grps, 0, sizeof grps);\n memset(&augs, 0, sizeof augs);\n memset(&exts, 0, sizeof exts);\n memset(&revs, 0, sizeof revs);\n\n /*\n * in the first run, we process elements with cardinality of 1 or 0..1 and\n * count elements with cardinality 0..n. Data elements (choices, containers,\n * leafs, lists, leaf-lists) are moved aside to be processed last, since we\n * need have all top-level and groupings already prepared at that time. In\n * the middle loop, we process other elements with carinality of 0..n since\n * we need to allocate arrays to store them.\n */\n substmt_group = 0;\n substmt_prev = NULL;\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n lyxml_free(ctx, child);\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* possible extension instance */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_extinst, trg->ext_size, \"extension instances\",\n submodule ? 
\"submodule\" : \"module\", error);\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &exts, child);\n c_extinst++;\n } else if (!submodule && !strcmp(child->name, \"namespace\")) {\n if (substmt_group > 0) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n\n if (trg->ns) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"uri\");\n trg->ns = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_NAMESPACE, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, child);\n\n substmt_prev = \"namespace\";\n } else if (!submodule && !strcmp(child->name, \"prefix\")) {\n if (substmt_group > 0) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n\n if (trg->prefix) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"value\");\n if (lyp_check_identifier(ctx, value, LY_IDENT_PREFIX, trg, NULL)) {\n goto error;\n }\n trg->prefix = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_PREFIX, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, child);\n\n substmt_prev = \"prefix\";\n } else if (submodule && !strcmp(child->name, \"belongs-to\")) {\n if (substmt_group > 0) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n\n if (trg->prefix) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, 
child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"module\");\n if (!ly_strequal(value, submodule->belongsto->name, 1)) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_NONE, NULL, value, child->name);\n goto error;\n }\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_BELONGSTO, 0, unres)) {\n goto error;\n }\n\n /* get the prefix substatement, start with checks */\n if (!child->child) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"prefix\", child->name);\n goto error;\n } else if (strcmp(child->child->name, \"prefix\")) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->child->name);\n goto error;\n } else if (child->child->next) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->child->next->name);\n goto error;\n }\n /* and now finally get the value */\n GETVAL(ctx, value, child->child, \"value\");\n /* check here differs from a generic prefix check, since this prefix\n * don't have to be unique\n */\n if (lyp_check_identifier(ctx, value, LY_IDENT_NAME, NULL, NULL)) {\n goto error;\n }\n submodule->prefix = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child->child, LYEXT_SUBSTMT_PREFIX, 0, unres)) {\n goto error;\n }\n\n /* we are done with belongs-to */\n lyxml_free(ctx, child);\n\n substmt_prev = \"belongs-to\";\n\n /* counters (statements with n..1 cardinality) */\n } else if (!strcmp(child->name, \"import\")) {\n if (substmt_group > 1) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 1;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_imp, trg->imp_size, \"imports\",\n submodule ? 
\"submodule\" : \"module\", error);\n c_imp++;\n\n substmt_prev = \"import\";\n } else if (!strcmp(child->name, \"revision\")) {\n if (substmt_group > 3) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 3;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_rev, trg->rev_size, \"revisions\",\n submodule ? \"submodule\" : \"module\", error);\n c_rev++;\n\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &revs, child);\n\n substmt_prev = \"revision\";\n } else if (!strcmp(child->name, \"typedef\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, trg->tpdf_size, \"typedefs\",\n submodule ? \"submodule\" : \"module\", error);\n c_tpdf++;\n\n substmt_prev = \"typedef\";\n } else if (!strcmp(child->name, \"identity\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ident, trg->ident_size, \"identities\",\n submodule ? \"submodule\" : \"module\", error);\n c_ident++;\n\n substmt_prev = \"identity\";\n } else if (!strcmp(child->name, \"include\")) {\n if (substmt_group > 1) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 1;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_inc, trg->inc_size, \"includes\",\n submodule ? \"submodule\" : \"module\", error);\n c_inc++;\n\n substmt_prev = \"include\";\n } else if (!strcmp(child->name, \"augment\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_aug, trg->augment_size, \"augments\",\n submodule ? 
\"submodule\" : \"module\", error);\n c_aug++;\n /* keep augments separated, processed last */\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &augs, child);\n\n substmt_prev = \"augment\";\n } else if (!strcmp(child->name, \"feature\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, trg->features_size, \"features\",\n submodule ? \"submodule\" : \"module\", error);\n c_ftrs++;\n\n substmt_prev = \"feature\";\n\n /* data statements */\n } else if (!strcmp(child->name, \"container\") ||\n !strcmp(child->name, \"leaf-list\") ||\n !strcmp(child->name, \"leaf\") ||\n !strcmp(child->name, \"list\") ||\n !strcmp(child->name, \"choice\") ||\n !strcmp(child->name, \"uses\") ||\n !strcmp(child->name, \"anyxml\") ||\n !strcmp(child->name, \"anydata\") ||\n !strcmp(child->name, \"rpc\") ||\n !strcmp(child->name, \"notification\")) {\n substmt_group = 4;\n\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &root, child);\n\n substmt_prev = \"data definition\";\n } else if (!strcmp(child->name, \"grouping\")) {\n substmt_group = 4;\n\n /* keep groupings separated and process them before other data statements */\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &grps, child);\n\n substmt_prev = \"grouping\";\n /* optional statements */\n } else if (!strcmp(child->name, \"description\")) {\n if (substmt_group > 2) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 2;\n\n if (trg->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n goto error;\n }\n trg->dsc = read_yin_subnode(ctx, child, \"text\");\n lyxml_free(ctx, child);\n if (!trg->dsc) {\n goto error;\n }\n\n substmt_prev = 
\"description\";\n } else if (!strcmp(child->name, \"reference\")) {\n if (substmt_group > 2) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 2;\n\n if (trg->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n goto error;\n }\n trg->ref = read_yin_subnode(ctx, child, \"text\");\n lyxml_free(ctx, child);\n if (!trg->ref) {\n goto error;\n }\n\n substmt_prev = \"reference\";\n } else if (!strcmp(child->name, \"organization\")) {\n if (substmt_group > 2) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 2;\n\n if (trg->org) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_ORGANIZATION, 0, unres)) {\n goto error;\n }\n trg->org = read_yin_subnode(ctx, child, \"text\");\n lyxml_free(ctx, child);\n if (!trg->org) {\n goto error;\n }\n\n substmt_prev = \"organization\";\n } else if (!strcmp(child->name, \"contact\")) {\n if (substmt_group > 2) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n substmt_group = 2;\n\n if (trg->contact) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_CONTACT, 0, unres)) {\n goto error;\n }\n trg->contact 
= read_yin_subnode(ctx, child, \"text\");\n lyxml_free(ctx, child);\n if (!trg->contact) {\n goto error;\n }\n\n substmt_prev = \"contact\";\n } else if (!strcmp(child->name, \"yang-version\")) {\n if (substmt_group > 0) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_NONE, NULL, \"Statement \\\"%s\\\" cannot appear after \\\"%s\\\" statement.\",\n child->name, substmt_prev);\n goto error;\n }\n\n if (version_flag) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"value\");\n if (strcmp(value, \"1\") && strcmp(value, \"1.1\")) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_NONE, NULL, value, \"yang-version\");\n goto error;\n }\n version_flag = 1;\n if (!strcmp(value, \"1\")) {\n if (submodule) {\n if (module->version > 1) {\n LOGVAL(ctx, LYE_INVER, LY_VLOG_NONE, NULL);\n goto error;\n }\n submodule->version = 1;\n } else {\n module->version = 1;\n }\n } else {\n if (submodule) {\n if (module->version < 2) {\n LOGVAL(ctx, LYE_INVER, LY_VLOG_NONE, NULL);\n goto error;\n }\n submodule->version = 2;\n } else {\n module->version = 2;\n }\n }\n\n if (lyp_yin_parse_subnode_ext(trg, trg, LYEXT_PAR_MODULE, child, LYEXT_SUBSTMT_VERSION, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, child);\n\n substmt_prev = \"yang-version\";\n } else if (!strcmp(child->name, \"extension\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, trg->extensions_size, \"extensions\",\n submodule ? \"submodule\" : \"module\", error);\n c_ext++;\n\n substmt_prev = \"extension\";\n } else if (!strcmp(child->name, \"deviation\")) {\n substmt_group = 4;\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_dev, trg->deviation_size, \"deviations\",\n submodule ? 
\"submodule\" : \"module\", error);\n c_dev++;\n\n substmt_prev = \"deviation\";\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n /* check for mandatory statements */\n if (submodule) {\n if (!submodule->prefix) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"belongs-to\", \"submodule\");\n goto error;\n }\n if (!version_flag) {\n /* check version compatibility with the main module */\n if (module->version > 1) {\n LOGVAL(ctx, LYE_INVER, LY_VLOG_NONE, NULL);\n goto error;\n }\n }\n } else {\n if (!trg->ns) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"namespace\", \"module\");\n goto error;\n }\n if (!trg->prefix) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"prefix\", \"module\");\n goto error;\n }\n }\n\n /* allocate arrays for elements with cardinality of 0..n */\n if (c_imp) {\n trg->imp = calloc(c_imp, sizeof *trg->imp);\n LY_CHECK_ERR_GOTO(!trg->imp, LOGMEM(ctx), error);\n }\n if (c_rev) {\n trg->rev = calloc(c_rev, sizeof *trg->rev);\n LY_CHECK_ERR_GOTO(!trg->rev, LOGMEM(ctx), error);\n }\n if (c_tpdf) {\n trg->tpdf = calloc(c_tpdf, sizeof *trg->tpdf);\n LY_CHECK_ERR_GOTO(!trg->tpdf, LOGMEM(ctx), error);\n }\n if (c_ident) {\n trg->ident = calloc(c_ident, sizeof *trg->ident);\n LY_CHECK_ERR_GOTO(!trg->ident, LOGMEM(ctx), error);\n }\n if (c_inc) {\n trg->inc = calloc(c_inc, sizeof *trg->inc);\n LY_CHECK_ERR_GOTO(!trg->inc, LOGMEM(ctx), error);\n }\n if (c_aug) {\n trg->augment = calloc(c_aug, sizeof *trg->augment);\n LY_CHECK_ERR_GOTO(!trg->augment, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n trg->features = calloc(c_ftrs, sizeof *trg->features);\n LY_CHECK_ERR_GOTO(!trg->features, LOGMEM(ctx), error);\n }\n if (c_dev) {\n trg->deviation = calloc(c_dev, sizeof *trg->deviation);\n LY_CHECK_ERR_GOTO(!trg->deviation, LOGMEM(ctx), error);\n }\n if (c_ext) {\n trg->extensions = calloc(c_ext, sizeof *trg->extensions);\n LY_CHECK_ERR_GOTO(!trg->extensions, LOGMEM(ctx), error);\n }\n\n /* 
middle part 1 - process revision and then check whether this (sub)module was not already parsed, add it there */\n LY_TREE_FOR_SAFE(revs.child, next, child) {\n r = fill_yin_revision(trg, child, &trg->rev[trg->rev_size], unres);\n trg->rev_size++;\n if (r) {\n goto error;\n }\n\n /* check uniqueness of the revision date - not required by RFC */\n for (i = 0; i < (trg->rev_size - 1); i++) {\n if (!strcmp(trg->rev[i].date, trg->rev[trg->rev_size - 1].date)) {\n LOGWRN(ctx, \"Module's revisions are not unique (%s).\", trg->rev[trg->rev_size - 1].date);\n break;\n }\n }\n\n lyxml_free(ctx, child);\n }\n\n /* check the module with respect to the context now */\n if (!submodule) {\n switch (lyp_ctx_check_module(module)) {\n case -1:\n goto error;\n case 0:\n break;\n case 1:\n /* it's already there */\n ret = 1;\n goto error;\n }\n }\n\n /* check first definition of extensions */\n if (c_ext) {\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!strcmp(child->name, \"extension\")) {\n r = fill_yin_extension(trg, child, &trg->extensions[trg->extensions_size], unres);\n trg->extensions_size++;\n if (r) {\n goto error;\n }\n\n }\n }\n }\n\n /* middle part 2 - process nodes with cardinality of 0..n except the data nodes and augments */\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!strcmp(child->name, \"import\")) {\n r = fill_yin_import(trg, child, &trg->imp[trg->imp_size], unres);\n trg->imp_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"include\")) {\n r = fill_yin_include(module, submodule, child, &trg->inc[trg->inc_size], unres);\n trg->inc_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"typedef\")) {\n r = fill_yin_typedef(trg, NULL, child, &trg->tpdf[trg->tpdf_size], unres);\n trg->tpdf_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"identity\")) {\n r = fill_yin_identity(trg, child, &trg->ident[trg->ident_size], unres);\n trg->ident_size++;\n if (r) {\n goto error;\n }\n\n } else 
if (!strcmp(child->name, \"feature\")) {\n r = fill_yin_feature(trg, child, &trg->features[trg->features_size], unres);\n trg->features_size++;\n if (r) {\n goto error;\n }\n\n } else if (!strcmp(child->name, \"deviation\")) {\n /* must be implemented in this case */\n trg->implemented = 1;\n\n r = fill_yin_deviation(trg, child, &trg->deviation[trg->deviation_size], unres);\n trg->deviation_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n /* process extension instances */\n if (c_extinst) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(trg->ext, (c_extinst + trg->ext_size) * sizeof *trg->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n trg->ext = reallocated;\n\n /* init memory */\n memset(&trg->ext[trg->ext_size], 0, c_extinst * sizeof *trg->ext);\n\n LY_TREE_FOR_SAFE(exts.child, next, child) {\n r = lyp_yin_fill_ext(trg, LYEXT_PAR_MODULE, 0, 0, trg, child, &trg->ext, &trg->ext_size, unres);\n if (r) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&trg->ext, trg->ext_size, c_ext + trg->ext_size);\n }\n\n /* process data nodes. Start with groupings to allow uses\n * refer to them. Submodule's data nodes are stored in the\n * main module data tree.\n */\n LY_TREE_FOR_SAFE(grps.child, next, child) {\n node = read_yin_grouping(trg, NULL, child, 0, unres);\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, child);\n }\n\n /* parse data nodes, ... 
*/\n LY_TREE_FOR_SAFE(root.child, next, child) {\n\n if (!strcmp(child->name, \"container\")) {\n node = read_yin_container(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"leaf-list\")) {\n node = read_yin_leaflist(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"leaf\")) {\n node = read_yin_leaf(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"list\")) {\n node = read_yin_list(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"choice\")) {\n node = read_yin_choice(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"uses\")) {\n node = read_yin_uses(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"anyxml\")) {\n node = read_yin_anydata(trg, NULL, child, LYS_ANYXML, 0, unres);\n } else if (!strcmp(child->name, \"anydata\")) {\n node = read_yin_anydata(trg, NULL, child, LYS_ANYDATA, 0, unres);\n } else if (!strcmp(child->name, \"rpc\")) {\n node = read_yin_rpc_action(trg, NULL, child, 0, unres);\n } else if (!strcmp(child->name, \"notification\")) {\n node = read_yin_notif(trg, NULL, child, 0, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, child);\n }\n\n /* ... and finally augments (last, so we can augment our data, for instance) */\n LY_TREE_FOR_SAFE(augs.child, next, child) {\n r = fill_yin_augment(trg, NULL, child, &trg->augment[trg->augment_size], 0, unres);\n trg->augment_size++;\n\n if (r) {\n goto error;\n }\n lyxml_free(ctx, child);\n }\n\n return 0;\n\nerror:\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n while (grps.child) {\n lyxml_free(ctx, grps.child);\n }\n while (augs.child) {\n lyxml_free(ctx, augs.child);\n }\n while (revs.child) {\n lyxml_free(ctx, revs.child);\n }\n while (exts.child) {\n lyxml_free(ctx, exts.child);\n }\n\n return ret;\n}",
- "project": "libyang",
- "hash": 23864015992641617212461037399150147821,
- "size": 662,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336766
- },
- {
- "func": "fill_yin_typedef(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, struct lys_tpdf *tpdf,\n struct unres_schema *unres)\n{\n const char *value;\n struct lyxml_elem *node, *next;\n struct ly_ctx *ctx = module->ctx;\n int rc, has_type = 0, c_ext = 0, i;\n void *reallocated;\n\n GETVAL(ctx, value, yin, \"name\");\n if (lyp_check_identifier(ctx, value, LY_IDENT_TYPE, module, parent)) {\n goto error;\n }\n tpdf->name = lydict_insert(ctx, value, strlen(value));\n\n /* generic part - status, description, reference */\n if (read_yin_common(module, NULL, tpdf, LYEXT_PAR_TPDF, yin, OPT_MODULE, unres)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n if (strcmp(node->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, tpdf->ext_size, \"extensions\", \"typedef\", error);\n c_ext++;\n continue;\n } else if (!strcmp(node->name, \"type\")) {\n if (has_type) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, node->name, yin->name);\n goto error;\n }\n /* HACK for unres */\n tpdf->type.der = (struct lys_tpdf *)node;\n tpdf->type.parent = tpdf;\n if (unres_schema_add_node(module, unres, &tpdf->type, UNRES_TYPE_DER_TPDF, parent) == -1) {\n goto error;\n }\n has_type = 1;\n\n /* skip lyxml_free() at the end of the loop, node was freed or at least unlinked in unres processing */\n continue;\n } else if (!strcmp(node->name, \"default\")) {\n if (tpdf->dflt) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, node->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, node, \"value\");\n tpdf->dflt = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, tpdf, LYEXT_PAR_TPDF, node, LYEXT_SUBSTMT_DEFAULT, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(node->name, \"units\")) {\n if (tpdf->units) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, node->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, node, \"name\");\n tpdf->units = lydict_insert(ctx, value, 
strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, tpdf, LYEXT_PAR_TPDF, node, LYEXT_SUBSTMT_UNITS, 0, unres)) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, value);\n goto error;\n }\n\n lyxml_free(ctx, node);\n }\n\n /* check mandatory value */\n if (!has_type) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"type\", yin->name);\n goto error;\n }\n\n /* check default value (if not defined, there still could be some restrictions\n * that need to be checked against a default value from a derived type) */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) &&\n unres_schema_add_node(module, unres, &tpdf->type, UNRES_TYPEDEF_DFLT, (struct lys_node *)(&tpdf->dflt)) == -1) {\n goto error;\n }\n\n /* finish extensions parsing */\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(tpdf->ext, (c_ext + tpdf->ext_size) * sizeof *tpdf->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n tpdf->ext = reallocated;\n\n /* init memory */\n memset(&tpdf->ext[tpdf->ext_size], 0, c_ext * sizeof *tpdf->ext);\n\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n rc = lyp_yin_fill_ext(tpdf, LYEXT_PAR_TYPE, 0, 0, module, node, &tpdf->ext, &tpdf->ext_size, unres);\n if (rc) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&tpdf->ext, tpdf->ext_size, c_ext + tpdf->ext_size);\n }\n\n for (i = 0; i < tpdf->ext_size; ++i) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (tpdf->ext[i]->flags & LYEXT_OPT_VALID) {\n tpdf->flags |= LYS_VALID_EXT;\n break;\n }\n }\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}",
- "project": "libyang",
- "hash": 29979432700281147848223132432589735934,
- "size": 117,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336770
- },
- {
- "func": "fill_yin_import(struct lys_module *module, struct lyxml_elem *yin, struct lys_import *imp, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *child, *next, exts;\n const char *value;\n int r, c_ext = 0;\n void *reallocated;\n\n /* init */\n memset(&exts, 0, sizeof exts);\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, imp->ext_size, \"extensions\", \"import\", error);\n c_ext++;\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &exts, child);\n } else if (!strcmp(child->name, \"prefix\")) {\n GETVAL(ctx, value, child, \"value\");\n if (lyp_check_identifier(ctx, value, LY_IDENT_PREFIX, module, NULL)) {\n goto error;\n }\n imp->prefix = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, imp, LYEXT_PAR_IMPORT, child, LYEXT_SUBSTMT_PREFIX, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(child->name, \"revision-date\")) {\n if (imp->rev[0]) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"date\");\n if (lyp_check_date(ctx, value)) {\n goto error;\n }\n memcpy(imp->rev, value, LY_REV_SIZE - 1);\n\n if (lyp_yin_parse_subnode_ext(module, imp, LYEXT_PAR_IMPORT, child, LYEXT_SUBSTMT_REVISIONDATE, 0, unres)) {\n goto error;\n }\n } else if ((module->version >= 2) && !strcmp(child->name, \"description\")) {\n if (imp->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, imp, LYEXT_PAR_IMPORT, child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n goto error;\n }\n imp->dsc = read_yin_subnode(ctx, child, \"text\");\n if (!imp->dsc) {\n goto error;\n }\n } else if ((module->version >= 2) && !strcmp(child->name, \"reference\")) {\n if (imp->ref) {\n LOGVAL(ctx, LYE_TOOMANY, 
LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, imp, LYEXT_PAR_IMPORT, child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n goto error;\n }\n imp->ref = read_yin_subnode(ctx, child, \"text\");\n if (!imp->ref) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n /* check mandatory information */\n if (!imp->prefix) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_NONE, NULL, \"prefix\", yin->name);\n goto error;\n }\n\n /* process extensions */\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(imp->ext, (c_ext + imp->ext_size) * sizeof *imp->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n imp->ext = reallocated;\n\n /* init memory */\n memset(&imp->ext[imp->ext_size], 0, c_ext * sizeof *imp->ext);\n\n LY_TREE_FOR_SAFE(exts.child, next, child) {\n /* extension */\n r = lyp_yin_fill_ext(imp, LYEXT_PAR_IMPORT, 0, 0, module, child, &imp->ext, &imp->ext_size, unres);\n if (r) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&imp->ext, imp->ext_size, c_ext + imp->ext_size);\n }\n\n GETVAL(ctx, value, yin, \"module\");\n return lyp_check_import(module, value, imp);\n\nerror:\n while (exts.child) {\n lyxml_free(ctx, exts.child);\n }\n return EXIT_FAILURE;\n}",
- "project": "libyang",
- "hash": 264509654321598332653299108821426852308,
- "size": 111,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336771
- },
- {
- "func": "read_yin_uses(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next;\n struct lys_node *retval;\n struct lys_node_uses *uses;\n const char *value;\n int c_ref = 0, c_aug = 0, c_ftrs = 0, c_ext = 0;\n int r;\n void *reallocated;\n\n uses = calloc(1, sizeof *uses);\n LY_CHECK_ERR_RETURN(!uses, LOGMEM(ctx), NULL);\n\n uses->nodetype = LYS_USES;\n uses->prev = (struct lys_node *)uses;\n retval = (struct lys_node *)uses;\n\n GETVAL(ctx, value, yin, \"name\");\n uses->name = lydict_insert(ctx, value, 0);\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin, OPT_MODULE, unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* get other properties of uses */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"uses\", error);\n c_ext++;\n continue;\n } else if (!strcmp(sub->name, \"refine\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ref, uses->refine_size, \"refines\", \"uses\", error);\n c_ref++;\n } else if (!strcmp(sub->name, \"augment\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_aug, uses->augment_size, \"augments\", \"uses\", error);\n c_aug++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"uses\", error);\n c_ftrs++;\n } else if (!strcmp(sub->name, \"when\")) {\n if (uses->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n uses->when = read_yin_when(module, sub, unres);\n if (!uses->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n 
lyxml_free(ctx, sub);\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* process properties with cardinality 0..n */\n if (c_ref) {\n uses->refine = calloc(c_ref, sizeof *uses->refine);\n LY_CHECK_ERR_GOTO(!uses->refine, LOGMEM(ctx), error);\n }\n if (c_aug) {\n uses->augment = calloc(c_aug, sizeof *uses->augment);\n LY_CHECK_ERR_GOTO(!uses->augment, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n uses->iffeature = calloc(c_ftrs, sizeof *uses->iffeature);\n LY_CHECK_ERR_GOTO(!uses->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"refine\")) {\n r = fill_yin_refine(retval, sub, &uses->refine[uses->refine_size], unres);\n uses->refine_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"augment\")) {\n r = fill_yin_augment(module, retval, sub, &uses->augment[uses->augment_size], options, unres);\n uses->augment_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &uses->iffeature[uses->iffeature_size], unres);\n uses->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n if (unres_schema_add_node(module, unres, uses, UNRES_USES, NULL) == -1) {\n goto error;\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) 
&& uses->when) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}",
- "project": "libyang",
- "hash": 285004860863246809372138985468028712083,
- "size": 143,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336772
- },
- {
- "func": "read_yin_leaflist(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lys_node *retval;\n struct lys_node_leaflist *llist;\n struct lyxml_elem *sub, *next;\n const char *value;\n char *endptr;\n unsigned long val;\n int r, has_type = 0;\n int c_must = 0, c_ftrs = 0, c_dflt = 0, c_ext = 0;\n int f_ordr = 0, f_min = 0, f_max = 0;\n void *reallocated;\n\n llist = calloc(1, sizeof *llist);\n LY_CHECK_ERR_RETURN(!llist, LOGMEM(ctx), NULL);\n\n llist->nodetype = LYS_LEAFLIST;\n llist->prev = (struct lys_node *)llist;\n retval = (struct lys_node *)llist;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"leaf-list\", error);\n c_ext++;\n continue;\n } else if (!strcmp(sub->name, \"type\")) {\n if (has_type) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* HACK for unres */\n llist->type.der = (struct lys_tpdf *)sub;\n llist->type.parent = (struct lys_tpdf *)llist;\n /* postpone type resolution when if-feature parsing is done since we need\n * if-feature for check_leafref_features() */\n has_type = 1;\n } else if (!strcmp(sub->name, \"units\")) {\n if (llist->units) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, 
sub, \"name\");\n llist->units = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_UNITS, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"ordered-by\")) {\n if (f_ordr) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in llist is not sufficient, we would\n * allow multiple ordered-by statements with the \"system\" value\n */\n f_ordr = 1;\n\n if (llist->flags & LYS_CONFIG_R) {\n /* RFC 6020, 7.7.5 - ignore ordering when the list represents\n * state data\n */\n lyxml_free(ctx, sub);\n continue;\n }\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"user\")) {\n llist->flags |= LYS_USERORDERED;\n } else if (strcmp(value, \"system\")) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n } /* else system is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_ORDEREDBY, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, llist->must_size, \"musts\", \"leaf-list\", error);\n c_must++;\n continue;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"leaf-list\", error);\n c_ftrs++;\n continue;\n } else if ((module->version >= 2) && !strcmp(sub->name, \"default\")) {\n /* read the default's extension instances */\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_DEFAULT, c_dflt, unres)) {\n goto error;\n }\n\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_dflt, llist->dflt_size, \"defaults\", \"leaf-list\", error);\n c_dflt++;\n continue;\n\n } else if (!strcmp(sub->name, \"min-elements\")) {\n if (f_min) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n f_min = 1;\n\n 
GETVAL(ctx, value, sub, \"value\");\n while (isspace(value[0])) {\n value++;\n }\n\n /* convert it to uint32_t */\n errno = 0;\n endptr = NULL;\n val = strtoul(value, &endptr, 10);\n if (*endptr || value[0] == '-' || errno || val > UINT32_MAX) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n llist->min = (uint32_t) val;\n if (llist->max && (llist->min > llist->max)) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"\\\"min-elements\\\" is bigger than \\\"max-elements\\\".\");\n goto error;\n }\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MIN, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"max-elements\")) {\n if (f_max) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n f_max = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n while (isspace(value[0])) {\n value++;\n }\n\n if (!strcmp(value, \"unbounded\")) {\n llist->max = 0;\n } else {\n /* convert it to uint32_t */\n errno = 0;\n endptr = NULL;\n val = strtoul(value, &endptr, 10);\n if (*endptr || value[0] == '-' || errno || val == 0 || val > UINT32_MAX) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n llist->max = (uint32_t) val;\n if (llist->min > llist->max) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"\\\"max-elements\\\" is smaller than \\\"min-elements\\\".\");\n goto error;\n }\n }\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MAX, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"when\")) {\n if (llist->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n llist->when = read_yin_when(module, sub, unres);\n if (!llist->when) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, 
sub->name);\n goto error;\n }\n\n /* do not free sub, it could have been unlinked and stored in unres */\n }\n\n /* check constraints */\n if (!has_type) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_LYS, retval, \"type\", yin->name);\n goto error;\n }\n\n /* middle part - process nodes with cardinality of 0..n */\n if (c_must) {\n llist->must = calloc(c_must, sizeof *llist->must);\n LY_CHECK_ERR_GOTO(!llist->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n llist->iffeature = calloc(c_ftrs, sizeof *llist->iffeature);\n LY_CHECK_ERR_GOTO(!llist->iffeature, LOGMEM(ctx), error);\n }\n if (c_dflt) {\n llist->dflt = calloc(c_dflt, sizeof *llist->dflt);\n LY_CHECK_ERR_GOTO(!llist->dflt, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &llist->must[llist->must_size], unres);\n llist->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &llist->iffeature[llist->iffeature_size], unres);\n llist->iffeature_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"default\")) {\n GETVAL(ctx, value, sub, \"value\");\n\n /* check for duplicity in case of configuration data,\n * in case of status data duplicities are allowed */\n if (llist->flags & LYS_CONFIG_W) {\n for (r = 0; r < llist->dflt_size; r++) {\n if (ly_strequal(llist->dflt[r], value, 
1)) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, \"default\");\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"Duplicated default value \\\"%s\\\".\", value);\n goto error;\n }\n }\n }\n llist->dflt[llist->dflt_size++] = lydict_insert(ctx, value, strlen(value));\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* finalize type parsing */\n if (unres_schema_add_node(module, unres, &llist->type, UNRES_TYPE_DER, retval) == -1) {\n llist->type.der = NULL;\n goto error;\n }\n\n if (llist->dflt_size && llist->min) {\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_LYS, retval, \"min-elements\", \"leaf-list\");\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL,\n \"The \\\"min-elements\\\" statement with non-zero value is forbidden on leaf-lists with the \\\"default\\\" statement.\");\n goto error;\n }\n\n /* check default value (if not defined, there still could be some restrictions\n * that need to be checked against a default value from a derived type) */\n for (r = 0; r < llist->dflt_size; r++) {\n if (!(ctx->models.flags & LY_CTX_TRUSTED) &&\n (unres_schema_add_node(module, unres, &llist->type, UNRES_TYPE_DFLT,\n (struct lys_node *)(&llist->dflt[r])) == -1)) {\n goto error;\n }\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (llist->when || llist->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n retval->flags |= LYS_VALID_EXT;\n break;\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}",
- "project": "libyang",
- "hash": 47871158716956981093659887429750913688,
- "size": 311,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336774
- },
- {
- "func": "read_yin_list(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lys_node *retval, *node;\n struct lys_node_list *list;\n struct lyxml_elem *sub, *next, root, uniq;\n int r;\n int c_tpdf = 0, c_must = 0, c_uniq = 0, c_ftrs = 0, c_ext = 0;\n int f_ordr = 0, f_max = 0, f_min = 0;\n const char *value;\n char *auxs;\n unsigned long val;\n void *reallocated;\n\n /* init */\n memset(&root, 0, sizeof root);\n memset(&uniq, 0, sizeof uniq);\n\n list = calloc(1, sizeof *list);\n LY_CHECK_ERR_RETURN(!list, LOGMEM(ctx), NULL);\n\n list->nodetype = LYS_LIST;\n list->prev = (struct lys_node *)list;\n retval = (struct lys_node *)list;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process list's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"list\", error);\n c_ext++;\n continue;\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\") ||\n !strcmp(sub->name, \"action\") ||\n !strcmp(sub->name, \"notification\")) {\n lyxml_unlink_elem(ctx, sub, 
2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"key\")) {\n /* check cardinality 0..1 */\n if (list->keys_size) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, list->name);\n goto error;\n }\n\n /* count the number of keys */\n GETVAL(ctx, value, sub, \"value\");\n list->keys_str = lydict_insert(ctx, value, 0);\n while ((value = strpbrk(value, \" \\t\\n\"))) {\n list->keys_size++;\n while (isspace(*value)) {\n value++;\n }\n }\n list->keys_size++;\n list->keys = calloc(list->keys_size, sizeof *list->keys);\n LY_CHECK_ERR_GOTO(!list->keys, LOGMEM(ctx), error);\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_KEY, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"unique\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_uniq, list->unique_size, \"uniques\", \"list\", error);\n c_uniq++;\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &uniq, sub);\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, list->tpdf_size, \"typedefs\", \"list\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, list->must_size, \"musts\", \"list\", error);\n c_must++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"list\", error);\n c_ftrs++;\n\n /* optional stetments */\n } else if (!strcmp(sub->name, \"ordered-by\")) {\n if (f_ordr) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in llist is not sufficient, we would\n * allow multiple ordered-by statements with the \"system\" value\n */\n f_ordr = 1;\n\n if (list->flags & LYS_CONFIG_R) {\n /* RFC 6020, 7.7.5 - ignore ordering when the list represents\n * state data\n */\n lyxml_free(ctx, sub);\n continue;\n }\n\n GETVAL(ctx, value, sub, 
\"value\");\n if (!strcmp(value, \"user\")) {\n list->flags |= LYS_USERORDERED;\n } else if (strcmp(value, \"system\")) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n } /* else system is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_ORDEREDBY, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"min-elements\")) {\n if (f_min) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n f_min = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n while (isspace(value[0])) {\n value++;\n }\n\n /* convert it to uint32_t */\n errno = 0;\n auxs = NULL;\n val = strtoul(value, &auxs, 10);\n if (*auxs || value[0] == '-' || errno || val > UINT32_MAX) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n list->min = (uint32_t) val;\n if (list->max && (list->min > list->max)) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"\\\"min-elements\\\" is bigger than \\\"max-elements\\\".\");\n lyxml_free(ctx, sub);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MIN, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"max-elements\")) {\n if (f_max) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n f_max = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n while (isspace(value[0])) {\n value++;\n }\n\n if (!strcmp(value, \"unbounded\")) {\n list->max = 0;;\n } else {\n /* convert it to uint32_t */\n errno = 0;\n auxs = NULL;\n val = strtoul(value, &auxs, 10);\n if (*auxs || value[0] == '-' || errno || val == 0 || val > UINT32_MAX) {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n list->max = (uint32_t) val;\n if (list->min > list->max) {\n LOGVAL(ctx, 
LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"\\\"max-elements\\\" is smaller than \\\"min-elements\\\".\");\n goto error;\n }\n }\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MAX, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"when\")) {\n if (list->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n list->when = read_yin_when(module, sub, unres);\n if (!list->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* check - if list is configuration, key statement is mandatory\n * (but only if we are not in a grouping or augment, then the check is deferred) */\n for (node = retval; node && !(node->nodetype & (LYS_GROUPING | LYS_AUGMENT | LYS_EXT)); node = node->parent);\n if (!node && (list->flags & LYS_CONFIG_W) && !list->keys_str) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_LYS, retval, \"key\", \"list\");\n goto error;\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n list->tpdf = calloc(c_tpdf, sizeof *list->tpdf);\n LY_CHECK_ERR_GOTO(!list->tpdf, LOGMEM(ctx), error);\n }\n if (c_must) {\n list->must = calloc(c_must, sizeof *list->must);\n LY_CHECK_ERR_GOTO(!list->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n list->iffeature = calloc(c_ftrs, sizeof *list->iffeature);\n LY_CHECK_ERR_GOTO(!list->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, 
next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &list->tpdf[list->tpdf_size], unres);\n list->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &list->iffeature[list->iffeature_size], unres);\n list->iffeature_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &list->must[list->must_size], unres);\n list->must_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n } else if (!strcmp(sub->name, \"action\")) {\n node = 
read_yin_rpc_action(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"notification\")) {\n node = read_yin_notif(module, retval, sub, options, unres);\n } else {\n LOGINT(ctx);\n goto error;\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n if (list->keys_str) {\n if (unres_schema_add_node(module, unres, list, UNRES_LIST_KEYS, NULL) == -1) {\n goto error;\n }\n } /* else config false list without a key, key_str presence in case of config true is checked earlier */\n\n /* process unique statements */\n if (c_uniq) {\n list->unique = calloc(c_uniq, sizeof *list->unique);\n LY_CHECK_ERR_GOTO(!list->unique, LOGMEM(ctx), error);\n\n LY_TREE_FOR_SAFE(uniq.child, next, sub) {\n r = fill_yin_unique(module, retval, sub, &list->unique[list->unique_size], unres);\n list->unique_size++;\n if (r) {\n goto error;\n }\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub,\n LYEXT_SUBSTMT_UNIQUE, list->unique_size - 1, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n }\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (list->when || list->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n retval->flags |= LYS_VALID_EXT;\n if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {\n retval->flags |= LYS_VALID_EXT_SUBTREE;\n break;\n }\n }\n }\n\n return retval;\n\nerror:\n\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n while (uniq.child) {\n lyxml_free(ctx, uniq.child);\n }\n\n return NULL;\n}",
- "project": "libyang",
- "hash": 115335602041432819983754005856712723739,
- "size": 377,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336776
- },
- {
- "func": "fill_yin_extension(struct lys_module *module, struct lyxml_elem *yin, struct lys_ext *ext, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n const char *value;\n struct lyxml_elem *child, *node, *next, *next2;\n int c_ext = 0, rc;\n void *reallocated;\n\n GETVAL(ctx, value, yin, \"name\");\n\n if (lyp_check_identifier(ctx, value, LY_IDENT_EXTENSION, module, NULL)) {\n goto error;\n }\n ext->name = lydict_insert(ctx, value, strlen(value));\n\n if (read_yin_common(module, NULL, ext, LYEXT_PAR_EXT, yin, OPT_MODULE, unres)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n if (strcmp(node->ns->value, LY_NSYIN)) {\n /* possible extension instance */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, ext->ext_size, \"extensions\", \"extension\", error);\n c_ext++;\n } else if (!strcmp(node->name, \"argument\")) {\n /* argument */\n GETVAL(ctx, value, node, \"name\");\n ext->argument = lydict_insert(ctx, value, strlen(value));\n if (lyp_yin_parse_subnode_ext(module, ext, LYEXT_PAR_EXT, node, LYEXT_SUBSTMT_ARGUMENT, 0, unres)) {\n goto error;\n }\n\n /* yin-element */\n LY_TREE_FOR_SAFE(node->child, next2, child) {\n if (child->ns == node->ns && !strcmp(child->name, \"yin-element\")) {\n GETVAL(ctx, value, child, \"value\");\n if (ly_strequal(value, \"true\", 0)) {\n ext->flags |= LYS_YINELEM;\n }\n\n if (lyp_yin_parse_subnode_ext(module, ext, LYEXT_PAR_EXT, child, LYEXT_SUBSTMT_YINELEM, 0, unres)) {\n goto error;\n }\n } else if (child->ns) {\n /* unexpected YANG statement */\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_NONE, NULL, child->name, child->name);\n goto error;\n } /* else garbage, but save resource needed for unlinking */\n }\n\n lyxml_free(ctx, node);\n } else {\n /* unexpected YANG statement */\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_NONE, NULL, node->name, node->name);\n goto error;\n }\n }\n\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(ext->ext, (c_ext + 
ext->ext_size) * sizeof *ext->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n ext->ext = reallocated;\n\n /* init memory */\n memset(&ext->ext[ext->ext_size], 0, c_ext * sizeof *ext->ext);\n\n /* process the extension instances of the extension itself */\n LY_TREE_FOR_SAFE(yin->child, next, node) {\n rc = lyp_yin_fill_ext(ext, LYEXT_PAR_EXT, 0, 0, module, node, &ext->ext, &ext->ext_size, unres);\n if (rc) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&ext->ext, ext->ext_size, c_ext + ext->ext_size);\n }\n\n /* search for plugin */\n ext->plugin = ext_get_plugin(ext->name, ext->module->name, ext->module->rev ? ext->module->rev[0].date : NULL);\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}",
- "project": "libyang",
- "hash": 286134204984875195300411165637507195251,
- "size": 86,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336777
- },
- {
- "func": "read_yin_input_output(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval = NULL;\n struct lys_node_inout *inout;\n int r;\n int c_tpdf = 0, c_must = 0, c_ext = 0;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n inout = calloc(1, sizeof *inout);\n LY_CHECK_ERR_RETURN(!inout, LOGMEM(ctx), NULL);\n inout->prev = (struct lys_node *)inout;\n\n if (!strcmp(yin->name, \"input\")) {\n inout->nodetype = LYS_INPUT;\n inout->name = lydict_insert(ctx, \"input\", 0);\n } else if (!strcmp(yin->name, \"output\")) {\n inout->nodetype = LYS_OUTPUT;\n inout->name = lydict_insert(ctx, \"output\", 0);\n } else {\n LOGINT(ctx);\n free(inout);\n goto error;\n }\n\n retval = (struct lys_node *)inout;\n retval->module = module;\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* data statements */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (!sub->ns) {\n /* garbage */\n lyxml_free(ctx, sub);\n } else if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\",\n inout->nodetype == LYS_INPUT ? 
\"input\" : \"output\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, inout->tpdf_size, \"typedefs\",\n inout->nodetype == LYS_INPUT ? \"input\" : \"output\", error);\n c_tpdf++;\n\n } else if ((module->version >= 2) && !strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, inout->must_size, \"musts\",\n inout->nodetype == LYS_INPUT ? \"input\" : \"output\", error);\n c_must++;\n\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n if (!root.child) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_LYS, retval, \"schema-node\", strnodetype(retval->nodetype));\n goto error;\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n inout->tpdf = calloc(c_tpdf, sizeof *inout->tpdf);\n LY_CHECK_ERR_GOTO(!inout->tpdf, LOGMEM(ctx), error);\n }\n if (c_must) {\n inout->must = calloc(c_must, sizeof *inout->must);\n LY_CHECK_ERR_GOTO(!inout->must, LOGMEM(ctx), error);\n }\n if (c_ext) {\n inout->ext = calloc(c_ext, sizeof *inout->ext);\n LY_CHECK_ERR_GOTO(!inout->ext, LOGMEM(ctx), error);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &inout->must[inout->must_size], unres);\n inout->must_size++;\n if (r) {\n 
goto error;\n }\n } else { /* typedef */\n r = fill_yin_typedef(module, retval, sub, &inout->tpdf[inout->tpdf_size], unres);\n inout->tpdf_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n options |= LYS_PARSE_OPT_CFG_IGNORE;\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && inout->must) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}",
- "project": "libyang",
- "hash": 307597432580069249223182367673754240947,
- "size": 173,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336779
- },
- {
- "func": "read_yin_choice(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct lyxml_elem *sub, *next, *dflt = NULL;\n struct ly_ctx *const ctx = module->ctx;\n struct lys_node *retval, *node = NULL;\n struct lys_node_choice *choice;\n const char *value;\n int f_mand = 0, c_ftrs = 0, c_ext = 0, ret;\n void *reallocated;\n\n choice = calloc(1, sizeof *choice);\n LY_CHECK_ERR_RETURN(!choice, LOGMEM(ctx), NULL);\n\n choice->nodetype = LYS_CHOICE;\n choice->prev = (struct lys_node *)choice;\n retval = (struct lys_node *)choice;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process choice's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"choice\", error);\n c_ext++;\n /* keep it for later processing, skip lyxml_free() */\n continue;\n } else if (!strcmp(sub->name, \"container\")) {\n if (!(node = read_yin_container(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n if (!(node = read_yin_leaflist(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"leaf\")) {\n if (!(node = read_yin_leaf(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"list\")) {\n if (!(node = read_yin_list(module, retval, sub, options, unres))) {\n goto error;\n }\n } else 
if (!strcmp(sub->name, \"case\")) {\n if (!(node = read_yin_case(module, retval, sub, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"anyxml\")) {\n if (!(node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"anydata\")) {\n if (!(node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres))) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"default\")) {\n if (dflt) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_DEFAULT, 0, unres)) {\n goto error;\n }\n\n dflt = sub;\n lyxml_unlink_elem(ctx, dflt, 0);\n continue;\n /* skip lyxml_free() at the end of the loop, the sub node is processed later as dflt */\n\n } else if (!strcmp(sub->name, \"mandatory\")) {\n if (f_mand) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in leaf is not sufficient, we would allow\n * multiple mandatory statements with the \"false\" value\n */\n f_mand = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"true\")) {\n choice->flags |= LYS_MAND_TRUE;\n } else if (!strcmp(value, \"false\")) {\n choice->flags |= LYS_MAND_FALSE;\n } else {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n } /* else false is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MANDATORY, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"when\")) {\n if (choice->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n choice->when = read_yin_when(module, sub, unres);\n if (!choice->when) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, 
\"if-features\", \"choice\", error);\n c_ftrs++;\n\n /* skip lyxml_free() at the end of the loop, the sub node is processed later */\n continue;\n } else if (module->version >= 2 && !strcmp(sub->name, \"choice\")) {\n if (!(node = read_yin_choice(module, retval, sub, options, unres))) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n\n node = NULL;\n lyxml_free(ctx, sub);\n }\n\n if (c_ftrs) {\n choice->iffeature = calloc(c_ftrs, sizeof *choice->iffeature);\n LY_CHECK_ERR_GOTO(!choice->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n ret = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (ret) {\n goto error;\n }\n } else {\n ret = fill_yin_iffeature(retval, 0, sub, &choice->iffeature[choice->iffeature_size], unres);\n choice->iffeature_size++;\n if (ret) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* check - default is prohibited in combination with mandatory */\n if (dflt && (choice->flags & LYS_MAND_TRUE)) {\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_LYS, retval, \"default\", \"choice\");\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL, \"The \\\"default\\\" statement is forbidden on choices with \\\"mandatory\\\".\");\n goto error;\n }\n\n /* link default with the case */\n if (dflt) {\n GETVAL(ctx, value, dflt, \"value\");\n if (unres_schema_add_str(module, unres, choice, UNRES_CHOICE_DFLT, value) == -1) {\n goto error;\n }\n lyxml_free(ctx, 
dflt);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && choice->when) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n lyxml_free(ctx, dflt);\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}",
- "project": "libyang",
- "hash": 315797547351147599913771454392714186138,
- "size": 203,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336780
- },
- {
- "func": "read_yin_anydata(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, LYS_NODE type,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lys_node *retval;\n struct lys_node_anydata *anyxml;\n struct lyxml_elem *sub, *next;\n const char *value;\n int r;\n int f_mand = 0;\n int c_must = 0, c_ftrs = 0, c_ext = 0;\n void *reallocated;\n\n anyxml = calloc(1, sizeof *anyxml);\n LY_CHECK_ERR_RETURN(!anyxml, LOGMEM(ctx), NULL);\n\n anyxml->nodetype = type;\n anyxml->prev = (struct lys_node *)anyxml;\n retval = (struct lys_node *)anyxml;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT), unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"anydata\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"mandatory\")) {\n if (f_mand) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in leaf is not sufficient, we would allow\n * multiple mandatory statements with the \"false\" value\n */\n f_mand = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"true\")) {\n anyxml->flags |= LYS_MAND_TRUE;\n } else if (!strcmp(value, \"false\")) {\n anyxml->flags |= LYS_MAND_FALSE;\n } else {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n }\n /* else false is the default value, so we can ignore it */\n\n if 
(lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MANDATORY, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"when\")) {\n if (anyxml->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n anyxml->when = read_yin_when(module, sub, unres);\n if (!anyxml->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, anyxml->must_size, \"musts\", \"anydata\", error);\n c_must++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"anydata\", error);\n c_ftrs++;\n\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n */\n if (c_must) {\n anyxml->must = calloc(c_must, sizeof *anyxml->must);\n LY_CHECK_ERR_GOTO(!anyxml->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n anyxml->iffeature = calloc(c_ftrs, sizeof *anyxml->iffeature);\n LY_CHECK_ERR_GOTO(!anyxml->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &anyxml->must[anyxml->must_size], unres);\n anyxml->must_size++;\n if (r) {\n goto error;\n }\n } else if 
(!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &anyxml->iffeature[anyxml->iffeature_size], unres);\n anyxml->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (anyxml->when || anyxml->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n retval->flags |= LYS_VALID_EXT;\n break;\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}",
- "project": "libyang",
- "hash": 190407262843483632675530669528518292129,
- "size": 158,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336782
- },
- {
- "func": "read_yin_container(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_container *cont;\n const char *value;\n void *reallocated;\n int r;\n int c_tpdf = 0, c_must = 0, c_ftrs = 0, c_ext = 0;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n cont = calloc(1, sizeof *cont);\n LY_CHECK_ERR_RETURN(!cont, LOGMEM(ctx), NULL);\n\n cont->nodetype = LYS_CONTAINER;\n cont->prev = (struct lys_node *)cont;\n retval = (struct lys_node *)cont;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process container's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"container\", error);\n c_ext++;\n } else if (!strcmp(sub->name, \"presence\")) {\n if (cont->presence) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, sub, \"value\");\n cont->presence = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_PRESENCE, 0, unres)) {\n goto error;\n }\n lyxml_free(ctx, sub);\n } else if (!strcmp(sub->name, \"when\")) {\n if (cont->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto 
error;\n }\n\n cont->when = read_yin_when(module, sub, unres);\n if (!cont->when) {\n lyxml_free(ctx, sub);\n goto error;\n }\n lyxml_free(ctx, sub);\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\") ||\n !strcmp(sub->name, \"action\") ||\n !strcmp(sub->name, \"notification\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, cont->tpdf_size, \"typedefs\", \"container\", error);\n c_tpdf++;\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, cont->must_size, \"musts\", \"container\", error);\n c_must++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"container\", error);\n c_ftrs++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n cont->tpdf = calloc(c_tpdf, sizeof *cont->tpdf);\n LY_CHECK_ERR_GOTO(!cont->tpdf, LOGMEM(ctx), error);\n }\n if (c_must) {\n cont->must = calloc(c_must, sizeof *cont->must);\n LY_CHECK_ERR_GOTO(!cont->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n cont->iffeature = calloc(c_ftrs, sizeof *cont->iffeature);\n LY_CHECK_ERR_GOTO(!cont->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n 
/* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, &cont->tpdf[cont->tpdf_size], unres);\n cont->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &cont->must[cont->must_size], unres);\n cont->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &cont->iffeature[cont->iffeature_size], unres);\n cont->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node 
= read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n } else if (!strcmp(sub->name, \"action\")) {\n node = read_yin_rpc_action(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"notification\")) {\n node = read_yin_notif(module, retval, sub, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (cont->when || cont->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* extension instance may not yet be resolved */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n /* set flag, which represent LYEXT_OPT_VALID */\n retval->flags |= LYS_VALID_EXT;\n if (retval->ext[r]->flags & LYEXT_OPT_VALID_SUBTREE) {\n retval->flags |= LYS_VALID_EXT_SUBTREE;\n break;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}",
- "project": "libyang",
- "hash": 336173865557448454715868745869729551732,
- "size": 218,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336786
- },
- {
- "func": "read_yin_leaf(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lys_node *retval;\n struct lys_node_leaf *leaf;\n struct lyxml_elem *sub, *next;\n const char *value;\n int r, has_type = 0;\n int c_must = 0, c_ftrs = 0, f_mand = 0, c_ext = 0;\n void *reallocated;\n\n leaf = calloc(1, sizeof *leaf);\n LY_CHECK_ERR_RETURN(!leaf, LOGMEM(ctx), NULL);\n\n leaf->nodetype = LYS_LEAF;\n leaf->prev = (struct lys_node *)leaf;\n retval = (struct lys_node *)leaf;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin,\n OPT_IDENT | OPT_MODULE | ((options & LYS_PARSE_OPT_CFG_IGNORE) ? OPT_CFG_IGNORE :\n (options & LYS_PARSE_OPT_CFG_NOINHERIT) ? OPT_CFG_PARSE : OPT_CFG_PARSE | OPT_CFG_INHERIT),\n unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"leaf\", error);\n c_ext++;\n continue;\n } else if (!strcmp(sub->name, \"type\")) {\n if (has_type) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* HACK for unres */\n leaf->type.der = (struct lys_tpdf *)sub;\n leaf->type.parent = (struct lys_tpdf *)leaf;\n /* postpone type resolution when if-feature parsing is done since we need\n * if-feature for check_leafref_features() */\n has_type = 1;\n } else if (!strcmp(sub->name, \"default\")) {\n if (leaf->dflt) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, sub, \"value\");\n leaf->dflt = lydict_insert(ctx, value, strlen(value));\n\n if 
(lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_DEFAULT, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"units\")) {\n if (leaf->units) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n GETVAL(ctx, value, sub, \"name\");\n leaf->units = lydict_insert(ctx, value, strlen(value));\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_UNITS, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"mandatory\")) {\n if (f_mand) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n /* just checking the flags in leaf is not sufficient, we would allow\n * multiple mandatory statements with the \"false\" value\n */\n f_mand = 1;\n\n GETVAL(ctx, value, sub, \"value\");\n if (!strcmp(value, \"true\")) {\n leaf->flags |= LYS_MAND_TRUE;\n } else if (!strcmp(value, \"false\")) {\n leaf->flags |= LYS_MAND_FALSE;\n } else {\n LOGVAL(ctx, LYE_INARG, LY_VLOG_LYS, retval, value, sub->name);\n goto error;\n } /* else false is the default value, so we can ignore it */\n\n if (lyp_yin_parse_subnode_ext(module, retval, LYEXT_PAR_NODE, sub, LYEXT_SUBSTMT_MANDATORY, 0, unres)) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"when\")) {\n if (leaf->when) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_LYS, retval, sub->name, yin->name);\n goto error;\n }\n\n leaf->when = read_yin_when(module, sub, unres);\n if (!leaf->when) {\n goto error;\n }\n\n } else if (!strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, leaf->must_size, \"musts\", \"leaf\", error);\n c_must++;\n continue;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"musts\", \"leaf\", error);\n c_ftrs++;\n continue;\n\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n\n /* do not free sub, it could have been unlinked and stored in unres 
*/\n }\n\n /* check mandatory parameters */\n if (!has_type) {\n LOGVAL(ctx, LYE_MISSCHILDSTMT, LY_VLOG_LYS, retval, \"type\", yin->name);\n goto error;\n }\n if (leaf->dflt && (leaf->flags & LYS_MAND_TRUE)) {\n LOGVAL(ctx, LYE_INCHILDSTMT, LY_VLOG_LYS, retval, \"mandatory\", \"leaf\");\n LOGVAL(ctx, LYE_SPEC, LY_VLOG_PREV, NULL,\n \"The \\\"mandatory\\\" statement is forbidden on leaf with the \\\"default\\\" statement.\");\n goto error;\n }\n\n /* middle part - process nodes with cardinality of 0..n */\n if (c_must) {\n leaf->must = calloc(c_must, sizeof *leaf->must);\n LY_CHECK_ERR_GOTO(!leaf->must, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n leaf->iffeature = calloc(c_ftrs, sizeof *leaf->iffeature);\n LY_CHECK_ERR_GOTO(!leaf->iffeature, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, &leaf->must[leaf->must_size], unres);\n leaf->must_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, &leaf->iffeature[leaf->iffeature_size], unres);\n leaf->iffeature_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* finalize type parsing */\n if (unres_schema_add_node(module, unres, &leaf->type, UNRES_TYPE_DER, retval) == -1) {\n leaf->type.der = NULL;\n goto error;\n }\n\n /* 
check default value (if not defined, there still could be some restrictions\n * that need to be checked against a default value from a derived type) */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) &&\n (unres_schema_add_node(module, unres, &leaf->type, UNRES_TYPE_DFLT,\n (struct lys_node *)(&leaf->dflt)) == -1)) {\n goto error;\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && (leaf->when || leaf->must)) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n for (r = 0; r < retval->ext_size; ++r) {\n /* set flag, which represent LYEXT_OPT_VALID */\n if (retval->ext[r] && (retval->ext[r]->flags & LYEXT_OPT_VALID)) {\n retval->flags |= LYS_VALID_EXT;\n break;\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n return NULL;\n}",
- "project": "libyang",
- "hash": 112837442562867612790477931862043988586,
- "size": 219,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336787
- },
- {
- "func": "read_yin_grouping(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin, int options,\n struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_grp *grp;\n int r;\n int c_tpdf = 0, c_ext = 0;\n void *reallocated;\n\n /* init */\n memset(&root, 0, sizeof root);\n\n grp = calloc(1, sizeof *grp);\n LY_CHECK_ERR_RETURN(!grp, LOGMEM(ctx), NULL);\n\n grp->nodetype = LYS_GROUPING;\n grp->prev = (struct lys_node *)grp;\n retval = (struct lys_node *)grp;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin, OPT_IDENT | OPT_MODULE , unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"grouping\", error);\n c_ext++;\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\") ||\n !strcmp(sub->name, \"action\") ||\n !strcmp(sub->name, \"notification\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, grp->tpdf_size, \"typedefs\", \"grouping\", error);\n c_tpdf++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes 
with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n grp->tpdf = calloc(c_tpdf, sizeof *grp->tpdf);\n LY_CHECK_ERR_GOTO(!grp->tpdf, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else {\n /* typedef */\n r = fill_yin_typedef(module, retval, sub, &grp->tpdf[grp->tpdf_size], unres);\n grp->tpdf_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n if (!root.child) {\n LOGWRN(ctx, \"Grouping \\\"%s\\\" without children.\", retval->name);\n }\n options |= LYS_PARSE_OPT_INGRP;\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n 
} else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n } else if (!strcmp(sub->name, \"action\")) {\n node = read_yin_rpc_action(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"notification\")) {\n node = read_yin_notif(module, retval, sub, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}",
- "project": "libyang",
- "hash": 15413466291165177767871103584060305603,
- "size": 142,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336790
- },
- {
- "func": "read_restr_substmt(struct lys_module *module, struct lys_restr *restr, struct lyxml_elem *yin,\n struct unres_schema *unres)\n{\n struct lyxml_elem *child, *next;\n const char *value;\n struct ly_ctx *ctx = module->ctx;\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_SELF, 0, unres)) {\n return EXIT_FAILURE;\n }\n } else if (!strcmp(child->name, \"description\")) {\n if (restr->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n return EXIT_FAILURE;\n }\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n return EXIT_FAILURE;\n }\n restr->dsc = read_yin_subnode(ctx, child, \"text\");\n if (!restr->dsc) {\n return EXIT_FAILURE;\n }\n } else if (!strcmp(child->name, \"reference\")) {\n if (restr->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n return EXIT_FAILURE;\n }\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n return EXIT_FAILURE;\n }\n restr->ref = read_yin_subnode(ctx, child, \"text\");\n if (!restr->ref) {\n return EXIT_FAILURE;\n }\n } else if (!strcmp(child->name, \"error-app-tag\")) {\n if (restr->eapptag) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n return EXIT_FAILURE;\n }\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, LYEXT_SUBSTMT_ERRTAG, 0, unres)) {\n return EXIT_FAILURE;\n }\n GETVAL(ctx, value, child, \"value\");\n restr->eapptag = lydict_insert(ctx, value, 0);\n } else if (!strcmp(child->name, \"error-message\")) {\n if (restr->emsg) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n return EXIT_FAILURE;\n }\n if (lyp_yin_parse_subnode_ext(module, restr, LYEXT_PAR_RESTR, child, 
LYEXT_SUBSTMT_ERRMSG, 0, unres)) {\n return EXIT_FAILURE;\n }\n restr->emsg = read_yin_subnode(ctx, child, \"value\");\n if (!restr->emsg) {\n return EXIT_FAILURE;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_NONE, NULL, child->name);\n return EXIT_FAILURE;\n }\n }\n\n return EXIT_SUCCESS;\n\nerror:\n return EXIT_FAILURE;\n}",
- "project": "libyang",
- "hash": 93354852469643142055828412969936608221,
- "size": 73,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336793
- },
- {
- "func": "fill_yin_include(struct lys_module *module, struct lys_submodule *submodule, struct lyxml_elem *yin,\n struct lys_include *inc, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *child, *next, exts;\n const char *value;\n int r, c_ext = 0;\n void *reallocated;\n\n /* init */\n memset(&exts, 0, sizeof exts);\n\n LY_TREE_FOR_SAFE(yin->child, next, child) {\n if (!child->ns) {\n /* garbage */\n continue;\n } else if (strcmp(child->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, inc->ext_size, \"extensions\", \"include\", error);\n c_ext++;\n lyxml_unlink_elem(ctx, child, 2);\n lyxml_add_child(ctx, &exts, child);\n } else if (!strcmp(child->name, \"revision-date\")) {\n if (inc->rev[0]) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, \"revision-date\", yin->name);\n goto error;\n }\n GETVAL(ctx, value, child, \"date\");\n if (lyp_check_date(ctx, value)) {\n goto error;\n }\n memcpy(inc->rev, value, LY_REV_SIZE - 1);\n\n if (lyp_yin_parse_subnode_ext(module, inc, LYEXT_PAR_INCLUDE, child, LYEXT_SUBSTMT_REVISIONDATE, 0, unres)) {\n goto error;\n }\n } else if ((module->version >= 2) && !strcmp(child->name, \"description\")) {\n if (inc->dsc) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, inc, LYEXT_PAR_INCLUDE, child, LYEXT_SUBSTMT_DESCRIPTION, 0, unres)) {\n goto error;\n }\n inc->dsc = read_yin_subnode(ctx, child, \"text\");\n if (!inc->dsc) {\n goto error;\n }\n } else if ((module->version >= 2) && !strcmp(child->name, \"reference\")) {\n if (inc->ref) {\n LOGVAL(ctx, LYE_TOOMANY, LY_VLOG_NONE, NULL, child->name, yin->name);\n goto error;\n }\n if (lyp_yin_parse_subnode_ext(module, inc, LYEXT_PAR_INCLUDE, child, LYEXT_SUBSTMT_REFERENCE, 0, unres)) {\n goto error;\n }\n inc->ref = read_yin_subnode(ctx, child, \"text\");\n if (!inc->ref) {\n goto error;\n }\n } else {\n LOGVAL(ctx, LYE_INSTMT, 
LY_VLOG_NONE, NULL, child->name);\n goto error;\n }\n }\n\n /* process extensions */\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(inc->ext, (c_ext + inc->ext_size) * sizeof *inc->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n inc->ext = reallocated;\n\n /* init memory */\n memset(&inc->ext[inc->ext_size], 0, c_ext * sizeof *inc->ext);\n\n LY_TREE_FOR_SAFE(exts.child, next, child) {\n /* extension */\n r = lyp_yin_fill_ext(inc, LYEXT_PAR_INCLUDE, 0, 0, module, child, &inc->ext, &inc->ext_size, unres);\n if (r) {\n goto error;\n }\n }\n\n lyp_reduce_ext_list(&inc->ext, inc->ext_size, c_ext + inc->ext_size);\n }\n\n GETVAL(ctx, value, yin, \"module\");\n return lyp_check_include(submodule ? (struct lys_module *)submodule : module, value, inc, unres);\n\nerror:\n return -1;\n}",
- "project": "libyang",
- "hash": 275328397526231724343075461502239926647,
- "size": 93,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336795
- },
- {
- "func": "read_yin_notif(struct lys_module *module, struct lys_node *parent, struct lyxml_elem *yin,\n int options, struct unres_schema *unres)\n{\n struct ly_ctx *ctx = module->ctx;\n struct lyxml_elem *sub, *next, root;\n struct lys_node *node = NULL;\n struct lys_node *retval;\n struct lys_node_notif *notif;\n int r;\n int c_tpdf = 0, c_ftrs = 0, c_must = 0, c_ext = 0;\n void *reallocated;\n\n if (parent && (module->version < 2)) {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, parent, \"notification\");\n return NULL;\n }\n\n memset(&root, 0, sizeof root);\n\n notif = calloc(1, sizeof *notif);\n LY_CHECK_ERR_RETURN(!notif, LOGMEM(ctx), NULL);\n\n notif->nodetype = LYS_NOTIF;\n notif->prev = (struct lys_node *)notif;\n retval = (struct lys_node *)notif;\n\n if (read_yin_common(module, parent, retval, LYEXT_PAR_NODE, yin, OPT_IDENT | OPT_MODULE, unres)) {\n goto error;\n }\n\n LOGDBG(LY_LDGYIN, \"parsing %s statement \\\"%s\\\"\", yin->name, retval->name);\n\n /* insert the node into the schema tree */\n if (lys_node_addchild(parent, lys_main_module(module), retval, options)) {\n goto error;\n }\n\n /* process rpc's specific children */\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ext, retval->ext_size, \"extensions\", \"notification\", error);\n c_ext++;\n continue;\n\n /* data statements */\n } else if (!strcmp(sub->name, \"container\") ||\n !strcmp(sub->name, \"leaf-list\") ||\n !strcmp(sub->name, \"leaf\") ||\n !strcmp(sub->name, \"list\") ||\n !strcmp(sub->name, \"choice\") ||\n !strcmp(sub->name, \"uses\") ||\n !strcmp(sub->name, \"grouping\") ||\n !strcmp(sub->name, \"anyxml\") ||\n !strcmp(sub->name, \"anydata\")) {\n lyxml_unlink_elem(ctx, sub, 2);\n lyxml_add_child(ctx, &root, sub);\n\n /* array counters */\n } else if (!strcmp(sub->name, \"typedef\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_tpdf, notif->tpdf_size, \"typedefs\", \"notification\", error);\n 
c_tpdf++;\n } else if (!strcmp(sub->name, \"if-feature\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_ftrs, retval->iffeature_size, \"if-features\", \"notification\", error);\n c_ftrs++;\n } else if ((module->version >= 2) && !strcmp(sub->name, \"must\")) {\n YIN_CHECK_ARRAY_OVERFLOW_GOTO(ctx, c_must, notif->must_size, \"musts\", \"notification\", error);\n c_must++;\n } else {\n LOGVAL(ctx, LYE_INSTMT, LY_VLOG_LYS, retval, sub->name);\n goto error;\n }\n }\n\n /* middle part - process nodes with cardinality of 0..n except the data nodes */\n if (c_tpdf) {\n notif->tpdf = calloc(c_tpdf, sizeof *notif->tpdf);\n LY_CHECK_ERR_GOTO(!notif->tpdf, LOGMEM(ctx), error);\n }\n if (c_ftrs) {\n notif->iffeature = calloc(c_ftrs, sizeof *notif->iffeature);\n LY_CHECK_ERR_GOTO(!notif->iffeature, LOGMEM(ctx), error);\n }\n if (c_must) {\n notif->must = calloc(c_must, sizeof *notif->must);\n LY_CHECK_ERR_GOTO(!notif->must, LOGMEM(ctx), error);\n }\n if (c_ext) {\n /* some extensions may be already present from the substatements */\n reallocated = realloc(retval->ext, (c_ext + retval->ext_size) * sizeof *retval->ext);\n LY_CHECK_ERR_GOTO(!reallocated, LOGMEM(ctx), error);\n retval->ext = reallocated;\n\n /* init memory */\n memset(&retval->ext[retval->ext_size], 0, c_ext * sizeof *retval->ext);\n }\n\n LY_TREE_FOR_SAFE(yin->child, next, sub) {\n if (strcmp(sub->ns->value, LY_NSYIN)) {\n /* extension */\n r = lyp_yin_fill_ext(retval, LYEXT_PAR_NODE, 0, 0, module, sub, &retval->ext, &retval->ext_size, unres);\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"typedef\")) {\n r = fill_yin_typedef(module, retval, sub, ¬if->tpdf[notif->tpdf_size], unres);\n notif->tpdf_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"if-feature\")) {\n r = fill_yin_iffeature(retval, 0, sub, ¬if->iffeature[notif->iffeature_size], unres);\n notif->iffeature_size++;\n if (r) {\n goto error;\n }\n } else if (!strcmp(sub->name, \"must\")) {\n r = fill_yin_must(module, sub, 
¬if->must[notif->must_size], unres);\n notif->must_size++;\n if (r) {\n goto error;\n }\n }\n }\n\n lyp_reduce_ext_list(&retval->ext, retval->ext_size, c_ext + retval->ext_size);\n\n /* last part - process data nodes */\n options |= LYS_PARSE_OPT_CFG_IGNORE;\n LY_TREE_FOR_SAFE(root.child, next, sub) {\n if (!strcmp(sub->name, \"container\")) {\n node = read_yin_container(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf-list\")) {\n node = read_yin_leaflist(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"leaf\")) {\n node = read_yin_leaf(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"list\")) {\n node = read_yin_list(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"choice\")) {\n node = read_yin_choice(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"uses\")) {\n node = read_yin_uses(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"grouping\")) {\n node = read_yin_grouping(module, retval, sub, options, unres);\n } else if (!strcmp(sub->name, \"anyxml\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYXML, options, unres);\n } else if (!strcmp(sub->name, \"anydata\")) {\n node = read_yin_anydata(module, retval, sub, LYS_ANYDATA, options, unres);\n }\n if (!node) {\n goto error;\n }\n\n lyxml_free(ctx, sub);\n }\n\n /* check XPath dependencies */\n if (!(ctx->models.flags & LY_CTX_TRUSTED) && notif->must) {\n if (options & LYS_PARSE_OPT_INGRP) {\n if (lyxp_node_check_syntax(retval)) {\n goto error;\n }\n } else {\n if (unres_schema_add_node(module, unres, retval, UNRES_XPATH, NULL) == -1) {\n goto error;\n }\n }\n }\n\n return retval;\n\nerror:\n lys_node_free(ctx, retval, NULL, 0);\n while (root.child) {\n lyxml_free(ctx, root.child);\n }\n return NULL;\n}",
- "project": "libyang",
- "hash": 194930711234157440117714933618475949815,
- "size": 178,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336796
- },
- {
- "func": "lyp_yin_fill_ext(void *parent, LYEXT_PAR parent_type, LYEXT_SUBSTMT substmt, uint8_t substmt_index,\n struct lys_module *module, struct lyxml_elem *yin, struct lys_ext_instance ***ext,\n uint8_t *ext_size, struct unres_schema *unres)\n{\n struct unres_ext *info;\n int rc;\n\n info = malloc(sizeof *info);\n LY_CHECK_ERR_RETURN(!info, LOGMEM(module->ctx), EXIT_FAILURE);\n lyxml_unlink(module->ctx, yin);\n info->data.yin = yin;\n info->datatype = LYS_IN_YIN;\n info->parent = parent;\n info->mod = module;\n info->parent_type = parent_type;\n info->substmt = substmt;\n info->substmt_index = substmt_index;\n info->ext_index = *ext_size;\n\n rc = unres_schema_add_node(module, unres, ext, UNRES_EXT, (struct lys_node *)info);\n if (!rc && !(*ext)[*ext_size]) {\n /* extension instance is skipped */\n } else {\n ++(*ext_size);\n }\n\n return rc == -1 ? EXIT_FAILURE : EXIT_SUCCESS;\n}",
- "project": "libyang",
- "hash": 288373933368995538789084507090978474894,
- "size": 28,
- "commit_id": "a3917d95d516e3de267d3cfa5d4d3715a90e8777",
- "message": "yin parser BUGFIX invalid memory access\n\n... in case there were some unresolved\nextensions.\nFixes #1454\nFixes #1455",
- "target": 0,
- "dataset": "other",
- "idx": 336759
- },
- {
- "func": "ly_add_loaded_plugin(char *name)\n{\n loaded_plugins = ly_realloc(loaded_plugins, (loaded_plugins_count + 2) * sizeof *loaded_plugins);\n LY_CHECK_ERR_RETURN(!loaded_plugins, free(name); LOGMEM(NULL), );\n ++loaded_plugins_count;\n\n loaded_plugins[loaded_plugins_count - 1] = name;\n loaded_plugins[loaded_plugins_count] = NULL;\n}",
- "project": "libyang",
- "hash": 124770143019807796430683696017842707483,
- "size": 9,
- "commit_id": "59a0bff1a5a2f0a0eac07e4bf94d4aea9dd3708d",
- "message": "plugins BUGFIX handle empty revision correctly\n\nFixes #1451",
- "target": 0,
- "dataset": "other",
- "idx": 413420
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "test_r_str_ansi_len",
- "r_str_ansi_len",
- "r_str_ansi_nlen",
- "__str_ansi_length"
- ],
- "group_size": 12,
- "functions": [
- {
- "func": "R_API int r_str_bounds(const char *_str, int *h) {\n\tconst char *str, *ptr;\n\tint W = 0, H = 0;\n\tint cw = 0;\n\n\tif (_str) {\n\t\tptr = str = _str;\n\t\twhile (*str) {\n\t\t\tif (*str == '\\n') {\n\t\t\t\tH++;\n\t\t\t\tcw = r_str_ansi_nlen (ptr, (size_t)(str - ptr));\n\t\t\t\tif (cw > W) {\n\t\t\t\t\tW = cw;\n\t\t\t\t}\n\t\t\t\tcw = 0;\n\t\t\t\tptr = str + 1;\n\t\t\t}\n\t\t\tstr++;\n\t\t\tcw++;\n\t\t}\n\t\tif (*str == '\\n') {// skip last newline\n\t\t\tH--;\n\t\t}\n\t\tif (h) {\n\t\t\t*h = H;\n\t\t}\n\t}\n\treturn W;\n}",
- "project": "radare2",
- "hash": 172961371563676163614597385006965488211,
- "size": 29,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269020
- },
- {
- "func": "R_API size_t r_str_utf8_codepoint(const char* s, size_t left) {\n\tif ((*s & 0x80) != 0x80) {\n\t\treturn 0;\n\t} else if ((*s & 0xe0) == 0xc0 && left >= 1) {\n\t\treturn ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);\n\t} else if ((*s & 0xf0) == 0xe0 && left >= 2) {\n\t\treturn ((*s & 0xf) << 12) + ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);\n\t} else if ((*s & 0xf8) == 0xf0 && left >= 3) {\n\t\treturn ((*s & 0x7) << 18) + ((*(s + 1) & 0x3f) << 12) + ((*(s + 2) & 0x3f) << 6) + (*(s + 3) & 0x3f);\n\t}\n\treturn 0;\n}",
- "project": "radare2",
- "hash": 82642143776190898523180011603148462796,
- "size": 12,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269075
- },
- {
- "func": "bool test_r_str_ansi_len(void) {\n\tint len;\n\n\tlen = r_str_ansi_len (\"radare2\");\n\tmu_assert_eq (len, 7, \"len(ascii only)\");\n\n\tlen = r_str_ansi_len (\"r\\x1b[38;2;208;80;0madare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with m)\");\n\n\tlen = r_str_ansi_len (\"r\\x1b[0Jadare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with J)\");\n\n\tlen = r_str_ansi_len (\"r\\x1b[42;42Hadare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with H)\");\n\n\tlen = r_str_ansi_len (\"r\\xc3\\xa4\"\"dare2\");\n\tmu_assert_eq (len, 8, \"len(ascii + 2 byte utf-8 counted as 2 chars)\");\n\n\tlen = r_str_ansi_len (\"radar\\xe2\\x82\\xac\"\"2\");\n\tmu_assert_eq (len, 9, \"len(ascii + 3 byte utf-8 counted as 3 chars)\");\n\n\tlen = r_str_ansi_len (\"radar\\xf0\\x9d\\x84\\x9e\"\"2\");\n\tmu_assert_eq (len, 10, \"len(ascii + 4 byte utf-8 counted as 4 chars)\");\n\n\tmu_end;\n}",
- "project": "radare2",
- "hash": 245129988670048831657085626011348857996,
- "size": 26,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268963
- },
- {
- "func": "R_API size_t r_str_len_utf8_ansi(const char *str) {\n\tint i = 0, len = 0, fullwidths = 0;\n\twhile (str[i]) {\n\t\tchar ch = str[i];\n\t\tsize_t chlen = __str_ansi_length (str + i);\n\t\tif (chlen > 1) {\n\t\t\ti += chlen - 1;\n\t\t} else if ((ch & 0xc0) != 0x80) { // utf8\n\t\t\tlen++;\n\t\t\tif (r_str_char_fullwidth (str + i, 4)) {\n\t\t\t\tfullwidths++;\n\t\t\t}\n\t\t}\n\t\ti++;\n\t}\n\treturn len + fullwidths;\n}",
- "project": "radare2",
- "hash": 246882952988880531618945286284081071080,
- "size": 17,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268864
- },
- {
- "func": "R_API size_t r_str_len_utf8(const char *s) {\n\tsize_t i = 0, j = 0, fullwidths = 0;\n\twhile (s[i]) {\n\t\tif ((s[i] & 0xc0) != 0x80) {\n\t\t\tj++;\n\t\t\tif (r_str_char_fullwidth (s + i, 4)) {\n\t\t\t\tfullwidths++;\n\t\t\t}\n\t\t}\n\t\ti++;\n\t}\n\treturn j + fullwidths;\n}",
- "project": "radare2",
- "hash": 316503508038150507658967101271731313672,
- "size": 13,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268842
- },
- {
- "func": "bool test_r_str_len_utf8_ansi(void) {\n\tint len;\n\n\tlen = r_str_len_utf8_ansi (\"radare2\");\n\tmu_assert_eq (len, 7, \"len(ascii only)\");\n\n\tlen = r_str_len_utf8_ansi (\"r\\x1b[38;2;208;80;0madare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with m)\");\n\n\tlen = r_str_len_utf8_ansi (\"r\\x1b[0Jadare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with J)\");\n\n\tlen = r_str_len_utf8_ansi (\"r\\x1b[42;42Hadare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + ansi ending with H)\");\n\n\tlen = r_str_len_utf8_ansi (\"r\\xc3\\xa4\"\"dare2\");\n\tmu_assert_eq (len, 7, \"len(ascii + 2 byte utf-8 counted as 1 char)\");\n\n\tlen = r_str_len_utf8_ansi (\"radar\\xe2\\x82\\xac\"\"2\");\n\tmu_assert_eq (len, 7, \"len(ascii + 3 byte utf-8 counted as 1 char)\");\n\n\tlen = r_str_len_utf8_ansi (\"radar\\xf0\\x9d\\x84\\x9e\"\"2\");\n\tmu_assert_eq (len, 7, \"len(ascii + 4 byte utf-8 counted as 1 char)\");\n\n\tmu_end;\n}",
- "project": "radare2",
- "hash": 300615110034844303206843893313033797781,
- "size": 26,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268885
- },
- {
- "func": "static size_t __str_ansi_length(char const *str) {\n\tsize_t i = 1;\n\tif (str[0] == 0x1b) {\n\t\tif (str[1] == '[') {\n\t\t\ti++;\n\t\t\twhile (str[i] && str[i] != 'J' && str[i] != 'm' && str[i] != 'H' && str[i] != 'K') {\n\t\t\t\ti++;\n\t\t\t}\n\t\t} else if (str[1] == '#') {\n\t\t\twhile (str[i] && str[i] != 'q') {\n\t\t\t\ti++;\n\t\t\t}\n\t\t}\n\t\tif (str[i]) {\n\t\t\ti++;\n\t\t}\n\t}\n\treturn i;\n}",
- "project": "radare2",
- "hash": 200895843150089395620465295524191413400,
- "size": 19,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268870
- },
- {
- "func": "R_API bool r_str_char_fullwidth (const char* s, size_t left) {\n\tsize_t codepoint = r_str_utf8_codepoint (s, left);\n\treturn (codepoint >= 0x1100 &&\n\t\t (codepoint <= 0x115f || /* Hangul Jamo init. consonants */\n\t\t\t codepoint == 0x2329 || codepoint == 0x232a ||\n\t\t (R_BETWEEN (0x2e80, codepoint, 0xa4cf)\n\t\t\t&& codepoint != 0x303f) || /* CJK ... Yi */\n\t\t R_BETWEEN (0xac00, codepoint, 0xd7a3) || /* Hangul Syllables */\n\t\t R_BETWEEN (0xf900, codepoint, 0xfaff) || /* CJK Compatibility Ideographs */\n\t\t R_BETWEEN (0xfe10, codepoint, 0xfe19) || /* Vertical forms */\n\t\t R_BETWEEN (0xfe30, codepoint, 0xfe6f) || /* CJK Compatibility Forms */\n\t\t R_BETWEEN (0xff00, codepoint, 0xff60) || /* Fullwidth Forms */\n\t\t R_BETWEEN (0xffe0, codepoint, 0xffe6) ||\n\t\t R_BETWEEN (0x20000, codepoint, 0x2fffd) ||\n\t\t R_BETWEEN (0x30000, codepoint, 0x3fffd)));\n\n}",
- "project": "radare2",
- "hash": 151893148021945223497863263296321387586,
- "size": 17,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269038
- },
- {
- "func": "R_API size_t r_str_ansi_len(const char *str) {\n\treturn r_str_ansi_nlen (str, 0);\n}",
- "project": "radare2",
- "hash": 58897733689454207834188866702317919166,
- "size": 3,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268835
- },
- {
- "func": "R_API size_t r_str_ansi_nlen(const char *str, size_t slen) {\n\tsize_t i = 0, len = 0;\n\tif (slen > 0) {\n\t\twhile (str[i] && i < slen) {\n\t\t\tsize_t chlen = __str_ansi_length (str + i);\n\t\t\tif (chlen == 1) {\n\t\t\t\tlen ++;\n\t\t\t}\n\t\t\ti += chlen;\n\t\t}\n\t\treturn len > 0 ? len: 1;\n\t}\n\twhile (str[i]) {\n\t\tsize_t chlen = __str_ansi_length (str + i);\n\t\tif (chlen == 1) {\n\t\t\tlen ++;\n\t\t}\n\t\ti += chlen;\n\t}\n\treturn len > 0 ? len: 1;\n}",
- "project": "radare2",
- "hash": 87218290180537692850025468704473713796,
- "size": 21,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268881
- },
- {
- "func": "R_API int r_str_ansi_filter(char *str, char **out, int **cposs, int len) {\n\tint i, j, *cps;\n\n\tif (len == 0) {\n\t\treturn 0;\n\t}\n\tif (len < 0) {\n\t\tlen = strlen (str);\n\t}\n\tchar *tmp = malloc (len + 1);\n\tif (!tmp) {\n\t\treturn -1;\n\t}\n\tmemcpy (tmp, str, len + 1);\n\tcps = calloc (len + 1, sizeof (int));\n\tif (!cps) {\n\t\tfree (tmp);\n\t\treturn -1;\n\t}\n\n\tfor (i = j = 0; i < len; i++) {\n\t\tif (tmp[i] == 0x1b) {\n\t\t\tsize_t chlen = __str_ansi_length (str + i);\n\t\t\tif (chlen > 1) {\n\t\t\t\ti += chlen;\n\t\t\t\ti--;\n\t\t\t}\n\t\t} else {\n\t\t\tstr[j] = tmp[i];\n\t\t\tcps[j] = i;\n\t\t\tj++;\n\t\t}\n\t}\n\tstr[j] = tmp[i];\n\n\tif (out) {\n\t\t*out = tmp;\n\t} else {\n\t\tfree (tmp);\n\t}\n\n\tif (cposs) {\n\t\t*cposs = cps;\n\t} else {\n\t\tfree (cps);\n\t}\n\n\treturn j;\n}",
- "project": "radare2",
- "hash": 84547543664250501063876670059002389663,
- "size": 49,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269037
- },
- {
- "func": "R_API char* r_str_replace_thunked(char *str, char *clean, int *thunk, int clen,\n\t\t\t\t const char *key, const char *val, int g) {\n\tint i, klen, vlen, slen, delta = 0, bias;\n\tchar *newstr, *scnd, *p = clean, *str_p;\n\n\tif (!str || !key || !val || !clean || !thunk) {\n\t\treturn NULL;\n\t}\n\tklen = strlen (key);\n\tvlen = strlen (val);\n\tif (klen == vlen && !strcmp (key, val)) {\n\t\treturn str;\n\t}\n\tslen = strlen (str) + 1;\n\n\tfor (i = 0; i < clen; ) {\n\t\tp = (char *)r_mem_mem (\n\t\t\t(const ut8*)clean + i, clen - i,\n\t\t\t(const ut8*)key, klen);\n\t\tif (!p) {\n\t\t\tbreak;\n\t\t}\n\t\ti = (int)(size_t)(p - clean);\n\t\t/* as the original string changes size during replacement\n\t\t * we need delta to keep track of it*/\n\t\tstr_p = str + thunk[i] + delta;\n\n\t\tint newo = thunk[i + klen] - thunk[i];\n\t\tr_str_ansi_filter (str_p, NULL, NULL, newo);\n\t\tscnd = strdup (str_p + newo);\n\t\tbias = vlen - newo;\n\n\t\tslen += bias;\n\t\t// HACK: this 32 avoids overwrites wtf\n\t\tnewstr = realloc (str, slen + klen);\n\t\tif (!newstr) {\n\t\t\teprintf (\"realloc fail\\n\");\n\t\t\tR_FREE (str);\n\t\t\tfree (scnd);\n\t\t\tbreak;\n\t\t}\n\t\tstr = newstr;\n\t\tstr_p = str + thunk[i] + delta;\n\t\tmemcpy (str_p, val, vlen);\n\t\tmemcpy (str_p + vlen, scnd, strlen (scnd) + 1);\n\t\ti += klen;\n\t\tdelta += bias;\n\t\tfree (scnd);\n\t\tif (!g) {\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn str;\n}",
- "project": "radare2",
- "hash": 45113790991075915971260591637914211342,
- "size": 54,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268912
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "do_tune",
- "gch_build",
- "gch_capo",
- "gch_tr1"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static void get_over(struct SYMBOL *s)\n{\n\tstruct VOICE_S *p_voice, *p_voice2, *p_voice3;\n\tint range, voice, voice2, voice3;\nstatic char tx_wrong_dur[] = \"Wrong duration in voice overlay\";\nstatic char txt_no_note[] = \"No note in voice overlay\";\n\n\t/* treat the end of overlay */\n\tp_voice = curvoice;\n\tif (p_voice->ignore)\n\t\treturn;\n\tif (s->abc_type == ABC_T_BAR\n\t || s->u.v_over.type == V_OVER_E) {\n\t\tif (!p_voice->last_sym) {\n\t\t\terror(1, s, txt_no_note);\n\t\t\treturn;\n\t\t}\n\t\tp_voice->last_sym->sflags |= S_BEAM_END;\n\t\tover_bar = 0;\n\t\tif (over_time < 0) {\n\t\t\terror(1, s, \"Erroneous end of voice overlap\");\n\t\t\treturn;\n\t\t}\n\t\tif (p_voice->time != over_mxtime)\n\t\t\terror(1, s, tx_wrong_dur);\n\t\tcurvoice = &voice_tb[over_voice];\n\t\tover_mxtime = 0;\n\t\tover_voice = -1;\n\t\tover_time = -1;\n\t\treturn;\n\t}\n\n\t/* treat the full overlay start */\n\tif (s->u.v_over.type == V_OVER_S) {\n\t\tover_voice = p_voice - voice_tb;\n\t\tover_time = p_voice->time;\n\t\treturn;\n\t}\n\n\t/* (here is treated a new overlay - '&') */\n\t/* create the extra voice if not done yet */\n\tif (!p_voice->last_sym) {\n\t\terror(1, s, txt_no_note);\n\t\treturn;\n\t}\n\tp_voice->last_sym->sflags |= S_BEAM_END;\n\tvoice2 = s->u.v_over.voice;\n\tp_voice2 = &voice_tb[voice2];\n\tif (parsys->voice[voice2].range < 0) {\n\t\tint clone;\n\n\t\tif (cfmt.abc2pscompat) {\n\t\t\terror(1, s, \"Cannot have %%%%abc2pscompat\");\n\t\t\tcfmt.abc2pscompat = 0;\n\t\t}\n\t\tclone = p_voice->clone >= 0;\n\t\tp_voice2->id[0] = '&';\n\t\tp_voice2->id[1] = '\\0';\n\t\tp_voice2->second = 1;\n\t\tparsys->voice[voice2].second = 1;\n\t\tp_voice2->scale = p_voice->scale;\n\t\tp_voice2->octave = p_voice->octave;\n\t\tp_voice2->transpose = p_voice->transpose;\n\t\tmemcpy(&p_voice2->key, &p_voice->key,\n\t\t\t\t\tsizeof p_voice2->key);\n\t\tmemcpy(&p_voice2->ckey, &p_voice->ckey,\n\t\t\t\t\tsizeof p_voice2->ckey);\n\t\tmemcpy(&p_voice2->okey, 
&p_voice->okey,\n\t\t\t\t\tsizeof p_voice2->okey);\n\t\tp_voice2->posit = p_voice->posit;\n\t\tp_voice2->staff = p_voice->staff;\n\t\tp_voice2->cstaff = p_voice->cstaff;\n\t\tp_voice2->color = p_voice->color;\n\t\tp_voice2->map_name = p_voice->map_name;\n\t\trange = parsys->voice[p_voice - voice_tb].range;\n\t\tfor (voice = 0; voice < MAXVOICE; voice++) {\n\t\t\tif (parsys->voice[voice].range > range)\n\t\t\t\tparsys->voice[voice].range += clone + 1;\n\t\t}\n\t\tparsys->voice[voice2].range = range + 1;\n\t\tvoice_link(p_voice2);\n\t\tif (clone) {\n\t\t\tfor (voice3 = MAXVOICE; --voice3 >= 0; ) {\n\t\t\t\tif (parsys->voice[voice3].range < 0)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (voice3 > 0) {\n\t\t\t\tp_voice3 = &voice_tb[voice3];\n\t\t\t\tstrcpy(p_voice3->id, p_voice2->id);\n\t\t\t\tp_voice3->second = 1;\n\t\t\t\tparsys->voice[voice3].second = 1;\n\t\t\t\tp_voice3->scale = voice_tb[p_voice->clone].scale;\n\t\t\t\tparsys->voice[voice3].range = range + 2;\n\t\t\t\tvoice_link(p_voice3);\n\t\t\t\tp_voice2->clone = voice3;\n\t\t\t} else {\n\t\t\t\terror(1, s,\n\t\t\t\t \"Too many voices for overlay cloning\");\n\t\t\t}\n\t\t}\n\t}\n\tvoice = p_voice - voice_tb;\n//\tp_voice2->cstaff = p_voice2->staff = parsys->voice[voice2].staff\n//\t\t\t= parsys->voice[voice].staff;\n//\tif ((voice3 = p_voice2->clone) >= 0) {\n//\t\tp_voice3 = &voice_tb[voice3];\n//\t\tp_voice3->cstaff = p_voice3->staff\n//\t\t\t\t= parsys->voice[voice3].staff\n//\t\t\t\t= parsys->voice[p_voice->clone].staff;\n//\t}\n\n\tif (over_time < 0) {\t\t\t/* first '&' in a measure */\n\t\tint time;\n\n\t\tover_bar = 1;\n\t\tover_mxtime = p_voice->time;\n\t\tover_voice = voice;\n\t\ttime = p_voice2->time;\n\t\tfor (s = p_voice->last_sym; /*s*/; s = s->prev) {\n\t\t\tif (s->type == BAR\n\t\t\t || s->time <= time)\t/* (if start of tune) */\n\t\t\t\tbreak;\n\t\t}\n\t\tover_time = s->time;\n\t} else {\n\t\tif (over_mxtime == 0)\n\t\t\tover_mxtime = p_voice->time;\n\t\telse if (p_voice->time != 
over_mxtime)\n\t\t\terror(1, s, tx_wrong_dur);\n\t}\n\tp_voice2->time = over_time;\n\tcurvoice = p_voice2;\n}",
- "project": "abcm2ps",
- "hash": 89478143332361880739890507095670885956,
- "size": 133,
- "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3",
- "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,",
- "target": 1,
- "dataset": "other",
- "idx": 215165
- },
- {
- "func": "static void get_over(struct SYMBOL *s)\n{\n\tstruct VOICE_S *p_voice, *p_voice2, *p_voice3;\n\tint range, voice, voice2, voice3;\nstatic char tx_wrong_dur[] = \"Wrong duration in voice overlay\";\nstatic char txt_no_note[] = \"No note in voice overlay\";\n\n\t/* treat the end of overlay */\n\tp_voice = curvoice;\n\tif (p_voice->ignore)\n\t\treturn;\n\tif (s->abc_type == ABC_T_BAR\n\t || s->u.v_over.type == V_OVER_E) {\n\t\tif (!p_voice->last_sym) {\n\t\t\terror(1, s, txt_no_note);\n\t\t\treturn;\n\t\t}\n\t\tp_voice->last_sym->sflags |= S_BEAM_END;\n\t\tover_bar = 0;\n\t\tif (over_time < 0) {\n\t\t\terror(1, s, \"Erroneous end of voice overlap\");\n\t\t\treturn;\n\t\t}\n\t\tcurvoice = &voice_tb[over_voice];\n\t\tif (p_voice->time != over_mxtime) {\n\t\t\terror(1, s, tx_wrong_dur);\n\t\t\tif (p_voice->time > over_mxtime)\n\t\t\t\tcurvoice->time = p_voice->time;\n\t\t\telse\n\t\t\t\tp_voice->time = curvoice->time;\n\t\t}\n\t\tover_mxtime = 0;\n\t\tover_voice = -1;\n\t\tover_time = -1;\n\t\treturn;\n\t}\n\n\t/* treat the full overlay start */\n\tif (s->u.v_over.type == V_OVER_S) {\n\t\tover_voice = p_voice - voice_tb;\n\t\tover_time = p_voice->time;\n\t\treturn;\n\t}\n\n\t/* (here is treated a new overlay - '&') */\n\t/* create the extra voice if not done yet */\n\tif (!p_voice->last_sym) {\n\t\terror(1, s, txt_no_note);\n\t\treturn;\n\t}\n\tp_voice->last_sym->sflags |= S_BEAM_END;\n\tvoice2 = s->u.v_over.voice;\n\tp_voice2 = &voice_tb[voice2];\n\tif (parsys->voice[voice2].range < 0) {\n\t\tint clone;\n\n\t\tif (cfmt.abc2pscompat) {\n\t\t\terror(1, s, \"Cannot have %%%%abc2pscompat\");\n\t\t\tcfmt.abc2pscompat = 0;\n\t\t}\n\t\tclone = p_voice->clone >= 0;\n\t\tp_voice2->id[0] = '&';\n\t\tp_voice2->id[1] = '\\0';\n\t\tp_voice2->second = 1;\n\t\tparsys->voice[voice2].second = 1;\n\t\tp_voice2->scale = p_voice->scale;\n\t\tp_voice2->octave = p_voice->octave;\n\t\tp_voice2->transpose = p_voice->transpose;\n\t\tmemcpy(&p_voice2->key, 
&p_voice->key,\n\t\t\t\t\tsizeof p_voice2->key);\n\t\tmemcpy(&p_voice2->ckey, &p_voice->ckey,\n\t\t\t\t\tsizeof p_voice2->ckey);\n\t\tmemcpy(&p_voice2->okey, &p_voice->okey,\n\t\t\t\t\tsizeof p_voice2->okey);\n\t\tp_voice2->posit = p_voice->posit;\n\t\tp_voice2->staff = p_voice->staff;\n\t\tp_voice2->cstaff = p_voice->cstaff;\n\t\tp_voice2->color = p_voice->color;\n\t\tp_voice2->map_name = p_voice->map_name;\n\t\trange = parsys->voice[p_voice - voice_tb].range;\n\t\tfor (voice = 0; voice < MAXVOICE; voice++) {\n\t\t\tif (parsys->voice[voice].range > range)\n\t\t\t\tparsys->voice[voice].range += clone + 1;\n\t\t}\n\t\tparsys->voice[voice2].range = range + 1;\n\t\tvoice_link(p_voice2);\n\t\tif (clone) {\n\t\t\tfor (voice3 = MAXVOICE; --voice3 >= 0; ) {\n\t\t\t\tif (parsys->voice[voice3].range < 0)\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (voice3 > 0) {\n\t\t\t\tp_voice3 = &voice_tb[voice3];\n\t\t\t\tstrcpy(p_voice3->id, p_voice2->id);\n\t\t\t\tp_voice3->second = 1;\n\t\t\t\tparsys->voice[voice3].second = 1;\n\t\t\t\tp_voice3->scale = voice_tb[p_voice->clone].scale;\n\t\t\t\tparsys->voice[voice3].range = range + 2;\n\t\t\t\tvoice_link(p_voice3);\n\t\t\t\tp_voice2->clone = voice3;\n\t\t\t} else {\n\t\t\t\terror(1, s,\n\t\t\t\t \"Too many voices for overlay cloning\");\n\t\t\t}\n\t\t}\n\t}\n\tvoice = p_voice - voice_tb;\n//\tp_voice2->cstaff = p_voice2->staff = parsys->voice[voice2].staff\n//\t\t\t= parsys->voice[voice].staff;\n//\tif ((voice3 = p_voice2->clone) >= 0) {\n//\t\tp_voice3 = &voice_tb[voice3];\n//\t\tp_voice3->cstaff = p_voice3->staff\n//\t\t\t\t= parsys->voice[voice3].staff\n//\t\t\t\t= parsys->voice[p_voice->clone].staff;\n//\t}\n\n\tif (over_time < 0) {\t\t\t/* first '&' in a measure */\n\t\tint time;\n\n\t\tover_bar = 1;\n\t\tover_mxtime = p_voice->time;\n\t\tover_voice = voice;\n\t\ttime = p_voice2->time;\n\t\tfor (s = p_voice->last_sym; /*s*/; s = s->prev) {\n\t\t\tif (s->type == BAR\n\t\t\t || s->time <= time)\t/* (if start of tune) 
*/\n\t\t\t\tbreak;\n\t\t}\n\t\tover_time = s->time;\n\t} else {\n\t\tif (over_mxtime == 0)\n\t\t\tover_mxtime = p_voice->time;\n\t\telse if (p_voice->time != over_mxtime)\n\t\t\terror(1, s, tx_wrong_dur);\n\t}\n\tp_voice2->time = over_time;\n\tcurvoice = p_voice2;\n}",
- "project": "abcm2ps",
- "hash": 106849796852152645656287252191337327464,
- "size": 138,
- "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3",
- "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,",
- "target": 0,
- "dataset": "other",
- "idx": 484351
- },
- {
- "func": "static void gch_build(struct SYMBOL *s)\n{\n\tstruct gch *gch;\n\tchar *p, *q, antype, sep;\n\tfloat w, h_ann, h_gch, y_above, y_below, y_left, y_right;\n\tfloat xspc;\n\tint l, ix, box, gch_place;\n\n\tif (s->posit.gch == SL_HIDDEN)\n\t\treturn;\n\ts->gch = getarena(sizeof *s->gch * MAXGCH);\n\tmemset(s->gch, 0, sizeof *s->gch * MAXGCH);\n\n\tif (curvoice->transpose != 0)\n\t\tgch_transpose(s);\n\tif (cfmt.capo)\n\t\tgch_capo(s);\n\n\t/* split the guitar chords / annotations\n\t * and initialize their vertical offsets */\n\tgch_place = s->posit.gch == SL_BELOW ? -1 : 1;\n\th_gch = cfmt.font_tb[cfmt.gcf].size;\n\th_ann = cfmt.font_tb[cfmt.anf].size;\n\ty_above = y_below = y_left = y_right = 0;\n\tbox = cfmt.gchordbox;\n\tp = s->text;\n\tgch = s->gch;\n\tsep = '\\n';\n\tantype = 'g';\t\t\t/* (compiler warning) */\n\tfor (;;) {\n\t\tif (sep != 'n' && strchr(\"^_<>@\", *p)) {\n\t\t\tgch->font = cfmt.anf;\n\t\t\tantype = *p++;\n\t\t\tif (antype == '@') {\n\t\t\t\tint n;\n\t\t\t\tfloat xo, yo;\n\n\t\t\t\tif (sscanf(p, \"%f,%f%n\", &xo, &yo, &n) != 2) {\n\t\t\t\t\terror(1, s, \"Error in annotation \\\"@\\\"\");\n\t\t\t\t} else {\n\t\t\t\t\tp += n;\n\t\t\t\t\tif (*p == ' ')\n\t\t\t\t\t\tp++;\n\t\t\t\t\tgch->x = xo;\n\t\t\t\t\tgch->y = yo;\n\t\t\t\t}\n\t\t\t}\n\t\t} else if (sep == '\\n') {\n\t\t\tgch->font = cfmt.gcf;\n\t\t\tgch->box = box;\n\t\t\tantype = 'g';\n\t\t} else {\n\t\t\tgch->font = (gch - 1)->font;\n\t\t\tgch->box = (gch - 1)->box;\n\t\t}\n\t\tgch->type = antype;\n\t\tswitch (antype) {\n\t\tdefault:\t\t\t\t/* guitar chord */\n\t\t\tif (gch_place < 0)\n\t\t\t\tbreak;\t\t\t/* below */\n\t\t\ty_above += h_gch;\n\t\t\tif (box)\n\t\t\t\ty_above += 2;\n\t\t\tbreak;\n\t\tcase '^':\t\t\t\t/* above */\n\t\t\ty_above += h_ann;\n\t\t\tbreak;\n\t\tcase '_':\t\t\t\t/* below */\n\t\t\tbreak;\n\t\tcase '<':\t\t\t\t/* left */\n\t\t\ty_left += h_ann * 0.5;\n\t\t\tbreak;\n\t\tcase '>':\t\t\t\t/* right */\n\t\t\ty_right += h_ann * 0.5;\n\t\t\tbreak;\n\t\tcase 
'@':\t\t\t\t/* absolute */\n\t\t\tif (gch->x == 0 && gch->y == 0\n\t\t\t && gch != s->gch\n\t\t\t && s->gch->type == '@') {\t/* if not 1st line */\n\t\t\t\tgch->x = (gch - 1)->x;\n\t\t\t\tgch->y = (gch - 1)->y - h_ann;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t\tgch->idx = p - s->text;\n\t\tfor (;;) {\n\t\t\tswitch (*p) {\n\t\t\tdefault:\n\t\t\t\tp++;\n\t\t\t\tcontinue;\n\t\t\tcase '\\\\':\n\t\t\t\tp++;\n\t\t\t\tif (*p == 'n') {\n\t\t\t\t\tp[-1] = '\\0';\n\t\t\t\t\tbreak;\t\t/* sep = 'n' */\n\t\t\t\t}\n\t\t\t\tp++;\n\t\t\t\tcontinue;\n\t\t\tcase '&':\t\t\t/* skip \"&xxx;\" */\n\t\t\t\tfor (;;) {\n\t\t\t\t\tswitch (*p) {\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tp++;\n\t\t\t\t\t\tcontinue;\n\t\t\t\t\tcase ';':\n\t\t\t\t\t\tp++;\n\t\t\t\t\tcase '\\0':\n\t\t\t\t\tcase '\\n':\n\t\t\t\t\tcase '\\\\':\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\tcase '\\0':\n\t\t\tcase ';':\n\t\t\tcase '\\n':\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t\tsep = *p;\n\t\tif (sep == '\\0')\n\t\t\tbreak;\n\t\t*p++ = '\\0';\n\t\tgch++;\n\t\tif (gch - s->gch >= MAXGCH) {\n\t\t\terror(1, s, \"Too many guitar chords / annotations\");\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t/* change the accidentals in the guitar chords */\n\tfor (ix = 0, gch = s->gch; ix < MAXGCH; ix++, gch++) {\n\t\tif (gch->type == '\\0')\n\t\t\tbreak;\n\t\tif (gch->type != 'g')\n\t\t\tcontinue;\n\t\tp = s->text + gch->idx;\n\t\tq = p;\n\t\tfor (; *p != '\\0'; p++) {\n\t\t\tswitch (*p) {\n\t\t\tcase '#':\n\t\t\tcase 'b':\n\t\t\tcase '=':\n\t\t\t\tif (p == q\t/* 1st char or after a slash */\n\t\t\t\t || (p != q + 1\t/* or invert '\\' behaviour */\n\t\t\t\t && p[-1] == '\\\\'))\n\t\t\t\t\tbreak;\n\n\t\t\t\t/* set the accidentals as unused utf-8 values\n\t\t\t\t * (see subs.c) */\n\t\t\t\tswitch (*p) {\n\t\t\t\tcase '#':\n\t\t\t\t\t*p = 0x01;\n\t\t\t\t\tbreak;\n\t\t\t\tcase 'b':\n\t\t\t\t\t*p = 0x02;\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n/*\t\t\t\tcase '=': */\n\t\t\t\t\t*p = 
0x03;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tif (p[-1] == '\\\\') {\n\t\t\t\t\tp--;\n\t\t\t\t\tl = strlen(p);\n\t\t\t\t\tmemmove(p, p + 1, l);\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase ' ':\n\t\t\tcase '/':\n\t\t\t\tq = p + 1;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\t/* set the offsets and widths */\n/*fixme:utf8*/\n\tfor (ix = 0, gch = s->gch; ix < MAXGCH; ix++, gch++) {\n\t\tif (gch->type == '\\0')\n\t\t\tbreak;\n\t\tif (gch->type == '@')\n\t\t\tcontinue;\t\t/* no width */\n\t\tp = s->text + gch->idx;\n\t\tstr_font(gch->font);\n\t\tw = tex_str(p);\n\t\tgch->w = w; // + 4;\n\t\tswitch (gch->type) {\n\t\tcase '_':\t\t\t/* below */\n\t\t\txspc = w * GCHPRE;\n\t\t\tif (xspc > 8)\n\t\t\t\txspc = 8;\n\t\t\tgch->x = -xspc;\n\t\t\ty_below -= h_ann;\n\t\t\tgch->y = y_below;\n\t\t\tbreak;\n\t\tcase '^':\t\t\t/* above */\n\t\t\txspc = w * GCHPRE;\n\t\t\tif (xspc > 8)\n\t\t\t\txspc = 8;\n\t\t\tgch->x = -xspc;\n\t\t\ty_above -= h_ann;\n\t\t\tgch->y = y_above;\n\t\t\tbreak;\n\t\tdefault:\t\t\t/* guitar chord */\n\t\t\txspc = w * GCHPRE;\n\t\t\tif (xspc > 8)\n\t\t\t\txspc = 8;\n\t\t\tgch->x = -xspc;\n\t\t\tif (gch_place < 0) {\t/* below */\n\t\t\t\ty_below -= h_gch;\n\t\t\t\tgch->y = y_below;\n\t\t\t\tif (box) {\n\t\t\t\t\ty_below -= 2;\n\t\t\t\t\tgch->y -= 1;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\ty_above -= h_gch;\n\t\t\t\tgch->y = y_above;\n\t\t\t\tif (box) {\n\t\t\t\t\ty_above -= 2;\n\t\t\t\t\tgch->y -= 1;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\tcase '<':\t\t/* left */\n\t\t\tgch->x = -(w + 6);\n\t\t\ty_left -= h_ann;\n\t\t\tgch->y = y_left;\n\t\t\tbreak;\n\t\tcase '>':\t\t/* right */\n\t\t\tgch->x = 6;\n\t\t\ty_right -= h_ann;\n\t\t\tgch->y = y_right;\n\t\t\tbreak;\n\t\t}\n\t}\n}",
- "project": "abcm2ps",
- "hash": 198904723762461782356983904298016550837,
- "size": 240,
- "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3",
- "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,",
- "target": 0,
- "dataset": "other",
- "idx": 484347
- },
- {
- "func": "void do_tune(void)\n{\n\tstruct VOICE_S *p_voice;\n\tstruct SYMBOL *s, *s1, *s2;\n\tint i;\n\n\t/* initialize */\n\tlvlarena(0);\n\tnstaff = 0;\n\tstaves_found = -1;\n\tfor (i = 0; i < MAXVOICE; i++) {\n\t\tp_voice = &voice_tb[i];\n\t\ts1 = (struct SYMBOL *) getarena(sizeof *s1);\n\t\tmemset(s1, 0, sizeof *s1);\n\t\ts1->type = CLEF;\n\t\ts1->voice = i;\n\t\tif (cfmt.autoclef) {\n\t\t\ts1->u.clef.type = AUTOCLEF;\n\t\t\ts1->sflags = S_CLEF_AUTO;\n\t\t} else {\n\t\t\ts1->u.clef.type = TREBLE;\n\t\t}\n\t\ts1->u.clef.line = 2;\t\t/* treble clef on 2nd line */\n\t\tp_voice->s_clef = s1;\n\t\tp_voice->meter.wmeasure = 1;\t// M:none\n\t\tp_voice->wmeasure = 1;\n\t\tp_voice->scale = 1;\n\t\tp_voice->clone = -1;\n\t\tp_voice->over = -1;\n\t\tp_voice->posit = cfmt.posit;\n\t\tp_voice->stafflines = NULL;\n//\t\tp_voice->staffscale = 0;\n\t}\n\tcurvoice = first_voice = voice_tb;\n\treset_deco();\n\tabc2win = 0;\n\tclip_start.bar = -1;\n\tclip_end.bar = (short unsigned) ~0 >> 1;\n\n\tparsys = NULL;\n\tsystem_new();\t\t\t/* create the 1st staff system */\n\tparsys->top_voice = parsys->voice[0].range = 0;\t/* implicit voice */\n\n\tif (!epsf) {\n//fixme: 8.6.2\n#if 1\n// fixme: should already be 0\n\t\tuse_buffer = 0;\n#else\n\t\tif (cfmt.oneperpage) {\n\t\t\tuse_buffer = 0;\n\t\t\tclose_page();\n\t\t} else {\n\t\t\tif (in_page)\t\t// ??\n\t\t\t\tuse_buffer = cfmt.splittune != 1;\n\t\t}\n#endif\n\t} else {\n\t\tuse_buffer = 1;\n\t\tmarg_init();\n\t}\n\n\t/* set the duration of all notes/rests\n\t *\t(this is needed for tuplets and the feathered beams) */\n\tfor (s = parse.first_sym; s; s = s->abc_next) {\n\t\tswitch (s->abc_type) {\n\t\tcase ABC_T_EOLN:\n\t\t\tif (s->u.eoln.type == 2)\n\t\t\t\tabc2win = 1;\n\t\t\tbreak;\n\t\tcase ABC_T_NOTE:\n\t\tcase ABC_T_REST:\n\t\t\ts->dur = s->u.note.notes[0].len;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (voice_tb[0].id[0] == '\\0') {\t/* single voice */\n\t\tvoice_tb[0].id[0] = '1';\t/* implicit V:1 */\n\t\tvoice_tb[0].id[1] = 
'\\0';\n\t}\n\n\t/* scan the tune */\n\tfor (s = parse.first_sym; s; s = s->abc_next) {\n\t\tif (s->flags & ABC_F_LYRIC_START)\n\t\t\tcurvoice->lyric_start = curvoice->last_sym;\n\t\tswitch (s->abc_type) {\n\t\tcase ABC_T_INFO:\n\t\t\ts = get_info(s);\n\t\t\tbreak;\n\t\tcase ABC_T_PSCOM:\n\t\t\ts = process_pscomment(s);\n\t\t\tbreak;\n\t\tcase ABC_T_NOTE:\n\t\tcase ABC_T_REST:\n\t\t\tif (curvoice->space\n\t\t\t && !(s->flags & ABC_F_GRACE)) {\n\t\t\t\tcurvoice->space = 0;\n\t\t\t\ts->flags |= ABC_F_SPACE;\n\t\t\t}\n\t\t\tget_note(s);\n\t\t\tbreak;\n\t\tcase ABC_T_BAR:\n\t\t\tif (over_bar)\n\t\t\t\tget_over(s);\n\t\t\tget_bar(s);\n\t\t\tbreak;\n\t\tcase ABC_T_CLEF:\n\t\t\tget_clef(s);\n\t\t\tbreak;\n\t\tcase ABC_T_EOLN:\n\t\t\tif (cfmt.breakoneoln\n\t\t\t || (s->flags & ABC_F_SPACE))\n\t\t\t\tcurvoice->space = 1;\n\t\t\tif (cfmt.continueall || cfmt.barsperstaff\n\t\t\t || s->u.eoln.type == 1)\t/* if '\\' */\n\t\t\t\tcontinue;\n\t\t\tif (s->u.eoln.type == 0\t\t/* if normal eoln */\n\t\t\t && abc2win\n\t\t\t && parse.abc_vers != (2 << 16))\n\t\t\t\tcontinue;\n\t\t\tif (parsys->voice[curvoice - voice_tb].range == 0\n\t\t\t && curvoice->last_sym)\n\t\t\t\tcurvoice->last_sym->sflags |= S_EOLN;\n\t\t\tif (!cfmt.alignbars)\n\t\t\t\tcontinue;\t\t/* normal */\n\n\t\t\t/* align bars */\n\t\t\twhile (s->abc_next) {\t\t/* treat the lyrics */\n\t\t\t\tif (s->abc_next->abc_type != ABC_T_INFO)\n\t\t\t\t\tbreak;\n\t\t\t\tswitch (s->abc_next->text[0]) {\n\t\t\t\tcase 'w':\n\t\t\t\t\ts = get_info(s->abc_next);\n\t\t\t\t\tcontinue;\n\t\t\t\tcase 'd':\n\t\t\t\tcase 's':\n\t\t\t\t\ts = s->abc_next;\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\ti = (curvoice - voice_tb) + 1;\n\t\t\tif (i < cfmt.alignbars) {\n\t\t\t\tcurvoice = &voice_tb[i];\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tgenerate();\n\t\t\tbuffer_eob(0);\n\t\t\tcurvoice = &voice_tb[0];\n\t\t\tcontinue;\n\t\tcase ABC_T_MREST: {\n\t\t\tint dur;\n\n\t\t\tdur = curvoice->wmeasure * s->u.bar.len;\n\t\t\tif 
(curvoice->second) {\n\t\t\t\tcurvoice->time += dur;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tsym_link(s, MREST);\n\t\t\ts->dur = dur;\n\t\t\tcurvoice->time += dur;\n\t\t\tif (s->text)\n\t\t\t\tgch_build(s);\t/* build the guitar chords */\n\t\t\tif (s->u.bar.dc.n > 0)\n\t\t\t\tdeco_cnv(&s->u.bar.dc, s, NULL);\n\t\t\tbreak;\n\t\t }\n\t\tcase ABC_T_MREP: {\n\t\t\tint n;\n\n\t\t\ts2 = curvoice->last_sym;\n\t\t\tif (!s2 || s2->type != BAR) {\n\t\t\t\terror(1, s,\n\t\t\t\t \"No bar before measure repeat\");\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (curvoice->ignore)\n\t\t\t\tbreak;\n\t\t\tn = s->u.bar.len;\n\t\t\tif (curvoice->second) {\n\t\t\t\tcurvoice->time += curvoice->wmeasure * n;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\ts2 = sym_add(curvoice, NOTEREST);\n\t\t\ts2->abc_type = ABC_T_REST;\n\t\t\ts2->flags |= ABC_F_INVIS;\n\t\t\ts2->dur = curvoice->wmeasure;\n\t\t\tcurvoice->time += s2->dur;\n\t\t\tif (n == 1) {\n\t\t\t\ts->abc_next->u.bar.len = n; /* <n> in the next bar */\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\twhile (--n > 0) {\n\t\t\t\ts2 = sym_add(curvoice, BAR);\n\t\t\t\ts2->u.bar.type = B_SINGLE;\n\t\t\t\tif (n == s->u.bar.len - 1)\n\t\t\t\t\ts2->u.bar.len = s->u.bar.len;\n\t\t\t\ts2 = sym_add(curvoice, NOTEREST);\n\t\t\t\ts2->abc_type = ABC_T_REST;\n\t\t\t\ts2->flags |= ABC_F_INVIS;\n\t\t\t\ts2->dur = curvoice->wmeasure;\n\t\t\t\tcurvoice->time += s2->dur;\n\t\t\t}\n\t\t\tbreak;\n\t\t }\n\t\tcase ABC_T_V_OVER:\n\t\t\tget_over(s);\n\t\t\tcontinue;\n\t\tcase ABC_T_TUPLET:\n\t\t\tset_tuplet(s);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tcontinue;\n\t\t}\n\t\tif (s->type == 0)\n\t\t\tcontinue;\n\t\tif (curvoice->second)\n\t\t\ts->sflags |= S_SECOND;\n\t\tif (curvoice->floating)\n\t\t\ts->sflags |= S_FLOATING;\n\t}\n\n\tgen_ly(0);\n\tput_history();\n\tbuffer_eob(1);\n\tif (epsf) {\n\t\twrite_eps();\n\t} else {\n\t\twrite_buffer();\n//\t\tif (!cfmt.oneperpage && in_page)\n//\t\t\tuse_buffer = cfmt.splittune != 1;\n\t}\n\n\tif (info['X' - 'A']) {\n\t\tmemcpy(&cfmt, &dfmt, sizeof cfmt); /* restore global 
values */\n\t\tmemcpy(&info, &info_glob, sizeof info);\n\t\tmemcpy(deco, deco_glob, sizeof deco);\n\t\tmaps = maps_glob;\n\t\tinfo['X' - 'A'] = NULL;\n\t}\n\n\t/* free the parsing resources */\n\t{\n\t\tstruct brk_s *brk, *brk2;\n\n\t\tbrk = brks;\n\t\twhile (brk) {\n\t\t\tbrk2 = brk->next;\n\t\t\tfree(brk);\n\t\t\tbrk = brk2;\n\t\t}\n\t\tbrks = brk;\t\t/* (NULL) */\n\t}\n}",
- "project": "abcm2ps",
- "hash": 10286452578274153484723719583151117351,
- "size": 255,
- "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3",
- "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,",
- "target": 0,
- "dataset": "other",
- "idx": 484344
- },
- {
- "func": "static void gch_capo(struct SYMBOL *s)\n{\n\tchar *p = s->text, *q, *r;\n\tint i, l, li = 0;\n\tstatic const char *capo_txt = \" (capo: %d)\";\n\tstatic signed char cap_trans[] =\n\t\t{0, 5, -2, 3, -4, 1, -6, -1, 4, -3, 2, -5};\n\n\t// search the chord symbols\n\tfor (;;) {\n\t\tif (!strchr(\"^_<>@\", *p))\n\t\t\tbreak;\n\t\tp = strchr(p, '\\n');\n\t\tif (!p)\n\t\t\treturn;\n\t\tp++;\n\t}\n\n\t// add a capo chord symbol\n\ti = p - s->text;\n\tq = strchr(p + 1, '\\n');\n\tif (q)\n\t\tl = q - p;\n\telse\n\t\tl = strlen(p);\n\tif (!capo) {\n\t\tcapo = 1;\n\t\tli = strlen(capo_txt);\n\t}\n\tr = (char *) getarena(strlen(s->text) + l + li + 1);\n\ti += l;\n\tstrncpy(r, s->text, i);\t\t// annotations + chord symbol\n\tr[i++] = '\\n';\n\tstrncpy(r + i, p, l);\t\t// capo\n\tif (li) {\n\t\tsprintf(r + i + l, capo_txt, cfmt.capo);\n\t\tl += li;\n\t}\n\tif (q)\n\t\tstrcpy(r + i + l, q);\t// ending annotations\n\ts->text = r;\n\tgch_tr1(s, i, cap_trans[cfmt.capo % 12]);\n}",
- "project": "abcm2ps",
- "hash": 297571697935838391035188625332640156407,
- "size": 43,
- "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3",
- "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,",
- "target": 0,
- "dataset": "other",
- "idx": 484342
- },
- {
- "func": "static void gch_transpose(struct SYMBOL *s)\n{\n\tint in_ch = 0;\n\tint i2 = curvoice->ckey.sf - curvoice->okey.sf;\n\tchar *o = s->text, *p = o;\n\n\t// search the chord symbols\n\tfor (;;) {\n\t\tif (in_ch || !strchr(\"^_<>@\", *p)) {\n\t\t\tgch_tr1(s, p - s->text, i2);\n\t\t\tp = s->text + (p - o);\n\t\t\to = s->text;\n\t\t\tfor (p++; *p; p++) {\n\t\t\t\tif (strchr(\"\\t;\\n\", *p))\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (!*p)\n\t\t\t\tbreak;\n\t\t\tswitch (*p) {\n\t\t\tcase '\\t':\n\t\t\t\tin_ch = 1;\n\t\t\t\tbreak;\n\t\t\tcase ';':\n\t\t\t\tin_ch = !strchr(\"^_<>@\", p[1]);\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tin_ch = 0;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t} else {\n\t\t\tp = strchr(p, '\\n');\n\t\t\tif (!p)\n\t\t\t\tbreak;\n\t\t}\n\t\tp++;\n\t}\n}",
- "project": "abcm2ps",
- "hash": 197089611282988920788858462297844536403,
- "size": 37,
- "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3",
- "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,",
- "target": 0,
- "dataset": "other",
- "idx": 484350
- },
- {
- "func": "static void gch_tr1(struct SYMBOL *s, int i, int i2)\n{\n\tchar *p = &s->text[i],\n\t\t*q = p + 1,\n\t\t*new_txt;\n\tint l, latin;\n\tint n, a, i1, i3, i4;\n\tstatic const char note_names[] = \"CDEFGAB\";\n\tstatic const char *latin_names[7] =\n\t\t\t{ \"Do\", \"Ré\", \"Mi\", \"Fa\", \"Sol\", \"La\", \"Si\" };\n\tstatic const char *acc_name[5] = {\"bb\", \"b\", \"\", \"#\", \"##\"};\n\n\t/* main chord */\n\tlatin = 0;\n\tswitch (*p) {\n\tcase 'A':\n\tcase 'B':\n\t\tn = *p - 'A' + 5;\n\t\tbreak;\n\tcase 'C':\n\tcase 'E':\n\tcase 'G':\n\t\tn = *p - 'C';\n\t\tbreak;\n\tcase 'D':\n\t\tif (p[1] == 'o') {\n\t\t\tlatin++;\n\t\t\tn = 0;\t\t/* Do */\n\t\t\tbreak;\n\t\t}\n\t\tn = 1;\n\t\tbreak;\n\tcase 'F':\n\t\tif (p[1] == 'a')\n\t\t\tlatin++;\t/* Fa */\n\t\tn = 3;\n\t\tbreak;\n\tcase 'L':\n\t\tlatin++;\t\t/* La */\n\t\tn = 5;\n\t\tbreak;\n\tcase 'M':\n\t\tlatin++;\t\t/* Mi */\n\t\tn = 2;\n\t\tbreak;\n\tcase 'R':\n\t\tlatin++;\n\t\tif (p[1] != 'e')\n\t\t\tlatin++;\t/* Ré */\n\t\tn = 1;\t\t\t/* Re */\n\t\tbreak;\n\tcase 'S':\n\t\tlatin++;\n\t\tif (p[1] == 'o') {\n\t\t\tlatin++;\n\t\t\tn = 4;\t\t/* Sol */\n\t\t} else {\n\t\t\tn = 6;\t\t/* Si */\n\t\t}\n\t\tbreak;\n\tcase '/':\t\t\t// bass only\n\t\tlatin--;\n\t\tbreak;\n\tdefault:\n\t\treturn;\n\t}\n\tq += latin;\n\n\t/* allocate a new string */\n\tnew_txt = getarena(strlen(s->text) + 6);\n\tl = p - s->text;\n\tmemcpy(new_txt, s->text, l);\n\ts->text = new_txt;\n\tnew_txt += l;\n\tp = q;\n\n\tif (latin >= 0) {\t\t\t// if some chord\n\t\ta = 0;\n\t\twhile (*p == '#') {\n\t\t\ta++;\n\t\t\tp++;\n\t\t}\n\t\twhile (*p == 'b') {\n\t\t\ta--;\n\t\t\tp++;\n\t\t}\n//\t\tif (*p == '=')\n//\t\t\tp++;\n\t\ti3 = cde2fcg[n] + i2 + a * 7;\n\t\ti4 = cgd2cde[(unsigned) ((i3 + 16 * 7) % 7)];\n\t\ti1 = ((i3 + 1 + 21) / 7 + 2 - 3 + 32 * 5) % 5;\n\t\t\t\t\t\t\t/* accidental */\n\t\tif (latin == 0)\n\t\t\t*new_txt++ = note_names[i4];\n\t\telse\n\t\t\tnew_txt += sprintf(new_txt, \"%s\", latin_names[i4]);\n\t\tnew_txt += sprintf(new_txt, 
\"%s\", acc_name[i1]);\n\t}\n\n\t/* bass */\n\twhile (*p != '\\0' && *p != '\\n' && *p != '/')\t// skip 'm'/'dim'..\n\t\t*new_txt++ = *p++;\n\tif (*p == '/') {\n\t\t*new_txt++ = *p++;\n//fixme: latin names not treated\n\t\tq = strchr(note_names, *p);\n\t\tif (q) {\n\t\t\tp++;\n\t\t\tn = q - note_names;\n\t\t\tif (*p == '#') {\n\t\t\t\ta = 1;\n\t\t\t\tp++;\n\t\t\t} else if (*p == 'b') {\n\t\t\t\ta = -1;\n\t\t\t\tp++;\n\t\t\t} else {\n\t\t\t\ta = 0;\n\t\t\t}\n\t\t\ti3 = cde2fcg[n] + i2 + a * 7;\n\t\t\ti4 = cgd2cde[(unsigned) ((i3 + 16 * 7) % 7)];\n\t\t\ti1 = ((i3 + 1 + 21) / 7 + 2 - 3 + 32 * 5) % 5;\n\t\t\t*new_txt++ = note_names[i4];\n\t\t\tnew_txt += sprintf(new_txt, \"%s\", acc_name[i1]);\n\t\t}\n\t}\n\tstrcpy(new_txt, p);\n}",
- "project": "abcm2ps",
- "hash": 224800842001487088171705246081088169612,
- "size": 127,
- "commit_id": "2f56e1179cab6affeb8afa9d6c324008fe40d8e3",
- "message": "fix: array overflow when wrong duration in voice overlay\n\nIssue #83,",
- "target": 0,
- "dataset": "other",
- "idx": 484345
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ff_layout_write_prepare_v3",
- "ff_layout_write_prepare_common",
- "ff_layout_write_record_layoutstats_start"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static int ff_layout_write_prepare_common(struct rpc_task *task,\n\t\t\t\t\t struct nfs_pgio_header *hdr)\n{\n\tif (unlikely(test_bit(NFS_CONTEXT_BAD, &hdr->args.context->flags))) {\n\t\trpc_exit(task, -EIO);\n\t\treturn -EIO;\n\t}\n\n\tff_layout_write_record_layoutstats_start(task, hdr);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 228977133502718801944665082827458300360,
- "size": 11,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234445
- },
- {
- "func": "static void ff_layout_write_prepare_v3(struct rpc_task *task, void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tif (ff_layout_write_prepare_common(task, hdr))\n\t\treturn;\n\n\trpc_call_start(task);\n}",
- "project": "linux",
- "hash": 285423836771742919166407497962034331057,
- "size": 9,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234406
- },
- {
- "func": "static void ff_layout_write_prepare_v4(struct rpc_task *task, void *data)\n{\n\tstruct nfs_pgio_header *hdr = data;\n\n\tif (nfs4_setup_sequence(hdr->ds_clp,\n\t\t\t\t&hdr->args.seq_args,\n\t\t\t\t&hdr->res.seq_res,\n\t\t\t\ttask))\n\t\treturn;\n\n\tff_layout_write_prepare_common(task, hdr);\n}",
- "project": "linux",
- "hash": 235163627451101528740660611843223898594,
- "size": 12,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234485
- },
- {
- "func": "static void ff_layout_write_record_layoutstats_start(struct rpc_task *task,\n\t\tstruct nfs_pgio_header *hdr)\n{\n\tif (test_and_set_bit(NFS_IOHDR_STAT, &hdr->flags))\n\t\treturn;\n\tnfs4_ff_layout_stat_io_start_write(hdr->inode,\n\t\t\tFF_LAYOUT_COMP(hdr->lseg, hdr->pgio_mirror_idx),\n\t\t\thdr->args.count,\n\t\t\ttask->tk_start);\n}",
- "project": "linux",
- "hash": 310135400152460850835504622207794171768,
- "size": 10,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234490
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "av1dmx_process",
- "av1dmx_process_buffer",
- "av1dmx_parse_vp9",
- "av1dmx_check_pid",
- "av1dmx_check_dur"
- ],
- "group_size": 12,
- "functions": [
- {
- "func": "GF_Err av1dmx_parse_av1(GF_Filter *filter, GF_AV1DmxCtx *ctx)\n{\n\tGF_Err e = GF_OK;\n\tu64 start;\n\n\tif (!ctx->is_playing) {\n\t\tctx->state.frame_state.is_first_frame = GF_TRUE;\n\t}\n\n\t/*we process each TU and extract only the necessary OBUs*/\n\tstart = gf_bs_get_position(ctx->bs);\n\tswitch (ctx->bsmode) {\n\tcase OBUs:\n\t\t//first frame loaded !\n\t\tif (ctx->state.bs && gf_bs_get_position(ctx->state.bs) && (ctx->state.obu_type == OBU_TEMPORAL_DELIMITER)) {\n\t\t\te = GF_OK;\n\t\t} else {\n\t\t\te = aom_av1_parse_temporal_unit_from_section5(ctx->bs, &ctx->state);\n\t\t}\n\t\tbreak;\n\tcase AnnexB:\n\t\t//first TU loaded !\n\t\tif (ctx->state.bs && gf_bs_get_position(ctx->state.bs)) {\n\t\t\te = GF_OK;\n\t\t} else {\n\t\t\te = aom_av1_parse_temporal_unit_from_annexb(ctx->bs, &ctx->state);\n\t\t\tif (e==GF_BUFFER_TOO_SMALL) {\n\t\t\t\tgf_av1_reset_state(&ctx->state, GF_FALSE);\n\t\t\t\tgf_bs_seek(ctx->bs, start);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\tcase IVF:\n\t\t//first frame loaded !\n\t\tif (ctx->state.bs && gf_bs_get_position(ctx->state.bs)) {\n\t\t\te = GF_OK;\n\t\t} else {\n\t\t\te = aom_av1_parse_temporal_unit_from_ivf(ctx->bs, &ctx->state);\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\te = GF_NOT_SUPPORTED;\n\t}\n\n\t//check pid state\n\tav1dmx_check_pid(filter, ctx);\n\n\tif (e) return e;\n\n\n\tif (!ctx->opid) {\n\t\tif (ctx->state.obu_type != OBU_TEMPORAL_DELIMITER) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, (\"[AV1Dmx] output pid not configured (no sequence header yet ?), skipping OBU\\n\"));\n\t\t}\n\t\tgf_av1_reset_state(&ctx->state, GF_FALSE);\n\t\treturn GF_OK;\n\t}\n\n\tif (!ctx->is_playing) {\n\t\t//don't reset state we would skip seq header obu in first frame\n\t\t//gf_av1_reset_state(&ctx->state, GF_FALSE);\n\t\treturn GF_OK;\n\t}\n\n\treturn av1dmx_parse_flush_sample(filter, ctx);\n\n}",
- "project": "gpac",
- "hash": 273581855298955648091568900274325479606,
- "size": 67,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236220
- },
- {
- "func": "static void av1dmx_check_pid(GF_Filter *filter, GF_AV1DmxCtx *ctx)\n{\n\tu8 *dsi;\n\tu32 dsi_size, crc;\n\n\t//no config or no config change\n\tif (ctx->is_av1 && !gf_list_count(ctx->state.frame_state.header_obus)) return;\n\n\tif (!ctx->opid) {\n\t\tctx->opid = gf_filter_pid_new(filter);\n\t\tav1dmx_check_dur(filter, ctx);\n\t}\n\tdsi = NULL;\n\tdsi_size = 0;\n\n\tif (ctx->vp_cfg) {\n\t\tgf_odf_vp_cfg_write(ctx->vp_cfg, &dsi, &dsi_size, ctx->vp_cfg->codec_initdata_size ? GF_TRUE : GF_FALSE);\n\t} else if (ctx->is_av1) {\n\t\t//first or config changed, compute dsi\n\t\twhile (gf_list_count(ctx->state.config->obu_array)) {\n\t\t\tGF_AV1_OBUArrayEntry *a = (GF_AV1_OBUArrayEntry*) gf_list_pop_back(ctx->state.config->obu_array);\n\t\t\tif (a->obu) gf_free(a->obu);\n\t\t\tgf_free(a);\n\t\t}\n\t\tdsi = NULL;\n\t\tdsi_size = 0;\n\t\twhile (gf_list_count(ctx->state.frame_state.header_obus)) {\n\t\t\tGF_AV1_OBUArrayEntry *a = (GF_AV1_OBUArrayEntry*) gf_list_get(ctx->state.frame_state.header_obus, 0);\n\t\t\tgf_list_add(ctx->state.config->obu_array, a);\n\t\t\tgf_list_rem(ctx->state.frame_state.header_obus, 0);\n\t\t}\n\t\tgf_odf_av1_cfg_write(ctx->state.config, &dsi, &dsi_size);\n\n\t\tif ((!ctx->fps.num || !ctx->fps.den) && ctx->state.tb_num && ctx->state.tb_den && ! 
( (ctx->state.tb_num<=1) && (ctx->state.tb_den<=1) ) ) {\n\t\t\tctx->cur_fps.num = ctx->state.tb_num;\n\t\t\tctx->cur_fps.den = ctx->state.tb_den;\n\t\t}\n\n\t}\n\tcrc = gf_crc_32(dsi, dsi_size);\n\n\tif (crc == ctx->dsi_crc) {\n\t\tgf_free(dsi);\n\t\treturn;\n\t}\n\tctx->dsi_crc = crc;\n\n\t//copy properties at init or reconfig\n\tgf_filter_pid_copy_properties(ctx->opid, ctx->ipid);\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_STREAM_TYPE, & PROP_UINT(GF_STREAM_VISUAL));\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CODECID, & PROP_UINT(ctx->codecid));\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_TIMESCALE, & PROP_UINT(ctx->cur_fps.num));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_FPS, & PROP_FRAC(ctx->cur_fps));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_WIDTH, & PROP_UINT(ctx->state.width));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_HEIGHT, & PROP_UINT(ctx->state.height));\n\n\tif (ctx->duration.num)\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\tif (ctx->bitrate) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_BITRATE, & PROP_UINT(ctx->bitrate));\n\t}\n\n\tif (dsi && dsi_size)\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DECODER_CONFIG, & PROP_DATA_NO_COPY(dsi, dsi_size));\n\n\tif (ctx->is_file && ctx->index) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PLAYBACK_MODE, & PROP_UINT(GF_PLAYBACK_MODE_FASTFORWARD) );\n\t}\n\n\tif (ctx->is_av1) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_COLR_PRIMARIES, & PROP_UINT(ctx->state.color_primaries) );\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_COLR_TRANSFER, & PROP_UINT(ctx->state.transfer_characteristics) );\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_COLR_MX, & PROP_UINT(ctx->state.matrix_coefficients) );\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_COLR_RANGE, & PROP_BOOL(ctx->state.color_range) );\n\t}\n}",
- "project": "gpac",
- "hash": 179205899928458533149058165491804929493,
- "size": 79,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236214
- },
- {
- "func": "GF_Err av1dmx_parse_vp9(GF_Filter *filter, GF_AV1DmxCtx *ctx)\n{\n\tBool key_frame = GF_FALSE;\n\tu64 frame_size = 0, pts = 0;\n\tu64 pos, pos_ivf_hdr;\n\tu32 width = 0, height = 0, renderWidth, renderHeight;\n\tu32 num_frames_in_superframe = 0, superframe_index_size = 0, i = 0;\n\tu32 frame_sizes[VP9_MAX_FRAMES_IN_SUPERFRAME];\n\tu8 *output;\n\tGF_Err e;\n\n\tpos_ivf_hdr = gf_bs_get_position(ctx->bs);\n\te = gf_media_parse_ivf_frame_header(ctx->bs, &frame_size, &pts);\n\tif (e) return e;\n\n\tpos = gf_bs_get_position(ctx->bs);\n\tif (gf_bs_available(ctx->bs) < frame_size) {\n\t\tgf_bs_seek(ctx->bs, pos_ivf_hdr);\n\t\treturn GF_EOS;\n\t}\n\n\tif (ctx->pts_from_file) {\n\t\tpts += ctx->cumulated_dur;\n\t\tif (ctx->last_pts && (ctx->last_pts>pts)) {\n\t\t\tpts -= ctx->cumulated_dur;\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"[IVF/VP9] Corrupted timestamp \"LLU\" less than previous timestamp \"LLU\", assuming concatenation\\n\", pts, ctx->last_pts));\n\t\t\tctx->cumulated_dur = ctx->last_pts + ctx->cur_fps.den;\n\t\t\tctx->cumulated_dur -= pts;\n\t\t\tpts = ctx->cumulated_dur;\n\t\t}\n\t\tctx->last_pts = pts;\n\t}\n\n\t/*check if it is a superframe*/\n\te = gf_media_vp9_parse_superframe(ctx->bs, frame_size, &num_frames_in_superframe, frame_sizes, &superframe_index_size);\n\tif (e) {\n\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[VP9Dmx] Error parsing superframe structure\\n\"));\n\t\treturn e;\n\t}\n\n\tfor (i = 0; i < num_frames_in_superframe; ++i) {\n\t\tu64 pos2 = gf_bs_get_position(ctx->bs);\n\t\tif (gf_media_vp9_parse_sample(ctx->bs, ctx->vp_cfg, &key_frame, &width, &height, &renderWidth, &renderHeight) != GF_OK) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[VP9Dmx] Error parsing frame\\n\"));\n\t\t\treturn e;\n\t\t}\n\t\te = gf_bs_seek(ctx->bs, pos2 + frame_sizes[i]);\n\t\tif (e) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[VP9Dmx] Seek bad param (offset \"LLU\") (1)\", pos2 + frame_sizes[i]));\n\t\t\treturn e;\n\t\t}\n\t}\n\tif 
(gf_bs_get_position(ctx->bs) + superframe_index_size != pos + frame_size) {\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"[VP9Dmx] Inconsistent IVF frame size of \"LLU\" bytes.\\n\", frame_size));\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\" Detected %d frames (+ %d bytes for the superframe index):\\n\", num_frames_in_superframe, superframe_index_size));\n\t\tfor (i = 0; i < num_frames_in_superframe; ++i) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\" superframe %d, size is %u bytes\\n\", i, frame_sizes[i]));\n\t\t}\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"\\n\"));\n\t}\n\te = gf_bs_seek(ctx->bs, pos + frame_size);\n\tif (e) {\n\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"[VP9Dmx] Seek bad param (offset \"LLU\") (2)\", pos + frame_size));\n\t\treturn e;\n\t}\n\n\tu32 pck_size = (u32)(gf_bs_get_position(ctx->bs) - pos);\n\tassert(pck_size == frame_size);\n\n\t//check pid state\n\tav1dmx_check_pid(filter, ctx);\n\n\tif (!ctx->opid) {\n\t\treturn GF_OK;\n\t}\n\n\tif (!ctx->is_playing) {\n\t\tgf_bs_seek(ctx->bs, pos_ivf_hdr);\n\t\treturn GF_EOS;\n\t}\n\n\tGF_FilterPacket *pck = gf_filter_pck_new_alloc(ctx->opid, pck_size, &output);\n\tif (!pck) {\n\t\tgf_bs_seek(ctx->bs, pos_ivf_hdr);\n\t\treturn GF_OUT_OF_MEM;\n\t}\n\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, pck);\n\n\tif (ctx->pts_from_file) {\n\t\tgf_filter_pck_set_cts(pck, pts);\n\t} else {\n\t\tgf_filter_pck_set_cts(pck, ctx->cts);\n\t}\n\n\n\tif (key_frame) {\n\t\tgf_filter_pck_set_sap(pck, GF_FILTER_SAP_1);\n\t}\n\n\tif (ctx->deps) {\n\t\tu8 flags = 0;\n\t\t//dependsOn\n\t\tflags = (key_frame) ? 2 : 1;\n\t\tflags <<= 2;\n\t\t//dependedOn\n\t\t//flags |= 2;\n\t\tflags <<= 2;\n\t\t//hasRedundant\n\t\t//flags |= ctx->has_redundant ? 1 : 2;\n\t\tgf_filter_pck_set_dependency_flags(pck, flags);\n\t}\n\n\tgf_bs_seek(ctx->bs, pos);\n\tgf_bs_read_data(ctx->bs, output, pck_size);\n\tgf_filter_pck_send(pck);\n\n\tav1dmx_update_cts(ctx);\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 62713025403556402800888009357318149177,
- "size": 119,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236215
- },
- {
- "func": "static Bool av1dmx_process_event(GF_Filter *filter, const GF_FilterEvent *evt)\n{\n\tu32 i;\n\tu64 file_pos = 0;\n\tGF_FilterEvent fevt;\n\tGF_AV1DmxCtx *ctx = gf_filter_get_udta(filter);\n\n\tswitch (evt->base.type) {\n\tcase GF_FEVT_PLAY:\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->is_playing = GF_TRUE;\n\t\t\tctx->cts = 0;\n\t\t}\n\t\tif (! ctx->is_file) {\n\t\t\tctx->buf_size = 0;\n\t\t\treturn GF_FALSE;\n\t\t}\n\t\tctx->start_range = evt->play.start_range;\n\t\tctx->in_seek = GF_TRUE;\n\n\t\tif (ctx->start_range) {\n\n\t\t\tif (ctx->index<0) {\n\t\t\t\tctx->index = -ctx->index;\n\t\t\t\tctx->file_loaded = GF_FALSE;\n\t\t\t\tctx->duration.den = ctx->duration.num = 0;\n\t\t\t\tGF_LOG(GF_LOG_INFO, GF_LOG_PARSER, (\"[AV1/VP9Demx] Play request from %d, building index\\n\", ctx->start_range));\n\t\t\t\tav1dmx_check_dur(filter, ctx);\n\t\t\t}\n\n\t\t\tfor (i=1; i<ctx->index_size; i++) {\n\t\t\t\tif (ctx->indexes[i].duration>ctx->start_range) {\n\t\t\t\t\tctx->cts = (u64) (ctx->indexes[i-1].duration * ctx->cur_fps.num);\n\t\t\t\t\tfile_pos = ctx->indexes[i-1].pos;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!ctx->initial_play_done) {\n\t\t\tctx->initial_play_done = GF_TRUE;\n\t\t\t//seek will not change the current source state, don't send a seek\n\t\t\tif (!file_pos)\n\t\t\t\treturn GF_TRUE;\n\t\t}\n\t\tctx->buf_size = 0;\n\t\tif (!file_pos)\n\t\t\tfile_pos = ctx->file_hdr_size;\n\n\t\t//post a seek\n\t\tGF_FEVT_INIT(fevt, GF_FEVT_SOURCE_SEEK, ctx->ipid);\n\t\tfevt.seek.start_offset = file_pos;\n\t\tgf_filter_pid_send_event(ctx->ipid, &fevt);\n\n\t\t//cancel event\n\t\treturn GF_TRUE;\n\n\tcase GF_FEVT_STOP:\n\t\t//don't cancel event\n\t\tctx->is_playing = GF_FALSE;\n\t\treturn GF_FALSE;\n\n\tcase GF_FEVT_SET_SPEED:\n\t\t//cancel event\n\t\treturn GF_TRUE;\n\tdefault:\n\t\tbreak;\n\t}\n\t//by default don't cancel event - to rework once we have downloading in place\n\treturn GF_FALSE;\n}",
- "project": "gpac",
- "hash": 151199563419142864109547595778322536027,
- "size": 70,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236219
- },
- {
- "func": "GF_Err av1dmx_process_buffer(GF_Filter *filter, GF_AV1DmxCtx *ctx, const char *data, u32 data_size, Bool is_copy)\n{\n\tu32 last_obu_end = 0;\n\tGF_Err e = GF_OK;\n\n\tif (!ctx->bs) ctx->bs = gf_bs_new(data, data_size, GF_BITSTREAM_READ);\n\telse gf_bs_reassign_buffer(ctx->bs, data, data_size);\n\n#ifndef GPAC_DISABLE_LOG\n\tif (ctx->bsdbg && gf_log_tool_level_on(GF_LOG_PARSER, GF_LOG_DEBUG))\n\t\tgf_bs_set_logger(ctx->bs, av1dmx_bs_log, ctx);\n#endif\n\n\t//check ivf vs obu vs annexB\n\te = av1dmx_check_format(filter, ctx, ctx->bs, &last_obu_end);\n\tif (e) return e;\n\n\twhile (gf_bs_available(ctx->bs)) {\n\n\t\tif (ctx->is_vp9) {\n\t\t\te = av1dmx_parse_vp9(filter, ctx);\n\t\t} else if (ctx->is_av1) {\n\t\t\te = av1dmx_parse_av1(filter, ctx);\n\t\t} else {\n\t\t\te = av1dmx_parse_ivf(filter, ctx);\n\t\t}\n\n\t\tif (e!=GF_EOS)\n\t\t\tlast_obu_end = (u32) gf_bs_get_position(ctx->bs);\n\n\t\tif (e) {\n\t\t\tbreak;\n\t\t}\n\t\tif (!ctx->is_playing && ctx->opid)\n\t\t\tbreak;\n\t}\n\n\tif (is_copy && last_obu_end) {\n\t\tassert(ctx->buf_size>=last_obu_end);\n\t\tmemmove(ctx->buffer, ctx->buffer+last_obu_end, sizeof(char) * (ctx->buf_size-last_obu_end));\n\t\tctx->buf_size -= last_obu_end;\n\t}\n\tif (e==GF_EOS) return GF_OK;\n\tif (e==GF_BUFFER_TOO_SMALL) return GF_OK;\n\treturn e;\n}",
- "project": "gpac",
- "hash": 235484317529668612746088331136118347502,
- "size": 46,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236222
- },
- {
- "func": "GF_Err av1dmx_check_format(GF_Filter *filter, GF_AV1DmxCtx *ctx, GF_BitStream *bs, u32 *last_obu_end)\n{\n\tGF_Err e;\n\tif (last_obu_end) (*last_obu_end) = 0;\n\t//probing av1 bs mode\n\tif (ctx->bsmode != NOT_SET) return GF_OK;\n\n\n\tif (!ctx->state.config)\n\t\tctx->state.config = gf_odf_av1_cfg_new();\n\n\tctx->is_av1 = ctx->is_vp9 = ctx->is_vpX = GF_FALSE;\n\tctx->codecid = 0;\n\tif (ctx->vp_cfg) gf_odf_vp_cfg_del(ctx->vp_cfg);\n\tctx->vp_cfg = NULL;\n\tctx->cur_fps = ctx->fps;\n\tif (!ctx->fps.num || !ctx->fps.den) {\n\t\tctx->cur_fps.num = 25000;\n\t\tctx->cur_fps.den = 1000;\n\t}\n\n\tctx->pts_from_file = GF_FALSE;\n\tif (gf_media_probe_ivf(bs)) {\n\t\tu32 width = 0, height = 0;\n\t\tu32 codec_fourcc = 0, timebase_den = 0, timebase_num = 0, num_frames = 0;\n\t\tctx->bsmode = IVF;\n\n\t\te = gf_media_parse_ivf_file_header(bs, &width, &height, &codec_fourcc, &timebase_num, &timebase_den, &num_frames);\n\t\tif (e) return e;\n\n\t\tswitch (codec_fourcc) {\n\t\tcase GF_4CC('A', 'V', '0', '1'):\n\t\t\tctx->is_av1 = GF_TRUE;\n\t\t\tctx->codecid = GF_CODECID_AV1;\n\t\t\tbreak;\n\t\tcase GF_4CC('V', 'P', '9', '0'):\n\t\t\tctx->is_vp9 = GF_TRUE;\n\t\t\tctx->codecid = GF_CODECID_VP9;\n\t\t\tctx->vp_cfg = gf_odf_vp_cfg_new();\n\t\t\tbreak;\n\t\tcase GF_4CC('V', 'P', '8', '0'):\n\t\t\tctx->codecid = GF_CODECID_VP8;\n\t\t\tctx->vp_cfg = gf_odf_vp_cfg_new();\n\t\t\tbreak;\n\t\tcase GF_4CC('V', 'P', '1', '0'):\n\t\t\tctx->codecid = GF_CODECID_VP10;\n\t\t\tctx->vp_cfg = gf_odf_vp_cfg_new();\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"[IVF] %s parsing not implemented, import might be uncomplete or broken\\n\", gf_4cc_to_str(codec_fourcc) ));\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tctx->codecid = codec_fourcc;\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"[IVF] Unsupported codec FourCC %s\\n\", gf_4cc_to_str(codec_fourcc) ));\n\t\t\treturn GF_NON_COMPLIANT_BITSTREAM;\n\t\t}\n\t\tif (ctx->vp_cfg && !ctx->is_vp9) {\n\t\t\tctx->is_vpX = 
GF_TRUE;\n\t\t\tctx->vp_cfg->profile = 1;\n\t\t\tctx->vp_cfg->level = 10;\n\t\t\tctx->vp_cfg->bit_depth = 8;\n\t\t\t//leave the rest as 0\n\t\t}\n\n\t\tctx->state.width = ctx->state.width < width ? width : ctx->state.width;\n\t\tctx->state.height = ctx->state.height < height ? height : ctx->state.height;\n\t\tctx->state.tb_num = timebase_num;\n\t\tctx->state.tb_den = timebase_den;\n\n\t\tif ((!ctx->fps.num || !ctx->fps.den) && ctx->state.tb_num && ctx->state.tb_den && ! ( (ctx->state.tb_num<=1) && (ctx->state.tb_den<=1) ) ) {\n\t\t\tctx->cur_fps.num = ctx->state.tb_num;\n\t\t\tctx->cur_fps.den = ctx->state.tb_den;\n\t\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_PARSER, (\"[AV1Dmx] Detected IVF format FPS %d/%d\\n\", ctx->cur_fps.num, ctx->cur_fps.den));\n\t\t\tctx->pts_from_file = GF_TRUE;\n\t\t} else {\n\t\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_PARSER, (\"[AV1Dmx] Detected IVF format\\n\"));\n\t\t}\n\t\tctx->file_hdr_size = (u32) gf_bs_get_position(bs);\n\t\tif (last_obu_end) (*last_obu_end) = (u32) gf_bs_get_position(bs);\n\t\treturn GF_OK;\n\t} else if (gf_media_aom_probe_annexb(bs)) {\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[AV1Dmx] Detected Annex B format\\n\"));\n\t\tctx->bsmode = AnnexB;\n\t} else {\n\t\tgf_bs_seek(bs, 0);\n\t\te = aom_av1_parse_temporal_unit_from_section5(bs, &ctx->state);\n\t\tif (e && !gf_list_count(ctx->state.frame_state.frame_obus) ) {\n\t\t\tgf_filter_setup_failure(filter, e);\n\t\t\tctx->bsmode = UNSUPPORTED;\n\t\t\treturn e;\n\t\t}\n\t\tif (ctx->state.obu_type != OBU_TEMPORAL_DELIMITER) {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[AV1Dmx] Error OBU stream start with %s, not a temporal delimiter - NOT SUPPORTED\\n\", gf_av1_get_obu_name(ctx->state.obu_type) ));\n\t\t\tgf_filter_setup_failure(filter, e);\n\t\t\tctx->bsmode = UNSUPPORTED;\n\t\t\treturn e;\n\t\t}\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[AV1Dmx] Detected OBUs Section 5 format\\n\"));\n\t\tctx->bsmode = OBUs;\n\n\t\tgf_av1_reset_state(&ctx->state, 
GF_FALSE);\n\t\tgf_bs_seek(bs, 0);\n\t}\n\tctx->is_av1 = GF_TRUE;\n\tctx->state.unframed = GF_TRUE;\n\tctx->codecid = GF_CODECID_AV1;\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 38647925056818503378120941409175055268,
- "size": 106,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236221
- },
- {
- "func": "static void av1dmx_check_dur(GF_Filter *filter, GF_AV1DmxCtx *ctx)\n{\n\tFILE *stream;\n\tGF_Err e;\n\tGF_BitStream *bs;\n\tu64 duration, cur_dur, last_cdur, rate;\n\tAV1State av1state;\n\tconst char *filepath=NULL;\n\tconst GF_PropertyValue *p;\n\tif (!ctx->opid || ctx->timescale || ctx->file_loaded) return;\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED);\n\tif (p && p->value.boolean) ctx->file_loaded = GF_TRUE;\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILEPATH);\n\tif (!p || !p->value.string || !strncmp(p->value.string, \"gmem://\", 7)) {\n\t\tctx->is_file = GF_FALSE;\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\tfilepath = p->value.string;\n\tctx->is_file = GF_TRUE;\n\n\tif (ctx->index<0) {\n\t\tif (gf_opts_get_bool(\"temp\", \"force_indexing\")) {\n\t\t\tctx->index = 1.0;\n\t\t} else {\n\t\t\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_DOWN_SIZE);\n\t\t\tif (!p || (p->value.longuint > 100000000)) {\n\t\t\t\tGF_LOG(GF_LOG_INFO, GF_LOG_PARSER, (\"[AV1/VP9] Source file larger than 100M, skipping indexing\\n\"));\n\t\t\t} else {\n\t\t\t\tctx->index = -ctx->index;\n\t\t\t}\n\t\t}\n\t}\n\tif (ctx->index<=0)\n\t\treturn;\n\n\tstream = gf_fopen(filepath, \"rb\");\n\tif (!stream) return;\n\n\tctx->index_size = 0;\n\n\tbs = gf_bs_from_file(stream, GF_BITSTREAM_READ);\n\n\tif (ctx->file_hdr_size) {\n\t\tgf_bs_seek(bs, ctx->file_hdr_size);\n\t}\n\tgf_av1_init_state(&av1state);\n\tav1state.skip_frames = GF_TRUE;\n\tav1state.config = gf_odf_av1_cfg_new();\n\n\tduration = 0;\n\tcur_dur = last_cdur = 0;\n\twhile (gf_bs_available(bs)) {\n\t\tBool is_sap=GF_FALSE;\n\t\tu64 pts = GF_FILTER_NO_TS;\n\t\tu64 frame_start = gf_bs_get_position(bs);\n\t\tgf_av1_reset_state(&av1state, GF_FALSE);\n\n\t\t/*we process each TU and extract only the necessary OBUs*/\n\t\tswitch (ctx->bsmode) {\n\t\tcase OBUs:\n\t\t\te = aom_av1_parse_temporal_unit_from_section5(bs, &av1state);\n\t\t\tbreak;\n\t\tcase AnnexB:\n\t\t\te = 
aom_av1_parse_temporal_unit_from_annexb(bs, &av1state);\n\t\t\tbreak;\n\t\tcase IVF:\n\t\t\tif (ctx->is_av1) {\n\t\t\t\te = aom_av1_parse_temporal_unit_from_ivf(bs, &av1state);\n\t\t\t} else {\n\t\t\t\tu64 frame_size;\n\t\t\t\te = gf_media_parse_ivf_frame_header(bs, &frame_size, &pts);\n\t\t\t\tif (!e) gf_bs_skip_bytes(bs, frame_size);\n\t\t \t\tis_sap = GF_TRUE;\n\t\t\t}\n\t\t\tbreak;\n\t\tdefault:\n\t\t\te = GF_NOT_SUPPORTED;\n\t\t}\n\t\tif (e)\n\t\t \tbreak;\n\n\t\tif (pts != GF_FILTER_NO_TS) {\n\t\t\tduration = pts;\n\t\t\tcur_dur = pts - last_cdur;\n\t\t} else {\n\t\t\tduration += ctx->cur_fps.den;\n\t\t\tcur_dur += ctx->cur_fps.den;\n\t\t}\n\t\tif (av1state.frame_state.key_frame)\n\t\t \tis_sap = GF_TRUE;\n\n\t\t//only index at I-frame start\n\t\tif (frame_start && is_sap && (cur_dur > ctx->index * ctx->cur_fps.num) ) {\n\t\t\tif (!ctx->index_alloc_size) ctx->index_alloc_size = 10;\n\t\t\telse if (ctx->index_alloc_size == ctx->index_size) ctx->index_alloc_size *= 2;\n\t\t\tctx->indexes = gf_realloc(ctx->indexes, sizeof(AV1Idx)*ctx->index_alloc_size);\n\t\t\tctx->indexes[ctx->index_size].pos = frame_start;\n\t\t\tctx->indexes[ctx->index_size].duration = (Double) duration;\n\t\t\tctx->indexes[ctx->index_size].duration /= ctx->cur_fps.num;\n\t\t\tctx->index_size ++;\n\t\t\tlast_cdur = cur_dur;\n\t\t\tcur_dur = 0;\n\t\t}\n\t}\n\trate = gf_bs_get_position(bs);\n\tgf_bs_del(bs);\n\tgf_fclose(stream);\n\tgf_odf_av1_cfg_del(av1state.config);\n\tgf_av1_reset_state(&av1state, GF_TRUE);\n\n\tif (!ctx->duration.num || (ctx->duration.num * ctx->cur_fps.num != duration * ctx->duration.den)) {\n\t\tctx->duration.num = (s32) duration;\n\t\tctx->duration.den = ctx->cur_fps.num;\n\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\t\tif (duration && (!gf_sys_is_test_mode() || gf_opts_get_bool(\"temp\", \"force_indexing\"))) {\n\t\t\trate *= 8 * ctx->duration.den;\n\t\t\trate /= ctx->duration.num;\n\t\t\tctx->bitrate = (u32) 
rate;\n\t\t}\n\t}\n\n\t//currently not supported because of OBU size field rewrite - could work on some streams but we would\n\t//need to analyse all OBUs in the stream for that\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_FALSE) );\n}",
- "project": "gpac",
- "hash": 66527526371699850120185361290627456561,
- "size": 130,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236213
- },
- {
- "func": "static GFINLINE void av1dmx_update_cts(GF_AV1DmxCtx *ctx)\n{\n\tassert(ctx->cur_fps.num);\n\tassert(ctx->cur_fps.den);\n\n\tif (ctx->timescale) {\n\t\tu64 inc = ctx->cur_fps.den;\n\t\tinc *= ctx->timescale;\n\t\tinc /= ctx->cur_fps.num;\n\t\tctx->cts += inc;\n\t} else {\n\t\tctx->cts += ctx->cur_fps.den;\n\t}\n}",
- "project": "gpac",
- "hash": 126064430894865554566167737951610950196,
- "size": 14,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236212
- },
- {
- "func": "static GF_Err av1dmx_parse_flush_sample(GF_Filter *filter, GF_AV1DmxCtx *ctx)\n{\n\tu32 pck_size;\n\tGF_FilterPacket *pck;\n\tu8 *output;\n\n\tgf_bs_get_content_no_truncate(ctx->state.bs, &ctx->state.frame_obus, &pck_size, &ctx->state.frame_obus_alloc);\n\n\tif (!pck_size) {\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[AV1Dmx] no frame OBU, skipping OBU\\n\"));\n\t\treturn GF_OK;\n\t}\n\n\tpck = gf_filter_pck_new_alloc(ctx->opid, pck_size, &output);\n\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, pck);\n\n\tgf_filter_pck_set_cts(pck, ctx->cts);\n\tgf_filter_pck_set_sap(pck, ctx->state.frame_state.key_frame ? GF_FILTER_SAP_1 : 0);\n\n\tmemcpy(output, ctx->state.frame_obus, pck_size);\n\n\tif (ctx->deps) {\n\t\tu8 flags = 0;\n\t\t//dependsOn\n\t\tflags = ( ctx->state.frame_state.key_frame) ? 2 : 1;\n\t\tflags <<= 2;\n\t\t//dependedOn\n\t \tflags |= ctx->state.frame_state.refresh_frame_flags ? 1 : 2;\n\t\tflags <<= 2;\n\t\t//hasRedundant\n\t \t//flags |= ctx->has_redundant ? 1 : 2;\n\t \tgf_filter_pck_set_dependency_flags(pck, flags);\n\t}\n\n\tgf_filter_pck_send(pck);\n\n\tav1dmx_update_cts(ctx);\n\tgf_av1_reset_state(&ctx->state, GF_FALSE);\n\n\treturn GF_OK;\n\n}",
- "project": "gpac",
- "hash": 124123704759614734447704073729222685997,
- "size": 42,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 1,
- "dataset": "other",
- "idx": 195985
- },
- {
- "func": "static GF_Err av1dmx_parse_flush_sample(GF_Filter *filter, GF_AV1DmxCtx *ctx)\n{\n\tu32 pck_size;\n\tGF_FilterPacket *pck;\n\tu8 *output;\n\n\tif (!ctx->opid)\n\t\treturn GF_NON_COMPLIANT_BITSTREAM;\n\t\t\n\tgf_bs_get_content_no_truncate(ctx->state.bs, &ctx->state.frame_obus, &pck_size, &ctx->state.frame_obus_alloc);\n\n\tif (!pck_size) {\n\t\tGF_LOG(GF_LOG_DEBUG, GF_LOG_CONTAINER, (\"[AV1Dmx] no frame OBU, skipping OBU\\n\"));\n\t\treturn GF_OK;\n\t}\n\n\tpck = gf_filter_pck_new_alloc(ctx->opid, pck_size, &output);\n\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, pck);\n\n\tgf_filter_pck_set_cts(pck, ctx->cts);\n\tgf_filter_pck_set_sap(pck, ctx->state.frame_state.key_frame ? GF_FILTER_SAP_1 : 0);\n\n\tmemcpy(output, ctx->state.frame_obus, pck_size);\n\n\tif (ctx->deps) {\n\t\tu8 flags = 0;\n\t\t//dependsOn\n\t\tflags = ( ctx->state.frame_state.key_frame) ? 2 : 1;\n\t\tflags <<= 2;\n\t\t//dependedOn\n\t \tflags |= ctx->state.frame_state.refresh_frame_flags ? 1 : 2;\n\t\tflags <<= 2;\n\t\t//hasRedundant\n\t \t//flags |= ctx->has_redundant ? 1 : 2;\n\t \tgf_filter_pck_set_dependency_flags(pck, flags);\n\t}\n\n\tgf_filter_pck_send(pck);\n\n\tav1dmx_update_cts(ctx);\n\tgf_av1_reset_state(&ctx->state, GF_FALSE);\n\n\treturn GF_OK;\n\n}",
- "project": "gpac",
- "hash": 155851759706352627613263901786806712657,
- "size": 45,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236225
- },
- {
- "func": "GF_Err av1dmx_process(GF_Filter *filter)\n{\n\tGF_Err e;\n\tGF_AV1DmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck;\n\tchar *data;\n\tu32 pck_size;\n\n\tif (ctx->bsmode == UNSUPPORTED) return GF_EOS;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tav1dmx_check_dur(filter, ctx);\n\n\tif (!ctx->is_playing && ctx->opid)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\t//flush\n\t\t\twhile (ctx->buf_size) {\n\t\t\t\tu32 buf_size = ctx->buf_size;\n\t\t\t\te = av1dmx_process_buffer(filter, ctx, ctx->buffer, ctx->buf_size, GF_TRUE);\n\t\t\t\tif (e) break;\n\t\t\t\tif (buf_size == ctx->buf_size) {\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (ctx->state.bs && gf_bs_get_position(ctx->state.bs))\n\t\t\t\tav1dmx_parse_flush_sample(filter, ctx);\n\n\t\t\tctx->buf_size = 0;\n\t\t\tif (ctx->opid)\n\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\tctx->src_pck = NULL;\n\t\t\treturn GF_EOS;\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\tif (ctx->opid) {\n\t\tif (!ctx->is_playing || gf_filter_pid_would_block(ctx->opid))\n\t\t\treturn GF_OK;\n\t}\n\n\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale) {\n\t\tBool start, end;\n\t\tu64 cts;\n\n\t\te = GF_OK;\n\n\t\tgf_filter_pck_get_framing(pck, &start, &end);\n\t\t//middle or end of frame, reaggregation\n\t\tif (!start) {\n\t\t\tif (ctx->alloc_size < ctx->buf_size + pck_size) {\n\t\t\t\tctx->alloc_size = ctx->buf_size + pck_size;\n\t\t\t\tctx->buffer = gf_realloc(ctx->buffer, ctx->alloc_size);\n\t\t\t}\n\t\t\tmemcpy(ctx->buffer+ctx->buf_size, data, pck_size);\n\t\t\tctx->buf_size += pck_size;\n\n\t\t\t//end of frame, process av1\n\t\t\tif (end) {\n\t\t\t\te = av1dmx_process_buffer(filter, ctx, ctx->buffer, ctx->buf_size, 
GF_TRUE);\n\t\t\t}\n\t\t\tctx->buf_size=0;\n\t\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\t\treturn e;\n\t\t}\n\t\t//flush of pending frame (might have lost something)\n\t\tif (ctx->buf_size) {\n\t\t\te = av1dmx_process_buffer(filter, ctx, ctx->buffer, ctx->buf_size, GF_TRUE);\n\t\t\tctx->buf_size = 0;\n\t\t\tif (e) return e;\n\t\t}\n\n\t\t//begining of a new frame\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t\tif (cts != GF_FILTER_NO_TS)\n\t\t\tctx->cts = cts;\n\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\tctx->src_pck = pck;\n\t\tgf_filter_pck_ref_props(&ctx->src_pck);\n\t\tctx->buf_size = 0;\n\n\t\tif (!end) {\n\t\t\tif (ctx->alloc_size < ctx->buf_size + pck_size) {\n\t\t\t\tctx->alloc_size = ctx->buf_size + pck_size;\n\t\t\t\tctx->buffer = gf_realloc(ctx->buffer, ctx->alloc_size);\n\t\t\t}\n\t\t\tmemcpy(ctx->buffer+ctx->buf_size, data, pck_size);\n\t\t\tctx->buf_size += pck_size;\n\t\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\t\treturn GF_OK;\n\t\t}\n\t\tassert(start && end);\n\t\t//process\n\t\te = av1dmx_process_buffer(filter, ctx, data, pck_size, GF_FALSE);\n\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\treturn e;\n\t}\n\n\t//not from framed stream, copy buffer\n\tif (ctx->alloc_size < ctx->buf_size + pck_size) {\n\t\tctx->alloc_size = ctx->buf_size + pck_size;\n\t\tctx->buffer = gf_realloc(ctx->buffer, ctx->alloc_size);\n\t}\n\tmemcpy(ctx->buffer+ctx->buf_size, data, pck_size);\n\tctx->buf_size += pck_size;\n\te = av1dmx_process_buffer(filter, ctx, ctx->buffer, ctx->buf_size, GF_TRUE);\n\tgf_filter_pid_drop_packet(ctx->ipid);\n\treturn e;\n}",
- "project": "gpac",
- "hash": 13379975237514725027535547774306034474,
- "size": 119,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236218
- },
- {
- "func": "GF_Err av1dmx_parse_ivf(GF_Filter *filter, GF_AV1DmxCtx *ctx)\n{\n\tGF_Err e;\n\tu32 pck_size;\n\tu64 frame_size = 0, pts = GF_FILTER_NO_TS;\n\tGF_FilterPacket *pck;\n\tu64 pos, pos_ivf_hdr;\n\tu8 *output;\n\n\tpos_ivf_hdr = gf_bs_get_position(ctx->bs);\n\te = gf_media_parse_ivf_frame_header(ctx->bs, &frame_size, &pts);\n\tif (e) return e;\n\n\tpos = gf_bs_get_position(ctx->bs);\n\tif (gf_bs_available(ctx->bs) < frame_size) {\n\t\tgf_bs_seek(ctx->bs, pos_ivf_hdr);\n\t\treturn GF_EOS;\n\t}\n\n\tif (ctx->pts_from_file) {\n\t\tpts += ctx->cumulated_dur;\n\t\tif (ctx->last_pts && (ctx->last_pts>pts)) {\n\t\t\tpts -= ctx->cumulated_dur;\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"[IVF/AV1] Corrupted timestamp \"LLU\" less than previous timestamp \"LLU\", assuming concatenation\\n\", pts, ctx->last_pts));\n\t\t\tctx->cumulated_dur = ctx->last_pts + ctx->cur_fps.den;\n\t\t\tctx->cumulated_dur -= pts;\n\t\t\tpts = ctx->cumulated_dur;\n\t\t}\n\t\tctx->last_pts = pts;\n\t}\n\n\n\t//check pid state\n\tav1dmx_check_pid(filter, ctx);\n\n\tif (!ctx->opid) {\n\t\treturn GF_OK;\n\t}\n\n\tif (!ctx->is_playing) {\n\t\tgf_bs_seek(ctx->bs, pos_ivf_hdr);\n\t\treturn GF_EOS;\n\t}\n\n\tpck_size = (u32)frame_size;\n\tpck = gf_filter_pck_new_alloc(ctx->opid, pck_size, &output);\n\tif (!pck) {\n\t\tgf_bs_seek(ctx->bs, pos_ivf_hdr);\n\t\treturn GF_OUT_OF_MEM;\n\t}\n\tif (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, pck);\n\n\tif (ctx->pts_from_file) {\n\t\tgf_filter_pck_set_cts(pck, pts);\n\t} else {\n\t\tgf_filter_pck_set_cts(pck, ctx->cts);\n\t}\n\n\tgf_bs_seek(ctx->bs, pos);\n\tgf_bs_read_data(ctx->bs, output, pck_size);\n\n\tif (output[0] & 0x80)\n\t\tgf_filter_pck_set_sap(pck, GF_FILTER_SAP_1);\n\telse\n\t\tgf_filter_pck_set_sap(pck, GF_FILTER_SAP_NONE);\n\n\tgf_filter_pck_send(pck);\n\n\tav1dmx_update_cts(ctx);\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 227710249253003161808554207868767011852,
- "size": 71,
- "commit_id": "13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec",
- "message": "fixed #1719",
- "target": 0,
- "dataset": "other",
- "idx": 236226
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ntlm_generate_timestamp",
- "ntlm_current_time",
- "GetSystemTimeAsFileTime"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "void ntlm_current_time(BYTE* timestamp)\n{\n\tFILETIME filetime;\n\tULARGE_INTEGER time64;\n\tGetSystemTimeAsFileTime(&filetime);\n\ttime64.u.LowPart = filetime.dwLowDateTime;\n\ttime64.u.HighPart = filetime.dwHighDateTime;\n\tCopyMemory(timestamp, &(time64.QuadPart), 8);\n}",
- "project": "FreeRDP",
- "hash": 225703998966059836229608822757933918058,
- "size": 9,
- "commit_id": "c098f21fdaadca57ff649eee1674f6cc321a2ec4",
- "message": "Fixed oob read in ntlm_read_ntlm_v2_response",
- "target": 0,
- "dataset": "other",
- "idx": 424870
- },
- {
- "func": "void ntlm_generate_timestamp(NTLM_CONTEXT* context)\n{\n\tif (memcmp(context->ChallengeTimestamp, NTLM_NULL_BUFFER, 8) != 0)\n\t\tCopyMemory(context->Timestamp, context->ChallengeTimestamp, 8);\n\telse\n\t\tntlm_current_time(context->Timestamp);\n}",
- "project": "FreeRDP",
- "hash": 222441413085543285216982206722651183181,
- "size": 7,
- "commit_id": "c098f21fdaadca57ff649eee1674f6cc321a2ec4",
- "message": "Fixed oob read in ntlm_read_ntlm_v2_response",
- "target": 0,
- "dataset": "other",
- "idx": 424861
- },
- {
- "func": "gather_time_entropy(void)\n{\n#ifdef _WIN32\n FILETIME ft;\n GetSystemTimeAsFileTime(&ft); /* never fails */\n return ft.dwHighDateTime ^ ft.dwLowDateTime;\n#else\n struct timeval tv;\n int gettimeofday_res;\n\n gettimeofday_res = gettimeofday(&tv, NULL);\n assert (gettimeofday_res == 0);\n\n /* Microseconds time is <20 bits entropy */\n return tv.tv_usec;\n#endif\n}",
- "project": "libexpat",
- "hash": 191339567346544278956108244764301587072,
- "size": 17,
- "commit_id": "c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f",
- "message": "xmlparse.c: Fix external entity infinite loop bug (CVE-2017-9233)",
- "target": 0,
- "dataset": "other",
- "idx": 308351
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "vgacon_blank",
- "vgacon_set_origin",
- "vga_set_mem_top",
- "write_vga"
- ],
- "group_size": 15,
- "functions": [
- {
- "func": "static void vga_set_palette(struct vc_data *vc, const unsigned char *table)\n{\n\tint i, j;\n\n\tvga_w(vgastate.vgabase, VGA_PEL_MSK, 0xff);\n\tfor (i = j = 0; i < 16; i++) {\n\t\tvga_w(vgastate.vgabase, VGA_PEL_IW, table[i]);\n\t\tvga_w(vgastate.vgabase, VGA_PEL_D, vc->vc_palette[j++] >> 2);\n\t\tvga_w(vgastate.vgabase, VGA_PEL_D, vc->vc_palette[j++] >> 2);\n\t\tvga_w(vgastate.vgabase, VGA_PEL_D, vc->vc_palette[j++] >> 2);\n\t}\n}",
- "project": "linux",
- "hash": 69161396085857593232027150743840926718,
- "size": 12,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380799
- },
- {
- "func": "static void vga_vesa_unblank(struct vgastate *state)\n{\n\t/* restore original values of VGA controller registers */\n\traw_spin_lock_irq(&vga_lock);\n\tvga_w(state->vgabase, VGA_MIS_W, vga_state.CrtMiscIO);\n\n\toutb_p(0x00, vga_video_port_reg);\t/* HorizontalTotal */\n\toutb_p(vga_state.HorizontalTotal, vga_video_port_val);\n\toutb_p(0x01, vga_video_port_reg);\t/* HorizDisplayEnd */\n\toutb_p(vga_state.HorizDisplayEnd, vga_video_port_val);\n\toutb_p(0x04, vga_video_port_reg);\t/* StartHorizRetrace */\n\toutb_p(vga_state.StartHorizRetrace, vga_video_port_val);\n\toutb_p(0x05, vga_video_port_reg);\t/* EndHorizRetrace */\n\toutb_p(vga_state.EndHorizRetrace, vga_video_port_val);\n\toutb_p(0x07, vga_video_port_reg);\t/* Overflow */\n\toutb_p(vga_state.Overflow, vga_video_port_val);\n\toutb_p(0x10, vga_video_port_reg);\t/* StartVertRetrace */\n\toutb_p(vga_state.StartVertRetrace, vga_video_port_val);\n\toutb_p(0x11, vga_video_port_reg);\t/* EndVertRetrace */\n\toutb_p(vga_state.EndVertRetrace, vga_video_port_val);\n\toutb_p(0x17, vga_video_port_reg);\t/* ModeControl */\n\toutb_p(vga_state.ModeControl, vga_video_port_val);\n\t/* ClockingMode */\n\tvga_wseq(state->vgabase, VGA_SEQ_CLOCK_MODE, vga_state.ClockingMode);\n\n\t/* restore index/control registers */\n\tvga_w(state->vgabase, VGA_SEQ_I, vga_state.SeqCtrlIndex);\n\toutb_p(vga_state.CrtCtrlIndex, vga_video_port_reg);\n\traw_spin_unlock_irq(&vga_lock);\n}",
- "project": "linux",
- "hash": 184406626081864079170054080672675019143,
- "size": 30,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380779
- },
- {
- "func": "static void vgacon_cursor(struct vc_data *c, int mode)\n{\n\tif (c->vc_mode != KD_TEXT)\n\t\treturn;\n\n\tvgacon_restore_screen(c);\n\n\tswitch (mode) {\n\tcase CM_ERASE:\n\t\twrite_vga(14, (c->vc_pos - vga_vram_base) / 2);\n\t if (vga_video_type >= VIDEO_TYPE_VGAC)\n\t\t\tvgacon_set_cursor_size(c->state.x, 31, 30);\n\t\telse\n\t\t\tvgacon_set_cursor_size(c->state.x, 31, 31);\n\t\tbreak;\n\n\tcase CM_MOVE:\n\tcase CM_DRAW:\n\t\twrite_vga(14, (c->vc_pos - vga_vram_base) / 2);\n\t\tswitch (CUR_SIZE(c->vc_cursor_type)) {\n\t\tcase CUR_UNDERLINE:\n\t\t\tvgacon_set_cursor_size(c->state.x,\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 2 : 3),\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 1 : 2));\n\t\t\tbreak;\n\t\tcase CUR_TWO_THIRDS:\n\t\t\tvgacon_set_cursor_size(c->state.x,\n\t\t\t\t\t c->vc_font.height / 3,\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 1 : 2));\n\t\t\tbreak;\n\t\tcase CUR_LOWER_THIRD:\n\t\t\tvgacon_set_cursor_size(c->state.x,\n\t\t\t\t\t (c->vc_font.height * 2) / 3,\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 1 : 2));\n\t\t\tbreak;\n\t\tcase CUR_LOWER_HALF:\n\t\t\tvgacon_set_cursor_size(c->state.x,\n\t\t\t\t\t c->vc_font.height / 2,\n\t\t\t\t\t c->vc_font.height -\n\t\t\t\t\t (c->vc_font.height <\n\t\t\t\t\t\t10 ? 1 : 2));\n\t\t\tbreak;\n\t\tcase CUR_NONE:\n\t\t\tif (vga_video_type >= VIDEO_TYPE_VGAC)\n\t\t\t\tvgacon_set_cursor_size(c->state.x, 31, 30);\n\t\t\telse\n\t\t\t\tvgacon_set_cursor_size(c->state.x, 31, 31);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tvgacon_set_cursor_size(c->state.x, 1,\n\t\t\t\t\t c->vc_font.height);\n\t\t\tbreak;\n\t\t}\n\t\tbreak;\n\t}\n}",
- "project": "linux",
- "hash": 264369143806320210804445688532246786005,
- "size": 64,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380777
- },
- {
- "func": "static void vgacon_set_palette(struct vc_data *vc, const unsigned char *table)\n{\n\tif (vga_video_type != VIDEO_TYPE_VGAC || vga_palette_blanked\n\t || !con_is_visible(vc))\n\t\treturn;\n\tvga_set_palette(vc, table);\n}",
- "project": "linux",
- "hash": 284953449934519854768778320975724655644,
- "size": 7,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380801
- },
- {
- "func": "static void vgacon_scrolldelta(struct vc_data *c, int lines)\n{\n\tint start, end, count, soff;\n\n\tif (!lines) {\n\t\tvgacon_restore_screen(c);\n\t\treturn;\n\t}\n\n\tif (!vgacon_scrollback_cur->data)\n\t\treturn;\n\n\tif (!vgacon_scrollback_cur->save) {\n\t\tvgacon_cursor(c, CM_ERASE);\n\t\tvgacon_save_screen(c);\n\t\tc->vc_origin = (unsigned long)c->vc_screenbuf;\n\t\tvgacon_scrollback_cur->save = 1;\n\t}\n\n\tvgacon_scrollback_cur->restore = 0;\n\tstart = vgacon_scrollback_cur->cur + lines;\n\tend = start + abs(lines);\n\n\tif (start < 0)\n\t\tstart = 0;\n\n\tif (start > vgacon_scrollback_cur->cnt)\n\t\tstart = vgacon_scrollback_cur->cnt;\n\n\tif (end < 0)\n\t\tend = 0;\n\n\tif (end > vgacon_scrollback_cur->cnt)\n\t\tend = vgacon_scrollback_cur->cnt;\n\n\tvgacon_scrollback_cur->cur = start;\n\tcount = end - start;\n\tsoff = vgacon_scrollback_cur->tail -\n\t\t((vgacon_scrollback_cur->cnt - end) * c->vc_size_row);\n\tsoff -= count * c->vc_size_row;\n\n\tif (soff < 0)\n\t\tsoff += vgacon_scrollback_cur->size;\n\n\tcount = vgacon_scrollback_cur->cnt - start;\n\n\tif (count > c->vc_rows)\n\t\tcount = c->vc_rows;\n\n\tif (count) {\n\t\tint copysize;\n\n\t\tint diff = c->vc_rows - count;\n\t\tvoid *d = (void *) c->vc_visible_origin;\n\t\tvoid *s = (void *) c->vc_screenbuf;\n\n\t\tcount *= c->vc_size_row;\n\t\t/* how much memory to end of buffer left? */\n\t\tcopysize = min(count, vgacon_scrollback_cur->size - soff);\n\t\tscr_memcpyw(d, vgacon_scrollback_cur->data + soff, copysize);\n\t\td += copysize;\n\t\tcount -= copysize;\n\n\t\tif (count) {\n\t\t\tscr_memcpyw(d, vgacon_scrollback_cur->data, count);\n\t\t\td += count;\n\t\t}\n\n\t\tif (diff)\n\t\t\tscr_memcpyw(d, s, diff * c->vc_size_row);\n\t} else\n\t\tvgacon_cursor(c, CM_MOVE);\n}",
- "project": "linux",
- "hash": 64966259810882479597972966756653255745,
- "size": 73,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 1,
- "dataset": "other",
- "idx": 206374
- },
- {
- "func": "static void vga_vesa_blank(struct vgastate *state, int mode)\n{\n\t/* save original values of VGA controller registers */\n\tif (!vga_vesa_blanked) {\n\t\traw_spin_lock_irq(&vga_lock);\n\t\tvga_state.SeqCtrlIndex = vga_r(state->vgabase, VGA_SEQ_I);\n\t\tvga_state.CrtCtrlIndex = inb_p(vga_video_port_reg);\n\t\tvga_state.CrtMiscIO = vga_r(state->vgabase, VGA_MIS_R);\n\t\traw_spin_unlock_irq(&vga_lock);\n\n\t\toutb_p(0x00, vga_video_port_reg);\t/* HorizontalTotal */\n\t\tvga_state.HorizontalTotal = inb_p(vga_video_port_val);\n\t\toutb_p(0x01, vga_video_port_reg);\t/* HorizDisplayEnd */\n\t\tvga_state.HorizDisplayEnd = inb_p(vga_video_port_val);\n\t\toutb_p(0x04, vga_video_port_reg);\t/* StartHorizRetrace */\n\t\tvga_state.StartHorizRetrace = inb_p(vga_video_port_val);\n\t\toutb_p(0x05, vga_video_port_reg);\t/* EndHorizRetrace */\n\t\tvga_state.EndHorizRetrace = inb_p(vga_video_port_val);\n\t\toutb_p(0x07, vga_video_port_reg);\t/* Overflow */\n\t\tvga_state.Overflow = inb_p(vga_video_port_val);\n\t\toutb_p(0x10, vga_video_port_reg);\t/* StartVertRetrace */\n\t\tvga_state.StartVertRetrace = inb_p(vga_video_port_val);\n\t\toutb_p(0x11, vga_video_port_reg);\t/* EndVertRetrace */\n\t\tvga_state.EndVertRetrace = inb_p(vga_video_port_val);\n\t\toutb_p(0x17, vga_video_port_reg);\t/* ModeControl */\n\t\tvga_state.ModeControl = inb_p(vga_video_port_val);\n\t\tvga_state.ClockingMode = vga_rseq(state->vgabase, VGA_SEQ_CLOCK_MODE);\n\t}\n\n\t/* assure that video is enabled */\n\t/* \"0x20\" is VIDEO_ENABLE_bit in register 01 of sequencer */\n\traw_spin_lock_irq(&vga_lock);\n\tvga_wseq(state->vgabase, VGA_SEQ_CLOCK_MODE, vga_state.ClockingMode | 0x20);\n\n\t/* test for vertical retrace in process.... */\n\tif ((vga_state.CrtMiscIO & 0x80) == 0x80)\n\t\tvga_w(state->vgabase, VGA_MIS_W, vga_state.CrtMiscIO & 0xEF);\n\n\t/*\n\t * Set <End of vertical retrace> to minimum (0) and\n\t * <Start of vertical Retrace> to maximum (incl. 
overflow)\n\t * Result: turn off vertical sync (VSync) pulse.\n\t */\n\tif (mode & VESA_VSYNC_SUSPEND) {\n\t\toutb_p(0x10, vga_video_port_reg);\t/* StartVertRetrace */\n\t\toutb_p(0xff, vga_video_port_val);\t/* maximum value */\n\t\toutb_p(0x11, vga_video_port_reg);\t/* EndVertRetrace */\n\t\toutb_p(0x40, vga_video_port_val);\t/* minimum (bits 0..3) */\n\t\toutb_p(0x07, vga_video_port_reg);\t/* Overflow */\n\t\toutb_p(vga_state.Overflow | 0x84, vga_video_port_val);\t/* bits 9,10 of vert. retrace */\n\t}\n\n\tif (mode & VESA_HSYNC_SUSPEND) {\n\t\t/*\n\t\t * Set <End of horizontal retrace> to minimum (0) and\n\t\t * <Start of horizontal Retrace> to maximum\n\t\t * Result: turn off horizontal sync (HSync) pulse.\n\t\t */\n\t\toutb_p(0x04, vga_video_port_reg);\t/* StartHorizRetrace */\n\t\toutb_p(0xff, vga_video_port_val);\t/* maximum */\n\t\toutb_p(0x05, vga_video_port_reg);\t/* EndHorizRetrace */\n\t\toutb_p(0x00, vga_video_port_val);\t/* minimum (0) */\n\t}\n\n\t/* restore both index registers */\n\tvga_w(state->vgabase, VGA_SEQ_I, vga_state.SeqCtrlIndex);\n\toutb_p(vga_state.CrtCtrlIndex, vga_video_port_reg);\n\traw_spin_unlock_irq(&vga_lock);\n}",
- "project": "linux",
- "hash": 169205194386474999338498297236531359746,
- "size": 69,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380793
- },
- {
- "func": "static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b,\n\t\tenum con_scroll dir, unsigned int lines)\n{\n\tunsigned long oldo;\n\tunsigned int delta;\n\n\tif (t || b != c->vc_rows || vga_is_gfx || c->vc_mode != KD_TEXT)\n\t\treturn false;\n\n\tif (!vga_hardscroll_enabled || lines >= c->vc_rows / 2)\n\t\treturn false;\n\n\tvgacon_restore_screen(c);\n\toldo = c->vc_origin;\n\tdelta = lines * c->vc_size_row;\n\tif (dir == SM_UP) {\n\t\tif (c->vc_scr_end + delta >= vga_vram_end) {\n\t\t\tscr_memcpyw((u16 *) vga_vram_base,\n\t\t\t\t (u16 *) (oldo + delta),\n\t\t\t\t c->vc_screenbuf_size - delta);\n\t\t\tc->vc_origin = vga_vram_base;\n\t\t\tvga_rolled_over = oldo - vga_vram_base;\n\t\t} else\n\t\t\tc->vc_origin += delta;\n\t\tscr_memsetw((u16 *) (c->vc_origin + c->vc_screenbuf_size -\n\t\t\t\t delta), c->vc_video_erase_char,\n\t\t\t delta);\n\t} else {\n\t\tif (oldo - delta < vga_vram_base) {\n\t\t\tscr_memmovew((u16 *) (vga_vram_end -\n\t\t\t\t\t c->vc_screenbuf_size +\n\t\t\t\t\t delta), (u16 *) oldo,\n\t\t\t\t c->vc_screenbuf_size - delta);\n\t\t\tc->vc_origin = vga_vram_end - c->vc_screenbuf_size;\n\t\t\tvga_rolled_over = 0;\n\t\t} else\n\t\t\tc->vc_origin -= delta;\n\t\tc->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;\n\t\tscr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char,\n\t\t\t delta);\n\t}\n\tc->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;\n\tc->vc_visible_origin = c->vc_origin;\n\tvga_set_mem_top(c);\n\tc->vc_pos = (c->vc_pos - oldo) + c->vc_origin;\n\treturn true;\n}",
- "project": "linux",
- "hash": 6422331725750285546258064518217604095,
- "size": 47,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380794
- },
- {
- "func": "static void vgacon_set_cursor_size(int xpos, int from, int to)\n{\n\tunsigned long flags;\n\tint curs, cure;\n\n\tif ((from == cursor_size_lastfrom) && (to == cursor_size_lastto))\n\t\treturn;\n\tcursor_size_lastfrom = from;\n\tcursor_size_lastto = to;\n\n\traw_spin_lock_irqsave(&vga_lock, flags);\n\tif (vga_video_type >= VIDEO_TYPE_VGAC) {\n\t\toutb_p(VGA_CRTC_CURSOR_START, vga_video_port_reg);\n\t\tcurs = inb_p(vga_video_port_val);\n\t\toutb_p(VGA_CRTC_CURSOR_END, vga_video_port_reg);\n\t\tcure = inb_p(vga_video_port_val);\n\t} else {\n\t\tcurs = 0;\n\t\tcure = 0;\n\t}\n\n\tcurs = (curs & 0xc0) | from;\n\tcure = (cure & 0xe0) | to;\n\n\toutb_p(VGA_CRTC_CURSOR_START, vga_video_port_reg);\n\toutb_p(curs, vga_video_port_val);\n\toutb_p(VGA_CRTC_CURSOR_END, vga_video_port_reg);\n\toutb_p(cure, vga_video_port_val);\n\traw_spin_unlock_irqrestore(&vga_lock, flags);\n}",
- "project": "linux",
- "hash": 98023379548510040458660830909970450666,
- "size": 30,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380789
- },
- {
- "func": "static int vgacon_blank(struct vc_data *c, int blank, int mode_switch)\n{\n\tswitch (blank) {\n\tcase 0:\t\t/* Unblank */\n\t\tif (vga_vesa_blanked) {\n\t\t\tvga_vesa_unblank(&vgastate);\n\t\t\tvga_vesa_blanked = 0;\n\t\t}\n\t\tif (vga_palette_blanked) {\n\t\t\tvga_set_palette(c, color_table);\n\t\t\tvga_palette_blanked = false;\n\t\t\treturn 0;\n\t\t}\n\t\tvga_is_gfx = false;\n\t\t/* Tell console.c that it has to restore the screen itself */\n\t\treturn 1;\n\tcase 1:\t\t/* Normal blanking */\n\tcase -1:\t/* Obsolete */\n\t\tif (!mode_switch && vga_video_type == VIDEO_TYPE_VGAC) {\n\t\t\tvga_pal_blank(&vgastate);\n\t\t\tvga_palette_blanked = true;\n\t\t\treturn 0;\n\t\t}\n\t\tvgacon_set_origin(c);\n\t\tscr_memsetw((void *) vga_vram_base, BLANK,\n\t\t\t c->vc_screenbuf_size);\n\t\tif (mode_switch)\n\t\t\tvga_is_gfx = true;\n\t\treturn 1;\n\tdefault:\t\t/* VESA blanking */\n\t\tif (vga_video_type == VIDEO_TYPE_VGAC) {\n\t\t\tvga_vesa_blank(&vgastate, blank - 1);\n\t\t\tvga_vesa_blanked = blank;\n\t\t}\n\t\treturn 0;\n\t}\n}",
- "project": "linux",
- "hash": 313472742106039195020032312511805944801,
- "size": 37,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380780
- },
- {
- "func": "static void vgacon_deinit(struct vc_data *c)\n{\n\t/* When closing the active console, reset video origin */\n\tif (con_is_visible(c)) {\n\t\tc->vc_visible_origin = vga_vram_base;\n\t\tvga_set_mem_top(c);\n\t}\n\n\tif (!--vgacon_refcount)\n\t\tcon_free_unimap(c);\n\tc->vc_uni_pagedir_loc = &c->vc_uni_pagedir;\n\tcon_set_default_unimap(c);\n}",
- "project": "linux",
- "hash": 233161550231503558770393112479094393957,
- "size": 13,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380791
- },
- {
- "func": "static inline void write_vga(unsigned char reg, unsigned int val)\n{\n\tunsigned int v1, v2;\n\tunsigned long flags;\n\n\t/*\n\t * ddprintk might set the console position from interrupt\n\t * handlers, thus the write has to be IRQ-atomic.\n\t */\n\traw_spin_lock_irqsave(&vga_lock, flags);\n\tv1 = reg + (val & 0xff00);\n\tv2 = reg + 1 + ((val << 8) & 0xff00);\n\toutw(v1, vga_video_port_reg);\n\toutw(v2, vga_video_port_reg);\n\traw_spin_unlock_irqrestore(&vga_lock, flags);\n}",
- "project": "linux",
- "hash": 86666845087505016899583039047087987511,
- "size": 16,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380804
- },
- {
- "func": "static inline void vga_set_mem_top(struct vc_data *c)\n{\n\twrite_vga(12, (c->vc_visible_origin - vga_vram_base) / 2);\n}",
- "project": "linux",
- "hash": 234695802227779534616768870462737489924,
- "size": 4,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380785
- },
- {
- "func": "static int vgacon_set_origin(struct vc_data *c)\n{\n\tif (vga_is_gfx ||\t/* We don't play origin tricks in graphic modes */\n\t (console_blanked && !vga_palette_blanked))\t/* Nor we write to blanked screens */\n\t\treturn 0;\n\tc->vc_origin = c->vc_visible_origin = vga_vram_base;\n\tvga_set_mem_top(c);\n\tvga_rolled_over = 0;\n\treturn 1;\n}",
- "project": "linux",
- "hash": 76221709976647395378566495189091919731,
- "size": 10,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380798
- },
- {
- "func": "static void vgacon_save_screen(struct vc_data *c)\n{\n\tstatic int vga_bootup_console = 0;\n\n\tif (!vga_bootup_console) {\n\t\t/* This is a gross hack, but here is the only place we can\n\t\t * set bootup console parameters without messing up generic\n\t\t * console initialization routines.\n\t\t */\n\t\tvga_bootup_console = 1;\n\t\tc->state.x = screen_info.orig_x;\n\t\tc->state.y = screen_info.orig_y;\n\t}\n\n\t/* We can't copy in more than the size of the video buffer,\n\t * or we'll be copying in VGA BIOS */\n\n\tif (!vga_is_gfx)\n\t\tscr_memcpyw((u16 *) c->vc_screenbuf, (u16 *) c->vc_origin,\n\t\t\t c->vc_screenbuf_size > vga_vram_size ? vga_vram_size : c->vc_screenbuf_size);\n}",
- "project": "linux",
- "hash": 119602094871467323630347578381677778314,
- "size": 21,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380800
- },
- {
- "func": "static void vga_pal_blank(struct vgastate *state)\n{\n\tint i;\n\n\tvga_w(state->vgabase, VGA_PEL_MSK, 0xff);\n\tfor (i = 0; i < 16; i++) {\n\t\tvga_w(state->vgabase, VGA_PEL_IW, i);\n\t\tvga_w(state->vgabase, VGA_PEL_D, 0);\n\t\tvga_w(state->vgabase, VGA_PEL_D, 0);\n\t\tvga_w(state->vgabase, VGA_PEL_D, 0);\n\t}\n}",
- "project": "linux",
- "hash": 203400436583029701202633738517513553529,
- "size": 12,
- "commit_id": "973c096f6a85e5b5f2a295126ba6928d9a6afd45",
- "message": "vgacon: remove software scrollback support\n\nYunhai Zhang recently fixed a VGA software scrollback bug in commit\nebfdfeeae8c0 (\"vgacon: Fix for missing check in scrollback handling\"),\nbut that then made people look more closely at some of this code, and\nthere were more problems on the vgacon side, but also the fbcon software\nscrollback.\n\nWe don't really have anybody who maintains this code - probably because\nnobody actually _uses_ it any more. Sure, people still use both VGA and\nthe framebuffer consoles, but they are no longer the main user\ninterfaces to the kernel, and haven't been for decades, so these kinds\nof extra features end up bitrotting and not really being used.\n\nSo rather than try to maintain a likely unused set of code, I'll just\naggressively remove it, and see if anybody even notices. Maybe there\nare people who haven't jumped on the whole GUI badnwagon yet, and think\nit's just a fad. And maybe those people use the scrollback code.\n\nIf that turns out to be the case, we can resurrect this again, once\nwe've found the sucker^Wmaintainer for it who actually uses it.\n\nReported-by: NopNop Nop <nopitydays@gmail.com>\nTested-by: Willy Tarreau <w@1wt.eu>\nCc: 张云海 <zhangyunhai@nsfocus.com>\nAcked-by: Andy Lutomirski <luto@amacapital.net>\nAcked-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 380778
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "cil_reset_filecon",
- "cil_reset_context",
- "cil_reset_levelrange",
- "cil_reset_level",
- "cil_reset_cats"
- ],
- "group_size": 24,
- "functions": [
- {
- "func": "static void cil_reset_iomemcon(struct cil_iomemcon *iomemcon)\n{\n\tif (iomemcon->context_str == NULL) {\n\t\tcil_reset_context(iomemcon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 17294379785361724029176009118549344135,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416772
- },
- {
- "func": "static void cil_reset_selinuxuser(struct cil_selinuxuser *selinuxuser)\n{\n\tif (selinuxuser->range_str == NULL) {\n\t\tcil_reset_levelrange(selinuxuser->range);\n\t}\n}",
- "project": "selinux",
- "hash": 47987057994886177309731877750012583777,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416751
- },
- {
- "func": "static void cil_reset_pcidevicecon(struct cil_pcidevicecon *pcidevicecon)\n{\n\tif (pcidevicecon->context_str == NULL) {\n\t\tcil_reset_context(pcidevicecon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 119525301942122478477613140710069458408,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416753
- },
- {
- "func": "static void cil_reset_ioportcon(struct cil_ioportcon *ioportcon)\n{\n\tif (ioportcon->context_str == NULL) {\n\t\tcil_reset_context(ioportcon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 1067741166550746201659876313177568207,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416749
- },
- {
- "func": "static inline void cil_reset_levelrange(struct cil_levelrange *levelrange)\n{\n\tif (levelrange->low_str == NULL) {\n\t\tcil_reset_level(levelrange->low);\n\t}\n\n\tif (levelrange->high_str == NULL) {\n\t\tcil_reset_level(levelrange->high);\n\t}\n}",
- "project": "selinux",
- "hash": 58223510928110067588596973412546613930,
- "size": 10,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416795
- },
- {
- "func": "static inline void cil_reset_userlevel(struct cil_userlevel *userlevel)\n{\n\tif (userlevel->level_str == NULL) {\n\t\tcil_reset_level(userlevel->level);\n\t}\n}",
- "project": "selinux",
- "hash": 19439091921131468623085362525437340917,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416785
- },
- {
- "func": "static void cil_reset_genfscon(struct cil_genfscon *genfscon)\n{\n\tif (genfscon->context_str == NULL) {\n\t\tcil_reset_context(genfscon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 42647376735197218470365773424791624792,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416799
- },
- {
- "func": "static void cil_reset_devicetreecon(struct cil_devicetreecon *devicetreecon)\n{\n\tif (devicetreecon->context_str == NULL) {\n\t\tcil_reset_context(devicetreecon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 315907578779480076783953336959060130874,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416791
- },
- {
- "func": "static void cil_reset_senscat(struct cil_senscat *senscat)\n{\n\tcil_reset_cats(senscat->cats);\n}",
- "project": "selinux",
- "hash": 83999524537573071360332571034006686886,
- "size": 4,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416765
- },
- {
- "func": "static inline void cil_reset_level(struct cil_level *level)\n{\n\tcil_reset_cats(level->cats);\n}",
- "project": "selinux",
- "hash": 50903987015025178212833048707576751187,
- "size": 4,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416779
- },
- {
- "func": "static void cil_reset_filecon(struct cil_filecon *filecon)\n{\n\tif (filecon->context_str == NULL && filecon->context != NULL) {\n\t\tcil_reset_context(filecon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 140530303651107143785230409512266245108,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416770
- },
- {
- "func": "static void cil_reset_sidcontext(struct cil_sidcontext *sidcontext)\n{\n\tif (sidcontext->context_str == NULL) {\n\t\tcil_reset_context(sidcontext->context);\n\t}\n}",
- "project": "selinux",
- "hash": 22447463263912064098359945453477799690,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416794
- },
- {
- "func": "static void cil_reset_catset(struct cil_catset *catset)\n{\n\tcil_reset_cats(catset->cats);\n}",
- "project": "selinux",
- "hash": 192528959249440385364899685664343911934,
- "size": 4,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416796
- },
- {
- "func": "static inline void cil_reset_userrange(struct cil_userrange *userrange)\n{\n\tif (userrange->range_str == NULL) {\n\t\tcil_reset_levelrange(userrange->range);\n\t}\n}",
- "project": "selinux",
- "hash": 20344475556824189517246054653906967006,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416782
- },
- {
- "func": "static void cil_reset_portcon(struct cil_portcon *portcon)\n{\n\tif (portcon->context_str == NULL) {\n\t\tcil_reset_context(portcon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 32291371718995786756974044984262035491,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416778
- },
- {
- "func": "static void cil_reset_fsuse(struct cil_fsuse *fsuse)\n{\n\tif (fsuse->context_str == NULL) {\n\t\tcil_reset_context(fsuse->context);\n\t}\n}",
- "project": "selinux",
- "hash": 157014338427233394563451864436247226043,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416746
- },
- {
- "func": "static void cil_reset_ibendportcon(struct cil_ibendportcon *ibendportcon)\n{\n\tif (!ibendportcon->context_str) {\n\t\tcil_reset_context(ibendportcon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 299537236405345857665973805548268892473,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416775
- },
- {
- "func": "static void cil_reset_nodecon(struct cil_nodecon *nodecon)\n{\n\tif (nodecon->context_str == NULL) {\n\t\tcil_reset_context(nodecon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 122761695387561201818911265790074064859,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416759
- },
- {
- "func": "static inline void cil_reset_cats(struct cil_cats *cats)\n{\n\tif (cats != NULL) {\n\t\tcats->evaluated = CIL_FALSE;\n\t\tcil_list_destroy(&cats->datum_expr, CIL_FALSE);\n\t}\n}",
- "project": "selinux",
- "hash": 168046840476563336604361810946570798404,
- "size": 7,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416793
- },
- {
- "func": "static void cil_reset_netifcon(struct cil_netifcon *netifcon)\n{\n\tif (netifcon->if_context_str == NULL) {\n\t\tcil_reset_context(netifcon->if_context);\n\t}\n\n\tif (netifcon->packet_context_str == NULL) {\n\t\tcil_reset_context(netifcon->packet_context);\n\t}\n}",
- "project": "selinux",
- "hash": 266989301306506351876653892961154046816,
- "size": 10,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416776
- },
- {
- "func": "static void cil_reset_pirqcon(struct cil_pirqcon *pirqcon)\n{\n\tif (pirqcon->context_str == NULL) {\n\t\tcil_reset_context(pirqcon->context);\n\t}\n}",
- "project": "selinux",
- "hash": 84287819942665266242757458642560647373,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416763
- },
- {
- "func": "static void cil_reset_ibpkeycon(struct cil_ibpkeycon *ibpkeycon)\n{\n\tif (!ibpkeycon->context_str)\n\t\tcil_reset_context(ibpkeycon->context);\n}",
- "project": "selinux",
- "hash": 93198655059093132959911041093836448149,
- "size": 5,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416797
- },
- {
- "func": "static inline void cil_reset_context(struct cil_context *context)\n{\n\tif (context->range_str == NULL) {\n\t\tcil_reset_levelrange(context->range);\n\t}\n}",
- "project": "selinux",
- "hash": 101113658878170045320539907768714391773,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416788
- },
- {
- "func": "static void cil_reset_rangetransition(struct cil_rangetransition *rangetrans)\n{\n\tif (rangetrans->range_str == NULL) {\n\t\tcil_reset_levelrange(rangetrans->range);\n\t}\n}",
- "project": "selinux",
- "hash": 197782370229658749608993956728894127665,
- "size": 6,
- "commit_id": "c49a8ea09501ad66e799ea41b8154b6770fec2c8",
- "message": "libsepol/cil: cil_reset_classperms_set() should not reset classpermission\n\nIn struct cil_classperms_set, the set field is a pointer to a\nstruct cil_classpermission which is looked up in the symbol table.\nSince the cil_classperms_set does not create the cil_classpermission,\nit should not reset it.\n\nSet the set field to NULL instead of resetting the classpermission\nthat it points to.\n\nSigned-off-by: James Carter <jwcart2@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 416761
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "diff",
- "search",
- "matchlen"
- ],
- "group_size": 5,
- "functions": [
- {
- "project": "bsdiff4",
- "commit_id": "49a4cee2feef7deaf9d89e5e793a8824930284d7",
- "target": 0,
- "func": "static void qsufsort(off_t *I, off_t *V, unsigned char *old, off_t oldsize)\n{\n off_t buckets[256], i, h, len;\n\n for (i = 0; i < 256; i++)\n buckets[i] = 0;\n for (i = 0; i < oldsize; i++)\n buckets[old[i]]++;\n for (i = 1; i < 256; i++)\n buckets[i] += buckets[i - 1];\n for (i = 255; i > 0; i--)\n buckets[i] = buckets[i - 1];\n buckets[0] = 0;\n\n for (i = 0; i < oldsize; i++)\n I[++buckets[old[i]]] = i;\n I[0] = oldsize;\n for (i = 0; i < oldsize; i++)\n V[i] = buckets[old[i]];\n V[oldsize] = 0;\n for (i = 1; i < 256; i++)\n if (buckets[i] == buckets[i - 1] + 1)\n I[buckets[i]] = -1;\n I[0] = -1;\n\n for (h = 1; I[0] != -(oldsize + 1); h += h) {\n len = 0;\n for (i = 0; i < oldsize + 1;) {\n if (I[i] < 0) {\n len -= I[i];\n i -= I[i];\n } else {\n if (len)\n I[i - len] = -len;\n len = V[I[i]] + 1 - i;\n split(I, V, i, len, h);\n i += len;\n len=0;\n }\n }\n if (len)\n I[i - len] = -len;\n }\n\n for (i = 0; i < oldsize + 1; i++)\n I[V[i]] = i;\n}",
- "idx": 519592,
- "cwe": "CWE-787",
- "hash": 312186853885179059534442670973859084161,
- "dataset": "other"
- },
- {
- "project": "bsdiff4",
- "commit_id": "49a4cee2feef7deaf9d89e5e793a8824930284d7",
- "target": 0,
- "func": "static void split(off_t *I, off_t *V, off_t start, off_t len, off_t h)\n{\n off_t i, j, k, x, tmp, jj, kk;\n\n if (len < 16) {\n for (k = start; k < start + len; k += j) {\n j = 1;\n x = V[I[k] + h];\n for (i = 1; k + i < start + len; i++) {\n if (V[I[k + i] + h] < x) {\n x = V[I[k + i] + h];\n j = 0;\n }\n if (V[I[k + i] + h] == x) {\n tmp = I[k + j];\n I[k + j] = I[k + i];\n I[k + i] = tmp;\n j++;\n }\n }\n for (i = 0; i < j; i++)\n V[I[k + i]] = k + j - 1;\n if (j == 1)\n I[k] = -1;\n }\n\n } else {\n\n jj = 0;\n kk = 0;\n x = V[I[start + len / 2] + h];\n for (i = start; i < start + len; i++) {\n if (V[I[i] + h] < x)\n jj++;\n if (V[I[i] + h] == x)\n kk++;\n }\n jj += start;\n kk += jj;\n\n j = 0;\n k = 0;\n i = start;\n while (i < jj) {\n if (V[I[i] + h] < x) {\n i++;\n } else if (V[I[i] + h] == x) {\n tmp = I[i];\n I[i] = I[jj + j];\n I[jj + j] = tmp;\n j++;\n } else {\n tmp = I[i];\n I[i] = I[kk + k];\n I[kk + k] = tmp;\n k++;\n }\n }\n\n while (jj + j < kk) {\n if (V[I[jj + j] + h] == x) {\n j++;\n } else {\n tmp = I[jj + j];\n I[jj + j] = I[kk + k];\n I[kk + k] = tmp;\n k++;\n }\n }\n\n if (jj > start)\n split(I, V, start, jj - start, h);\n\n for (i = 0; i < kk - jj; i++)\n V[I[jj + i]] = kk - 1;\n if (jj == kk - 1)\n I[jj] = -1;\n if (start + len > kk)\n split(I, V, kk, start + len - kk, h);\n }\n}",
- "idx": 519596,
- "cwe": "CWE-787",
- "hash": 66430564430039357204930906409815512737,
- "dataset": "other"
- },
- {
- "project": "bsdiff4",
- "commit_id": "49a4cee2feef7deaf9d89e5e793a8824930284d7",
- "target": 0,
- "func": "static off_t matchlen(unsigned char *old, off_t oldsize,\n unsigned char *new, off_t newsize)\n{\n off_t i;\n\n for (i = 0; (i < oldsize) && (i < newsize); i++)\n if (old[i] != new[i])\n break;\n return i;\n}",
- "idx": 519590,
- "cwe": "CWE-787",
- "hash": 118067552938773837291723287890347039335,
- "dataset": "other"
- },
- {
- "project": "bsdiff4",
- "commit_id": "49a4cee2feef7deaf9d89e5e793a8824930284d7",
- "target": 0,
- "func": "static PyObject* diff(PyObject* self, PyObject* args)\n{\n off_t lastscan, lastpos, lastoffset, oldscore, scsc, overlap, Ss, lens;\n off_t *I, *V, dblen, eblen, scan, pos, len, s, Sf, lenf, Sb, lenb, i;\n PyObject *controlTuples, *tuple, *results, *temp;\n Py_ssize_t origDataLength, newDataLength;\n char *origData, *newData;\n unsigned char *db, *eb;\n\n if (!PyArg_ParseTuple(args, \"s#s#\",\n &origData, &origDataLength,\n &newData, &newDataLength))\n return NULL;\n\n /* create the control tuple */\n controlTuples = PyList_New(0);\n if (!controlTuples)\n return NULL;\n\n /* perform sort on original data */\n I = PyMem_Malloc((origDataLength + 1) * sizeof(off_t));\n if (!I) {\n Py_DECREF(controlTuples);\n return PyErr_NoMemory();\n }\n V = PyMem_Malloc((origDataLength + 1) * sizeof(off_t));\n if (!V) {\n Py_DECREF(controlTuples);\n PyMem_Free(I);\n return PyErr_NoMemory();\n }\n Py_BEGIN_ALLOW_THREADS /* release GIL */\n qsufsort(I, V, (unsigned char *) origData, origDataLength);\n Py_END_ALLOW_THREADS\n PyMem_Free(V);\n\n /* allocate memory for the diff and extra blocks */\n db = PyMem_Malloc(newDataLength + 1);\n if (!db) {\n Py_DECREF(controlTuples);\n PyMem_Free(I);\n return PyErr_NoMemory();\n }\n eb = PyMem_Malloc(newDataLength + 1);\n if (!eb) {\n Py_DECREF(controlTuples);\n PyMem_Free(I);\n PyMem_Free(db);\n return PyErr_NoMemory();\n }\n dblen = 0;\n eblen = 0;\n\n /* perform the diff */\n len = 0;\n scan = 0;\n lastscan = 0;\n lastpos = 0;\n lastoffset = 0;\n pos = 0;\n while (scan < newDataLength) {\n oldscore = 0;\n\n Py_BEGIN_ALLOW_THREADS /* release GIL */\n for (scsc = scan += len; scan < newDataLength; scan++) {\n len = search(I, (unsigned char *) origData, origDataLength,\n (unsigned char *) newData + scan,\n newDataLength - scan, 0, origDataLength, &pos);\n for (; scsc < scan + len; scsc++)\n if ((scsc + lastoffset < origDataLength) &&\n (origData[scsc + lastoffset] == newData[scsc]))\n oldscore++;\n if (((len == oldscore) && (len != 0)) 
|| (len > oldscore + 8))\n break;\n if ((scan + lastoffset < origDataLength) &&\n (origData[scan + lastoffset] == newData[scan]))\n oldscore--;\n }\n Py_END_ALLOW_THREADS\n\n if ((len != oldscore) || (scan == newDataLength)) {\n s = 0;\n Sf = 0;\n lenf = 0;\n for (i = 0; (lastscan + i < scan) &&\n (lastpos + i < origDataLength);) {\n if (origData[lastpos + i] == newData[lastscan + i])\n s++;\n i++;\n if (s * 2 - i > Sf * 2 - lenf) {\n Sf = s;\n lenf = i;\n }\n }\n\n lenb = 0;\n if (scan < newDataLength) {\n s = 0;\n Sb = 0;\n for (i = 1; (scan >= lastscan + i) && (pos >= i); i++) {\n if (origData[pos - i] == newData[scan - i])\n s++;\n if (s * 2 - i > Sb * 2 - lenb) {\n Sb = s;\n lenb = i;\n }\n }\n }\n\n if (lastscan + lenf > scan - lenb) {\n overlap = (lastscan + lenf) - (scan - lenb);\n s = 0;\n Ss = 0;\n lens = 0;\n for (i = 0; i < overlap; i++) {\n if (newData[lastscan + lenf - overlap + i] ==\n origData[lastpos + lenf - overlap + i])\n s++;\n if (newData[scan - lenb + i]== origData[pos - lenb + i])\n s--;\n if (s > Ss) {\n Ss = s;\n lens = i + 1;\n }\n }\n\n lenf += lens - overlap;\n lenb -= lens;\n }\n\n for (i = 0; i < lenf; i++)\n db[dblen + i] = newData[lastscan + i] - origData[lastpos + i];\n for (i = 0; i < (scan - lenb) - (lastscan + lenf); i++)\n eb[eblen + i] = newData[lastscan + lenf + i];\n\n dblen += lenf;\n eblen += (scan - lenb) - (lastscan + lenf);\n\n tuple = PyTuple_New(3);\n if (!tuple) {\n Py_DECREF(controlTuples);\n PyMem_Free(I);\n PyMem_Free(db);\n PyMem_Free(eb);\n return NULL;\n }\n PyTuple_SET_ITEM(tuple, 0, PyLong_FromLong(lenf));\n PyTuple_SET_ITEM(tuple, 1,\n PyLong_FromLong((scan - lenb) - (lastscan + lenf)));\n PyTuple_SET_ITEM(tuple, 2,\n PyLong_FromLong((pos - lenb) - (lastpos + lenf)));\n if (PyList_Append(controlTuples, tuple) < 0) {\n Py_DECREF(controlTuples);\n Py_DECREF(tuple);\n PyMem_Free(I);\n PyMem_Free(db);\n PyMem_Free(eb);\n return NULL;\n }\n Py_DECREF(tuple);\n\n lastscan = scan - lenb;\n lastpos = pos - lenb;\n 
lastoffset = pos - scan;\n }\n }\n\n PyMem_Free(I);\n results = PyTuple_New(3);\n if (!results) {\n PyMem_Free(db);\n PyMem_Free(eb);\n return NULL;\n }\n PyTuple_SET_ITEM(results, 0, controlTuples);\n temp = PyBytes_FromStringAndSize((char *) db, dblen);\n PyMem_Free(db);\n if (!temp) {\n PyMem_Free(eb);\n Py_DECREF(results);\n return NULL;\n }\n PyTuple_SET_ITEM(results, 1, temp);\n temp = PyBytes_FromStringAndSize((char *) eb, eblen);\n PyMem_Free(eb);\n if (!temp) {\n Py_DECREF(results);\n return NULL;\n }\n PyTuple_SET_ITEM(results, 2, temp);\n\n return results;\n}",
- "idx": 519597,
- "cwe": "CWE-787",
- "hash": 136576671654096117951821115191168181804,
- "dataset": "other"
- },
- {
- "project": "bsdiff4",
- "commit_id": "49a4cee2feef7deaf9d89e5e793a8824930284d7",
- "target": 0,
- "func": "static off_t search(off_t *I,\n unsigned char *old, off_t oldsize,\n unsigned char *new, off_t newsize,\n off_t st, off_t en, off_t *pos)\n{\n off_t x, y;\n\n if (en - st < 2) {\n x = matchlen(old + I[st], oldsize - I[st], new, newsize);\n y = matchlen(old + I[en], oldsize - I[en], new, newsize);\n\n if (x > y) {\n *pos = I[st];\n return x;\n } else {\n *pos = I[en];\n return y;\n }\n }\n\n x = st + (en - st) / 2;\n if (memcmp(old + I[x], new, MIN(oldsize - I[x], newsize)) < 0) {\n return search(I, old, oldsize, new, newsize, x, en, pos);\n } else {\n return search(I, old, oldsize, new, newsize, st, x, pos);\n }\n}",
- "idx": 519594,
- "cwe": "CWE-787",
- "hash": 145361571169878593493473941590284758962,
- "dataset": "other"
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ofpbuf_use_stack",
- "ofpbuf_put",
- "put_be32"
- ],
- "group_size": 11,
- "functions": [
- {
- "func": "decode_OFPAT_RAW_DEC_NW_TTL(struct ofpbuf *out)\n{\n uint16_t id = 0;\n struct ofpact_cnt_ids *ids;\n enum ofperr error = 0;\n\n ids = ofpact_put_DEC_TTL(out);\n ids->n_controllers = 1;\n ofpbuf_put(out, &id, sizeof id);\n ids = out->header;\n ofpact_finish_DEC_TTL(out, &ids);\n return error;\n}",
- "project": "ovs",
- "hash": 130239518441169416586243487462483186763,
- "size": 13,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280564
- },
- {
- "func": "put_be16(struct ofpbuf *b, ovs_be16 x)\n{\n ofpbuf_put(b, &x, sizeof x);\n}",
- "project": "ovs",
- "hash": 126126618690884882217325586180178689899,
- "size": 4,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280691
- },
- {
- "func": "ofpact_copy(struct ofpbuf *out, const struct ofpact *a)\n{\n ofpbuf_put(out, a, OFPACT_ALIGN(a->len));\n}",
- "project": "ovs",
- "hash": 318528760131616299637717263581731591457,
- "size": 4,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280714
- },
- {
- "func": "decode_NXAST_RAW_NOTE(const struct nx_action_note *nan,\n enum ofp_version ofp_version OVS_UNUSED,\n struct ofpbuf *out)\n{\n struct ofpact_note *note;\n unsigned int length;\n\n length = ntohs(nan->len) - offsetof(struct nx_action_note, note);\n note = ofpact_put_NOTE(out);\n note->length = length;\n ofpbuf_put(out, nan->note, length);\n note = out->header;\n ofpact_finish_NOTE(out, ¬e);\n\n return 0;\n}",
- "project": "ovs",
- "hash": 191293389683504496358788231290077673977,
- "size": 16,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280753
- },
- {
- "func": "put_be32(struct ofpbuf *b, ovs_be32 x)\n{\n ofpbuf_put(b, &x, sizeof x);\n}",
- "project": "ovs",
- "hash": 329313464429107578959359589517891819925,
- "size": 4,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280824
- },
- {
- "func": "encode_NOTE(const struct ofpact_note *note,\n enum ofp_version ofp_version OVS_UNUSED, struct ofpbuf *out)\n{\n size_t start_ofs = out->size;\n struct nx_action_note *nan;\n\n put_NXAST_NOTE(out);\n out->size = out->size - sizeof nan->note;\n\n ofpbuf_put(out, note->data, note->length);\n pad_ofpat(out, start_ofs);\n}",
- "project": "ovs",
- "hash": 97417207261621710791117408910375387443,
- "size": 12,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280500
- },
- {
- "func": "encode_STACK_op(const struct ofpact_stack *stack_action,\n struct nx_action_stack *nasp)\n{\n struct ofpbuf b;\n ovs_be16 n_bits;\n\n nasp->offset = htons(stack_action->subfield.ofs);\n\n ofpbuf_use_stack(&b, nasp, ntohs(nasp->len));\n ofpbuf_put_uninit(&b, OBJECT_OFFSETOF(nasp, pad));\n nx_put_mff_header(&b, stack_action->subfield.field, 0, false);\n n_bits = htons(stack_action->subfield.n_bits);\n ofpbuf_put(&b, &n_bits, sizeof n_bits);\n}",
- "project": "ovs",
- "hash": 297782608420565508923593678585242248971,
- "size": 14,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280813
- },
- {
- "func": "encode_STACK_PUSH(const struct ofpact_stack *stack,\n enum ofp_version ofp_version OVS_UNUSED, struct ofpbuf *out)\n{\n encode_STACK_op(stack, put_NXAST_STACK_PUSH(out));\n}",
- "project": "ovs",
- "hash": 260078556911193373288772195673729324288,
- "size": 5,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280533
- },
- {
- "func": "encode_STACK_POP(const struct ofpact_stack *stack,\n enum ofp_version ofp_version OVS_UNUSED, struct ofpbuf *out)\n{\n encode_STACK_op(stack, put_NXAST_STACK_POP(out));\n}",
- "project": "ovs",
- "hash": 7150781408595981479720323736968631036,
- "size": 5,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280570
- },
- {
- "func": "put_u32(struct ofpbuf *b, uint32_t x)\n{\n put_be32(b, htonl(x));\n}",
- "project": "ovs",
- "hash": 176251839261200854061667342430221863559,
- "size": 4,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280486
- },
- {
- "func": "parse_noargs_dec_ttl(const struct ofpact_parse_params *pp)\n{\n struct ofpact_cnt_ids *ids;\n uint16_t id = 0;\n\n ofpact_put_DEC_TTL(pp->ofpacts);\n ofpbuf_put(pp->ofpacts, &id, sizeof id);\n ids = pp->ofpacts->header;\n ids->n_controllers++;\n ofpact_finish_DEC_TTL(pp->ofpacts, &ids);\n}",
- "project": "ovs",
- "hash": 255320333385340516493091930211986922232,
- "size": 11,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280804
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "dissect_dvb_s2_modeadapt",
- "dissect_dvb_s2_bb",
- "dissect_dvb_s2_gse",
- "proto_tree_add_item"
- ],
- "group_size": 23,
- "functions": [
- {
- "func": "static int dissect_dvb_s2_gse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)\n{\n int new_off = 0;\n int frag_len;\n guint16 gse_hdr, data_len, padding_len, gse_proto = 0;\n\n proto_item *ti;\n proto_item *ttf;\n proto_tree *dvb_s2_gse_tree, *dvb_s2_gse_ncr_tree;\n\n tvbuff_t *next_tvb, *data_tvb;\n gboolean dissected = FALSE;\n gboolean update_col_info = TRUE;\n\n static int * const gse_header_bitfields[] = {\n &hf_dvb_s2_gse_hdr_start,\n &hf_dvb_s2_gse_hdr_stop,\n &hf_dvb_s2_gse_hdr_labeltype,\n &hf_dvb_s2_gse_hdr_length,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_INFO, \" GSE\");\n\n /* get the GSE header */\n gse_hdr = tvb_get_ntohs(tvb, DVB_S2_GSE_OFFS_HDR);\n\n /* check if this is just padding, which takes up the rest of the frame */\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) &&\n BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS) &&\n BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n\n padding_len = tvb_reported_length(tvb);\n proto_tree_add_uint_format(tree, hf_dvb_s2_gse_padding, tvb, new_off, padding_len, padding_len,\n \"DVB-S2 GSE Padding, Length: %d\", padding_len);\n col_append_str(pinfo->cinfo, COL_INFO, \" pad\");\n new_off += padding_len;\n\n return new_off;\n } else {\n /* Not padding, parse as a GSE Header */\n new_off += 2;\n frag_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK)+2;\n ti = proto_tree_add_item(tree, proto_dvb_s2_gse, tvb, 0, frag_len, ENC_NA);\n dvb_s2_gse_tree = proto_item_add_subtree(ti, ett_dvb_s2_gse);\n\n proto_tree_add_bitmask_with_flags(dvb_s2_gse_tree, tvb, DVB_S2_GSE_OFFS_HDR, hf_dvb_s2_gse_hdr,\n ett_dvb_s2_gse_hdr, gse_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_TFS);\n\n /* Get the fragment ID for reassembly */\n guint8 fragid = tvb_get_guint8(tvb, new_off);\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) || BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n /* Not a start or end packet, add only the fragid 
*/\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_fragid, tvb, new_off, 1, ENC_BIG_ENDIAN);\n\n new_off += 1;\n }\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n /* Start packet, add the fragment size */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_totlength, tvb, new_off, 2, ENC_BIG_ENDIAN);\n col_append_str(pinfo->cinfo, COL_INFO, \"(frag) \");\n\n new_off += 2;\n }\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS)) {\n /* Start packet, decode the header */\n gse_proto = tvb_get_ntohs(tvb, new_off);\n\n /* Protocol Type */\n if (gse_proto <= 1535) {\n /* Type 1 (Next-Header Type field) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_proto_next_header, tvb, new_off, 2, ENC_BIG_ENDIAN);\n }\n else {\n /* Type 2 (EtherType compatible Type Fields) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_proto_ethertype, tvb, new_off, 2, ENC_BIG_ENDIAN);\n }\n new_off += 2;\n\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n /* 6 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"6 \");\n\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_label6, tvb, new_off, 6, ENC_NA);\n\n new_off += 6;\n } else if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) &&\n BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n /* 3 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"3 \");\n\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_label3, tvb, new_off, 3, ENC_BIG_ENDIAN);\n\n new_off += 3;\n } else {\n /* 0 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"0 \");\n }\n if (gse_proto < 0x0600 && gse_proto >= 0x100) {\n /* Only display optional extension headers */\n /* TODO: needs to be tested */\n\n /* TODO: implementation needs to be checked 
(len of ext-header??) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_exthdr, tvb, new_off, 1, ENC_BIG_ENDIAN);\n\n new_off += 1;\n }\n }\n else\n {\n /* correct cinfo */\n col_append_str(pinfo->cinfo, COL_INFO, \"(frag) \");\n }\n\n next_tvb = tvb_new_subset_remaining(tvb, new_off);\n\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n data_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK) - (new_off - DVB_S2_GSE_MINSIZE) - DVB_S2_GSE_CRC32_LEN;\n } else {\n data_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK) - (new_off - DVB_S2_GSE_MINSIZE);\n }\n\n data_tvb = NULL;\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) || BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n fragment_head *dvbs2_frag_head = NULL;\n int offset = new_off;\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS)) {\n offset -= 2; /* re-include GSE type in reassembled data */\n data_len += 2;\n }\n dvbs2_frag_head = fragment_add_seq_next(&dvbs2_reassembly_table, tvb, offset,\n pinfo, fragid, NULL, data_len, BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS));\n\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n dvbs2_frag_head = fragment_end_seq_next(&dvbs2_reassembly_table, pinfo, fragid, NULL);\n\n data_tvb = process_reassembled_data(tvb, new_off, pinfo, \"Reassembled DVB-S2\",\n dvbs2_frag_head, &dvbs2_frag_items, &update_col_info, tree);\n }\n\n if (data_tvb != NULL) {\n /* We have a reassembled packet. Extract the gse_proto from it. 
*/\n gse_proto = tvb_get_ntohs(data_tvb, 0);\n /* And then remove it from the reassembled data */\n data_tvb = tvb_new_subset_remaining(data_tvb, 2);\n } else {\n data_tvb = tvb_new_subset_length(tvb, new_off, data_len);\n }\n\n switch (gse_proto) {\n case ETHERTYPE_IP:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(ip_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case ETHERTYPE_IPv6:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(ipv6_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case ETHERTYPE_VLAN:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(eth_withoutfcs_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case DVB_RCS2_SIGNAL_TABLE:\n call_dissector(dvb_s2_table_handle, data_tvb, pinfo, tree);\n new_off += data_len;\n dissected = TRUE;\n break;\n\n case DVB_RCS2_NCR:\n ttf = proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_ncr, tvb, new_off, data_len, ENC_NA);\n dvb_s2_gse_ncr_tree = proto_item_add_subtree(ttf, ett_dvb_s2_gse_ncr);\n proto_tree_add_item(dvb_s2_gse_ncr_tree, hf_dvb_s2_gse_data, tvb, new_off, data_len, ENC_NA);\n new_off += data_len;\n dissected = TRUE;\n break;\n\n default:\n /* Not handled! TODO: expert info? */\n break;\n }\n\n if (!dissected) {\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_data, tvb, new_off, data_len, ENC_NA);\n new_off += data_len;\n }\n\n /* add crc32 if last fragment */\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_crc32, tvb, new_off, DVB_S2_GSE_CRC32_LEN, ENC_BIG_ENDIAN);\n new_off += DVB_S2_GSE_CRC32_LEN;\n }\n }\n\n return new_off;\n}",
- "project": "wireshark",
- "hash": 332483595863232337377912983497727022384,
- "size": 210,
- "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.",
- "target": 0,
- "dataset": "other",
- "idx": 283347
- },
- {
- "func": "static int dissect_dvb_s2_gse(tvbuff_t *tvb, int cur_off, proto_tree *tree, packet_info *pinfo, int bytes_available)\n{\n int new_off = 0;\n int frag_len;\n guint16 gse_hdr, data_len, padding_len, gse_proto = 0;\n\n proto_item *ti;\n proto_item *ttf;\n proto_tree *dvb_s2_gse_tree, *dvb_s2_gse_ncr_tree;\n\n tvbuff_t *next_tvb, *data_tvb;\n gboolean dissected = FALSE;\n gboolean update_col_info = TRUE;\n\n static int * const gse_header_bitfields[] = {\n &hf_dvb_s2_gse_hdr_start,\n &hf_dvb_s2_gse_hdr_stop,\n &hf_dvb_s2_gse_hdr_labeltype,\n &hf_dvb_s2_gse_hdr_length,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_INFO, \" GSE\");\n\n /* get the GSE header */\n gse_hdr = tvb_get_ntohs(tvb, cur_off + DVB_S2_GSE_OFFS_HDR);\n\n /* check if this is just padding, which takes up the rest of the frame */\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) &&\n BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS) &&\n BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n\n padding_len = bytes_available;\n proto_tree_add_uint_format(tree, hf_dvb_s2_gse_padding, tvb, cur_off + new_off, padding_len, padding_len,\n \"DVB-S2 GSE Padding, Length: %d\", padding_len);\n col_append_str(pinfo->cinfo, COL_INFO, \" pad\");\n new_off += padding_len;\n\n return new_off;\n } else {\n /* Not padding, parse as a GSE Header */\n new_off += 2;\n frag_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK)+2;\n ti = proto_tree_add_item(tree, proto_dvb_s2_gse, tvb, cur_off, frag_len, ENC_NA);\n dvb_s2_gse_tree = proto_item_add_subtree(ti, ett_dvb_s2_gse);\n\n proto_tree_add_bitmask_with_flags(dvb_s2_gse_tree, tvb, cur_off + DVB_S2_GSE_OFFS_HDR, hf_dvb_s2_gse_hdr,\n ett_dvb_s2_gse_hdr, gse_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_TFS);\n\n /* Get the fragment ID for reassembly */\n guint8 fragid = tvb_get_guint8(tvb, cur_off + new_off);\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) || BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) 
{\n /* Not a start or end packet, add only the fragid */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_fragid, tvb, cur_off + new_off, 1, ENC_BIG_ENDIAN);\n\n new_off += 1;\n }\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n /* Start packet, add the fragment size */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_totlength, tvb, cur_off + new_off, 2, ENC_BIG_ENDIAN);\n col_append_str(pinfo->cinfo, COL_INFO, \"(frag) \");\n\n new_off += 2;\n }\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS)) {\n /* Start packet, decode the header */\n gse_proto = tvb_get_ntohs(tvb, cur_off + new_off);\n\n /* Protocol Type */\n if (gse_proto <= 1535) {\n /* Type 1 (Next-Header Type field) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_proto_next_header, tvb, cur_off + new_off, 2, ENC_BIG_ENDIAN);\n }\n else {\n /* Type 2 (EtherType compatible Type Fields) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_proto_ethertype, tvb, cur_off + new_off, 2, ENC_BIG_ENDIAN);\n }\n new_off += 2;\n\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) && BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n /* 6 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"6 \");\n\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_label6, tvb, cur_off + new_off, 6, ENC_NA);\n\n new_off += 6;\n } else if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS1) &&\n BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_LABELTYPE_POS2)) {\n /* 3 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"3 \");\n\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_label3, tvb, cur_off + new_off, 3, ENC_BIG_ENDIAN);\n\n new_off += 3;\n } else {\n /* 0 byte label */\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n col_append_str(pinfo->cinfo, COL_INFO, \"0 \");\n }\n if (gse_proto < 0x0600 && gse_proto >= 0x100) {\n /* 
Only display optional extension headers */\n /* TODO: needs to be tested */\n\n /* TODO: implementation needs to be checked (len of ext-header??) */\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_exthdr, tvb, cur_off + new_off, 1, ENC_BIG_ENDIAN);\n\n new_off += 1;\n }\n }\n else\n {\n /* correct cinfo */\n col_append_str(pinfo->cinfo, COL_INFO, \"(frag) \");\n }\n\n next_tvb = tvb_new_subset_remaining(tvb, cur_off + new_off);\n\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n data_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK) - (new_off - DVB_S2_GSE_MINSIZE) - DVB_S2_GSE_CRC32_LEN;\n } else {\n data_len = (gse_hdr & DVB_S2_GSE_HDR_LENGTH_MASK) - (new_off - DVB_S2_GSE_MINSIZE);\n }\n\n data_tvb = NULL;\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) || BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n fragment_head *dvbs2_frag_head = NULL;\n int offset = cur_off + new_off;\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_START_POS)) {\n offset -= 2; /* re-include GSE type in reassembled data */\n data_len += 2;\n }\n dvbs2_frag_head = fragment_add_seq_next(&dvbs2_reassembly_table, tvb, offset,\n pinfo, fragid, NULL, data_len, BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_STOP_POS));\n\n if (BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS))\n dvbs2_frag_head = fragment_end_seq_next(&dvbs2_reassembly_table, pinfo, fragid, NULL);\n\n data_tvb = process_reassembled_data(tvb, cur_off + new_off, pinfo, \"Reassembled DVB-S2\",\n dvbs2_frag_head, &dvbs2_frag_items, &update_col_info, tree);\n }\n\n if (data_tvb != NULL) {\n /* We have a reassembled packet. Extract the gse_proto from it. 
*/\n gse_proto = tvb_get_ntohs(data_tvb, 0);\n /* And then remove it from the reassembled data */\n data_tvb = tvb_new_subset_remaining(data_tvb, 2);\n } else {\n data_tvb = tvb_new_subset_length(tvb, cur_off + new_off, data_len);\n }\n\n switch (gse_proto) {\n case ETHERTYPE_IP:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(ip_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case ETHERTYPE_IPv6:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(ipv6_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case ETHERTYPE_VLAN:\n if (dvb_s2_full_dissection)\n {\n new_off += call_dissector(eth_withoutfcs_handle, next_tvb, pinfo, tree);\n dissected = TRUE;\n }\n break;\n\n case DVB_RCS2_SIGNAL_TABLE:\n call_dissector(dvb_s2_table_handle, data_tvb, pinfo, tree);\n new_off += data_len;\n dissected = TRUE;\n break;\n\n case DVB_RCS2_NCR:\n ttf = proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_ncr, tvb, cur_off + new_off, data_len, ENC_NA);\n dvb_s2_gse_ncr_tree = proto_item_add_subtree(ttf, ett_dvb_s2_gse_ncr);\n proto_tree_add_item(dvb_s2_gse_ncr_tree, hf_dvb_s2_gse_data, tvb, cur_off + new_off, data_len, ENC_NA);\n new_off += data_len;\n dissected = TRUE;\n break;\n\n default:\n /* Not handled! TODO: expert info? */\n break;\n }\n\n if (!dissected) {\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_data, tvb, cur_off + new_off, data_len, ENC_NA);\n new_off += data_len;\n }\n\n /* add crc32 if last fragment */\n if (BIT_IS_CLEAR(gse_hdr, DVB_S2_GSE_HDR_START_POS) && BIT_IS_SET(gse_hdr, DVB_S2_GSE_HDR_STOP_POS)) {\n proto_tree_add_item(dvb_s2_gse_tree, hf_dvb_s2_gse_crc32, tvb, cur_off + new_off, DVB_S2_GSE_CRC32_LEN, ENC_BIG_ENDIAN);\n new_off += DVB_S2_GSE_CRC32_LEN;\n }\n }\n\n return new_off;\n}",
- "project": "wireshark",
- "hash": 239216512787203232815472442179418930376,
- "size": 210,
- "commit_id": "0d8be1fb797b3d65f1c2c204da76af8e8de6d3cc",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.\n\n\n(cherry picked from commit 0137c24d60934f131b25506a88c9464e4dc827de)",
- "target": 0,
- "dataset": "other",
- "idx": 475260
- },
- {
- "func": "mptcp_analysis_add_subflows(packet_info *pinfo _U_, tvbuff_t *tvb,\n proto_tree *parent_tree, struct mptcp_analysis* mptcpd)\n{\n wmem_list_frame_t *it;\n proto_tree *tree;\n proto_item *item;\n\n item=proto_tree_add_item(parent_tree, hf_mptcp_analysis_subflows, tvb, 0, 0, ENC_NA);\n PROTO_ITEM_SET_GENERATED(item);\n\n tree=proto_item_add_subtree(item, ett_mptcp_analysis_subflows);\n\n /* for the analysis, we set each subflow tcp stream id */\n for(it = wmem_list_head(mptcpd->subflows); it != NULL; it = wmem_list_frame_next(it)) {\n struct tcp_analysis *sf = (struct tcp_analysis *)wmem_list_frame_data(it);\n proto_item *subflow_item;\n subflow_item=proto_tree_add_uint(tree, hf_mptcp_analysis_subflows_stream_id, tvb, 0, 0, sf->stream);\n PROTO_ITEM_SET_HIDDEN(subflow_item);\n\n proto_item_append_text(item, \" %d\", sf->stream);\n }\n\n PROTO_ITEM_SET_GENERATED(item);\n}",
- "project": "wireshark",
- "hash": 229540375069498975967414832924739189284,
- "size": 24,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385204
- },
- {
- "func": "static guint8 compute_crc8(tvbuff_t *p, guint8 len, guint8 offset)\n{\n int i;\n guint8 crc = 0, tmp;\n\n for (i = 0; i < len; i++) {\n tmp = tvb_get_guint8(p, offset++);\n crc = crc8_table[crc ^ tmp];\n }\n return crc;\n}",
- "project": "wireshark",
- "hash": 86277274294827179960284729000500653909,
- "size": 11,
- "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.",
- "target": 0,
- "dataset": "other",
- "idx": 283345
- },
- {
- "func": "dissect_tcpopt_md5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_tree *field_tree;\n proto_item *item;\n proto_item *length_item;\n int offset = 0, optlen = tvb_reported_length(tvb);\n\n item = proto_tree_add_item(tree, proto_tcp_option_md5, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(item, ett_tcp_opt_md5);\n\n col_append_lstr(pinfo->cinfo, COL_INFO, \" MD5\", COL_ADD_LSTR_TERMINATOR);\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, optlen, TCPOLEN_MD5))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item(field_tree, hf_tcp_option_md5_digest, tvb,\n offset + 2, optlen - 2, ENC_NA);\n\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 229530356732808834061798770817848972068,
- "size": 24,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385186
- },
- {
- "func": "dnp3_append_2item_text(proto_item *item1, proto_item *item2, const gchar *text)\n{\n proto_item_append_text(item1, \"%s\", text);\n proto_item_append_text(item2, \"%s\", text);\n}",
- "project": "wireshark",
- "hash": 172275225429037143393024449344197922195,
- "size": 5,
- "commit_id": "618661b22e34a59b21117db723d8ff91e064d4ba",
- "message": "dnp: plug a memory leak.\n\nIf we're throwing away the data, *throw away the data* - free it, as\nwe're not using it as the backing data for a tvbuff.",
- "target": 0,
- "dataset": "other",
- "idx": 335505
- },
- {
- "func": "rvbd_probe_resp_add_info(proto_item *pitem, packet_info *pinfo, tvbuff_t *tvb, int ip_offset, guint16 port)\n{\n proto_item_append_text(pitem, \", Server Steelhead: %s:%u\", tvb_ip_to_str(tvb, ip_offset), port);\n\n col_prepend_fstr(pinfo->cinfo, COL_INFO, \"SA+, \");\n}",
- "project": "wireshark",
- "hash": 35361955294164077367943438059540926693,
- "size": 6,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385198
- },
- {
- "func": "static gboolean test_dvb_s2_crc(tvbuff_t *tvb, guint offset) {\n\n guint8 input8;\n\n /* only check BB Header and return */\n if (tvb_captured_length(tvb) < (offset + DVB_S2_BB_HEADER_LEN))\n return FALSE;\n\n input8 = tvb_get_guint8(tvb, offset + DVB_S2_BB_OFFS_CRC);\n\n if (compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, offset) != input8)\n return FALSE;\n else\n return TRUE;\n}",
- "project": "wireshark",
- "hash": 178223073981686552311440261799744038755,
- "size": 15,
- "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.",
- "target": 0,
- "dataset": "other",
- "idx": 283343
- },
- {
- "func": "print_pdu_tracking_data(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tcp_tree, struct tcp_multisegment_pdu *msp)\n{\n proto_item *item;\n\n col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, \"[Continuation to #%u] \", msp->first_frame);\n item=proto_tree_add_uint(tcp_tree, hf_tcp_continuation_to,\n tvb, 0, 0, msp->first_frame);\n PROTO_ITEM_SET_GENERATED(item);\n}",
- "project": "wireshark",
- "hash": 317886403689526237342760239131645238935,
- "size": 9,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385185
- },
- {
- "func": "static int dissect_dvb_s2_bb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)\n{\n proto_item *ti;\n proto_tree *dvb_s2_bb_tree;\n\n guint8 input8, matype1;\n guint8 sync_flag = 0;\n guint16 input16, bb_data_len = 0, user_packet_length;\n\n int sub_dissected = 0, flag_is_ms = 0, new_off = 0;\n\n static int * const bb_header_bitfields[] = {\n &hf_dvb_s2_bb_matype1_gs,\n &hf_dvb_s2_bb_matype1_mis,\n &hf_dvb_s2_bb_matype1_acm,\n &hf_dvb_s2_bb_matype1_issyi,\n &hf_dvb_s2_bb_matype1_npd,\n &hf_dvb_s2_bb_matype1_low_ro,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_PROTOCOL, \"BB \");\n col_append_str(pinfo->cinfo, COL_INFO, \"Baseband \");\n\n /* create display subtree for the protocol */\n ti = proto_tree_add_item(tree, proto_dvb_s2_bb, tvb, 0, DVB_S2_BB_HEADER_LEN, ENC_NA);\n dvb_s2_bb_tree = proto_item_add_subtree(ti, ett_dvb_s2_bb);\n\n matype1 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE1);\n new_off += 1;\n\n if (BIT_IS_CLEAR(matype1, DVB_S2_BB_MIS_POS))\n flag_is_ms = 1;\n\n proto_tree_add_bitmask_with_flags(dvb_s2_bb_tree, tvb, DVB_S2_BB_OFFS_MATYPE1, hf_dvb_s2_bb_matype1,\n ett_dvb_s2_bb_matype1, bb_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n\n input8 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE1);\n\n if ((pinfo->fd->num == 1) && (_use_low_rolloff_value != 0)) {\n _use_low_rolloff_value = 0;\n }\n if (((input8 & 0x03) == 3) && !_use_low_rolloff_value) {\n _use_low_rolloff_value = 1;\n }\n if (_use_low_rolloff_value) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_low_ro, tvb,\n DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_high_ro, tvb,\n DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n }\n\n input8 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE2);\n new_off += 1;\n if (flag_is_ms) {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"Input Stream Identifier (ISI): %d\",\n input8);\n 
} else {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"reserved\");\n }\n\n user_packet_length = input16 = tvb_get_ntohs(tvb, DVB_S2_BB_OFFS_UPL);\n new_off += 2;\n\n proto_tree_add_uint_format(dvb_s2_bb_tree, hf_dvb_s2_bb_upl, tvb,\n DVB_S2_BB_OFFS_UPL, 2, input16, \"User Packet Length: %d bits (%d bytes)\",\n (guint16) input16, (guint16) input16 / 8);\n\n bb_data_len = input16 = tvb_get_ntohs(tvb, DVB_S2_BB_OFFS_DFL);\n bb_data_len /= 8;\n new_off += 2;\n\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_dfl, tvb,\n DVB_S2_BB_OFFS_DFL, 2, input16, \"%d bits (%d bytes)\", input16, input16 / 8);\n\n new_off += 1;\n sync_flag = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_SYNC);\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_sync, tvb, DVB_S2_BB_OFFS_SYNC, 1, ENC_BIG_ENDIAN);\n\n new_off += 2;\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_syncd, tvb, DVB_S2_BB_OFFS_SYNCD, 2, ENC_BIG_ENDIAN);\n\n new_off += 1;\n proto_tree_add_checksum(dvb_s2_bb_tree, tvb, DVB_S2_BB_OFFS_CRC, hf_dvb_s2_bb_crc, hf_dvb_s2_bb_crc_status, &ei_dvb_s2_bb_crc, pinfo,\n compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, 0), ENC_NA, PROTO_CHECKSUM_VERIFY);\n\n switch (matype1 & DVB_S2_BB_TSGS_MASK) {\n case DVB_S2_BB_TSGS_GENERIC_CONTINUOUS:\n /* Check GSE constraints on the BB header per 9.2.1 of ETSI TS 102 771 */\n if (BIT_IS_SET(matype1, DVB_S2_BB_ISSYI_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_issy_invalid);\n }\n if (BIT_IS_SET(matype1, DVB_S2_BB_NPD_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_npd_invalid);\n }\n if (user_packet_length != 0x0000) {\n expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_upl_invalid,\n \"UPL is 0x%04x. 
It must be 0x0000 for GSE packets.\", user_packet_length);\n }\n\n\n if (dvb_s2_df_dissection) {\n while (bb_data_len) {\n if (sync_flag == DVB_S2_BB_SYNC_EIP_CRC32 && bb_data_len == DVB_S2_BB_EIP_CRC32_LEN) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_eip_crc32, tvb, new_off, bb_data_len, ENC_NA);\n bb_data_len = 0;\n new_off += DVB_S2_BB_EIP_CRC32_LEN;\n } else {\n /* start DVB-GSE dissector */\n sub_dissected = dissect_dvb_s2_gse(tvb_new_subset_length(tvb, new_off, bb_data_len), pinfo, tree, NULL);\n new_off += sub_dissected;\n\n if ((sub_dissected <= bb_data_len) && (sub_dissected >= DVB_S2_GSE_MINSIZE)) {\n bb_data_len -= sub_dissected;\n if (bb_data_len < DVB_S2_GSE_MINSIZE)\n bb_data_len = 0;\n }\n }\n }\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_df, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n }\n break;\n\n case DVB_S2_BB_TSGS_GENERIC_PACKETIZED:\n proto_tree_add_item(tree, hf_dvb_s2_bb_packetized, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n case DVB_S2_BB_TSGS_TRANSPORT_STREAM:\n proto_tree_add_item(tree, hf_dvb_s2_bb_transport, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n default:\n proto_tree_add_item(tree, hf_dvb_s2_bb_reserved, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_reserved);\n break;\n }\n\n return new_off;\n}",
- "project": "wireshark",
- "hash": 210796043791253976716955079241114200072,
- "size": 147,
- "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.",
- "target": 1,
- "dataset": "other",
- "idx": 198763
- },
- {
- "func": "static int dissect_dvb_s2_bb(tvbuff_t *tvb, int cur_off, proto_tree *tree, packet_info *pinfo)\n{\n proto_item *ti;\n proto_tree *dvb_s2_bb_tree;\n\n guint8 input8, matype1;\n guint8 sync_flag = 0;\n guint16 input16, bb_data_len = 0, user_packet_length;\n\n int sub_dissected = 0, flag_is_ms = 0, new_off = 0;\n\n static int * const bb_header_bitfields[] = {\n &hf_dvb_s2_bb_matype1_gs,\n &hf_dvb_s2_bb_matype1_mis,\n &hf_dvb_s2_bb_matype1_acm,\n &hf_dvb_s2_bb_matype1_issyi,\n &hf_dvb_s2_bb_matype1_npd,\n &hf_dvb_s2_bb_matype1_low_ro,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_PROTOCOL, \"BB \");\n col_append_str(pinfo->cinfo, COL_INFO, \"Baseband \");\n\n /* create display subtree for the protocol */\n ti = proto_tree_add_item(tree, proto_dvb_s2_bb, tvb, cur_off, DVB_S2_BB_HEADER_LEN, ENC_NA);\n dvb_s2_bb_tree = proto_item_add_subtree(ti, ett_dvb_s2_bb);\n\n matype1 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1);\n new_off += 1;\n\n if (BIT_IS_CLEAR(matype1, DVB_S2_BB_MIS_POS))\n flag_is_ms = 1;\n\n proto_tree_add_bitmask_with_flags(dvb_s2_bb_tree, tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1, hf_dvb_s2_bb_matype1,\n ett_dvb_s2_bb_matype1, bb_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n\n input8 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1);\n\n if ((pinfo->fd->num == 1) && (_use_low_rolloff_value != 0)) {\n _use_low_rolloff_value = 0;\n }\n if (((input8 & 0x03) == 3) && !_use_low_rolloff_value) {\n _use_low_rolloff_value = 1;\n }\n if (_use_low_rolloff_value) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_low_ro, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_high_ro, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n }\n\n input8 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE2);\n new_off += 1;\n if (flag_is_ms) {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n cur_off + 
DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"Input Stream Identifier (ISI): %d\",\n input8);\n } else {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"reserved\");\n }\n\n user_packet_length = input16 = tvb_get_ntohs(tvb, cur_off + DVB_S2_BB_OFFS_UPL);\n new_off += 2;\n\n proto_tree_add_uint_format(dvb_s2_bb_tree, hf_dvb_s2_bb_upl, tvb,\n cur_off + DVB_S2_BB_OFFS_UPL, 2, input16, \"User Packet Length: %d bits (%d bytes)\",\n (guint16) input16, (guint16) input16 / 8);\n\n bb_data_len = input16 = tvb_get_ntohs(tvb, cur_off + DVB_S2_BB_OFFS_DFL);\n bb_data_len /= 8;\n new_off += 2;\n\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_dfl, tvb,\n cur_off + DVB_S2_BB_OFFS_DFL, 2, input16, \"%d bits (%d bytes)\", input16, input16 / 8);\n\n new_off += 1;\n sync_flag = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_SYNC);\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_sync, tvb, cur_off + DVB_S2_BB_OFFS_SYNC, 1, ENC_BIG_ENDIAN);\n\n new_off += 2;\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_syncd, tvb, cur_off + DVB_S2_BB_OFFS_SYNCD, 2, ENC_BIG_ENDIAN);\n\n new_off += 1;\n proto_tree_add_checksum(dvb_s2_bb_tree, tvb, cur_off + DVB_S2_BB_OFFS_CRC, hf_dvb_s2_bb_crc, hf_dvb_s2_bb_crc_status, &ei_dvb_s2_bb_crc, pinfo,\n compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, cur_off), ENC_NA, PROTO_CHECKSUM_VERIFY);\n\n switch (matype1 & DVB_S2_BB_TSGS_MASK) {\n case DVB_S2_BB_TSGS_GENERIC_CONTINUOUS:\n /* Check GSE constraints on the BB header per 9.2.1 of ETSI TS 102 771 */\n if (BIT_IS_SET(matype1, DVB_S2_BB_ISSYI_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_issy_invalid);\n }\n if (BIT_IS_SET(matype1, DVB_S2_BB_NPD_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_npd_invalid);\n }\n if (user_packet_length != 0x0000) {\n expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_upl_invalid,\n \"UPL is 0x%04x. 
It must be 0x0000 for GSE packets.\", user_packet_length);\n }\n\n\n if (dvb_s2_df_dissection) {\n while (bb_data_len) {\n if (sync_flag == DVB_S2_BB_SYNC_EIP_CRC32 && bb_data_len == DVB_S2_BB_EIP_CRC32_LEN) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_eip_crc32, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n bb_data_len = 0;\n new_off += DVB_S2_BB_EIP_CRC32_LEN;\n } else {\n /* start DVB-GSE dissector */\n sub_dissected = dissect_dvb_s2_gse(tvb, cur_off + new_off, tree, pinfo, bb_data_len);\n new_off += sub_dissected;\n\n if ((sub_dissected <= bb_data_len) && (sub_dissected >= DVB_S2_GSE_MINSIZE)) {\n bb_data_len -= sub_dissected;\n if (bb_data_len < DVB_S2_GSE_MINSIZE)\n bb_data_len = 0;\n }\n }\n }\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_df, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n }\n break;\n\n case DVB_S2_BB_TSGS_GENERIC_PACKETIZED:\n proto_tree_add_item(tree, hf_dvb_s2_bb_packetized, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n case DVB_S2_BB_TSGS_TRANSPORT_STREAM:\n proto_tree_add_item(tree, hf_dvb_s2_bb_transport, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n default:\n proto_tree_add_item(tree, hf_dvb_s2_bb_reserved, tvb, cur_off + new_off,bb_data_len, ENC_NA);\n new_off += bb_data_len;\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_reserved);\n break;\n }\n\n return new_off;\n}",
- "project": "wireshark",
- "hash": 308318766763033510949212779797367389554,
- "size": 147,
- "commit_id": "0d8be1fb797b3d65f1c2c204da76af8e8de6d3cc",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.\n\n\n(cherry picked from commit 0137c24d60934f131b25506a88c9464e4dc827de)",
- "target": 1,
- "dataset": "other",
- "idx": 214056
- },
- {
- "func": "static int dissect_dvb_s2_bb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)\n{\n proto_item *ti;\n proto_tree *dvb_s2_bb_tree;\n\n guint8 input8, matype1;\n guint8 sync_flag = 0;\n guint16 input16, bb_data_len = 0, user_packet_length;\n\n int sub_dissected = 0, flag_is_ms = 0, new_off = 0;\n\n static int * const bb_header_bitfields[] = {\n &hf_dvb_s2_bb_matype1_gs,\n &hf_dvb_s2_bb_matype1_mis,\n &hf_dvb_s2_bb_matype1_acm,\n &hf_dvb_s2_bb_matype1_issyi,\n &hf_dvb_s2_bb_matype1_npd,\n &hf_dvb_s2_bb_matype1_low_ro,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_PROTOCOL, \"BB \");\n col_append_str(pinfo->cinfo, COL_INFO, \"Baseband \");\n\n /* create display subtree for the protocol */\n ti = proto_tree_add_item(tree, proto_dvb_s2_bb, tvb, 0, DVB_S2_BB_HEADER_LEN, ENC_NA);\n dvb_s2_bb_tree = proto_item_add_subtree(ti, ett_dvb_s2_bb);\n\n matype1 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE1);\n new_off += 1;\n\n if (BIT_IS_CLEAR(matype1, DVB_S2_BB_MIS_POS))\n flag_is_ms = 1;\n\n proto_tree_add_bitmask_with_flags(dvb_s2_bb_tree, tvb, DVB_S2_BB_OFFS_MATYPE1, hf_dvb_s2_bb_matype1,\n ett_dvb_s2_bb_matype1, bb_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n\n input8 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE1);\n\n if ((pinfo->fd->num == 1) && (_use_low_rolloff_value != 0)) {\n _use_low_rolloff_value = 0;\n }\n if (((input8 & 0x03) == 3) && !_use_low_rolloff_value) {\n _use_low_rolloff_value = 1;\n }\n if (_use_low_rolloff_value) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_low_ro, tvb,\n DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_high_ro, tvb,\n DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n }\n\n input8 = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_MATYPE2);\n new_off += 1;\n if (flag_is_ms) {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"Input Stream Identifier (ISI): %d\",\n input8);\n 
} else {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"reserved\");\n }\n\n user_packet_length = input16 = tvb_get_ntohs(tvb, DVB_S2_BB_OFFS_UPL);\n new_off += 2;\n\n proto_tree_add_uint_format(dvb_s2_bb_tree, hf_dvb_s2_bb_upl, tvb,\n DVB_S2_BB_OFFS_UPL, 2, input16, \"User Packet Length: %d bits (%d bytes)\",\n (guint16) input16, (guint16) input16 / 8);\n\n bb_data_len = input16 = tvb_get_ntohs(tvb, DVB_S2_BB_OFFS_DFL);\n bb_data_len /= 8;\n new_off += 2;\n\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_dfl, tvb,\n DVB_S2_BB_OFFS_DFL, 2, input16, \"%d bits (%d bytes)\", input16, input16 / 8);\n\n new_off += 1;\n sync_flag = tvb_get_guint8(tvb, DVB_S2_BB_OFFS_SYNC);\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_sync, tvb, DVB_S2_BB_OFFS_SYNC, 1, ENC_BIG_ENDIAN);\n\n new_off += 2;\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_syncd, tvb, DVB_S2_BB_OFFS_SYNCD, 2, ENC_BIG_ENDIAN);\n\n new_off += 1;\n proto_tree_add_checksum(dvb_s2_bb_tree, tvb, DVB_S2_BB_OFFS_CRC, hf_dvb_s2_bb_crc, hf_dvb_s2_bb_crc_status, &ei_dvb_s2_bb_crc, pinfo,\n compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, 0), ENC_NA, PROTO_CHECKSUM_VERIFY);\n\n switch (matype1 & DVB_S2_BB_TSGS_MASK) {\n case DVB_S2_BB_TSGS_GENERIC_CONTINUOUS:\n /* Check GSE constraints on the BB header per 9.2.1 of ETSI TS 102 771 */\n if (BIT_IS_SET(matype1, DVB_S2_BB_ISSYI_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_issy_invalid);\n }\n if (BIT_IS_SET(matype1, DVB_S2_BB_NPD_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_npd_invalid);\n }\n if (user_packet_length != 0x0000) {\n expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_upl_invalid,\n \"UPL is 0x%04x. 
It must be 0x0000 for GSE packets.\", user_packet_length);\n }\n\n\n if (dvb_s2_df_dissection) {\n while (bb_data_len) {\n if (sync_flag == DVB_S2_BB_SYNC_EIP_CRC32 && bb_data_len == DVB_S2_BB_EIP_CRC32_LEN) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_eip_crc32, tvb, new_off, bb_data_len, ENC_NA);\n bb_data_len = 0;\n new_off += DVB_S2_BB_EIP_CRC32_LEN;\n } else {\n /* start DVB-GSE dissector */\n sub_dissected = dissect_dvb_s2_gse(tvb_new_subset_length(tvb, new_off, bb_data_len), pinfo, tree, NULL);\n new_off += sub_dissected;\n\n if ((sub_dissected <= bb_data_len) && (sub_dissected >= DVB_S2_GSE_MINSIZE)) {\n bb_data_len -= sub_dissected;\n if (bb_data_len < DVB_S2_GSE_MINSIZE)\n bb_data_len = 0;\n } else {\n bb_data_len = 0;\n }\n }\n }\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_df, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n }\n break;\n\n case DVB_S2_BB_TSGS_GENERIC_PACKETIZED:\n proto_tree_add_item(tree, hf_dvb_s2_bb_packetized, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n case DVB_S2_BB_TSGS_TRANSPORT_STREAM:\n proto_tree_add_item(tree, hf_dvb_s2_bb_transport, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n default:\n proto_tree_add_item(tree, hf_dvb_s2_bb_reserved, tvb, new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_reserved);\n break;\n }\n\n return new_off;\n}",
- "project": "wireshark",
- "hash": 330364968381030963517562341505385463003,
- "size": 149,
- "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.",
- "target": 0,
- "dataset": "other",
- "idx": 283344
- },
- {
- "func": "static int dissect_dvb_s2_bb(tvbuff_t *tvb, int cur_off, proto_tree *tree, packet_info *pinfo)\n{\n proto_item *ti;\n proto_tree *dvb_s2_bb_tree;\n\n guint8 input8, matype1;\n guint8 sync_flag = 0;\n guint16 input16, bb_data_len = 0, user_packet_length;\n\n int sub_dissected = 0, flag_is_ms = 0, new_off = 0;\n\n static int * const bb_header_bitfields[] = {\n &hf_dvb_s2_bb_matype1_gs,\n &hf_dvb_s2_bb_matype1_mis,\n &hf_dvb_s2_bb_matype1_acm,\n &hf_dvb_s2_bb_matype1_issyi,\n &hf_dvb_s2_bb_matype1_npd,\n &hf_dvb_s2_bb_matype1_low_ro,\n NULL\n };\n\n col_append_str(pinfo->cinfo, COL_PROTOCOL, \"BB \");\n col_append_str(pinfo->cinfo, COL_INFO, \"Baseband \");\n\n /* create display subtree for the protocol */\n ti = proto_tree_add_item(tree, proto_dvb_s2_bb, tvb, cur_off, DVB_S2_BB_HEADER_LEN, ENC_NA);\n dvb_s2_bb_tree = proto_item_add_subtree(ti, ett_dvb_s2_bb);\n\n matype1 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1);\n new_off += 1;\n\n if (BIT_IS_CLEAR(matype1, DVB_S2_BB_MIS_POS))\n flag_is_ms = 1;\n\n proto_tree_add_bitmask_with_flags(dvb_s2_bb_tree, tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1, hf_dvb_s2_bb_matype1,\n ett_dvb_s2_bb_matype1, bb_header_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n\n input8 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE1);\n\n if ((pinfo->fd->num == 1) && (_use_low_rolloff_value != 0)) {\n _use_low_rolloff_value = 0;\n }\n if (((input8 & 0x03) == 3) && !_use_low_rolloff_value) {\n _use_low_rolloff_value = 1;\n }\n if (_use_low_rolloff_value) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_low_ro, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_matype1_high_ro, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE1, 1, ENC_BIG_ENDIAN);\n }\n\n input8 = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_MATYPE2);\n new_off += 1;\n if (flag_is_ms) {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n cur_off + 
DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"Input Stream Identifier (ISI): %d\",\n input8);\n } else {\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_matype2, tvb,\n cur_off + DVB_S2_BB_OFFS_MATYPE2, 1, input8, \"reserved\");\n }\n\n user_packet_length = input16 = tvb_get_ntohs(tvb, cur_off + DVB_S2_BB_OFFS_UPL);\n new_off += 2;\n\n proto_tree_add_uint_format(dvb_s2_bb_tree, hf_dvb_s2_bb_upl, tvb,\n cur_off + DVB_S2_BB_OFFS_UPL, 2, input16, \"User Packet Length: %d bits (%d bytes)\",\n (guint16) input16, (guint16) input16 / 8);\n\n bb_data_len = input16 = tvb_get_ntohs(tvb, cur_off + DVB_S2_BB_OFFS_DFL);\n bb_data_len /= 8;\n new_off += 2;\n\n proto_tree_add_uint_format_value(dvb_s2_bb_tree, hf_dvb_s2_bb_dfl, tvb,\n cur_off + DVB_S2_BB_OFFS_DFL, 2, input16, \"%d bits (%d bytes)\", input16, input16 / 8);\n\n new_off += 1;\n sync_flag = tvb_get_guint8(tvb, cur_off + DVB_S2_BB_OFFS_SYNC);\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_sync, tvb, cur_off + DVB_S2_BB_OFFS_SYNC, 1, ENC_BIG_ENDIAN);\n\n new_off += 2;\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_syncd, tvb, cur_off + DVB_S2_BB_OFFS_SYNCD, 2, ENC_BIG_ENDIAN);\n\n new_off += 1;\n proto_tree_add_checksum(dvb_s2_bb_tree, tvb, cur_off + DVB_S2_BB_OFFS_CRC, hf_dvb_s2_bb_crc, hf_dvb_s2_bb_crc_status, &ei_dvb_s2_bb_crc, pinfo,\n compute_crc8(tvb, DVB_S2_BB_HEADER_LEN - 1, cur_off), ENC_NA, PROTO_CHECKSUM_VERIFY);\n\n switch (matype1 & DVB_S2_BB_TSGS_MASK) {\n case DVB_S2_BB_TSGS_GENERIC_CONTINUOUS:\n /* Check GSE constraints on the BB header per 9.2.1 of ETSI TS 102 771 */\n if (BIT_IS_SET(matype1, DVB_S2_BB_ISSYI_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_issy_invalid);\n }\n if (BIT_IS_SET(matype1, DVB_S2_BB_NPD_POS)) {\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_npd_invalid);\n }\n if (user_packet_length != 0x0000) {\n expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_upl_invalid,\n \"UPL is 0x%04x. 
It must be 0x0000 for GSE packets.\", user_packet_length);\n }\n\n\n if (dvb_s2_df_dissection) {\n while (bb_data_len) {\n if (sync_flag == DVB_S2_BB_SYNC_EIP_CRC32 && bb_data_len == DVB_S2_BB_EIP_CRC32_LEN) {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_eip_crc32, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n bb_data_len = 0;\n new_off += DVB_S2_BB_EIP_CRC32_LEN;\n } else {\n /* start DVB-GSE dissector */\n sub_dissected = dissect_dvb_s2_gse(tvb, cur_off + new_off, tree, pinfo, bb_data_len);\n new_off += sub_dissected;\n\n if ((sub_dissected <= bb_data_len) && (sub_dissected >= DVB_S2_GSE_MINSIZE)) {\n bb_data_len -= sub_dissected;\n if (bb_data_len < DVB_S2_GSE_MINSIZE)\n bb_data_len = 0;\n } else {\n bb_data_len = 0;\n }\n }\n }\n } else {\n proto_tree_add_item(dvb_s2_bb_tree, hf_dvb_s2_bb_df, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n }\n break;\n\n case DVB_S2_BB_TSGS_GENERIC_PACKETIZED:\n proto_tree_add_item(tree, hf_dvb_s2_bb_packetized, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n case DVB_S2_BB_TSGS_TRANSPORT_STREAM:\n proto_tree_add_item(tree, hf_dvb_s2_bb_transport, tvb, cur_off + new_off, bb_data_len, ENC_NA);\n new_off += bb_data_len;\n break;\n\n default:\n proto_tree_add_item(tree, hf_dvb_s2_bb_reserved, tvb, cur_off + new_off,bb_data_len, ENC_NA);\n new_off += bb_data_len;\n expert_add_info(pinfo, ti, &ei_dvb_s2_bb_reserved);\n break;\n }\n\n return new_off;\n}",
- "project": "wireshark",
- "hash": 292878332668751229125261027041642584721,
- "size": 149,
- "commit_id": "0d8be1fb797b3d65f1c2c204da76af8e8de6d3cc",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.\n\n\n(cherry picked from commit 0137c24d60934f131b25506a88c9464e4dc827de)",
- "target": 0,
- "dataset": "other",
- "idx": 475261
- },
- {
- "func": "dissect_tcpopt_mss(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n proto_item *length_item;\n int offset = 0;\n guint32 mss;\n\n item = proto_tree_add_item(tree, proto_tcp_option_mss, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_option_mss);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_MSS))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item_ret_uint(exp_tree, hf_tcp_option_mss_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN, &mss);\n proto_item_append_text(item, \": %u bytes\", mss);\n tcp_info_append_uint(pinfo, \"MSS\", mss);\n\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 232438216178225219490428027693659376926,
- "size": 23,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385178
- },
- {
- "func": "dissect_tcpopt_echo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_tree *field_tree;\n proto_item *item;\n proto_item *length_item;\n guint32 echo;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto_tcp_option_echo, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(item, ett_tcp_opt_echo);\n\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_ECHO))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item_ret_uint(field_tree, hf_tcp_option_echo, tvb,\n offset + 2, 4, ENC_BIG_ENDIAN, &echo);\n\n proto_item_append_text(item, \": %u\", echo);\n tcp_info_append_uint(pinfo, \"ECHO\", echo);\n\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 90281857778135584085831143555859834102,
- "size": 27,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385182
- },
- {
- "func": "dissect_tcpopt_cc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_tree *field_tree;\n proto_item *item;\n proto_item *length_item;\n int offset = 0;\n guint32 cc;\n\n item = proto_tree_add_item(tree, proto_tcp_option_cc, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(item, ett_tcp_opt_cc);\n\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_CC))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item_ret_uint(field_tree, hf_tcp_option_cc, tvb,\n offset + 2, 4, ENC_BIG_ENDIAN, &cc);\n\n tcp_info_append_uint(pinfo, \"CC\", cc);\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 310857710779264305685913829554533078653,
- "size": 25,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385190
- },
- {
- "func": "dissect_tcpopt_sack_perm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n proto_item *length_item;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto_tcp_option_sack_perm, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_option_sack_perm);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n\n tcp_info_append_uint(pinfo, \"SACK_PERM\", TRUE);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_SACK_PERM))\n return tvb_captured_length(tvb);\n\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 37583654037644651258534690389342268178,
- "size": 20,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385218
- },
- {
- "func": "dissect_tcpopt_user_to(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *tf;\n proto_tree *field_tree;\n proto_item *length_item;\n guint16 to;\n int offset = 0;\n\n tf = proto_tree_add_item(tree, proto_tcp_option_user_to, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(tf, ett_tcp_option_user_to);\n\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_USER_TO))\n return tvb_captured_length(tvb);\n\n proto_tree_add_item(field_tree, hf_tcp_option_user_to_granularity, tvb, offset + 2, 2, ENC_BIG_ENDIAN);\n to = tvb_get_ntohs(tvb, offset + 2) & 0x7FFF;\n proto_tree_add_item(field_tree, hf_tcp_option_user_to_val, tvb, offset + 2, 2, ENC_BIG_ENDIAN);\n\n tcp_info_append_uint(pinfo, \"USER_TO\", to);\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 57629197246312946152418648770168822844,
- "size": 26,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385222
- },
- {
- "func": "dissect_tcpopt_qs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_tree *field_tree;\n proto_item *item;\n proto_item *length_item;\n guint8 rate;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto_tcp_option_qs, tvb, offset, -1, ENC_NA);\n field_tree = proto_item_add_subtree(item, ett_tcp_opt_qs);\n\n proto_tree_add_item(field_tree, hf_tcp_option_kind, tvb,\n offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(field_tree, hf_tcp_option_len, tvb,\n offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), TCPOLEN_QS))\n return tvb_captured_length(tvb);\n\n rate = tvb_get_guint8(tvb, offset + 2) & 0x0f;\n col_append_lstr(pinfo->cinfo, COL_INFO,\n \" QSresp=\", val_to_str_ext_const(rate, &qs_rate_vals_ext, \"Unknown\"),\n COL_ADD_LSTR_TERMINATOR);\n proto_tree_add_item(field_tree, hf_tcp_option_qs_rate, tvb,\n offset + 2, 1, ENC_BIG_ENDIAN);\n proto_tree_add_item(field_tree, hf_tcp_option_qs_ttl_diff, tvb,\n offset + 3, 1, ENC_BIG_ENDIAN);\n\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 102026317412875715497011472030359010166,
- "size": 30,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385229
- },
- {
- "func": "dissect_tcpopt_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n int offset = 0, optlen = tvb_reported_length(tvb);\n\n item = proto_tree_add_item(tree, proto_tcp_option_unknown, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_unknown_opt);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n if (optlen > 2)\n proto_tree_add_item(exp_tree, hf_tcp_option_unknown_payload, tvb, offset + 2, optlen - 2, ENC_NA);\n\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 59727358969455991189456479393865057491,
- "size": 16,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385240
- },
- {
- "func": "dissect_tcpopt_default_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto, int ett)\n{\n proto_item *item;\n proto_tree *exp_tree;\n proto_item *length_item;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett);\n\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n length_item = proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n\n if (!tcp_option_len_check(length_item, pinfo, tvb_reported_length(tvb), 2))\n return tvb_captured_length(tvb);\n\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 238363883239916033955174161570019592520,
- "size": 18,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385244
- },
- {
- "func": "dissect_tcpopt_tfo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)\n{\n proto_item *item;\n proto_tree *exp_tree;\n int offset = 0;\n\n item = proto_tree_add_item(tree, proto_tcp_option_tfo, tvb, offset, -1, ENC_NA);\n exp_tree = proto_item_add_subtree(item, ett_tcp_option_exp);\n proto_tree_add_item(exp_tree, hf_tcp_option_kind, tvb, offset, 1, ENC_BIG_ENDIAN);\n proto_tree_add_item(exp_tree, hf_tcp_option_len, tvb, offset + 1, 1, ENC_BIG_ENDIAN);\n\n dissect_tcpopt_tfo_payload(tvb, offset, tvb_reported_length(tvb), pinfo, exp_tree, data);\n return tvb_captured_length(tvb);\n}",
- "project": "wireshark",
- "hash": 27277478292117465627477490514233762438,
- "size": 14,
- "commit_id": "7f3fe6164a68b76d9988c4253b24d43f498f1753",
- "message": "TCP: do not use an unknown status when the checksum is 0xffff\n\nOtherwise it triggers an assert when adding the column as the field is\ndefined as BASE_NONE and not BASE_DEC or BASE_HEX. Thus an unknown value\n(not in proto_checksum_vals[)array) cannot be represented.\nMark the checksum as bad even if we process the packet.\nCloses #16816\n\nConflicts:\n\tepan/dissectors/packet-tcp.c",
- "target": 0,
- "dataset": "other",
- "idx": 385265
- },
- {
- "func": "static int dissect_dvb_s2_modeadapt(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)\n{\n int cur_off = 0, modeadapt_len, modeadapt_type, matched_headers = 0;\n\n proto_item *ti, *tf;\n proto_tree *dvb_s2_modeadapt_tree;\n proto_tree *dvb_s2_modeadapt_acm_tree;\n\n unsigned int modcod, mc;\n static int * const modeadapt_acm_bitfields[] = {\n &hf_dvb_s2_modeadapt_acm_fecframe,\n &hf_dvb_s2_modeadapt_acm_pilot,\n &hf_dvb_s2_modeadapt_acm_modcod,\n NULL\n };\n\n /* Check that there's enough data */\n if (tvb_captured_length(tvb) < DVB_S2_MODEADAPT_MINSIZE)\n return 0;\n\n /* There are four different mode adaptation formats, with different\n length headers. Two of them have a sync byte at the beginning, but\n the other two do not. In every case, the mode adaptation header is\n followed by the baseband header, which is protected by a CRC-8.\n The CRC-8 is weak protection, so it can match by accident, leading\n to an ambiguity in identifying which format is in use. We will\n check for ambiguity and report it. */\n /* Try L.1 format: no header. 
*/\n if (test_dvb_s2_crc(tvb, DVB_S2_MODEADAPT_L1SIZE)) {\n matched_headers++;\n modeadapt_type = DVB_S2_MODEADAPT_TYPE_L1;\n modeadapt_len = DVB_S2_MODEADAPT_L1SIZE;\n }\n\n /* Try L.2 format: header includes sync byte */\n if ((tvb_get_guint8(tvb, DVB_S2_MODEADAPT_OFFS_SYNCBYTE) == DVB_S2_MODEADAPT_SYNCBYTE) &&\n test_dvb_s2_crc(tvb, DVB_S2_MODEADAPT_L2SIZE)) {\n matched_headers++;\n modeadapt_type = DVB_S2_MODEADAPT_TYPE_L2;\n modeadapt_len = DVB_S2_MODEADAPT_L2SIZE;\n }\n\n /* Try L.3 format: header includes sync byte */\n if ((tvb_get_guint8(tvb, DVB_S2_MODEADAPT_OFFS_SYNCBYTE) == DVB_S2_MODEADAPT_SYNCBYTE) &&\n test_dvb_s2_crc(tvb, DVB_S2_MODEADAPT_L3SIZE)) {\n matched_headers++;\n modeadapt_type = DVB_S2_MODEADAPT_TYPE_L3;\n modeadapt_len = DVB_S2_MODEADAPT_L3SIZE;\n }\n\n /* Try L.4 format: header does not include sync byte */\n if (test_dvb_s2_crc(tvb, DVB_S2_MODEADAPT_L4SIZE)) {\n matched_headers++;\n modeadapt_type = DVB_S2_MODEADAPT_TYPE_L4;\n modeadapt_len = DVB_S2_MODEADAPT_L4SIZE;\n }\n\n if (matched_headers == 0) {\n /* This does not look like a DVB-S2-BB frame at all. We are a\n heuristic dissector, so we should just punt and let another\n dissector have a try at this one. */\n return 0;\n }\n\n col_set_str(pinfo->cinfo, COL_PROTOCOL, \"DVB-S2 \");\n col_set_str(pinfo->cinfo, COL_INFO, \"DVB-S2 \");\n\n /* If there's a mode adaptation header, create display subtree for it */\n if (modeadapt_len > 0) {\n /* ti = proto_tree_add_item(tree, proto_dvb_s2_modeadapt, tvb, 0, modeadapt_len, ENC_NA); */\n ti = proto_tree_add_protocol_format(tree, proto_dvb_s2_modeadapt, tvb, 0, modeadapt_len,\n \"DVB-S2 Mode Adaptation Header L.%d\", modeadapt_type);\n dvb_s2_modeadapt_tree = proto_item_add_subtree(ti, ett_dvb_s2_modeadapt);\n\n if (matched_headers > 1) {\n expert_add_info_format(pinfo, ti, &ei_dvb_s2_bb_header_ambiguous,\n \"Mode adaptation header format is ambiguous. 
Assuming L.%d\", modeadapt_type);\n }\n\n /* SYNC byte if used in this header format; value has already been checked */\n if (modeadapt_type == DVB_S2_MODEADAPT_TYPE_L2 ||\n modeadapt_type == DVB_S2_MODEADAPT_TYPE_L3) {\n proto_tree_add_item(dvb_s2_modeadapt_tree, hf_dvb_s2_modeadapt_sync, tvb, cur_off, 1, ENC_BIG_ENDIAN);\n cur_off++;\n }\n\n /* ACM byte and subfields if used in this header format */\n if (modeadapt_type == DVB_S2_MODEADAPT_TYPE_L2 ||\n modeadapt_type == DVB_S2_MODEADAPT_TYPE_L3 ||\n modeadapt_type == DVB_S2_MODEADAPT_TYPE_L4) {\n mc = tvb_get_guint8(tvb, 1);\n //mc = tvb_get_letohs(tvb, 0);\n if (mc & 0x80) {\n modcod = 0x80;\n modcod |= ((mc & 0x1F) << 2);\n modcod |= ((mc & 0x40) >> 5);\n tf = proto_tree_add_item(dvb_s2_modeadapt_tree, hf_dvb_s2_modeadapt_acm, tvb,\n DVB_S2_MODEADAPT_OFFS_ACMBYTE, 1, ENC_BIG_ENDIAN);\n\n dvb_s2_modeadapt_acm_tree = proto_item_add_subtree(tf, ett_dvb_s2_modeadapt_acm);\n\n proto_tree_add_item(dvb_s2_modeadapt_acm_tree, hf_dvb_s2_modeadapt_acm_pilot, tvb,\n DVB_S2_MODEADAPT_OFFS_ACMBYTE, 1, ENC_BIG_ENDIAN);\n proto_tree_add_uint_format_value(dvb_s2_modeadapt_acm_tree, hf_dvb_s2_modeadapt_acm_modcod_s2x, tvb,\n DVB_S2_MODEADAPT_OFFS_ACMBYTE, 1, mc, \"DVBS2X %s(%d)\", modeadapt_modcods[modcod].strptr, modcod);\n } else {\n proto_tree_add_bitmask_with_flags(dvb_s2_modeadapt_tree, tvb, DVB_S2_MODEADAPT_OFFS_ACMBYTE, hf_dvb_s2_modeadapt_acm,\n ett_dvb_s2_modeadapt_acm, modeadapt_acm_bitfields, ENC_BIG_ENDIAN, BMT_NO_FLAGS);\n }\n cur_off++;\n }\n\n /* CNI and Frame No if used in this header format */\n if (modeadapt_type == DVB_S2_MODEADAPT_TYPE_L3 ||\n modeadapt_type == DVB_S2_MODEADAPT_TYPE_L4) {\n proto_tree_add_item(dvb_s2_modeadapt_tree, hf_dvb_s2_modeadapt_cni, tvb, cur_off, 1, ENC_BIG_ENDIAN);\n cur_off++;\n\n proto_tree_add_item(dvb_s2_modeadapt_tree, hf_dvb_s2_modeadapt_frameno, tvb, cur_off, 1, ENC_BIG_ENDIAN);\n cur_off++;\n }\n }\n\n /* start DVB-BB dissector */\n cur_off += 
dissect_dvb_s2_bb(tvb_new_subset_remaining(tvb, cur_off), pinfo, tree, NULL);\n\n return cur_off;\n}",
- "project": "wireshark",
- "hash": 242884105123716874533443846056283316493,
- "size": 128,
- "commit_id": "0137c24d60934f131b25506a88c9464e4dc827de",
- "message": "DVB-S2-BB: Prevent infinite loop\n\nCommit 4bf4ee88f0544727e7f89f3f288c6afd2f650a4c removed an else\nstatement that broke out of the BBFrame processing loop. Without\nit, infinite loops might be possible if the GSE frames have bit errors\nin the length field.",
- "target": 0,
- "dataset": "other",
- "idx": 283342
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "sm501_2d_engine_write",
- "sm501_2d_operation",
- "get_fb_addr"
- ],
- "group_size": 16,
- "functions": [
- {
- "func": "static inline void hwc_invalidate(SM501State *s, int crt)\n{\n int w = get_width(s, crt);\n int h = get_height(s, crt);\n int bpp = get_bpp(s, crt);\n int start = get_hwc_y(s, crt);\n int end = MIN(h, start + SM501_HWC_HEIGHT) + 1;\n\n start *= w * bpp;\n end *= w * bpp;\n\n memory_region_set_dirty(&s->local_mem_region,\n get_fb_addr(s, crt) + start, end - start);\n}",
- "project": "qemu",
- "hash": 49211853481247619002959759084523246825,
- "size": 14,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367039
- },
- {
- "func": "static void sm501_2d_engine_write(void *opaque, hwaddr addr,\n uint64_t value, unsigned size)\n{\n SM501State *s = (SM501State *)opaque;\n SM501_DPRINTF(\"sm501 2d engine regs : write addr=%x, val=%x\\n\",\n (unsigned)addr, (unsigned)value);\n\n switch (addr) {\n case SM501_2D_SOURCE:\n s->twoD_source = value;\n break;\n case SM501_2D_DESTINATION:\n s->twoD_destination = value;\n break;\n case SM501_2D_DIMENSION:\n s->twoD_dimension = value;\n break;\n case SM501_2D_CONTROL:\n s->twoD_control = value;\n\n /* do 2d operation if start flag is set. */\n if (value & 0x80000000) {\n sm501_2d_operation(s);\n s->twoD_control &= ~0x80000000; /* start flag down */\n }\n\n break;\n case SM501_2D_PITCH:\n s->twoD_pitch = value;\n break;\n case SM501_2D_FOREGROUND:\n s->twoD_foreground = value;\n break;\n case SM501_2D_BACKGROUND:\n s->twoD_background = value;\n break;\n case SM501_2D_STRETCH:\n s->twoD_stretch = value;\n break;\n case SM501_2D_COLOR_COMPARE:\n s->twoD_color_compare = value;\n break;\n case SM501_2D_COLOR_COMPARE_MASK:\n s->twoD_color_compare_mask = value;\n break;\n case SM501_2D_MASK:\n s->twoD_mask = value;\n break;\n case SM501_2D_CLIP_TL:\n s->twoD_clip_tl = value;\n break;\n case SM501_2D_CLIP_BR:\n s->twoD_clip_br = value;\n break;\n case SM501_2D_MONO_PATTERN_LOW:\n s->twoD_mono_pattern_low = value;\n break;\n case SM501_2D_MONO_PATTERN_HIGH:\n s->twoD_mono_pattern_high = value;\n break;\n case SM501_2D_WINDOW_WIDTH:\n s->twoD_window_width = value;\n break;\n case SM501_2D_SOURCE_BASE:\n s->twoD_source_base = value;\n break;\n case SM501_2D_DESTINATION_BASE:\n s->twoD_destination_base = value;\n break;\n case SM501_2D_ALPHA:\n s->twoD_alpha = value;\n break;\n case SM501_2D_WRAP:\n s->twoD_wrap = value;\n break;\n case SM501_2D_STATUS:\n /* ignored, writing 0 should clear interrupt status */\n break;\n default:\n qemu_log_mask(LOG_UNIMP, \"sm501: not implemented 2d engine register \"\n \"write. 
addr=%\" HWADDR_PRIx\n \", val=%\" PRIx64 \"\\n\", addr, value);\n }\n}",
- "project": "qemu",
- "hash": 105892952783258788960856014032481353334,
- "size": 84,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367022
- },
- {
- "func": "static inline uint32_t get_hwc_y(SM501State *state, int crt)\n{\n uint32_t location = crt ? state->dc_crt_hwc_location\n : state->dc_panel_hwc_location;\n return (location & 0x07FF0000) >> 16;\n}",
- "project": "qemu",
- "hash": 160459258730664320496076582458424436667,
- "size": 6,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367041
- },
- {
- "func": "static inline int get_depth_index(DisplaySurface *surface)\n{\n switch (surface_bits_per_pixel(surface)) {\n default:\n case 8:\n return 0;\n case 15:\n return 1;\n case 16:\n return 2;\n case 32:\n if (is_surface_bgr(surface)) {\n return 4;\n } else {\n return 3;\n }\n }\n}",
- "project": "qemu",
- "hash": 297176416044820571830937427545108877922,
- "size": 18,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367043
- },
- {
- "func": "static inline uint32_t get_hwc_x(SM501State *state, int crt)\n{\n uint32_t location = crt ? state->dc_crt_hwc_location\n : state->dc_panel_hwc_location;\n return location & 0x000007FF;\n}",
- "project": "qemu",
- "hash": 315111674068672371369231021285203866338,
- "size": 6,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367032
- },
- {
- "func": "static inline int get_height(SM501State *s, int crt)\n{\n int height = crt ? s->dc_crt_v_total : s->dc_panel_v_total;\n return (height & 0x00000FFF) + 1;\n}",
- "project": "qemu",
- "hash": 314738027251647568342834821331471116979,
- "size": 5,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367042
- },
- {
- "func": "static inline int is_hwc_enabled(SM501State *state, int crt)\n{\n uint32_t addr = crt ? state->dc_crt_hwc_addr : state->dc_panel_hwc_addr;\n return addr & SM501_HWC_EN;\n}",
- "project": "qemu",
- "hash": 52911544485249073061907614747222957354,
- "size": 5,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367044
- },
- {
- "func": "static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,\n uint64_t value, unsigned size)\n{\n SM501State *s = (SM501State *)opaque;\n SM501_DPRINTF(\"sm501 disp ctrl regs : write addr=%x, val=%x\\n\",\n (unsigned)addr, (unsigned)value);\n\n switch (addr) {\n case SM501_DC_PANEL_CONTROL:\n s->dc_panel_control = value & 0x0FFF73FF;\n break;\n case SM501_DC_PANEL_PANNING_CONTROL:\n s->dc_panel_panning_control = value & 0xFF3FFF3F;\n break;\n case SM501_DC_PANEL_COLOR_KEY:\n /* Not implemented yet */\n break;\n case SM501_DC_PANEL_FB_ADDR:\n s->dc_panel_fb_addr = value & 0x8FFFFFF0;\n if (value & 0x8000000) {\n qemu_log_mask(LOG_UNIMP, \"Panel external memory not supported\\n\");\n }\n s->do_full_update = true;\n break;\n case SM501_DC_PANEL_FB_OFFSET:\n s->dc_panel_fb_offset = value & 0x3FF03FF0;\n break;\n case SM501_DC_PANEL_FB_WIDTH:\n s->dc_panel_fb_width = value & 0x0FFF0FFF;\n break;\n case SM501_DC_PANEL_FB_HEIGHT:\n s->dc_panel_fb_height = value & 0x0FFF0FFF;\n break;\n case SM501_DC_PANEL_TL_LOC:\n s->dc_panel_tl_location = value & 0x07FF07FF;\n break;\n case SM501_DC_PANEL_BR_LOC:\n s->dc_panel_br_location = value & 0x07FF07FF;\n break;\n\n case SM501_DC_PANEL_H_TOT:\n s->dc_panel_h_total = value & 0x0FFF0FFF;\n break;\n case SM501_DC_PANEL_H_SYNC:\n s->dc_panel_h_sync = value & 0x00FF0FFF;\n break;\n case SM501_DC_PANEL_V_TOT:\n s->dc_panel_v_total = value & 0x0FFF0FFF;\n break;\n case SM501_DC_PANEL_V_SYNC:\n s->dc_panel_v_sync = value & 0x003F0FFF;\n break;\n\n case SM501_DC_PANEL_HWC_ADDR:\n value &= 0x8FFFFFF0;\n if (value != s->dc_panel_hwc_addr) {\n hwc_invalidate(s, 0);\n s->dc_panel_hwc_addr = value;\n }\n break;\n case SM501_DC_PANEL_HWC_LOC:\n value &= 0x0FFF0FFF;\n if (value != s->dc_panel_hwc_location) {\n hwc_invalidate(s, 0);\n s->dc_panel_hwc_location = value;\n }\n break;\n case SM501_DC_PANEL_HWC_COLOR_1_2:\n s->dc_panel_hwc_color_1_2 = value;\n break;\n case SM501_DC_PANEL_HWC_COLOR_3:\n s->dc_panel_hwc_color_3 = value & 
0x0000FFFF;\n break;\n\n case SM501_DC_VIDEO_CONTROL:\n s->dc_video_control = value & 0x00037FFF;\n break;\n\n case SM501_DC_CRT_CONTROL:\n s->dc_crt_control = value & 0x0003FFFF;\n break;\n case SM501_DC_CRT_FB_ADDR:\n s->dc_crt_fb_addr = value & 0x8FFFFFF0;\n if (value & 0x8000000) {\n qemu_log_mask(LOG_UNIMP, \"CRT external memory not supported\\n\");\n }\n s->do_full_update = true;\n break;\n case SM501_DC_CRT_FB_OFFSET:\n s->dc_crt_fb_offset = value & 0x3FF03FF0;\n break;\n case SM501_DC_CRT_H_TOT:\n s->dc_crt_h_total = value & 0x0FFF0FFF;\n break;\n case SM501_DC_CRT_H_SYNC:\n s->dc_crt_h_sync = value & 0x00FF0FFF;\n break;\n case SM501_DC_CRT_V_TOT:\n s->dc_crt_v_total = value & 0x0FFF0FFF;\n break;\n case SM501_DC_CRT_V_SYNC:\n s->dc_crt_v_sync = value & 0x003F0FFF;\n break;\n\n case SM501_DC_CRT_HWC_ADDR:\n value &= 0x8FFFFFF0;\n if (value != s->dc_crt_hwc_addr) {\n hwc_invalidate(s, 1);\n s->dc_crt_hwc_addr = value;\n }\n break;\n case SM501_DC_CRT_HWC_LOC:\n value &= 0x0FFF0FFF;\n if (value != s->dc_crt_hwc_location) {\n hwc_invalidate(s, 1);\n s->dc_crt_hwc_location = value;\n }\n break;\n case SM501_DC_CRT_HWC_COLOR_1_2:\n s->dc_crt_hwc_color_1_2 = value;\n break;\n case SM501_DC_CRT_HWC_COLOR_3:\n s->dc_crt_hwc_color_3 = value & 0x0000FFFF;\n break;\n\n case SM501_DC_PANEL_PALETTE ... SM501_DC_PANEL_PALETTE + 0x400 * 3 - 4:\n sm501_palette_write(opaque, addr - SM501_DC_PANEL_PALETTE, value);\n break;\n\n default:\n qemu_log_mask(LOG_UNIMP, \"sm501: not implemented disp ctrl register \"\n \"write. addr=%\" HWADDR_PRIx\n \", val=%\" PRIx64 \"\\n\", addr, value);\n }\n}",
- "project": "qemu",
- "hash": 76155965093107486801739365570345389669,
- "size": 135,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367051
- },
- {
- "func": "static inline int get_bpp(SM501State *s, int crt)\n{\n int bpp = crt ? s->dc_crt_control : s->dc_panel_control;\n return 1 << (bpp & 3);\n}",
- "project": "qemu",
- "hash": 74150363724103389218376743923423681513,
- "size": 5,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367028
- },
- {
- "func": "static inline int get_width(SM501State *s, int crt)\n{\n int width = crt ? s->dc_crt_h_total : s->dc_panel_h_total;\n return (width & 0x00000FFF) + 1;\n}",
- "project": "qemu",
- "hash": 72598563128143567110701545177639403368,
- "size": 5,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367037
- },
- {
- "func": "static void sm501_palette_write(void *opaque, hwaddr addr,\n uint32_t value)\n{\n SM501State *s = (SM501State *)opaque;\n SM501_DPRINTF(\"sm501 palette write addr=%x, val=%x\\n\",\n (int)addr, value);\n\n /* TODO : consider BYTE/WORD access */\n /* TODO : consider endian */\n\n assert(range_covers_byte(0, 0x400 * 3, addr));\n *(uint32_t *)&s->dc_palette[addr] = value;\n s->do_full_update = true;\n}",
- "project": "qemu",
- "hash": 299348227447027593925553329038089657088,
- "size": 14,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367040
- },
- {
- "func": "static void sm501_update_display(void *opaque)\n{\n SM501State *s = (SM501State *)opaque;\n DisplaySurface *surface = qemu_console_surface(s->con);\n DirtyBitmapSnapshot *snap;\n int y, c_x = 0, c_y = 0;\n int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;\n int width = get_width(s, crt);\n int height = get_height(s, crt);\n int src_bpp = get_bpp(s, crt);\n int dst_bpp = surface_bytes_per_pixel(surface);\n int dst_depth_index = get_depth_index(surface);\n draw_line_func *draw_line = NULL;\n draw_hwc_line_func *draw_hwc_line = NULL;\n int full_update = 0;\n int y_start = -1;\n ram_addr_t offset;\n uint32_t *palette;\n uint8_t hwc_palette[3 * 3];\n uint8_t *hwc_src = NULL;\n\n if (!((crt ? s->dc_crt_control : s->dc_panel_control)\n & SM501_DC_CRT_CONTROL_ENABLE)) {\n return;\n }\n\n palette = (uint32_t *)(crt ? &s->dc_palette[SM501_DC_CRT_PALETTE -\n SM501_DC_PANEL_PALETTE]\n : &s->dc_palette[0]);\n\n /* choose draw_line function */\n switch (src_bpp) {\n case 1:\n draw_line = draw_line8_funcs[dst_depth_index];\n break;\n case 2:\n draw_line = draw_line16_funcs[dst_depth_index];\n break;\n case 4:\n draw_line = draw_line32_funcs[dst_depth_index];\n break;\n default:\n qemu_log_mask(LOG_GUEST_ERROR, \"sm501: update display\"\n \"invalid control register value.\\n\");\n return;\n }\n\n /* set up to draw hardware cursor */\n if (is_hwc_enabled(s, crt)) {\n /* choose cursor draw line function */\n draw_hwc_line = draw_hwc_line_funcs[dst_depth_index];\n hwc_src = get_hwc_address(s, crt);\n c_x = get_hwc_x(s, crt);\n c_y = get_hwc_y(s, crt);\n get_hwc_palette(s, crt, hwc_palette);\n }\n\n /* adjust console size */\n if (s->last_width != width || s->last_height != height) {\n qemu_console_resize(s->con, width, height);\n surface = qemu_console_surface(s->con);\n s->last_width = width;\n s->last_height = height;\n full_update = 1;\n }\n\n /* someone else requested a full update */\n if (s->do_full_update) {\n s->do_full_update = false;\n full_update 
= 1;\n }\n\n /* draw each line according to conditions */\n offset = get_fb_addr(s, crt);\n snap = memory_region_snapshot_and_clear_dirty(&s->local_mem_region,\n offset, width * height * src_bpp, DIRTY_MEMORY_VGA);\n for (y = 0; y < height; y++, offset += width * src_bpp) {\n int update, update_hwc;\n\n /* check if hardware cursor is enabled and we're within its range */\n update_hwc = draw_hwc_line && c_y <= y && y < c_y + SM501_HWC_HEIGHT;\n update = full_update || update_hwc;\n /* check dirty flags for each line */\n update |= memory_region_snapshot_get_dirty(&s->local_mem_region, snap,\n offset, width * src_bpp);\n\n /* draw line and change status */\n if (update) {\n uint8_t *d = surface_data(surface);\n d += y * width * dst_bpp;\n\n /* draw graphics layer */\n draw_line(d, s->local_mem + offset, width, palette);\n\n /* draw hardware cursor */\n if (update_hwc) {\n draw_hwc_line(d, hwc_src, width, hwc_palette, c_x, y - c_y);\n }\n\n if (y_start < 0) {\n y_start = y;\n }\n } else {\n if (y_start >= 0) {\n /* flush to display */\n dpy_gfx_update(s->con, 0, y_start, width, y - y_start);\n y_start = -1;\n }\n }\n }\n g_free(snap);\n\n /* complete flush to display */\n if (y_start >= 0) {\n dpy_gfx_update(s->con, 0, y_start, width, y - y_start);\n }\n}",
- "project": "qemu",
- "hash": 297137882338984229453453035036409106954,
- "size": 117,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367030
- },
- {
- "func": "static void sm501_2d_operation(SM501State *s)\n{\n int cmd = (s->twoD_control >> 16) & 0x1F;\n int rtl = s->twoD_control & BIT(27);\n int format = (s->twoD_stretch >> 20) & 0x3;\n int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */\n /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */\n int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;\n int rop = s->twoD_control & 0xFF;\n int dst_x = (s->twoD_destination >> 16) & 0x01FFF;\n int dst_y = s->twoD_destination & 0xFFFF;\n int width = (s->twoD_dimension >> 16) & 0x1FFF;\n int height = s->twoD_dimension & 0xFFFF;\n uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;\n uint8_t *dst = s->local_mem + dst_base;\n int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;\n int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;\n int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);\n\n if ((s->twoD_stretch >> 16) & 0xF) {\n qemu_log_mask(LOG_UNIMP, \"sm501: only XY addressing is supported.\\n\");\n return;\n }\n\n if (rop_mode == 0) {\n if (rop != 0xcc) {\n /* Anything other than plain copies are not supported */\n qemu_log_mask(LOG_UNIMP, \"sm501: rop3 mode with rop %x is not \"\n \"supported.\\n\", rop);\n }\n } else {\n if (rop2_source_is_pattern && rop != 0x5) {\n /* For pattern source, we support only inverse dest */\n qemu_log_mask(LOG_UNIMP, \"sm501: rop2 source being the pattern and \"\n \"rop %x is not supported.\\n\", rop);\n } else {\n if (rop != 0x5 && rop != 0xc) {\n /* Anything other than plain copies or inverse dest is not\n * supported */\n qemu_log_mask(LOG_UNIMP, \"sm501: rop mode %x is not \"\n \"supported.\\n\", rop);\n }\n }\n }\n\n if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {\n qemu_log_mask(LOG_UNIMP, \"sm501: only local memory is supported.\\n\");\n return;\n }\n\n switch (cmd) {\n case 0x00: /* copy area */\n {\n int src_x = (s->twoD_source >> 16) & 0x01FFF;\n int src_y = 
s->twoD_source & 0xFFFF;\n uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;\n uint8_t *src = s->local_mem + src_base;\n int src_pitch = s->twoD_pitch & 0x1FFF;\n\n#define COPY_AREA(_bpp, _pixel_type, rtl) { \\\n int y, x, index_d, index_s; \\\n for (y = 0; y < height; y++) { \\\n for (x = 0; x < width; x++) { \\\n _pixel_type val; \\\n \\\n if (rtl) { \\\n index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \\\n index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \\\n } else { \\\n index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \\\n index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \\\n } \\\n if (rop_mode == 1 && rop == 5) { \\\n /* Invert dest */ \\\n val = ~*(_pixel_type *)&dst[index_d]; \\\n } else { \\\n val = *(_pixel_type *)&src[index_s]; \\\n } \\\n *(_pixel_type *)&dst[index_d] = val; \\\n } \\\n } \\\n }\n switch (format) {\n case 0:\n COPY_AREA(1, uint8_t, rtl);\n break;\n case 1:\n COPY_AREA(2, uint16_t, rtl);\n break;\n case 2:\n COPY_AREA(4, uint32_t, rtl);\n break;\n }\n break;\n }\n case 0x01: /* fill rectangle */\n {\n uint32_t color = s->twoD_foreground;\n\n#define FILL_RECT(_bpp, _pixel_type) { \\\n int y, x; \\\n for (y = 0; y < height; y++) { \\\n for (x = 0; x < width; x++) { \\\n int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \\\n *(_pixel_type *)&dst[index] = (_pixel_type)color; \\\n } \\\n } \\\n }\n\n switch (format) {\n case 0:\n FILL_RECT(1, uint8_t);\n break;\n case 1:\n color = cpu_to_le16(color);\n FILL_RECT(2, uint16_t);\n break;\n case 2:\n color = cpu_to_le32(color);\n FILL_RECT(4, uint32_t);\n break;\n }\n break;\n }\n default:\n qemu_log_mask(LOG_UNIMP, \"sm501: not implemented 2D operation: %d\\n\",\n cmd);\n return;\n }\n\n if (dst_base >= get_fb_addr(s, crt) &&\n dst_base <= get_fb_addr(s, crt) + fb_len) {\n int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +\n dst_x + width) * (1 << format));\n if (dst_len) {\n memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);\n 
}\n }\n}",
- "project": "qemu",
- "hash": 231921026198244072541449258178431781416,
- "size": 139,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 1,
- "dataset": "other",
- "idx": 204867
- },
- {
- "func": "static void sm501_2d_operation(SM501State *s)\n{\n int cmd = (s->twoD_control >> 16) & 0x1F;\n int rtl = s->twoD_control & BIT(27);\n int format = (s->twoD_stretch >> 20) & 0x3;\n int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */\n /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */\n int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;\n int rop = s->twoD_control & 0xFF;\n unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF;\n unsigned int dst_y = s->twoD_destination & 0xFFFF;\n unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF;\n unsigned int height = s->twoD_dimension & 0xFFFF;\n uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;\n unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;\n int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;\n int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);\n\n if ((s->twoD_stretch >> 16) & 0xF) {\n qemu_log_mask(LOG_UNIMP, \"sm501: only XY addressing is supported.\\n\");\n return;\n }\n\n if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {\n qemu_log_mask(LOG_UNIMP, \"sm501: only local memory is supported.\\n\");\n return;\n }\n\n if (!dst_pitch) {\n qemu_log_mask(LOG_GUEST_ERROR, \"sm501: Zero dest pitch.\\n\");\n return;\n }\n\n if (!width || !height) {\n qemu_log_mask(LOG_GUEST_ERROR, \"sm501: Zero size 2D op.\\n\");\n return;\n }\n\n if (rtl) {\n dst_x -= width - 1;\n dst_y -= height - 1;\n }\n\n if (dst_base >= get_local_mem_size(s) || dst_base +\n (dst_x + width + (dst_y + height) * (dst_pitch + width)) *\n (1 << format) >= get_local_mem_size(s)) {\n qemu_log_mask(LOG_GUEST_ERROR, \"sm501: 2D op dest is outside vram.\\n\");\n return;\n }\n\n switch (cmd) {\n case 0: /* BitBlt */\n {\n unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF;\n unsigned int src_y = s->twoD_source & 0xFFFF;\n uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;\n unsigned int src_pitch = s->twoD_pitch 
& 0x1FFF;\n\n if (!src_pitch) {\n qemu_log_mask(LOG_GUEST_ERROR, \"sm501: Zero src pitch.\\n\");\n return;\n }\n\n if (rtl) {\n src_x -= width - 1;\n src_y -= height - 1;\n }\n\n if (src_base >= get_local_mem_size(s) || src_base +\n (src_x + width + (src_y + height) * (src_pitch + width)) *\n (1 << format) >= get_local_mem_size(s)) {\n qemu_log_mask(LOG_GUEST_ERROR,\n \"sm501: 2D op src is outside vram.\\n\");\n return;\n }\n\n if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) {\n /* Invert dest, is there a way to do this with pixman? */\n unsigned int x, y, i;\n uint8_t *d = s->local_mem + dst_base;\n\n for (y = 0; y < height; y++) {\n i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format);\n for (x = 0; x < width; x++, i += (1 << format)) {\n switch (format) {\n case 0:\n d[i] = ~d[i];\n break;\n case 1:\n *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i];\n break;\n case 2:\n *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i];\n break;\n }\n }\n }\n } else {\n /* Do copy src for unimplemented ops, better than unpainted area */\n if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) ||\n (!rop_mode && rop != 0xcc)) {\n qemu_log_mask(LOG_UNIMP,\n \"sm501: rop%d op %x%s not implemented\\n\",\n (rop_mode ? 
2 : 3), rop,\n (rop2_source_is_pattern ?\n \" with pattern source\" : \"\"));\n }\n /* Check for overlaps, this could be made more exact */\n uint32_t sb, se, db, de;\n sb = src_base + src_x + src_y * (width + src_pitch);\n se = sb + width + height * (width + src_pitch);\n db = dst_base + dst_x + dst_y * (width + dst_pitch);\n de = db + width + height * (width + dst_pitch);\n if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) {\n /* regions may overlap: copy via temporary */\n int llb = width * (1 << format);\n int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t));\n uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) *\n height);\n pixman_blt((uint32_t *)&s->local_mem[src_base], tmp,\n src_pitch * (1 << format) / sizeof(uint32_t),\n tmp_stride, 8 * (1 << format), 8 * (1 << format),\n src_x, src_y, 0, 0, width, height);\n pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base],\n tmp_stride,\n dst_pitch * (1 << format) / sizeof(uint32_t),\n 8 * (1 << format), 8 * (1 << format),\n 0, 0, dst_x, dst_y, width, height);\n g_free(tmp);\n } else {\n pixman_blt((uint32_t *)&s->local_mem[src_base],\n (uint32_t *)&s->local_mem[dst_base],\n src_pitch * (1 << format) / sizeof(uint32_t),\n dst_pitch * (1 << format) / sizeof(uint32_t),\n 8 * (1 << format), 8 * (1 << format),\n src_x, src_y, dst_x, dst_y, width, height);\n }\n }\n break;\n }\n case 1: /* Rectangle Fill */\n {\n uint32_t color = s->twoD_foreground;\n\n if (format == 2) {\n color = cpu_to_le32(color);\n } else if (format == 1) {\n color = cpu_to_le16(color);\n }\n\n pixman_fill((uint32_t *)&s->local_mem[dst_base],\n dst_pitch * (1 << format) / sizeof(uint32_t),\n 8 * (1 << format), dst_x, dst_y, width, height, color);\n break;\n }\n default:\n qemu_log_mask(LOG_UNIMP, \"sm501: not implemented 2D operation: %d\\n\",\n cmd);\n return;\n }\n\n if (dst_base >= get_fb_addr(s, crt) &&\n dst_base <= get_fb_addr(s, crt) + fb_len) {\n int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +\n dst_x + width) * 
(1 << format));\n if (dst_len) {\n memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);\n }\n }\n}",
- "project": "qemu",
- "hash": 193599277263988750788636095730957842514,
- "size": 170,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367048
- },
- {
- "func": "static inline void get_hwc_palette(SM501State *state, int crt, uint8_t *palette)\n{\n int i;\n uint32_t color_reg;\n uint16_t rgb565;\n\n for (i = 0; i < 3; i++) {\n if (i + 1 == 3) {\n color_reg = crt ? state->dc_crt_hwc_color_3\n : state->dc_panel_hwc_color_3;\n } else {\n color_reg = crt ? state->dc_crt_hwc_color_1_2\n : state->dc_panel_hwc_color_1_2;\n }\n\n if (i + 1 == 2) {\n rgb565 = (color_reg >> 16) & 0xFFFF;\n } else {\n rgb565 = color_reg & 0xFFFF;\n }\n palette[i * 3 + 0] = ((rgb565 >> 11) * 527 + 23) >> 6; /* r */\n palette[i * 3 + 1] = (((rgb565 >> 5) & 0x3f) * 259 + 33) >> 6; /* g */\n palette[i * 3 + 2] = ((rgb565 & 0x1f) * 527 + 23) >> 6; /* b */\n }\n}",
- "project": "qemu",
- "hash": 234605290825547818258321512605029953833,
- "size": 25,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367033
- },
- {
- "func": "static ram_addr_t get_fb_addr(SM501State *s, int crt)\n{\n return (crt ? s->dc_crt_fb_addr : s->dc_panel_fb_addr) & 0x3FFFFF0;\n}",
- "project": "qemu",
- "hash": 65919623857096050051872707777007043422,
- "size": 4,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367046
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "Item_date_literal_for_invalid_dates",
- "Item_date_literal",
- "Item_temporal_literal"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": " Item_date_literal_for_invalid_dates(THD *thd, MYSQL_TIME *ltime)\n :Item_date_literal(thd, ltime) { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 229380278239657614383198296314294260978,
- "size": 2,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 508998
- },
- {
- "func": " Item_temporal_literal(THD *thd, MYSQL_TIME *ltime): Item_basic_constant(thd)\n {\n collation.set(&my_charset_numeric, DERIVATION_NUMERIC, MY_REPERTOIRE_ASCII);\n decimals= 0;\n cached_time= *ltime;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 333902726742250299444990778797733486790,
- "size": 6,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 508961
- },
- {
- "func": " Item_datetime_literal(THD *thd, MYSQL_TIME *ltime, uint dec_arg):\n Item_temporal_literal(thd, ltime, dec_arg)\n {\n max_length= MAX_DATETIME_WIDTH + (decimals ? decimals + 1 : 0);\n fixed= 1;\n // See the comment on maybe_null in Item_date_literal\n maybe_null= !ltime->month || !ltime->day;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 128106558223069508848112850381952981028,
- "size": 8,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509119
- },
- {
- "func": " Item_time_literal(THD *thd, MYSQL_TIME *ltime, uint dec_arg):\n Item_temporal_literal(thd, ltime, dec_arg)\n {\n max_length= MIN_TIME_WIDTH + (decimals ? decimals + 1 : 0);\n fixed= 1;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 109292535260091574556332471936288918796,
- "size": 6,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509153
- },
- {
- "func": " Item_date_literal(THD *thd, MYSQL_TIME *ltime)\n :Item_temporal_literal(thd, ltime)\n {\n max_length= MAX_DATE_WIDTH;\n fixed= 1;\n /*\n If date has zero month or day, it can return NULL in case of\n NO_ZERO_DATE or NO_ZERO_IN_DATE.\n We can't just check the current sql_mode here in constructor,\n because sql_mode can change in case of prepared statements\n between PREPARE and EXECUTE.\n */\n maybe_null= !ltime->month || !ltime->day;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 282667106903706339638738501080787819043,
- "size": 14,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 508935
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "find_impl",
- "xmlXPathEval",
- "xmlXPathEvalExpr",
- "xmlXPathOptimizeExpression"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": " */\nxmlXPathObjectPtr\nxmlXPathEval(const xmlChar *str, xmlXPathContextPtr ctx) {\n xmlXPathParserContextPtr ctxt;\n xmlXPathObjectPtr res;\n\n CHECK_CTXT(ctx)\n\n xmlXPathInit();\n\n ctxt = xmlXPathNewParserContext(str, ctx);\n if (ctxt == NULL)\n return NULL;\n xmlXPathEvalExpr(ctxt);\n\n if (ctxt->error != XPATH_EXPRESSION_OK) {\n\tres = NULL;\n } else {\n\tres = valuePop(ctxt);\n if (res == NULL) {\n xmlGenericError(xmlGenericErrorContext,\n \"xmlXPathCompiledEval: No result on the stack.\\n\");\n } else if (ctxt->valueNr > 0) {\n xmlGenericError(xmlGenericErrorContext,\n \"xmlXPathCompiledEval: %d object(s) left on the stack.\\n\",\n ctxt->valueNr);\n }\n }\n\n xmlXPathFreeParserContext(ctxt);",
- "project": "libxml2",
- "hash": 15397346949911455492662650263481010792,
- "size": 30,
- "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73",
- "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.",
- "target": 0,
- "dataset": "other",
- "idx": 385350
- },
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 1,
- "func": "static XMLSharedNodeList* find_impl(xmlXPathContext* ctxt, const string& xpath)\n{\n\txmlXPathObject* result = xmlXPathEval((const xmlChar*)xpath.c_str(), ctxt);\n\n\tif (!result) {\n\t\txmlXPathFreeContext(ctxt);\n\t\txmlFreeDoc(ctxt->doc);\n\n\t\tthrow XMLException(\"Invalid XPath: \" + xpath);\n\t}\n\n\tif (result->type != XPATH_NODESET) {\n\t\txmlXPathFreeObject(result);\n\t\txmlXPathFreeContext(ctxt);\n\t\txmlFreeDoc(ctxt->doc);\n\n\t\tthrow XMLException(\"Only nodeset result types are supported.\");\n\t}\n\n\txmlNodeSet* nodeset = result->nodesetval;\n\tXMLSharedNodeList* nodes = new XMLSharedNodeList();\n\tif (nodeset) {\n\t\tfor (int i = 0; i < nodeset->nodeNr; ++i) {\n\t\t\tXMLNode* node = readnode(nodeset->nodeTab[i]);\n\t\t\tnodes->push_back(boost::shared_ptr<XMLNode>(node));\n\t\t}\n\t} else {\n\t\t// return empty set\n\t}\n\n\txmlXPathFreeObject(result);\n\n\treturn nodes;\n}",
- "idx": 217254,
- "cwe": "CWE-416",
- "hash": 54268186819182218721269174810414224706,
- "dataset": "other"
- },
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 0,
- "func": "static XMLSharedNodeList* find_impl(xmlXPathContext* ctxt, const string& xpath)\n{\n\txmlXPathObject* result = xmlXPathEval((const xmlChar*)xpath.c_str(), ctxt);\n\n\tif (!result) {\n\t\txmlFreeDoc(ctxt->doc);\n\t\txmlXPathFreeContext(ctxt);\n\n\t\tthrow XMLException(\"Invalid XPath: \" + xpath);\n\t}\n\n\tif (result->type != XPATH_NODESET) {\n\t\txmlXPathFreeObject(result);\n\t\txmlFreeDoc(ctxt->doc);\n\t\txmlXPathFreeContext(ctxt);\n\n\t\tthrow XMLException(\"Only nodeset result types are supported.\");\n\t}\n\n\txmlNodeSet* nodeset = result->nodesetval;\n\tXMLSharedNodeList* nodes = new XMLSharedNodeList();\n\tif (nodeset) {\n\t\tfor (int i = 0; i < nodeset->nodeNr; ++i) {\n\t\t\tXMLNode* node = readnode(nodeset->nodeTab[i]);\n\t\t\tnodes->push_back(boost::shared_ptr<XMLNode>(node));\n\t\t}\n\t} else {\n\t\t// return empty set\n\t}\n\n\txmlXPathFreeObject(result);\n\n\treturn nodes;\n}",
- "idx": 519644,
- "cwe": "CWE-416",
- "hash": 16148318620035569612064845448555816656,
- "dataset": "other"
- },
- {
- "func": "\nstatic void\nxmlXPathOptimizeExpression(xmlXPathCompExprPtr comp, xmlXPathStepOpPtr op)\n{\n /*\n * Try to rewrite \"descendant-or-self::node()/foo\" to an optimized\n * internal representation.\n */\n\n if ((op->op == XPATH_OP_COLLECT /* 11 */) &&\n (op->ch1 != -1) &&\n (op->ch2 == -1 /* no predicate */))\n {\n xmlXPathStepOpPtr prevop = &comp->steps[op->ch1];\n\n if ((prevop->op == XPATH_OP_COLLECT /* 11 */) &&\n ((xmlXPathAxisVal) prevop->value ==\n AXIS_DESCENDANT_OR_SELF) &&\n (prevop->ch2 == -1) &&\n ((xmlXPathTestVal) prevop->value2 == NODE_TEST_TYPE) &&\n ((xmlXPathTypeVal) prevop->value3 == NODE_TYPE_NODE))\n {\n /*\n * This is a \"descendant-or-self::node()\" without predicates.\n * Try to eliminate it.\n */\n\n switch ((xmlXPathAxisVal) op->value) {\n case AXIS_CHILD:\n case AXIS_DESCENDANT:\n /*\n * Convert \"descendant-or-self::node()/child::\" or\n * \"descendant-or-self::node()/descendant::\" to\n * \"descendant::\"\n */\n op->ch1 = prevop->ch1;\n op->value = AXIS_DESCENDANT;\n break;\n case AXIS_SELF:\n case AXIS_DESCENDANT_OR_SELF:\n /*\n * Convert \"descendant-or-self::node()/self::\" or\n * \"descendant-or-self::node()/descendant-or-self::\" to\n * to \"descendant-or-self::\"\n */\n op->ch1 = prevop->ch1;\n op->value = AXIS_DESCENDANT_OR_SELF;\n break;\n default:\n break;\n }\n\t}\n }\n\n /* OP_VALUE has invalid ch1. */\n if (op->op == XPATH_OP_VALUE)\n return;\n\n /* Recurse */\n if (op->ch1 != -1)\n xmlXPathOptimizeExpression(comp, &comp->steps[op->ch1]);\n if (op->ch2 != -1)",
- "project": "libxml2",
- "hash": 217837651282250935525823086582739608231,
- "size": 62,
- "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73",
- "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.",
- "target": 0,
- "dataset": "other",
- "idx": 385372
- },
- {
- "func": " */\nstatic int\nxmlXPathCompiledEvalInternal(xmlXPathCompExprPtr comp,\n\t\t\t xmlXPathContextPtr ctxt,\n\t\t\t xmlXPathObjectPtr *resObjPtr,\n\t\t\t int toBool)\n{\n xmlXPathParserContextPtr pctxt;\n xmlXPathObjectPtr resObj;\n#ifndef LIBXML_THREAD_ENABLED\n static int reentance = 0;\n#endif\n int res;\n\n CHECK_CTXT_NEG(ctxt)\n\n if (comp == NULL)\n\treturn(-1);\n xmlXPathInit();\n\n#ifndef LIBXML_THREAD_ENABLED\n reentance++;\n if (reentance > 1)\n\txmlXPathDisableOptimizer = 1;\n#endif\n\n#ifdef DEBUG_EVAL_COUNTS\n comp->nb++;\n if ((comp->string != NULL) && (comp->nb > 100)) {\n\tfprintf(stderr, \"100 x %s\\n\", comp->string);\n\tcomp->nb = 0;\n }\n#endif\n pctxt = xmlXPathCompParserContext(comp, ctxt);\n res = xmlXPathRunEval(pctxt, toBool);\n\n if (pctxt->error != XPATH_EXPRESSION_OK) {\n resObj = NULL;\n } else {\n resObj = valuePop(pctxt);\n if (resObj == NULL) {\n if (!toBool)\n xmlGenericError(xmlGenericErrorContext,\n \"xmlXPathCompiledEval: No result on the stack.\\n\");\n } else if (pctxt->valueNr > 0) {\n xmlGenericError(xmlGenericErrorContext,\n \"xmlXPathCompiledEval: %d object(s) left on the stack.\\n\",\n pctxt->valueNr);\n }\n }\n\n if (resObjPtr)\n *resObjPtr = resObj;\n else\n xmlXPathReleaseObject(ctxt, resObj);\n\n pctxt->comp = NULL;\n xmlXPathFreeParserContext(pctxt);\n#ifndef LIBXML_THREAD_ENABLED\n reentance--;\n#endif\n",
- "project": "libxml2",
- "hash": 23977613311806536704883727357632897099,
- "size": 62,
- "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73",
- "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.",
- "target": 0,
- "dataset": "other",
- "idx": 385366
- },
- {
- "func": " */\nxmlXPathCompExprPtr\nxmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {\n xmlXPathParserContextPtr pctxt;\n xmlXPathCompExprPtr comp;\n\n#ifdef XPATH_STREAMING\n comp = xmlXPathTryStreamCompile(ctxt, str);\n if (comp != NULL)\n return(comp);\n#endif\n\n xmlXPathInit();\n\n pctxt = xmlXPathNewParserContext(str, ctxt);\n if (pctxt == NULL)\n return NULL;\n xmlXPathCompileExpr(pctxt, 1);\n\n if( pctxt->error != XPATH_EXPRESSION_OK )\n {\n xmlXPathFreeParserContext(pctxt);\n return(NULL);\n }\n\n if (*pctxt->cur != 0) {\n\t/*\n\t * aleksey: in some cases this line prints *second* error message\n\t * (see bug #78858) and probably this should be fixed.\n\t * However, we are not sure that all error messages are printed\n\t * out in other places. It's not critical so we leave it as-is for now\n\t */\n\txmlXPatherror(pctxt, __FILE__, __LINE__, XPATH_EXPR_ERROR);\n\tcomp = NULL;\n } else {\n\tcomp = pctxt->comp;\n\tpctxt->comp = NULL;\n }\n xmlXPathFreeParserContext(pctxt);\n\n if (comp != NULL) {\n\tcomp->expr = xmlStrdup(str);\n#ifdef DEBUG_EVAL_COUNTS\n\tcomp->string = xmlStrdup(str);\n\tcomp->nb = 0;\n#endif\n\tif ((comp->nbStep > 1) && (comp->last >= 0)) {\n\t xmlXPathOptimizeExpression(comp, &comp->steps[comp->last]);\n\t}\n }",
- "project": "libxml2",
- "hash": 146219488063183863687061976661089820292,
- "size": 50,
- "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73",
- "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.",
- "target": 0,
- "dataset": "other",
- "idx": 385358
- },
- {
- "func": " */\nvoid\nxmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {\n#ifdef XPATH_STREAMING\n xmlXPathCompExprPtr comp;\n#endif\n\n if (ctxt == NULL) return;\n\n#ifdef XPATH_STREAMING\n comp = xmlXPathTryStreamCompile(ctxt->context, ctxt->base);\n if (comp != NULL) {\n if (ctxt->comp != NULL)\n\t xmlXPathFreeCompExpr(ctxt->comp);\n ctxt->comp = comp;\n } else\n#endif\n {\n\txmlXPathCompileExpr(ctxt, 1);\n CHECK_ERROR;\n\n /* Check for trailing characters. */\n if (*ctxt->cur != 0)\n XP_ERROR(XPATH_EXPR_ERROR);\n\n\tif ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0))\n\t xmlXPathOptimizeExpression(ctxt->comp,\n\t\t&ctxt->comp->steps[ctxt->comp->last]);\n }\n",
- "project": "libxml2",
- "hash": 61204497316746030956175928442524571737,
- "size": 30,
- "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73",
- "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.",
- "target": 0,
- "dataset": "other",
- "idx": 385322
- },
- {
- "func": " */\nvoid\nxmlXPathFreeParserContext(xmlXPathParserContextPtr ctxt) {\n int i;\n\n if (ctxt->valueTab != NULL) {\n for (i = 0; i < ctxt->valueNr; i++) {\n if (ctxt->context)\n xmlXPathReleaseObject(ctxt->context, ctxt->valueTab[i]);\n else\n xmlXPathFreeObject(ctxt->valueTab[i]);\n }\n xmlFree(ctxt->valueTab);\n }\n if (ctxt->comp != NULL) {\n#ifdef XPATH_STREAMING\n\tif (ctxt->comp->stream != NULL) {\n\t xmlFreePatternList(ctxt->comp->stream);\n\t ctxt->comp->stream = NULL;\n\t}\n#endif\n\txmlXPathFreeCompExpr(ctxt->comp);\n }",
- "project": "libxml2",
- "hash": 313070256777369079216055804346982777932,
- "size": 23,
- "commit_id": "0f3b843b3534784ef57a4f9b874238aa1fda5a73",
- "message": "Fix XPath stack frame logic\n\nMove the calls to xmlXPathSetFrame and xmlXPathPopFrame around in\nxmlXPathCompOpEvalPositionalPredicate to make sure that the context\nobject on the stack is actually protected. Otherwise, memory corruption\ncan occur when calling sloppily coded XPath extension functions.\n\nFixes bug 783160.",
- "target": 0,
- "dataset": "other",
- "idx": 385368
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "random_big_prime",
- "is_probably_prime",
- "MR_primality_test",
- "ModularPower"
- ],
- "group_size": 6,
- "functions": [
- {
- "project": "serenity",
- "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1",
- "target": 0,
- "func": "UnsignedBigInteger random_number(const UnsignedBigInteger& min, const UnsignedBigInteger& max_excluded)\n{\n ASSERT(min < max_excluded);\n auto range = max_excluded.minus(min);\n UnsignedBigInteger base;\n auto size = range.trimmed_length() * sizeof(u32) + 2;\n // \"+2\" is intentional (see below).\n // Also, if we're about to crash anyway, at least produce a nice error:\n ASSERT(size < 8 * MiB);\n u8 buf[size];\n AK::fill_with_random(buf, size);\n UnsignedBigInteger random { buf, size };\n // At this point, `random` is a large number, in the range [0, 256^size).\n // To get down to the actual range, we could just compute random % range.\n // This introduces \"modulo bias\". However, since we added 2 to `size`,\n // we know that the generated range is at least 65536 times as large as the\n // required range! This means that the modulo bias is only 0.0015%, if all\n // inputs are chosen adversarially. Let's hope this is good enough.\n auto divmod = random.divided_by(range);\n // The proper way to fix this is to restart if `divmod.quotient` is maximal.\n return divmod.remainder.plus(min);\n}",
- "idx": 519158,
- "cwe": "CWE-120",
- "hash": 318674707994639862887917054544112435500,
- "dataset": "other"
- },
- {
- "project": "serenity",
- "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1",
- "target": 1,
- "func": "static bool MR_primality_test(UnsignedBigInteger n, const Vector<UnsignedBigInteger, 256>& tests)\n{\n // Written using Wikipedia:\n // https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test#Miller%E2%80%93Rabin_test\n ASSERT(!(n < 4));\n auto predecessor = n.minus({ 1 });\n auto d = predecessor;\n size_t r = 0;\n\n {\n auto div_result = d.divided_by(2);\n while (div_result.remainder == 0) {\n d = div_result.quotient;\n div_result = d.divided_by(2);\n ++r;\n }\n }\n if (r == 0) {\n // n - 1 is odd, so n was even. But there is only one even prime:\n return n == 2;\n }\n\n for (auto a : tests) {\n // Technically: ASSERT(2 <= a && a <= n - 2)\n ASSERT(a < n);\n auto x = ModularPower(a, d, n);\n if (x == 1 || x == predecessor)\n continue;\n bool skip_this_witness = false;\n // r − 1 iterations.\n for (size_t i = 0; i < r - 1; ++i) {\n x = ModularPower(x, 2, n);\n if (x == predecessor) {\n skip_this_witness = true;\n break;\n }\n }\n if (skip_this_witness)\n continue;\n return false; // \"composite\"\n }\n\n return true; // \"probably prime\"\n}",
- "idx": 217238,
- "cwe": "CWE-120",
- "hash": 179391134827512981723637669244439395484,
- "dataset": "other"
- },
- {
- "project": "serenity",
- "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1",
- "target": 0,
- "func": "static bool MR_primality_test(UnsignedBigInteger n, const Vector<UnsignedBigInteger, 256>& tests)\n{\n // Written using Wikipedia:\n // https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test#Miller%E2%80%93Rabin_test\n ASSERT(!(n < 4));\n auto predecessor = n.minus({ 1 });\n auto d = predecessor;\n size_t r = 0;\n\n {\n auto div_result = d.divided_by(2);\n while (div_result.remainder == 0) {\n d = div_result.quotient;\n div_result = d.divided_by(2);\n ++r;\n }\n }\n if (r == 0) {\n // n - 1 is odd, so n was even. But there is only one even prime:\n return n == 2;\n }\n\n for (auto& a : tests) {\n // Technically: ASSERT(2 <= a && a <= n - 2)\n ASSERT(a < n);\n auto x = ModularPower(a, d, n);\n if (x == 1 || x == predecessor)\n continue;\n bool skip_this_witness = false;\n // r − 1 iterations.\n for (size_t i = 0; i < r - 1; ++i) {\n x = ModularPower(x, 2, n);\n if (x == predecessor) {\n skip_this_witness = true;\n break;\n }\n }\n if (skip_this_witness)\n continue;\n return false; // \"composite\"\n }\n\n return true; // \"probably prime\"\n}",
- "idx": 519155,
- "cwe": "CWE-120",
- "hash": 295059986924029830016313633716285228943,
- "dataset": "other"
- },
- {
- "project": "serenity",
- "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1",
- "target": 0,
- "func": "bool is_probably_prime(const UnsignedBigInteger& p)\n{\n // Is it a small number?\n if (p < 49) {\n u32 p_value = p.words()[0];\n // Is it a very small prime?\n if (p_value == 2 || p_value == 3 || p_value == 5 || p_value == 7)\n return true;\n // Is it the multiple of a very small prime?\n if (p_value % 2 == 0 || p_value % 3 == 0 || p_value % 5 == 0 || p_value % 7 == 0)\n return false;\n // Then it must be a prime, but not a very small prime, like 37.\n return true;\n }\n\n Vector<UnsignedBigInteger, 256> tests;\n // Make some good initial guesses that are guaranteed to find all primes < 2^64.\n tests.append(UnsignedBigInteger(2));\n tests.append(UnsignedBigInteger(3));\n tests.append(UnsignedBigInteger(5));\n tests.append(UnsignedBigInteger(7));\n tests.append(UnsignedBigInteger(11));\n tests.append(UnsignedBigInteger(13));\n UnsignedBigInteger seventeen { 17 };\n for (size_t i = tests.size(); i < 256; ++i) {\n tests.append(random_number(seventeen, p.minus(2)));\n }\n // Miller-Rabin's \"error\" is 8^-k. In adversarial cases, it's 4^-k.\n // With 200 random numbers, this would mean an error of about 2^-400.\n // So we don't need to worry too much about the quality of the random numbers.\n\n return MR_primality_test(p, tests);\n}",
- "idx": 519157,
- "cwe": "CWE-120",
- "hash": 303144258765638568217567976170648422907,
- "dataset": "other"
- },
- {
- "project": "serenity",
- "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1",
- "target": 0,
- "func": "UnsignedBigInteger random_big_prime(size_t bits)\n{\n ASSERT(bits >= 33);\n UnsignedBigInteger min = UnsignedBigInteger::from_base10(\"6074001000\").shift_left(bits - 33);\n UnsignedBigInteger max = UnsignedBigInteger { 1 }.shift_left(bits).minus(1);\n for (;;) {\n auto p = random_number(min, max);\n if ((p.words()[0] & 1) == 0) {\n // An even number is definitely not a large prime.\n continue;\n }\n if (is_probably_prime(p))\n return p;\n }\n}",
- "idx": 519162,
- "cwe": "CWE-120",
- "hash": 15687903180148109465653092026404669397,
- "dataset": "other"
- },
- {
- "project": "serenity",
- "commit_id": "48fbf6a88d4822a1e5470cf08f29464511bd72c1",
- "target": 0,
- "func": "UnsignedBigInteger ModularPower(const UnsignedBigInteger& b, const UnsignedBigInteger& e, const UnsignedBigInteger& m)\n{\n if (m == 1)\n return 0;\n\n UnsignedBigInteger ep { e };\n UnsignedBigInteger base { b };\n UnsignedBigInteger exp { 1 };\n\n UnsignedBigInteger temp_1;\n UnsignedBigInteger temp_2;\n UnsignedBigInteger temp_3;\n UnsignedBigInteger temp_4;\n UnsignedBigInteger temp_multiply;\n UnsignedBigInteger temp_quotient;\n UnsignedBigInteger temp_remainder;\n\n while (!(ep < 1)) {\n if (ep.words()[0] % 2 == 1) {\n // exp = (exp * base) % m;\n UnsignedBigInteger::multiply_without_allocation(exp, base, temp_1, temp_2, temp_3, temp_4, temp_multiply);\n UnsignedBigInteger::divide_without_allocation(temp_multiply, m, temp_1, temp_2, temp_3, temp_4, temp_quotient, temp_remainder);\n exp.set_to(temp_remainder);\n }\n\n // ep = ep / 2;\n UnsignedBigInteger::divide_u16_without_allocation(ep, 2, temp_quotient, temp_remainder);\n ep.set_to(temp_quotient);\n\n // base = (base * base) % m;\n UnsignedBigInteger::multiply_without_allocation(base, base, temp_1, temp_2, temp_3, temp_4, temp_multiply);\n UnsignedBigInteger::divide_without_allocation(temp_multiply, m, temp_1, temp_2, temp_3, temp_4, temp_quotient, temp_remainder);\n base.set_to(temp_remainder);\n }\n return exp;\n}",
- "idx": 519156,
- "cwe": "CWE-120",
- "hash": 323652663057392381248334462293780609113,
- "dataset": "other"
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "delayed_free_task",
- "free_task",
- "release_task_stack",
- "free_thread_stack"
- ],
- "group_size": 14,
- "functions": [
- {
- "func": "void __weak arch_release_task_struct(struct task_struct *tsk)\n{\n}",
- "project": "linux",
- "hash": 178878164510362685562963763581695892096,
- "size": 3,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293717
- },
- {
- "func": "void free_task(struct task_struct *tsk)\n{\n\tscs_release(tsk);\n\n#ifndef CONFIG_THREAD_INFO_IN_TASK\n\t/*\n\t * The task is finally done with both the stack and thread_info,\n\t * so free both.\n\t */\n\trelease_task_stack(tsk);\n#else\n\t/*\n\t * If the task had a separate stack allocation, it should be gone\n\t * by now.\n\t */\n\tWARN_ON_ONCE(refcount_read(&tsk->stack_refcount) != 0);\n#endif\n\trt_mutex_debug_task_free(tsk);\n\tftrace_graph_exit_task(tsk);\n\tarch_release_task_struct(tsk);\n\tif (tsk->flags & PF_KTHREAD)\n\t\tfree_kthread_struct(tsk);\n\tfree_task_struct(tsk);\n}",
- "project": "linux",
- "hash": 204860648129297551546894762060680524874,
- "size": 24,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293705
- },
- {
- "func": "void put_task_stack(struct task_struct *tsk)\n{\n\tif (refcount_dec_and_test(&tsk->stack_refcount))\n\t\trelease_task_stack(tsk);\n}",
- "project": "linux",
- "hash": 47375553025110082232307730801809545754,
- "size": 5,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293716
- },
- {
- "func": "static inline void free_task_struct(struct task_struct *tsk)\n{\n\tkmem_cache_free(task_struct_cachep, tsk);\n}",
- "project": "linux",
- "hash": 240269885863574603491225126330427503157,
- "size": 4,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293673
- },
- {
- "func": "void __put_task_struct(struct task_struct *tsk)\n{\n\tWARN_ON(!tsk->exit_state);\n\tWARN_ON(refcount_read(&tsk->usage));\n\tWARN_ON(tsk == current);\n\n\tio_uring_free(tsk);\n\tcgroup_free(tsk);\n\ttask_numa_free(tsk, true);\n\tsecurity_task_free(tsk);\n\texit_creds(tsk);\n\tdelayacct_tsk_free(tsk);\n\tput_signal_struct(tsk->signal);\n\n\tif (!profile_handoff_task(tsk))\n\t\tfree_task(tsk);\n}",
- "project": "linux",
- "hash": 219873827166979006101262636184699260463,
- "size": 17,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293664
- },
- {
- "func": "static void mmdrop_async(struct mm_struct *mm)\n{\n\tif (unlikely(atomic_dec_and_test(&mm->mm_count))) {\n\t\tINIT_WORK(&mm->async_put_work, mmdrop_async_fn);\n\t\tschedule_work(&mm->async_put_work);\n\t}\n}",
- "project": "linux",
- "hash": 48640535268283294199782867056893964272,
- "size": 7,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293668
- },
- {
- "func": "static void free_thread_stack(struct task_struct *tsk)\n{\n\tkmem_cache_free(thread_stack_cache, tsk->stack);\n}",
- "project": "linux",
- "hash": 312303175618061311683749964165846341822,
- "size": 4,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293659
- },
- {
- "func": "static inline void free_thread_stack(struct task_struct *tsk)\n{\n#ifdef CONFIG_VMAP_STACK\n\tstruct vm_struct *vm = task_stack_vm_area(tsk);\n\n\tif (vm) {\n\t\tint i;\n\n\t\tfor (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++)\n\t\t\tmemcg_kmem_uncharge_page(vm->pages[i], 0);\n\n\t\tfor (i = 0; i < NR_CACHED_STACKS; i++) {\n\t\t\tif (this_cpu_cmpxchg(cached_stacks[i],\n\t\t\t\t\tNULL, tsk->stack_vm_area) != NULL)\n\t\t\t\tcontinue;\n\n\t\t\treturn;\n\t\t}\n\n\t\tvfree_atomic(tsk->stack);\n\t\treturn;\n\t}\n#endif\n\n\t__free_pages(virt_to_page(tsk->stack), THREAD_SIZE_ORDER);\n}",
- "project": "linux",
- "hash": 237378295918759014443437886979064401756,
- "size": 26,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293694
- },
- {
- "func": "static void release_task_stack(struct task_struct *tsk)\n{\n\tif (WARN_ON(tsk->state != TASK_DEAD))\n\t\treturn; /* Better to leak the stack than to free prematurely */\n\n\taccount_kernel_stack(tsk, -1);\n\tfree_thread_stack(tsk);\n\ttsk->stack = NULL;\n#ifdef CONFIG_VMAP_STACK\n\ttsk->stack_vm_area = NULL;\n#endif\n}",
- "project": "linux",
- "hash": 312699088568944488479292764031952936873,
- "size": 12,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293696
- },
- {
- "func": "static void account_kernel_stack(struct task_struct *tsk, int account)\n{\n\tvoid *stack = task_stack_page(tsk);\n\tstruct vm_struct *vm = task_stack_vm_area(tsk);\n\n\n\t/* All stack pages are in the same node. */\n\tif (vm)\n\t\tmod_lruvec_page_state(vm->pages[0], NR_KERNEL_STACK_KB,\n\t\t\t\t account * (THREAD_SIZE / 1024));\n\telse\n\t\tmod_lruvec_slab_state(stack, NR_KERNEL_STACK_KB,\n\t\t\t\t account * (THREAD_SIZE / 1024));\n}",
- "project": "linux",
- "hash": 257916025676168192754527698101924183339,
- "size": 14,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293686
- },
- {
- "func": "static void __delayed_free_task(struct rcu_head *rhp)\n{\n\tstruct task_struct *tsk = container_of(rhp, struct task_struct, rcu);\n\n\tfree_task(tsk);\n}",
- "project": "linux",
- "hash": 96633240730792133603587881814603945289,
- "size": 6,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293638
- },
- {
- "func": "static __always_inline void delayed_free_task(struct task_struct *tsk)\n{\n\tif (IS_ENABLED(CONFIG_MEMCG))\n\t\tcall_rcu(&tsk->rcu, __delayed_free_task);\n\telse\n\t\tfree_task(tsk);\n}",
- "project": "linux",
- "hash": 246231539372659290208161012985748615737,
- "size": 7,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293672
- },
- {
- "func": "static inline void put_signal_struct(struct signal_struct *sig)\n{\n\tif (refcount_dec_and_test(&sig->sigcnt))\n\t\tfree_signal_struct(sig);\n}",
- "project": "linux",
- "hash": 230873831481255496698657162843354998495,
- "size": 5,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293663
- },
- {
- "func": "static inline void free_signal_struct(struct signal_struct *sig)\n{\n\ttaskstats_tgid_free(sig);\n\tsched_autogroup_exit(sig);\n\t/*\n\t * __mmdrop is not safe to call from softirq context on x86 due to\n\t * pgd_dtor so postpone it to the async context\n\t */\n\tif (sig->oom_mm)\n\t\tmmdrop_async(sig->oom_mm);\n\tkmem_cache_free(signal_cachep, sig);\n}",
- "project": "linux",
- "hash": 63807950727592270091592729976286542850,
- "size": 12,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293658
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "r_str_is_bool",
- "r_str_is_true",
- "r_str_casecmp"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "R_API bool r_str_is_bool(const char *val) {\n\treturn r_str_is_true (val) || r_str_is_false (val);\n}",
- "project": "radare2",
- "hash": 79516922044337113871302780258506301854,
- "size": 3,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269079
- },
- {
- "func": "R_API int r_str_casecmp(const char *s1, const char *s2) {\n#ifdef _MSC_VER\n\treturn stricmp (s1, s2);\n#else\n\treturn strcasecmp (s1, s2);\n#endif\n}",
- "project": "radare2",
- "hash": 329290754416988569277034297149091754333,
- "size": 7,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268839
- },
- {
- "func": "R_API bool r_str_is_true(const char *s) {\n\treturn !r_str_casecmp (\"yes\", s)\n\t\t|| !r_str_casecmp (\"on\", s)\n\t\t|| !r_str_casecmp (\"true\", s)\n\t\t|| !r_str_casecmp (\"1\", s);\n}",
- "project": "radare2",
- "hash": 101725634936234610594664039120782744710,
- "size": 6,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269080
- },
- {
- "func": "R_API bool r_str_is_false(const char *s) {\n\treturn !r_str_casecmp (\"no\", s)\n\t\t|| !r_str_casecmp (\"off\", s)\n\t\t|| !r_str_casecmp (\"false\", s)\n\t\t|| !r_str_casecmp (\"0\", s)\n\t\t|| !*s;\n}",
- "project": "radare2",
- "hash": 13612440070113323045282564977751967500,
- "size": 7,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268895
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "nfs4_proc_create_session",
- "_nfs4_proc_create_session",
- "nfs4_verify_channel_attrs",
- "nfs4_verify_back_channel_attrs"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static int nfs4_verify_channel_attrs(struct nfs41_create_session_args *args,\n\t\t\t\t struct nfs41_create_session_res *res)\n{\n\tint ret;\n\n\tret = nfs4_verify_fore_channel_attrs(args, res);\n\tif (ret)\n\t\treturn ret;\n\treturn nfs4_verify_back_channel_attrs(args, res);\n}",
- "project": "linux",
- "hash": 266510953336912229479592963968256532827,
- "size": 10,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431361
- },
- {
- "func": "static int _nfs4_proc_create_session(struct nfs_client *clp,\n\t\tconst struct cred *cred)\n{\n\tstruct nfs4_session *session = clp->cl_session;\n\tstruct nfs41_create_session_args args = {\n\t\t.client = clp,\n\t\t.clientid = clp->cl_clientid,\n\t\t.seqid = clp->cl_seqid,\n\t\t.cb_program = NFS4_CALLBACK,\n\t};\n\tstruct nfs41_create_session_res res;\n\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_CREATE_SESSION],\n\t\t.rpc_argp = &args,\n\t\t.rpc_resp = &res,\n\t\t.rpc_cred = cred,\n\t};\n\tint status;\n\n\tnfs4_init_channel_attrs(&args, clp->cl_rpcclient);\n\targs.flags = (SESSION4_PERSIST | SESSION4_BACK_CHAN);\n\n\tstatus = rpc_call_sync(session->clp->cl_rpcclient, &msg,\n\t\t\t RPC_TASK_TIMEOUT | RPC_TASK_NO_ROUND_ROBIN);\n\ttrace_nfs4_create_session(clp, status);\n\n\tswitch (status) {\n\tcase -NFS4ERR_STALE_CLIENTID:\n\tcase -NFS4ERR_DELAY:\n\tcase -ETIMEDOUT:\n\tcase -EACCES:\n\tcase -EAGAIN:\n\t\tgoto out;\n\t}\n\n\tclp->cl_seqid++;\n\tif (!status) {\n\t\t/* Verify the session's negotiated channel_attrs values */\n\t\tstatus = nfs4_verify_channel_attrs(&args, &res);\n\t\t/* Increment the clientid slot sequence id */\n\t\tif (status)\n\t\t\tgoto out;\n\t\tnfs4_update_session(session, &res);\n\t}\nout:\n\treturn status;\n}",
- "project": "linux",
- "hash": 133204535520018525969067538801389583522,
- "size": 48,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 430993
- },
- {
- "func": "static int nfs4_verify_fore_channel_attrs(struct nfs41_create_session_args *args,\n\t\tstruct nfs41_create_session_res *res)\n{\n\tstruct nfs4_channel_attrs *sent = &args->fc_attrs;\n\tstruct nfs4_channel_attrs *rcvd = &res->fc_attrs;\n\n\tif (rcvd->max_resp_sz > sent->max_resp_sz)\n\t\treturn -EINVAL;\n\t/*\n\t * Our requested max_ops is the minimum we need; we're not\n\t * prepared to break up compounds into smaller pieces than that.\n\t * So, no point even trying to continue if the server won't\n\t * cooperate:\n\t */\n\tif (rcvd->max_ops < sent->max_ops)\n\t\treturn -EINVAL;\n\tif (rcvd->max_reqs == 0)\n\t\treturn -EINVAL;\n\tif (rcvd->max_reqs > NFS4_MAX_SLOT_TABLE)\n\t\trcvd->max_reqs = NFS4_MAX_SLOT_TABLE;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 38463496589113317805269675468759555652,
- "size": 22,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431035
- },
- {
- "func": "static void nfs4_init_channel_attrs(struct nfs41_create_session_args *args,\n\t\t\t\t struct rpc_clnt *clnt)\n{\n\tunsigned int max_rqst_sz, max_resp_sz;\n\tunsigned int max_bc_payload = rpc_max_bc_payload(clnt);\n\tunsigned int max_bc_slots = rpc_num_bc_slots(clnt);\n\n\tmax_rqst_sz = NFS_MAX_FILE_IO_SIZE + nfs41_maxwrite_overhead;\n\tmax_resp_sz = NFS_MAX_FILE_IO_SIZE + nfs41_maxread_overhead;\n\n\t/* Fore channel attributes */\n\targs->fc_attrs.max_rqst_sz = max_rqst_sz;\n\targs->fc_attrs.max_resp_sz = max_resp_sz;\n\targs->fc_attrs.max_ops = NFS4_MAX_OPS;\n\targs->fc_attrs.max_reqs = max_session_slots;\n\n\tdprintk(\"%s: Fore Channel : max_rqst_sz=%u max_resp_sz=%u \"\n\t\t\"max_ops=%u max_reqs=%u\\n\",\n\t\t__func__,\n\t\targs->fc_attrs.max_rqst_sz, args->fc_attrs.max_resp_sz,\n\t\targs->fc_attrs.max_ops, args->fc_attrs.max_reqs);\n\n\t/* Back channel attributes */\n\targs->bc_attrs.max_rqst_sz = max_bc_payload;\n\targs->bc_attrs.max_resp_sz = max_bc_payload;\n\targs->bc_attrs.max_resp_sz_cached = 0;\n\targs->bc_attrs.max_ops = NFS4_MAX_BACK_CHANNEL_OPS;\n\targs->bc_attrs.max_reqs = max_t(unsigned short, max_session_cb_slots, 1);\n\tif (args->bc_attrs.max_reqs > max_bc_slots)\n\t\targs->bc_attrs.max_reqs = max_bc_slots;\n\n\tdprintk(\"%s: Back Channel : max_rqst_sz=%u max_resp_sz=%u \"\n\t\t\"max_resp_sz_cached=%u max_ops=%u max_reqs=%u\\n\",\n\t\t__func__,\n\t\targs->bc_attrs.max_rqst_sz, args->bc_attrs.max_resp_sz,\n\t\targs->bc_attrs.max_resp_sz_cached, args->bc_attrs.max_ops,\n\t\targs->bc_attrs.max_reqs);\n}",
- "project": "linux",
- "hash": 18210667889500818106398555889191412805,
- "size": 38,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431071
- },
- {
- "func": "static int nfs4_verify_back_channel_attrs(struct nfs41_create_session_args *args,\n\t\tstruct nfs41_create_session_res *res)\n{\n\tstruct nfs4_channel_attrs *sent = &args->bc_attrs;\n\tstruct nfs4_channel_attrs *rcvd = &res->bc_attrs;\n\n\tif (!(res->flags & SESSION4_BACK_CHAN))\n\t\tgoto out;\n\tif (rcvd->max_rqst_sz > sent->max_rqst_sz)\n\t\treturn -EINVAL;\n\tif (rcvd->max_resp_sz < sent->max_resp_sz)\n\t\treturn -EINVAL;\n\tif (rcvd->max_resp_sz_cached > sent->max_resp_sz_cached)\n\t\treturn -EINVAL;\n\tif (rcvd->max_ops > sent->max_ops)\n\t\treturn -EINVAL;\n\tif (rcvd->max_reqs > sent->max_reqs)\n\t\treturn -EINVAL;\nout:\n\treturn 0;\n}",
- "project": "linux",
- "hash": 86134186865172260243225302940714184311,
- "size": 21,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431362
- },
- {
- "func": "int nfs4_proc_create_session(struct nfs_client *clp, const struct cred *cred)\n{\n\tint status;\n\tunsigned *ptr;\n\tstruct nfs4_session *session = clp->cl_session;\n\n\tdprintk(\"--> %s clp=%p session=%p\\n\", __func__, clp, session);\n\n\tstatus = _nfs4_proc_create_session(clp, cred);\n\tif (status)\n\t\tgoto out;\n\n\t/* Init or reset the session slot tables */\n\tstatus = nfs4_setup_session_slot_tables(session);\n\tdprintk(\"slot table setup returned %d\\n\", status);\n\tif (status)\n\t\tgoto out;\n\n\tptr = (unsigned *)&session->sess_id.data[0];\n\tdprintk(\"%s client>seqid %d sessionid %u:%u:%u:%u\\n\", __func__,\n\t\tclp->cl_seqid, ptr[0], ptr[1], ptr[2], ptr[3]);\nout:\n\tdprintk(\"<-- %s\\n\", __func__);\n\treturn status;\n}",
- "project": "linux",
- "hash": 277132752299906564156097443324441133079,
- "size": 25,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431497
- },
- {
- "func": "static void nfs4_update_session(struct nfs4_session *session,\n\t\tstruct nfs41_create_session_res *res)\n{\n\tnfs4_copy_sessionid(&session->sess_id, &res->sessionid);\n\t/* Mark client id and session as being confirmed */\n\tsession->clp->cl_exchange_flags |= EXCHGID4_FLAG_CONFIRMED_R;\n\tset_bit(NFS4_SESSION_ESTABLISHED, &session->session_state);\n\tsession->flags = res->flags;\n\tmemcpy(&session->fc_attrs, &res->fc_attrs, sizeof(session->fc_attrs));\n\tif (res->flags & SESSION4_BACK_CHAN)\n\t\tmemcpy(&session->bc_attrs, &res->bc_attrs,\n\t\t\t\tsizeof(session->bc_attrs));\n}",
- "project": "linux",
- "hash": 74970151861589890047695037603655286360,
- "size": 13,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431408
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "cli_scanxar",
- "xar_get_toc_data_values",
- "xar_get_numeric_from_xml_element"
- ],
- "group_size": 11,
- "functions": [
- {
- "func": "static int xar_cleanup_temp_file(cli_ctx *ctx, int fd, char * tmpname)\n{\n int rc = CL_SUCCESS;\n if (fd > -1)\n close(fd);\n if (tmpname != NULL) {\n if (!ctx->engine->keeptmp) {\n if (cli_unlink(tmpname)) {\n cli_dbgmsg(\"cli_scanxar: error unlinking tmpfile %s\\n\", tmpname); \n rc = CL_EUNLINK;\n }\n }\n free(tmpname);\n }\n return rc;\n}",
- "project": "clamav-devel",
- "hash": 75249852686141599046506092970096971981,
- "size": 16,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390685
- },
- {
- "func": "static void xar_hash_update(void * hash_ctx, void * data, unsigned long size, int hash)\n{\n if (!hash_ctx || !data || !size)\n return;\n\n switch (hash) {\n case XAR_CKSUM_NONE:\n case XAR_CKSUM_OTHER:\n return;\n }\n\n cl_update_hash(hash_ctx, data, size);\n}",
- "project": "clamav-devel",
- "hash": 284001925521670430375654841780794105400,
- "size": 13,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390688
- },
- {
- "func": "static void * xar_hash_init(int hash, void **sc, void **mc)\n{\n if (!sc && !mc)\n return NULL;\n switch (hash) {\n case XAR_CKSUM_SHA1:\n *sc = cl_hash_init(\"sha1\");\n if (!(*sc)) {\n return NULL;\n }\n\n return *sc;\n case XAR_CKSUM_MD5:\n *mc = cl_hash_init(\"md5\");\n if (!(*mc)) {\n return NULL;\n }\n\n return *mc;\n case XAR_CKSUM_OTHER:\n case XAR_CKSUM_NONE:\n default:\n return NULL;\n }\n}",
- "project": "clamav-devel",
- "hash": 178031145895934483930951694005816827087,
- "size": 25,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390692
- },
- {
- "func": "static int xar_hash_check(int hash, const void * result, const void * expected)\n{\n int len;\n\n if (!result || !expected)\n return 1;\n switch (hash) {\n case XAR_CKSUM_SHA1:\n len = SHA1_HASH_SIZE;\n break;\n case XAR_CKSUM_MD5:\n len = CLI_HASH_MD5;\n break;\n case XAR_CKSUM_OTHER:\n case XAR_CKSUM_NONE:\n default:\n return 1;\n }\n return memcmp(result, expected, len);\n}",
- "project": "clamav-devel",
- "hash": 16464750489424958099095161220741826057,
- "size": 20,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 1,
- "dataset": "other",
- "idx": 206998
- },
- {
- "func": "static int xar_hash_check(int hash, const void * result, const void * expected)\n{\n int len;\n\n if (!result || !expected)\n return 1;\n switch (hash) {\n case XAR_CKSUM_SHA1:\n len = CLI_HASHLEN_SHA1;\n break;\n case XAR_CKSUM_MD5:\n len = CLI_HASHLEN_MD5;\n break;\n case XAR_CKSUM_OTHER:\n case XAR_CKSUM_NONE:\n default:\n return 1;\n }\n return memcmp(result, expected, len);\n}",
- "project": "clamav-devel",
- "hash": 298399301874156136344056006861919253944,
- "size": 20,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390690
- },
- {
- "func": "static int xar_get_toc_data_values(xmlTextReaderPtr reader, size_t *length, size_t *offset, size_t *size, int *encoding,\n unsigned char ** a_cksum, int * a_hash, unsigned char ** e_cksum, int * e_hash)\n{\n const xmlChar *name;\n int indata = 0, inea = 0;\n int rc, gotoffset=0, gotlength=0, gotsize=0;\n\n *a_cksum = NULL;\n *a_hash = XAR_CKSUM_NONE;\n *e_cksum = NULL;\n *e_hash = XAR_CKSUM_NONE;\n *encoding = CL_TYPE_ANY;\n\n rc = xmlTextReaderRead(reader);\n while (rc == 1) {\n name = xmlTextReaderConstLocalName(reader);\n if (indata || inea) {\n /* cli_dbgmsg(\"cli_scanxar: xmlTextReaderRead read %s\\n\", name); */\n if (xmlStrEqual(name, (const xmlChar *)\"offset\") && \n xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT) {\n if (CL_SUCCESS == xar_get_numeric_from_xml_element(reader, offset))\n gotoffset=1;\n\n } else if (xmlStrEqual(name, (const xmlChar *)\"length\") &&\n xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT) {\n if (CL_SUCCESS == xar_get_numeric_from_xml_element(reader, length))\n gotlength=1;\n\n } else if (xmlStrEqual(name, (const xmlChar *)\"size\") &&\n xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT) {\n if (CL_SUCCESS == xar_get_numeric_from_xml_element(reader, size))\n gotsize=1;\n\n } else if (xmlStrEqual(name, (const xmlChar *)\"archived-checksum\") &&\n xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT) {\n cli_dbgmsg(\"cli_scanxar: <archived-checksum>:\\n\");\n xar_get_checksum_values(reader, a_cksum, a_hash);\n \n } else if ((xmlStrEqual(name, (const xmlChar *)\"extracted-checksum\") ||\n xmlStrEqual(name, (const xmlChar *)\"unarchived-checksum\")) &&\n xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT) {\n cli_dbgmsg(\"cli_scanxar: <extracted-checksum>:\\n\");\n xar_get_checksum_values(reader, e_cksum, e_hash);\n\n } else if (xmlStrEqual(name, (const xmlChar *)\"encoding\") &&\n xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT) {\n xmlChar * style = 
xmlTextReaderGetAttribute(reader, (const xmlChar *)\"style\");\n if (style == NULL) {\n cli_dbgmsg(\"cli_scaxar: xmlTextReaderGetAttribute no style attribute \"\n \"for encoding element\\n\");\n *encoding = CL_TYPE_ANY;\n } else if (xmlStrEqual(style, (const xmlChar *)\"application/x-gzip\")) {\n cli_dbgmsg(\"cli_scanxar: encoding = application/x-gzip.\\n\");\n *encoding = CL_TYPE_GZ; \n } else if (xmlStrEqual(style, (const xmlChar *)\"application/octet-stream\")) {\n cli_dbgmsg(\"cli_scanxar: encoding = application/octet-stream.\\n\");\n *encoding = CL_TYPE_ANY; \n } else if (xmlStrEqual(style, (const xmlChar *)\"application/x-bzip2\")) {\n cli_dbgmsg(\"cli_scanxar: encoding = application/x-bzip2.\\n\");\n *encoding = CL_TYPE_BZ;\n } else if (xmlStrEqual(style, (const xmlChar *)\"application/x-lzma\")) {\n cli_dbgmsg(\"cli_scanxar: encoding = application/x-lzma.\\n\");\n *encoding = CL_TYPE_7Z;\n } else if (xmlStrEqual(style, (const xmlChar *)\"application/x-xz\")) {\n cli_dbgmsg(\"cli_scanxar: encoding = application/x-xz.\\n\");\n *encoding = CL_TYPE_XZ;\n } else {\n cli_dbgmsg(\"cli_scaxar: unknown style value=%s for encoding element\\n\", style);\n *encoding = CL_TYPE_ANY;\n }\n if (style != NULL)\n xmlFree(style);\n\n } else if (indata && xmlStrEqual(name, (const xmlChar *)\"data\") &&\n xmlTextReaderNodeType(reader) == XML_READER_TYPE_END_ELEMENT) {\n break;\n\n } else if (inea && xmlStrEqual(name, (const xmlChar *)\"ea\") &&\n xmlTextReaderNodeType(reader) == XML_READER_TYPE_END_ELEMENT) {\n break;\n }\n \n } else {\n if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT) {\n if (xmlStrEqual(name, (const xmlChar *)\"data\")) {\n cli_dbgmsg(\"cli_scanxar: xmlTextReaderRead read <data>\\n\");\n indata = 1;\n } else if (xmlStrEqual(name, (const xmlChar *)\"ea\")) {\n cli_dbgmsg(\"cli_scanxar: xmlTextReaderRead read <ea>\\n\");\n inea = 1;\n }\n } else if ((xmlTextReaderNodeType(reader) == XML_READER_TYPE_END_ELEMENT) &&\n xmlStrEqual(name, (const xmlChar 
*)\"xar\")) {\n cli_dbgmsg(\"cli_scanxar: finished parsing xar TOC.\\n\"); \n break;\n }\n }\n rc = xmlTextReaderRead(reader);\n }\n \n if (gotoffset && gotlength && gotsize) {\n rc = CL_SUCCESS;\n }\n else if (0 == gotoffset + gotlength + gotsize)\n rc = CL_BREAK;\n else\n rc = CL_EFORMAT;\n\n return rc;\n}",
- "project": "clamav-devel",
- "hash": 102653424820925841262555234476601874539,
- "size": 110,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390687
- },
- {
- "func": "static int xar_scan_subdocuments(xmlTextReaderPtr reader, cli_ctx *ctx)\n{\n int rc = CL_SUCCESS, subdoc_len, fd;\n xmlChar * subdoc;\n const xmlChar *name;\n char * tmpname;\n\n while (xmlTextReaderRead(reader) == 1) {\n name = xmlTextReaderConstLocalName(reader);\n if (name == NULL) {\n cli_dbgmsg(\"cli_scanxar: xmlTextReaderConstLocalName() no name.\\n\");\n rc = CL_EFORMAT;\n break;\n }\n if (xmlStrEqual(name, (const xmlChar *)\"toc\") && \n xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)\n return CL_SUCCESS;\n if (xmlStrEqual(name, (const xmlChar *)\"subdoc\") && \n xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT) {\n subdoc = xmlTextReaderReadInnerXml(reader);\n if (subdoc == NULL) {\n cli_dbgmsg(\"cli_scanxar: no content in subdoc element.\\n\");\n xmlTextReaderNext(reader);\n continue;\n }\n subdoc_len = xmlStrlen(subdoc);\n cli_dbgmsg(\"cli_scanxar: in-memory scan of xml subdocument, len %i.\\n\", subdoc_len);\n rc = cli_mem_scandesc(subdoc, subdoc_len, ctx);\n if (rc == CL_VIRUS && SCAN_ALL)\n rc = CL_SUCCESS;\n \n /* make a file to leave if --leave-temps in effect */\n if(ctx->engine->keeptmp) {\n if ((rc = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) {\n cli_dbgmsg(\"cli_scanxar: Can't create temporary file for subdocument.\\n\");\n } else {\n cli_dbgmsg(\"cli_scanxar: Writing subdoc to temp file %s.\\n\", tmpname);\n if (cli_writen(fd, subdoc, subdoc_len) < 0) {\n cli_dbgmsg(\"cli_scanxar: cli_writen error writing subdoc temporary file.\\n\");\n rc = CL_EWRITE;\n }\n rc = xar_cleanup_temp_file(ctx, fd, tmpname);\n }\n }\n\n xmlFree(subdoc);\n if (rc != CL_SUCCESS)\n return rc;\n xmlTextReaderNext(reader);\n } \n }\n return rc;\n}",
- "project": "clamav-devel",
- "hash": 3448610867985354337000629770249118702,
- "size": 53,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390693
- },
- {
- "func": "static int xar_get_numeric_from_xml_element(xmlTextReaderPtr reader, size_t * value)\n{\n const xmlChar * numstr;\n ssize_t numval;\n\n if (xmlTextReaderRead(reader) == 1 && xmlTextReaderNodeType(reader) == XML_READER_TYPE_TEXT) {\n numstr = xmlTextReaderConstValue(reader);\n if (numstr) {\n numval = atol((const char *)numstr);\n if (numval < 0) {\n cli_dbgmsg(\"cli_scanxar: XML element value %li\\n\", *value);\n return CL_EFORMAT;\n }\n *value = numval;\n return CL_SUCCESS;\n }\n }\n cli_dbgmsg(\"cli_scanxar: No text for XML element\\n\");\n return CL_EFORMAT;\n}",
- "project": "clamav-devel",
- "hash": 203146065281075354208308568415269831507,
- "size": 20,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390694
- },
- {
- "func": "static void xar_hash_final(void * hash_ctx, void * result, int hash)\n{\n if (!hash_ctx || !result)\n return;\n\n switch (hash) {\n case XAR_CKSUM_OTHER:\n case XAR_CKSUM_NONE:\n return;\n }\n\n cl_finish_hash(hash_ctx, result);\n}",
- "project": "clamav-devel",
- "hash": 211205057933858471625379548920718965896,
- "size": 13,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390689
- },
- {
- "func": "static void xar_get_checksum_values(xmlTextReaderPtr reader, unsigned char ** cksum, int * hash)\n{\n xmlChar * style = xmlTextReaderGetAttribute(reader, (const xmlChar *)\"style\");\n const xmlChar * xmlval;\n\n *hash = XAR_CKSUM_NONE;\n if (style == NULL) {\n cli_dbgmsg(\"cli_scaxar: xmlTextReaderGetAttribute no style attribute \"\n \"for checksum element\\n\");\n } else {\n cli_dbgmsg(\"cli_scanxar: checksum algorithm is %s.\\n\", style); \n if (0 == xmlStrcasecmp(style, (const xmlChar *)\"sha1\")) {\n *hash = XAR_CKSUM_SHA1;\n } else if (0 == xmlStrcasecmp(style, (const xmlChar *)\"md5\")) {\n *hash = XAR_CKSUM_MD5;\n } else {\n cli_dbgmsg(\"cli_scanxar: checksum algorithm %s is unsupported.\\n\", style);\n *hash = XAR_CKSUM_OTHER;\n }\n }\n if (style != NULL)\n xmlFree(style);\n\n if (xmlTextReaderRead(reader) == 1 && xmlTextReaderNodeType(reader) == XML_READER_TYPE_TEXT) {\n xmlval = xmlTextReaderConstValue(reader);\n if (xmlval) {\n cli_dbgmsg(\"cli_scanxar: checksum value is %s.\\n\", xmlval);\n if (*hash == XAR_CKSUM_SHA1 && xmlStrlen(xmlval) == 2 * CLI_HASHLEN_SHA1 ||\n *hash == XAR_CKSUM_MD5 && xmlStrlen(xmlval) == 2 * CLI_HASHLEN_MD5)\n {\n *cksum = xmlStrdup(xmlval); \n } \n else\n {\n cli_dbgmsg(\"cli_scanxar: checksum type is unknown or length is invalid.\\n\");\n *hash = XAR_CKSUM_OTHER;\n *cksum = NULL;\n }\n } else {\n *cksum = NULL;\n cli_dbgmsg(\"cli_scanxar: xmlTextReaderConstValue() returns NULL for checksum value.\\n\"); \n }\n }\n else\n cli_dbgmsg(\"cli_scanxar: No text for XML checksum element.\\n\");\n}",
- "project": "clamav-devel",
- "hash": 12714023224432776650168353506659776513,
- "size": 46,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390691
- },
- {
- "func": "int cli_scanxar(cli_ctx *ctx)\n{\n int rc = CL_SUCCESS;\n unsigned int cksum_fails = 0;\n unsigned int extract_errors = 0;\n#if HAVE_LIBXML2\n int fd = -1;\n struct xar_header hdr;\n fmap_t *map = *ctx->fmap;\n size_t length, offset, size, at;\n int encoding;\n z_stream strm;\n char *toc, *tmpname;\n xmlTextReaderPtr reader = NULL;\n int a_hash, e_hash;\n unsigned char *a_cksum = NULL, *e_cksum = NULL;\n void *a_hash_ctx = NULL, *e_hash_ctx = NULL;\n char result[SHA1_HASH_SIZE];\n\n memset(&strm, 0x00, sizeof(z_stream));\n\n /* retrieve xar header */\n if (fmap_readn(*ctx->fmap, &hdr, 0, sizeof(hdr)) != sizeof(hdr)) {\n cli_dbgmsg(\"cli_scanxar: Invalid header, too short.\\n\");\n return CL_EFORMAT;\n }\n hdr.magic = be32_to_host(hdr.magic);\n\n if (hdr.magic == XAR_HEADER_MAGIC) {\n cli_dbgmsg(\"cli_scanxar: Matched magic\\n\");\n }\n else {\n cli_dbgmsg(\"cli_scanxar: Invalid magic\\n\");\n return CL_EFORMAT;\n }\n hdr.size = be16_to_host(hdr.size);\n hdr.version = be16_to_host(hdr.version);\n hdr.toc_length_compressed = be64_to_host(hdr.toc_length_compressed);\n hdr.toc_length_decompressed = be64_to_host(hdr.toc_length_decompressed);\n hdr.chksum_alg = be32_to_host(hdr.chksum_alg);\n\n /* cli_dbgmsg(\"hdr.magic %x\\n\", hdr.magic); */\n /* cli_dbgmsg(\"hdr.size %i\\n\", hdr.size); */\n /* cli_dbgmsg(\"hdr.version %i\\n\", hdr.version); */\n /* cli_dbgmsg(\"hdr.toc_length_compressed %lu\\n\", hdr.toc_length_compressed); */\n /* cli_dbgmsg(\"hdr.toc_length_decompressed %lu\\n\", hdr.toc_length_decompressed); */\n /* cli_dbgmsg(\"hdr.chksum_alg %i\\n\", hdr.chksum_alg); */\n \n /* Uncompress TOC */\n strm.next_in = (unsigned char *)fmap_need_off_once(*ctx->fmap, hdr.size, hdr.toc_length_compressed);\n if (strm.next_in == NULL) {\n cli_dbgmsg(\"cli_scanxar: fmap_need_off_once fails on TOC.\\n\");\n return CL_EREAD;\n }\n strm.avail_in = hdr.toc_length_compressed; \n toc = cli_malloc(hdr.toc_length_decompressed+1);\n if (toc == NULL) {\n 
cli_dbgmsg(\"cli_scanxar: cli_malloc fails on TOC decompress buffer.\\n\");\n return CL_EMEM;\n }\n toc[hdr.toc_length_decompressed] = '\\0';\n strm.avail_out = hdr.toc_length_decompressed;\n strm.next_out = (unsigned char *)toc;\n rc = inflateInit(&strm);\n if (rc != Z_OK) {\n cli_dbgmsg(\"cli_scanxar:inflateInit error %i \\n\", rc);\n rc = CL_EFORMAT;\n goto exit_toc;\n } \n rc = inflate(&strm, Z_SYNC_FLUSH);\n if (rc != Z_OK && rc != Z_STREAM_END) {\n cli_dbgmsg(\"cli_scanxar:inflate error %i \\n\", rc);\n rc = CL_EFORMAT;\n goto exit_toc;\n }\n rc = inflateEnd(&strm);\n if (rc != Z_OK) {\n cli_dbgmsg(\"cli_scanxar:inflateEnd error %i \\n\", rc);\n rc = CL_EFORMAT;\n goto exit_toc;\n }\n\n if (hdr.toc_length_decompressed != strm.total_out) {\n cli_dbgmsg(\"TOC decompress length %\" PRIu64 \" does not match amount decompressed %lu\\n\",\n hdr.toc_length_decompressed, strm.total_out);\n toc[strm.total_out] = '\\0';\n hdr.toc_length_decompressed = strm.total_out;\n }\n\n /* cli_dbgmsg(\"cli_scanxar: TOC xml:\\n%s\\n\", toc); */\n /* printf(\"cli_scanxar: TOC xml:\\n%s\\n\", toc); */\n /* cli_dbgmsg(\"cli_scanxar: TOC end:\\n\"); */\n /* printf(\"cli_scanxar: TOC end:\\n\"); */\n\n /* scan the xml */\n cli_dbgmsg(\"cli_scanxar: scanning xar TOC xml in memory.\\n\"); \n rc = cli_mem_scandesc(toc, hdr.toc_length_decompressed, ctx);\n if (rc != CL_SUCCESS) {\n if (rc != CL_VIRUS || !SCAN_ALL)\n goto exit_toc; \n }\n\n /* make a file to leave if --leave-temps in effect */\n if(ctx->engine->keeptmp) {\n if ((rc = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) {\n cli_dbgmsg(\"cli_scanxar: Can't create temporary file for TOC.\\n\");\n goto exit_toc;\n }\n if (cli_writen(fd, toc, hdr.toc_length_decompressed) < 0) {\n cli_dbgmsg(\"cli_scanxar: cli_writen error writing TOC.\\n\");\n rc = CL_EWRITE;\n xar_cleanup_temp_file(ctx, fd, tmpname);\n goto exit_toc;\n }\n rc = xar_cleanup_temp_file(ctx, fd, tmpname);\n if (rc != CL_SUCCESS)\n goto exit_toc;\n }\n\n 
reader = xmlReaderForMemory(toc, hdr.toc_length_decompressed, \"noname.xml\", NULL, CLAMAV_MIN_XMLREADER_FLAGS);\n if (reader == NULL) {\n cli_dbgmsg(\"cli_scanxar: xmlReaderForMemory error for TOC\\n\");\n goto exit_toc;\n }\n\n rc = xar_scan_subdocuments(reader, ctx);\n if (rc != CL_SUCCESS) {\n cli_dbgmsg(\"xar_scan_subdocuments returns %i.\\n\", rc);\n goto exit_reader;\n }\n\n /* Walk the TOC XML and extract files */\n fd = -1;\n tmpname = NULL;\n while (CL_SUCCESS == (rc = xar_get_toc_data_values(reader, &length, &offset, &size, &encoding,\n &a_cksum, &a_hash, &e_cksum, &e_hash))) {\n int do_extract_cksum = 1;\n unsigned char * blockp;\n void *a_sc, *e_sc;\n void *a_mc, *e_mc;\n char * expected;\n\n /* clean up temp file from previous loop iteration */\n if (fd > -1 && tmpname) {\n rc = xar_cleanup_temp_file(ctx, fd, tmpname);\n if (rc != CL_SUCCESS)\n goto exit_reader;\n }\n\n at = offset + hdr.toc_length_compressed + hdr.size;\n\n if ((rc = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) {\n cli_dbgmsg(\"cli_scanxar: Can't generate temporary file.\\n\");\n goto exit_reader;\n }\n\n cli_dbgmsg(\"cli_scanxar: decompress into temp file:\\n%s, size %zu,\\n\"\n \"from xar heap offset %zu length %zu\\n\",\n tmpname, size, offset, length);\n\n\n a_hash_ctx = xar_hash_init(a_hash, &a_sc, &a_mc);\n e_hash_ctx = xar_hash_init(e_hash, &e_sc, &e_mc);\n\n switch (encoding) {\n case CL_TYPE_GZ:\n /* inflate gzip directly because file segments do not contain magic */\n memset(&strm, 0, sizeof(strm));\n if ((rc = inflateInit(&strm)) != Z_OK) {\n cli_dbgmsg(\"cli_scanxar: InflateInit failed: %d\\n\", rc);\n rc = CL_EFORMAT;\n extract_errors++;\n break;\n }\n \n while ((size_t)at < map->len && (unsigned long)at < offset+hdr.toc_length_compressed+hdr.size+length) {\n unsigned long avail_in;\n void * next_in;\n unsigned int bytes = MIN(map->len - at, map->pgsz);\n bytes = MIN(length, bytes);\n if(!(strm.next_in = next_in = (void*)fmap_need_off_once(map, at, 
bytes))) {\n cli_dbgmsg(\"cli_scanxar: Can't read %u bytes @ %lu.\\n\", bytes, (long unsigned)at);\n inflateEnd(&strm);\n rc = CL_EREAD;\n goto exit_tmpfile;\n }\n at += bytes;\n strm.avail_in = avail_in = bytes;\n do {\n int inf, outsize = 0;\n unsigned char buff[FILEBUFF];\n strm.avail_out = sizeof(buff);\n strm.next_out = buff;\n inf = inflate(&strm, Z_SYNC_FLUSH);\n if (inf != Z_OK && inf != Z_STREAM_END && inf != Z_BUF_ERROR) {\n cli_dbgmsg(\"cli_scanxar: inflate error %i %s.\\n\", inf, strm.msg?strm.msg:\"\");\n rc = CL_EFORMAT;\n extract_errors++;\n break;\n }\n\n bytes = sizeof(buff) - strm.avail_out;\n\n if (e_hash_ctx != NULL)\n xar_hash_update(e_hash_ctx, buff, bytes, e_hash);\n \n if (cli_writen(fd, buff, bytes) < 0) {\n cli_dbgmsg(\"cli_scanxar: cli_writen error file %s.\\n\", tmpname);\n inflateEnd(&strm);\n rc = CL_EWRITE;\n goto exit_tmpfile;\n }\n outsize += sizeof(buff) - strm.avail_out;\n if (cli_checklimits(\"cli_scanxar\", ctx, outsize, 0, 0) != CL_CLEAN) {\n break;\n }\n if (inf == Z_STREAM_END) {\n break;\n }\n } while (strm.avail_out == 0);\n\n if (rc != CL_SUCCESS)\n break;\n\n avail_in -= strm.avail_in;\n if (a_hash_ctx != NULL)\n xar_hash_update(a_hash_ctx, next_in, avail_in, a_hash);\n }\n\n inflateEnd(&strm);\n break;\n case CL_TYPE_7Z:\n#define CLI_LZMA_OBUF_SIZE 1024*1024\n#define CLI_LZMA_HDR_SIZE LZMA_PROPS_SIZE+8\n#define CLI_LZMA_IBUF_SIZE CLI_LZMA_OBUF_SIZE>>2 /* estimated compression ratio 25% */\n {\n struct CLI_LZMA lz;\n unsigned long in_remaining = MIN(length, map->len - at);\n unsigned long out_size = 0;\n unsigned char * buff = __lzma_wrap_alloc(NULL, CLI_LZMA_OBUF_SIZE);\n int lret;\n\n if (length > in_remaining)\n length = in_remaining;\n\n memset(&lz, 0, sizeof(lz));\n if (buff == NULL) {\n cli_dbgmsg(\"cli_scanxar: memory request for lzma decompression buffer fails.\\n\");\n rc = CL_EMEM;\n goto exit_tmpfile;\n \n }\n\n blockp = (void*)fmap_need_off_once(map, at, CLI_LZMA_HDR_SIZE);\n if (blockp == NULL) {\n char 
errbuff[128];\n cli_strerror(errno, errbuff, sizeof(errbuff));\n cli_dbgmsg(\"cli_scanxar: Can't read %i bytes @ %li, errno:%s.\\n\",\n CLI_LZMA_HDR_SIZE, at, errbuff);\n rc = CL_EREAD;\n __lzma_wrap_free(NULL, buff);\n goto exit_tmpfile;\n }\n\n lz.next_in = blockp;\n lz.avail_in = CLI_LZMA_HDR_SIZE;\n\n if (a_hash_ctx != NULL)\n xar_hash_update(a_hash_ctx, blockp, CLI_LZMA_HDR_SIZE, a_hash);\n\n lret = cli_LzmaInit(&lz, 0);\n if (lret != LZMA_RESULT_OK) {\n cli_dbgmsg(\"cli_scanxar: cli_LzmaInit() fails: %i.\\n\", lret);\n rc = CL_EFORMAT;\n __lzma_wrap_free(NULL, buff);\n extract_errors++;\n break;\n }\n\n at += CLI_LZMA_HDR_SIZE;\n in_remaining -= CLI_LZMA_HDR_SIZE;\n while ((size_t)at < map->len && (unsigned long)at < offset+hdr.toc_length_compressed+hdr.size+length) {\n SizeT avail_in;\n SizeT avail_out;\n void * next_in;\n unsigned long in_consumed;\n\n lz.next_out = buff;\n lz.avail_out = CLI_LZMA_OBUF_SIZE;\n lz.avail_in = avail_in = MIN(CLI_LZMA_IBUF_SIZE, in_remaining);\n lz.next_in = next_in = (void*)fmap_need_off_once(map, at, lz.avail_in);\n if (lz.next_in == NULL) {\n char errbuff[128];\n cli_strerror(errno, errbuff, sizeof(errbuff));\n cli_dbgmsg(\"cli_scanxar: Can't read %li bytes @ %li, errno: %s.\\n\",\n lz.avail_in, at, errbuff);\n rc = CL_EREAD;\n __lzma_wrap_free(NULL, buff);\n cli_LzmaShutdown(&lz);\n goto exit_tmpfile;\n }\n\n lret = cli_LzmaDecode(&lz);\n if (lret != LZMA_RESULT_OK && lret != LZMA_STREAM_END) {\n cli_dbgmsg(\"cli_scanxar: cli_LzmaDecode() fails: %i.\\n\", lret);\n rc = CL_EFORMAT;\n extract_errors++;\n break;\n }\n\n in_consumed = avail_in - lz.avail_in;\n in_remaining -= in_consumed;\n at += in_consumed;\n avail_out = CLI_LZMA_OBUF_SIZE - lz.avail_out;\n \n if (avail_out == 0)\n cli_dbgmsg(\"cli_scanxar: cli_LzmaDecode() produces no output for \"\n \"avail_in %llu, avail_out %llu.\\n\",\n (long long unsigned)avail_in, (long long unsigned)avail_out);\n\n if (a_hash_ctx != NULL)\n xar_hash_update(a_hash_ctx, next_in, 
in_consumed, a_hash); \n if (e_hash_ctx != NULL)\n xar_hash_update(e_hash_ctx, buff, avail_out, e_hash);\n\n /* Write a decompressed block. */\n /* cli_dbgmsg(\"Writing %li bytes to LZMA decompress temp file, \" */\n /* \"consumed %li of %li available compressed bytes.\\n\", */\n /* avail_out, in_consumed, avail_in); */\n\n if (cli_writen(fd, buff, avail_out) < 0) {\n cli_dbgmsg(\"cli_scanxar: cli_writen error writing lzma temp file for %llu bytes.\\n\",\n (long long unsigned)avail_out);\n __lzma_wrap_free(NULL, buff);\n cli_LzmaShutdown(&lz);\n rc = CL_EWRITE;\n goto exit_tmpfile;\n }\n\n /* Check file size limitation. */\n out_size += avail_out;\n if (cli_checklimits(\"cli_scanxar\", ctx, out_size, 0, 0) != CL_CLEAN) {\n break;\n }\n\n if (lret == LZMA_STREAM_END)\n break;\n }\n\n cli_LzmaShutdown(&lz);\n __lzma_wrap_free(NULL, buff);\n }\n break; \n case CL_TYPE_ANY:\n default:\n case CL_TYPE_BZ:\n case CL_TYPE_XZ:\n /* for uncompressed, bzip2, xz, and unknown, just pull the file, cli_magic_scandesc does the rest */\n do_extract_cksum = 0;\n {\n size_t writelen = MIN(map->len - at, length);\n\n if (ctx->engine->maxfilesize)\n writelen = MIN((size_t)(ctx->engine->maxfilesize), writelen);\n \n if (!(blockp = (void*)fmap_need_off_once(map, at, writelen))) {\n char errbuff[128];\n cli_strerror(errno, errbuff, sizeof(errbuff));\n cli_dbgmsg(\"cli_scanxar: Can't read %zu bytes @ %zu, errno:%s.\\n\",\n writelen, at, errbuff);\n rc = CL_EREAD;\n goto exit_tmpfile;\n }\n \n if (a_hash_ctx != NULL)\n xar_hash_update(a_hash_ctx, blockp, writelen, a_hash);\n \n if (cli_writen(fd, blockp, writelen) < 0) {\n cli_dbgmsg(\"cli_scanxar: cli_writen error %zu bytes @ %li.\\n\", writelen, at);\n rc = CL_EWRITE;\n goto exit_tmpfile;\n }\n /*break;*/\n } \n } /* end of switch */\n\n if (rc == CL_SUCCESS) {\n if (a_hash_ctx != NULL) {\n xar_hash_final(a_hash_ctx, result, a_hash);\n a_hash_ctx = NULL;\n } else {\n cli_dbgmsg(\"cli_scanxar: archived-checksum missing.\\n\");\n 
cksum_fails++;\n }\n if (a_cksum != NULL) {\n expected = cli_hex2str((char *)a_cksum);\n if (xar_hash_check(a_hash, result, expected) != 0) {\n cli_dbgmsg(\"cli_scanxar: archived-checksum mismatch.\\n\");\n cksum_fails++;\n } else {\n cli_dbgmsg(\"cli_scanxar: archived-checksum matched.\\n\"); \n }\n free(expected);\n }\n\n if (e_hash_ctx != NULL) {\n xar_hash_final(e_hash_ctx, result, e_hash);\n e_hash_ctx = NULL;\n } else {\n cli_dbgmsg(\"cli_scanxar: extracted-checksum(unarchived-checksum) missing.\\n\");\n cksum_fails++;\n }\n if (e_cksum != NULL) {\n if (do_extract_cksum) {\n expected = cli_hex2str((char *)e_cksum);\n if (xar_hash_check(e_hash, result, expected) != 0) {\n cli_dbgmsg(\"cli_scanxar: extracted-checksum mismatch.\\n\");\n cksum_fails++;\n } else {\n cli_dbgmsg(\"cli_scanxar: extracted-checksum matched.\\n\"); \n }\n free(expected);\n }\n }\n \n rc = cli_magic_scandesc(fd, ctx);\n if (rc != CL_SUCCESS) {\n if (rc == CL_VIRUS) {\n cli_dbgmsg(\"cli_scanxar: Infected with %s\\n\", cli_get_last_virus(ctx));\n if (!SCAN_ALL)\n goto exit_tmpfile;\n } else if (rc != CL_BREAK) {\n cli_dbgmsg(\"cli_scanxar: cli_magic_scandesc error %i\\n\", rc);\n goto exit_tmpfile;\n }\n }\n }\n \n if (a_cksum != NULL) {\n xmlFree(a_cksum);\n a_cksum = NULL;\n }\n if (e_cksum != NULL) {\n xmlFree(e_cksum);\n e_cksum = NULL;\n }\n }\n\n exit_tmpfile:\n xar_cleanup_temp_file(ctx, fd, tmpname);\n if (a_hash_ctx != NULL)\n xar_hash_final(a_hash_ctx, result, a_hash);\n if (e_hash_ctx != NULL)\n xar_hash_final(e_hash_ctx, result, e_hash);\n \n exit_reader:\n if (a_cksum != NULL)\n xmlFree(a_cksum); \n if (e_cksum != NULL)\n xmlFree(e_cksum);\n xmlTextReaderClose(reader);\n xmlFreeTextReader(reader);\n\n exit_toc:\n free(toc);\n if (rc == CL_BREAK)\n rc = CL_SUCCESS;\n#else\n cli_dbgmsg(\"cli_scanxar: can't scan xar files, need libxml2.\\n\");\n#endif\n if (cksum_fails + extract_errors != 0) {\n cli_dbgmsg(\"cli_scanxar: %u checksum errors and %u extraction errors.\\n\",\n 
cksum_fails, extract_errors);\n }\n\n return rc;\n}",
- "project": "clamav-devel",
- "hash": 63844451803940368534812304900745450586,
- "size": 477,
- "commit_id": "d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6",
- "message": "bb11588 - fix out of bounds read.",
- "target": 0,
- "dataset": "other",
- "idx": 390686
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "mt_input_configured",
- "mt_touch_input_configured",
- "mt_post_parse"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void mt_post_parse_default_settings(struct mt_device *td,\n\t\t\t\t\t struct mt_application *app)\n{\n\t__s32 quirks = app->quirks;\n\n\t/* unknown serial device needs special quirks */\n\tif (list_is_singular(&app->mt_usages)) {\n\t\tquirks |= MT_QUIRK_ALWAYS_VALID;\n\t\tquirks &= ~MT_QUIRK_NOT_SEEN_MEANS_UP;\n\t\tquirks &= ~MT_QUIRK_VALID_IS_INRANGE;\n\t\tquirks &= ~MT_QUIRK_VALID_IS_CONFIDENCE;\n\t\tquirks &= ~MT_QUIRK_CONTACT_CNT_ACCURATE;\n\t}\n\n\tapp->quirks = quirks;\n}",
- "project": "linux",
- "hash": 58152714186148892912353046127509225987,
- "size": 16,
- "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25",
- "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier <maz@kernel.org>\nSigned-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 458393
- },
- {
- "func": "static void mt_post_parse(struct mt_device *td, struct mt_application *app)\n{\n\tif (!app->have_contact_count)\n\t\tapp->quirks &= ~MT_QUIRK_CONTACT_CNT_ACCURATE;\n}",
- "project": "linux",
- "hash": 213504921520913391093751786629722542600,
- "size": 5,
- "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25",
- "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier <maz@kernel.org>\nSigned-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 458347
- },
- {
- "func": "static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi)\n{\n\tstruct mt_device *td = hid_get_drvdata(hdev);\n\tchar *name;\n\tconst char *suffix = NULL;\n\tstruct mt_report_data *rdata;\n\tstruct mt_application *mt_application = NULL;\n\tstruct hid_report *report;\n\tint ret;\n\n\tlist_for_each_entry(report, &hi->reports, hidinput_list) {\n\t\trdata = mt_find_report_data(td, report);\n\t\tif (!rdata) {\n\t\t\thid_err(hdev, \"failed to allocate data for report\\n\");\n\t\t\treturn -ENOMEM;\n\t\t}\n\n\t\tmt_application = rdata->application;\n\n\t\tif (rdata->is_mt_collection) {\n\t\t\tret = mt_touch_input_configured(hdev, hi,\n\t\t\t\t\t\t\tmt_application);\n\t\t\tif (ret)\n\t\t\t\treturn ret;\n\t\t}\n\t}\n\n\tswitch (hi->application) {\n\tcase HID_GD_KEYBOARD:\n\tcase HID_GD_KEYPAD:\n\tcase HID_GD_MOUSE:\n\tcase HID_DG_TOUCHPAD:\n\tcase HID_GD_SYSTEM_CONTROL:\n\tcase HID_CP_CONSUMER_CONTROL:\n\tcase HID_GD_WIRELESS_RADIO_CTLS:\n\tcase HID_GD_SYSTEM_MULTIAXIS:\n\t\t/* already handled by hid core */\n\t\tbreak;\n\tcase HID_DG_TOUCHSCREEN:\n\t\t/* we do not set suffix = \"Touchscreen\" */\n\t\thi->input->name = hdev->name;\n\t\tbreak;\n\tcase HID_DG_STYLUS:\n\t\t/* force BTN_STYLUS to allow tablet matching in udev */\n\t\t__set_bit(BTN_STYLUS, hi->input->keybit);\n\t\tbreak;\n\tcase HID_VD_ASUS_CUSTOM_MEDIA_KEYS:\n\t\tsuffix = \"Custom Media Keys\";\n\t\tbreak;\n\tcase HID_DG_PEN:\n\t\tsuffix = \"Stylus\";\n\t\tbreak;\n\tdefault:\n\t\tsuffix = \"UNKNOWN\";\n\t\tbreak;\n\t}\n\n\tif (suffix) {\n\t\tname = devm_kzalloc(&hi->input->dev,\n\t\t\t\t strlen(hdev->name) + strlen(suffix) + 2,\n\t\t\t\t GFP_KERNEL);\n\t\tif (name) {\n\t\t\tsprintf(name, \"%s %s\", hdev->name, suffix);\n\t\t\thi->input->name = name;\n\t\t}\n\t}\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 266436603296759703726440869455037074673,
- "size": 69,
- "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25",
- "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier <maz@kernel.org>\nSigned-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 458354
- },
- {
- "func": "static int mt_touch_input_configured(struct hid_device *hdev,\n\t\t\t\t struct hid_input *hi,\n\t\t\t\t struct mt_application *app)\n{\n\tstruct mt_device *td = hid_get_drvdata(hdev);\n\tstruct mt_class *cls = &td->mtclass;\n\tstruct input_dev *input = hi->input;\n\tint ret;\n\n\tif (!td->maxcontacts)\n\t\ttd->maxcontacts = MT_DEFAULT_MAXCONTACT;\n\n\tmt_post_parse(td, app);\n\tif (td->serial_maybe)\n\t\tmt_post_parse_default_settings(td, app);\n\n\tif (cls->is_indirect)\n\t\tapp->mt_flags |= INPUT_MT_POINTER;\n\n\tif (app->quirks & MT_QUIRK_NOT_SEEN_MEANS_UP)\n\t\tapp->mt_flags |= INPUT_MT_DROP_UNUSED;\n\n\t/* check for clickpads */\n\tif ((app->mt_flags & INPUT_MT_POINTER) &&\n\t (app->buttons_count == 1))\n\t\ttd->is_buttonpad = true;\n\n\tif (td->is_buttonpad)\n\t\t__set_bit(INPUT_PROP_BUTTONPAD, input->propbit);\n\n\tapp->pending_palm_slots = devm_kcalloc(&hi->input->dev,\n\t\t\t\t\t BITS_TO_LONGS(td->maxcontacts),\n\t\t\t\t\t sizeof(long),\n\t\t\t\t\t GFP_KERNEL);\n\tif (!app->pending_palm_slots)\n\t\treturn -ENOMEM;\n\n\tret = input_mt_init_slots(input, td->maxcontacts, app->mt_flags);\n\tif (ret)\n\t\treturn ret;\n\n\tapp->mt_flags = 0;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 283822497685535133601448597004996256847,
- "size": 44,
- "commit_id": "35556bed836f8dc07ac55f69c8d17dce3e7f0e25",
- "message": "HID: core: Sanitize event code and type when mapping input\n\nWhen calling into hid_map_usage(), the passed event code is\nblindly stored as is, even if it doesn't fit in the associated bitmap.\n\nThis event code can come from a variety of sources, including devices\nmasquerading as input devices, only a bit more \"programmable\".\n\nInstead of taking the event code at face value, check that it actually\nfits the corresponding bitmap, and if it doesn't:\n- spit out a warning so that we know which device is acting up\n- NULLify the bitmap pointer so that we catch unexpected uses\n\nCode paths that can make use of untrusted inputs can now check\nthat the mapping was indeed correct and bail out if not.\n\nCc: stable@vger.kernel.org\nSigned-off-by: Marc Zyngier <maz@kernel.org>\nSigned-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 458406
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "const_item_cache",
- "Used_tables_and_const_cache",
- "Item_args"
- ],
- "group_size": 17,
- "functions": [
- {
- "func": " Used_tables_and_const_cache()\n :used_tables_cache(0),\n const_item_cache(true)\n { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 70170292268823126681646886511297141458,
- "size": 4,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509027
- },
- {
- "func": " Used_tables_and_const_cache(const Used_tables_and_const_cache *other)\n :used_tables_cache(other->used_tables_cache),\n const_item_cache(other->const_item_cache)\n { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 129347766320708436552887556270497611520,
- "size": 4,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509279
- },
- {
- "func": " Item_func_or_sum(THD *thd, List<Item> &list):\n Item_result_field(thd), Item_args(thd, list) { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 93801493894189936125723614342375676583,
- "size": 2,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 508993
- },
- {
- "func": " Item_args(THD *thd, List<Item> &list)\n {\n set_arguments(thd, list);\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 107473002294933021114198266023758839804,
- "size": 4,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509015
- },
- {
- "func": " Item_args(THD *thd, Item *a, Item *b, Item *c, Item *d)\n {\n arg_count= 0;\n if ((args= (Item**) thd_alloc(thd, sizeof(Item*) * 4)))\n {\n arg_count= 4;\n args[0]= a; args[1]= b; args[2]= c; args[3]= d;\n }\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 98758509636609230532018393515442874480,
- "size": 9,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509052
- },
- {
- "func": " Item_args(THD *thd, Item *a, Item *b, Item *c, Item *d, Item* e)\n {\n arg_count= 5;\n if ((args= (Item**) thd_alloc(thd, sizeof(Item*) * 5)))\n {\n arg_count= 5;\n args[0]= a; args[1]= b; args[2]= c; args[3]= d; args[4]= e;\n }\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 82753295150051949649760613834725297095,
- "size": 9,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509113
- },
- {
- "func": " Item_func_or_sum(THD *thd, Item *a, Item *b, Item *c, Item *d, Item *e):\n Item_result_field(thd), Item_args(thd, a, b, c, d, e) { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 29791013221365034714959362410181658469,
- "size": 2,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509156
- },
- {
- "func": " Item_func_or_sum(THD *thd, Item *a, Item *b, Item *c, Item *d):\n Item_result_field(thd), Item_args(thd, a, b, c, d) { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 253063585750248010350977435121311080952,
- "size": 2,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509267
- },
- {
- "func": " Item_func_or_sum(THD *thd, Item *a, Item *b):\n Item_result_field(thd), Item_args(a, b) { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 188631549360207284087954855294399784867,
- "size": 2,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509311
- },
- {
- "func": " Item_func_or_sum(THD *thd, Item *a, Item *b, Item *c):\n Item_result_field(thd), Item_args(thd, a, b, c) { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 130706807230659488529929597216420655911,
- "size": 2,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509325
- },
- {
- "func": " Item_func_or_sum(THD *thd, Item *a): Item_result_field(thd), Item_args(a) { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 119541379773122882135542307744678575193,
- "size": 1,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509354
- },
- {
- "func": " Item_func_or_sum(THD *thd): Item_result_field(thd), Item_args() {}",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 50476602307086361413307091018138685320,
- "size": 1,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509436
- },
- {
- "func": " Item_args(THD *thd, Item *a, Item *b, Item *c)\n {\n arg_count= 0;\n if ((args= (Item**) thd_alloc(thd, sizeof(Item*) * 3)))\n {\n arg_count= 3;\n args[0]= a; args[1]= b; args[2]= c;\n }\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 2322469865541057066563100503472676470,
- "size": 9,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509463
- },
- {
- "func": " Item_args(void)\n :args(NULL), arg_count(0)\n { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 61081988329386483319425005015179181665,
- "size": 3,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509004
- },
- {
- "func": " Item_args(Item *a)\n :args(tmp_arg), arg_count(1)\n {\n args[0]= a;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 39732291047470280382794240015165951105,
- "size": 5,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509295
- },
- {
- "func": " Item_args(Item *a, Item *b)\n :args(tmp_arg), arg_count(2)\n {\n args[0]= a; args[1]= b;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 59211100634841026195075519384401584121,
- "size": 5,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509315
- },
- {
- "func": " Item_func_or_sum(THD *thd, Item_func_or_sum *item):\n Item_result_field(thd, item), Item_args(thd, item),\n Used_tables_and_const_cache(item) { }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 151721658218341219919413360088132809029,
- "size": 3,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509355
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ff_layout_read_done_cb",
- "ff_layout_async_handle_error",
- "ff_layout_async_handle_error_v3"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static int ff_layout_commit_done_cb(struct rpc_task *task,\n\t\t\t\t struct nfs_commit_data *data)\n{\n\tint err;\n\n\tif (task->tk_status < 0) {\n\t\tff_layout_io_track_ds_error(data->lseg, data->ds_commit_index,\n\t\t\t\t\t data->args.offset, data->args.count,\n\t\t\t\t\t &data->res.op_status, OP_COMMIT,\n\t\t\t\t\t task->tk_status);\n\t\ttrace_ff_layout_commit_error(data);\n\t}\n\n\terr = ff_layout_async_handle_error(task, NULL, data->ds_clp,\n\t\t\t\t\t data->lseg, data->ds_commit_index);\n\n\ttrace_nfs4_pnfs_commit_ds(data, err);\n\tswitch (err) {\n\tcase -NFS4ERR_RESET_TO_PNFS:\n\t\tpnfs_generic_prepare_to_resend_writes(data);\n\t\treturn -EAGAIN;\n\tcase -NFS4ERR_RESET_TO_MDS:\n\t\tpnfs_generic_prepare_to_resend_writes(data);\n\t\treturn -EAGAIN;\n\tcase -EAGAIN:\n\t\trpc_restart_call_prepare(task);\n\t\treturn -EAGAIN;\n\t}\n\n\tff_layout_set_layoutcommit(data->inode, data->lseg, data->lwb);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 106318797871217730338365737523274006652,
- "size": 33,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234437
- },
- {
- "func": "static int ff_layout_async_handle_error_v3(struct rpc_task *task,\n\t\t\t\t\t struct pnfs_layout_segment *lseg,\n\t\t\t\t\t u32 idx)\n{\n\tstruct nfs4_deviceid_node *devid = FF_LAYOUT_DEVID_NODE(lseg, idx);\n\n\tswitch (task->tk_status) {\n\t/* File access problems. Don't mark the device as unavailable */\n\tcase -EACCES:\n\tcase -ESTALE:\n\tcase -EISDIR:\n\tcase -EBADHANDLE:\n\tcase -ELOOP:\n\tcase -ENOSPC:\n\t\tbreak;\n\tcase -EJUKEBOX:\n\t\tnfs_inc_stats(lseg->pls_layout->plh_inode, NFSIOS_DELAY);\n\t\tgoto out_retry;\n\tdefault:\n\t\tdprintk(\"%s DS connection error %d\\n\", __func__,\n\t\t\ttask->tk_status);\n\t\tnfs4_delete_deviceid(devid->ld, devid->nfs_client,\n\t\t\t\t&devid->deviceid);\n\t}\n\t/* FIXME: Need to prevent infinite looping here. */\n\treturn -NFS4ERR_RESET_TO_PNFS;\nout_retry:\n\ttask->tk_status = 0;\n\trpc_restart_call_prepare(task);\n\trpc_delay(task, NFS_JUKEBOX_RETRY_TIME);\n\treturn -EAGAIN;\n}",
- "project": "linux",
- "hash": 50022064211193577675270940169020858967,
- "size": 32,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234394
- },
- {
- "func": "static int ff_layout_write_done_cb(struct rpc_task *task,\n\t\t\t\tstruct nfs_pgio_header *hdr)\n{\n\tloff_t end_offs = 0;\n\tint err;\n\n\tif (task->tk_status < 0) {\n\t\tff_layout_io_track_ds_error(hdr->lseg, hdr->pgio_mirror_idx,\n\t\t\t\t\t hdr->args.offset, hdr->args.count,\n\t\t\t\t\t &hdr->res.op_status, OP_WRITE,\n\t\t\t\t\t task->tk_status);\n\t\ttrace_ff_layout_write_error(hdr);\n\t}\n\n\terr = ff_layout_async_handle_error(task, hdr->args.context->state,\n\t\t\t\t\t hdr->ds_clp, hdr->lseg,\n\t\t\t\t\t hdr->pgio_mirror_idx);\n\n\ttrace_nfs4_pnfs_write(hdr, err);\n\tclear_bit(NFS_IOHDR_RESEND_PNFS, &hdr->flags);\n\tclear_bit(NFS_IOHDR_RESEND_MDS, &hdr->flags);\n\tswitch (err) {\n\tcase -NFS4ERR_RESET_TO_PNFS:\n\t\tset_bit(NFS_IOHDR_RESEND_PNFS, &hdr->flags);\n\t\treturn task->tk_status;\n\tcase -NFS4ERR_RESET_TO_MDS:\n\t\tset_bit(NFS_IOHDR_RESEND_MDS, &hdr->flags);\n\t\treturn task->tk_status;\n\tcase -EAGAIN:\n\t\treturn -EAGAIN;\n\t}\n\n\tif (hdr->res.verf->committed == NFS_FILE_SYNC ||\n\t hdr->res.verf->committed == NFS_DATA_SYNC)\n\t\tend_offs = hdr->mds_offset + (loff_t)hdr->res.count;\n\n\t/* Note: if the write is unstable, don't set end_offs until commit */\n\tff_layout_set_layoutcommit(hdr->inode, hdr->lseg, end_offs);\n\n\t/* zero out fattr since we don't care DS attr at all */\n\thdr->fattr.valid = 0;\n\tif (task->tk_status >= 0)\n\t\tnfs_writeback_update_inode(hdr);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 168398118774376998007428881702397687610,
- "size": 46,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234478
- },
- {
- "func": "static void ff_layout_io_track_ds_error(struct pnfs_layout_segment *lseg,\n\t\t\t\t\tu32 idx, u64 offset, u64 length,\n\t\t\t\t\tu32 *op_status, int opnum, int error)\n{\n\tstruct nfs4_ff_layout_mirror *mirror;\n\tu32 status = *op_status;\n\tint err;\n\n\tif (status == 0) {\n\t\tswitch (error) {\n\t\tcase -ETIMEDOUT:\n\t\tcase -EPFNOSUPPORT:\n\t\tcase -EPROTONOSUPPORT:\n\t\tcase -EOPNOTSUPP:\n\t\tcase -ECONNREFUSED:\n\t\tcase -ECONNRESET:\n\t\tcase -EHOSTDOWN:\n\t\tcase -EHOSTUNREACH:\n\t\tcase -ENETUNREACH:\n\t\tcase -EADDRINUSE:\n\t\tcase -ENOBUFS:\n\t\tcase -EPIPE:\n\t\tcase -EPERM:\n\t\t\t*op_status = status = NFS4ERR_NXIO;\n\t\t\tbreak;\n\t\tcase -EACCES:\n\t\t\t*op_status = status = NFS4ERR_ACCESS;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn;\n\t\t}\n\t}\n\n\tmirror = FF_LAYOUT_COMP(lseg, idx);\n\terr = ff_layout_track_ds_error(FF_LAYOUT_FROM_HDR(lseg->pls_layout),\n\t\t\t\t mirror, offset, length, status, opnum,\n\t\t\t\t GFP_NOIO);\n\n\tswitch (status) {\n\tcase NFS4ERR_DELAY:\n\tcase NFS4ERR_GRACE:\n\t\tbreak;\n\tcase NFS4ERR_NXIO:\n\t\tff_layout_mark_ds_unreachable(lseg, idx);\n\t\t/*\n\t\t * Don't return the layout if this is a read and we still\n\t\t * have layouts to try\n\t\t */\n\t\tif (opnum == OP_READ)\n\t\t\tbreak;\n\t\tfallthrough;\n\tdefault:\n\t\tpnfs_error_mark_layout_for_return(lseg->pls_layout->plh_inode,\n\t\t\t\t\t\t lseg);\n\t}\n\n\tdprintk(\"%s: err %d op %d status %u\\n\", __func__, err, opnum, status);\n}",
- "project": "linux",
- "hash": 220799155530918833183643254086886191150,
- "size": 58,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234389
- },
- {
- "func": "static int ff_layout_async_handle_error(struct rpc_task *task,\n\t\t\t\t\tstruct nfs4_state *state,\n\t\t\t\t\tstruct nfs_client *clp,\n\t\t\t\t\tstruct pnfs_layout_segment *lseg,\n\t\t\t\t\tu32 idx)\n{\n\tint vers = clp->cl_nfs_mod->rpc_vers->number;\n\n\tif (task->tk_status >= 0) {\n\t\tff_layout_mark_ds_reachable(lseg, idx);\n\t\treturn 0;\n\t}\n\n\t/* Handle the case of an invalid layout segment */\n\tif (!pnfs_is_valid_lseg(lseg))\n\t\treturn -NFS4ERR_RESET_TO_PNFS;\n\n\tswitch (vers) {\n\tcase 3:\n\t\treturn ff_layout_async_handle_error_v3(task, lseg, idx);\n\tcase 4:\n\t\treturn ff_layout_async_handle_error_v4(task, state, clp,\n\t\t\t\t\t\t lseg, idx);\n\tdefault:\n\t\t/* should never happen */\n\t\tWARN_ON_ONCE(1);\n\t\treturn 0;\n\t}\n}",
- "project": "linux",
- "hash": 215930583568728152231241471725064740567,
- "size": 29,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234436
- },
- {
- "func": "static int ff_layout_read_done_cb(struct rpc_task *task,\n\t\t\t\tstruct nfs_pgio_header *hdr)\n{\n\tint err;\n\n\tif (task->tk_status < 0) {\n\t\tff_layout_io_track_ds_error(hdr->lseg, hdr->pgio_mirror_idx,\n\t\t\t\t\t hdr->args.offset, hdr->args.count,\n\t\t\t\t\t &hdr->res.op_status, OP_READ,\n\t\t\t\t\t task->tk_status);\n\t\ttrace_ff_layout_read_error(hdr);\n\t}\n\n\terr = ff_layout_async_handle_error(task, hdr->args.context->state,\n\t\t\t\t\t hdr->ds_clp, hdr->lseg,\n\t\t\t\t\t hdr->pgio_mirror_idx);\n\n\ttrace_nfs4_pnfs_read(hdr, err);\n\tclear_bit(NFS_IOHDR_RESEND_PNFS, &hdr->flags);\n\tclear_bit(NFS_IOHDR_RESEND_MDS, &hdr->flags);\n\tswitch (err) {\n\tcase -NFS4ERR_RESET_TO_PNFS:\n\t\tset_bit(NFS_IOHDR_RESEND_PNFS, &hdr->flags);\n\t\treturn task->tk_status;\n\tcase -NFS4ERR_RESET_TO_MDS:\n\t\tset_bit(NFS_IOHDR_RESEND_MDS, &hdr->flags);\n\t\treturn task->tk_status;\n\tcase -EAGAIN:\n\t\tgoto out_eagain;\n\t}\n\n\treturn 0;\nout_eagain:\n\trpc_restart_call_prepare(task);\n\treturn -EAGAIN;\n}",
- "project": "linux",
- "hash": 330872505513758726857852614562189654275,
- "size": 36,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234498
- },
- {
- "func": "static int ff_layout_async_handle_error_v4(struct rpc_task *task,\n\t\t\t\t\t struct nfs4_state *state,\n\t\t\t\t\t struct nfs_client *clp,\n\t\t\t\t\t struct pnfs_layout_segment *lseg,\n\t\t\t\t\t u32 idx)\n{\n\tstruct pnfs_layout_hdr *lo = lseg->pls_layout;\n\tstruct inode *inode = lo->plh_inode;\n\tstruct nfs4_deviceid_node *devid = FF_LAYOUT_DEVID_NODE(lseg, idx);\n\tstruct nfs4_slot_table *tbl = &clp->cl_session->fc_slot_table;\n\n\tswitch (task->tk_status) {\n\tcase -NFS4ERR_BADSESSION:\n\tcase -NFS4ERR_BADSLOT:\n\tcase -NFS4ERR_BAD_HIGH_SLOT:\n\tcase -NFS4ERR_DEADSESSION:\n\tcase -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:\n\tcase -NFS4ERR_SEQ_FALSE_RETRY:\n\tcase -NFS4ERR_SEQ_MISORDERED:\n\t\tdprintk(\"%s ERROR %d, Reset session. Exchangeid \"\n\t\t\t\"flags 0x%x\\n\", __func__, task->tk_status,\n\t\t\tclp->cl_exchange_flags);\n\t\tnfs4_schedule_session_recovery(clp->cl_session, task->tk_status);\n\t\tbreak;\n\tcase -NFS4ERR_DELAY:\n\tcase -NFS4ERR_GRACE:\n\t\trpc_delay(task, FF_LAYOUT_POLL_RETRY_MAX);\n\t\tbreak;\n\tcase -NFS4ERR_RETRY_UNCACHED_REP:\n\t\tbreak;\n\t/* Invalidate Layout errors */\n\tcase -NFS4ERR_PNFS_NO_LAYOUT:\n\tcase -ESTALE: /* mapped NFS4ERR_STALE */\n\tcase -EBADHANDLE: /* mapped NFS4ERR_BADHANDLE */\n\tcase -EISDIR: /* mapped NFS4ERR_ISDIR */\n\tcase -NFS4ERR_FHEXPIRED:\n\tcase -NFS4ERR_WRONG_TYPE:\n\t\tdprintk(\"%s Invalid layout error %d\\n\", __func__,\n\t\t\ttask->tk_status);\n\t\t/*\n\t\t * Destroy layout so new i/o will get a new layout.\n\t\t * Layout will not be destroyed until all current lseg\n\t\t * references are put. 
Mark layout as invalid to resend failed\n\t\t * i/o and all i/o waiting on the slot table to the MDS until\n\t\t * layout is destroyed and a new valid layout is obtained.\n\t\t */\n\t\tpnfs_destroy_layout(NFS_I(inode));\n\t\trpc_wake_up(&tbl->slot_tbl_waitq);\n\t\tgoto reset;\n\t/* RPC connection errors */\n\tcase -ECONNREFUSED:\n\tcase -EHOSTDOWN:\n\tcase -EHOSTUNREACH:\n\tcase -ENETUNREACH:\n\tcase -EIO:\n\tcase -ETIMEDOUT:\n\tcase -EPIPE:\n\t\tdprintk(\"%s DS connection error %d\\n\", __func__,\n\t\t\ttask->tk_status);\n\t\tnfs4_delete_deviceid(devid->ld, devid->nfs_client,\n\t\t\t\t&devid->deviceid);\n\t\trpc_wake_up(&tbl->slot_tbl_waitq);\n\t\tfallthrough;\n\tdefault:\n\t\tif (ff_layout_avoid_mds_available_ds(lseg))\n\t\t\treturn -NFS4ERR_RESET_TO_PNFS;\nreset:\n\t\tdprintk(\"%s Retry through MDS. Error %d\\n\", __func__,\n\t\t\ttask->tk_status);\n\t\treturn -NFS4ERR_RESET_TO_MDS;\n\t}\n\ttask->tk_status = 0;\n\treturn -EAGAIN;\n}",
- "project": "linux",
- "hash": 286251947122498055108704360251986480348,
- "size": 74,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234424
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "check_bugs",
- "taa_select_mitigation",
- "mds_select_mitigation"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static void __init mds_print_mitigation(void)\n{\n\tif (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off())\n\t\treturn;\n\n\tpr_info(\"%s\\n\", mds_strings[mds_mitigation]);\n}",
- "project": "linux",
- "hash": 280770500787910336824923803341770506427,
- "size": 7,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338782
- },
- {
- "func": "static void __init taa_select_mitigation(void)\n{\n\tu64 ia32_cap;\n\n\tif (!boot_cpu_has_bug(X86_BUG_TAA)) {\n\t\ttaa_mitigation = TAA_MITIGATION_OFF;\n\t\treturn;\n\t}\n\n\t/* TSX previously disabled by tsx=off */\n\tif (!boot_cpu_has(X86_FEATURE_RTM)) {\n\t\ttaa_mitigation = TAA_MITIGATION_TSX_DISABLED;\n\t\tgoto out;\n\t}\n\n\tif (cpu_mitigations_off()) {\n\t\ttaa_mitigation = TAA_MITIGATION_OFF;\n\t\treturn;\n\t}\n\n\t/*\n\t * TAA mitigation via VERW is turned off if both\n\t * tsx_async_abort=off and mds=off are specified.\n\t */\n\tif (taa_mitigation == TAA_MITIGATION_OFF &&\n\t mds_mitigation == MDS_MITIGATION_OFF)\n\t\tgoto out;\n\n\tif (boot_cpu_has(X86_FEATURE_MD_CLEAR))\n\t\ttaa_mitigation = TAA_MITIGATION_VERW;\n\telse\n\t\ttaa_mitigation = TAA_MITIGATION_UCODE_NEEDED;\n\n\t/*\n\t * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.\n\t * A microcode update fixes this behavior to clear CPU buffers. It also\n\t * adds support for MSR_IA32_TSX_CTRL which is enumerated by the\n\t * ARCH_CAP_TSX_CTRL_MSR bit.\n\t *\n\t * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode\n\t * update is required.\n\t */\n\tia32_cap = x86_read_arch_cap_msr();\n\tif ( (ia32_cap & ARCH_CAP_MDS_NO) &&\n\t !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR))\n\t\ttaa_mitigation = TAA_MITIGATION_UCODE_NEEDED;\n\n\t/*\n\t * TSX is enabled, select alternate mitigation for TAA which is\n\t * the same as MDS. 
Enable MDS static branch to clear CPU buffers.\n\t *\n\t * For guests that can't determine whether the correct microcode is\n\t * present on host, enable the mitigation for UCODE_NEEDED as well.\n\t */\n\tstatic_branch_enable(&mds_user_clear);\n\n\tif (taa_nosmt || cpu_mitigations_auto_nosmt())\n\t\tcpu_smt_disable(false);\n\n\t/*\n\t * Update MDS mitigation, if necessary, as the mds_user_clear is\n\t * now enabled for TAA mitigation.\n\t */\n\tif (mds_mitigation == MDS_MITIGATION_OFF &&\n\t boot_cpu_has_bug(X86_BUG_MDS)) {\n\t\tmds_mitigation = MDS_MITIGATION_FULL;\n\t\tmds_select_mitigation();\n\t}\nout:\n\tpr_info(\"%s\\n\", taa_strings[taa_mitigation]);\n}",
- "project": "linux",
- "hash": 164904901481830093158124385210891913323,
- "size": 71,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338795
- },
- {
- "func": "void __init check_bugs(void)\n{\n\tidentify_boot_cpu();\n\n\t/*\n\t * identify_boot_cpu() initialized SMT support information, let the\n\t * core code know.\n\t */\n\tcpu_smt_check_topology();\n\n\tif (!IS_ENABLED(CONFIG_SMP)) {\n\t\tpr_info(\"CPU: \");\n\t\tprint_cpu_info(&boot_cpu_data);\n\t}\n\n\t/*\n\t * Read the SPEC_CTRL MSR to account for reserved bits which may\n\t * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD\n\t * init code as it is not enumerated and depends on the family.\n\t */\n\tif (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))\n\t\trdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);\n\n\t/* Allow STIBP in MSR_SPEC_CTRL if supported */\n\tif (boot_cpu_has(X86_FEATURE_STIBP))\n\t\tx86_spec_ctrl_mask |= SPEC_CTRL_STIBP;\n\n\t/* Select the proper CPU mitigations before patching alternatives: */\n\tspectre_v1_select_mitigation();\n\tspectre_v2_select_mitigation();\n\tssb_select_mitigation();\n\tl1tf_select_mitigation();\n\tmds_select_mitigation();\n\ttaa_select_mitigation();\n\n\t/*\n\t * As MDS and TAA mitigations are inter-related, print MDS\n\t * mitigation until after TAA mitigation selection is done.\n\t */\n\tmds_print_mitigation();\n\n\tarch_smt_update();\n\n#ifdef CONFIG_X86_32\n\t/*\n\t * Check whether we are able to run this kernel safely on SMP.\n\t *\n\t * - i386 is no longer supported.\n\t * - In order to run on anything without a TSC, we need to be\n\t * compiled for a i486.\n\t */\n\tif (boot_cpu_data.x86 < 4)\n\t\tpanic(\"Kernel requires i486+ for 'invlpg' and other features\");\n\n\tinit_utsname()->machine[1] =\n\t\t'0' + (boot_cpu_data.x86 > 6 ? 
6 : boot_cpu_data.x86);\n\talternative_instructions();\n\n\tfpu__init_check_bugs();\n#else /* CONFIG_X86_64 */\n\talternative_instructions();\n\n\t/*\n\t * Make sure the first 2MB area is not mapped by huge pages\n\t * There are typically fixed size MTRRs in there and overlapping\n\t * MTRRs into large pages causes slow downs.\n\t *\n\t * Right now we don't do that with gbpages because there seems\n\t * very little benefit for that case.\n\t */\n\tif (!direct_gbpages)\n\t\tset_memory_4k((unsigned long)__va(0), 1);\n#endif\n}",
- "project": "linux",
- "hash": 76335874925632396404664250494341450697,
- "size": 74,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338794
- },
- {
- "func": "static void __init spectre_v1_select_mitigation(void)\n{\n\tif (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {\n\t\tspectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;\n\t\treturn;\n\t}\n\n\tif (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {\n\t\t/*\n\t\t * With Spectre v1, a user can speculatively control either\n\t\t * path of a conditional swapgs with a user-controlled GS\n\t\t * value. The mitigation is to add lfences to both code paths.\n\t\t *\n\t\t * If FSGSBASE is enabled, the user can put a kernel address in\n\t\t * GS, in which case SMAP provides no protection.\n\t\t *\n\t\t * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the\n\t\t *\t FSGSBASE enablement patches have been merged. ]\n\t\t *\n\t\t * If FSGSBASE is disabled, the user can only put a user space\n\t\t * address in GS. That makes an attack harder, but still\n\t\t * possible if there's no SMAP protection.\n\t\t */\n\t\tif (!smap_works_speculatively()) {\n\t\t\t/*\n\t\t\t * Mitigation can be provided from SWAPGS itself or\n\t\t\t * PTI as the CR3 write in the Meltdown mitigation\n\t\t\t * is serializing.\n\t\t\t *\n\t\t\t * If neither is there, mitigate with an LFENCE to\n\t\t\t * stop speculation through swapgs.\n\t\t\t */\n\t\t\tif (boot_cpu_has_bug(X86_BUG_SWAPGS) &&\n\t\t\t !boot_cpu_has(X86_FEATURE_PTI))\n\t\t\t\tsetup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);\n\n\t\t\t/*\n\t\t\t * Enable lfences in the kernel entry (non-swapgs)\n\t\t\t * paths, to prevent user entry from speculatively\n\t\t\t * skipping swapgs.\n\t\t\t */\n\t\t\tsetup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);\n\t\t}\n\t}\n\n\tpr_info(\"%s\\n\", spectre_v1_strings[spectre_v1_mitigation]);\n}",
- "project": "linux",
- "hash": 168535794606349637416505184367991382173,
- "size": 47,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338786
- },
- {
- "func": "static void __init mds_select_mitigation(void)\n{\n\tif (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {\n\t\tmds_mitigation = MDS_MITIGATION_OFF;\n\t\treturn;\n\t}\n\n\tif (mds_mitigation == MDS_MITIGATION_FULL) {\n\t\tif (!boot_cpu_has(X86_FEATURE_MD_CLEAR))\n\t\t\tmds_mitigation = MDS_MITIGATION_VMWERV;\n\n\t\tstatic_branch_enable(&mds_user_clear);\n\n\t\tif (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&\n\t\t (mds_nosmt || cpu_mitigations_auto_nosmt()))\n\t\t\tcpu_smt_disable(false);\n\t}\n}",
- "project": "linux",
- "hash": 212321058658908919627083140446984070305,
- "size": 18,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338799
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "dccp_init",
- "dccp_mib_init",
- "snmp_mib_init"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static void __exit dccp_fini(void)\n{\n\tdccp_mib_exit();\n\tfree_pages((unsigned long)dccp_hashinfo.bhash,\n\t\t get_order(dccp_hashinfo.bhash_size *\n\t\t\t sizeof(struct inet_bind_hashbucket)));\n\tfree_pages((unsigned long)dccp_hashinfo.ehash,\n\t\t get_order(dccp_hashinfo.ehash_size *\n\t\t\t sizeof(struct inet_ehash_bucket)));\n\tinet_ehash_locks_free(&dccp_hashinfo);\n\tkmem_cache_destroy(dccp_hashinfo.bind_bucket_cachep);\n\tdccp_ackvec_exit();\n\tdccp_sysctl_exit();\n}",
- "target": 0,
- "cwe": [
- "CWE-189"
- ],
- "project": "linux-2.6",
- "commit_id": "3e8a0a559c66ee9e7468195691a56fefc3589740",
- "hash": 190055893379003472168334972294472966259,
- "size": 14,
- "message": "dccp: change L/R must have at least one byte in the dccpsf_val field\n \nThanks to Eugene Teo for reporting this problem.\n \nSigned-off-by: Eugene Teo <eugenete@kernel.sg>\nSigned-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>\nSigned-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 488796
- },
- {
- "func": "static inline int dccp_mib_init(void)\n{\n\treturn snmp_mib_init((void**)dccp_statistics, sizeof(struct dccp_mib));\n}",
- "target": 0,
- "cwe": [
- "CWE-189"
- ],
- "project": "linux-2.6",
- "commit_id": "3e8a0a559c66ee9e7468195691a56fefc3589740",
- "hash": 164086936351459293495267536318594293464,
- "size": 4,
- "message": "dccp: change L/R must have at least one byte in the dccpsf_val field\n \nThanks to Eugene Teo for reporting this problem.\n \nSigned-off-by: Eugene Teo <eugenete@kernel.sg>\nSigned-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>\nSigned-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 488798
- },
- {
- "func": "static int __init dccp_init(void)\n{\n\tunsigned long goal;\n\tint ehash_order, bhash_order, i;\n\tint rc = -ENOBUFS;\n\n\tBUILD_BUG_ON(sizeof(struct dccp_skb_cb) >\n\t\t FIELD_SIZEOF(struct sk_buff, cb));\n\n\tdccp_hashinfo.bind_bucket_cachep =\n\t\tkmem_cache_create(\"dccp_bind_bucket\",\n\t\t\t\t sizeof(struct inet_bind_bucket), 0,\n\t\t\t\t SLAB_HWCACHE_ALIGN, NULL);\n\tif (!dccp_hashinfo.bind_bucket_cachep)\n\t\tgoto out;\n\n\t/*\n\t * Size and allocate the main established and bind bucket\n\t * hash tables.\n\t *\n\t * The methodology is similar to that of the buffer cache.\n\t */\n\tif (num_physpages >= (128 * 1024))\n\t\tgoal = num_physpages >> (21 - PAGE_SHIFT);\n\telse\n\t\tgoal = num_physpages >> (23 - PAGE_SHIFT);\n\n\tif (thash_entries)\n\t\tgoal = (thash_entries *\n\t\t\tsizeof(struct inet_ehash_bucket)) >> PAGE_SHIFT;\n\tfor (ehash_order = 0; (1UL << ehash_order) < goal; ehash_order++)\n\t\t;\n\tdo {\n\t\tdccp_hashinfo.ehash_size = (1UL << ehash_order) * PAGE_SIZE /\n\t\t\t\t\tsizeof(struct inet_ehash_bucket);\n\t\twhile (dccp_hashinfo.ehash_size &\n\t\t (dccp_hashinfo.ehash_size - 1))\n\t\t\tdccp_hashinfo.ehash_size--;\n\t\tdccp_hashinfo.ehash = (struct inet_ehash_bucket *)\n\t\t\t__get_free_pages(GFP_ATOMIC, ehash_order);\n\t} while (!dccp_hashinfo.ehash && --ehash_order > 0);\n\n\tif (!dccp_hashinfo.ehash) {\n\t\tDCCP_CRIT(\"Failed to allocate DCCP established hash table\");\n\t\tgoto out_free_bind_bucket_cachep;\n\t}\n\n\tfor (i = 0; i < dccp_hashinfo.ehash_size; i++) {\n\t\tINIT_HLIST_HEAD(&dccp_hashinfo.ehash[i].chain);\n\t\tINIT_HLIST_HEAD(&dccp_hashinfo.ehash[i].twchain);\n\t}\n\n\tif (inet_ehash_locks_alloc(&dccp_hashinfo))\n\t\t\tgoto out_free_dccp_ehash;\n\n\tbhash_order = ehash_order;\n\n\tdo {\n\t\tdccp_hashinfo.bhash_size = (1UL << bhash_order) * PAGE_SIZE /\n\t\t\t\t\tsizeof(struct inet_bind_hashbucket);\n\t\tif ((dccp_hashinfo.bhash_size > (64 * 1024)) &&\n\t\t bhash_order > 0)\n\t\t\tcontinue;\n\t\tdccp_hashinfo.bhash = 
(struct inet_bind_hashbucket *)\n\t\t\t__get_free_pages(GFP_ATOMIC, bhash_order);\n\t} while (!dccp_hashinfo.bhash && --bhash_order >= 0);\n\n\tif (!dccp_hashinfo.bhash) {\n\t\tDCCP_CRIT(\"Failed to allocate DCCP bind hash table\");\n\t\tgoto out_free_dccp_locks;\n\t}\n\n\tfor (i = 0; i < dccp_hashinfo.bhash_size; i++) {\n\t\tspin_lock_init(&dccp_hashinfo.bhash[i].lock);\n\t\tINIT_HLIST_HEAD(&dccp_hashinfo.bhash[i].chain);\n\t}\n\n\trc = dccp_mib_init();\n\tif (rc)\n\t\tgoto out_free_dccp_bhash;\n\n\trc = dccp_ackvec_init();\n\tif (rc)\n\t\tgoto out_free_dccp_mib;\n\n\trc = dccp_sysctl_init();\n\tif (rc)\n\t\tgoto out_ackvec_exit;\n\n\tdccp_timestamping_init();\nout:\n\treturn rc;\nout_ackvec_exit:\n\tdccp_ackvec_exit();\nout_free_dccp_mib:\n\tdccp_mib_exit();\nout_free_dccp_bhash:\n\tfree_pages((unsigned long)dccp_hashinfo.bhash, bhash_order);\n\tdccp_hashinfo.bhash = NULL;\nout_free_dccp_locks:\n\tinet_ehash_locks_free(&dccp_hashinfo);\nout_free_dccp_ehash:\n\tfree_pages((unsigned long)dccp_hashinfo.ehash, ehash_order);\n\tdccp_hashinfo.ehash = NULL;\nout_free_bind_bucket_cachep:\n\tkmem_cache_destroy(dccp_hashinfo.bind_bucket_cachep);\n\tdccp_hashinfo.bind_bucket_cachep = NULL;\n\tgoto out;\n}",
- "target": 0,
- "cwe": [
- "CWE-189"
- ],
- "project": "linux-2.6",
- "commit_id": "3e8a0a559c66ee9e7468195691a56fefc3589740",
- "hash": 328252653652822182901531598760031729982,
- "size": 109,
- "message": "dccp: change L/R must have at least one byte in the dccpsf_val field\n \nThanks to Eugene Teo for reporting this problem.\n \nSigned-off-by: Eugene Teo <eugenete@kernel.sg>\nSigned-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>\nSigned-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 488805
- },
- {
- "func": "snmp_init()\n{\n snmp_mib_init();\n process_start(&snmp_process, NULL);\n}",
- "project": "contiki-ng",
- "hash": 302207721629871095598808499346739555224,
- "size": 5,
- "commit_id": "12c824386ab60de757de5001974d73b32e19ad71",
- "message": "Refactored SNMP engine after vulnerabilities",
- "target": 0,
- "dataset": "other",
- "idx": 224956
- },
- {
- "func": "snmp_mib_init(void)\n{\n list_init(snmp_mib);\n}",
- "project": "contiki-ng",
- "hash": 199964273214820744309972483913192659544,
- "size": 4,
- "commit_id": "12c824386ab60de757de5001974d73b32e19ad71",
- "message": "Refactored SNMP engine after vulnerabilities",
- "target": 0,
- "dataset": "other",
- "idx": 224930
- },
- {
- "func": "static inline void dccp_mib_exit(void)\n{\n\tsnmp_mib_free((void**)dccp_statistics);\n}",
- "target": 0,
- "cwe": [
- "CWE-189"
- ],
- "project": "linux-2.6",
- "commit_id": "3e8a0a559c66ee9e7468195691a56fefc3589740",
- "hash": 25836332755363829221843816390968203489,
- "size": 4,
- "message": "dccp: change L/R must have at least one byte in the dccpsf_val field\n \nThanks to Eugene Teo for reporting this problem.\n \nSigned-off-by: Eugene Teo <eugenete@kernel.sg>\nSigned-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>\nSigned-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "dataset": "other",
- "idx": 488802
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "cpu_show_itlb_multihit",
- "cpu_show_common",
- "itlb_multihit_show_state"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static ssize_t tsx_async_abort_show_state(char *buf)\n{\n\tif ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||\n\t (taa_mitigation == TAA_MITIGATION_OFF))\n\t\treturn sprintf(buf, \"%s\\n\", taa_strings[taa_mitigation]);\n\n\tif (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {\n\t\treturn sprintf(buf, \"%s; SMT Host state unknown\\n\",\n\t\t\t taa_strings[taa_mitigation]);\n\t}\n\n\treturn sprintf(buf, \"%s; SMT %s\\n\", taa_strings[taa_mitigation],\n\t\t sched_smt_active() ? \"vulnerable\" : \"disabled\");\n}",
- "project": "linux",
- "hash": 104708513657214179616846996395406457780,
- "size": 14,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338785
- },
- {
- "func": "ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)\n{\n\treturn cpu_show_common(dev, attr, buf, X86_BUG_TAA);\n}",
- "project": "linux",
- "hash": 236998040862335715449383732030417267316,
- "size": 4,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338791
- },
- {
- "func": "static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,\n\t\t\t char *buf, unsigned int bug)\n{\n\tif (!boot_cpu_has_bug(bug))\n\t\treturn sprintf(buf, \"Not affected\\n\");\n\n\tswitch (bug) {\n\tcase X86_BUG_CPU_MELTDOWN:\n\t\tif (boot_cpu_has(X86_FEATURE_PTI))\n\t\t\treturn sprintf(buf, \"Mitigation: PTI\\n\");\n\n\t\tif (hypervisor_is_type(X86_HYPER_XEN_PV))\n\t\t\treturn sprintf(buf, \"Unknown (XEN PV detected, hypervisor mitigation required)\\n\");\n\n\t\tbreak;\n\n\tcase X86_BUG_SPECTRE_V1:\n\t\treturn sprintf(buf, \"%s\\n\", spectre_v1_strings[spectre_v1_mitigation]);\n\n\tcase X86_BUG_SPECTRE_V2:\n\t\treturn sprintf(buf, \"%s%s%s%s%s%s\\n\", spectre_v2_strings[spectre_v2_enabled],\n\t\t\t ibpb_state(),\n\t\t\t boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? \", IBRS_FW\" : \"\",\n\t\t\t stibp_state(),\n\t\t\t boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? \", RSB filling\" : \"\",\n\t\t\t spectre_v2_module_string());\n\n\tcase X86_BUG_SPEC_STORE_BYPASS:\n\t\treturn sprintf(buf, \"%s\\n\", ssb_strings[ssb_mode]);\n\n\tcase X86_BUG_L1TF:\n\t\tif (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))\n\t\t\treturn l1tf_show_state(buf);\n\t\tbreak;\n\n\tcase X86_BUG_MDS:\n\t\treturn mds_show_state(buf);\n\n\tcase X86_BUG_TAA:\n\t\treturn tsx_async_abort_show_state(buf);\n\n\tcase X86_BUG_ITLB_MULTIHIT:\n\t\treturn itlb_multihit_show_state(buf);\n\n\tdefault:\n\t\tbreak;\n\t}\n\n\treturn sprintf(buf, \"Vulnerable\\n\");\n}",
- "project": "linux",
- "hash": 95682371023483428363749884475800348152,
- "size": 50,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338798
- },
- {
- "func": "ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)\n{\n\treturn cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);\n}",
- "project": "linux",
- "hash": 4530321038342188693603711881396914185,
- "size": 4,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338788
- },
- {
- "func": "static ssize_t mds_show_state(char *buf)\n{\n\tif (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {\n\t\treturn sprintf(buf, \"%s; SMT Host state unknown\\n\",\n\t\t\t mds_strings[mds_mitigation]);\n\t}\n\n\tif (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {\n\t\treturn sprintf(buf, \"%s; SMT %s\\n\", mds_strings[mds_mitigation],\n\t\t\t (mds_mitigation == MDS_MITIGATION_OFF ? \"vulnerable\" :\n\t\t\t sched_smt_active() ? \"mitigated\" : \"disabled\"));\n\t}\n\n\treturn sprintf(buf, \"%s; SMT %s\\n\", mds_strings[mds_mitigation],\n\t\t sched_smt_active() ? \"vulnerable\" : \"disabled\");\n}",
- "project": "linux",
- "hash": 195159808629626755671724994198411283574,
- "size": 16,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338797
- },
- {
- "func": "static ssize_t itlb_multihit_show_state(char *buf)\n{\n\tif (itlb_multihit_kvm_mitigation)\n\t\treturn sprintf(buf, \"KVM: Mitigation: Split huge pages\\n\");\n\telse\n\t\treturn sprintf(buf, \"KVM: Vulnerable\\n\");\n}",
- "project": "linux",
- "hash": 247261437386362177109715730807061065997,
- "size": 7,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338784
- },
- {
- "func": "static ssize_t itlb_multihit_show_state(char *buf)\n{\n\treturn sprintf(buf, \"Processor vulnerable\\n\");\n}",
- "project": "linux",
- "hash": 38382346743495850530974314169520436007,
- "size": 4,
- "commit_id": "4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf",
- "message": "x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.\n\nCurrently, it is possible to enable indirect branch speculation even after\nit was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the\nPR_GET_SPECULATION_CTRL command gives afterwards an incorrect result\n(force-disabled when it is in fact enabled). This also is inconsistent\nvs. STIBP and the documention which cleary states that\nPR_SPEC_FORCE_DISABLE cannot be undone.\n\nFix this by actually enforcing force-disabled indirect branch\nspeculation. PR_SPEC_ENABLE called after PR_SPEC_FORCE_DISABLE now fails\nwith -EPERM as described in the documentation.\n\nFixes: 9137bb27e60e (\"x86/speculation: Add prctl() control for indirect branch speculation\")\nSigned-off-by: Anthony Steinhauser <asteinhauser@google.com>\nSigned-off-by: Thomas Gleixner <tglx@linutronix.de>\nCc: stable@vger.kernel.org",
- "target": 0,
- "dataset": "other",
- "idx": 338796
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "recv_files",
- "discard_receive_data",
- "receive_data"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static void discard_receive_data(int f_in, OFF_T length)\n{\n\treceive_data(f_in, NULL, -1, 0, NULL, -1, length);\n}",
- "project": "rsync",
- "hash": 114352644162312922294073732524964751395,
- "size": 4,
- "commit_id": "5509597decdbd7b91994210f700329d8a35e70a1",
- "message": "Check daemon filter against fnamecmp in recv_files().",
- "target": 0,
- "dataset": "other",
- "idx": 331483
- },
- {
- "func": "static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,\n\t\t\tconst char *fname, int fd, OFF_T total_size)\n{\n\tstatic char file_sum1[MAX_DIGEST_LEN];\n\tstruct map_struct *mapbuf;\n\tstruct sum_struct sum;\n\tint sum_len;\n\tint32 len;\n\tOFF_T offset = 0;\n\tOFF_T offset2;\n\tchar *data;\n\tint32 i;\n\tchar *map = NULL;\n\n#ifdef SUPPORT_PREALLOCATION\n\tif (preallocate_files && fd != -1 && total_size > 0 && (!inplace || total_size > size_r)) {\n\t\t/* Try to preallocate enough space for file's eventual length. Can\n\t\t * reduce fragmentation on filesystems like ext4, xfs, and NTFS. */\n\t\tif ((preallocated_len = do_fallocate(fd, 0, total_size)) < 0)\n\t\t\trsyserr(FWARNING, errno, \"do_fallocate %s\", full_fname(fname));\n\t} else\n#endif\n\tif (inplace) {\n#ifdef HAVE_FTRUNCATE\n\t\t/* The most compatible way to create a sparse file is to start with no length. */\n\t\tif (sparse_files > 0 && whole_file && fd >= 0 && do_ftruncate(fd, 0) == 0)\n\t\t\tpreallocated_len = 0;\n\t\telse\n#endif\n\t\t\tpreallocated_len = size_r;\n\t} else\n\t\tpreallocated_len = 0;\n\n\tread_sum_head(f_in, &sum);\n\n\tif (fd_r >= 0 && size_r > 0) {\n\t\tint32 read_size = MAX(sum.blength * 2, 16*1024);\n\t\tmapbuf = map_file(fd_r, size_r, read_size, sum.blength);\n\t\tif (DEBUG_GTE(DELTASUM, 2)) {\n\t\t\trprintf(FINFO, \"recv mapped %s of size %s\\n\",\n\t\t\t\tfname_r, big_num(size_r));\n\t\t}\n\t} else\n\t\tmapbuf = NULL;\n\n\tsum_init(xfersum_type, checksum_seed);\n\n\tif (append_mode > 0) {\n\t\tOFF_T j;\n\t\tsum.flength = (OFF_T)sum.count * sum.blength;\n\t\tif (sum.remainder)\n\t\t\tsum.flength -= sum.blength - sum.remainder;\n\t\tif (append_mode == 2 && mapbuf) {\n\t\t\tfor (j = CHUNK_SIZE; j < sum.flength; j += CHUNK_SIZE) {\n\t\t\t\tif (INFO_GTE(PROGRESS, 1))\n\t\t\t\t\tshow_progress(offset, total_size);\n\t\t\t\tsum_update(map_ptr(mapbuf, offset, CHUNK_SIZE),\n\t\t\t\t\t CHUNK_SIZE);\n\t\t\t\toffset = j;\n\t\t\t}\n\t\t\tif (offset < sum.flength) 
{\n\t\t\t\tint32 len = (int32)(sum.flength - offset);\n\t\t\t\tif (INFO_GTE(PROGRESS, 1))\n\t\t\t\t\tshow_progress(offset, total_size);\n\t\t\t\tsum_update(map_ptr(mapbuf, offset, len), len);\n\t\t\t}\n\t\t}\n\t\toffset = sum.flength;\n\t\tif (fd != -1 && (j = do_lseek(fd, offset, SEEK_SET)) != offset) {\n\t\t\trsyserr(FERROR_XFER, errno, \"lseek of %s returned %s, not %s\",\n\t\t\t\tfull_fname(fname), big_num(j), big_num(offset));\n\t\t\texit_cleanup(RERR_FILEIO);\n\t\t}\n\t}\n\n\twhile ((i = recv_token(f_in, &data)) != 0) {\n\t\tif (INFO_GTE(PROGRESS, 1))\n\t\t\tshow_progress(offset, total_size);\n\n\t\tif (allowed_lull)\n\t\t\tmaybe_send_keepalive(time(NULL), MSK_ALLOW_FLUSH | MSK_ACTIVE_RECEIVER);\n\n\t\tif (i > 0) {\n\t\t\tif (DEBUG_GTE(DELTASUM, 3)) {\n\t\t\t\trprintf(FINFO,\"data recv %d at %s\\n\",\n\t\t\t\t\ti, big_num(offset));\n\t\t\t}\n\n\t\t\tstats.literal_data += i;\n\t\t\tcleanup_got_literal = 1;\n\n\t\t\tsum_update(data, i);\n\n\t\t\tif (fd != -1 && write_file(fd, 0, offset, data, i) != i)\n\t\t\t\tgoto report_write_error;\n\t\t\toffset += i;\n\t\t\tcontinue;\n\t\t}\n\n\t\ti = -(i+1);\n\t\toffset2 = i * (OFF_T)sum.blength;\n\t\tlen = sum.blength;\n\t\tif (i == (int)sum.count-1 && sum.remainder != 0)\n\t\t\tlen = sum.remainder;\n\n\t\tstats.matched_data += len;\n\n\t\tif (DEBUG_GTE(DELTASUM, 3)) {\n\t\t\trprintf(FINFO,\n\t\t\t\t\"chunk[%d] of size %ld at %s offset=%s%s\\n\",\n\t\t\t\ti, (long)len, big_num(offset2), big_num(offset),\n\t\t\t\tupdating_basis_or_equiv && offset == offset2 ? 
\" (seek)\" : \"\");\n\t\t}\n\n\t\tif (mapbuf) {\n\t\t\tmap = map_ptr(mapbuf,offset2,len);\n\n\t\t\tsee_token(map, len);\n\t\t\tsum_update(map, len);\n\t\t}\n\n\t\tif (updating_basis_or_equiv) {\n\t\t\tif (offset == offset2 && fd != -1) {\n\t\t\t\tif (skip_matched(fd, offset, map, len) < 0)\n\t\t\t\t\tgoto report_write_error;\n\t\t\t\toffset += len;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\t\tif (fd != -1 && map && write_file(fd, 0, offset, map, len) != (int)len)\n\t\t\tgoto report_write_error;\n\t\toffset += len;\n\t}\n\n\tif (fd != -1 && offset > 0) {\n\t\tif (sparse_files > 0) {\n\t\t\tif (sparse_end(fd, offset) != 0)\n\t\t\t\tgoto report_write_error;\n\t\t} else if (flush_write_file(fd) < 0) {\n\t\t report_write_error:\n\t\t\trsyserr(FERROR_XFER, errno, \"write failed on %s\", full_fname(fname));\n\t\t\texit_cleanup(RERR_FILEIO);\n\t\t}\n\t}\n\n#ifdef HAVE_FTRUNCATE\n\t/* inplace: New data could be shorter than old data.\n\t * preallocate_files: total_size could have been an overestimate.\n\t * Cut off any extra preallocated zeros from dest file. */\n\tif ((inplace || preallocated_len > offset) && fd != -1 && do_ftruncate(fd, offset) < 0) {\n\t\trsyserr(FERROR_XFER, errno, \"ftruncate failed on %s\",\n\t\t\tfull_fname(fname));\n\t}\n#endif\n\n\tif (INFO_GTE(PROGRESS, 1))\n\t\tend_progress(total_size);\n\n\tsum_len = sum_end(file_sum1);\n\n\tif (mapbuf)\n\t\tunmap_file(mapbuf);\n\n\tread_buf(f_in, sender_file_sum, sum_len);\n\tif (DEBUG_GTE(DELTASUM, 2))\n\t\trprintf(FINFO,\"got file_sum\\n\");\n\tif (fd != -1 && memcmp(file_sum1, sender_file_sum, sum_len) != 0)\n\t\treturn 0;\n\treturn 1;\n}",
- "project": "rsync",
- "hash": 100059875466960767778580851539656074765,
- "size": 170,
- "commit_id": "5509597decdbd7b91994210f700329d8a35e70a1",
- "message": "Check daemon filter against fnamecmp in recv_files().",
- "target": 0,
- "dataset": "other",
- "idx": 331481
- },
- {
- "func": "int recv_files(int f_in, int f_out, char *local_name)\n{\n\tint fd1,fd2;\n\tSTRUCT_STAT st;\n\tint iflags, xlen;\n\tchar *fname, fbuf[MAXPATHLEN];\n\tchar xname[MAXPATHLEN];\n\tchar fnametmp[MAXPATHLEN];\n\tchar *fnamecmp, *partialptr;\n\tchar fnamecmpbuf[MAXPATHLEN];\n\tuchar fnamecmp_type;\n\tstruct file_struct *file;\n\tint itemizing = am_server ? logfile_format_has_i : stdout_format_has_i;\n\tenum logcode log_code = log_before_transfer ? FLOG : FINFO;\n\tint max_phase = protocol_version >= 29 ? 2 : 1;\n\tint dflt_perms = (ACCESSPERMS & ~orig_umask);\n#ifdef SUPPORT_ACLS\n\tconst char *parent_dirname = \"\";\n#endif\n\tint ndx, recv_ok;\n\n\tif (DEBUG_GTE(RECV, 1))\n\t\trprintf(FINFO, \"recv_files(%d) starting\\n\", cur_flist->used);\n\n\tif (delay_updates)\n\t\tdelayed_bits = bitbag_create(cur_flist->used + 1);\n\n\twhile (1) {\n\t\tcleanup_disable();\n\n\t\t/* This call also sets cur_flist. */\n\t\tndx = read_ndx_and_attrs(f_in, f_out, &iflags, &fnamecmp_type,\n\t\t\t\t\t xname, &xlen);\n\t\tif (ndx == NDX_DONE) {\n\t\t\tif (!am_server && INFO_GTE(PROGRESS, 2) && cur_flist) {\n\t\t\t\tset_current_file_index(NULL, 0);\n\t\t\t\tend_progress(0);\n\t\t\t}\n\t\t\tif (inc_recurse && first_flist) {\n\t\t\t\tif (read_batch) {\n\t\t\t\t\tndx = first_flist->used + first_flist->ndx_start;\n\t\t\t\t\tgen_wants_ndx(ndx, first_flist->flist_num);\n\t\t\t\t}\n\t\t\t\tflist_free(first_flist);\n\t\t\t\tif (first_flist)\n\t\t\t\t\tcontinue;\n\t\t\t} else if (read_batch && first_flist) {\n\t\t\t\tndx = first_flist->used;\n\t\t\t\tgen_wants_ndx(ndx, first_flist->flist_num);\n\t\t\t}\n\t\t\tif (++phase > max_phase)\n\t\t\t\tbreak;\n\t\t\tif (DEBUG_GTE(RECV, 1))\n\t\t\t\trprintf(FINFO, \"recv_files phase=%d\\n\", phase);\n\t\t\tif (phase == 2 && delay_updates)\n\t\t\t\thandle_delayed_updates(local_name);\n\t\t\twrite_int(f_out, NDX_DONE);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (ndx - cur_flist->ndx_start >= 0)\n\t\t\tfile = cur_flist->files[ndx - 
cur_flist->ndx_start];\n\t\telse\n\t\t\tfile = dir_flist->files[cur_flist->parent_ndx];\n\t\tfname = local_name ? local_name : f_name(file, fbuf);\n\n\t\tif (daemon_filter_list.head\n\t\t && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {\n\t\t\trprintf(FERROR, \"attempt to hack rsync failed.\\n\");\n\t\t\texit_cleanup(RERR_PROTOCOL);\n\t\t}\n\n\t\tif (DEBUG_GTE(RECV, 1))\n\t\t\trprintf(FINFO, \"recv_files(%s)\\n\", fname);\n\n#ifdef SUPPORT_XATTRS\n\t\tif (preserve_xattrs && iflags & ITEM_REPORT_XATTR && do_xfers\n\t\t && !(want_xattr_optim && BITS_SET(iflags, ITEM_XNAME_FOLLOWS|ITEM_LOCAL_CHANGE)))\n\t\t\trecv_xattr_request(file, f_in);\n#endif\n\n\t\tif (!(iflags & ITEM_TRANSFER)) {\n\t\t\tmaybe_log_item(file, iflags, itemizing, xname);\n#ifdef SUPPORT_XATTRS\n\t\t\tif (preserve_xattrs && iflags & ITEM_REPORT_XATTR && do_xfers\n\t\t\t && !BITS_SET(iflags, ITEM_XNAME_FOLLOWS|ITEM_LOCAL_CHANGE))\n\t\t\t\tset_file_attrs(fname, file, NULL, fname, 0);\n#endif\n\t\t\tif (iflags & ITEM_IS_NEW) {\n\t\t\t\tstats.created_files++;\n\t\t\t\tif (S_ISREG(file->mode)) {\n\t\t\t\t\t/* Nothing further to count. 
*/\n\t\t\t\t} else if (S_ISDIR(file->mode))\n\t\t\t\t\tstats.created_dirs++;\n#ifdef SUPPORT_LINKS\n\t\t\t\telse if (S_ISLNK(file->mode))\n\t\t\t\t\tstats.created_symlinks++;\n#endif\n\t\t\t\telse if (IS_DEVICE(file->mode))\n\t\t\t\t\tstats.created_devices++;\n\t\t\t\telse\n\t\t\t\t\tstats.created_specials++;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\t\tif (phase == 2) {\n\t\t\trprintf(FERROR,\n\t\t\t\t\"got transfer request in phase 2 [%s]\\n\",\n\t\t\t\twho_am_i());\n\t\t\texit_cleanup(RERR_PROTOCOL);\n\t\t}\n\n\t\tif (file->flags & FLAG_FILE_SENT) {\n\t\t\tif (csum_length == SHORT_SUM_LENGTH) {\n\t\t\t\tif (keep_partial && !partial_dir)\n\t\t\t\t\tmake_backups = -make_backups; /* prevents double backup */\n\t\t\t\tif (append_mode)\n\t\t\t\t\tsparse_files = -sparse_files;\n\t\t\t\tappend_mode = -append_mode;\n\t\t\t\tcsum_length = SUM_LENGTH;\n\t\t\t\tredoing = 1;\n\t\t\t}\n\t\t} else {\n\t\t\tif (csum_length != SHORT_SUM_LENGTH) {\n\t\t\t\tif (keep_partial && !partial_dir)\n\t\t\t\t\tmake_backups = -make_backups;\n\t\t\t\tif (append_mode)\n\t\t\t\t\tsparse_files = -sparse_files;\n\t\t\t\tappend_mode = -append_mode;\n\t\t\t\tcsum_length = SHORT_SUM_LENGTH;\n\t\t\t\tredoing = 0;\n\t\t\t}\n\t\t\tif (iflags & ITEM_IS_NEW)\n\t\t\t\tstats.created_files++;\n\t\t}\n\n\t\tif (!am_server && INFO_GTE(PROGRESS, 1))\n\t\t\tset_current_file_index(file, ndx);\n\t\tstats.xferred_files++;\n\t\tstats.total_transferred_size += F_LENGTH(file);\n\n\t\tcleanup_got_literal = 0;\n\n\t\tif (read_batch) {\n\t\t\tint wanted = redoing\n\t\t\t\t ? we_want_redo(ndx)\n\t\t\t\t : gen_wants_ndx(ndx, cur_flist->flist_num);\n\t\t\tif (!wanted) {\n\t\t\t\trprintf(FINFO,\n\t\t\t\t\t\"(Skipping batched update for%s \\\"%s\\\")\\n\",\n\t\t\t\t\tredoing ? 
\" resend of\" : \"\",\n\t\t\t\t\tfname);\n\t\t\t\tdiscard_receive_data(f_in, F_LENGTH(file));\n\t\t\t\tfile->flags |= FLAG_FILE_SENT;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\n\t\tremember_initial_stats();\n\n\t\tif (!do_xfers) { /* log the transfer */\n\t\t\tlog_item(FCLIENT, file, iflags, NULL);\n\t\t\tif (read_batch)\n\t\t\t\tdiscard_receive_data(f_in, F_LENGTH(file));\n\t\t\tcontinue;\n\t\t}\n\t\tif (write_batch < 0) {\n\t\t\tlog_item(FCLIENT, file, iflags, NULL);\n\t\t\tif (!am_server)\n\t\t\t\tdiscard_receive_data(f_in, F_LENGTH(file));\n\t\t\tif (inc_recurse)\n\t\t\t\tsend_msg_int(MSG_SUCCESS, ndx);\n\t\t\tcontinue;\n\t\t}\n\n\t\tpartialptr = partial_dir ? partial_dir_fname(fname) : fname;\n\n\t\tif (protocol_version >= 29) {\n\t\t\tswitch (fnamecmp_type) {\n\t\t\tcase FNAMECMP_FNAME:\n\t\t\t\tfnamecmp = fname;\n\t\t\t\tbreak;\n\t\t\tcase FNAMECMP_PARTIAL_DIR:\n\t\t\t\tfnamecmp = partialptr;\n\t\t\t\tbreak;\n\t\t\tcase FNAMECMP_BACKUP:\n\t\t\t\tfnamecmp = get_backup_name(fname);\n\t\t\t\tbreak;\n\t\t\tcase FNAMECMP_FUZZY:\n\t\t\t\tif (file->dirname) {\n\t\t\t\t\tpathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);\n\t\t\t\t\tfnamecmp = fnamecmpbuf;\n\t\t\t\t} else\n\t\t\t\t\tfnamecmp = xname;\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tif (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {\n\t\t\t\t\tfnamecmp_type -= FNAMECMP_FUZZY + 1;\n\t\t\t\t\tif (file->dirname) {\n\t\t\t\t\t\tstringjoin(fnamecmpbuf, sizeof fnamecmpbuf,\n\t\t\t\t\t\t\t basis_dir[fnamecmp_type], \"/\", file->dirname, \"/\", xname, NULL);\n\t\t\t\t\t} else\n\t\t\t\t\t\tpathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);\n\t\t\t\t} else if (fnamecmp_type >= basis_dir_cnt) {\n\t\t\t\t\trprintf(FERROR,\n\t\t\t\t\t\t\"invalid basis_dir index: %d.\\n\",\n\t\t\t\t\t\tfnamecmp_type);\n\t\t\t\t\texit_cleanup(RERR_PROTOCOL);\n\t\t\t\t} else\n\t\t\t\t\tpathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], 
fname);\n\t\t\t\tfnamecmp = fnamecmpbuf;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif (!fnamecmp || (daemon_filter_list.head\n\t\t\t && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {\n\t\t\t\tfnamecmp = fname;\n\t\t\t\tfnamecmp_type = FNAMECMP_FNAME;\n\t\t\t}\n\t\t} else {\n\t\t\t/* Reminder: --inplace && --partial-dir are never\n\t\t\t * enabled at the same time. */\n\t\t\tif (inplace && make_backups > 0) {\n\t\t\t\tif (!(fnamecmp = get_backup_name(fname)))\n\t\t\t\t\tfnamecmp = fname;\n\t\t\t\telse\n\t\t\t\t\tfnamecmp_type = FNAMECMP_BACKUP;\n\t\t\t} else if (partial_dir && partialptr)\n\t\t\t\tfnamecmp = partialptr;\n\t\t\telse\n\t\t\t\tfnamecmp = fname;\n\t\t}\n\n\t\t/* open the file */\n\t\tfd1 = do_open(fnamecmp, O_RDONLY, 0);\n\n\t\tif (fd1 == -1 && protocol_version < 29) {\n\t\t\tif (fnamecmp != fname) {\n\t\t\t\tfnamecmp = fname;\n\t\t\t\tfd1 = do_open(fnamecmp, O_RDONLY, 0);\n\t\t\t}\n\n\t\t\tif (fd1 == -1 && basis_dir[0]) {\n\t\t\t\t/* pre-29 allowed only one alternate basis */\n\t\t\t\tpathjoin(fnamecmpbuf, sizeof fnamecmpbuf,\n\t\t\t\t\t basis_dir[0], fname);\n\t\t\t\tfnamecmp = fnamecmpbuf;\n\t\t\t\tfd1 = do_open(fnamecmp, O_RDONLY, 0);\n\t\t\t}\n\t\t}\n\n\t\tupdating_basis_or_equiv = inplace\n\t\t && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP);\n\n\t\tif (fd1 == -1) {\n\t\t\tst.st_mode = 0;\n\t\t\tst.st_size = 0;\n\t\t} else if (do_fstat(fd1,&st) != 0) {\n\t\t\trsyserr(FERROR_XFER, errno, \"fstat %s failed\",\n\t\t\t\tfull_fname(fnamecmp));\n\t\t\tdiscard_receive_data(f_in, F_LENGTH(file));\n\t\t\tclose(fd1);\n\t\t\tif (inc_recurse)\n\t\t\t\tsend_msg_int(MSG_NO_SEND, ndx);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (fd1 != -1 && S_ISDIR(st.st_mode) && fnamecmp == fname) {\n\t\t\t/* this special handling for directories\n\t\t\t * wouldn't be necessary if robust_rename()\n\t\t\t * and the underlying robust_unlink could cope\n\t\t\t * with directories\n\t\t\t */\n\t\t\trprintf(FERROR_XFER, \"recv_files: %s is a 
directory\\n\",\n\t\t\t\tfull_fname(fnamecmp));\n\t\t\tdiscard_receive_data(f_in, F_LENGTH(file));\n\t\t\tclose(fd1);\n\t\t\tif (inc_recurse)\n\t\t\t\tsend_msg_int(MSG_NO_SEND, ndx);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (fd1 != -1 && !S_ISREG(st.st_mode)) {\n\t\t\tclose(fd1);\n\t\t\tfd1 = -1;\n\t\t}\n\n\t\t/* If we're not preserving permissions, change the file-list's\n\t\t * mode based on the local permissions and some heuristics. */\n\t\tif (!preserve_perms) {\n\t\t\tint exists = fd1 != -1;\n#ifdef SUPPORT_ACLS\n\t\t\tconst char *dn = file->dirname ? file->dirname : \".\";\n\t\t\tif (parent_dirname != dn\n\t\t\t && strcmp(parent_dirname, dn) != 0) {\n\t\t\t\tdflt_perms = default_perms_for_dir(dn);\n\t\t\t\tparent_dirname = dn;\n\t\t\t}\n#endif\n\t\t\tfile->mode = dest_mode(file->mode, st.st_mode,\n\t\t\t\t\t dflt_perms, exists);\n\t\t}\n\n\t\t/* We now check to see if we are writing the file \"inplace\" */\n\t\tif (inplace) {\n\t\t\tfd2 = do_open(fname, O_WRONLY|O_CREAT, 0600);\n\t\t\tif (fd2 == -1) {\n\t\t\t\trsyserr(FERROR_XFER, errno, \"open %s failed\",\n\t\t\t\t\tfull_fname(fname));\n\t\t\t} else if (updating_basis_or_equiv)\n\t\t\t\tcleanup_set(NULL, NULL, file, fd1, fd2);\n\t\t} else {\n\t\t\tfd2 = open_tmpfile(fnametmp, fname, file);\n\t\t\tif (fd2 != -1)\n\t\t\t\tcleanup_set(fnametmp, partialptr, file, fd1, fd2);\n\t\t}\n\n\t\tif (fd2 == -1) {\n\t\t\tdiscard_receive_data(f_in, F_LENGTH(file));\n\t\t\tif (fd1 != -1)\n\t\t\t\tclose(fd1);\n\t\t\tif (inc_recurse)\n\t\t\t\tsend_msg_int(MSG_NO_SEND, ndx);\n\t\t\tcontinue;\n\t\t}\n\n\t\t/* log the transfer */\n\t\tif (log_before_transfer)\n\t\t\tlog_item(FCLIENT, file, iflags, NULL);\n\t\telse if (!am_server && INFO_GTE(NAME, 1) && INFO_EQ(PROGRESS, 1))\n\t\t\trprintf(FINFO, \"%s\\n\", fname);\n\n\t\t/* recv file data */\n\t\trecv_ok = receive_data(f_in, fnamecmp, fd1, st.st_size,\n\t\t\t\t fname, fd2, F_LENGTH(file));\n\n\t\tlog_item(log_code, file, iflags, NULL);\n\n\t\tif (fd1 != -1)\n\t\t\tclose(fd1);\n\t\tif 
(close(fd2) < 0) {\n\t\t\trsyserr(FERROR, errno, \"close failed on %s\",\n\t\t\t\tfull_fname(fnametmp));\n\t\t\texit_cleanup(RERR_FILEIO);\n\t\t}\n\n\t\tif ((recv_ok && (!delay_updates || !partialptr)) || inplace) {\n\t\t\tif (partialptr == fname)\n\t\t\t\tpartialptr = NULL;\n\t\t\tif (!finish_transfer(fname, fnametmp, fnamecmp,\n\t\t\t\t\t partialptr, file, recv_ok, 1))\n\t\t\t\trecv_ok = -1;\n\t\t\telse if (fnamecmp == partialptr) {\n\t\t\t\tdo_unlink(partialptr);\n\t\t\t\thandle_partial_dir(partialptr, PDIR_DELETE);\n\t\t\t}\n\t\t} else if (keep_partial && partialptr) {\n\t\t\tif (!handle_partial_dir(partialptr, PDIR_CREATE)) {\n\t\t\t\trprintf(FERROR,\n\t\t\t\t \"Unable to create partial-dir for %s -- discarding %s.\\n\",\n\t\t\t\t local_name ? local_name : f_name(file, NULL),\n\t\t\t\t recv_ok ? \"completed file\" : \"partial file\");\n\t\t\t\tdo_unlink(fnametmp);\n\t\t\t\trecv_ok = -1;\n\t\t\t} else if (!finish_transfer(partialptr, fnametmp, fnamecmp, NULL,\n\t\t\t\t\t\t file, recv_ok, !partial_dir))\n\t\t\t\trecv_ok = -1;\n\t\t\telse if (delay_updates && recv_ok) {\n\t\t\t\tbitbag_set_bit(delayed_bits, ndx);\n\t\t\t\trecv_ok = 2;\n\t\t\t} else\n\t\t\t\tpartialptr = NULL;\n\t\t} else\n\t\t\tdo_unlink(fnametmp);\n\n\t\tcleanup_disable();\n\n\t\tif (read_batch)\n\t\t\tfile->flags |= FLAG_FILE_SENT;\n\n\t\tswitch (recv_ok) {\n\t\tcase 2:\n\t\t\tbreak;\n\t\tcase 1:\n\t\t\tif (remove_source_files || inc_recurse\n\t\t\t || (preserve_hard_links && F_IS_HLINKED(file)))\n\t\t\t\tsend_msg_int(MSG_SUCCESS, ndx);\n\t\t\tbreak;\n\t\tcase 0: {\n\t\t\tenum logcode msgtype = redoing ? 
FERROR_XFER : FWARNING;\n\t\t\tif (msgtype == FERROR_XFER || INFO_GTE(NAME, 1)) {\n\t\t\t\tchar *errstr, *redostr, *keptstr;\n\t\t\t\tif (!(keep_partial && partialptr) && !inplace)\n\t\t\t\t\tkeptstr = \"discarded\";\n\t\t\t\telse if (partial_dir)\n\t\t\t\t\tkeptstr = \"put into partial-dir\";\n\t\t\t\telse\n\t\t\t\t\tkeptstr = \"retained\";\n\t\t\t\tif (msgtype == FERROR_XFER) {\n\t\t\t\t\terrstr = \"ERROR\";\n\t\t\t\t\tredostr = \"\";\n\t\t\t\t} else {\n\t\t\t\t\terrstr = \"WARNING\";\n\t\t\t\t\tredostr = read_batch ? \" (may try again)\"\n\t\t\t\t\t\t\t : \" (will try again)\";\n\t\t\t\t}\n\t\t\t\trprintf(msgtype,\n\t\t\t\t\t\"%s: %s failed verification -- update %s%s.\\n\",\n\t\t\t\t\terrstr, local_name ? f_name(file, NULL) : fname,\n\t\t\t\t\tkeptstr, redostr);\n\t\t\t}\n\t\t\tif (!redoing) {\n\t\t\t\tif (read_batch)\n\t\t\t\t\tflist_ndx_push(&batch_redo_list, ndx);\n\t\t\t\tsend_msg_int(MSG_REDO, ndx);\n\t\t\t\tfile->flags |= FLAG_FILE_SENT;\n\t\t\t} else if (inc_recurse)\n\t\t\t\tsend_msg_int(MSG_NO_SEND, ndx);\n\t\t\tbreak;\n\t\t }\n\t\tcase -1:\n\t\t\tif (inc_recurse)\n\t\t\t\tsend_msg_int(MSG_NO_SEND, ndx);\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (make_backups < 0)\n\t\tmake_backups = -make_backups;\n\n\tif (phase == 2 && delay_updates) /* for protocol_version < 29 */\n\t\thandle_delayed_updates(local_name);\n\n\tif (DEBUG_GTE(RECV, 1))\n\t\trprintf(FINFO,\"recv_files finished\\n\");\n\n\treturn 0;\n}",
- "project": "rsync",
- "hash": 244732624564333247167184328379269669359,
- "size": 436,
- "commit_id": "5509597decdbd7b91994210f700329d8a35e70a1",
- "message": "Check daemon filter against fnamecmp in recv_files().",
- "target": 0,
- "dataset": "other",
- "idx": 331482
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "udp_poll",
- "first_packet_length",
- "udp_rmem_release"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "int udp_ioctl(struct sock *sk, int cmd, unsigned long arg)\n{\n\tswitch (cmd) {\n\tcase SIOCOUTQ:\n\t{\n\t\tint amount = sk_wmem_alloc_get(sk);\n\n\t\treturn put_user(amount, (int __user *)arg);\n\t}\n\n\tcase SIOCINQ:\n\t{\n\t\tint amount = max_t(int, 0, first_packet_length(sk));\n\n\t\treturn put_user(amount, (int __user *)arg);\n\t}\n\n\tdefault:\n\t\treturn -ENOIOCTLCMD;\n\t}\n\n\treturn 0;\n}",
- "project": "net",
- "hash": 120962100401498763170457169314375584625,
- "size": 23,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468965
- },
- {
- "func": "void udp_destruct_sock(struct sock *sk)\n{\n\t/* reclaim completely the forward allocated memory */\n\tstruct udp_sock *up = udp_sk(sk);\n\tunsigned int total = 0;\n\tstruct sk_buff *skb;\n\n\tskb_queue_splice_tail_init(&sk->sk_receive_queue, &up->reader_queue);\n\twhile ((skb = __skb_dequeue(&up->reader_queue)) != NULL) {\n\t\ttotal += skb->truesize;\n\t\tkfree_skb(skb);\n\t}\n\tudp_rmem_release(sk, total, 0, true);\n\n\tinet_sock_destruct(sk);\n}",
- "project": "net",
- "hash": 116880709217895828331023872406156009191,
- "size": 16,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468945
- },
- {
- "func": "void udp_skb_destructor(struct sock *sk, struct sk_buff *skb)\n{\n\tprefetch(&skb->data);\n\tudp_rmem_release(sk, udp_skb_truesize(skb), 1, false);\n}",
- "project": "net",
- "hash": 199481324456231259283204727422534667667,
- "size": 5,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468964
- },
- {
- "func": "static int udp_skb_truesize(struct sk_buff *skb)\n{\n\treturn udp_skb_scratch(skb)->_tsize_state & ~UDP_SKB_IS_STATELESS;\n}",
- "project": "net",
- "hash": 6159384903572035018144194830241980933,
- "size": 4,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 469010
- },
- {
- "func": "static void udp_rmem_release(struct sock *sk, int size, int partial,\n\t\t\t bool rx_queue_lock_held)\n{\n\tstruct udp_sock *up = udp_sk(sk);\n\tstruct sk_buff_head *sk_queue;\n\tint amt;\n\n\tif (likely(partial)) {\n\t\tup->forward_deficit += size;\n\t\tsize = up->forward_deficit;\n\t\tif (size < (sk->sk_rcvbuf >> 2) &&\n\t\t !skb_queue_empty(&up->reader_queue))\n\t\t\treturn;\n\t} else {\n\t\tsize += up->forward_deficit;\n\t}\n\tup->forward_deficit = 0;\n\n\t/* acquire the sk_receive_queue for fwd allocated memory scheduling,\n\t * if the called don't held it already\n\t */\n\tsk_queue = &sk->sk_receive_queue;\n\tif (!rx_queue_lock_held)\n\t\tspin_lock(&sk_queue->lock);\n\n\n\tsk->sk_forward_alloc += size;\n\tamt = (sk->sk_forward_alloc - partial) & ~(SK_MEM_QUANTUM - 1);\n\tsk->sk_forward_alloc -= amt;\n\n\tif (amt)\n\t\t__sk_mem_reduce_allocated(sk, amt >> SK_MEM_QUANTUM_SHIFT);\n\n\tatomic_sub(size, &sk->sk_rmem_alloc);\n\n\t/* this can save us from acquiring the rx queue lock on next receive */\n\tskb_queue_splice_tail_init(sk_queue, &up->reader_queue);\n\n\tif (!rx_queue_lock_held)\n\t\tspin_unlock(&sk_queue->lock);\n}",
- "project": "net",
- "hash": 105722958314149919733039418185314064127,
- "size": 41,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468975
- },
- {
- "func": "static int first_packet_length(struct sock *sk)\n{\n\tstruct sk_buff_head *rcvq = &udp_sk(sk)->reader_queue;\n\tstruct sk_buff_head *sk_queue = &sk->sk_receive_queue;\n\tstruct sk_buff *skb;\n\tint total = 0;\n\tint res;\n\n\tspin_lock_bh(&rcvq->lock);\n\tskb = __first_packet_length(sk, rcvq, &total);\n\tif (!skb && !skb_queue_empty(sk_queue)) {\n\t\tspin_lock(&sk_queue->lock);\n\t\tskb_queue_splice_tail_init(sk_queue, rcvq);\n\t\tspin_unlock(&sk_queue->lock);\n\n\t\tskb = __first_packet_length(sk, rcvq, &total);\n\t}\n\tres = skb ? skb->len : -1;\n\tif (total)\n\t\tudp_rmem_release(sk, total, 1, false);\n\tspin_unlock_bh(&rcvq->lock);\n\treturn res;\n}",
- "project": "net",
- "hash": 322205601108753937201992705031139158101,
- "size": 23,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468962
- },
- {
- "func": "static void udp_skb_dtor_locked(struct sock *sk, struct sk_buff *skb)\n{\n\tprefetch(&skb->data);\n\tudp_rmem_release(sk, udp_skb_truesize(skb), 1, true);\n}",
- "project": "net",
- "hash": 292787375836543840733900810221168422654,
- "size": 5,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468978
- },
- {
- "func": "unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait)\n{\n\tunsigned int mask = datagram_poll(file, sock, wait);\n\tstruct sock *sk = sock->sk;\n\n\tif (!skb_queue_empty(&udp_sk(sk)->reader_queue))\n\t\tmask |= POLLIN | POLLRDNORM;\n\n\tsock_rps_record_flow(sk);\n\n\t/* Check for false positives due to checksum errors */\n\tif ((mask & POLLRDNORM) && !(file->f_flags & O_NONBLOCK) &&\n\t !(sk->sk_shutdown & RCV_SHUTDOWN) && first_packet_length(sk) == -1)\n\t\tmask &= ~(POLLIN | POLLRDNORM);\n\n\treturn mask;\n\n}",
- "project": "net",
- "hash": 230401472447803839373376035104255326912,
- "size": 18,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 469006
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "_snapshotNameImpl",
- "getHeuristicTypeName",
- "getNameIfExists"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "std::string JSObject::getHeuristicTypeName(GC *gc) {\n PointerBase *const base = gc->getPointerBase();\n if (auto constructorVal = tryGetNamedNoAlloc(\n this, base, Predefined::getSymbolID(Predefined::constructor))) {\n if (auto *constructor = dyn_vmcast<JSObject>(*constructorVal)) {\n auto name = constructor->getNameIfExists(base);\n // If the constructor's name doesn't exist, or it is just the object\n // constructor, attempt to find a different name.\n if (!name.empty() && name != \"Object\")\n return name;\n }\n }\n\n std::string name = getVT()->base.snapshotMetaData.defaultNameForNode(this);\n // A constructor's name was not found, check if the object is in dictionary\n // mode.\n if (getClass(base)->isDictionary()) {\n return name + \"(Dictionary)\";\n }\n\n // If it's not an Object, the CellKind is most likely good enough on its own\n if (getKind() != CellKind::ObjectKind) {\n return name;\n }\n\n // If the object isn't a dictionary, and it has only a few property names,\n // make the name based on those property names.\n std::vector<std::string> propertyNames;\n HiddenClass::forEachPropertyNoAlloc(\n getClass(base),\n base,\n [gc, &propertyNames](SymbolID id, NamedPropertyDescriptor) {\n if (InternalProperty::isInternal(id)) {\n // Internal properties aren't user-visible, skip them.\n return;\n }\n propertyNames.emplace_back(gc->convertSymbolToUTF8(id));\n });\n // NOTE: One option is to sort the property names before truncation, to\n // reduce the number of groups; however, by not sorting them it makes it\n // easier to spot sets of objects with the same properties but in different\n // orders, and thus find HiddenClass optimizations to make.\n\n // For objects with a lot of properties but aren't in dictionary mode yet,\n // keep the number displayed small.\n constexpr int kMaxPropertiesForTypeName = 5;\n bool truncated = false;\n if (propertyNames.size() > kMaxPropertiesForTypeName) {\n propertyNames.erase(\n propertyNames.begin() + 
kMaxPropertiesForTypeName, propertyNames.end());\n truncated = true;\n }\n // The final name should look like Object(a, b, c).\n if (propertyNames.empty()) {\n // Don't add parentheses for objects with no properties.\n return name;\n }\n name += \"(\";\n bool first = true;\n for (const auto &prop : propertyNames) {\n if (!first) {\n name += \", \";\n }\n first = false;\n name += prop;\n }\n if (truncated) {\n // No need to check for comma edge case because this only happens for\n // greater than one property.\n static_assert(\n kMaxPropertiesForTypeName >= 1,\n \"Property truncation should not happen for 0 properties\");\n name += \", ...\";\n }\n name += \")\";\n return name;\n}",
- "project": "hermes",
- "hash": 12586279669668606067802000336333479755,
- "size": 77,
- "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da",
- "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a",
- "target": 0,
- "dataset": "other",
- "idx": 230263
- },
- {
- "func": "std::string JSObject::getNameIfExists(PointerBase *base) {\n // Try \"displayName\" first, if it is defined.\n if (auto nameVal = tryGetNamedNoAlloc(\n this, base, Predefined::getSymbolID(Predefined::displayName))) {\n if (auto *name = dyn_vmcast<StringPrimitive>(*nameVal)) {\n return converter(name);\n }\n }\n // Next, use \"name\" if it is defined.\n if (auto nameVal = tryGetNamedNoAlloc(\n this, base, Predefined::getSymbolID(Predefined::name))) {\n if (auto *name = dyn_vmcast<StringPrimitive>(*nameVal)) {\n return converter(name);\n }\n }\n // There is no other way to access the \"name\" property on an object.\n return \"\";\n}",
- "project": "hermes",
- "hash": 234964102134813904610779888039415598461,
- "size": 18,
- "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da",
- "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a",
- "target": 0,
- "dataset": "other",
- "idx": 230209
- },
- {
- "func": "std::string JSObject::_snapshotNameImpl(GCCell *cell, GC *gc) {\n auto *const self = vmcast<JSObject>(cell);\n return self->getHeuristicTypeName(gc);\n}",
- "project": "hermes",
- "hash": 48077880543902754098911231243701628391,
- "size": 4,
- "commit_id": "fe52854cdf6725c2eaa9e125995da76e6ceb27da",
- "message": "[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.\n\nSummary:\nThe change in the hermes repository fixes the security vulnerability\nCVE-2020-1911. This vulnerability only affects applications which\nallow evaluation of uncontrolled, untrusted JavaScript code not\nshipped with the app, so React Native apps will generally not be affected.\n\nThis revision includes a test for the bug. The test is generic JSI\ncode, so it is included in the hermes and react-native repositories.\n\nChangelog: [Internal]\n\nReviewed By: tmikov\n\nDifferential Revision: D23322992\n\nfbshipit-source-id: 4e88c974afe1ad33a263f9cac03e9dc98d33649a",
- "target": 0,
- "dataset": "other",
- "idx": 230239
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "ctnetlink_nlmsg_size",
- "ctnetlink_secctx_size",
- "nla_total_size",
- "ctnetlink_proto_size"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)\n{\n\treturn NLMSG_ALIGN(sizeof(struct nfgenmsg))\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_IP */\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */\n\t + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */\n\t + ctnetlink_acct_size(ct)\n\t + ctnetlink_timestamp_size(ct)\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */\n\t + nla_total_size(0) /* CTA_PROTOINFO */\n\t + nla_total_size(0) /* CTA_HELP */\n\t + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */\n\t + ctnetlink_secctx_size(ct)\n#if IS_ENABLED(CONFIG_NF_NAT)\n\t + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */\n\t + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */\n#endif\n#ifdef CONFIG_NF_CONNTRACK_MARK\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */\n#endif\n#ifdef CONFIG_NF_CONNTRACK_ZONES\n\t + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */\n#endif\n\t + ctnetlink_proto_size(ct)\n\t + ctnetlink_label_size(ct)\n\t ;\n}",
- "project": "linux",
- "hash": 10508667409239925453713131944438936864,
- "size": 30,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394192
- },
- {
- "func": "static inline int ctnetlink_secctx_size(const struct nf_conn *ct)\n{\n#ifdef CONFIG_NF_CONNTRACK_SECMARK\n\tint len, ret;\n\n\tret = security_secid_to_secctx(ct->secmark, NULL, &len);\n\tif (ret)\n\t\treturn 0;\n\n\treturn nla_total_size(0) /* CTA_SECCTX */\n\t + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */\n#else\n\treturn 0;\n#endif\n}",
- "project": "linux",
- "hash": 120117122907379011975926738167909948965,
- "size": 15,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394256
- },
- {
- "func": "static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)\n{\n\tif (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))\n\t\treturn 0;\n\treturn 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */\n\t + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */\n\t + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */\n\t ;\n}",
- "project": "linux",
- "hash": 209742134164270150457682267534773323570,
- "size": 9,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394157
- },
- {
- "func": "ctnetlink_glue_build_size(const struct nf_conn *ct)\n{\n\treturn 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_IP */\n\t + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */\n\t + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */\n\t + nla_total_size(0) /* CTA_PROTOINFO */\n\t + nla_total_size(0) /* CTA_HELP */\n\t + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */\n\t + ctnetlink_secctx_size(ct)\n#if IS_ENABLED(CONFIG_NF_NAT)\n\t + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */\n\t + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */\n#endif\n#ifdef CONFIG_NF_CONNTRACK_MARK\n\t + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */\n#endif\n#ifdef CONFIG_NF_CONNTRACK_ZONES\n\t + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */\n#endif\n\t + ctnetlink_proto_size(ct)\n\t ;\n}",
- "project": "linux",
- "hash": 11624736612410175409698437205778309312,
- "size": 26,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394229
- },
- {
- "func": "static inline int ctnetlink_label_size(const struct nf_conn *ct)\n{\n\tstruct nf_conn_labels *labels = nf_ct_labels_find(ct);\n\n\tif (!labels)\n\t\treturn 0;\n\treturn nla_total_size(sizeof(labels->bits));\n}",
- "project": "linux",
- "hash": 100893474637785996937883921194205667491,
- "size": 8,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394249
- },
- {
- "func": "static size_t ctnetlink_proto_size(const struct nf_conn *ct)\n{\n\tconst struct nf_conntrack_l4proto *l4proto;\n\tsize_t len, len4 = 0;\n\n\tlen = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);\n\tlen *= 3u; /* ORIG, REPLY, MASTER */\n\n\tl4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));\n\tlen += l4proto->nlattr_size;\n\tif (l4proto->nlattr_tuple_size) {\n\t\tlen4 = l4proto->nlattr_tuple_size();\n\t\tlen4 *= 3u; /* ORIG, REPLY, MASTER */\n\t}\n\n\treturn len + len4;\n}",
- "project": "linux",
- "hash": 147783029463433981062373150270326550127,
- "size": 17,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394196
- },
- {
- "func": "static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)\n{\n#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP\n\tif (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))\n\t\treturn 0;\n\treturn nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));\n#else\n\treturn 0;\n#endif\n}",
- "project": "linux",
- "hash": 258757370984477944418178129779359369313,
- "size": 10,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394198
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "SetResampleFilter",
- "ScaleResampleFilter",
- "ClampUpAxes"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "MagickExport void SetResampleFilter(ResampleFilter *resample_filter,\n const FilterType filter)\n{\n ResizeFilter\n *resize_filter;\n\n assert(resample_filter != (ResampleFilter *) NULL);\n assert(resample_filter->signature == MagickCoreSignature);\n\n resample_filter->do_interpolate = MagickFalse;\n resample_filter->filter = filter;\n\n /* Default cylindrical filter is a Cubic Keys filter */\n if ( filter == UndefinedFilter )\n resample_filter->filter = RobidouxFilter;\n\n if ( resample_filter->filter == PointFilter ) {\n resample_filter->do_interpolate = MagickTrue;\n return; /* EWA turned off - nothing more to do */\n }\n\n resize_filter = AcquireResizeFilter(resample_filter->image,\n resample_filter->filter,MagickTrue,resample_filter->exception);\n if (resize_filter == (ResizeFilter *) NULL) {\n (void) ThrowMagickException(resample_filter->exception,GetMagickModule(),\n ModuleError, \"UnableToSetFilteringValue\",\n \"Fall back to Interpolated 'Point' filter\");\n resample_filter->filter = PointFilter;\n resample_filter->do_interpolate = MagickTrue;\n return; /* EWA turned off - nothing more to do */\n }\n\n /* Get the practical working support for the filter,\n * after any API call blur factors have been accoded for.\n */\n#if EWA\n resample_filter->support = GetResizeFilterSupport(resize_filter);\n#else\n resample_filter->support = 2.0; /* fixed support size for HQ-EWA */\n#endif\n\n#if FILTER_LUT\n /* Fill the LUT with the weights from the selected filter function */\n { int\n Q;\n double\n r_scale;\n\n /* Scale radius so the filter LUT covers the full support range */\n r_scale = resample_filter->support*sqrt(1.0/(double)WLUT_WIDTH);\n for(Q=0; Q<WLUT_WIDTH; Q++)\n resample_filter->filter_lut[Q] = (double)\n GetResizeFilterWeight(resize_filter,sqrt((double)Q)*r_scale);\n\n /* finished with the resize filter */\n resize_filter = DestroyResizeFilter(resize_filter);\n }\n#else\n /* save the filter and the scaled ellipse bounds needed for filter */\n 
resample_filter->filter_def = resize_filter;\n resample_filter->F = resample_filter->support*resample_filter->support;\n#endif\n\n /*\n Adjust the scaling of the default unit circle\n This assumes that any real scaling changes will always\n take place AFTER the filter method has been initialized.\n */\n ScaleResampleFilter(resample_filter, 1.0, 0.0, 0.0, 1.0);\n\n#if 0\n /*\n This is old code kept as a reference only. Basically it generates\n a Gaussian bell curve, with sigma = 0.5 if the support is 2.0\n\n Create Normal Gaussian 2D Filter Weighted Lookup Table.\n A normal EWA guassual lookup would use exp(Q*ALPHA)\n where Q = distance squared from 0.0 (center) to 1.0 (edge)\n and ALPHA = -4.0*ln(2.0) ==> -2.77258872223978123767\n The table is of length 1024, and equates to support radius of 2.0\n thus needs to be scaled by ALPHA*4/1024 and any blur factor squared\n\n The it comes from reference code provided by Fred Weinhaus.\n */\n r_scale = -2.77258872223978123767/(WLUT_WIDTH*blur*blur);\n for(Q=0; Q<WLUT_WIDTH; Q++)\n resample_filter->filter_lut[Q] = exp((double)Q*r_scale);\n resample_filter->support = WLUT_WIDTH;\n#endif\n\n#if FILTER_LUT\n#if defined(MAGICKCORE_OPENMP_SUPPORT)\n #pragma omp single\n#endif\n {\n if (IsStringTrue(GetImageArtifact(resample_filter->image,\n \"resample:verbose\")) != MagickFalse)\n {\n int\n Q;\n double\n r_scale;\n\n /* Debug output of the filter weighting LUT\n Gnuplot the LUT data, the x scale index has been adjusted\n plot [0:2][-.2:1] \"lut.dat\" with lines\n The filter values should be normalized for comparision\n */\n printf(\"#\\n\");\n printf(\"# Resampling Filter LUT (%d values) for '%s' filter\\n\",\n WLUT_WIDTH, CommandOptionToMnemonic(MagickFilterOptions,\n resample_filter->filter) );\n printf(\"#\\n\");\n printf(\"# Note: values in table are using a squared radius lookup.\\n\");\n printf(\"# As such its distribution is not uniform.\\n\");\n printf(\"#\\n\");\n printf(\"# The X value is the support distance for the Y 
weight\\n\");\n printf(\"# so you can use gnuplot to plot this cylindrical filter\\n\");\n printf(\"# plot [0:2][-.2:1] \\\"lut.dat\\\" with lines\\n\");\n printf(\"#\\n\");\n\n /* Scale radius so the filter LUT covers the full support range */\n r_scale = resample_filter->support*sqrt(1.0/(double)WLUT_WIDTH);\n for(Q=0; Q<WLUT_WIDTH; Q++)\n printf(\"%8.*g %.*g\\n\",\n GetMagickPrecision(),sqrt((double)Q)*r_scale,\n GetMagickPrecision(),resample_filter->filter_lut[Q] );\n printf(\"\\n\\n\"); /* generate a 'break' in gnuplot if multiple outputs */\n }\n /* Output the above once only for each image, and each setting\n (void) DeleteImageArtifact(resample_filter->image,\"resample:verbose\");\n */\n }\n#endif /* FILTER_LUT */\n return;\n}",
- "project": "ImageMagick",
- "hash": 272635026819998067997891334203445004129,
- "size": 136,
- "commit_id": "8d25d94a363b104acd6ff23df7470aeedb806c51",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3195",
- "target": 0,
- "dataset": "other",
- "idx": 406506
- },
- {
- "func": "MagickExport void ScaleResampleFilter(ResampleFilter *resample_filter,\n const double dux,const double duy,const double dvx,const double dvy)\n{\n double A,B,C,F;\n\n assert(resample_filter != (ResampleFilter *) NULL);\n assert(resample_filter->signature == MagickCoreSignature);\n\n resample_filter->limit_reached = MagickFalse;\n\n /* A 'point' filter forces use of interpolation instead of area sampling */\n if ( resample_filter->filter == PointFilter )\n return; /* EWA turned off - nothing to do */\n\n#if DEBUG_ELLIPSE\n (void) FormatLocaleFile(stderr, \"# -----\\n\" );\n (void) FormatLocaleFile(stderr, \"dux=%lf; dvx=%lf; duy=%lf; dvy=%lf;\\n\",\n dux, dvx, duy, dvy);\n#endif\n\n /* Find Ellipse Coefficents such that\n A*u^2 + B*u*v + C*v^2 = F\n With u,v relative to point around which we are resampling.\n And the given scaling dx,dy vectors in u,v space\n du/dx,dv/dx and du/dy,dv/dy\n */\n#if EWA\n /* Direct conversion of derivatives into elliptical coefficients\n However when magnifying images, the scaling vectors will be small\n resulting in a ellipse that is too small to sample properly.\n As such we need to clamp the major/minor axis to a minumum of 1.0\n to prevent it getting too small.\n */\n#if EWA_CLAMP\n { double major_mag,\n minor_mag,\n major_x,\n major_y,\n minor_x,\n minor_y;\n\n ClampUpAxes(dux,dvx,duy,dvy, &major_mag, &minor_mag,\n &major_x, &major_y, &minor_x, &minor_y);\n major_x *= major_mag; major_y *= major_mag;\n minor_x *= minor_mag; minor_y *= minor_mag;\n#if DEBUG_ELLIPSE\n (void) FormatLocaleFile(stderr, \"major_x=%lf; major_y=%lf; minor_x=%lf; minor_y=%lf;\\n\",\n major_x, major_y, minor_x, minor_y);\n#endif\n A = major_y*major_y+minor_y*minor_y;\n B = -2.0*(major_x*major_y+minor_x*minor_y);\n C = major_x*major_x+minor_x*minor_x;\n F = major_mag*minor_mag;\n F *= F; /* square it */\n }\n#else /* raw unclamped EWA */\n A = dvx*dvx+dvy*dvy;\n B = -2.0*(dux*dvx+duy*dvy);\n C = dux*dux+duy*duy;\n F = dux*dvy-duy*dvx;\n F *= F; /* 
square it */\n#endif /* EWA_CLAMP */\n\n#else /* HQ_EWA */\n /*\n This Paul Heckbert's \"Higher Quality EWA\" formula, from page 60 in his\n thesis, which adds a unit circle to the elliptical area so as to do both\n Reconstruction and Prefiltering of the pixels in the resampling. It also\n means it is always likely to have at least 4 pixels within the area of the\n ellipse, for weighted averaging. No scaling will result with F == 4.0 and\n a circle of radius 2.0, and F smaller than this means magnification is\n being used.\n\n NOTE: This method produces a very blury result at near unity scale while\n producing perfect results for strong minitification and magnifications.\n\n However filter support is fixed to 2.0 (no good for Windowed Sinc filters)\n */\n A = dvx*dvx+dvy*dvy+1;\n B = -2.0*(dux*dvx+duy*dvy);\n C = dux*dux+duy*duy+1;\n F = A*C - B*B/4;\n#endif\n\n#if DEBUG_ELLIPSE\n (void) FormatLocaleFile(stderr, \"A=%lf; B=%lf; C=%lf; F=%lf\\n\", A,B,C,F);\n\n /* Figure out the various information directly about the ellipse.\n This information currently not needed at this time, but may be\n needed later for better limit determination.\n\n It is also good to have as a record for future debugging\n */\n { double alpha, beta, gamma, Major, Minor;\n double Eccentricity, Ellipse_Area, Ellipse_Angle;\n\n alpha = A+C;\n beta = A-C;\n gamma = sqrt(beta*beta + B*B );\n\n if ( alpha - gamma <= MagickEpsilon )\n Major=MagickMaximumValue;\n else\n Major=sqrt(2*F/(alpha - gamma));\n Minor = sqrt(2*F/(alpha + gamma));\n\n (void) FormatLocaleFile(stderr, \"# Major=%lf; Minor=%lf\\n\", Major, Minor );\n\n /* other information about ellipse include... 
*/\n Eccentricity = Major/Minor;\n Ellipse_Area = MagickPI*Major*Minor;\n Ellipse_Angle = atan2(B, A-C);\n\n (void) FormatLocaleFile(stderr, \"# Angle=%lf Area=%lf\\n\",\n (double) RadiansToDegrees(Ellipse_Angle), Ellipse_Area);\n }\n#endif\n\n /* If one or both of the scaling vectors is impossibly large\n (producing a very large raw F value), we may as well not bother\n doing any form of resampling since resampled area is very large.\n In this case some alternative means of pixel sampling, such as\n the average of the whole image is needed to get a reasonable\n result. Calculate only as needed.\n */\n if ( (4*A*C - B*B) > MagickMaximumValue ) {\n resample_filter->limit_reached = MagickTrue;\n return;\n }\n\n /* Scale ellipse to match the filters support\n (that is, multiply F by the square of the support)\n Simplier to just multiply it by the support twice!\n */\n F *= resample_filter->support;\n F *= resample_filter->support;\n\n /* Orthogonal bounds of the ellipse */\n resample_filter->Ulimit = sqrt(C*F/(A*C-0.25*B*B));\n resample_filter->Vlimit = sqrt(A*F/(A*C-0.25*B*B));\n\n /* Horizontally aligned parallelogram fitted to Ellipse */\n resample_filter->Uwidth = sqrt(F/A); /* Half of the parallelogram width */\n resample_filter->slope = -B/(2.0*A); /* Reciprocal slope of the parallelogram */\n\n#if DEBUG_ELLIPSE\n (void) FormatLocaleFile(stderr, \"Ulimit=%lf; Vlimit=%lf; UWidth=%lf; Slope=%lf;\\n\",\n resample_filter->Ulimit, resample_filter->Vlimit,\n resample_filter->Uwidth, resample_filter->slope );\n#endif\n\n /* Check the absolute area of the parallelogram involved.\n * This limit needs more work, as it is too slow for larger images\n * with tiled views of the horizon.\n */\n if ( (resample_filter->Uwidth * resample_filter->Vlimit)\n > (4.0*resample_filter->image_area)) {\n resample_filter->limit_reached = MagickTrue;\n return;\n }\n\n /* Scale ellipse formula to directly index the Filter Lookup Table */\n { double scale;\n#if FILTER_LUT\n /* scale so that 
F = WLUT_WIDTH; -- hardcoded */\n scale = (double)WLUT_WIDTH/F;\n#else\n /* scale so that F = resample_filter->F (support^2) */\n scale = resample_filter->F/F;\n#endif\n resample_filter->A = A*scale;\n resample_filter->B = B*scale;\n resample_filter->C = C*scale;\n }\n}",
- "project": "ImageMagick",
- "hash": 231019287981565352051359680228225257165,
- "size": 175,
- "commit_id": "8d25d94a363b104acd6ff23df7470aeedb806c51",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3195",
- "target": 1,
- "dataset": "other",
- "idx": 208186
- },
- {
- "func": "MagickExport void ScaleResampleFilter(ResampleFilter *resample_filter,\n const double dux,const double duy,const double dvx,const double dvy)\n{\n double A,B,C,F;\n\n assert(resample_filter != (ResampleFilter *) NULL);\n assert(resample_filter->signature == MagickCoreSignature);\n\n resample_filter->limit_reached = MagickFalse;\n\n /* A 'point' filter forces use of interpolation instead of area sampling */\n if ( resample_filter->filter == PointFilter )\n return; /* EWA turned off - nothing to do */\n\n#if DEBUG_ELLIPSE\n (void) FormatLocaleFile(stderr, \"# -----\\n\" );\n (void) FormatLocaleFile(stderr, \"dux=%lf; dvx=%lf; duy=%lf; dvy=%lf;\\n\",\n dux, dvx, duy, dvy);\n#endif\n\n /* Find Ellipse Coefficents such that\n A*u^2 + B*u*v + C*v^2 = F\n With u,v relative to point around which we are resampling.\n And the given scaling dx,dy vectors in u,v space\n du/dx,dv/dx and du/dy,dv/dy\n */\n#if EWA\n /* Direct conversion of derivatives into elliptical coefficients\n However when magnifying images, the scaling vectors will be small\n resulting in a ellipse that is too small to sample properly.\n As such we need to clamp the major/minor axis to a minumum of 1.0\n to prevent it getting too small.\n */\n#if EWA_CLAMP\n { double major_mag,\n minor_mag,\n major_x,\n major_y,\n minor_x,\n minor_y;\n\n ClampUpAxes(dux,dvx,duy,dvy, &major_mag, &minor_mag,\n &major_x, &major_y, &minor_x, &minor_y);\n major_x *= major_mag; major_y *= major_mag;\n minor_x *= minor_mag; minor_y *= minor_mag;\n#if DEBUG_ELLIPSE\n (void) FormatLocaleFile(stderr, \"major_x=%lf; major_y=%lf; minor_x=%lf; minor_y=%lf;\\n\",\n major_x, major_y, minor_x, minor_y);\n#endif\n A = major_y*major_y+minor_y*minor_y;\n B = -2.0*(major_x*major_y+minor_x*minor_y);\n C = major_x*major_x+minor_x*minor_x;\n F = major_mag*minor_mag;\n F *= F; /* square it */\n }\n#else /* raw unclamped EWA */\n A = dvx*dvx+dvy*dvy;\n B = -2.0*(dux*dvx+duy*dvy);\n C = dux*dux+duy*duy;\n F = dux*dvy-duy*dvx;\n F *= F; /* 
square it */\n#endif /* EWA_CLAMP */\n\n#else /* HQ_EWA */\n /*\n This Paul Heckbert's \"Higher Quality EWA\" formula, from page 60 in his\n thesis, which adds a unit circle to the elliptical area so as to do both\n Reconstruction and Prefiltering of the pixels in the resampling. It also\n means it is always likely to have at least 4 pixels within the area of the\n ellipse, for weighted averaging. No scaling will result with F == 4.0 and\n a circle of radius 2.0, and F smaller than this means magnification is\n being used.\n\n NOTE: This method produces a very blury result at near unity scale while\n producing perfect results for strong minitification and magnifications.\n\n However filter support is fixed to 2.0 (no good for Windowed Sinc filters)\n */\n A = dvx*dvx+dvy*dvy+1;\n B = -2.0*(dux*dvx+duy*dvy);\n C = dux*dux+duy*duy+1;\n F = A*C - B*B/4;\n#endif\n\n#if DEBUG_ELLIPSE\n (void) FormatLocaleFile(stderr, \"A=%lf; B=%lf; C=%lf; F=%lf\\n\", A,B,C,F);\n\n /* Figure out the various information directly about the ellipse.\n This information currently not needed at this time, but may be\n needed later for better limit determination.\n\n It is also good to have as a record for future debugging\n */\n { double alpha, beta, gamma, Major, Minor;\n double Eccentricity, Ellipse_Area, Ellipse_Angle;\n\n alpha = A+C;\n beta = A-C;\n gamma = sqrt(beta*beta + B*B );\n\n if ( alpha - gamma <= MagickEpsilon )\n Major=MagickMaximumValue;\n else\n Major=sqrt(2*F/(alpha - gamma));\n Minor = sqrt(2*F/(alpha + gamma));\n\n (void) FormatLocaleFile(stderr, \"# Major=%lf; Minor=%lf\\n\", Major, Minor );\n\n /* other information about ellipse include... 
*/\n Eccentricity = Major/Minor;\n Ellipse_Area = MagickPI*Major*Minor;\n Ellipse_Angle = atan2(B, A-C);\n\n (void) FormatLocaleFile(stderr, \"# Angle=%lf Area=%lf\\n\",\n (double) RadiansToDegrees(Ellipse_Angle), Ellipse_Area);\n }\n#endif\n\n /* If one or both of the scaling vectors is impossibly large\n (producing a very large raw F value), we may as well not bother\n doing any form of resampling since resampled area is very large.\n In this case some alternative means of pixel sampling, such as\n the average of the whole image is needed to get a reasonable\n result. Calculate only as needed.\n */\n if ( (4*A*C - B*B) > MagickMaximumValue ) {\n resample_filter->limit_reached = MagickTrue;\n return;\n }\n\n /* Scale ellipse to match the filters support\n (that is, multiply F by the square of the support)\n Simplier to just multiply it by the support twice!\n */\n F *= resample_filter->support;\n F *= resample_filter->support;\n\n /* Orthogonal bounds of the ellipse */\n resample_filter->Ulimit = sqrt(C*F/(A*C-0.25*B*B));\n resample_filter->Vlimit = sqrt(A*F/(A*C-0.25*B*B));\n\n /* Horizontally aligned parallelogram fitted to Ellipse */\n resample_filter->Uwidth = sqrt(F/A); /* Half of the parallelogram width */\n resample_filter->slope = -B/(2.0*A); /* Reciprocal slope of the parallelogram */\n\n#if DEBUG_ELLIPSE\n (void) FormatLocaleFile(stderr, \"Ulimit=%lf; Vlimit=%lf; UWidth=%lf; Slope=%lf;\\n\",\n resample_filter->Ulimit, resample_filter->Vlimit,\n resample_filter->Uwidth, resample_filter->slope );\n#endif\n\n /* Check the absolute area of the parallelogram involved.\n * This limit needs more work, as it is too slow for larger images\n * with tiled views of the horizon.\n */\n if ( (resample_filter->Uwidth * resample_filter->Vlimit)\n > (4.0*resample_filter->image_area)) {\n resample_filter->limit_reached = MagickTrue;\n return;\n }\n\n /* Scale ellipse formula to directly index the Filter Lookup Table */\n { double scale;\n#if FILTER_LUT\n /* scale so that 
F = WLUT_WIDTH; -- hardcoded */\n scale=(double) WLUT_WIDTH*PerceptibleReciprocal(F);\n#else\n /* scale so that F = resample_filter->F (support^2) */\n scale=resample_filter->F*PerceptibleReciprocal(F);\n#endif\n resample_filter->A = A*scale;\n resample_filter->B = B*scale;\n resample_filter->C = C*scale;\n }\n}",
- "project": "ImageMagick",
- "hash": 159696077506715638875467992554706158674,
- "size": 175,
- "commit_id": "8d25d94a363b104acd6ff23df7470aeedb806c51",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3195",
- "target": 0,
- "dataset": "other",
- "idx": 406508
- },
- {
- "func": "static inline void ClampUpAxes(const double dux,\n\t\t\t const double dvx,\n\t\t\t const double duy,\n\t\t\t const double dvy,\n\t\t\t double *major_mag,\n\t\t\t double *minor_mag,\n\t\t\t double *major_unit_x,\n\t\t\t double *major_unit_y,\n\t\t\t double *minor_unit_x,\n\t\t\t double *minor_unit_y)\n{\n /*\n * ClampUpAxes takes an input 2x2 matrix\n *\n * [ a b ] = [ dux duy ]\n * [ c d ] = [ dvx dvy ]\n *\n * and computes from it the major and minor axis vectors [major_x,\n * major_y] and [minor_x,minor_y] of the smallest ellipse containing\n * both the unit disk and the ellipse which is the image of the unit\n * disk by the linear transformation\n *\n * [ dux duy ] [S] = [s]\n * [ dvx dvy ] [T] = [t]\n *\n * (The vector [S,T] is the difference between a position in output\n * space and [X,Y]; the vector [s,t] is the difference between a\n * position in input space and [x,y].)\n */\n /*\n * Output:\n *\n * major_mag is the half-length of the major axis of the \"new\"\n * ellipse.\n *\n * minor_mag is the half-length of the minor axis of the \"new\"\n * ellipse.\n *\n * major_unit_x is the x-coordinate of the major axis direction vector\n * of both the \"old\" and \"new\" ellipses.\n *\n * major_unit_y is the y-coordinate of the major axis direction vector.\n *\n * minor_unit_x is the x-coordinate of the minor axis direction vector.\n *\n * minor_unit_y is the y-coordinate of the minor axis direction vector.\n *\n * Unit vectors are useful for computing projections, in particular,\n * to compute the distance between a point in output space and the\n * center of a unit disk in output space, using the position of the\n * corresponding point [s,t] in input space. 
Following the clamping,\n * the square of this distance is\n *\n * ( ( s * major_unit_x + t * major_unit_y ) / major_mag )^2\n * +\n * ( ( s * minor_unit_x + t * minor_unit_y ) / minor_mag )^2\n *\n * If such distances will be computed for many [s,t]'s, it makes\n * sense to actually compute the reciprocal of major_mag and\n * minor_mag and multiply them by the above unit lengths.\n *\n * Now, if you want to modify the input pair of tangent vectors so\n * that it defines the modified ellipse, all you have to do is set\n *\n * newdux = major_mag * major_unit_x\n * newdvx = major_mag * major_unit_y\n * newduy = minor_mag * minor_unit_x = minor_mag * -major_unit_y\n * newdvy = minor_mag * minor_unit_y = minor_mag * major_unit_x\n *\n * and use these tangent vectors as if they were the original ones.\n * Usually, this is a drastic change in the tangent vectors even if\n * the singular values are not clamped; for example, the minor axis\n * vector always points in a direction which is 90 degrees\n * counterclockwise from the direction of the major axis vector.\n */\n /*\n * Discussion:\n *\n * GOAL: Fix things so that the pullback, in input space, of a disk\n * of radius r in output space is an ellipse which contains, at\n * least, a disc of radius r. 
(Make this hold for any r>0.)\n *\n * ESSENCE OF THE METHOD: Compute the product of the first two\n * factors of an SVD of the linear transformation defining the\n * ellipse and make sure that both its columns have norm at least 1.\n * Because rotations and reflexions map disks to themselves, it is\n * not necessary to compute the third (rightmost) factor of the SVD.\n *\n * DETAILS: Find the singular values and (unit) left singular\n * vectors of Jinv, clampling up the singular values to 1, and\n * multiply the unit left singular vectors by the new singular\n * values in order to get the minor and major ellipse axis vectors.\n *\n * Image resampling context:\n *\n * The Jacobian matrix of the transformation at the output point\n * under consideration is defined as follows:\n *\n * Consider the transformation (x,y) -> (X,Y) from input locations\n * to output locations. (Anthony Thyssen, elsewhere in resample.c,\n * uses the notation (u,v) -> (x,y).)\n *\n * The Jacobian matrix of the transformation at (x,y) is equal to\n *\n * J = [ A, B ] = [ dX/dx, dX/dy ]\n * [ C, D ] [ dY/dx, dY/dy ]\n *\n * that is, the vector [A,C] is the tangent vector corresponding to\n * input changes in the horizontal direction, and the vector [B,D]\n * is the tangent vector corresponding to input changes in the\n * vertical direction.\n *\n * In the context of resampling, it is natural to use the inverse\n * Jacobian matrix Jinv because resampling is generally performed by\n * pulling pixel locations in the output image back to locations in\n * the input image. Jinv is\n *\n * Jinv = [ a, b ] = [ dx/dX, dx/dY ]\n * [ c, d ] [ dy/dX, dy/dY ]\n *\n * Note: Jinv can be computed from J with the following matrix\n * formula:\n *\n * Jinv = 1/(A*D-B*C) [ D, -B ]\n * [ -C, A ]\n *\n * What we do is modify Jinv so that it generates an ellipse which\n * is as close as possible to the original but which contains the\n * unit disk. 
This can be accomplished as follows:\n *\n * Let\n *\n * Jinv = U Sigma V^T\n *\n * be an SVD decomposition of Jinv. (The SVD is not unique, but the\n * final ellipse does not depend on the particular SVD.)\n *\n * We could clamp up the entries of the diagonal matrix Sigma so\n * that they are at least 1, and then set\n *\n * Jinv = U newSigma V^T.\n *\n * However, we do not need to compute V for the following reason:\n * V^T is an orthogonal matrix (that is, it represents a combination\n * of rotations and reflexions) so that it maps the unit circle to\n * itself. For this reason, the exact value of V does not affect the\n * final ellipse, and we can choose V to be the identity\n * matrix. This gives\n *\n * Jinv = U newSigma.\n *\n * In the end, we return the two diagonal entries of newSigma\n * together with the two columns of U.\n */\n /*\n * ClampUpAxes was written by Nicolas Robidoux and Chantal Racette\n * of Laurentian University with insightful suggestions from Anthony\n * Thyssen and funding from the National Science and Engineering\n * Research Council of Canada. It is distinguished from its\n * predecessors by its efficient handling of degenerate cases.\n *\n * The idea of clamping up the EWA ellipse's major and minor axes so\n * that the result contains the reconstruction kernel filter support\n * is taken from Andreas Gustaffson's Masters thesis \"Interactive\n * Image Warping\", Helsinki University of Technology, Faculty of\n * Information Technology, 59 pages, 1993 (see Section 3.6).\n *\n * The use of the SVD to clamp up the singular values of the\n * Jacobian matrix of the pullback transformation for EWA resampling\n * is taken from the astrophysicist Craig DeForest. It is\n * implemented in his PDL::Transform code (PDL = Perl Data\n * Language).\n */\n const double a = dux;\n const double b = duy;\n const double c = dvx;\n const double d = dvy;\n /*\n * n is the matrix Jinv * transpose(Jinv). 
Eigenvalues of n are the\n * squares of the singular values of Jinv.\n */\n const double aa = a*a;\n const double bb = b*b;\n const double cc = c*c;\n const double dd = d*d;\n /*\n * Eigenvectors of n are left singular vectors of Jinv.\n */\n const double n11 = aa+bb;\n const double n12 = a*c+b*d;\n const double n21 = n12;\n const double n22 = cc+dd;\n const double det = a*d-b*c;\n const double twice_det = det+det;\n const double frobenius_squared = n11+n22;\n const double discriminant =\n (frobenius_squared+twice_det)*(frobenius_squared-twice_det);\n /*\n * In exact arithmetic, discriminant can't be negative. In floating\n * point, it can, because of the bad conditioning of SVD\n * decompositions done through the associated normal matrix.\n */\n const double sqrt_discriminant =\n sqrt(discriminant > 0.0 ? discriminant : 0.0);\n /*\n * s1 is the largest singular value of the inverse Jacobian\n * matrix. In other words, its reciprocal is the smallest singular\n * value of the Jacobian matrix itself.\n * If s1 = 0, both singular values are 0, and any orthogonal pair of\n * left and right factors produces a singular decomposition of Jinv.\n */\n /*\n * Initially, we only compute the squares of the singular values.\n */\n const double s1s1 = 0.5*(frobenius_squared+sqrt_discriminant);\n /*\n * s2 the smallest singular value of the inverse Jacobian\n * matrix. Its reciprocal is the largest singular value of the\n * Jacobian matrix itself.\n */\n const double s2s2 = 0.5*(frobenius_squared-sqrt_discriminant);\n const double s1s1minusn11 = s1s1-n11;\n const double s1s1minusn22 = s1s1-n22;\n /*\n * u1, the first column of the U factor of a singular decomposition\n * of Jinv, is a (non-normalized) left singular vector corresponding\n * to s1. It has entries u11 and u21. 
We compute u1 from the fact\n * that it is an eigenvector of n corresponding to the eigenvalue\n * s1^2.\n */\n const double s1s1minusn11_squared = s1s1minusn11*s1s1minusn11;\n const double s1s1minusn22_squared = s1s1minusn22*s1s1minusn22;\n /*\n * The following selects the largest row of n-s1^2 I as the one\n * which is used to find the eigenvector. If both s1^2-n11 and\n * s1^2-n22 are zero, n-s1^2 I is the zero matrix. In that case,\n * any vector is an eigenvector; in addition, norm below is equal to\n * zero, and, in exact arithmetic, this is the only case in which\n * norm = 0. So, setting u1 to the simple but arbitrary vector [1,0]\n * if norm = 0 safely takes care of all cases.\n */\n const double temp_u11 =\n ( (s1s1minusn11_squared>=s1s1minusn22_squared) ? n12 : s1s1minusn22 );\n const double temp_u21 =\n ( (s1s1minusn11_squared>=s1s1minusn22_squared) ? s1s1minusn11 : n21 );\n const double norm = sqrt(temp_u11*temp_u11+temp_u21*temp_u21);\n /*\n * Finalize the entries of first left singular vector (associated\n * with the largest singular value).\n */\n const double u11 = ( (norm>0.0) ? temp_u11/norm : 1.0 );\n const double u21 = ( (norm>0.0) ? temp_u21/norm : 0.0 );\n /*\n * Clamp the singular values up to 1.\n */\n *major_mag = ( (s1s1<=1.0) ? 1.0 : sqrt(s1s1) );\n *minor_mag = ( (s2s2<=1.0) ? 1.0 : sqrt(s2s2) );\n /*\n * Return the unit major and minor axis direction vectors.\n */\n *major_unit_x = u11;\n *major_unit_y = u21;\n *minor_unit_x = -u21;\n *minor_unit_y = u11;\n}",
- "project": "ImageMagick",
- "hash": 3821216432839019935069421826917237175,
- "size": 265,
- "commit_id": "8d25d94a363b104acd6ff23df7470aeedb806c51",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3195",
- "target": 0,
- "dataset": "other",
- "idx": 406503
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "reoptimize",
- "sort_and_filter_keyuse",
- "generate_derived_keys",
- "generate_derived_keys_for_table"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "void JOIN::save_query_plan(Join_plan_state *save_to)\n{\n DYNAMIC_ARRAY tmp_keyuse;\n /* Swap the current and the backup keyuse internal arrays. */\n tmp_keyuse= keyuse;\n keyuse= save_to->keyuse; /* keyuse is reset to an empty array. */\n save_to->keyuse= tmp_keyuse;\n\n for (uint i= 0; i < table_count; i++)\n {\n save_to->join_tab_keyuse[i]= join_tab[i].keyuse;\n join_tab[i].keyuse= NULL;\n save_to->join_tab_checked_keys[i]= join_tab[i].checked_keys;\n join_tab[i].checked_keys.clear_all();\n }\n memcpy((uchar*) save_to->best_positions, (uchar*) best_positions,\n sizeof(POSITION) * (table_count + 1));\n memset((uchar*) best_positions, 0, sizeof(POSITION) * (table_count + 1));\n \n /* Save SJM nests */\n List_iterator<TABLE_LIST> it(select_lex->sj_nests);\n TABLE_LIST *tlist;\n SJ_MATERIALIZATION_INFO **p_info= save_to->sj_mat_info;\n while ((tlist= it++))\n {\n *(p_info++)= tlist->sj_mat_info;\n }\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 162011539998697303733224577679114086727,
- "size": 28,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508603
- },
- {
- "func": "void optimize_keyuse(JOIN *join, DYNAMIC_ARRAY *keyuse_array)\n{\n KEYUSE *end,*keyuse= dynamic_element(keyuse_array, 0, KEYUSE*);\n\n for (end= keyuse+ keyuse_array->elements ; keyuse < end ; keyuse++)\n {\n table_map map;\n /*\n If we find a ref, assume this table matches a proportional\n part of this table.\n For example 100 records matching a table with 5000 records\n gives 5000/100 = 50 records per key\n Constant tables are ignored.\n To avoid bad matches, we don't make ref_table_rows less than 100.\n */\n keyuse->ref_table_rows= ~(ha_rows) 0;\t// If no ref\n if (keyuse->used_tables &\n\t(map= (keyuse->used_tables & ~join->const_table_map &\n\t ~OUTER_REF_TABLE_BIT)))\n {\n uint n_tables= my_count_bits(map);\n if (n_tables == 1)\t\t\t// Only one table\n {\n DBUG_ASSERT(!(map & PSEUDO_TABLE_BITS)); // Must be a real table\n Table_map_iterator it(map);\n int tablenr= it.next_bit();\n DBUG_ASSERT(tablenr != Table_map_iterator::BITMAP_END);\n\tTABLE *tmp_table=join->table[tablenr];\n if (tmp_table) // already created\n keyuse->ref_table_rows= MY_MAX(tmp_table->file->stats.records, 100);\n }\n }\n /*\n Outer reference (external field) is constant for single executing\n of subquery\n */\n if (keyuse->used_tables == OUTER_REF_TABLE_BIT)\n keyuse->ref_table_rows= 1;\n }\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 120929170831977725675266114752273713348,
- "size": 40,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508690
- },
- {
- "func": "void JOIN::reset_query_plan()\n{\n for (uint i= 0; i < table_count; i++)\n {\n join_tab[i].keyuse= NULL;\n join_tab[i].checked_keys.clear_all();\n }\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 261841307357917191129910538949682751948,
- "size": 8,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508466
- },
- {
- "func": "bool generate_derived_keys_for_table(KEYUSE *keyuse, uint count, uint keys)\n{\n TABLE *table= keyuse->table;\n if (table->alloc_keys(keys))\n return TRUE;\n uint key_count= 0;\n KEYUSE *first_keyuse= keyuse;\n uint prev_part= keyuse->keypart;\n uint parts= 0;\n uint i= 0;\n\n for ( ; i < count && key_count < keys; )\n {\n do\n {\n keyuse->key= table->s->keys;\n keyuse->keypart_map= (key_part_map) (1 << parts); \n keyuse++;\n i++;\n } \n while (i < count && keyuse->used_tables == first_keyuse->used_tables &&\n keyuse->keypart == prev_part);\n parts++;\n if (i < count && keyuse->used_tables == first_keyuse->used_tables)\n {\n prev_part= keyuse->keypart;\n }\n else\n {\n KEYUSE *save_first_keyuse= first_keyuse;\n if (table->check_tmp_key(table->s->keys, parts,\n get_next_field_for_derived_key_simple,\n (uchar *) &first_keyuse))\n\n {\n first_keyuse= save_first_keyuse;\n if (table->add_tmp_key(table->s->keys, parts, \n get_next_field_for_derived_key, \n (uchar *) &first_keyuse,\n FALSE))\n return TRUE;\n table->reginfo.join_tab->keys.set_bit(table->s->keys);\n }\n else\n {\n /* Mark keyuses for this key to be excluded */\n for (KEYUSE *curr=save_first_keyuse; curr < keyuse; curr++)\n\t{\n curr->key= MAX_KEY;\n }\n }\n first_keyuse= keyuse;\n key_count++;\n parts= 0;\n prev_part= keyuse->keypart;\n }\n } \n\n return FALSE;\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 230294648487314583666233567836385950967,
- "size": 60,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508604
- },
- {
- "func": "JOIN::reoptimize(Item *added_where, table_map join_tables,\n Join_plan_state *save_to)\n{\n DYNAMIC_ARRAY added_keyuse;\n SARGABLE_PARAM *sargables= 0; /* Used only as a dummy parameter. */\n uint org_keyuse_elements;\n\n /* Re-run the REF optimizer to take into account the new conditions. */\n if (update_ref_and_keys(thd, &added_keyuse, join_tab, table_count, added_where,\n ~outer_join, select_lex, &sargables))\n {\n delete_dynamic(&added_keyuse);\n return REOPT_ERROR;\n }\n\n if (!added_keyuse.elements)\n {\n delete_dynamic(&added_keyuse);\n return REOPT_OLD_PLAN;\n }\n\n if (save_to)\n save_query_plan(save_to);\n else\n reset_query_plan();\n\n if (!keyuse.buffer &&\n my_init_dynamic_array(&keyuse, sizeof(KEYUSE), 20, 64,\n MYF(MY_THREAD_SPECIFIC)))\n {\n delete_dynamic(&added_keyuse);\n return REOPT_ERROR;\n }\n\n org_keyuse_elements= save_to ? save_to->keyuse.elements : keyuse.elements;\n allocate_dynamic(&keyuse, org_keyuse_elements + added_keyuse.elements);\n\n /* If needed, add the access methods from the original query plan. */\n if (save_to)\n {\n DBUG_ASSERT(!keyuse.elements);\n keyuse.elements= save_to->keyuse.elements;\n if (size_t e= keyuse.elements)\n memcpy(keyuse.buffer,\n save_to->keyuse.buffer, e * keyuse.size_of_element);\n }\n\n /* Add the new access methods to the keyuse array. */\n memcpy(keyuse.buffer + keyuse.elements * keyuse.size_of_element,\n added_keyuse.buffer,\n (size_t) added_keyuse.elements * added_keyuse.size_of_element);\n keyuse.elements+= added_keyuse.elements;\n /* added_keyuse contents is copied, and it is no longer needed. */\n delete_dynamic(&added_keyuse);\n\n if (sort_and_filter_keyuse(thd, &keyuse, true))\n return REOPT_ERROR;\n optimize_keyuse(this, &keyuse);\n\n if (optimize_semijoin_nests(this, join_tables))\n return REOPT_ERROR;\n\n /* Re-run the join optimizer to compute a new query plan. */\n if (choose_plan(this, join_tables))\n return REOPT_ERROR;\n\n return REOPT_NEW_PLAN;\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 75666197854928182620552515543537699218,
- "size": 68,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508423
- },
- {
- "func": "bool sort_and_filter_keyuse(THD *thd, DYNAMIC_ARRAY *keyuse,\n bool skip_unprefixed_keyparts)\n{\n KEYUSE key_end, *prev, *save_pos, *use;\n uint found_eq_constant, i;\n\n DBUG_ASSERT(keyuse->elements);\n\n my_qsort(keyuse->buffer, keyuse->elements, sizeof(KEYUSE),\n (qsort_cmp) sort_keyuse);\n\n bzero((char*) &key_end, sizeof(key_end)); /* Add for easy testing */\n if (insert_dynamic(keyuse, (uchar*) &key_end))\n return TRUE;\n\n if (optimizer_flag(thd, OPTIMIZER_SWITCH_DERIVED_WITH_KEYS))\n generate_derived_keys(keyuse);\n\n use= save_pos= dynamic_element(keyuse,0,KEYUSE*);\n prev= &key_end;\n found_eq_constant= 0;\n for (i=0 ; i < keyuse->elements-1 ; i++,use++)\n {\n if (!use->is_for_hash_join())\n {\n if (!(use->used_tables & ~OUTER_REF_TABLE_BIT) && \n use->optimize != KEY_OPTIMIZE_REF_OR_NULL)\n use->table->const_key_parts[use->key]|= use->keypart_map;\n if (use->keypart != FT_KEYPART)\n {\n if (use->key == prev->key && use->table == prev->table)\n {\n if ((prev->keypart+1 < use->keypart && skip_unprefixed_keyparts) ||\n (prev->keypart == use->keypart && found_eq_constant))\n continue;\t\t\t\t/* remove */\n }\n else if (use->keypart != 0 && skip_unprefixed_keyparts)\n continue; /* remove - first found must be 0 */\n }\n\n prev= use;\n found_eq_constant= !use->used_tables;\n use->table->reginfo.join_tab->checked_keys.set_bit(use->key);\n }\n /*\n Old gcc used a memcpy(), which is undefined if save_pos==use:\n http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19410\n http://gcc.gnu.org/bugzilla/show_bug.cgi?id=39480\n This also disables a valgrind warning, so better to have the test.\n */\n if (save_pos != use)\n *save_pos= *use;\n /* Save ptr to first use */\n if (!use->table->reginfo.join_tab->keyuse)\n use->table->reginfo.join_tab->keyuse= save_pos;\n save_pos++;\n }\n i= (uint) (save_pos-(KEYUSE*) keyuse->buffer);\n (void) set_dynamic(keyuse,(uchar*) &key_end,i);\n keyuse->elements= i;\n\n return FALSE;\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 270395890466385312065376189926284758775,
- "size": 63,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508612
- },
- {
- "func": "bool generate_derived_keys(DYNAMIC_ARRAY *keyuse_array)\n{\n KEYUSE *keyuse= dynamic_element(keyuse_array, 0, KEYUSE*);\n uint elements= keyuse_array->elements;\n TABLE *prev_table= 0;\n for (uint i= 0; i < elements; i++, keyuse++)\n {\n if (!keyuse->table)\n break;\n KEYUSE *first_table_keyuse= NULL;\n table_map last_used_tables= 0;\n uint count= 0;\n uint keys= 0;\n TABLE_LIST *derived= NULL;\n if (keyuse->table != prev_table)\n derived= keyuse->table->pos_in_table_list;\n while (derived && derived->is_materialized_derived())\n {\n if (keyuse->table != prev_table)\n {\n prev_table= keyuse->table;\n while (keyuse->table == prev_table && keyuse->key != MAX_KEY)\n\t{\n keyuse++;\n i++;\n }\n if (keyuse->table != prev_table)\n\t{\n keyuse--;\n i--;\n derived= NULL;\n continue;\n }\n first_table_keyuse= keyuse;\n last_used_tables= keyuse->used_tables;\n count= 0;\n keys= 0;\n }\n else if (keyuse->used_tables != last_used_tables)\n {\n keys++;\n last_used_tables= keyuse->used_tables;\n }\n count++;\n keyuse++;\n i++;\n if (keyuse->table != prev_table)\n {\n if (generate_derived_keys_for_table(first_table_keyuse, count, ++keys))\n return TRUE;\n keyuse--;\n i--;\n\tderived= NULL;\n }\n }\n }\n return FALSE;\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 297768314615660910310727454257539309288,
- "size": 58,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508639
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "didFinishSpeaking",
- "handleSpeakingCompleted",
- "fireEvent",
- "executionContext"
- ],
- "group_size": 22,
- "functions": [
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::resume()\n{\n if (!currentSpeechUtterance())\n return;\n m_platformSpeechSynthesizer->resume();\n}\n",
- "cwe": "",
- "big_vul_idx": 129900,
- "idx": 116225,
- "hash": 211830265481063403535988771688867702984
- },
- {
- "project": "Chrome",
- "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3",
- "target": 0,
- "func": "void AudioContext::resolvePromisesForSuspendOnMainThread()\n{\n ASSERT(isMainThread());\n AutoLocker locker(this);\n\n if (m_destinationNode)\n stopRendering();\n\n for (auto& resolver : m_suspendResolvers) {\n if (m_contextState == Closed) {\n resolver->reject(\n DOMException::create(InvalidStateError, \"Cannot suspend a context that has been closed\"));\n } else {\n resolver->resolve();\n }\n }\n\n m_suspendResolvers.clear();\n}\n",
- "cwe": "",
- "big_vul_idx": 139685,
- "idx": 124833,
- "hash": 118943594186034240752100234636332638888
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 1,
- "func": "void SpeechSynthesis::handleSpeakingCompleted(SpeechSynthesisUtterance* utterance, bool errorOccurred)\n {\n ASSERT(utterance);\n \n bool didJustFinishCurrentUtterance = false;\n if (utterance == currentSpeechUtterance()) {\n m_utteranceQueue.removeFirst();\n didJustFinishCurrentUtterance = true;\n }\n\n fireEvent(errorOccurred ? EventTypeNames::error : EventTypeNames::end, utterance, 0, String());\n\n if (didJustFinishCurrentUtterance && !m_utteranceQueue.isEmpty())\n startSpeakingImmediately();\n}\n",
- "cwe": "",
- "big_vul_idx": 185386,
- "idx": 6244,
- "hash": 51064366369637881630682008748783014232
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::handleSpeakingCompleted(SpeechSynthesisUtterance* utterance, bool errorOccurred)\n {\n ASSERT(utterance);\n \n // Keep the utterance around long enough to fire an event on it in case m_utteranceQueue\n // is holding the last reference to it.\n RefPtrWillBeRawPtr<SpeechSynthesisUtterance> protect(utterance);\n\n bool didJustFinishCurrentUtterance = false;\n if (utterance == currentSpeechUtterance()) {\n m_utteranceQueue.removeFirst();\n didJustFinishCurrentUtterance = true;\n }\n\n fireEvent(errorOccurred ? EventTypeNames::error : EventTypeNames::end, utterance, 0, String());\n\n if (didJustFinishCurrentUtterance && !m_utteranceQueue.isEmpty())\n startSpeakingImmediately();\n}\n",
- "cwe": "",
- "big_vul_idx": 185386,
- "idx": 163331,
- "hash": 23380105532145118333362184433256570897
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::boundaryEventOccurred(PassRefPtr<PlatformSpeechSynthesisUtterance> utterance, SpeechBoundary boundary, unsigned charIndex)\n{\n DEFINE_STATIC_LOCAL(const String, wordBoundaryString, (\"word\"));\n DEFINE_STATIC_LOCAL(const String, sentenceBoundaryString, (\"sentence\"));\n\n switch (boundary) {\n case SpeechWordBoundary:\n fireEvent(EventTypeNames::boundary, static_cast<SpeechSynthesisUtterance*>(utterance->client()), charIndex, wordBoundaryString);\n break;\n case SpeechSentenceBoundary:\n fireEvent(EventTypeNames::boundary, static_cast<SpeechSynthesisUtterance*>(utterance->client()), charIndex, sentenceBoundaryString);\n break;\n default:\n ASSERT_NOT_REACHED();\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 129886,
- "idx": 116211,
- "hash": 99679462228640680760071758425709711418
- },
- {
- "project": "Chrome",
- "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3",
- "target": 0,
- "func": "void AudioContext::startRendering()\n{\n ASSERT(isMainThread());\n ASSERT(m_destinationNode);\n\n if (m_contextState == Suspended) {\n destination()->startRendering();\n setContextState(Running);\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 139688,
- "idx": 124836,
- "hash": 142662764461032600377284385191665947202
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::fireEvent(const AtomicString& type, SpeechSynthesisUtterance* utterance, unsigned long charIndex, const String& name)\n{\n if (!executionContext()->activeDOMObjectsAreStopped())\n utterance->dispatchEvent(SpeechSynthesisEvent::create(type, charIndex, (currentTime() - utterance->startTime()), name));\n}\n",
- "cwe": "",
- "big_vul_idx": 129894,
- "idx": 116219,
- "hash": 332886004579278944427313270883617145253
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::speakingErrorOccurred(PassRefPtr<PlatformSpeechSynthesisUtterance> utterance)\n{\n if (utterance->client())\n handleSpeakingCompleted(static_cast<SpeechSynthesisUtterance*>(utterance->client()), true);\n}\n",
- "cwe": "",
- "big_vul_idx": 129904,
- "idx": 116229,
- "hash": 231677242442625066328288469107298179746
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::didStartSpeaking(PassRefPtr<PlatformSpeechSynthesisUtterance> utterance)\n{\n if (utterance->client())\n fireEvent(EventTypeNames::start, static_cast<SpeechSynthesisUtterance*>(utterance->client()), 0, String());\n}\n",
- "cwe": "",
- "big_vul_idx": 129892,
- "idx": 116217,
- "hash": 9214081021639232300638298244261428429
- },
- {
- "project": "Chrome",
- "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3",
- "target": 0,
- "func": "ScriptPromise AudioContext::resumeContext(ScriptState* scriptState)\n{\n ASSERT(isMainThread());\n AutoLocker locker(this);\n\n if (isOfflineContext()) {\n return ScriptPromise::rejectWithDOMException(\n scriptState,\n DOMException::create(\n InvalidStateError,\n \"cannot resume an OfflineAudioContext\"));\n }\n\n RefPtrWillBeRawPtr<ScriptPromiseResolver> resolver = ScriptPromiseResolver::create(scriptState);\n ScriptPromise promise = resolver->promise();\n\n if (m_destinationNode)\n startRendering();\n\n m_resumeResolvers.append(resolver);\n\n return promise;\n}\n",
- "cwe": "",
- "big_vul_idx": 139686,
- "idx": 124834,
- "hash": 318570413813050108211516841774464416601
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "SpeechSynthesisUtterance* SpeechSynthesis::currentSpeechUtterance() const\n{\n if (!m_utteranceQueue.isEmpty())\n return m_utteranceQueue.first().get();\n return 0;\n}\n",
- "cwe": "",
- "big_vul_idx": 129889,
- "idx": 116214,
- "hash": 168156307974646343211506977179694426483
- },
- {
- "project": "Chrome",
- "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3",
- "target": 0,
- "func": "void AudioContext::setContextState(AudioContextState newState)\n{\n ASSERT(isMainThread());\n\n switch (newState) {\n case Suspended:\n ASSERT(m_contextState == Running);\n break;\n case Running:\n ASSERT(m_contextState == Suspended);\n break;\n case Closed:\n ASSERT(m_contextState != Closed);\n break;\n }\n\n if (newState == m_contextState) {\n return;\n }\n\n m_contextState = newState;\n\n if (executionContext())\n executionContext()->postTask(createSameThreadTask(&AudioContext::notifyStateChange, this));\n}\n",
- "cwe": "",
- "big_vul_idx": 139687,
- "idx": 124835,
- "hash": 287189053384613982133619486169028517125
- },
- {
- "project": "Chrome",
- "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3",
- "target": 0,
- "func": "void AudioContext::stopRendering()\n{\n ASSERT(isMainThread());\n ASSERT(m_destinationNode);\n ASSERT(!isOfflineContext());\n\n if (m_contextState == Running) {\n destination()->stopRendering();\n setContextState(Suspended);\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 139691,
- "idx": 124839,
- "hash": 21252299144639789814578235777964790818
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "ExecutionContext* SpeechSynthesis::executionContext() const\n{\n return ContextLifecycleObserver::executionContext();\n}\n",
- "cwe": "",
- "big_vul_idx": 129893,
- "idx": 116218,
- "hash": 333478678279043922693098382899862568553
- },
- {
- "project": "Chrome",
- "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3",
- "target": 0,
- "func": "ExecutionContext* AudioContext::executionContext() const\n{\n return m_isStopScheduled ? 0 : ActiveDOMObject::executionContext();\n}\n",
- "cwe": "",
- "big_vul_idx": 139655,
- "idx": 124805,
- "hash": 184737248806572005970236803996746836487
- },
- {
- "project": "Chrome",
- "commit_id": "6834289784ed45b5524de0fb7ef43ae283b0d6d3",
- "target": 0,
- "func": "void AudioContext::fireCompletionEvent()\n{\n ASSERT(isMainThread());\n if (!isMainThread())\n return;\n\n AudioBuffer* renderedBuffer = m_renderTarget.get();\n\n setContextState(Closed);\n\n ASSERT(renderedBuffer);\n if (!renderedBuffer)\n return;\n\n if (executionContext()) {\n dispatchEvent(OfflineAudioCompletionEvent::create(renderedBuffer));\n m_offlineResolver->resolve(renderedBuffer);\n }\n}\n",
- "cwe": "",
- "big_vul_idx": 139656,
- "idx": 124806,
- "hash": 152452498610149100042179351223628836058
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::speak(SpeechSynthesisUtterance* utterance, ExceptionState& exceptionState)\n{\n if (!utterance) {\n exceptionState.throwTypeError(\"Invalid utterance argument\");\n return;\n }\n\n m_utteranceQueue.append(utterance);\n\n if (m_utteranceQueue.size() == 1)\n startSpeakingImmediately();\n}\n",
- "cwe": "",
- "big_vul_idx": 129902,
- "idx": 116227,
- "hash": 334525451552508820490739815215112912633
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "bool SpeechSynthesis::speaking() const\n{\n return currentSpeechUtterance();\n}\n",
- "cwe": "",
- "big_vul_idx": 129903,
- "idx": 116228,
- "hash": 264136037019701147145396860730088626650
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::startSpeakingImmediately()\n{\n SpeechSynthesisUtterance* utterance = currentSpeechUtterance();\n ASSERT(utterance);\n\n utterance->setStartTime(monotonicallyIncreasingTime());\n m_isPaused = false;\n m_platformSpeechSynthesizer->speak(utterance->platformUtterance());\n}\n",
- "cwe": "",
- "big_vul_idx": 129905,
- "idx": 116230,
- "hash": 272953521684895724697749690104131444667
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::didFinishSpeaking(PassRefPtr<PlatformSpeechSynthesisUtterance> utterance)\n{\n if (utterance->client())\n handleSpeakingCompleted(static_cast<SpeechSynthesisUtterance*>(utterance->client()), false);\n}\n",
- "cwe": "",
- "big_vul_idx": 129890,
- "idx": 116215,
- "hash": 336613363302777058118338465950575464528
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::voicesDidChange()\n{\n m_voiceList.clear();\n if (!executionContext()->activeDOMObjectsAreStopped())\n dispatchEvent(Event::create(EventTypeNames::voiceschanged));\n}\n",
- "cwe": "",
- "big_vul_idx": 129907,
- "idx": 116232,
- "hash": 206142822381456278081516244950130128741
- },
- {
- "project": "Chrome",
- "commit_id": "9a3dbf43f97aa7cb6b4399f9b11ce1de20f0680f",
- "target": 0,
- "func": "void SpeechSynthesis::didResumeSpeaking(PassRefPtr<PlatformSpeechSynthesisUtterance> utterance)\n{\n m_isPaused = false;\n if (utterance->client())\n fireEvent(EventTypeNames::resume, static_cast<SpeechSynthesisUtterance*>(utterance->client()), 0, String());\n}\n",
- "cwe": "",
- "big_vul_idx": 129891,
- "idx": 116216,
- "hash": 99913652828689165379332448190660030838
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "h2_stream_out_prepare",
- "add_buffered_data",
- "H2_STREAM_OUT_LOG"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void prep_output(h2_stream *stream) {\n conn_rec *c = stream->session->c;\n if (!stream->out_buffer) {\n stream->out_buffer = apr_brigade_create(stream->pool, c->bucket_alloc);\n }\n}",
- "project": "httpd",
- "hash": 40136342181080009612585093025690477718,
- "size": 6,
- "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244",
- "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68",
- "target": 0,
- "dataset": "other",
- "idx": 284256
- },
- {
- "func": "static void H2_STREAM_OUT_LOG(int lvl, h2_stream *s, const char *tag)\n{\n if (APLOG_C_IS_LEVEL(s->session->c, lvl)) {\n conn_rec *c = s->session->c;\n char buffer[4 * 1024];\n apr_size_t len, bmax = sizeof(buffer)/sizeof(buffer[0]);\n \n len = h2_util_bb_print(buffer, bmax, tag, \"\", s->out_buffer);\n ap_log_cerror(APLOG_MARK, lvl, 0, c, \n H2_STRM_MSG(s, \"out-buffer(%s)\"), len? buffer : \"empty\");\n }\n}",
- "project": "httpd",
- "hash": 4454358511278732331951495783433715179,
- "size": 12,
- "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244",
- "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68",
- "target": 0,
- "dataset": "other",
- "idx": 284236
- },
- {
- "func": "apr_status_t h2_stream_out_prepare(h2_stream *stream, apr_off_t *plen, \n int *peos, h2_headers **pheaders)\n{\n apr_status_t status = APR_SUCCESS;\n apr_off_t requested, missing, max_chunk = H2_DATA_CHUNK_SIZE;\n conn_rec *c;\n int complete, was_closed = 0;\n\n ap_assert(stream);\n \n if (stream->rst_error) {\n *plen = 0;\n *peos = 1;\n return APR_ECONNRESET;\n }\n \n c = stream->session->c;\n prep_output(stream);\n\n /* determine how much we'd like to send. We cannot send more than\n * is requested. But we can reduce the size in case the master\n * connection operates in smaller chunks. (TSL warmup) */\n if (stream->session->io.write_size > 0) {\n max_chunk = stream->session->io.write_size - H2_FRAME_HDR_LEN; \n }\n requested = (*plen > 0)? H2MIN(*plen, max_chunk) : max_chunk;\n \n /* count the buffered data until eos or a headers bucket */\n status = add_buffered_data(stream, requested, plen, peos, &complete, pheaders);\n \n if (status == APR_EAGAIN) {\n /* TODO: ugly, someone needs to retrieve the response first */\n h2_mplx_m_keep_active(stream->session->mplx, stream);\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,\n H2_STRM_MSG(stream, \"prep, response eagain\"));\n return status;\n }\n else if (status != APR_SUCCESS) {\n return status;\n }\n \n if (pheaders && *pheaders) {\n return APR_SUCCESS;\n }\n \n /* If there we do not have enough buffered data to satisfy the requested\n * length *and* we counted the _complete_ buffer (and did not stop in the middle\n * because of meta data there), lets see if we can read more from the\n * output beam */\n missing = H2MIN(requested, stream->max_mem) - *plen;\n if (complete && !*peos && missing > 0) {\n apr_status_t rv = APR_EOF;\n \n if (stream->output) {\n H2_STREAM_OUT_LOG(APLOG_TRACE2, stream, \"pre\");\n h2_beam_log(stream->output, c, APLOG_TRACE2, \"pre read output\");\n rv = h2_beam_receive(stream->output, stream->out_buffer,\n APR_NONBLOCK_READ, stream->max_mem - *plen, &was_closed);\n 
H2_STREAM_OUT_LOG(APLOG_TRACE2, stream, \"post\");\n h2_beam_log(stream->output, c, APLOG_TRACE2, \"post read output\");\n }\n \n if (rv == APR_SUCCESS) {\n /* count the buffer again, now that we have read output */\n status = add_buffered_data(stream, requested, plen, peos, &complete, pheaders);\n }\n else if (APR_STATUS_IS_EOF(rv)) {\n apr_bucket *eos = apr_bucket_eos_create(c->bucket_alloc);\n APR_BRIGADE_INSERT_TAIL(stream->out_buffer, eos);\n *peos = 1;\n }\n else if (APR_STATUS_IS_EAGAIN(rv)) {\n /* we set this is the status of this call only if there\n * is no buffered data, see check below */\n }\n else {\n /* real error reading. Give this back directly, even though\n * we may have something buffered. */\n status = rv;\n }\n }\n \n if (status == APR_SUCCESS) {\n if (*peos || *plen) {\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,\n H2_STRM_MSG(stream, \"prepare, len=%ld eos=%d\"),\n (long)*plen, *peos);\n }\n else {\n status = was_closed? APR_EOF : APR_EAGAIN;\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,\n H2_STRM_MSG(stream, \"prepare, no data\"));\n }\n }\n return status;\n}",
- "project": "httpd",
- "hash": 290708227288198158575844724080324981344,
- "size": 96,
- "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244",
- "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68",
- "target": 0,
- "dataset": "other",
- "idx": 284272
- },
- {
- "func": "static apr_status_t add_buffered_data(h2_stream *stream, apr_off_t requested,\n apr_off_t *plen, int *peos, int *is_all, \n h2_headers **pheaders)\n{\n apr_bucket *b, *e;\n \n *peos = 0;\n *plen = 0;\n *is_all = 0;\n if (pheaders) {\n *pheaders = NULL;\n }\n\n H2_STREAM_OUT_LOG(APLOG_TRACE2, stream, \"add_buffered_data\");\n b = APR_BRIGADE_FIRST(stream->out_buffer);\n while (b != APR_BRIGADE_SENTINEL(stream->out_buffer)) {\n e = APR_BUCKET_NEXT(b);\n if (APR_BUCKET_IS_METADATA(b)) {\n if (APR_BUCKET_IS_FLUSH(b)) {\n APR_BUCKET_REMOVE(b);\n apr_bucket_destroy(b);\n }\n else if (APR_BUCKET_IS_EOS(b)) {\n *peos = 1;\n return APR_SUCCESS;\n }\n else if (H2_BUCKET_IS_HEADERS(b)) {\n if (*plen > 0) {\n /* data before the response, can only return up to here */\n return APR_SUCCESS;\n }\n else if (pheaders) {\n *pheaders = h2_bucket_headers_get(b);\n APR_BUCKET_REMOVE(b);\n apr_bucket_destroy(b);\n ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c,\n H2_STRM_MSG(stream, \"prep, -> response %d\"), \n (*pheaders)->status);\n return APR_SUCCESS;\n }\n else {\n return APR_EAGAIN;\n }\n }\n }\n else if (b->length == 0) {\n APR_BUCKET_REMOVE(b);\n apr_bucket_destroy(b);\n }\n else {\n ap_assert(b->length != (apr_size_t)-1);\n *plen += b->length;\n if (*plen >= requested) {\n *plen = requested;\n return APR_SUCCESS;\n }\n }\n b = e;\n }\n *is_all = 1;\n return APR_SUCCESS;\n}",
- "project": "httpd",
- "hash": 51145852825175780237413583367581077395,
- "size": 62,
- "commit_id": "f990e5ecad40b100a8a5c7c1033c46044a9cb244",
- "message": "mod_htt2: fix incomplete sync with latest changes in github, adjust version number.\n\n\n\ngit-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889119 13f79535-47bb-0310-9956-ffa450edef68",
- "target": 0,
- "dataset": "other",
- "idx": 284250
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ASSERT_EQ",
- "addIndex",
- "runQuery"
- ],
- "group_size": 363,
- "functions": [
- {
- "func": "TEST_F(QueryPlannerTest, PlansForMultipleIndexesOnTheSameKeyPatternAreGenerated) {\n CollatorInterfaceMock reverseCollator(CollatorInterfaceMock::MockType::kReverseString);\n CollatorInterfaceMock equalCollator(CollatorInterfaceMock::MockType::kAlwaysEqual);\n addIndex(BSON(\"a\" << 1), &reverseCollator, \"reverse\"_sd);\n addIndex(BSON(\"a\" << 1), &equalCollator, \"forward\"_sd);\n\n runQuery(BSON(\"a\" << 1));\n\n assertNumSolutions(3U);\n assertSolutionExists(\"{fetch: {node: {ixscan: {name: 'reverse'}}}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {name: 'forward'}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 198455623842677816529388024126112735953,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392969
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrInexactWithExact2) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuery(fromjson(\"{$or: [{a: 'foo'}, {a: /bar/}, {b: 'foo'}, {b: /bar/}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {or: {nodes: [\"\n \"{ixscan: {filter: {$or:[{a:'foo'},{a:/bar/}]},\"\n \"pattern: {a: 1}}},\"\n \"{ixscan: {filter: {$or:[{b:'foo'},{b:/bar/}]},\"\n \"pattern: {b: 1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 121851799113668835604488149568830179506,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392948
- },
- {
- "func": "TEST_F(QueryPlannerTest, HintValid) {\n addIndex(BSON(\"a\" << 1));\n runQueryHint(BSONObj(), fromjson(\"{a: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, \"\n \"node: {ixscan: {filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 80260565493629234458422808208166681699,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392949
- },
- {
- "func": "TEST_F(QueryPlannerTest, HintElemMatch) {\n // true means multikey\n addIndex(fromjson(\"{'a.b': 1}\"), true);\n runQueryHint(fromjson(\"{'a.b': 1, a: {$elemMatch: {b: 2}}}\"), fromjson(\"{'a.b': 1}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{fetch: {filter: {$and: [{a:{$elemMatch:{b:2}}}, {'a.b': 1}]}, \"\n \"node: {ixscan: {filter: null, pattern: {'a.b': 1}, bounds: \"\n \"{'a.b': [[2, 2, true, true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:{$elemMatch:{b:2}}}, \"\n \"node: {ixscan: {filter: null, pattern: {'a.b': 1}, bounds: \"\n \"{'a.b': [[1, 1, true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 208788891778337833415501622287396895159,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392950
- },
- {
- "func": "TEST_F(QueryPlannerTest, CoveredOrUniqueIndexLookup) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1),\n false, // multikey\n false, // sparse,\n true); // unique\n\n runQuerySortProj(fromjson(\"{a: 1, b: 1}\"), BSONObj(), fromjson(\"{_id: 0, a: 1}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{fetch: {filter: {b: 1}, node: {ixscan: {pattern: {a: 1}}}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 181558871967494917879506872330818680867,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392951
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectCompoundInsteadThreeCompoundIndices) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1 << \"d\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << -1 << \"b\" << -1 << \"d\" << 1));\n runQuery(fromjson(\"{a: 1, b: 1, c: 1, d: 1}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\n \"{fetch: {filter: {$and: [{c:1},{d:1}]}, node: \"\n \"{ixscan: {filter: null, pattern: {a:1,b:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and:[{a:1},{b:1}]}, node: \"\n \"{ixscan: {filter: null, pattern: {c:1,d:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {a:1,c:-1,b:-1,d:1}}}}}\");\n}",
- "project": "mongo",
- "hash": 56171061150211752971823251648158435172,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392952
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicSkipWithIndex) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n runQuerySkipNToReturn(BSON(\"a\" << 5), 8, 0);\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{skip: {n: 8, node: {cscan: {dir: 1, filter: {a: 5}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {skip: {n: 8, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 43554898719219323611706682011882093421,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392953
- },
- {
- "func": "TEST_F(QueryPlannerTest, MergeSort) {\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"b\" << 1 << \"c\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a:1}, {b:1}]}\"), fromjson(\"{c:1}\"), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: 1, c: 1}}}, {ixscan: {pattern: {b: 1, c: 1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 304608409789006145410705713397100329782,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392954
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinReverseIndexDir) {\n addIndex(BSON(\"a\" << -1));\n\n // Because the index is descending, the min is numerically larger than the max.\n runQueryFull(BSONObj(),\n fromjson(\"{a: -1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 8}\"),\n fromjson(\"{a: 2}\"),\n false);\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, dir: 1, pattern: {a: -1}}}}}\");\n}",
- "project": "mongo",
- "hash": 125156759562937299237711571070140397694,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392956
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrElemMatchObjectBeneathAnd) {\n // true means multikey\n addIndex(BSON(\"a.b\" << 1), true);\n runQuery(\n fromjson(\"{$or: [{'a.b': 0, a: {$elemMatch: {b: {$lte: 1}}}},\"\n \"{a: {$elemMatch: {b: {$gte: 4}}}}]}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {$and:[{a:{$elemMatch:{b:{$lte:1}}}},{'a.b':0}]},\"\n \"node: {ixscan: {filter: null, pattern: {'a.b': 1}, \"\n \"bounds: {'a.b': [[-Infinity,1,true,true]]}}}}},\"\n \"{fetch: {filter: {a:{$elemMatch:{b:{$gte:4}}}}, node: \"\n \"{ixscan: {filter: null, pattern: {'a.b': 1},\"\n \"bounds: {'a.b': [[4,Infinity,true,true]]}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {a:{$elemMatch:{b:{$lte:1}}}},\"\n \"node: {ixscan: {filter: null, pattern: {'a.b': 1}, \"\n \"bounds: {'a.b': [[0,0,true,true]]}}}}},\"\n \"{fetch: {filter: {a:{$elemMatch:{b:{$gte:4}}}}, node: \"\n \"{ixscan: {filter: null, pattern: {'a.b': 1},\"\n \"bounds: {'a.b': [[4,Infinity,true,true]]}}}}}]}}\");\n}",
- "project": "mongo",
- "hash": 181527015787656973917680646316306299266,
- "size": 26,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392957
- },
- {
- "func": "TEST_F(QueryPlannerTest, UniqueIndexLookupBelowOrBelowAnd) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n addIndex(BSON(\"d\" << 1),\n false, // multikey\n false, // sparse,\n true); // unique\n\n runQuery(fromjson(\"{e: 1, $or: [{a: 1, b: 1}, {c: 1, d: 1}]}\"));\n\n // Only two plans because we throw out plans for the right branch of the $or that do not\n // use equality over the unique index.\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{fetch: {filter: {e: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {a: 1}, node: {ixscan: {pattern: {b: 1}}}}},\"\n \"{fetch: {filter: {c: 1}, node: {ixscan: {pattern: {d: 1}}}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {e: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {b: 1}, node: {ixscan: {pattern: {a: 1}}}}},\"\n \"{fetch: {filter: {c: 1}, node: {ixscan: {pattern: {d: 1}}}}}\"\n \"]}}}}\");\n}",
- "project": "mongo",
- "hash": 52588037895952951347109009505852321196,
- "size": 27,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392960
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinSortEqualityFirstSortSecond) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n // Run an empty query, sort {b: 1}, max/min arguments.\n runQueryFull(BSONObj(),\n fromjson(\"{b: 1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 1, b: 1}\"),\n fromjson(\"{a: 1, b: 2}\"),\n false);\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 21219611244008279236198559574896527764,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392961
- },
- {
- "func": "TEST_F(QueryPlannerTest, DoublyContainedOr) {\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n addIndex(BSON(\"d\" << 1));\n\n runQuery(\n fromjson(\"{$and: [{$or: [{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}, {d: 8}]}, {e: 9}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {e: 9}, node: {or: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [[5, 5, true, \"\n \"true]]}}}]}},\"\n \"{ixscan: {pattern: {d: 1}, bounds: {d: [[8, 8, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 295041144891101498662123554239506488915,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392962
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicLimitNoIndex) {\n addIndex(BSON(\"a\" << 1));\n\n runQuerySkipNToReturn(BSON(\"x\" << 5), 0, -3);\n\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\"{limit: {n: 3, node: {cscan: {dir: 1, filter: {x: 5}}}}}\");\n}",
- "project": "mongo",
- "hash": 254294725460736824874547505476587464790,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392963
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrMultikeyCannotCompoundFields) {\n const bool multikey = true;\n addIndex(BSON(\"a.c\" << 1 << \"a.b\" << 1), multikey);\n addIndex(BSON(\"d\" << 1));\n\n runQuery(fromjson(\"{$and: [{'a.b': 5}, {$or: [{'a.c': 6}, {d: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {'a.b': 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {'a.c': 1, 'a.b': 1}, bounds: {'a.c': [[6, 6, true, true]], 'a.b': \"\n \"[['MinKey', 'MaxKey', true, true]]}}},\"\n \"{ixscan: {pattern: {d: 1}, bounds: {d: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 29540912720737471750019215660318320637,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392964
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrOnlyOneBranchCanUseIndex) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a:1}, {b:2}]}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 306862859382702101704454013802556213843,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392965
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoKeepWithIndexedSort) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProjSkipNToReturn(fromjson(\"{a: {$in: [1, 2]}}\"), BSON(\"b\" << 1), BSONObj(), 0, 1);\n\n // cscan solution exists but we didn't turn on the \"always include a collscan.\"\n assertNumSolutions(1);\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: 1, b: 1}}}, {ixscan: {pattern: {a: 1, b: 1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 135593506136778899895372036752482372004,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392966
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrOfAnd6) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{$or: [{a:{$in:[1]},b:{$in:[1]}}, {a:{$in:[1,5]},b:{$in:[1,5]}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a:1,b:1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [[1,1,true,true]]}}}, \"\n \"{ixscan: {pattern: {a:1,b:1}, bounds: \"\n \"{a: [[1,1,true,true], [5,5,true,true]], \"\n \" b: [[1,1,true,true], [5,5,true,true]]}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 285352732317452116289367520200409281972,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392967
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrOfAnd2) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a:{$gt:2,$lt:10}}, {a:{$gt:0,$lt:15}}, {a:{$gt:20}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a:1}, bounds: {a: [[2,10,false,false]]}}}, \"\n \"{ixscan: {pattern: {a:1}, bounds: {a: [[0,15,false,false]]}}}, \"\n \"{ixscan: {pattern: {a:1}, bounds: \"\n \"{a: [[20,Infinity,false,true]]}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 282003058567225016454846367400133573468,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392968
- },
- {
- "func": "TEST_F(QueryPlannerTest, PlannerAddsFetchToIxscanForCountWhenFetchFilterNonempty) {\n params.options = QueryPlannerParams::IS_COUNT;\n addIndex(BSON(\"x\" << 1));\n runQuery(BSON(\"y\" << 3 << \"x\" << 5));\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\n \"{fetch: {filter: {y: 3}, node: {ixscan: \"\n \"{pattern: {x: 1}, bounds: {x: [[5,5,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 270349135524847438804280100205822850245,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392970
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrNotPredicateIsLeadingFieldInBothBranchesIndexIntersection) {\n params.options = QueryPlannerParams::INCLUDE_COLLSCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{$nor: [{a: 5}]}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(6);\n // The filter is {$not: {a: 5}}, but there is no way to write a BSON expression that will parse\n // to that MatchExpression.\n assertSolutionExists(\n \"{fetch: {node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], b: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], c: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"}}\");\n // The AND_HASH stage is not really needed, since the predicate {a: 5} is covered by the indexed\n // OR.\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], b: [[6, 6, true, true]]}}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], c: [[7, 7, true, true]]}}}]}},\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, 
true]], b: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], b: [[6, 6, true, true]]}}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], c: [[7, 7, true, true]]}}}]}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], c: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 133642935940917176662062021108660170205,
- "size": 51,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392971
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrNaturalHint) {\n addIndex(BSON(\"a\" << 1));\n runQueryHint(fromjson(\"{$or: [{a:1}, {a:3}]}\"), fromjson(\"{$natural:1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 1865491846805003053665503949778414955,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392973
- },
- {
- "func": "TEST_F(QueryPlannerTest, SnapshotUseId) {\n params.options = QueryPlannerParams::SNAPSHOT_USE_ID;\n\n addIndex(BSON(\"a\" << 1));\n runQuerySnapshot(fromjson(\"{a: {$gt: 0}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: {a:{$gt:0}}, node: \"\n \"{ixscan: {filter: null, pattern: {_id: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 333301148259395283688982947776999369092,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392974
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationTypeOperator) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$type: 16}}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 257471595677310198167228440611286154681,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392975
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterNestedProjCovered) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\" << 1 << \"b.c\" << 1);\n addIndex(BSON(\"a\" << 1 << \"b.c\" << 1));\n\n runQuerySortProj(fromjson(\"{a: 1}\"), BSONObj(), fromjson(\"{_id: 0, a: 1, 'b.c': 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, 'b.c': 1 }, type: 'default', node: \"\n \"{sharding_filter: {node: \"\n \"{ixscan: {filter: null, pattern: {a: 1, 'b.c': 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 17018540278954353104665224830406999671,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392976
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOr) {\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [[5, 5, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 186660324589391123840831133164117743543,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392977
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectBasicTwoPredCompoundMatchesIdxOrder2) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{a:1, b:1}\"));\n\n assertNumSolutions(3U);\n\n assertSolutionExists(\n \"{fetch: {filter: {b:1}, node: \"\n \"{ixscan: {filter: null, pattern: {a:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:1}, node: \"\n \"{ixscan: {filter: null, pattern: {b:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1}}},\"\n \"{ixscan: {filter: null, pattern: {b:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 327508292717420954844687111566340891558,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392978
- },
- {
- "func": "TEST_F(QueryPlannerTest, SolutionSetStableWhenOrEnumerationLimitIsReached) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n addIndex(BSON(\"d\" << 1));\n addIndex(BSON(\"e\" << 1));\n addIndex(BSON(\"f\" << 1));\n addIndex(BSON(\"f\" << 1 << \"y\" << 1));\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n addIndex(BSON(\"c\" << 1 << \"x\" << 1));\n\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {$or: [{a: 1, b: 1, c: 1}, {d: 1, e: 1, f: 1}]}}\"));\n\n assertNumSolutions(10U);\n\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {b: {$eq: 1}, c: {$eq: 1} }, node: {ixscan: {pattern: {a: \"\n \"1}}}}}, {fetch: {filter: {e: {$eq: 1}, f: {$eq: 1} }, node: {ixscan: {pattern: {d: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {a: {$eq: 1}, c: {$eq: 1} }, node: {ixscan: {pattern: {b: \"\n \"1}}}}}, {fetch: {filter: {e: {$eq: 1}, f: {$eq: 1} }, node: {ixscan: {pattern: {d: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {a: {$eq: 1}, b: {$eq: 1} }, node: {ixscan: {pattern: {c: \"\n \"1}}}}}, {fetch: {filter: {e: {$eq: 1}, f: {$eq: 1} }, node: {ixscan: {pattern: {d: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {a: {$eq: 1}, b: {$eq: 1} }, node: {ixscan: {pattern: {c: \"\n \"1, x: 1}}}}}, {fetch: {filter: {e: {$eq: 1}, f: {$eq: 1} }, node: {ixscan: {pattern: {d: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {b: {$eq: 1}, c: {$eq: 1} }, node: {ixscan: {pattern: {a: \"\n \"1}}}}}, {fetch: {filter: {d: {$eq: 1}, f: {$eq: 1} }, node: {ixscan: {pattern: {e: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {a: {$eq: 1}, c: {$eq: 1} }, node: {ixscan: {pattern: {b: \"\n \"1}}}}}, {fetch: {filter: {d: {$eq: 1}, f: {$eq: 1} }, node: {ixscan: {pattern: {e: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {a: {$eq: 
1}, b: {$eq: 1} }, node: {ixscan: {pattern: {c: \"\n \"1}}}}}, {fetch: {filter: {d: {$eq: 1}, f: {$eq: 1} }, node: {ixscan: {pattern: {e: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {a: {$eq: 1}, b: {$eq: 1} }, node: {ixscan: {pattern: {c: \"\n \"1, x: 1}}}}}, {fetch: {filter: {d: {$eq: 1}, f: {$eq: 1} }, node: {ixscan: {pattern: {e: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {b: {$eq: 1}, c: {$eq: 1} }, node: {ixscan: {pattern: {a: \"\n \"1}}}}}, {fetch: {filter: {d: {$eq: 1}, e: {$eq: 1} }, node: {ixscan: {pattern: {f: \"\n \"1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {a: {$eq: 1}, c: {$eq: 1} }, node: {ixscan: {pattern: {b: \"\n \"1}}}}}, {fetch: {filter: {d: {$eq: 1}, e: {$eq: 1} }, node: {ixscan: {pattern: {f: \"\n \"1}}}}}]}}\");\n}",
- "project": "mongo",
- "hash": 111447291020624182952308140967815206000,
- "size": 57,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392979
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonPrefixRegexCovering) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{a: /foo/}\"), BSONObj(), fromjson(\"{_id: 0, a: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1, filter: {a: /foo/}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{ixscan: {filter: {a: /foo/}, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 1721131087690443165402550830441622189,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392980
- },
- {
- "func": "TEST_F(QueryPlannerTest, TooManyToExplodeOr) {\n addIndex(BSON(\"a\" << 1 << \"e\" << 1));\n addIndex(BSON(\"b\" << 1 << \"e\" << 1));\n addIndex(BSON(\"c\" << 1 << \"e\" << 1));\n addIndex(BSON(\"d\" << 1 << \"e\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a: {$in: [1,2,3,4,5,6]},\"\n \"b: {$in: [1,2,3,4,5,6]}},\"\n \"{c: {$in: [1,2,3,4,5,6]},\"\n \"d: {$in: [1,2,3,4,5,6]}}]}\"),\n BSON(\"e\" << 1),\n BSONObj());\n\n // We cap the # of ixscans we're willing to create, so we don't get explosion. Instead\n // we get 5 different solutions which all use a blocking sort.\n assertNumSolutions(5U);\n assertSolutionExists(\n \"{sort: {pattern: {e: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {e: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{or: {nodes: [\"\n \"{fetch: {node: {ixscan: {pattern: {a: 1, e: 1}}}}},\"\n \"{fetch: {node: {ixscan: {pattern: {c: 1, e: 1}}}}}]}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {e: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{or: {nodes: [\"\n \"{fetch: {node: {ixscan: {pattern: {b: 1, e: 1}}}}},\"\n \"{fetch: {node: {ixscan: {pattern: {c: 1, e: 1}}}}}]}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {e: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{or: {nodes: [\"\n \"{fetch: {node: {ixscan: {pattern: {a: 1, e: 1}}}}},\"\n \"{fetch: {node: {ixscan: {pattern: {d: 1, e: 1}}}}}]}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {e: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{or: {nodes: [\"\n \"{fetch: {node: {ixscan: {pattern: {b: 1, e: 1}}}}},\"\n \"{fetch: {node: {ixscan: {pattern: {d: 1, e: 1}}}}}]}}}}}}\");\n}",
- "project": "mongo",
- "hash": 256571774132281737223534625893788359343,
- "size": 39,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392981
- },
- {
- "func": "TEST_F(QueryPlannerTest, CannotTrimIxisectAndHashWithOrChild) {\n params.options = QueryPlannerParams::CANNOT_TRIM_IXISECT;\n params.options |= QueryPlannerParams::INDEX_INTERSECTION;\n params.options |= QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{c: 1, $or: [{a: 1}, {b: 1, d: 1}]}\"));\n\n assertNumSolutions(3U);\n\n assertSolutionExists(\n \"{fetch: {filter: {c: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {d: 1}, node: {ixscan: {filter: null,\"\n \"pattern: {b: 1}, bounds: {b: [[1,1,true,true]]}}}}},\"\n \"{ixscan: {filter: null, pattern: {a: 1},\"\n \"bounds: {a: [[1,1,true,true]]}}}]}}}}\");\n\n assertSolutionExists(\n \"{fetch: {filter: {$or:[{b:1,d:1},{a:1}]}, node:\"\n \"{ixscan: {filter: null, pattern: {c: 1}}}}}\");\n\n assertSolutionExists(\n \"{fetch: {filter: {c:1,$or:[{a:1},{b:1,d:1}]}, node:{andHash:{nodes:[\"\n \"{or: {nodes: [\"\n \"{fetch: {filter: {d:1}, node: {ixscan: {pattern: {b: 1}}}}},\"\n \"{ixscan: {filter: null, pattern: {a: 1}}}]}},\"\n \"{ixscan: {filter: null, pattern: {c: 1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 86853219372656470344511613642272737214,
- "size": 31,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392982
- },
- {
- "func": "TEST_F(QueryPlannerTest, EqCanUseHashedIndexWithRegex) {\n addIndex(BSON(\"a\"\n << \"hashed\"));\n runQuery(fromjson(\"{a: {$eq: /abc/}}\"));\n ASSERT_EQUALS(getNumSolutions(), 2U);\n}",
- "project": "mongo",
- "hash": 329184939987602600701929125985720067854,
- "size": 6,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392983
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatedRangeStrGT) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$gt: 'a'}}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {i:1}, \"\n \"bounds: {i: [['MinKey','a',true,true], \"\n \"[{},'MaxKey',true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 16473380221722057748412641445386411996,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392984
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrCombineWithAnd) {\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1 << \"d\" << 1 << \"a\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {$and: [{c: 7}, {d: 8}]}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1, d: 1, a: 1}, bounds: {c: [[7, 7, true, true]], d: [[8, 8, true, \"\n \"true]], a: [[5, 5, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 311708074705498963752449838217220008251,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392985
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicSort) {\n addIndex(BSON(\"x\" << 1));\n runQuerySortProj(BSONObj(), BSON(\"x\" << 1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {x: 1}, limit: 0, node: {sortKeyGen:\"\n \"{node: {cscan: {dir: 1, filter: {}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 217265805864792420472348568227788134682,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392986
- },
- {
- "func": "TEST_F(QueryPlannerTest, CantExplodeWithEmptyBounds2) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n runQuerySortProj(fromjson(\"{a: {$gt: 3, $lt: 0}}\"), BSON(\"b\" << 1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {b:1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {b:1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {ixscan: {pattern: {a:1,b:1,c:1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 19533249080697270634894586683073855428,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392987
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrElemMatchObject) {\n // true means multikey\n addIndex(BSON(\"a.b\" << 1), true);\n runQuery(\n fromjson(\"{$or: [{a: {$elemMatch: {b: {$lte: 1}}}},\"\n \"{a: {$elemMatch: {b: {$gte: 4}}}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {a:{$elemMatch:{b:{$gte:4}}}}, node: \"\n \"{ixscan: {filter: null, pattern: {'a.b': 1}}}}},\"\n \"{fetch: {filter: {a:{$elemMatch:{b:{$lte:1}}}}, node: \"\n \"{ixscan: {filter: null, pattern: {'a.b': 1}}}}}]}}\");\n}",
- "project": "mongo",
- "hash": 315969726725406376553296370162391589634,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392988
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicateIsLeadingFieldIndexIntersection) {\n params.options = QueryPlannerParams::INCLUDE_COLLSCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(4);\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}]}},\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 113082058653984962432990439989387551304,
- "size": 29,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392989
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicCompound) {\n addIndex(BSON(\"x\" << 1 << \"y\" << 1));\n runQuery(fromjson(\"{ x : 5, y: 10}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1, y: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 105814914349035462271666363771612204247,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392990
- },
- {
- "func": "TEST_F(QueryPlannerTest, RootedOrOfAndDontCollapseDifferentBounds) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1 << \"d\" << 1));\n runQuery(fromjson(\"{$or: [{a: 1, b: 2}, {c: 3, d: 4}, {a: 1, b: 99}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, filter: null,\"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1}, filter: null,\"\n \"bounds: {a: [[1,1,true,true]], b: [[99,99,true,true]]}}},\"\n \"{ixscan: {pattern: {c: 1, d: 1}, filter: null,\"\n \"bounds: {c: [[3,3,true,true]], d: [[4,4,true,true]]}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 72171021966273478200249639131774740917,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392991
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoSplitLimitedSortAsCommandBatchSize) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n params.options |= QueryPlannerParams::SPLIT_LIMITED_SORT;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n\n runQueryAsCommand(fromjson(\"{find: 'testns', filter: {a: 1}, sort: {b: 1}, batchSize: 3}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{fetch: {filter: {a: 1}, node: {ixscan: \"\n \"{filter: null, pattern: {b: 1}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: {fetch: {filter: null,\"\n \"node: {ixscan: {pattern: {a: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 89611039149358332783786100965974241560,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392992
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrWithExactAndInexact3) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuery(\n fromjson(\"{$or: [{a: {$in: [/z/, /x/]}}, {a: 'w'},\"\n \"{b: {$exists: false}}, {b: {$in: ['p']}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {filter: {$or:[{a:{$in:[/z/, /x/]}}, {a:'w'}]}, \"\n \"pattern: {a: 1}}}, \"\n \"{fetch: {filter: {$or:[{b:{$exists:false}}, {b:{$eq:'p'}}]},\"\n \"node: {ixscan: {filter: null, pattern: {b: 1}}}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 330275366425900250861806301466654184146,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392993
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrWithExactAndInexact) {\n addIndex(BSON(\"name\" << 1));\n runQuery(fromjson(\"{name: {$in: ['thomas', /^alexand(er|ra)/]}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: {name: {$in: ['thomas', /^alexand(er|ra)/]}}, \"\n \"pattern: {name: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 80207113361846877295728454726582812225,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392994
- },
- {
- "func": "TEST_F(QueryPlannerTest, MergeSortReverseSubtreeContainedOr) {\n addIndex(BSON(\"a\" << 1 << \"e\" << 1));\n addIndex(BSON(\"c\" << 1 << \"e\" << -1));\n addIndex(BSON(\"d\" << 1 << \"e\" << -1));\n runQueryAsCommand(fromjson(\n \"{find: 'testns', filter: {$or: [{a: 1}, {b: 1, $or: [{c: 1}, {d: 1}]}]}, sort: {e: 1}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {e: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: 1, e: 1}, dir: 1}}, {fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {c: 1, e: -1}, dir: -1}}, {ixscan: {pattern: {d: 1, e: -1}, dir: \"\n \"-1}}]}}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 257909252366485045235124496144368749923,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392995
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatedRangeStrGTE) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$gte: 'a'}}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {i:1}, \"\n \"bounds: {i: [['MinKey','a',true,false], \"\n \"[{},'MaxKey',true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 171392284488014382554287816096243117123,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392996
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinBadHintSelectsReverseIndex) {\n // There are both ascending and descending indices on 'a'.\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"a\" << -1));\n\n // A query hinting on {a: 1} is bad if min is {a: 8} and {a: 2} because this\n // min/max pairing requires a descending index.\n runInvalidQueryFull(BSONObj(),\n BSONObj(),\n BSONObj(),\n 0,\n 0,\n fromjson(\"{a: 1}\"),\n fromjson(\"{a: 8}\"),\n fromjson(\"{a: 2}\"),\n false);\n}",
- "project": "mongo",
- "hash": 188808043404630753684467616325081895391,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392997
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCompoundTrailingFields) {\n MultikeyPaths multikeyPaths{{}, {0U}, {}};\n addIndex(BSON(\"b\" << 1 << \"a\" << 1 << \"c\" << 1), multikeyPaths);\n addIndex(BSON(\"d\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1, c: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]], c: [[7, 7, true, true]]}}},\"\n \"{ixscan: {pattern: {d: 1}, bounds: {d: [[8, 8, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 63749766463167541448626050265849282862,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392998
- },
- {
- "func": "TEST_F(QueryPlannerTest, HintInvalid) {\n addIndex(BSON(\"a\" << 1));\n runInvalidQueryHint(BSONObj(), fromjson(\"{b: 1}\"));\n}",
- "project": "mongo",
- "hash": 254027827072996822099551485740747826636,
- "size": 4,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392999
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExplodeMustReverseScans2) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << -1));\n runQuerySortProj(fromjson(\"{a: {$in: [1, 2]}, b: {$in: [3, 4]}}\"), BSON(\"c\" << 1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a:1, b:1, c:-1}}},\"\n \"{ixscan: {pattern: {a:1, b:1, c:-1}}},\"\n \"{ixscan: {pattern: {a:1, b:1, c:-1}}},\"\n \"{ixscan: {pattern: {a:1, b:1, c:-1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 253692919097848429964890428623868225272,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393000
- },
- {
- "func": "TEST_F(QueryPlannerTest, InWithoutSort) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n // No sort means we don't bother to blow up the bounds.\n runQuerySortProjSkipNToReturn(fromjson(\"{a: {$in: [1, 2]}}\"), BSONObj(), BSONObj(), 0, 1);\n\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 179176570109185465288913271039293422577,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393001
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrOnePredicateIsLeadingField) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"d\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {b: 6}, {$or: [{c: 7}, {d: 8}]}]}\"));\n assertNumSolutions(4);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]], c: [[7, 7, true, true]]}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, d: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]], d: [[8, 8, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{c: 7}, {d: 8}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]], c: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{c: 7}, {d: 8}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1, d: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]], d: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 204881056938452422231519917956654328764,
- "size": 25,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393002
- },
- {
- "func": "TEST_F(QueryPlannerTest, AndHashRequiresKeepMutations) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n params.options |= QueryPlannerParams::INDEX_INTERSECTION;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuery(fromjson(\"{a: {$gte: 0}, b: {$gte: 0}}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\"{fetch: {filter: {a: {$gte: 0}}, node: {ixscan: {pattern: {b: 1}}}}}\");\n assertSolutionExists(\"{fetch: {filter: {b: {$gte: 0}}, node: {ixscan: {pattern: {a: 1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {keep: {node: {andHash: {nodes: [\"\n \"{ixscan: {pattern: {a: 1}}},\"\n \"{ixscan: {pattern: {b: 1}}}]}}}}}}\");\n}",
- "project": "mongo",
- "hash": 201750723870327355456982862463363885595,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393003
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrInexactCoveredMultikey) {\n // true means multikey\n addIndex(BSON(\"names\" << 1), true);\n runQuery(fromjson(\"{$or: [{names: 'dave'}, {names: /joe/}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{names: 'dave'}, {names: /joe/}]}, \"\n \"node: {ixscan: {filter: null, pattern: {names: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 147805261840231643687455081438597065978,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393004
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoKeepWithGeoNear) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n addIndex(BSON(\"a\"\n << \"2d\"));\n runQuery(fromjson(\"{a: {$near: [0,0], $maxDistance:0.3 }}\"));\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\"{geoNear2d: {a: '2d'}}\");\n}",
- "project": "mongo",
- "hash": 46587417641888873059257343524561468977,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393005
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicateIsLeadingFieldInBothBranchesIndexIntersection) {\n params.options = QueryPlannerParams::INCLUDE_COLLSCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(6);\n assertSolutionExists(\n \"{fetch: {node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[5, 5, true, true]], c: [[7, 7, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[5, 5, true, true]], c: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n // The AND_HASH stage is not really needed, since the predicate {a: 5} is covered by the indexed\n // OR.\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[5, 5, true, true]], c: [[7, 7, true, \"\n \"true]]}}}]}},\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[5, 5, true, true]], c: [[7, 7, true, \"\n \"true]]}}}]}},\"\n \"{ixscan: 
{pattern: {a: 1, c: 1}, bounds: {a: [[5, 5, true, true]], c: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 292357845707641846819653086566596803916,
- "size": 48,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393006
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundMultikeyBounds) {\n // true means multikey\n addIndex(BSON(\"a\" << 1 << \"b\" << 1), true);\n runQuery(fromjson(\"{a: 1, b: 3}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {filter: {$and:[{a:1},{b:3}]}, dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {filter: null, \"\n \"pattern: {a:1,b:1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [[3,3,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 65080053636428819698754824329221170690,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393007
- },
- {
- "func": "TEST_F(QueryPlannerTest, IndexBoundsOrOfNegations) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a: {$ne: 3}}, {a: {$ne: 4}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [['MinKey','MaxKey',true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 308495835767918118845200146424409035317,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393008
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterHashProjNotCovered) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\"\n << \"hashed\");\n addIndex(BSON(\"a\"\n << \"hashed\"));\n\n runQuerySortProj(fromjson(\"{a: 1}\"), BSONObj(), fromjson(\"{_id : 0, a : 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0,a: 1}, type: 'simple', node: \"\n \"{sharding_filter : {node: \"\n \"{fetch: {node: \"\n \"{ixscan: {pattern: {a: 'hashed'}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 256607511838731294561951487423280807566,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393009
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationElemMatchValue) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$elemMatch: {$gt: 3, $lt: 10}}}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 301863786277944404947064628795464270349,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393011
- },
- {
- "func": "TEST_F(QueryPlannerTest, MergeSortReverseScanOneIndex) {\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"b\" << 1 << \"c\" << -1));\n runQueryAsCommand(fromjson(\"{find: 'testns', filter: {$or: [{a: 1}, {b: 1}]}, sort: {c: 1}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: 1, c: 1}, dir: 1}}, {ixscan: {pattern: {b: 1, c: -1}, dir: \"\n \"-1}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 246771225247675752168497710062761102402,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393012
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinSortInequalityFirstSortSecond) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n // Run an empty query, sort {b: 1}, max/min arguments.\n runQueryFull(BSONObj(),\n fromjson(\"{b: 1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 1, b: 1}\"),\n fromjson(\"{a: 2, b: 2}\"),\n false);\n\n assertNumSolutions(1);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: \"\n \"{ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 340009197622907316766942197406348903425,
- "size": 20,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393013
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterBasicIndex) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\" << 1);\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n\n runQuery(fromjson(\"{b: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sharding_filter: {node: \"\n \"{fetch: {node: \"\n \"{ixscan: {pattern: {b: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 280036162655895132848721440302903005488,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393014
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrOfAnd5) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(\n fromjson(\"{$or: [{a:{$gt:1,$lt:5}, c:6}, \"\n \"{a:3, b:{$gt:1,$lt:2}, c:{$gt:0,$lt:10}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c:6}, node: {ixscan: {pattern: {a:1,b:1}, \"\n \"bounds: {a: [[1,5,false,false]], \"\n \"b: [['MinKey','MaxKey',true,true]]}}}}}, \"\n \"{fetch: {filter: {$and:[{c:{$lt:10}},{c:{$gt:0}}]}, node: \"\n \"{ixscan: {pattern: {a:1,b:1}, \"\n \" bounds: {a:[[3,3,true,true]], b:[[1,2,false,false]]}}}}}]}}\");\n}",
- "project": "mongo",
- "hash": 315864866036752405754514415109542515448,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393015
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinNoMatchingIndexDir) {\n addIndex(BSON(\"a\" << -1));\n runInvalidQueryHintMinMax(BSONObj(), fromjson(\"{a: 2}\"), BSONObj(), fromjson(\"{a: 8}\"));\n}",
- "project": "mongo",
- "hash": 47116083361197320502349107660036890275,
- "size": 4,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393016
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrOfAndCollapseIdenticalScansTwoFilters) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{c: 1, $or: [{a:1, b:2, d:3}, {a:1, b:2, e:4}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {c: 1}, node: {fetch: {filter: {$or:[{e:4},{d:3}]},\"\n \"node: {ixscan: {pattern: {a: 1, b: 1}, filter: null,\"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 94573423014970399571799794720696452894,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393017
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrBelowElemMatchInexactCovered) {\n // true means multikey\n addIndex(BSON(\"a.b\" << 1), true);\n runQuery(fromjson(\"{a: {$elemMatch: {$or: [{b: 'x'}, {b: /z/}]}}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a: {$elemMatch: {$or: [{b: 'x'}, {b: /z/}]}}},\"\n \"node: {ixscan: {filter: null, pattern: {'a.b': 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 249421474257303892820494755838651214778,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393018
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExprEqCanUseIndex) {\n params.options &= ~QueryPlannerParams::INCLUDE_COLLSCAN;\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{a: {$_internalExprEq: 1}}\"));\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a: 1}, bounds: {a: \"\n \"[[1,1,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 82706706519063471628812327978665828108,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393019
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundIndexWithEqualityPredicatesProvidesSort) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{a: 1, b: 1}\"), fromjson(\"{b: 1}\"), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {filter: null,\"\n \"pattern: {a: 1, b: 1}, \"\n \"bounds: {a:[[1,1,true,true]], b:[[1,1,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 288207533621246512419167638735060929032,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393020
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectBasicTwoPredCompound) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuery(fromjson(\"{a:1, b:1, c:1}\"));\n\n // There's an andSorted not andHash because the two seeks are point intervals.\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1, c:1}}},\"\n \"{ixscan: {filter: null, pattern: {b:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 149844425839868898647380989459656924885,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393021
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicSortElim) {\n addIndex(BSON(\"x\" << 1));\n // query, sort, proj\n runQuerySortProj(fromjson(\"{ x : {$gt: 1}}\"), fromjson(\"{x: 1}\"), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {x: 1}, limit: 0, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1, filter: {x: {$gt: 1}}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {filter: null, pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 229306703282193775966730898380016579819,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393022
- },
- {
- "func": "TEST_F(QueryPlannerTest, CannotTrimIxisectParam) {\n params.options = QueryPlannerParams::CANNOT_TRIM_IXISECT;\n params.options |= QueryPlannerParams::INDEX_INTERSECTION;\n params.options |= QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n\n runQuery(fromjson(\"{a: 1, b: 1, c: 1}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\n \"{fetch: {filter: {b: 1, c: 1}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a: 1, c: 1}, node: \"\n \"{ixscan: {filter: null, pattern: {b: 1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:1,b:1,c:1}, node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1}}},\"\n \"{ixscan: {filter: null, pattern: {b:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 11676837453775382192995946067663770705,
- "size": 22,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393023
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicSoftLimitWithIndex) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n runQuerySkipNToReturn(BSON(\"a\" << 5), 0, 5);\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {a: 5}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 136573306049577053991198550483676659906,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393024
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrEnumerationLimit2) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n addIndex(BSON(\"d\" << 1));\n\n // 3 $or clauses, and a few other preds. Each $or clause can\n // generate up to the max number of allowed $or enumerations.\n runQuery(\n fromjson(\"{$or: [{a: 1, b: 1, c: 1, d: 1},\"\n \"{a: 2, b: 2, c: 2, d: 2},\"\n \"{a: 3, b: 3, c: 3, d: 3}]}\"));\n\n assertNumSolutions(internalQueryEnumerationMaxOrSolutions.load());\n}",
- "project": "mongo",
- "hash": 186926425248054729013655628157880001452,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393025
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExplodeIxscanWithFilter) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n runQuerySortProj(fromjson(\"{$and: [{b: {$regex: 'foo', $options: 'i'}},\"\n \"{a: {$in: [1, 2]}}]}\"),\n BSON(\"b\" << 1),\n BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a:1, b:1},\"\n \"filter: {b: {$regex: 'foo', $options: 'i'}}}},\"\n \"{ixscan: {pattern: {a:1, b:1},\"\n \"filter: {b: {$regex: 'foo', $options: 'i'}}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 323321915181604253517702372309211591566,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393026
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrMultikeyCannotCompoundTrailingFields) {\n const bool multikey = true;\n addIndex(BSON(\"d\" << 1 << \"a.b\" << 1 << \"a.c\" << 1), multikey);\n addIndex(BSON(\"e\" << 1));\n\n runQuery(fromjson(\"{$and: [{'a.b': 5}, {$or: [{$and: [{'a.c': 6}, {d: 7}]}, {e: 8}]}]}\"));\n assertNumSolutions(2);\n std::vector<std::string> alternates;\n alternates.push_back(\n \"{fetch: {filter: {'a.b': 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {d: 1, 'a.b': 1, 'a.c': 1}, bounds: {d: [[7, 7, true, true]], 'a.b': \"\n \"[['MinKey', 'MaxKey', true, true]], 'a.c': [[6, 6, true, true]]}}},\"\n \"{ixscan: {pattern: {e: 1}, bounds: {e: [[8, 8, true, true]]}}}\"\n \"]}}}}\");\n alternates.push_back(\n \"{fetch: {filter: {'a.b': 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {d: 1, 'a.b': 1, 'a.c': 1}, bounds: {d: [[7, 7, true, true]], 'a.b': \"\n \"[[5, 5, true, true]], 'a.c': [['MinKey', 'MaxKey', true, true]]}}},\"\n \"{ixscan: {pattern: {e: 1}, bounds: {e: [[8, 8, true, true]]}}}\"\n \"]}}}}\");\n assertHasOneSolutionOf(alternates);\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 108806431802968283830709725783603164546,
- "size": 23,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393027
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicLimitWithIndex) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n runQuerySkipNToReturn(BSON(\"a\" << 5), 0, -5);\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{limit: {n: 5, node: {cscan: {dir: 1, filter: {a: 5}}}}}\");\n assertSolutionExists(\n \"{limit: {n: 5, node: {fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 216680114454975719460616136600135480327,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393028
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrEnumerationLimit) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n\n // 6 $or clauses, each with 2 indexed predicates\n // means 2^6 = 64 possibilities. We should hit the limit.\n runQuery(\n fromjson(\"{$or: [{a: 1, b: 1},\"\n \"{a: 2, b: 2},\"\n \"{a: 3, b: 3},\"\n \"{a: 4, b: 4},\"\n \"{a: 5, b: 5},\"\n \"{a: 6, b: 6}]}\"));\n\n assertNumSolutions(internalQueryEnumerationMaxOrSolutions.load());\n}",
- "project": "mongo",
- "hash": 12563365889603733115756717927688492969,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393029
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrOneChildUsesPredicate) {\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 88302958427687332050141195064404650386,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393030
- },
- {
- "func": "TEST_F(QueryPlannerTest, HintValidWithSort) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuerySortHint(fromjson(\"{a: 100, b: 200}\"), fromjson(\"{b: 1}\"), fromjson(\"{a: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {filter: {b: 200}, \"\n \"node: {ixscan: {filter: null, pattern: {a: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 263561557685358682501691940568755512181,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393031
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoMergeSortIfNoSortWanted) {\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"b\" << 1 << \"c\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a:1}, {b:1}]}\"), BSONObj(), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {$or: [{a:1}, {b:1}]}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a: 1, c: 1}}}, \"\n \"{ixscan: {filter: null, pattern: {b: 1, c: 1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 176414212959603994818548590698874808730,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393032
- },
- {
- "func": "TEST_F(QueryPlannerTest, SortElimTrailingFields) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n runQuerySortProj(fromjson(\"{a: 5}\"), BSON(\"b\" << 1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1, filter: {a: 5}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1, b: 1, c: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 16987594989702138190093065652549352375,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393033
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectCompoundInsteadUnusedField) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n runQuery(fromjson(\"{a: 1, b: 1}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\n \"{fetch: {filter: {b:1}, node: \"\n \"{ixscan: {filter: null, pattern: {a:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:1}, node: \"\n \"{ixscan: {filter: null, pattern: {b:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {a:1,b:1,c:1}}}}}\");\n}",
- "project": "mongo",
- "hash": 2712004810855055011353504534437315710,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393034
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExplodeMustReverseScans) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1 << \"d\" << 1));\n runQuerySortProj(fromjson(\"{a: {$in: [1, 2]}, b: {$in: [3, 4]}}\"), BSON(\"c\" << -1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: -1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a:1, b:1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a:1, b:1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a:1, b:1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a:1, b:1, c:1, d:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 146769320426054888791981351758308396900,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393035
- },
- {
- "func": "TEST_F(QueryPlannerTest, MutationsFromFetchWithSort) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{a: 5}\"), fromjson(\"{b:1}\"), BSONObj());\n assertSolutionExists(\n \"{sort: {pattern: {b:1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {ixscan: {pattern: {a:1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 130562391370393391067840268791278074530,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393036
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxValid) {\n addIndex(BSON(\"a\" << 1));\n runQueryHintMinMax(BSONObj(), BSONObj(), BSONObj(), fromjson(\"{a: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, \"\n \"node: {ixscan: {filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 325431969958168753245260824478048698244,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393037
- },
- {
- "func": "TEST_F(QueryPlannerTest, NaturalSortAndHint) {\n addIndex(BSON(\"x\" << 1));\n\n // Non-empty query, -1 sort, no hint.\n runQuerySortHint(fromjson(\"{x: {$exists: true}}\"), BSON(\"$natural\" << -1), BSONObj());\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: -1}}\");\n\n // Non-empty query, 1 sort, no hint.\n runQuerySortHint(fromjson(\"{x: {$exists: true}}\"), BSON(\"$natural\" << 1), BSONObj());\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n\n // Non-empty query, -1 sort, -1 hint.\n runQuerySortHint(\n fromjson(\"{x: {$exists: true}}\"), BSON(\"$natural\" << -1), BSON(\"$natural\" << -1));\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: -1}}\");\n\n // Non-empty query, 1 sort, 1 hint.\n runQuerySortHint(\n fromjson(\"{x: {$exists: true}}\"), BSON(\"$natural\" << 1), BSON(\"$natural\" << 1));\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n\n // Empty query, -1 sort, no hint.\n runQuerySortHint(BSONObj(), BSON(\"$natural\" << -1), BSONObj());\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: -1}}\");\n\n // Empty query, 1 sort, no hint.\n runQuerySortHint(BSONObj(), BSON(\"$natural\" << 1), BSONObj());\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n\n // Empty query, -1 sort, -1 hint.\n runQuerySortHint(BSONObj(), BSON(\"$natural\" << -1), BSON(\"$natural\" << -1));\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: -1}}\");\n\n // Empty query, 1 sort, 1 hint.\n runQuerySortHint(BSONObj(), BSON(\"$natural\" << 1), BSON(\"$natural\" << 1));\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 148941295028424344356570677567516792118,
- "size": 45,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393038
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxBadHint) {\n addIndex(BSON(\"b\" << 1));\n runInvalidQueryHintMinMax(BSONObj(), fromjson(\"{b: 1}\"), BSONObj(), fromjson(\"{a: 1}\"));\n}",
- "project": "mongo",
- "hash": 279565397587732800378386422663635996357,
- "size": 4,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393039
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrWithExactAndInexact2) {\n addIndex(BSON(\"name\" << 1));\n runQuery(\n fromjson(\"{$or: [{name: {$in: ['thomas', /^alexand(er|ra)/]}},\"\n \"{name: {$exists: false}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{name: {$in: ['thomas', /^alexand(er|ra)/]}},\"\n \"{name: {$exists: false}}]}, \"\n \"node: {ixscan: {filter: null, pattern: {name: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 54825404466061056502205623957494387581,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393040
- },
- {
- "func": "TEST_F(QueryPlannerTest, HintedNotCoveredProjectionIndexFilteredOut) {\n params.options = QueryPlannerParams::NO_UNCOVERED_PROJECTIONS;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQueryAsCommand(fromjson(\n \"{find: 'testns', filter: {a: 1}, projection: {a: 1, b: 1, _id: 0}, hint: {a: 1}}\"));\n assertNumSolutions(0U);\n}",
- "project": "mongo",
- "hash": 110178675444283869993985129460021496947,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393041
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrOfAndCollapseIndenticalScansWithFilter) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{c: 1, $or: [{a:1, b:2}, {a:1, b:2, d:3}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {c: 1}, node: {ixscan: {pattern: {a: 1, b: 1}},\"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]},\"\n \"filter: null}}}\");\n}",
- "project": "mongo",
- "hash": 294247082396239864461305151826020065402,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393042
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectCompoundInsteadBasic) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{a: 1, b: 1}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\n \"{fetch: {filter: {b:1}, node: \"\n \"{ixscan: {filter: null, pattern: {a:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:1}, node: \"\n \"{ixscan: {filter: null, pattern: {b:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {a:1,b:1}}}}}\");\n}",
- "project": "mongo",
- "hash": 236236628014254833218246422530933693806,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393043
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExplodeOrForSort) {\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"b\" << 1 << \"c\" << 1));\n\n runQuerySortProj(fromjson(\"{$or: [{a: 1}, {a: 2}, {b: 2}]}\"), BSON(\"c\" << 1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {bounds: {a: [[1,1,true,true]], \"\n \"c: [['MinKey','MaxKey',true,true]]},\"\n \"pattern: {a:1, c:1}}},\"\n \"{ixscan: {bounds: {a: [[2,2,true,true]], \"\n \"c: [['MinKey','MaxKey',true,true]]},\"\n \"pattern: {a:1, c:1}}},\"\n \"{ixscan: {bounds: {b: [[2,2,true,true]], \"\n \"c: [['MinKey','MaxKey',true,true]]},\"\n \"pattern: {b:1, c:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 301197963884544668691151903362937749703,
- "size": 22,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393044
- },
- {
- "func": "TEST_F(QueryPlannerTest, CantExplodeOrForSort) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n addIndex(BSON(\"d\" << 1 << \"c\" << 1));\n\n runQuerySortProj(fromjson(\"{$or: [{a: {$in: [1, 2]}}, {d: 3}]}\"), BSON(\"c\" << 1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1}}},\"\n \"{ixscan: {pattern: {d: 1, c: 1}}}]}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 313534492925381290023987760478354537661,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393046
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationAndIndexOnEqualityAndNegationBranches) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuerySortProj(fromjson(\"{$and: [{a: 1}, {b: 2}, {b: {$ne: 1}}]}\"), BSONObj(), BSONObj());\n\n assertNumSolutions(3U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1}, \"\n \"bounds: {a: [[1,1,true,true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {b: 1}, \"\n \"bounds: {b: [[2,2,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 90428922145846670203658811574386682602,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393047
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCollscanIfIndexIsMultikey) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n constexpr bool isMultikey = true;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1), isMultikey);\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1, b: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 67824370838596103314249133757458924945,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393048
- },
- {
- "func": "TEST_F(QueryPlannerTest, NestedContainedOrOneChildUsesPredicate) {\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n addIndex(BSON(\"d\" << 1));\n addIndex(BSON(\"f\" << 1));\n addIndex(BSON(\"g\" << 1 << \"a\" << 1));\n\n runQuery(\n fromjson(\"{$and: [{a: 5}, {$or: [{$and: [{b: 6}, {$or: [{c: 7}, {d: 8}]}]}, \"\n \"{$and: [{e: 9}, {$or: [{f: 10}, {g: 11}]}]}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {or: {nodes: [\"\n \"{fetch: {filter: {b: 6}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {d: 1}, bounds: {d: [[8, 8, true, true]]}}}\"\n \"]}}}},\"\n \"{fetch: {filter: {e: 9}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {f: 1}, bounds: {f: [[10, 10, true, true]]}}},\"\n \"{ixscan: {pattern: {g: 1, a: 1}, bounds: {g: [[11, 11, true, true]], a: [[5, 5, true, \"\n \"true]]}}}\"\n \"]}}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 182504597930256776552086401266519197264,
- "size": 25,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393049
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCannotCombineLeadingFields) {\n MultikeyPaths multikeyPaths{{0U}};\n addIndex(BSON(\"a\" << 1), multikeyPaths);\n addIndex(BSON(\"b\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: {$gte: 0}}, {$or: [{a: {$lte: 10}}, {b: 6}]}]}\"));\n assertNumSolutions(3);\n assertSolutionExists(\n \"{fetch: {filter: {a: {$gte: 0}}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1}, bounds: {a: [[-Infinity, 10, true, true]]}}},\"\n \"{ixscan: {pattern: {b: 1}, bounds: {b: [[6, 6, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{a: {$lte: 10}}, {b: 6}]}, node: \"\n \"{ixscan: {pattern: {a: 1}, bounds: {a: [[0, Infinity, true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 204700848872716995336126661421749812209,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393050
- },
- {
- "func": "TEST_F(QueryPlannerTest, KeyPatternOverflowsInt) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << -2147483649LL));\n\n runQuerySortProj(fromjson(\"{a: {$gte: 3, $lte: 5}}\"), fromjson(\"{a: 1}\"), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a: -2147483649}, \"\n \"bounds: {a: [[3, 5, true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 21619438660311298596378788499241154021,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393051
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationCantUseSparseIndex) {\n // false means not multikey, true means sparse\n addIndex(BSON(\"i\" << 1), false, true);\n runQuery(fromjson(\"{i: {$ne: 4}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 224491270161673708968355837627632586833,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393052
- },
- {
- "func": "TEST_F(QueryPlannerTest, CannotTrimIxisectParamBeneathOr) {\n params.options = QueryPlannerParams::CANNOT_TRIM_IXISECT;\n params.options |= QueryPlannerParams::INDEX_INTERSECTION;\n params.options |= QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{d: 1, $or: [{a: 1}, {b: 1, c: 1}]}\"));\n\n assertNumSolutions(3U);\n\n assertSolutionExists(\n \"{fetch: {filter: {d: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {c: 1}, node: {ixscan: {filter: null,\"\n \"pattern: {b: 1}, bounds: {b: [[1,1,true,true]]}}}}},\"\n \"{ixscan: {filter: null, pattern: {a: 1},\"\n \"bounds: {a: [[1,1,true,true]]}}}]}}}}\");\n\n assertSolutionExists(\n \"{fetch: {filter: {d: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {b: 1}, node: {ixscan: {filter: null,\"\n \"pattern: {c: 1}, bounds: {c: [[1,1,true,true]]}}}}},\"\n \"{ixscan: {filter: null, pattern: {a: 1},\"\n \"bounds: {a: [[1,1,true,true]]}}}]}}}}\");\n\n assertSolutionExists(\n \"{fetch: {filter: {d: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {b: 1, c: 1}, node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {b: 1}}},\"\n \"{ixscan: {filter: null, pattern: {c: 1}}}]}}}},\"\n \"{ixscan: {filter: null, pattern: {a: 1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 287878070076194237041234257702319431461,
- "size": 34,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393053
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrOfAndCollapseIndenticalScans) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{c: 1, $or: [{a:1, b:2}, {a:1, b:2}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {c: 1}, node: {ixscan: {pattern: {a: 1, b: 1}},\"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]},\"\n \"filter: null}}}\");\n}",
- "project": "mongo",
- "hash": 314626882257712031420936932308636629115,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393054
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterCompoundProjCovered) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\" << 1 << \"b\" << 1);\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n runQuerySortProj(fromjson(\"{a: 1}\"), BSONObj(), fromjson(\"{_id: 0, a: 1, b: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1 }, type: 'coveredIndex', node: \"\n \"{sharding_filter: {node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 132556060129769586873550761639238046074,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393055
- },
- {
- "func": "TEST_F(QueryPlannerTest, CantUseHashedIndexToProvideSort) {\n addIndex(BSON(\"x\"\n << \"hashed\"));\n runQuerySortProj(BSONObj(), BSON(\"x\" << 1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\n \"{sort: {pattern: {x: 1}, limit: 0, node: {sortKeyGen:\"\n \"{node: {cscan: {dir: 1, filter: {}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 80397399340831779005679673679813319935,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393056
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsBounds) {\n addIndex(BSON(\"b\" << 1));\n\n runQuery(fromjson(\"{b: {$exists: true}}\"));\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {b: {$exists: true}}, node: \"\n \"{ixscan: {pattern: {b: 1}, bounds: \"\n \"{b: [['MinKey', 'MaxKey', true, true]]}}}}}\");\n\n // This ends up being a double negation, which we currently don't index.\n runQuery(fromjson(\"{b: {$not: {$exists: false}}}\"));\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n\n runQuery(fromjson(\"{b: {$exists: false}}\"));\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {b: {$exists: false}}, node: \"\n \"{ixscan: {pattern: {b: 1}, bounds: \"\n \"{b: [[null, null, true, true]]}}}}}\");\n\n runQuery(fromjson(\"{b: {$not: {$exists: true}}}\"));\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {b: {$exists: false}}, node: \"\n \"{ixscan: {pattern: {b: 1}, bounds: \"\n \"{b: [[null, null, true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 322497916871602623416434372546885465071,
- "size": 32,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393057
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationAndIndexOnEquality) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{$and: [{a: 1}, {b: {$ne: 1}}]}\"), BSONObj(), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1},\"\n \"bounds: {a: [[1,1,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 169209607824306825659158708761227391471,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393059
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationOrNotIn) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a: 1}, {b: {$nin: [1]}}]}\"), BSONObj(), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 318778560782654500883962009180987063611,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393060
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonPrefixRegexOrCovering) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(\n fromjson(\"{$or: [{a: /0/}, {a: /1/}]}\"), BSONObj(), fromjson(\"{_id: 0, a: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1, filter: {$or: [{a: /0/}, {a: /1/}]}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{ixscan: {filter: {$or: [{a: /0/}, {a: /1/}]}, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 63497059621928700789167414524087467836,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393061
- },
- {
- "func": "TEST_F(QueryPlannerTest, InCompoundIndexFirst) {\n addIndex(fromjson(\"{a: 1, b: 1}\"));\n runQuery(fromjson(\"{a: {$in: [1, 2]}, b: 3}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {b: 3, a: {$in: [1, 2]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, \"\n \"node: {ixscan: {pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 117938382842480105477250149398010167016,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393062
- },
- {
- "func": "TEST_F(QueryPlannerTest, GreaterThanEqual) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(BSON(\"x\" << BSON(\"$gte\" << 5)));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: {$gte: 5}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 336276631503935954118167664468931309404,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393063
- },
- {
- "func": "TEST_F(QueryPlannerTest, EnumerateNestedOr2) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n addIndex(BSON(\"d\" << 1));\n addIndex(BSON(\"e\" << 1));\n addIndex(BSON(\"f\" << 1));\n\n runQuery(fromjson(\"{a: 1, b: 1, $or: [{c: 1, d: 1}, {e: 1, f: 1}]}\"));\n\n assertNumSolutions(6U);\n\n // Four possibilities from indexing the $or.\n assertSolutionExists(\n \"{fetch: {filter: {a: 1, b: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {d: 1}, node: {ixscan: {pattern: {c: 1}}}}},\"\n \"{fetch: {filter: {f: 1}, node: {ixscan: {pattern: {e: 1}}}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a: 1, b: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {c: 1}, node: {ixscan: {pattern: {d: 1}}}}},\"\n \"{fetch: {filter: {f: 1}, node: {ixscan: {pattern: {e: 1}}}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a: 1, b: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {d: 1}, node: {ixscan: {pattern: {c: 1}}}}},\"\n \"{fetch: {filter: {e: 1}, node: {ixscan: {pattern: {f: 1}}}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a: 1, b: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {c: 1}, node: {ixscan: {pattern: {d: 1}}}}},\"\n \"{fetch: {filter: {e: 1}, node: {ixscan: {pattern: {f: 1}}}}}\"\n \"]}}}}\");\n\n // Two possibilties from outside the $or.\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {a: 1}}}}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 278769644651541766488468533379689396940,
- "size": 39,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393065
- },
- {
- "func": "TEST_F(QueryPlannerTest, IndexFilterAppliedTrue) {\n params.indexFiltersApplied = true;\n\n addIndex(BSON(\"x\" << 1));\n\n runQuery(BSON(\"x\" << 5));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: 5}}}\");\n assertSolutionExists(\"{fetch: {filter: null, node: {ixscan: {pattern: {x: 1}}}}}\");\n\n // Check indexFilterApplied in query solutions;\n for (auto it = solns.begin(); it != solns.end(); ++it) {\n QuerySolution* soln = it->get();\n ASSERT_EQUALS(params.indexFiltersApplied, soln->indexFilterApplied);\n }\n}",
- "project": "mongo",
- "hash": 189658958116736798977957814322350794991,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393066
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsTrueSparseIndex) {\n addIndex(BSON(\"x\" << 1), false, true);\n\n runQuery(fromjson(\"{x: {$exists: true}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 240231571515747403968780181209208071828,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393067
- },
- {
- "func": "TEST_F(QueryPlannerTest, IndexBoundsUnindexedSortHint) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortHint(fromjson(\"{$or: [{a: 1}, {a: 2}]}\"), BSON(\"b\" << 1), BSON(\"a\" << 1));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sort: {pattern: {b:1}, limit: 0, node: {sortKeyGen: {node: {fetch: \"\n \"{filter: null, node: {ixscan: {filter: null, \"\n \"pattern: {a:1}, bounds: {a: [[1,1,true,true], [2,2,true,true]]}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 49557392537646226373039605865187272673,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393068
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrCombineLeadingFieldsMoveToAnd) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n\n runQuery(\n fromjson(\"{$and: [{a: {$gte: 0}}, {$or: [{$and: [{a: {$lte: 10}}, {b: 6}]}, {c: 7}]}]}\"));\n assertNumSolutions(3);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[0, 10, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [[0, Infinity, \"\n \"true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{a: {$lte: 10}}, {b: 6}]}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[0, Infinity, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 179941219093230375067489261424761317843,
- "size": 21,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393069
- },
- {
- "func": "TEST_F(QueryPlannerTest, MultipleContainedOrWithIndexIntersectionEnabled) {\n params.options = QueryPlannerParams::INCLUDE_COLLSCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1));\n addIndex(BSON(\"d\" << 1 << \"a\" << 1));\n addIndex(BSON(\"e\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}, {$or: [{d: 8}, {e: 9}]}]}\"));\n\n assertNumSolutions(6U);\n\n // Non-ixisect solutions.\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{d: 8}, {e: 9}], a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {b: 1, a: 1},\"\n \"bounds: {b: [[6,6,true,true]], a: [[5,5,true,true]]}}},\"\n \"{ixscan: {filter: null, pattern: {c: 1}, bounds: {c: [[7,7,true,true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}], a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {d: 1, a: 1},\"\n \"bounds: {d: [[8,8,true,true]], a: [[5,5,true,true]]}}},\"\n \"{ixscan: {filter: null, pattern: {e: 1}, bounds: {e: [[9,9,true,true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and: [{$or: [{b: 6}, {c: 7}]}, {$or: [{d: 8}, {e: 9}]}]}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}, bounds: {a: [[5,5,true,true]]}}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n\n // Ixisect solutions.\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{d: 8}, {e: 9}]}, node: {andHash: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {b: 1, a: 1},\"\n \"bounds: {b: [[6,6,true,true]], a: [[5,5,true,true]]}}},\"\n \"{ixscan: {filter: null, pattern: {c: 1}, bounds: {c: [[7,7,true,true]]}}}\"\n \"]}},\"\n \"{ixscan: {filter: null, pattern: {a: 1}, bounds: {a: [[5,5,true,true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: {andHash: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {d: 1, a: 1},\"\n 
\"bounds: {d: [[8,8,true,true]], a: [[5,5,true,true]]}}},\"\n \"{ixscan: {filter: null, pattern: {e: 1}, bounds: {e: [[9,9,true,true]]}}}\"\n \"]}},\"\n \"{ixscan: {filter: null, pattern: {a: 1}, bounds: {a: [[5,5,true,true]]}}}\"\n \"]}}}}\");\n}",
- "project": "mongo",
- "hash": 143544704585300300963806837761999254985,
- "size": 50,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393070
- },
- {
- "func": "TEST_F(QueryPlannerTest, CoveredSkipWithIndex) {\n addIndex(fromjson(\"{a: 1, b: 1}\"));\n\n runQuerySortProjSkipNToReturn(\n fromjson(\"{a: 5}\"), BSONObj(), fromjson(\"{_id: 0, a: 1, b: 1}\"), 8, 0);\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1}, node: \"\n \"{skip: {n: 8, node: {cscan: {dir: 1, filter: {a: 5}}}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1}, \"\n \"node: {skip: {n: 8, node: {ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 5210377698578808862033022787247383907,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393071
- },
- {
- "func": "TEST_F(QueryPlannerTest, TwoPlansElemMatch) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"arr.x\" << 1 << \"a\" << 1));\n\n runQuery(\n fromjson(\"{arr: { $elemMatch : { x : 5 , y : 5 } },\"\n \" a : 55 , b : { $in : [ 1 , 5 , 8 ] } }\"));\n\n // 2 indexed solns and one non-indexed\n ASSERT_EQUALS(getNumSolutions(), 3U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1}, bounds: \"\n \"{a: [[55,55,true,true]], b: [[1,1,true,true], \"\n \"[5,5,true,true], [8,8,true,true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and: [{arr:{$elemMatch:{x:5,y:5}}},\"\n \"{b:{$in:[1,5,8]}}]}, \"\n \"node: {ixscan: {pattern: {'arr.x':1,a:1}, bounds: \"\n \"{'arr.x': [[5,5,true,true]], 'a':[[55,55,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 118984698218554988999959333737391584356,
- "size": 21,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393072
- },
- {
- "func": "TEST_F(QueryPlannerTest, RootedOrOfAndCollapseIndenticalScans) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{$or: [{a:1, b:2}, {a:1, b:2}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a: 1, b: 1}},\"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]},\"\n \"filter: null}}}\");\n}",
- "project": "mongo",
- "hash": 166710255973449787152827913505784783652,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393073
- },
- {
- "func": "TEST_F(QueryPlannerTest, EqualityIndexScan) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(BSON(\"x\" << 5));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: 5}}}\");\n assertSolutionExists(\"{fetch: {filter: null, node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 326092435937096363734738875172309593404,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393074
- },
- {
- "func": "TEST_F(QueryPlannerTest, MinBadHint) {\n addIndex(BSON(\"b\" << 1));\n runInvalidQueryHintMinMax(BSONObj(), fromjson(\"{b: 1}\"), fromjson(\"{a: 1}\"), BSONObj());\n}",
- "project": "mongo",
- "hash": 190896516882203812977861984773346693680,
- "size": 4,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393075
- },
- {
- "func": "TEST_F(QueryPlannerTest, InCantUseHashedIndexWithRegex) {\n addIndex(BSON(\"a\"\n << \"hashed\"));\n runQuery(fromjson(\"{a: {$in: [/abc/]}}\"));\n ASSERT_EQUALS(getNumSolutions(), 1U);\n}",
- "project": "mongo",
- "hash": 54941173205593023570748747854296584564,
- "size": 6,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393076
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrMultikeyCannotCombineTrailingFields) {\n const bool multikey = true;\n addIndex(BSON(\"b\" << 1 << \"a\" << 1), multikey);\n addIndex(BSON(\"c\" << 1));\n\n runQuery(\n fromjson(\"{$and: [{a: {$gte: 0}}, {$or: [{$and: [{a: {$lte: 10}}, {b: 6}]}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n std::vector<std::string> alternates;\n alternates.push_back(\n \"{fetch: {filter: {a: {$gte: 0}}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[-Infinity, 10, \"\n \"true, true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n alternates.push_back(\n \"{fetch: {filter: {a: {$gte: 0}}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[0, Infinity, \"\n \"true, true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertHasOneSolutionOf(alternates);\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 234746786509050281467708164526401986588,
- "size": 24,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393077
- },
- {
- "func": "TEST_F(QueryPlannerTest, MinValid) {\n addIndex(BSON(\"a\" << 1));\n runQueryHintMinMax(BSONObj(), BSONObj(), fromjson(\"{a: 1}\"), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, \"\n \"node: {ixscan: {filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 215685150172519314550076586708974278625,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393078
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsFalseOnUnindexedField) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(fromjson(\"{x: 1, y: {$exists: false}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 258544296604760320003781636372786603135,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393079
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoKeepWithMergeSort) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{a: {$in: [1, 2]}}\"), BSON(\"b\" << 1), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {mergeSort: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1},\"\n \"bounds: {a: [[1,1,true,true]], b: [['MinKey','MaxKey',true,true]]}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1},\"\n \"bounds: {a: [[2,2,true,true]], b: [['MinKey','MaxKey',true,true]]}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 281277428925317092296859584141107029258,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393080
- },
- {
- "func": "TEST_F(QueryPlannerTest, EquivalentAndsOne) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{$and: [{a: 1}, {b: {$all: [10, 20]}}]}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {$and:[{a:1},{b:10},{b:20}]}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 203947649638564956088069352970299332139,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393081
- },
- {
- "func": "TEST_F(QueryPlannerTest, IndexBoundsIndexedSort) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a: 1}, {a: 2}]}\"), BSON(\"a\" << 1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {a:1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {filter: {$or:[{a:1},{a:2}]}, dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {filter: null, \"\n \"pattern: {a:1}, bounds: {a: [[1,1,true,true], [2,2,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 120980686074387831921221065078965824456,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393082
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrCombineLeadingFields) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: {$gte: 0}}, {$or: [{a: {$lte: 10}}, {b: 6}]}]}\"));\n assertNumSolutions(3);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1}, bounds: {a: [[0, 10, true, true]]}}},\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[0, Infinity, \"\n \"true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{a: {$lte: 10}}, {b: 6}]}, node: \"\n \"{ixscan: {pattern: {a: 1}, bounds: {a: [[0, Infinity, true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 8865997958710290982057721444453019203,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393083
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationElemMatchObject2) {\n addIndex(BSON(\"i.j\" << 1));\n runQuery(fromjson(\"{i: {$not: {$elemMatch: {j: {$ne: 1}}}}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 274970740790647541508240656247791061209,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393084
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrCollapsesToSingleScan3) {\n addIndex(BSON(\"a\" << 1));\n runQueryHint(fromjson(\"{$or: [{a:1},{a:3}]}\"), fromjson(\"{a:1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [[1,1,true,true], [3,3,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 236976622139717227175467876454793846369,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393085
- },
- {
- "func": "TEST_F(QueryPlannerTest, SimpleOr) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a: 20}, {a: 21}]}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {$or: [{a: 20}, {a: 21}]}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a:1}}}}}\");\n}",
- "project": "mongo",
- "hash": 132340635615388957326144182701125024965,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393086
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinSort) {\n addIndex(BSON(\"a\" << 1));\n\n // Run an empty query, sort {a: 1}, max/min arguments.\n runQueryFull(BSONObj(),\n fromjson(\"{a: 1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 2}\"),\n fromjson(\"{a: 8}\"),\n false);\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 207247680011754907183128321285004596295,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393087
- },
- {
- "func": "TEST_F(QueryPlannerTest, CannotIntersectSubnodes) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n addIndex(BSON(\"d\" << 1));\n\n runQuery(fromjson(\"{$or: [{a: 1}, {b: 1}], $or: [{c: 1}, {d: 1}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{c: 1}, {d: 1}]}, node: {or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a: 1}}},\"\n \"{ixscan: {filter: null, pattern: {b: 1}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{a: 1}, {b: 1}]}, node: {or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {c: 1}}},\"\n \"{ixscan: {filter: null, pattern: {d: 1}}}\"\n \"]}}}}\");\n}",
- "project": "mongo",
- "hash": 96296272792594088194661105123571262934,
- "size": 21,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393088
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrWithAndChild) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a: 20}, {$and: [{a:1}, {b:7}]}]}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a: 1}}}, \"\n \"{fetch: {filter: {b: 7}, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1}}}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 336051970745652966577623280357161794801,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393089
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectManySelfIntersections) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n // True means multikey.\n addIndex(BSON(\"a\" << 1), true);\n\n // This one goes to 11.\n runQuery(fromjson(\"{a:1, a:2, a:3, a:4, a:5, a:6, a:7, a:8, a:9, a:10, a:11}\"));\n\n // But this one only goes to 10.\n assertSolutionExists(\n \"{fetch: {filter: {a:11}, node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 1\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 2\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 3\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 4\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 5\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 6\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 7\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 8\n \"{ixscan: {filter: null, pattern: {a:1}}},\" // 9\n \"{ixscan: {filter: null, pattern: {a:1}}}]}}}}\"); // 10\n}",
- "project": "mongo",
- "hash": 128154009910910669420129969422000203694,
- "size": 22,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393090
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrOfAnd4) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(\n fromjson(\"{$or: [{a:{$gt:1,$lt:5}, b:{$gt:0,$lt:3}, c:6}, \"\n \"{a:3, b:{$gt:1,$lt:2}, c:{$gt:0,$lt:10}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c:6}, node: {ixscan: {pattern: {a:1,b:1}, \"\n \"bounds: {a: [[1,5,false,false]], b: [[0,3,false,false]]}}}}}, \"\n \"{fetch: {filter: {$and:[{c:{$lt:10}},{c:{$gt:0}}]}, node: \"\n \"{ixscan: {pattern: {a:1,b:1}, \"\n \" bounds: {a:[[3,3,true,true]], b:[[1,2,false,false]]}}}}}]}}\");\n}",
- "project": "mongo",
- "hash": 314269255720389838652249571268809778403,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393091
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundIndexBoundsLastFieldMissing) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n runQuery(fromjson(\"{a: 5, b: {$gt: 7}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1, c: 1}, bounds: \"\n \"{a: [[5,5,true,true]], b: [[7,Infinity,false,true]], \"\n \" c: [['MinKey','MaxKey',true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 14580253076646201879303519621129531453,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393092
- },
- {
- "func": "TEST_F(QueryPlannerTest, LockstepOrEnumerationSanityCheckTwoChildrenOneIndexEach) {\n params.options =\n QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::ENUMERATE_OR_CHILDREN_LOCKSTEP;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n\n runQueryAsCommand(fromjson(\"{find: 'testns', filter: {a: 1, $or: [{b: 1}, {c: 2}]}}\"));\n\n assertNumSolutions(3U);\n\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [{ixscan: {pattern: {a: 1, b: 1}}}, {ixscan: \"\n \"{pattern: {a: 1, c: 1}}}]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: {$eq: 1}}, {c: {$eq: 2}}]}, node: {ixscan: {pattern: {a: 1, \"\n \"b: 1}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: {$eq: 1}}, {c: {$eq: 2}}]}, node: {ixscan: {pattern: {a: 1, \"\n \"c: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 136357904830911574059266309454618808282,
- "size": 20,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393093
- },
- {
- "func": "TEST_F(QueryPlannerTest, AndOfAnd) {\n addIndex(BSON(\"x\" << 1));\n runQuery(fromjson(\"{$and: [ {$and: [ {x: 2.5}]}, {x: {$gt: 1}}, {x: {$lt: 3}} ] }\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 92957565637392107287247459206695280722,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393094
- },
- {
- "func": "TEST_F(QueryPlannerTest, EqualityIndexScanWithTrailingFields) {\n addIndex(BSON(\"x\" << 1 << \"y\" << 1));\n\n runQuery(BSON(\"x\" << 5));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: 5}}}\");\n assertSolutionExists(\"{fetch: {filter: null, node: {ixscan: {pattern: {x: 1, y: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 94604599607497996008766425326439876819,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393095
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicateIsLeadingFieldMoveToAndWithFilter) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"d\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}]}\"));\n assertNumSolutions(4);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{fetch: {filter: {c: 7}, node: {ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, \"\n \"true]], b: [[6, 6, true, \"\n \"true]]}}}}},\"\n \"{ixscan: {pattern: {a: 1, d: 1}, bounds: {a: [[5, 5, true, true]], d: [[8, 8, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}, node: \"\n \"{ixscan: {pattern: {a: 1, d: 1}, bounds: {a: [[5, 5, true, true]], d: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 69992925967680897263237800751296478895,
- "size": 26,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393096
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCombineTrailingFields) {\n MultikeyPaths multikeyPaths{{0U}, {}};\n addIndex(BSON(\"b\" << 1 << \"a\" << 1), multikeyPaths);\n addIndex(BSON(\"c\" << 1));\n\n runQuery(\n fromjson(\"{$and: [{a: {$gte: 0}}, {$or: [{$and: [{a: {$lte: 10}}, {b: 6}]}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {a: {$gte: 0}}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[0, 10, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 252184710683510687707732199477476903995,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393097
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrMultiplePredicates) {\n addIndex(BSON(\"c\" << 1 << \"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"d\" << 1 << \"b\" << 1 << \"a\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {b: 6}, {$or: [{c: 7}, {d: 8}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {c: 1, a: 1, b: 1}, bounds: {c: [[7, 7, true, true]], a: [[5, 5, true, \"\n \"true]], b: [[6, 6, true, true]]}}},\"\n \"{ixscan: {pattern: {d: 1, b: 1, a: 1}, bounds: {d: [[8, 8, true, true]], b: [[6, 6, true, \"\n \"true]], a: [[5, 5, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 88937427857987812214739886446817430514,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393098
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionDoesNotUseCoveredIxscanIfDisabled) {\n params.options &= ~QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 67096756890534520138498288143847481766,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393099
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationAndIndexOnInequality) {\n addIndex(BSON(\"b\" << 1));\n runQuerySortProj(fromjson(\"{$and: [{a: 1}, {b: {$ne: 1}}]}\"), BSONObj(), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:1}, node: {ixscan: {pattern: {b:1}, \"\n \"bounds: {b: [['MinKey',1,true,false], \"\n \"[1,'MaxKey',false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 104707670049001259389543063048121966590,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393100
- },
- {
- "func": "TEST_F(QueryPlannerTest, IndexFilterAppliedDefault) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(BSON(\"x\" << 5));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: 5}}}\");\n assertSolutionExists(\"{fetch: {filter: null, node: {ixscan: {pattern: {x: 1}}}}}\");\n\n // Check indexFilterApplied in query solutions;\n for (auto it = solns.begin(); it != solns.end(); ++it) {\n QuerySolution* soln = it->get();\n ASSERT_FALSE(soln->indexFilterApplied);\n }\n}",
- "project": "mongo",
- "hash": 68683081860518375518372909711333411770,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393101
- },
- {
- "func": "TEST_F(QueryPlannerTest, HintValidWithPredicate) {\n addIndex(BSON(\"a\" << 1));\n runQueryHint(fromjson(\"{a: {$gt: 1}}\"), fromjson(\"{a: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, \"\n \"node: {ixscan: {filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 114440008817823715890532637685348792734,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393102
- },
- {
- "func": "TEST_F(QueryPlannerTest, CantExplodeWithEmptyBounds) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{a: {$in: []}}\"), BSON(\"b\" << 1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {b:1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {b:1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 151694033800007838348726534410531802976,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393103
- },
- {
- "func": "TEST_F(QueryPlannerTest, MergeSortReverseScanOneIndexNotExplodeForSort) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"a\" << -1 << \"b\" << -1));\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {$or: [{a: 1, b: 1}, {a: {$lt: 0}}]}, sort: {a: -1}}\"));\n\n assertNumSolutions(5U);\n assertSolutionExists(\n \"{sort: {pattern: {a: -1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: -1, b: -1}, dir: 1}}, {ixscan: {pattern: {a: 1}, dir: -1}}]}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{fetch: {filter: {b: 1}, node: {ixscan: {pattern: {a: 1}, dir: -1}}}}, {ixscan: \"\n \"{pattern: {a: 1}, dir: -1}}]}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{fetch: {filter: {b: 1}, node: {ixscan: {pattern: {a: 1}, dir: -1}}}}, {ixscan: \"\n \"{pattern: {a: -1, b: -1}, dir: 1}}]}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: -1, b: -1}, dir: 1}}, {ixscan: {pattern: {a: -1, b: -1}, dir: \"\n \"1}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 205284572304512423122804778369769674489,
- "size": 26,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393104
- },
- {
- "func": "TEST_F(QueryPlannerTest, AndWithOrWithOneIndex) {\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{b:1}, {c:7}], a:20}\"));\n\n // Logical rewrite gives us at least one of these:\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n size_t matches = 0;\n matches += numSolutionMatches(\n \"{fetch: {filter: {$or: [{b: 1}, {c: 7}]}, \"\n \"node: {ixscan: {filter: null, pattern: {a: 1}}}}}\");\n matches += numSolutionMatches(\n \"{or: {filter: null, nodes: [\"\n \"{fetch: {filter: {b:1}, node: {\"\n \"ixscan: {filter: null, pattern: {a:1}}}}},\"\n \"{fetch: {filter: {c:7}, node: {\"\n \"ixscan: {filter: null, pattern: {a:1}}}}}]}}\");\n ASSERT_GREATER_THAN_OR_EQUALS(matches, 1U);\n}",
- "project": "mongo",
- "hash": 51247089642623315446635160600220763636,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393105
- },
- {
- "func": "TEST_F(QueryPlannerTest, AndWithNestedNE) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{a: {$gt: -1, $lt: 1, $ne: 0}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [[-1,0,false,false], \"\n \"[0,1,false,false]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 181397326204497552481354510134768743553,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393106
- },
- {
- "func": "TEST_F(QueryPlannerTest, InCompoundIndexLast) {\n addIndex(fromjson(\"{a: 1, b: 1}\"));\n runQuery(fromjson(\"{a: 3, b: {$in: [1, 2]}}\"));\n\n assertNumSolutions(2U);\n // TODO: update filter in cscan solution when SERVER-12024 is implemented\n assertSolutionExists(\"{cscan: {dir: 1, filter: {a: 3, b: {$in: [1, 2]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, \"\n \"node: {ixscan: {pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 25930871364075823668237546908957554849,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393107
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrOnePredicateIsLeadingFieldMoveToAnd) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1 << \"d\" << 1));\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"e\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {b: 6}, {$or: [{$and: [{c: 7}, {d: 8}]}, {e: 9}]}]}\"));\n assertNumSolutions(4);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1, d: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, \"\n \"true, true]], c: [[7, 7, true, true]], d: [[8, 8, true, true]]}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, e: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]], e: [[9, 9, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{c: 7}, {d: 8}]}, {e: 9}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1, d: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, \"\n \"true, true]], c: [['MinKey', 'MaxKey', true, true]], d: [['MinKey', 'MaxKey', true, \"\n \"true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{c: 7}, {d: 8}]}, {e: 9}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1, e: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]], e: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 112559289622790329075782054940952515177,
- "size": 26,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393108
- },
- {
- "func": "TEST_F(QueryPlannerTest, HintOnNonUniqueIndex) {\n params.options = QueryPlannerParams::INDEX_INTERSECTION;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1),\n false, // multikey\n false, // sparse,\n true); // unique\n\n runQueryHint(fromjson(\"{a: 1, b: 1}\"), BSON(\"a\" << 1));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: {b: 1}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 224866965562239345031883546879691035582,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393109
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsFalse) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(fromjson(\"{x: {$exists: false}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 227594385996837949211728398260286870129,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393110
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundIndexBoundsIntersectRanges) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n runQuery(fromjson(\"{a: {$gt: 1, $lt: 10}, c: {$gt: 1, $lt: 10}}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a:1,b:1,c:1}, \"\n \"bounds: {a: [[1,10,false,false]], \"\n \"b: [['MinKey','MaxKey',true,true]], \"\n \"c: [[1,10,false,false]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a:1,c:1}, \"\n \"bounds: {a: [[1,10,false,false]], \"\n \"c: [[1,10,false,false]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 85055604089079010422131829598692069913,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393111
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectSortFromAndHash) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuerySortProj(fromjson(\"{a: 1, b:{$gt: 1}}\"), fromjson(\"{b:1}\"), BSONObj());\n\n // This provides the sort.\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1}}},\"\n \"{ixscan: {filter: null, pattern: {b:1}}}]}}}}\");\n\n // Rearrange the preds, shouldn't matter.\n runQuerySortProj(fromjson(\"{b: 1, a:{$lt: 7}}\"), fromjson(\"{b:1}\"), BSONObj());\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1}}},\"\n \"{ixscan: {filter: null, pattern: {b:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 28696748727592543561130985684629145600,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393112
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectDisableAndHash) {\n bool oldEnableHashIntersection = internalQueryPlannerEnableHashIntersection.load();\n\n // Turn index intersection on but disable hash-based intersection.\n internalQueryPlannerEnableHashIntersection.store(false);\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{a: {$gt: 1}, b: 1, c: 1}\"));\n\n // We should do an AND_SORT intersection of {b: 1} and {c: 1}, but no AND_HASH plans.\n assertNumSolutions(4U);\n assertSolutionExists(\n \"{fetch: {filter: {b: 1, c: 1}, node: {ixscan: \"\n \"{pattern: {a: 1}, bounds: {a: [[1,Infinity,false,true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:{$gt:1},c:1}, node: {ixscan: \"\n \"{pattern: {b: 1}, bounds: {b: [[1,1,true,true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:{$gt:1},b:1}, node: {ixscan: \"\n \"{pattern: {c: 1}, bounds: {c: [[1,1,true,true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:{$gt:1}}, node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {b:1}}},\"\n \"{ixscan: {filter: null, pattern: {c:1}}}]}}}}\");\n\n // Restore the old value of the has intersection switch.\n internalQueryPlannerEnableHashIntersection.store(oldEnableHashIntersection);\n}",
- "project": "mongo",
- "hash": 2741026491913753697350982249706160109,
- "size": 32,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393114
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionDoesNotConsiderNonHintedIndices) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1}, hint: {_id: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {_id: 1}, \"\n \"bounds: {_id: [['MinKey', 'MaxKey', true, true]]}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 269430267631611915312885807690905614074,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393115
- },
- {
- "func": "TEST_F(QueryPlannerTest, SkipAndSoftLimit) {\n addIndex(BSON(\"x\" << 1));\n\n runQuerySkipNToReturn(BSON(\"x\" << BSON(\"$lte\" << 4)), 7, 2);\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{skip: {n: 7, node: \"\n \"{cscan: {dir: 1, filter: {x: {$lte: 4}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {skip: {n: 7, node: \"\n \"{ixscan: {filter: null, pattern: {x: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 19195583342749883536600700774447572747,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393116
- },
- {
- "func": "TEST_F(QueryPlannerTest, SparseIndexIgnoreForSort) {\n addIndex(fromjson(\"{a: 1}\"), false, true);\n runQuerySortProj(BSONObj(), fromjson(\"{a: 1}\"), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sort: {pattern: {a: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n}",
- "project": "mongo",
- "hash": 285116630948301740183124799453291865231,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393117
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoKeepWithNToReturn) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n params.options |= QueryPlannerParams::SPLIT_LIMITED_SORT;\n addIndex(BSON(\"a\" << 1));\n runQuerySortProjSkipNToReturn(fromjson(\"{a: 1}\"), fromjson(\"{b: 1}\"), BSONObj(), 0, 3);\n\n assertSolutionExists(\n \"{ensureSorted: {pattern: {b: 1}, node: \"\n \"{or: {nodes: [\"\n \"{sort: {pattern: {b: 1}, limit: 3, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {ixscan: {pattern: {a: 1}}}}}}}}}, \"\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {ixscan: {pattern: {a: 1}}}}}}}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 47535862105249636382089692049132519826,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393118
- },
- {
- "func": "TEST_F(QueryPlannerTest, NestedContainedOr) {\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"d\" << 1 << \"a\" << 1));\n addIndex(BSON(\"e\" << 1 << \"a\" << 1));\n\n runQuery(\n fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {$and: [{c: 7}, {$or: [{d: 8}, {e: 9}]}]}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{fetch: {filter: {c: 7}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {d: 1, a: 1}, bounds: {d: [[8, 8, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {e: 1, a: 1}, bounds: {e: [[9, 9, true, true]], a: [[5, 5, true, \"\n \"true]]}}}\"\n \"]}}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 312090570179748625350709009432784232356,
- "size": 21,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393119
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonTopLevelIndexedNegation) {\n addIndex(BSON(\"state\" << 1));\n addIndex(BSON(\"is_draft\" << 1));\n addIndex(BSON(\"published_date\" << 1));\n addIndex(BSON(\"newsroom_id\" << 1));\n\n BSONObj queryObj = fromjson(\n \"{$and:[{$or:[{is_draft:false},{creator_id:1}]},\"\n \"{$or:[{state:3,is_draft:false},\"\n \"{published_date:{$ne:null}}]},\"\n \"{newsroom_id:{$in:[1]}}]}\");\n runQuery(queryObj);\n}",
- "project": "mongo",
- "hash": 18628006739077539370574963735698974218,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393120
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationElemMatchObject) {\n addIndex(BSON(\"i.j\" << 1));\n runQuery(fromjson(\"{i: {$not: {$elemMatch: {j: 1}}}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 47104090888158532563672915398649406454,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393121
- },
- {
- "func": "TEST_F(QueryPlannerTest, IndexBoundsAndWithNestedOr) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$and: [{a: 1, $or: [{a: 2}, {a: 3}]}]}\"));\n\n // Given that the index over 'a' isn't multikey, we ideally won't generate any solutions\n // since we know the query describes an empty set if 'a' isn't multikey. Any solutions\n // below are \"this is how it currently works\" instead of \"this is how it should work.\"\n\n // It's kind of iffy to look for indexed solutions so we don't...\n size_t matches = 0;\n matches += numSolutionMatches(\n \"{cscan: {dir: 1, filter: \"\n \"{$or: [{a: 2, a:1}, {a: 3, a:1}]}}}\");\n matches += numSolutionMatches(\n \"{cscan: {dir: 1, filter: \"\n \"{$and: [{$or: [{a: 2}, {a: 3}]}, {a: 1}]}}}\");\n ASSERT_GREATER_THAN_OR_EQUALS(matches, 1U);\n}",
- "project": "mongo",
- "hash": 159002609811706012158833029323994655703,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393122
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrCollapsesToSingleScan2) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a:{$lt:2}}, {a:{$lt:4}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [[-Infinity,4,true,false]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 38262344488296403139276575465236163256,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393123
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrOfAnd) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a:{$gt:2,$lt:10}}, {a:{$gt:0,$lt:5}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a:1}, bounds: {a: [[2,10,false,false]]}}}, \"\n \"{ixscan: {pattern: {a:1}, bounds: \"\n \"{a: [[0,5,false,false]]}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 71104803924299292643580863808461969409,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393125
- },
- {
- "func": "TEST_F(QueryPlannerTest, NinUsesMultikeyIndex) {\n // true means multikey\n addIndex(BSON(\"a\" << 1), true);\n runQuery(fromjson(\"{a: {$nin: [4, 10]}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:{$nin:[4,10]}}, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [['MinKey',4,true,false],\"\n \"[4,10,false,false],\"\n \"[10,'MaxKey',false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 189075725688925288294691147759767024117,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393126
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithoutProjectionUsesCollscan) {\n addIndex(BSON(\"a\" << 1));\n runQuery(BSONObj());\n assertNumSolutions(1);\n assertSolutionExists(\"{cscan: {dir: 1}}}\");\n}",
- "project": "mongo",
- "hash": 165684767679492404304197809872900206566,
- "size": 6,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393127
- },
- {
- "func": "TEST_F(QueryPlannerTest, Mod) {\n addIndex(BSON(\"a\" << 1));\n\n runQuery(fromjson(\"{a: {$mod: [2, 0]}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {a: {$mod: [2, 0]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: {a: {$mod: [2, 0]}}, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 94133996522280422417840378664704840339,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393128
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCompoundFields) {\n MultikeyPaths multikeyPaths{{0U}, {0U}};\n addIndex(BSON(\"b\" << 1 << \"a\" << 1), multikeyPaths);\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 179274665551208333571071153583077013705,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393129
- },
- {
- "func": "TEST_F(QueryPlannerTest, NaturalHint) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuerySortHint(BSON(\"a\" << 1), BSON(\"b\" << 1), BSON(\"$natural\" << 1));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {filter: {a: 1}, dir: 1}}}}}}\");\n}",
- "project": "mongo",
- "hash": 32972094775364650856806941277453852330,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393130
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationIndexForSort) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{a: {$ne: 1}}\"), fromjson(\"{a: 1}\"), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {a: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1}, \"\n \"bounds: {a: [['MinKey',1,true,false], \"\n \"[1,'MaxKey',false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 311373871131537740093799403318532880270,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393131
- },
- {
- "func": "TEST_F(QueryPlannerTest, SparseIndexPreferCompoundIndexForSort) {\n addIndex(fromjson(\"{a: 1}\"), false, true);\n addIndex(fromjson(\"{a: 1, b: 1}\"));\n runQuerySortProj(BSONObj(), fromjson(\"{a: 1}\"), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {a: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 210933572012156853282452468185686296489,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393132
- },
- {
- "func": "TEST_F(QueryPlannerTest, ProjNonCovering) {\n addIndex(BSON(\"x\" << 1));\n runQuerySortProj(fromjson(\"{ x : {$gt: 1}}\"), BSONObj(), fromjson(\"{x: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {x: 1}, node: {cscan: \"\n \"{dir: 1, filter: {x: {$gt: 1}}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {x: 1}, node: {fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {x: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 291102650667039666966913997383414551345,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393133
- },
- {
- "func": "TEST_F(QueryPlannerTest, HintedBlockingSortIndexFilteredOut) {\n params.options = QueryPlannerParams::NO_BLOCKING_SORT;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {a: 1, b: 1}, sort: {b: 1}, hint: {a: 1}}\"));\n assertNumSolutions(0U);\n}",
- "project": "mongo",
- "hash": 208017026680893034377949748665036955433,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393134
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundIndexBoundsStringBounds) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{a: {$gt: 'foo'}, b: {$gte: 'bar'}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {filter: null, pattern: \"\n \"{a: 1, b: 1}, bounds: {a: [['foo',{},false,false]], \"\n \"b:[['bar',{},true,false]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 19022480509473876679059075551135185938,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393135
- },
- {
- "func": "TEST_F(QueryPlannerTest,\n EmptyQueryWithProjectionDoesNotUseCoveredIxscanOnDotttedNonMultikeyIndexIfDisabled) {\n params.options &= ~QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a.b\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, 'a.b': 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, 'a.b': 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 39463928021061846426497787279457730487,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393136
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatePredOnCompoundIndex) {\n addIndex(BSON(\"x\" << 1 << \"a\" << 1));\n runQuery(fromjson(\"{x: 1, a: {$ne: 1}, b: {$ne: 2}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {x:1,a:1}, bounds: \"\n \"{x: [[1,1,true,true]], \"\n \"a: [['MinKey',1,true,false], [1,'MaxKey',false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 340265329963639780111056058294837163796,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393137
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonPrefixRegexInCovering) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{a: {$in: [/foo/, /bar/]}}\"), BSONObj(), fromjson(\"{_id: 0, a: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1, filter: {a:{$in:[/foo/,/bar/]}}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{ixscan: {filter: {a:{$in:[/foo/,/bar/]}}, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 272861909429850640186217357412211547583,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393138
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrMultikeyCompoundTrailingFields) {\n const bool multikey = true;\n addIndex(BSON(\"b\" << 1 << \"a\" << 1 << \"c\" << 1), multikey);\n addIndex(BSON(\"d\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1, c: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]], c: [[7, 7, true, true]]}}},\"\n \"{ixscan: {pattern: {d: 1}, bounds: {d: [[8, 8, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 235350325707264513663024522844480001883,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393139
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinReverseSort) {\n addIndex(BSON(\"a\" << 1));\n\n // Run an empty query, sort {a: -1}, max/min arguments.\n runQueryFull(BSONObj(),\n fromjson(\"{a: -1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 2}\"),\n fromjson(\"{a: 8}\"),\n false);\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, dir: -1, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 154133800178629729706759664177027670038,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393140
- },
- {
- "func": "TEST_F(QueryPlannerTest, PrefixRegex) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{a: /^foo/}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {a: /^foo/}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 86716536525162325629780804228716712691,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393141
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicatesAreLeadingFields) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: {$gte: 0}}, {a: {$lte: 10}}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(4);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[0, 10, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[0, 10, true, true]], c: [[7, 7, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[0, 10, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[0, 10, true, true]], c: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 314772004902643906786386325300005948948,
- "size": 25,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393143
- },
- {
- "func": "TEST_F(QueryPlannerTest, CannotTrimIxisectParamSelfIntersection) {\n params.options = QueryPlannerParams::CANNOT_TRIM_IXISECT;\n params.options = QueryPlannerParams::INDEX_INTERSECTION;\n params.options |= QueryPlannerParams::NO_TABLE_SCAN;\n\n // true means multikey\n addIndex(BSON(\"a\" << 1), true);\n\n runQuery(fromjson(\"{a: {$all: [1, 2, 3]}}\"));\n\n assertNumSolutions(4U);\n assertSolutionExists(\n \"{fetch: {filter: {$and: [{a:2}, {a:3}]}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and: [{a:1}, {a:3}]}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and: [{a:2}, {a:3}]}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1},\"\n \"bounds: {a: [[1,1,true,true]]}}},\"\n \"{ixscan: {filter: null, pattern: {a:1},\"\n \"bounds: {a: [[2,2,true,true]]}}},\"\n \"{ixscan: {filter: null, pattern: {a:1},\"\n \"bounds: {a: [[3,3,true,true]]}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 321730225155722303971865047915520983628,
- "size": 29,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393144
- },
- {
- "func": "TEST_F(QueryPlannerTest, LockstepOrEnumerationSanityCheckTwoChildrenTwoIndexesEach) {\n params.options =\n QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::ENUMERATE_OR_CHILDREN_LOCKSTEP;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {a: 1, $or: [{b: 1, c: 1}, {b: 2, c: 2}]}}\"));\n\n assertNumSolutions(6U);\n\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {c: {$eq: 1} }, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {b: {$eq: 1} }, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {c: {$eq: 1} }, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [{fetch: {filter: {b: {$eq: 1} }, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}]}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: {$eq: 1}, c: {$eq: 1}}, {b: {$eq: 2}, c: {$eq: 2}}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: {$eq: 1}, c: {$eq: 1}}, {b: {$eq: 2}, c: {$eq: 2}}]}, node: \"\n \"{ixscan: {pattern: {a: 1, c: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 285125256619263256245324705150972080721,
- "size": 30,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393145
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsTrue) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(fromjson(\"{x: {$exists: true}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 215187873589315216592901979553385568822,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393146
- },
- {
- "func": "TEST_F(QueryPlannerTest, MergeSortReverseIxscanBelowFetch) {\n addIndex(BSON(\"a\" << 1 << \"d\" << 1));\n addIndex(BSON(\"b\" << 1 << \"d\" << -1));\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {$or: [{a: 1}, {b: 1, c: 1}]}, sort: {d: 1}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {d: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: 1, d: 1}, dir: 1}}, {fetch: {node: {ixscan: {pattern: {b: 1, d: \"\n \"-1}, dir: -1}}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 82165649784077631158535975188816161366,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393147
- },
- {
- "func": "TEST_F(QueryPlannerTest, InSparseIndex) {\n addIndex(fromjson(\"{a: 1}\"),\n false, // multikey\n true); // sparse\n runQuery(fromjson(\"{a: {$in: [null]}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {a: {$eq: null}}}}\");\n}",
- "project": "mongo",
- "hash": 161401535817456127043855244231103474093,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393148
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoTableScanOrWithAndChild) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a: 20}, {$and: [{a:1}, {b:7}]}]}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a: 1}}}, \"\n \"{fetch: {filter: {b: 7}, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1}}}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 184625780542982313268379852965947497499,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393149
- },
- {
- "func": "TEST_F(QueryPlannerTest, LessThanEqual) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(BSON(\"x\" << BSON(\"$lte\" << 5)));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: {$lte: 5}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 48548720472398212390079240085558142800,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393150
- },
- {
- "func": "TEST_F(QueryPlannerTest, AndWithUnindexedOrChild) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{a:20, $or: [{b:1}, {c:7}]}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n\n // Logical rewrite means we could get one of these two outcomes:\n size_t matches = 0;\n matches += numSolutionMatches(\n \"{fetch: {filter: {$or: [{b: 1}, {c: 7}]}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}\");\n matches += numSolutionMatches(\n \"{or: {filter: null, nodes: [\"\n \"{fetch: {filter: {b:1}, node: {\"\n \"ixscan: {filter: null, pattern: {a:1}}}}},\"\n \"{fetch: {filter: {c:7}, node: {\"\n \"ixscan: {filter: null, pattern: {a:1}}}}}]}}\");\n ASSERT_GREATER_THAN_OR_EQUALS(matches, 1U);\n}",
- "project": "mongo",
- "hash": 217071064264483469147999168340712153094,
- "size": 20,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393151
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrIntersect) {\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n\n runQuery(\n fromjson(\"{$and: [{a: {$gte: 5}}, {$or: [{b: 6}, {$and: [{c: 7}, {a: {$lte: 8}}]}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, Infinity, \"\n \"true, true]]}}},\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [[5, 8, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 219269843606528417929541137086835169921,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393152
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicatesAreLeadingFieldsMoveToAnd) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n addIndex(BSON(\"a\" << 1 << \"d\" << 1));\n\n runQuery(fromjson(\n \"{$and: [{a: {$gte: 0}}, {a: {$lte: 10}}, {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}]}\"));\n assertNumSolutions(4);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1}, bounds: {a: [[0, 10, true, true]], b: [[6, 6, \"\n \"true, true]], c: [[7, 7, true, true]]}}},\"\n \"{ixscan: {pattern: {a: 1, d: 1}, bounds: {a: [[0, 10, true, true]], d: [[8, 8, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1}, bounds: {a: [[0, 10, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]], c: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}, node: \"\n \"{ixscan: {pattern: {a: 1, d: 1}, bounds: {a: [[0, 10, true, true]], d: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 52297236962623610797940964974594353064,
- "size": 26,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393153
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionDoesNotUseCoveredIxscanOnCompoundIndexIfDisabled) {\n params.options &= ~QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1, c: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, c: 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 284368121696452654522558531405027962742,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393154
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundFieldsOrder) {\n addIndex(BSON(\"x\" << 1 << \"y\" << 1 << \"z\" << 1));\n runQuery(fromjson(\"{ x : 5, z: 10, y:1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1, y: 1, z: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 251476823645389948597701305906415393207,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393155
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinReverseIndexDirSort) {\n addIndex(BSON(\"a\" << -1));\n\n // Min/max specifies a forward scan with bounds [{a: 8}, {a: 2}]. Asking for\n // an ascending sort reverses the direction of the scan to [{a: 2}, {a: 8}].\n runQueryFull(BSONObj(),\n fromjson(\"{a: 1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 8}\"),\n fromjson(\"{a: 2}\"),\n false);\n\n assertNumSolutions(1);\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {filter: null, dir: -1,\"\n \"pattern: {a: -1}}}}}\");\n}",
- "project": "mongo",
- "hash": 243775843498881033257027231717119105251,
- "size": 20,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393156
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterCollScan) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\" << 1);\n addIndex(BSON(\"a\" << 1));\n\n runQuery(fromjson(\"{b: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sharding_filter: {node: \"\n \"{cscan: {dir: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 295161209025689723701040013431749949033,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393157
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCollscanIfIndexIsGeo) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a\"\n << \"2dsphere\"));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 179802140775363423863920912413842380631,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393159
- },
- {
- "func": "TEST_F(QueryPlannerTest, IndexBoundsUnindexedSort) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a: 1}, {a: 2}]}\"), BSON(\"b\" << 1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {b:1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {filter: {$or:[{a:1},{a:2}]}, dir: 1}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {b:1}, limit: 0, node: {sortKeyGen: {node: {fetch: \"\n \"{filter: null, node: {ixscan: {filter: null, \"\n \"pattern: {a:1}, bounds: {a: [[1,1,true,true], [2,2,true,true]]}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 9277367493605477143732042837924376781,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393160
- },
- {
- "func": "TEST_F(QueryPlannerTest, PrefixRegexCovering) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{a: /^foo/}\"), BSONObj(), fromjson(\"{_id: 0, a: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1, filter: {a: /^foo/}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 311431270902625889692529502282541159186,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393161
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrMultikeyCannotCombineLeadingFields) {\n const bool multikey = true;\n addIndex(BSON(\"a\" << 1), multikey);\n addIndex(BSON(\"b\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: {$gte: 0}}, {$or: [{a: {$lte: 10}}, {b: 6}]}]}\"));\n assertNumSolutions(3);\n assertSolutionExists(\n \"{fetch: {filter: {a: {$gte: 0}}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1}, bounds: {a: [[-Infinity, 10, true, true]]}}},\"\n \"{ixscan: {pattern: {b: 1}, bounds: {b: [[6, 6, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{a: {$lte: 10}}, {b: 6}]}, node: \"\n \"{ixscan: {pattern: {a: 1}, bounds: {a: [[0, Infinity, true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 302802874574040760957486237515939397161,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393162
- },
- {
- "func": "TEST_F(QueryPlannerTest, EnumerateNestedOr) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{d: 1, $or: [{a: 1, b: 1}, {c: 1}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{fetch: {filter: {d: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {b: 1}, node: {ixscan: {pattern: {a: 1}}}}},\"\n \"{ixscan: {pattern: {c: 1}}}]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {d: 1}, node: {or: {nodes: [\"\n \"{fetch: {filter: {a: 1}, node: {ixscan: {pattern: {b: 1}}}}},\"\n \"{ixscan: {pattern: {c: 1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 154207944156356859619878163763149502029,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393163
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExplodeRootedOrForSortWorksWithShardingFilter) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n params.options |= QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"c\" << 1);\n\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a: 1}, {a: 3}]}\"), fromjson(\"{b: 1}\"), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sharding_filter: {node: {fetch: {filter: null, node: {mergeSort: {nodes: [\"\n \"{ixscan: {pattern: {a:1,b:1}, filter: null, bounds: {a: [[1,1,true,true]], b: \"\n \"[['MinKey','MaxKey',true,true]]}}},\"\n \"{ixscan: {pattern: {a:1,b:1}, filter: null, bounds: {a: [[3,3,true,true]], b: \"\n \"[['MinKey','MaxKey',true,true]]}}}]}}}}}}\");\n}",
- "project": "mongo",
- "hash": 223056328393791071858081114501692468349,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393164
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicSortBooleanIndexKeyPattern) {\n addIndex(BSON(\"a\" << true));\n runQuerySortProj(fromjson(\"{ a : 5 }\"), BSON(\"a\" << 1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {a: 1}, limit: 0, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1, filter: {a: 5}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: true}}}}}\");\n}",
- "project": "mongo",
- "hash": 196353157435157459969239543022343631520,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393165
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsTrueOnUnindexedField) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(fromjson(\"{x: 1, y: {$exists: true}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 173077958261379426221333356423824656169,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393166
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundIndexBoundsMiddleFieldMissing) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n runQuery(fromjson(\"{a: 1, c: {$lt: 3}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1, c: 1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [['MinKey','MaxKey',true,true]], \"\n \" c: [[-Infinity,3,true,false]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 95066557517224502906487325929496091023,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393167
- },
- {
- "func": "TEST_F(QueryPlannerTest, TwoPlans) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n runQuery(fromjson(\"{a:1, b:{$gt:2,$lt:2}}\"));\n\n // 2 indexed solns and one non-indexed\n ASSERT_EQUALS(getNumSolutions(), 3U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {$and:[{b:{$lt:2}},{a:1},{b:{$gt:2}}]}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and:[{b:{$lt:2}},{b:{$gt:2}}]}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 151034042724149636564765890778143225684,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393168
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExplodeOrForSort2) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n addIndex(BSON(\"d\" << 1 << \"c\" << 1));\n\n runQuerySortProj(\n fromjson(\"{$or: [{a: 1, b: {$in: [1, 2]}}, {d: 3}]}\"), BSON(\"c\" << 1), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {bounds: {a: [[1,1,true,true]], b: [[1,1,true,true]],\"\n \"c: [['MinKey','MaxKey',true,true]]},\"\n \"pattern: {a:1, b:1, c:1}}},\"\n \"{ixscan: {bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]],\"\n \"c: [['MinKey','MaxKey',true,true]]},\"\n \"pattern: {a:1, b:1, c:1}}},\"\n \"{ixscan: {bounds: {d: [[3,3,true,true]], \"\n \"c: [['MinKey','MaxKey',true,true]]},\"\n \"pattern: {d:1, c:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 116077711498581484002411100225355116222,
- "size": 23,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393169
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrOfAndCollapseIndenticalScansWithFilter2) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{c: 1, $or: [{a:{$gte:1,$lte:1}, b:2}, {a:1, b:2, d:3}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {c: 1}, node: {fetch: {filter: null, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}},\"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]},\"\n \"filter: null}}}}}\");\n}",
- "project": "mongo",
- "hash": 234793157774344462037389906774123165371,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393170
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicateIsLeadingFieldAndTrailingField) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(3);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [[5, 5, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 166977247108111645114169261503301330735,
- "size": 20,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393171
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectBasicTwoPred) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuery(fromjson(\"{a:1, b:{$gt: 1}}\"));\n\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1}}},\"\n \"{ixscan: {filter: null, pattern: {b:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 23026182779594714780989019582842878633,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393172
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCollscanIfIndexIsSparse) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n constexpr bool isMultikey = false;\n constexpr bool isSparse = true;\n addIndex(BSON(\"a\" << 1), isMultikey, isSparse);\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1, b: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 221169555752755985523274736351666854391,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393173
- },
- {
- "func": "TEST_F(QueryPlannerTest, MergeSortEvenIfSameIndex) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a:1}, {a:7}]}\"), fromjson(\"{b:1}\"), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n // TODO the second solution should be mergeSort rather than just sort\n}",
- "project": "mongo",
- "hash": 321491436300512563726301236595896610381,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393175
- },
- {
- "func": "TEST_F(QueryPlannerTest, InBasic) {\n addIndex(fromjson(\"{a: 1}\"));\n runQuery(fromjson(\"{a: {$in: [1, 2]}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {a: {$in: [1, 2]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, \"\n \"node: {ixscan: {pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 318849519797985624060386969991928165203,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393177
- },
- {
- "func": "TEST_F(QueryPlannerTest, TwoRegexSameFieldCovering) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(\n fromjson(\"{$and: [{a: /0/}, {a: /1/}]}\"), BSONObj(), fromjson(\"{_id: 0, a: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1, filter: {$and:[{a:/0/},{a:/1/}]}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{ixscan: {filter: {$and:[{a:/0/},{a:/1/}]}, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 315269374129082715172937789155598021540,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393178
- },
- {
- "func": "TEST_F(QueryPlannerTest, ReverseScanForSort) {\n addIndex(BSON(\"_id\" << 1));\n runQuerySortProj(BSONObj(), fromjson(\"{_id: -1}\"), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {_id: -1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {_id: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 85714287407402125314839246392292272967,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393179
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatedRangeIntGT) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$gt: 5}}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {i:1}, \"\n \"bounds: {i: [['MinKey',5,true,true], \"\n \"[Infinity,'MaxKey',false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 306130653680980354433799517842382479410,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393180
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrCollapsesToSingleScan) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a:{$gt:2}}, {a:{$gt:0}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [[0,Infinity,false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 306765206728189923926291631380796683142,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393181
- },
- {
- "func": "TEST_F(QueryPlannerTest, ThreeRegexSameFieldMultikey) {\n // true means multikey\n addIndex(BSON(\"a\" << 1), true);\n runQuery(fromjson(\"{$and: [{a: /0/}, {a: /1/}, {a: /2/}]}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 4U);\n assertSolutionExists(\"{cscan: {filter: {$and:[{a:/0/},{a:/1/},{a:/2/}]}, dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and:[{a:/0/},{a:/1/},{a:/2/}]}, node: {ixscan: \"\n \"{pattern: {a: 1}, filter: null, \"\n \"bounds: {a: [['', {}, true, false], [/0/, /0/, true, true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and:[{a:/1/},{a:/0/},{a:/2/}]}, node: {ixscan: \"\n \"{pattern: {a: 1}, filter: null, \"\n \"bounds: {a: [['', {}, true, false], [/1/, /1/, true, true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and:[{a:/2/},{a:/0/},{a:/1/}]}, node: {ixscan: \"\n \"{pattern: {a: 1}, filter: null, \"\n \"bounds: {a: [['', {}, true, false], [/2/, /2/, true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 43238156433451253146193749748567081545,
- "size": 20,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393182
- },
- {
- "func": "TEST_F(QueryPlannerTest, CannotMergeSort) {\n addIndex(BSON(\"a\" << 1 << \"c\" << -1));\n addIndex(BSON(\"b\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', filter: {$or: [{a: 1}, {b: 1}]}, sort: {c: 1}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {c: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {or: {nodes: [{ixscan: {pattern: {a: 1, c: -1}, dir: -1}}, {ixscan: \"\n \"{pattern: {b: 1}, dir: 1}}]}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 208153405307421163058306753422198229061,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393183
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicSoftLimitNoIndex) {\n addIndex(BSON(\"a\" << 1));\n\n runQuerySkipNToReturn(BSON(\"x\" << 5), 0, 3);\n\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: 5}}}\");\n}",
- "project": "mongo",
- "hash": 77372661973811270140762705533366912985,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393184
- },
- {
- "func": "TEST_F(QueryPlannerTest, TwoNegatedRanges) {\n addIndex(BSON(\"i\" << 1));\n runQuery(\n fromjson(\"{$and: [{i: {$not: {$lte: 'b'}}}, \"\n \"{i: {$not: {$gte: 'f'}}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {i:1}, \"\n \"bounds: {i: [['MinKey','',true,false], \"\n \"['b','f',false,false], \"\n \"[{},'MaxKey',true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 153249551047060386727096438447639269570,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393185
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationTopLevel) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{a: {$ne: 1}}\"), BSONObj(), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [['MinKey',1,true,false], \"\n \"[1,'MaxKey',false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 168192228741273659772125581646255615807,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393186
- },
- {
- "func": "TEST_F(QueryPlannerTest, FloatingPointInKeyPattern) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << -0.1));\n\n runQuerySortProj(fromjson(\"{a: {$gte: 3, $lte: 5}}\"), fromjson(\"{a: 1}\"), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a: -0.1}, \"\n \"bounds: {a: [[3, 5, true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 286691476812444589773697367642737715463,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393187
- },
- {
- "func": "TEST_F(QueryPlannerTest, SkipAndLimit) {\n addIndex(BSON(\"x\" << 1));\n\n runQuerySkipNToReturn(BSON(\"x\" << BSON(\"$lte\" << 4)), 7, -2);\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{limit: {n: 2, node: {skip: {n: 7, node: \"\n \"{cscan: {dir: 1, filter: {x: {$lte: 4}}}}}}}}\");\n assertSolutionExists(\n \"{limit: {n: 2, node: {fetch: {filter: null, node: \"\n \"{skip: {n: 7, node: {ixscan: {filter: null, pattern: {x: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 265422249042537165994666638062500637878,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393188
- },
- {
- "func": "TEST_F(QueryPlannerTest, TwoRegexCompoundIndexCovering) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{a: /0/, b: /1/}\"), BSONObj(), fromjson(\"{_id: 0, a: 1, b: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1}, node: \"\n \"{cscan: {dir: 1, filter: {$and:[{a:/0/},{b:/1/}]}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1}, node: \"\n \"{ixscan: {filter: {$and:[{a:/0/},{b:/1/}]}, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 192605243810301198641322872099575383686,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393189
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExprEqCannotUseMultikeyFieldOfIndex) {\n MultikeyPaths multikeyPaths{{0U}};\n addIndex(BSON(\"a.b\" << 1), multikeyPaths);\n runQuery(fromjson(\"{'a.b': {$_internalExprEq: 1}}\"));\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {'a.b': {$_internalExprEq: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 100633174443057579879212358774571304395,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393190
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrMultikeyCompoundFields) {\n const bool multikey = true;\n addIndex(BSON(\"b\" << 1 << \"a\" << 1), multikey);\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[5, 5, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 15375010445291283421528413986698638330,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393191
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrInexactWithExact) {\n addIndex(BSON(\"name\" << 1));\n runQuery(fromjson(\"{$or: [{name: 'thomas'}, {name: /^alexand(er|ra)/}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {filter:\"\n \"{$or: [{name: 'thomas'}, {name: /^alexand(er|ra)/}]},\"\n \"pattern: {name: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 151745332370733700431467502224240564773,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393192
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExprEqCanUseSparseIndex) {\n params.options &= ~QueryPlannerParams::INCLUDE_COLLSCAN;\n addIndex(fromjson(\"{a: 1}\"), false, true);\n runQuery(fromjson(\"{a: {$_internalExprEq: 1}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1}, bounds: {a: [[1,1,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 161330988553834747839259936575264480054,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393193
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationCantUseSparseIndex2) {\n // false means not multikey, true means sparse\n addIndex(BSON(\"i\" << 1 << \"j\" << 1), false, true);\n runQuery(fromjson(\"{i: 4, j: {$ne: 5}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {i:1,j:1}, bounds: \"\n \"{i: [[4,4,true,true]], j: [['MinKey','MaxKey',true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 334795813909830717694429663507788993879,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393194
- },
- {
- "func": "TEST_F(QueryPlannerTest, LessThan) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(BSON(\"x\" << BSON(\"$lt\" << 5)));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: {$lt: 5}}}}\");\n assertSolutionExists(\"{fetch: {filter: null, node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 324792856112295364093025757115356456477,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393195
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrNotNextInIndex) {\n addIndex(BSON(\"b\" << 1 << \"d\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, d: 1, a: 1}, bounds: {b: [[6, 6, true, true]], d: [['MinKey', \"\n \"'MaxKey', true, true]], a: [[5, 5, true, true]]}}},\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [[5, 5, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 175993236333193109990671788757594357590,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393196
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExprEqCanUseHashedIndexWithRegex) {\n params.options &= ~QueryPlannerParams::INCLUDE_COLLSCAN;\n addIndex(BSON(\"a\"\n << \"hashed\"));\n runQuery(fromjson(\"{a: {$_internalExprEq: /abc/}}\"));\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\n \"{fetch: {filter: {a: {$_internalExprEq: /abc/}}, node: {ixscan: {filter: null, pattern: \"\n \"{a: 'hashed'}}}}}\");\n}",
- "project": "mongo",
- "hash": 58810176882044022760209544165295739635,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393200
- },
- {
- "func": "TEST_F(QueryPlannerTest, MergeSortReverseScans) {\n addIndex(BSON(\"a\" << 1));\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {$or: [{a: 1, b: 1}, {a: {$lt: 0}}]}, sort: {a: -1}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {a: -1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{fetch: {filter: {b: 1}, node: {ixscan: {pattern: {a: 1}, dir: -1}}}}, {ixscan: \"\n \"{pattern: {a: 1}, dir: -1}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 223713562483828822373120244123509385617,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393201
- },
- {
- "func": "TEST_F(QueryPlannerTest, SkipEvaluatesAfterFetchWithPredicate) {\n addIndex(fromjson(\"{a: 1}\"));\n\n runQuerySkipNToReturn(fromjson(\"{a: 5, b: 7}\"), 8, 0);\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{skip: {n: 8, node: {cscan: {dir: 1, filter: {a: 5, b: 7}}}}}\");\n\n // When a plan includes a fetch with no predicate, the skip should execute first, so we avoid\n // fetching a document that we will always discard. When the fetch does have a predicate (as in\n // this case), however, that optimization would be invalid; we need to fetch the document and\n // evaluate the filter to determine if the document should count towards the number of skipped\n // documents.\n assertSolutionExists(\n \"{skip: {n: 8, node: {fetch: {filter: {b: 7}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 56590584602232051647119691815967789600,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393202
- },
- {
- "func": "TEST_F(QueryPlannerTest, CantExplodeMetaSort) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\"\n << \"text\"));\n runQuerySortProj(fromjson(\"{a: {$in: [1, 2]}, b: {$in: [3, 4]}}\"),\n fromjson(\"{c: {$meta: 'textScore'}}\"),\n fromjson(\"{c: {$meta: 'textScore'}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{proj: {spec: {c:{$meta:'textScore'}}, node: \"\n \"{sort: {pattern: {c:{$meta:'textScore'}}, limit: 0, node: {sortKeyGen: {node: \"\n \"{cscan: {filter: {a:{$in:[1,2]},b:{$in:[3,4]}}, dir: 1}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 210713691270574875350164270103377551829,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393203
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrWithoutEnoughIndices) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a: 20}, {b: 21}]}\"));\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {$or: [{a: 20}, {b: 21}]}}}\");\n}",
- "project": "mongo",
- "hash": 206972381442052191498477780518053794189,
- "size": 6,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393204
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCoveredIxscanIfEnabled) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1},\"\n \"bounds: {a: [['MinKey', 'MaxKey', true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 10868820168502603564336929929614977513,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393205
- },
- {
- "func": "TEST_F(QueryPlannerTest, EquivalentAndsTwo) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{$and: [{a: 1, b: 10}, {a: 1, b: 20}]}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {$and:[{a:1},{a:1},{b:10},{b:20}]}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 247502227033580830208306005591349752334,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393206
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicSkipNoIndex) {\n addIndex(BSON(\"a\" << 1));\n\n runQuerySkipNToReturn(BSON(\"x\" << 5), 3, 0);\n\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\"{skip: {n: 3, node: {cscan: {dir: 1, filter: {x: 5}}}}}\");\n}",
- "project": "mongo",
- "hash": 64753601750188874452901028644740317866,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393207
- },
- {
- "func": "TEST_F(QueryPlannerTest, SortElimCompound) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{ a : 5 }\"), BSON(\"b\" << 1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1, filter: {a: 5}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 95767658245122191095296789867015347747,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393208
- },
- {
- "func": "TEST_F(QueryPlannerTest, NinCantUseMultikeyIndex) {\n // true means multikey\n addIndex(BSON(\"a\" << 1), true);\n runQuery(fromjson(\"{a: {$nin: [4, /foobar/]}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 139310992598856673397374984907313661204,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393209
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrNotPredicateIsLeadingFieldIndexIntersection) {\n params.options = QueryPlannerParams::INCLUDE_COLLSCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{$nor: [{a: 5}]}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(4);\n // The filter is {$not: {a: 5}}, but there is no way to write a BSON expression that will parse\n // to that MatchExpression.\n assertSolutionExists(\n \"{fetch: {node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], b: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andHash: {nodes: [\"\n \"{or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], b: [[6, 6, true, true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}]}},\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [['MinKey', 5, true, false], [5, 'MaxKey', \"\n \"false, true]], b: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 78719646834053107602690510991454415008,
- "size": 32,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393210
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterNoIndexNotCovered) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\"\n << \"hashed\");\n addIndex(BSON(\"b\" << 1));\n\n runQuerySortProj(fromjson(\"{b: 1}\"), BSONObj(), fromjson(\"{_id : 0, a : 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0,a: 1}, type: 'simple', node: \"\n \"{sharding_filter : {node: \"\n \"{fetch: {node: \"\n \"{ixscan: {pattern: {b: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 30287526048141003541512583871605285257,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393211
- },
- {
- "func": "TEST_F(QueryPlannerTest, TwoPredicatesAnding) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(fromjson(\"{$and: [ {x: {$gt: 1}}, {x: {$lt: 3}} ] }\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 160215520489601922129923979062527756653,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393212
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinSelectCorrectlyOrderedIndex) {\n // There are both ascending and descending indices on 'a'.\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"a\" << -1));\n\n // The ordering of min and max means that we *must* use the descending index.\n runQueryFull(BSONObj(),\n BSONObj(),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 8}\"),\n fromjson(\"{a: 2}\"),\n false);\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, dir: 1, pattern: {a: -1}}}}}\");\n\n // If we switch the ordering, then we use the ascending index.\n // The ordering of min and max means that we *must* use the descending index.\n runQueryFull(BSONObj(),\n BSONObj(),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 2}\"),\n fromjson(\"{a: 8}\"),\n false);\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, dir: 1, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 235364431847662062598757596126103551765,
- "size": 34,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393213
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundMissingField) {\n addIndex(BSON(\"x\" << 1 << \"y\" << 1 << \"z\" << 1));\n runQuery(fromjson(\"{ x : 5, z: 10}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {x: 1, y: 1, z: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 268638335118842772406663936192729859412,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393214
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrOnlyOneBranchCanUseIndexHinted) {\n addIndex(BSON(\"a\" << 1));\n runQueryHint(fromjson(\"{$or: [{a:1}, {b:2}]}\"), fromjson(\"{a:1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: {$or:[{a:1},{b:2}]}, node: {ixscan: \"\n \"{pattern: {a:1}, bounds: \"\n \"{a: [['MinKey','MaxKey',true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 844428593714537003033668038639165152,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393215
- },
- {
- "func": "TEST_F(QueryPlannerTest, SortKeyMetaProjection) {\n addIndex(BSON(\"a\" << 1));\n\n runQuerySortProj(BSONObj(), fromjson(\"{a: 1}\"), fromjson(\"{b: {$meta: 'sortKey'}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{proj: {spec: {b: {$meta: 'sortKey'}}, node: \"\n \"{sort: {limit: 0, pattern: {a: 1}, node: {sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {b: {$meta: 'sortKey'}}, node: \"\n \"{sortKeyGen: {node: {fetch: {filter: null, node: \"\n \"{ixscan: {pattern: {a: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 237092162179255154896430698318702011975,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393216
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicSortWithIndexablePred) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuerySortProj(fromjson(\"{ a : 5 }\"), BSON(\"b\" << 1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 3U);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1, filter: {a: 5}}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: \"\n \"{node: {fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {ixscan: \"\n \"{filter: null, pattern: {b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 270126948759373489440274037281626483011,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393217
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCannotCompoundTrailingFields) {\n MultikeyPaths multikeyPaths{{}, {0U}, {0U}};\n addIndex(BSON(\"d\" << 1 << \"a.b\" << 1 << \"a.c\" << 1), multikeyPaths);\n addIndex(BSON(\"e\" << 1));\n\n runQuery(fromjson(\"{$and: [{'a.b': 5}, {$or: [{$and: [{'a.c': 6}, {d: 7}]}, {e: 8}]}]}\"));\n assertNumSolutions(2);\n // When we have path-level multikey info, we ensure that predicates are assigned in order of\n // index position.\n assertSolutionExists(\n \"{fetch: {filter: {'a.b': 5}, node: {or: {nodes: [\"\n \"{fetch: {filter: {'a.c': 6}, node: {ixscan: {pattern: {d: 1, 'a.b': 1, 'a.c': 1}, bounds: \"\n \"{d: [[7, 7, true, true]], 'a.b': [[5, 5, true, true]], 'a.c': [['MinKey', 'MaxKey', true, \"\n \"true]]}}}}},\"\n \"{ixscan: {pattern: {e: 1}, bounds: {e: [[8, 8, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 194124131615109613155608141746836300771,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393218
- },
- {
- "func": "TEST_F(QueryPlannerTest, NEOnMultikeyIndex) {\n // true means multikey\n addIndex(BSON(\"a\" << 1), true);\n runQuery(fromjson(\"{a: {$ne: 3}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:{$ne:3}}, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [['MinKey',3,true,false],\"\n \"[3,'MaxKey',false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 195703923024323525090410956645776603360,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393219
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsTrueSparseIndexOnOtherField) {\n addIndex(BSON(\"x\" << 1), false, true);\n\n runQuery(fromjson(\"{x: 1, y: {$exists: true}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 96578923105475870390769497387857170937,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393221
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCoveredIxscanOnCompoundIndexIfEnabled) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1, c: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, c: 1}, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1, b: 1, c: 1}, bounds:\"\n \"{a: [['MinKey', 'MaxKey', true, true]], b: [['MinKey', 'MaxKey', true, true]],\"\n \"c: [['MinKey', 'MaxKey', true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 65788526622789342512446821883119801746,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393222
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCannotCombineTrailingFields) {\n MultikeyPaths multikeyPaths{{}, {0U}};\n addIndex(BSON(\"b\" << 1 << \"a\" << 1), multikeyPaths);\n addIndex(BSON(\"c\" << 1));\n\n runQuery(\n fromjson(\"{$and: [{a: {$gte: 0}}, {$or: [{$and: [{a: {$lte: 10}}, {b: 6}]}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n std::vector<std::string> alternates;\n alternates.push_back(\n \"{fetch: {filter: {a: {$gte: 0}}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[-Infinity, 10, \"\n \"true, true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n alternates.push_back(\n \"{fetch: {filter: {a: {$gte: 0}}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [[0, Infinity, \"\n \"true, true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertHasOneSolutionOf(alternates);\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 318338111642482582800051922432935491150,
- "size": 24,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393223
- },
- {
- "func": "TEST_F(QueryPlannerTest, InBasicOrEquivalent) {\n addIndex(fromjson(\"{a: 1}\"));\n runQuery(fromjson(\"{$or: [{a: 1}, {a: 2}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {$or: [{a: 1}, {a: 2}]}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, \"\n \"node: {ixscan: {pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 306757085151648739285713856991045558199,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393224
- },
- {
- "func": "TEST_F(QueryPlannerTest, UniqueIndexLookupBelowOr) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n addIndex(BSON(\"d\" << 1),\n false, // multikey\n false, // sparse,\n true); // unique\n\n runQuery(fromjson(\"{$or: [{a: 1, b: 1}, {c: 1, d: 1}]}\"));\n\n // Only two plans because we throw out plans for the right branch of the $or that do not\n // use equality over the unique index.\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {a: 1}, node: {ixscan: {pattern: {b: 1}}}}},\"\n \"{fetch: {filter: {c: 1}, node: {ixscan: {pattern: {d: 1}}}}}]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: 1}, node: {ixscan: {pattern: {a: 1}}}}},\"\n \"{fetch: {filter: {c: 1}, node: {ixscan: {pattern: {d: 1}}}}}]}}\");\n}",
- "project": "mongo",
- "hash": 226569899534658630229660343689250815206,
- "size": 25,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393225
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectCanBeVeryBig) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n addIndex(BSON(\"d\" << 1));\n runQuery(\n fromjson(\"{$or: [{ 'a' : null, 'b' : 94, 'c' : null, 'd' : null },\"\n \"{ 'a' : null, 'b' : 98, 'c' : null, 'd' : null },\"\n \"{ 'a' : null, 'b' : 1, 'c' : null, 'd' : null },\"\n \"{ 'a' : null, 'b' : 2, 'c' : null, 'd' : null },\"\n \"{ 'a' : null, 'b' : 7, 'c' : null, 'd' : null },\"\n \"{ 'a' : null, 'b' : 9, 'c' : null, 'd' : null },\"\n \"{ 'a' : null, 'b' : 16, 'c' : null, 'd' : null }]}\"));\n\n assertNumSolutions(internalQueryEnumerationMaxOrSolutions.load());\n}",
- "project": "mongo",
- "hash": 9299196349185270280283034298215587880,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393226
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterBasicProjCovered) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\" << 1);\n addIndex(BSON(\"a\" << 1));\n\n runQuerySortProj(fromjson(\"{a: 1}\"), BSONObj(), fromjson(\"{_id : 0, a : 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, type: 'coveredIndex', node: \"\n \"{sharding_filter: {node: \"\n \"{ixscan: {pattern: {a: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 113640684696618958161039581142048098838,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393227
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrAllThreeTightnesses) {\n addIndex(BSON(\"names\" << 1));\n runQuery(\n fromjson(\"{$or: [{names: 'frank'}, {names: /^al(ice)|(ex)/},\"\n \"{names: {$elemMatch: {$eq: 'thomas'}}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: \"\n \"{$or: [{names: 'frank'}, {names: /^al(ice)|(ex)/},\"\n \"{names: {$elemMatch: {$eq: 'thomas'}}}]}, \"\n \"node: {ixscan: {filter: null, pattern: {names: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 76054873363046234122938585051691634558,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393228
- },
- {
- "func": "TEST_F(QueryPlannerTest, SortElimTrailingFieldsReverse) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1 << \"d\" << 1));\n runQuerySortProj(fromjson(\"{a: 5, b: 6}\"), BSON(\"c\" << -1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {c: -1}, limit: 0, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1, filter: {a: 5, b: 6}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, dir: -1, pattern: {a: 1, b: 1, c: 1, d: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 233987492566321264599110097497755083359,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393229
- },
- {
- "func": "TEST_F(QueryPlannerTest, Snapshot) {\n addIndex(BSON(\"a\" << 1));\n runQuerySnapshot(fromjson(\"{a: {$gt: 0}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {filter: {a: {$gt: 0}}, dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 7170949193140007369903571950806473724,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393230
- },
- {
- "func": "TEST_F(QueryPlannerTest, CantUseTextIndexToProvideSort) {\n addIndex(BSON(\"x\" << 1 << \"_fts\"\n << \"text\"\n << \"_ftsx\"\n << 1));\n runQuerySortProj(BSONObj(), BSON(\"x\" << 1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\n \"{sort: {pattern: {x: 1}, limit: 0, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1, filter: {}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 242662865878506734203566027376475142253,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393231
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundMultikeyBoundsNoIntersect) {\n // true means multikey\n addIndex(BSON(\"a\" << 1 << \"b\" << 1), true);\n runQuery(fromjson(\"{a: 1, b: {$gt: 3, $lte: 5}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {b:{$gt:3}}, node: {ixscan: {filter: null, \"\n \"pattern: {a:1,b:1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [[-Infinity,5,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 182947058509243366376748797604966455943,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393232
- },
- {
- "func": "TEST_F(QueryPlannerTest, UniqueIndexLookup) {\n params.options = QueryPlannerParams::INDEX_INTERSECTION;\n params.options |= QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1),\n false, // multikey\n false, // sparse,\n true); // unique\n\n runQuery(fromjson(\"{a: 1, b: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: {a: 1}, node: \"\n \"{ixscan: {filter: null, pattern: {b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 178839466912917964846012794667942939529,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393233
- },
- {
- "func": "TEST_F(QueryPlannerTest, InWithSort) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProjSkipNToReturn(fromjson(\"{a: {$in: [1, 2]}}\"), BSON(\"b\" << 1), BSONObj(), 0, 1);\n\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 1, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: 1, b: 1}}}, {ixscan: {pattern: {a: 1, b: 1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 273755553949269817428905661298829130989,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393234
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatedRangeIntGTE) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$gte: 5}}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {i:1}, \"\n \"bounds: {i: [['MinKey',5,true,false], \"\n \"[Infinity,'MaxKey',false,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 3448141573223037376539295803701781455,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393235
- },
- {
- "func": "TEST_F(QueryPlannerTest, InWithSortAndLimitTrailingField) {\n addIndex(BSON(\"a\" << 1 << \"b\" << -1 << \"c\" << 1));\n runQuerySortProjSkipNToReturn(fromjson(\"{a: {$in: [1, 2]}, b: {$gte: 0}}\"),\n fromjson(\"{b: -1}\"),\n BSONObj(), // no projection\n 0, // no skip\n -1); // .limit(1)\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{sort: {pattern: {b:-1}, limit: 1, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{limit: {n: 1, node: {fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a:1,b:-1,c:1}}}, \"\n \" {ixscan: {pattern: {a:1,b:-1,c:1}}}]}}}}}}\");\n}",
- "project": "mongo",
- "hash": 182146240797766507358268848548597485782,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393236
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicateIsLeadingFieldInIndex) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(4);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[5, 5, true, true]], c: [[7, 7, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[5, 5, true, true]], c: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 225963543493379286480617356294114060219,
- "size": 25,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393237
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterKeyPrefixIndexCovered) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\" << 1);\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"_id\" << 1));\n\n runQuerySortProj(fromjson(\"{a: 1}\"), BSONObj(), fromjson(\"{a : 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{proj: {spec: {a: 1}, type: 'coveredIndex', node: \"\n \"{sharding_filter : {node: \"\n \"{ixscan: {pattern: {a: 1, b: 1, _id: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 297620939790682734755562987155996044242,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393238
- },
- {
- "func": "TEST_F(QueryPlannerTest, RootedOrOfAndCollapseTwoScansButNotThird) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1 << \"d\" << 1));\n runQuery(fromjson(\"{$or: [{a: 1, b: 2}, {c: 3, d: 4}, {a: 1, b: 2}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, filter: null,\"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]}}},\"\n \"{ixscan: {pattern: {c: 1, d: 1}, filter: null,\"\n \"bounds: {c: [[3,3,true,true]], d: [[4,4,true,true]]}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 28195936180963258348567439769441523171,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393239
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationOr) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(fromjson(\"{$or: [{a: 1}, {b: {$ne: 1}}]}\"), BSONObj(), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 224463110277626159335491728539604931698,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393240
- },
- {
- "func": "TEST_F(QueryPlannerTest, ManyInWithSort) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1 << \"d\" << 1));\n runQuerySortProjSkipNToReturn(fromjson(\"{a: {$in: [1, 2]}, b:{$in:[1,2]}, c:{$in:[1,2]}}\"),\n BSON(\"d\" << 1),\n BSONObj(),\n 0,\n 1);\n\n assertSolutionExists(\n \"{sort: {pattern: {d: 1}, limit: 1, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {mergeSort: {nodes: \"\n \"[{ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 321714766832778506105148206851118285899,
- "size": 22,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393241
- },
- {
- "func": "TEST_F(QueryPlannerTest, SplitLimitedSort) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n params.options |= QueryPlannerParams::SPLIT_LIMITED_SORT;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n\n runQuerySortProjSkipNToReturn(fromjson(\"{a: 1}\"), fromjson(\"{b: 1}\"), BSONObj(), 0, 3);\n\n assertNumSolutions(2U);\n // First solution has no blocking stage; no need to split.\n assertSolutionExists(\n \"{fetch: {filter: {a:1}, node: \"\n \"{ixscan: {filter: null, pattern: {b: 1}}}}}\");\n // Second solution has a blocking sort with a limit: it gets split and\n // joined with an OR stage.\n assertSolutionExists(\n \"{ensureSorted: {pattern: {b: 1}, node: \"\n \"{or: {nodes: [\"\n \"{sort: {pattern: {b: 1}, limit: 3, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {ixscan: {pattern: {a: 1}}}}}}}}}, \"\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {ixscan: {pattern: {a: 1}}}}}}}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 244343410673275345691539793170292777230,
- "size": 23,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393242
- },
- {
- "func": "TEST_F(QueryPlannerTest, LockstepOrEnumerationSanityCheckTwoChildrenDifferentNumSolutions) {\n params.options =\n QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::ENUMERATE_OR_CHILDREN_LOCKSTEP;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n\n runQueryAsCommand(fromjson(\"{find: 'testns', filter: {a: 1, $or: [{b: 1}, {b: 2, c: 2}]}}\"));\n\n assertNumSolutions(4U);\n\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [{ixscan: {pattern: {a: 1, b: 1}}}, {fetch: \"\n \"{filter: {c: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [{ixscan: {pattern: {a: 1, b: 1}}}, {fetch: \"\n \"{filter: {b: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: {$eq: 1}}, {b: {$eq: 2}, c: {$eq: 2}}]}, node: {ixscan: \"\n \"{pattern: {a: 1, b: 1}}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: {$eq: 1}}, {b: {$eq: 2}, c: {$eq: 2}}]}, node: {ixscan: \"\n \"{pattern: {a: 1, c: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 113916296173215800031368142004172515382,
- "size": 23,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393244
- },
- {
- "func": "TEST_F(QueryPlannerTest, ThreeRegexSameFieldCovering) {\n addIndex(BSON(\"a\" << 1));\n runQuerySortProj(\n fromjson(\"{$and: [{a: /0/}, {a: /1/}, {a: /2/}]}\"), BSONObj(), fromjson(\"{_id: 0, a: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1, filter: {$and:[{a:/0/},{a:/1/},{a:/2/}]}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{ixscan: {filter: {$and:[{a:/0/},{a:/1/},{a:/2/}]}, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 153107348566801693994050438169893219254,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393245
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsFalseSparseIndexOnOtherField) {\n addIndex(BSON(\"x\" << 1), false, true);\n\n runQuery(fromjson(\"{x: 1, y: {$exists: false}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\"{fetch: {node: {ixscan: {pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 329405160526919277810374197042528639061,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393246
- },
- {
- "func": "TEST_F(QueryPlannerTest, TooManyToExplode) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1 << \"d\" << 1));\n runQuerySortProjSkipNToReturn(fromjson(\"{a: {$in: [1,2,3,4,5,6]},\"\n \"b:{$in:[1,2,3,4,5,6,7,8]},\"\n \"c:{$in:[1,2,3,4,5,6,7,8]}}\"),\n BSON(\"d\" << 1),\n BSONObj(),\n 0,\n 1);\n\n // We cap the # of ixscans we're willing to create.\n assertNumSolutions(2);\n assertSolutionExists(\n \"{sort: {pattern: {d: 1}, limit: 1, node: {sortKeyGen: \"\n \"{node: {cscan: {dir: 1}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {d: 1}, limit: 1, node: {sortKeyGen: {node: \"\n \"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1, c:1, d:1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 174897599360843013237859339899311051244,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393247
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectBasicTwoPredCompoundMatchesIdxOrder1) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuery(fromjson(\"{a:1, b:1}\"));\n\n assertNumSolutions(3U);\n\n assertSolutionExists(\n \"{fetch: {filter: {b:1}, node: \"\n \"{ixscan: {filter: null, pattern: {a:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:1}, node: \"\n \"{ixscan: {filter: null, pattern: {b:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {a:1}}},\"\n \"{ixscan: {filter: null, pattern: {b:1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 262535984780057536678420307738828511339,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393249
- },
- {
- "func": "TEST_F(QueryPlannerTest, CannotSnapshotWithGeoNear) {\n // Snapshot is skipped with geonear queries.\n addIndex(BSON(\"a\"\n << \"2d\"));\n runQuerySnapshot(fromjson(\"{a: {$near: [0,0]}}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\"{geoNear2d: {a: '2d'}}\");\n}",
- "project": "mongo",
- "hash": 174758414770418918464730071548361354992,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393250
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundAndNonCompoundIndices) {\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"a\" << 1 << \"b\" << 1), true);\n runQuery(fromjson(\"{a: 1, b: {$gt: 2, $lt: 2}}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 3U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$and:[{b:{$lt:2}},{b:{$gt:2}}]}, node: \"\n \"{ixscan: {pattern: {a:1}, bounds: {a: [[1,1,true,true]]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {b:{$gt:2}}, node: \"\n \"{ixscan: {pattern: {a:1,b:1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [[-Infinity,2,true,false]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 100976914605888038753037488244398650517,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393251
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundIndexBoundsRangeAndEquality) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{a: {$gt: 8}, b: 6}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1}, bounds: \"\n \"{a: [[8,Infinity,false,true]], b:[[6,6,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 303913323491822068072328094607254401805,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393252
- },
- {
- "func": "TEST_F(QueryPlannerTest, SortKeyMetaProjectionCovered) {\n addIndex(BSON(\"a\" << 1));\n\n runQuerySortProj(\n BSONObj(), fromjson(\"{a: 1}\"), fromjson(\"{_id: 0, a: 1, b: {$meta: 'sortKey'}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: {$meta: 'sortKey'}}, node: \"\n \"{sort: {limit: 0, pattern: {a: 1}, node: \"\n \"{sortKeyGen: {node: \"\n \"{cscan: {dir: 1}}}}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: {$meta: 'sortKey'}}, node: \"\n \"{sortKeyGen: {node: \"\n \"{ixscan: {pattern: {a: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 242166331468940430880233709378215765089,
- "size": 17,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393253
- },
- {
- "func": "TEST_F(QueryPlannerTest, AndSortedRequiresKeepMutations) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n params.options |= QueryPlannerParams::INDEX_INTERSECTION;\n\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n runQuery(fromjson(\"{a: 2, b: 3}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\"{fetch: {filter: {a: 2}, node: {ixscan: {pattern: {b: 1}}}}}\");\n assertSolutionExists(\"{fetch: {filter: {b: 3}, node: {ixscan: {pattern: {a: 1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {keep: {node: {andSorted: {nodes: [\"\n \"{ixscan: {pattern: {a: 1}}},\"\n \"{ixscan: {pattern: {b: 1}}}]}}}}}}\");\n}",
- "project": "mongo",
- "hash": 253260122049949321831971579853336369142,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393254
- },
- {
- "func": "TEST_F(QueryPlannerTest, CompoundIndexBoundsEqualityThenIn) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{a: 5, b: {$in: [2,6,11]}}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {filter: null, pattern: \"\n \"{a: 1, b: 1}, bounds: {a: [[5,5,true,true]], \"\n \"b:[[2,2,true,true],[6,6,true,true],[11,11,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 78441643973693397503121918533120937642,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393255
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExprEqCanUseHashedIndex) {\n params.options &= ~QueryPlannerParams::INCLUDE_COLLSCAN;\n addIndex(BSON(\"a\"\n << \"hashed\"));\n runQuery(fromjson(\"{a: {$_internalExprEq: 1}}\"));\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\n \"{fetch: {filter: {a: {$_internalExprEq: 1}}, node: {ixscan: {filter: null, pattern: {a: \"\n \"'hashed'}}}}}\");\n}",
- "project": "mongo",
- "hash": 45470536484900512823885057839057168384,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393256
- },
- {
- "func": "TEST_F(QueryPlannerTest, ShardFilterBasicCovered) {\n params.options = QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"a\" << 1);\n addIndex(BSON(\"a\" << 1));\n\n runQuery(fromjson(\"{a: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {node: \"\n \"{sharding_filter: {node: \"\n \"{ixscan: {pattern: {a: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 238744588386417890390600708409490648755,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393257
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCollscanIfNoCoveredIxscans) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {a: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {a: 1}, node:\"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 290928087262263208529349436503578400209,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393258
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCollscanIfIndexIsPartial) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n AlwaysFalseMatchExpression matchExpr;\n addIndex(BSON(\"a\" << 1), &matchExpr);\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 211604223019744552254625915390710138285,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393259
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoFetchNoKeep) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n addIndex(BSON(\"x\" << 1));\n // query, sort, proj\n runQuerySortProj(fromjson(\"{ x : {$gt: 1}}\"), BSONObj(), fromjson(\"{_id: 0, x: 1}\"));\n\n // cscan is a soln but we override the params that say to include it.\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, x: 1}, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 277376313941274197280489738479057459039,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393260
- },
- {
- "func": "TEST_F(QueryPlannerTest, RootedOrOfAndCollapseTwoScansButNotThirdWithFilters) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1 << \"d\" << 1));\n runQuery(fromjson(\"{$or: [{a:1, b:2, e:5}, {c:3, d:4}, {a:1, b:2, f:6}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{fetch: {filter: {$or: [{f:6},{e:5}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, filter: null,\"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]}}}}},\"\n \"{ixscan: {pattern: {c: 1, d: 1}, filter: null,\"\n \"bounds: {c: [[3,3,true,true]], d: [[4,4,true,true]]}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 202393875852333046546800452343344317933,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393261
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonPrefixRegexAnd) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{a: /foo/, b: 2}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {$and: [{b: 2}, {a: /foo/}]}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: {a: /foo/}, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 220691407855418747782596468263328542908,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393262
- },
- {
- "func": "TEST_F(QueryPlannerTest, SparseIndexForQuery) {\n addIndex(fromjson(\"{a: 1}\"), false, true);\n runQuerySortProj(fromjson(\"{a: 1}\"), BSONObj(), BSONObj());\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {a: 1}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 253238169784656761122932246735508259773,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393263
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExplodeForSortWorksWithShardingFilter) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n params.options |= QueryPlannerParams::INCLUDE_SHARD_FILTER;\n params.shardKey = BSON(\"c\" << 1);\n\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{a: {$in: [1, 3]}}\"), fromjson(\"{b: 1}\"), BSONObj());\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sharding_filter: {node: {fetch: {filter: null, node: {mergeSort: {nodes: [\"\n \"{ixscan: {pattern: {a:1,b:1}, filter: null, bounds: {a: [[1,1,true,true]], b: \"\n \"[['MinKey','MaxKey',true,true]]}}},\"\n \"{ixscan: {pattern: {a:1,b:1}, filter: null, bounds: {a: [[3,3,true,true]], b: \"\n \"[['MinKey','MaxKey',true,true]]}}}]}}}}}}\");\n}",
- "project": "mongo",
- "hash": 334860856459779809487785211062748929787,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393264
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExprEqCanUseSparseIndexForEqualityToNull) {\n params.options &= ~QueryPlannerParams::INCLUDE_COLLSCAN;\n addIndex(fromjson(\"{a: 1}\"), false, true);\n runQuery(fromjson(\"{a: {$_internalExprEq: null}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: {a: {$_internalExprEq: null}}, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1}, bounds: {a: [[null,null,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 272938113521193643590583578514502893559,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393265
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonPrefixRegex) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{a: /foo/}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {a: /foo/}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: \"\n \"{ixscan: {filter: {a: /foo/}, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 58888288642162884179227581976788910826,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393266
- },
- {
- "func": "TEST_F(QueryPlannerTest, CantUseHashedIndexToProvideSortWithIndexablePred) {\n addIndex(BSON(\"x\"\n << \"hashed\"));\n runQuerySortProj(BSON(\"x\" << BSON(\"$in\" << BSON_ARRAY(0 << 1))), BSON(\"x\" << 1), BSONObj());\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{sort: {pattern: {x: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: \"\n \"{ixscan: {pattern: {x: 'hashed'}}}}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {x: 1}, limit: 0, node: {sortKeyGen: {node:\"\n \"{cscan: {dir: 1, filter: {x: {$in: [0, 1]}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 182456968720263497029298469352426557002,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393267
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectCompoundInsteadUnusedField2) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1 << \"d\" << 1));\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n runQuery(fromjson(\"{a: 1, c: 1}\"));\n\n assertNumSolutions(3U);\n assertSolutionExists(\n \"{fetch: {filter: {c:1}, node: \"\n \"{ixscan: {filter: null, pattern: {a:1,b:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a:1}, node: \"\n \"{ixscan: {filter: null, pattern: {c:1,d:1}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: \"\n \"{ixscan: {filter: null, pattern: {a:1,b:1,c:1}}}}}\");\n}",
- "project": "mongo",
- "hash": 277064692569477904442279866369232506178,
- "size": 18,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393268
- },
- {
- "func": "TEST_F(QueryPlannerTest, GreaterThan) {\n addIndex(BSON(\"x\" << 1));\n\n runQuery(BSON(\"x\" << BSON(\"$gt\" << 5)));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {x: {$gt: 5}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 289483424517436880639404561237405340033,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393269
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectSubtreeAndPred) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n runQuery(fromjson(\"{a: 1, $or: [{b:1}, {c:1}]}\"));\n\n // This (can be) rewritten to $or:[ {a:1, b:1}, {c:1, d:1}]. We don't look for the various\n // single $or solutions as that's tested elsewhere. We look for the intersect solution,\n // where each AND inside of the root OR is an and_sorted.\n size_t matches = 0;\n matches += numSolutionMatches(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {'a':1}}},\"\n \"{ixscan: {filter: null, pattern: {'b':1}}}]}},\"\n \"{andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {'a':1}}},\"\n \"{ixscan: {filter: null, pattern: {'c':1}}}]}}]}}}}\");\n matches += numSolutionMatches(\n \"{fetch: {filter: null, node: {andHash: {nodes:[\"\n \"{or: {nodes: [{ixscan:{filter:null, pattern:{b:1}}},\"\n \"{ixscan:{filter:null, pattern:{c:1}}}]}},\"\n \"{ixscan:{filter: null, pattern:{a:1}}}]}}}}\");\n ASSERT_GREATER_THAN_OR_EQUALS(matches, 1U);\n}",
- "project": "mongo",
- "hash": 169707938116751669836765944772245757198,
- "size": 26,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393270
- },
- {
- "func": "TEST_F(QueryPlannerTest, NorWithSingleChildCanUseIndexAfterComplementingBounds) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$nor: [{a: {$lt: 3}}]}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: {pattern: {a: 1}, bounds:\"\n \"{a: [['MinKey', -Infinity, true, false], [3, 'MaxKey', true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 222772881100399348754526516748782218758,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393271
- },
- {
- "func": "TEST_F(QueryPlannerTest, CantUseCompound) {\n addIndex(BSON(\"x\" << 1 << \"y\" << 1));\n runQuery(fromjson(\"{ y: 10}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\"{cscan: {dir: 1, filter: {y: 10}}}\");\n}",
- "project": "mongo",
- "hash": 161850587053192943290220532687269000036,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393272
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrNot) {\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n\n runQuery(fromjson(\"{$and: [{$nor: [{a: 5}]}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [[6, 6, true, true]], a: [['MinKey', 5, \"\n \"true, false], [5, 'MaxKey', false, true]]}}},\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [['MinKey', 5, \"\n \"true, false], [5, 'MaxKey', false, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 40906831780605085557890608155888552053,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393273
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicateIsLeadingFieldForOneOrBranch) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"c\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{b: 6}, {c: 7}]}]}\"));\n assertNumSolutions(3);\n assertSolutionExists(\n \"{fetch: {filter: {a: 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]]}}},\"\n \"{ixscan: {pattern: {c: 1}, bounds: {c: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{b: 6}, {c: 7}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 332840356974925368121906284476087523787,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393274
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPushdownIndexedExpr) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n runQuery(\n fromjson(\"{$expr: {$and: [{$eq: ['$d', 'd']}, {$eq: ['$a', 'a']}]},\"\n \"$or: [{b: 'b'}, {b: 'c'}]}\"));\n assertNumSolutions(3);\n // When we have path-level multikey info, we ensure that predicates are assigned in order of\n // index position.\n assertSolutionExists(\n \"{fetch: {node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1}, filter: null, bounds: {a: [['a', 'a', true, true]], b: \"\n \"[['b', 'b', true, true]]}}},\"\n \"{ixscan: {pattern: {a: 1, b: 1}, filter: null, bounds: {a: [['a', 'a', true, true]], b: \"\n \"[['c', 'c', true, true]]}}}]}}}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1}, filter: null,\"\n \"bounds: {a: [['a', 'a', true, true]], b: [['MinKey', 'MaxKey', true, true]]}}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 149743931258119654374504120786715859700,
- "size": 20,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393275
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrOfAnd3) {\n addIndex(BSON(\"a\" << 1));\n runQuery(fromjson(\"{$or: [{a:{$gt:1,$lt:5},b:6}, {a:3,b:{$gt:0,$lt:10}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b:6}, node: {ixscan: {pattern: {a:1}, \"\n \"bounds: {a: [[1,5,false,false]]}}}}}, \"\n \"{fetch: {filter: {$and:[{b:{$lt:10}},{b:{$gt:0}}]}, node: \"\n \"{ixscan: {pattern: {a:1}, bounds: {a:[[3,3,true,true]]}}}}}]}}\");\n}",
- "project": "mongo",
- "hash": 151604592393962253782661805812009278522,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393276
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationRegexWithIndexablePred) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{$and: [{i: {$not: /o/}}, {i: 2}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {i:1}, \"\n \"bounds: {i: [[2,2,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 86867644659377621293169401998836685194,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393277
- },
- {
- "func": "TEST_F(QueryPlannerTest, RootedOrOfAndCollapseScansExistingOrFilter) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuery(fromjson(\"{$or: [{a:1, b:2, $or: [{c:3}, {d:4}]}, {a:1, b:2, e:5}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{e:5},{c:3},{d:4}]}, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1, b: 1}, \"\n \"bounds: {a: [[1,1,true,true]], b: [[2,2,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 183025019723817036462755753860747723810,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393278
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsBoundsCompound) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n runQuery(fromjson(\"{a: 1, b: {$exists: true}}\"));\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {b: {$exists: true}}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [['MinKey','MaxKey',true,true]]}}}}}\");\n\n // This ends up being a double negation, which we currently don't index.\n runQuery(fromjson(\"{a: 1, b: {$not: {$exists: false}}}\"));\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1, b: 1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [['MinKey','MaxKey',true,true]]}}}}}\");\n\n runQuery(fromjson(\"{a: 1, b: {$exists: false}}\"));\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {b: {$exists: false}}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [[null,null,true,true]]}}}}}\");\n\n runQuery(fromjson(\"{a: 1, b: {$not: {$exists: true}}}\"));\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {b: {$exists: false}}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1}, bounds: \"\n \"{a: [[1,1,true,true]], b: [[null,null,true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 125158764882493274109982582992109673579,
- "size": 35,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393279
- },
- {
- "func": "TEST_F(QueryPlannerTest, IntersectElemMatch) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::INDEX_INTERSECTION;\n addIndex(BSON(\"a.b\" << 1));\n addIndex(BSON(\"a.c\" << 1));\n runQuery(fromjson(\"{a : {$elemMatch: {b:1, c:1}}}\"));\n assertSolutionExists(\n \"{fetch: {filter: {a:{$elemMatch:{b:1, c:1}}},\"\n \"node: {andSorted: {nodes: [\"\n \"{ixscan: {filter: null, pattern: {'a.b':1}}},\"\n \"{ixscan: {filter: null, pattern: {'a.c':1}}}]}}}}\");\n}",
- "project": "mongo",
- "hash": 320964980053163143904843670034929075538,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393280
- },
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCollscanIfIndexIsText) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a\"\n << \"text\"));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 117629946431208117782871010324019852525,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393281
- },
- {
- "func": "TEST_F(QueryPlannerTest, InvalidUtf8CodePointDoesNotLeadToInvalidIndexBoundsInvariantFailure) {\n params.options &= ~QueryPlannerParams::INCLUDE_COLLSCAN;\n addIndex(BSON(\"a\" << 1));\n\n // This UTF-8 is encoded correctly in the sense that it maps to a sequence of code points. The\n // code point 0x110000 is considered invalid. This does not result in an error because it does\n // not trigger a bounds building invariant.\n auto invalidCodePoint = std::string{\"\\xf4\\x90\\x80\\x80\"};\n auto findCommandWithInvalidCodepoint = BSON(\"find\"\n << \"testns\"\n << \"filter\"\n << BSON(\"a\" << BSON(\"$regex\" << invalidCodePoint)));\n runQueryAsCommand(findCommandWithInvalidCodepoint);\n}",
- "project": "mongo",
- "hash": 2842056339844703032411095636280103734,
- "size": 14,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393282
- },
- {
- "func": "TEST_F(QueryPlannerTest, SparseIndexHintForSort) {\n addIndex(fromjson(\"{a: 1}\"), false, true);\n runQuerySortHint(BSONObj(), fromjson(\"{a: 1}\"), fromjson(\"{a: 1}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 271294755955914177493512984844352591951,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393283
- },
- {
- "func": "TEST_F(QueryPlannerTest, OrTwoInexactFetch) {\n // true means multikey\n addIndex(BSON(\"names\" << 1), true);\n runQuery(\n fromjson(\"{$or: [{names: {$elemMatch: {$eq: 'alexandra'}}},\"\n \"{names: {$elemMatch: {$eq: 'thomas'}}}]}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: \"\n \"{$or: [{names: {$elemMatch: {$eq: 'alexandra'}}},\"\n \"{names: {$elemMatch: {$eq: 'thomas'}}}]}, \"\n \"node: {ixscan: {filter: null, pattern: {names: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 201166907590471533337364087775876821525,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393284
- },
- {
- "func": "TEST_F(QueryPlannerTest, SkipEvaluatesBeforeFetchForIndexedOr) {\n addIndex(fromjson(\"{a: 1}\"));\n\n runQuerySkipNToReturn(fromjson(\"{$or: [{a: 5}, {a: 7}]}\"), 8, 0);\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{skip: {n: 8, node: \"\n \"{cscan: {dir: 1, filter: {$or: [{a: 5}, {a: 7}]}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: null, node: {skip: {n: 8, node: \"\n \"{ixscan: {filter: null, pattern: {a: 1}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 77768869984828107986831215769734579067,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393285
- },
- {
- "func": "TEST_F(QueryPlannerTest, PlannerUsesCoveredIxscanForCountWhenIndexSatisfiesQuery) {\n params.options = QueryPlannerParams::IS_COUNT;\n addIndex(BSON(\"x\" << 1));\n runQuery(BSON(\"x\" << 5));\n ASSERT_EQUALS(getNumSolutions(), 1U);\n assertSolutionExists(\"{ixscan: {pattern: {x: 1}, bounds: {x: [[5,5,true,true]]}}}\");\n}",
- "project": "mongo",
- "hash": 175842747209697880545730983573002847492,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393286
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationRegexPrefix) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: /^a/}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 69077011353031366389395586070589039072,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393287
- },
- {
- "func": "TEST_F(QueryPlannerTest, BasicCovering) {\n addIndex(BSON(\"x\" << 1));\n // query, sort, proj\n runQuerySortProj(fromjson(\"{ x : {$gt: 1}}\"), BSONObj(), fromjson(\"{_id: 0, x: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, x: 1}, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, x: 1}, node: \"\n \"{cscan: {dir: 1, filter: {x:{$gt:1}}}}}}\");\n}",
- "project": "mongo",
- "hash": 54294114790576939730099398654716730000,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393288
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCombineLeadingFields) {\n MultikeyPaths multikeyPaths{{}, {0U}};\n addIndex(BSON(\"a\" << 1 << \"c\" << 1), multikeyPaths);\n addIndex(BSON(\"b\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: {$gte: 0}}, {$or: [{a: {$lte: 10}}, {b: 6}]}]}\"));\n assertNumSolutions(3);\n assertSolutionExists(\n \"{fetch: {filter: {a: {$gte: 0}}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[0, 10, true, true]]}}},\"\n \"{ixscan: {pattern: {b: 1}, bounds: {b: [[6, 6, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{a: {$lte: 10}}, {b: 6}]}, node: \"\n \"{ixscan: {pattern: {a: 1, c: 1}, bounds: {a: [[0, Infinity, true, true]], c: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 155281092184074099208446772794504907544,
- "size": 19,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393289
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrMoveToNot) {\n addIndex(BSON(\"b\" << 1 << \"a\" << 1));\n addIndex(BSON(\"c\" << 1 << \"a\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{$nor: [{b: 6}]}, {c: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {b: 1, a: 1}, bounds: {b: [['MinKey', 6, true, false], [6, 'MaxKey', \"\n \"false, true]], a: [[5, 5, true, true]]}}},\"\n \"{ixscan: {pattern: {c: 1, a: 1}, bounds: {c: [[7, 7, true, true]], a: [[5, 5, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 213729539101166010940035631948644649879,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393290
- },
- {
- "func": "TEST_F(QueryPlannerTest, DottedFieldCovering) {\n addIndex(BSON(\"a.b\" << 1));\n runQuerySortProj(fromjson(\"{'a.b': 5}\"), BSONObj(), fromjson(\"{_id: 0, 'a.b': 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, 'a.b': 1}, node: \"\n \"{cscan: {dir: 1, filter: {'a.b': 5}}}}}\");\n // SERVER-2104\n // assertSolutionExists(\"{proj: {spec: {_id: 0, 'a.b': 1}, node: {'a.b': 1}}}\");\n}",
- "project": "mongo",
- "hash": 252303085438880243877553443544280490680,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393291
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoSplitLimitedSortAsCommand) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n params.options |= QueryPlannerParams::SPLIT_LIMITED_SORT;\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"b\" << 1));\n\n runQueryAsCommand(fromjson(\"{find: 'testns', filter: {a: 1}, sort: {b: 1}, limit: 3}\"));\n\n assertNumSolutions(2U);\n assertSolutionExists(\n \"{limit: {n: 3, node: {fetch: {filter: {a:1}, node: \"\n \"{ixscan: {filter: null, pattern: {b: 1}}}}}}}\");\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 3, node: {sortKeyGen: {node: {fetch: {filter: null,\"\n \"node: {ixscan: {pattern: {a: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 208303354247039405446907084050815185041,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393292
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonPrefixRegexAndCovering) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n runQuerySortProj(fromjson(\"{a: /foo/, b: 2}\"), BSONObj(), fromjson(\"{_id: 0, a: 1, b: 1}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1}, node: \"\n \"{cscan: {dir: 1, filter: {$and: [{b: 2}, {a: /foo/}]}}}}}\");\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1, b: 1}, node: \"\n \"{ixscan: {filter: {a: /foo/}, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 50345321256951567932018564632635588385,
- "size": 12,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393293
- },
- {
- "func": "TEST_F(QueryPlannerTest, MinMaxSameValue) {\n addIndex(BSON(\"a\" << 1));\n runInvalidQueryHintMinMax(BSONObj(), BSONObj(), fromjson(\"{a: 1}\"), fromjson(\"{a: 1}\"));\n}",
- "project": "mongo",
- "hash": 270178985969896263715797926918091708170,
- "size": 4,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393294
- },
- {
- "func": "TEST_F(QueryPlannerTest, ExistsFalseSparseIndex) {\n addIndex(BSON(\"x\" << 1), false, true);\n\n runQuery(fromjson(\"{x: {$exists: false}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 192831850574511324727515642837668113665,
- "size": 8,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393295
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonPrefixRegexMultikey) {\n // true means multikey\n addIndex(BSON(\"a\" << 1), true);\n runQuery(fromjson(\"{a: /foo/}\"));\n\n ASSERT_EQUALS(getNumSolutions(), 2U);\n assertSolutionExists(\"{cscan: {filter: {a: /foo/}, dir: 1}}\");\n assertSolutionExists(\n \"{fetch: {filter: {a: /foo/}, node: {ixscan: \"\n \"{pattern: {a: 1}, filter: null}}}}\");\n}",
- "project": "mongo",
- "hash": 69943051380359601589589594005310129476,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393296
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationMod) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$mod: [2, 1]}}}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 81887573140276528337016371224942700995,
- "size": 7,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393297
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPredicateIsLeadingFieldMoveToAnd) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1 << \"c\" << 1));\n addIndex(BSON(\"a\" << 1 << \"d\" << 1));\n\n runQuery(fromjson(\"{$and: [{a: 5}, {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}]}\"));\n assertNumSolutions(4);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1}, bounds: {a: [[5, 5, true, true]], b: [[6, 6, true, \"\n \"true]], c: [[7, 7, true, true]]}}},\"\n \"{ixscan: {pattern: {a: 1, d: 1}, bounds: {a: [[5, 5, true, true]], d: [[8, 8, true, \"\n \"true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}, node: \"\n \"{ixscan: {pattern: {a: 1, b: 1, c: 1}, bounds: {a: [[5, 5, true, true]], b: [['MinKey', \"\n \"'MaxKey', true, true]], c: [['MinKey', 'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [{$and: [{b: 6}, {c: 7}]}, {d: 8}]}, node: \"\n \"{ixscan: {pattern: {a: 1, d: 1}, bounds: {a: [[5, 5, true, true]], d: [['MinKey', \"\n \"'MaxKey', true, true]]}}}\"\n \"}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 329185874310788888285730414331445617593,
- "size": 25,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393298
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCannotCompoundFields) {\n MultikeyPaths multikeyPaths{{0U}, {0U}};\n addIndex(BSON(\"a.c\" << 1 << \"a.b\" << 1), multikeyPaths);\n addIndex(BSON(\"d\" << 1));\n\n runQuery(fromjson(\"{$and: [{'a.b': 5}, {$or: [{'a.c': 6}, {d: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {'a.b': 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {'a.c': 1, 'a.b': 1}, bounds: {'a.c': [[6, 6, true, true]], 'a.b': \"\n \"[['MinKey', 'MaxKey', true, true]]}}},\"\n \"{ixscan: {pattern: {d: 1}, bounds: {d: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 128192171279796328968104090575707264706,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393299
- },
- {
- "func": "TEST_F(QueryPlannerTest, ContainedOrPathLevelMultikeyCompoundDottedFields) {\n MultikeyPaths multikeyPaths{{1U}, {1U}};\n addIndex(BSON(\"a.c\" << 1 << \"a.b\" << 1), multikeyPaths);\n addIndex(BSON(\"d\" << 1));\n\n runQuery(fromjson(\"{$and: [{'a.b': 5}, {$or: [{'a.c': 6}, {d: 7}]}]}\"));\n assertNumSolutions(2);\n assertSolutionExists(\n \"{fetch: {filter: {'a.b': 5}, node: {or: {nodes: [\"\n \"{ixscan: {pattern: {'a.c': 1, 'a.b': 1}, bounds: {'a.c': [[6, 6, true, true]], 'a.b': \"\n \"[[5, 5, true, true]]}}},\"\n \"{ixscan: {pattern: {d: 1}, bounds: {d: [[7, 7, true, true]]}}}\"\n \"]}}}}\");\n assertSolutionExists(\"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 114385200911064273267741817409224876858,
- "size": 15,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393300
- },
- {
- "func": "TEST_F(QueryPlannerTest,\n EmptyQueryWithProjectionUsesCoveredIxscanOnDotttedNonMultikeyIndexIfEnabled) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n addIndex(BSON(\"a.b\" << 1));\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, 'a.b': 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, 'a.b': 1}, node: \"\n \"{ixscan: {filter: null, pattern: {'a.b': 1},\"\n \"bounds: {'a.b': [['MinKey', 'MaxKey', true, true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 219074790107576118062412206525868185878,
- "size": 11,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393301
- },
- {
- "func": "TEST_F(QueryPlannerTest, BoundsTypeMinKeyMaxKey) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n addIndex(BSON(\"a\" << 1));\n\n runQuery(fromjson(\"{a: {$type: -1}}\"));\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1}, bounds:\"\n \"{a: [['MinKey','MinKey',true,true]]}}}}}\");\n\n runQuery(fromjson(\"{a: {$type: 127}}\"));\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {pattern: {a: 1}, bounds:\"\n \"{a: [['MaxKey','MaxKey',true,true]]}}}}}\");\n}",
- "project": "mongo",
- "hash": 243178631725294320876220545840102311377,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393302
- },
- {
- "func": "TEST_F(QueryPlannerTest, NonTopLevelIndexedNegationMinQuery) {\n addIndex(BSON(\"state\" << 1));\n addIndex(BSON(\"is_draft\" << 1));\n addIndex(BSON(\"published_date\" << 1));\n\n // This is the min query to reproduce SERVER-13714\n BSONObj queryObj = fromjson(\"{$or:[{state:1, is_draft:1}, {published_date:{$ne: 1}}]}\");\n runQuery(queryObj);\n}",
- "project": "mongo",
- "hash": 59434301988047124918282199792627962780,
- "size": 9,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393303
- },
- {
- "func": "TEST_F(QueryPlannerTest, ElemMatchObjectNegationInArray) {\n addIndex(BSON(\"i.j\" << 1));\n runQuery(fromjson(\"{i: {$elemMatch: {j: {$not: {$in: [[1]]}}}}}\"));\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 301725357979501597480213941733140904552,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422530
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinReverseIndexDirSort) {\n addIndex(BSON(\"a\" << -1));\n\n // Min/max specifies a forward scan with bounds [{a: 8}, {a: 2}]. Asking for\n // an ascending sort reverses the direction of the scan to [{a: 2}, {a: 8}].\n runQueryFull(BSONObj(),\n fromjson(\"{a: 1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 8}\"),\n fromjson(\"{a: 2}\"));\n\n assertNumSolutions(1);\n assertSolutionExists(\n \"{fetch: {node: {ixscan: {filter: null, dir: -1,\"\n \"pattern: {a: -1}}}}}\");\n}",
- "project": "mongo",
- "hash": 52759261307879691642349311864530017080,
- "size": 19,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422531
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinSort) {\n addIndex(BSON(\"a\" << 1));\n\n // Run an empty query, sort {a: 1}, max/min arguments.\n runQueryFull(BSONObj(),\n fromjson(\"{a: 1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 2}\"),\n fromjson(\"{a: 8}\"));\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 171731007345135026512018999321537926630,
- "size": 16,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422548
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatedElemMatchObjectEqArray) {\n addIndex(BSON(\"i.j\" << 1));\n runQuery(fromjson(\"{i: {$not: {$elemMatch: {j: [1]}}}}\"));\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 106807169162194675404291430126893313680,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422553
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationEqArray) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$eq: [1, 2]}}}\"));\n\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 176044595574816834483662292120521115972,
- "size": 6,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422577
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinReverseSort) {\n addIndex(BSON(\"a\" << 1));\n\n // Run an empty query, sort {a: -1}, max/min arguments.\n runQueryFull(BSONObj(),\n fromjson(\"{a: -1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 2}\"),\n fromjson(\"{a: 8}\"));\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, dir: -1, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 144775994354736890012054191785138395635,
- "size": 16,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422598
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinSelectCorrectlyOrderedIndex) {\n // There are both ascending and descending indices on 'a'.\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"a\" << -1));\n\n // The ordering of min and max means that we *must* use the descending index.\n runQueryFull(\n BSONObj(), BSONObj(), BSONObj(), 0, 0, BSONObj(), fromjson(\"{a: 8}\"), fromjson(\"{a: 2}\"));\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, dir: 1, pattern: {a: -1}}}}}\");\n\n // If we switch the ordering, then we use the ascending index.\n // The ordering of min and max means that we *must* use the descending index.\n runQueryFull(\n BSONObj(), BSONObj(), BSONObj(), 0, 0, BSONObj(), fromjson(\"{a: 2}\"), fromjson(\"{a: 8}\"));\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, dir: 1, pattern: {a: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 87050822718152877832565251751125122477,
- "size": 20,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422614
- },
- {
- "func": "TEST_F(QueryPlannerTest, ElemMatchValueNegationEqArray) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$elemMatch: {$not: {$eq: [1]}}}}\"));\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 83775658184517174026849386902532558819,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422616
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegationInArray) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$in: [1, [1, 2]]}}}\"));\n\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 279648609605579823707071567700419614936,
- "size": 6,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422622
- },
- {
- "func": "TEST_F(QueryPlannerTest, ElemMatchObjectNegationEqArray) {\n addIndex(BSON(\"i.j\" << 1));\n runQuery(fromjson(\"{i: {$elemMatch: {j: {$ne: [1]}}}}\"));\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 300827346379378327848576982402894704019,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422640
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinReverseIndexDir) {\n addIndex(BSON(\"a\" << -1));\n\n // Because the index is descending, the min is numerically larger than the max.\n runQueryFull(BSONObj(),\n fromjson(\"{a: -1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 8}\"),\n fromjson(\"{a: 2}\"));\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, dir: 1, pattern: {a: -1}}}}}\");\n}",
- "project": "mongo",
- "hash": 263682038692500832574526899130310056639,
- "size": 16,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422641
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatedElemMatchValueEqArray) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$elemMatch: {$eq: [1]}}}}\"));\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 263620425667224883259005898122669314763,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422655
- },
- {
- "func": "TEST_F(QueryPlannerTest, ElemMatchValueNegationInArray) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$elemMatch: {$not: {$in: [[1]]}}}}\"));\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 68475187401535216593166835815033951959,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422665
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatedElemMatchObjectInArray) {\n addIndex(BSON(\"i.j\" << 1));\n runQuery(fromjson(\"{i: {$not: {$elemMatch: {j: {$in: [[1]]}}}}}\"));\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 254419850265064827291049506299864389320,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422669
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinBadHintSelectsReverseIndex) {\n // There are both ascending and descending indices on 'a'.\n addIndex(BSON(\"a\" << 1));\n addIndex(BSON(\"a\" << -1));\n\n // A query hinting on {a: 1} is bad if min is {a: 8} and {a: 2} because this\n // min/max pairing requires a descending index.\n runInvalidQueryFull(BSONObj(),\n BSONObj(),\n BSONObj(),\n 0,\n 0,\n fromjson(\"{a: 1}\"),\n fromjson(\"{a: 8}\"),\n fromjson(\"{a: 2}\"));\n}",
- "project": "mongo",
- "hash": 28157185506823626119452032742196254038,
- "size": 16,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422675
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinSortInequalityFirstSortSecond) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n // Run an empty query, sort {b: 1}, max/min arguments.\n runQueryFull(BSONObj(),\n fromjson(\"{b: 1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 1, b: 1}\"),\n fromjson(\"{a: 2, b: 2}\"));\n\n assertNumSolutions(1);\n assertSolutionExists(\n \"{sort: {pattern: {b: 1}, limit: 0, node: {sortKeyGen: {node: \"\n \"{fetch: {node: \"\n \"{ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 323642933439668116381512192073258559765,
- "size": 19,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422676
- },
- {
- "func": "TEST_F(QueryPlannerTest, MaxMinSortEqualityFirstSortSecond) {\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n\n // Run an empty query, sort {b: 1}, max/min arguments.\n runQueryFull(BSONObj(),\n fromjson(\"{b: 1}\"),\n BSONObj(),\n 0,\n 0,\n BSONObj(),\n fromjson(\"{a: 1, b: 1}\"),\n fromjson(\"{a: 1, b: 2}\"));\n\n assertNumSolutions(1);\n assertSolutionExists(\"{fetch: {node: {ixscan: {filter: null, pattern: {a: 1, b: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 158008272772826678805230892209160078817,
- "size": 16,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422687
- },
- {
- "func": "TEST_F(QueryPlannerTest, NegatedElemMatchValueInArray) {\n addIndex(BSON(\"i\" << 1));\n runQuery(fromjson(\"{i: {$not: {$elemMatch: {$in: [[1]]}}}}\"));\n assertHasOnlyCollscan();\n}",
- "project": "mongo",
- "hash": 154877265717508584451250076485643803793,
- "size": 5,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422688
- },
- {
- "func": "TEST_F(QueryPlannerTest, NToReturnHackWithFindCommand) {\n params.options |= QueryPlannerParams::SPLIT_LIMITED_SORT;\n\n runQueryAsCommand(fromjson(\"{find: 'testns', sort: {a:1}, ntoreturn:3}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{ensureSorted: {pattern: {a: 1}, node: \"\n \"{or: {nodes: [\"\n \"{sort: {limit:3, pattern: {a:1}, node: {sortKeyGen: {node: {cscan: {dir:1}}}}}}, \"\n \"{sort: {limit:0, pattern: {a:1}, node: {sortKeyGen: {node: {cscan: {dir:1}}}}}}\"\n \"]}}}}\");\n}",
- "project": "mongo",
- "hash": 253569964028454982379754381623470841138,
- "size": 13,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392947
- },
- {
- "func": "TEST_F(QueryPlannerTest, NToReturnHackWithSingleBatch) {\n params.options |= QueryPlannerParams::SPLIT_LIMITED_SORT;\n\n runQueryAsCommand(fromjson(\"{find: 'testns', sort: {a:1}, ntoreturn:3, singleBatch:true}\"));\n\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{sort: {pattern: {a:1}, limit:3, node: {sortKeyGen: {node: \"\n \"{cscan: {dir:1, filter: {}}}}}}}\");\n}",
- "project": "mongo",
- "hash": 193009886617362016199398427674325904470,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393064
- },
- {
- "func": "TEST_IMPL(utf8_decode1_overrun) {\n const char* p;\n char b[1];\n\n /* Single byte. */\n p = b;\n b[0] = 0x7F;\n ASSERT_EQ(0x7F, uv__utf8_decode1(&p, b + 1));\n ASSERT_EQ(p, b + 1);\n\n /* Multi-byte. */\n p = b;\n b[0] = 0xC0;\n ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1));\n ASSERT_EQ(p, b + 1);\n\n return 0;\n}",
- "project": "libuv",
- "hash": 191201424006364742227765802834063248060,
- "size": 18,
- "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae",
- "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>\nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig <cjihrig@gmail.com>\nReviewed-By: Richard Lau <riclau@uk.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 326146
- },
- {
- "func": "TEST_F(QueryPlannerTest, LockstepOrEnumerationDoesPrioritizeLockstepIteration) {\n params.options =\n QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::ENUMERATE_OR_CHILDREN_LOCKSTEP;\n ASSERT_EQ(internalQueryEnumerationMaxOrSolutions.load(), 10);\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"a\" << 1 << \"d\" << 1));\n\n // For this query and the above indexes, each clause of the $or has three options to choose\n // from, for a total of 3 * 3 * 3 = 27 possible enumerations for just that $or sub-branch.\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {a: 1, $or: [{b: 1, c: 1, d: 1}, {b: 2, c: 2, d: 2}, \"\n \"{b: 3, c: 3, d: 3}]}}\"));\n\n // The $or enumeration is limited to 10, and then we have three plans where just the {a: 1}\n // predicate is indexed.\n assertNumSolutions(13U);\n\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c: {$eq: 1}, d: {$eq: 1}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2}, d: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}} \"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: {$eq: 1}, d: {$eq: 1}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2}, d: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}} \"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: {$eq: 1}, c: {$eq: 1}}, node: {ixscan: {pattern: {a: 1, d: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2}, c: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, d: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 3}, c: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, d: 1}}}}} \"\n \"]}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [\"\n \"{b: {$eq: 1}, c: {$eq: 1}, d: 
{$eq: 1}}, \"\n \"{b: {$eq: 2}, c: {$eq: 2}, d: {$eq: 2}}, \"\n \"{b: {$eq: 3}, c: {$eq: 3}, d: {$eq: 3}} \"\n \"]}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}}\");\n}",
- "project": "mongo",
- "hash": 138190832869173379176856823647358948538,
- "size": 43,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392972
- },
- {
- "func": "TEST_F(QueryPlannerTest, NormalOrEnumerationDoesNotPrioritizeLockstepIteration) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n ASSERT_EQ(internalQueryEnumerationMaxOrSolutions.load(), 10);\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"a\" << 1 << \"d\" << 1));\n\n // For this query and the above indexes, each clause of the $or has three options to choose\n // from, for a total of 3 * 3 * 3 = 27 possible enumerations for just that $or sub-branch.\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {a: 1, $or: [{b: 1, c: 1, d: 1}, {b: 2, c: 2, d: 2}, \"\n \"{b: 3, c: 3, d: 3}]}}\"));\n\n // The $or enumeration is limited to 10, and then we have three plans where just the {a: 1}\n // predicate is indexed.\n assertNumSolutions(13U);\n\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c: {$eq: 1}, d: {$eq: 1}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2}, d: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}} \"\n \"]}}\");\n // Because we did not set the 'ENUMERATE_OR_CHILDREN_LOCKSTEP' flag, we don't expect this\n // solution to be generated. 
This is in contrast to the next test case.\n ASSERT_THROWS(\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: {$eq: 1}, c: {$eq: 1}}, node: {ixscan: {pattern: {a: 1, d: \"\n \"1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2}, c: {$eq: 2}}, node: {ixscan: {pattern: {a: 1, d: \"\n \"1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 3}, c: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, d: \"\n \"1}}}}} \"\n \"]}}\"),\n unittest::TestAssertionFailureException);\n\n // We still expect to generate the solutions which don't index the $or.\n assertSolutionExists(\n \"{fetch: {filter: {$or: [\"\n \"{b: {$eq: 1}, c: {$eq: 1}, d: {$eq: 1}}, \"\n \"{b: {$eq: 2}, c: {$eq: 2}, d: {$eq: 2}}, \"\n \"{b: {$eq: 3}, c: {$eq: 3}, d: {$eq: 3}} \"\n \"]}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}}\");\n}",
- "project": "mongo",
- "hash": 127599942447419113041252219928399911091,
- "size": 45,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393058
- },
- {
- "func": "TEST_F(QueryPlannerTest, LockstepOrEnumerationDoesPrioritizeLockstepIterationMixedChildren) {\n params.options =\n QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::ENUMERATE_OR_CHILDREN_LOCKSTEP;\n ASSERT_EQ(internalQueryEnumerationMaxOrSolutions.load(), 10);\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"a\" << 1 << \"d\" << 1));\n addIndex(BSON(\"a\" << 1 << \"e\" << 1));\n\n // For this query and the above indexes, each clause of the $or has a varying number options to\n // choose from, for a total of 2 * 3 * 4 * 2 = 48 possible enumerations for just that $or\n // sub-branch.\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {\"\n \" a: 1,\"\n \" $or: [\"\n \" {b: 2.1, c: 2.1},\"\n \" {b: 3, c: 3, d: 3},\"\n \" {b: 4, c: 4, d: 4, e: 4},\"\n \" {b: 2.2, c: 2.2}\"\n \"]}}\"));\n\n // The $or enumeration is limited to 10, and then we have four plans where just the {a: 1}\n // predicate is indexed.\n assertNumSolutions(14U);\n\n // Lockstep enumerations. 
Definitely expected.\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 4}, d: {$eq: 4}, e: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}\"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, d: {$eq: 4}, e: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}\"\n \"]}}\");\n // Everyone advances one more time, no longer lock step.\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 3}, c: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, d: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, c: {$eq: 4}, e: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, d: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}\"\n \"]}}\");\n // Normal enumeration. Here we observe an interesting phenomena. Before we get into plan\n // enumeration, the query is parsed and \"normalized\". This process involves putting the query in\n // a canonical order, in part so that similar queries can be recognized as such for caching. In\n // this case, it orders the $or children by their respective number of children. 
So our original\n // query will be enumerated as if it were typed in this order:\n // {a: 1,\n // $or: [\n // {b: 2.1, c: 2.1},\n // {b: 2.2, c: 2.2},\n // {b: 3, c: 3, d: 3},\n // {b: 4, c: 4, d: 4, e: 4}\n // ]\n // }\n // Here are the exact plans:\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 3}, c: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, d: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, c: {$eq: 4}, e: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, d: 1}}}}}\"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 3}, c: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, d: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, c: {$eq: 4}, e: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, d: 1}}}}}\"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 3}, c: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, d: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, c: {$eq: 4}, e: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, d: 1}}}}}\"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, c: {$eq: 4}, d: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, e: 1}}}}}\"\n \"]}}\");\n 
assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, c: {$eq: 4}, d: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, e: 1}}}}}\"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {c: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, c: {$eq: 4}, d: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, e: 1}}}}}\"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \"{fetch: {filter: {b: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \"{fetch: {filter: {c: {$eq: 3}, d: {$eq: 3}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \"{fetch: {filter: {b: {$eq: 4}, c: {$eq: 4}, d: {$eq: 4}},\"\n \" node: {ixscan: {pattern: {a: 1, e: 1}}}}}\"\n \"]}}\");\n\n // Now to the solutions which don't index the $or.\n assertSolutionExists(\n \"{fetch: {filter: {$or: [\"\n \"{b: {$eq: 2.1}, c: {$eq: 2.1}}, \"\n \"{b: {$eq: 2.2}, c: {$eq: 2.2}}, \"\n \"{b: {$eq: 3}, c: {$eq: 3}, d: {$eq: 3}}, \"\n \"{b: {$eq: 4}, c: {$eq: 4}, d: {$eq: 4}, e: {$eq: 4}} \"\n \"]}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [\"\n \"{b: {$eq: 2.1}, c: {$eq: 2.1}}, \"\n \"{b: {$eq: 2.2}, c: {$eq: 2.2}}, \"\n \"{b: {$eq: 3}, c: {$eq: 3}, d: {$eq: 3}}, \"\n \"{b: {$eq: 4}, c: {$eq: 4}, d: {$eq: 4}, e: {$eq: 4}} \"\n \"]}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: 
[\"\n \"{b: {$eq: 2.1}, c: {$eq: 2.1}}, \"\n \"{b: {$eq: 2.2}, c: {$eq: 2.2}}, \"\n \"{b: {$eq: 3}, c: {$eq: 3}, d: {$eq: 3}}, \"\n \"{b: {$eq: 4}, c: {$eq: 4}, d: {$eq: 4}, e: {$eq: 4}} \"\n \"]}, node: {ixscan: {pattern: {a: 1, d: 1}}}}}}\");\n assertSolutionExists(\n \"{fetch: {filter: {$or: [\"\n \"{b: {$eq: 2.1}, c: {$eq: 2.1}}, \"\n \"{b: {$eq: 2.2}, c: {$eq: 2.2}}, \"\n \"{b: {$eq: 3}, c: {$eq: 3}, d: {$eq: 3}}, \"\n \"{b: {$eq: 4}, c: {$eq: 4}, d: {$eq: 4}, e: {$eq: 4}} \"\n \"]}, node: {ixscan: {pattern: {a: 1, e: 1}}}}}}\");\n}",
- "project": "mongo",
- "hash": 71606015114333085332408170473625445736,
- "size": 153,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393198
- },
- {
- "func": "TEST_F(QueryPlannerTest, LockstepOrEnumerationApplysToEachOrInTree) {\n params.options =\n QueryPlannerParams::NO_TABLE_SCAN | QueryPlannerParams::ENUMERATE_OR_CHILDREN_LOCKSTEP;\n ASSERT_EQ(internalQueryEnumerationMaxOrSolutions.load(), 10);\n addIndex(BSON(\"a\" << 1 << \"b\" << 1));\n addIndex(BSON(\"a\" << 1 << \"c\" << 1));\n addIndex(BSON(\"a\" << 1 << \"x\" << 1));\n addIndex(BSON(\"a\" << 1 << \"y\" << 1));\n\n // For this query and the above indexes, each clause of the $or has 2 indexes to choose from,\n // for a total of 2 * 2 * 2 * 2 = 16 possible enumerations for just that $or sub-branch.\n runQueryAsCommand(\n fromjson(\"{find: 'testns', filter: {\"\n \" a: 1,\"\n \" $or: [\"\n \" {b: 2.1, c: 2.1},\"\n \" {b: 2.2, c: 2.2},\"\n \" {$and: [\"\n \" {unindexed: 'thisPredicateToEnsureNestedOrsAreNotCombined'},\"\n \" {$or: [\"\n \" {x: 3.0, y: 3.0},\"\n \" {x: 3.1, y: 3.1}\"\n \" ]}\"\n \" ]}\"\n \"]}}\"));\n\n // The $or enumeration is limited to 10, and then we have 4 plans where just the {a: 1}\n // predicate is indexed.\n assertNumSolutions(14U);\n\n // Both lockstep enumerations should be present.\n assertSolutionExists(\n \"{or: {nodes: [\"\n \" {fetch: {filter: {c: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \" {fetch: {filter: {c: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, b: 1}}}}}, \"\n \" {fetch: {\"\n \" filter: {unindexed: {$eq: 'thisPredicateToEnsureNestedOrsAreNotCombined'}},\"\n \" node: {\"\n \" or: {nodes: [\"\n \" {fetch: {filter: {y: {$eq: 3.0}}, node: {ixscan: {pattern: {a: 1, x: 1}}}}},\"\n \" {fetch: {filter: {y: {$eq: 3.1}}, node: {ixscan: {pattern: {a: 1, x: 1}}}}}\"\n \" ]}}\"\n \" }}\"\n \"]}}\");\n assertSolutionExists(\n \"{or: {nodes: [\"\n \" {fetch: {filter: {b: {$eq: 2.1}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \" {fetch: {filter: {b: {$eq: 2.2}}, node: {ixscan: {pattern: {a: 1, c: 1}}}}}, \"\n \" {fetch: {\"\n \" filter: {unindexed: {$eq: 
'thisPredicateToEnsureNestedOrsAreNotCombined'}},\"\n \" node: {\"\n \" or: {nodes: [\"\n \" {fetch: {filter: {x: {$eq: 3.0}}, node: {ixscan: {pattern: {a: 1, y: 1}}}}},\"\n \" {fetch: {filter: {x: {$eq: 3.1}}, node: {ixscan: {pattern: {a: 1, y: 1}}}}}\"\n \" ]}}\"\n \" }}\"\n \"]}}\");\n}",
- "project": "mongo",
- "hash": 305320307847511139289598197006264807849,
- "size": 58,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393199
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoTableScanBasic) {\n params.options = QueryPlannerParams::NO_TABLE_SCAN;\n runQuery(BSONObj());\n assertNumSolutions(0U);\n\n addIndex(BSON(\"x\" << 1));\n\n runQuery(BSONObj());\n assertNumSolutions(0U);\n\n runQuery(fromjson(\"{x: {$gte: 0}}\"));\n assertNumSolutions(1U);\n assertSolutionExists(\n \"{fetch: {filter: null, node: {ixscan: \"\n \"{filter: null, pattern: {x: 1}}}}}\");\n}",
- "project": "mongo",
- "hash": 156953879945149079560798668435408448677,
- "size": 16,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393010
- },
- {
- "func": "TEST_F(QueryPlannerTest, NoMutationsForCollscan) {\n params.options = QueryPlannerParams::KEEP_MUTATIONS;\n runQuery(fromjson(\"\"));\n assertSolutionExists(\"{cscan: {dir: 1}}\");\n}",
- "project": "mongo",
- "hash": 119749621657519559928418224758871722815,
- "size": 5,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 393248
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "rawsock_tx_work",
- "rawsock_report_error",
- "rawsock_write_queue_purge"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static void rawsock_report_error(struct sock *sk, int err)\n{\n\tpr_debug(\"sk=%p err=%d\\n\", sk, err);\n\n\tsk->sk_shutdown = SHUTDOWN_MASK;\n\tsk->sk_err = -err;\n\tsk->sk_error_report(sk);\n\n\trawsock_write_queue_purge(sk);\n}",
- "project": "linux",
- "hash": 245998130896381748651117715245493241490,
- "size": 10,
- "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041",
- "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 319219
- },
- {
- "func": "static void rawsock_data_exchange_complete(void *context, struct sk_buff *skb,\n\t\t\t\t\t int err)\n{\n\tstruct sock *sk = (struct sock *) context;\n\n\tBUG_ON(in_irq());\n\n\tpr_debug(\"sk=%p err=%d\\n\", sk, err);\n\n\tif (err)\n\t\tgoto error;\n\n\terr = rawsock_add_header(skb);\n\tif (err)\n\t\tgoto error_skb;\n\n\terr = sock_queue_rcv_skb(sk, skb);\n\tif (err)\n\t\tgoto error_skb;\n\n\tspin_lock_bh(&sk->sk_write_queue.lock);\n\tif (!skb_queue_empty(&sk->sk_write_queue))\n\t\tschedule_work(&nfc_rawsock(sk)->tx_work);\n\telse\n\t\tnfc_rawsock(sk)->tx_work_scheduled = false;\n\tspin_unlock_bh(&sk->sk_write_queue.lock);\n\n\tsock_put(sk);\n\treturn;\n\nerror_skb:\n\tkfree_skb(skb);\n\nerror:\n\trawsock_report_error(sk, err);\n\tsock_put(sk);\n}",
- "project": "linux",
- "hash": 110051069936394327206475216324016531000,
- "size": 37,
- "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041",
- "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 319222
- },
- {
- "func": "static void rawsock_tx_work(struct work_struct *work)\n{\n\tstruct sock *sk = to_rawsock_sk(work);\n\tstruct nfc_dev *dev = nfc_rawsock(sk)->dev;\n\tu32 target_idx = nfc_rawsock(sk)->target_idx;\n\tstruct sk_buff *skb;\n\tint rc;\n\n\tpr_debug(\"sk=%p target_idx=%u\\n\", sk, target_idx);\n\n\tif (sk->sk_shutdown & SEND_SHUTDOWN) {\n\t\trawsock_write_queue_purge(sk);\n\t\treturn;\n\t}\n\n\tskb = skb_dequeue(&sk->sk_write_queue);\n\n\tsock_hold(sk);\n\trc = nfc_data_exchange(dev, target_idx, skb,\n\t\t\t rawsock_data_exchange_complete, sk);\n\tif (rc) {\n\t\trawsock_report_error(sk, rc);\n\t\tsock_put(sk);\n\t}\n}",
- "project": "linux",
- "hash": 223599683806282363453270540410922770133,
- "size": 25,
- "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041",
- "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 319211
- },
- {
- "func": "static int rawsock_add_header(struct sk_buff *skb)\n{\n\t*(u8 *)skb_push(skb, NFC_HEADER_SIZE) = 0;\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 219181297283455318634560520674922386341,
- "size": 6,
- "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041",
- "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 319210
- },
- {
- "func": "static void rawsock_write_queue_purge(struct sock *sk)\n{\n\tpr_debug(\"sk=%p\\n\", sk);\n\n\tspin_lock_bh(&sk->sk_write_queue.lock);\n\t__skb_queue_purge(&sk->sk_write_queue);\n\tnfc_rawsock(sk)->tx_work_scheduled = false;\n\tspin_unlock_bh(&sk->sk_write_queue.lock);\n}",
- "project": "linux",
- "hash": 113994571361944169038639830521104877975,
- "size": 9,
- "commit_id": "26896f01467a28651f7a536143fe5ac8449d4041",
- "message": "net/nfc/rawsock.c: add CAP_NET_RAW check.\n\nWhen creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.\n\nSigned-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 319216
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "_ff_layout_free_lseg",
- "ff_layout_free_mirror_array",
- "ff_layout_put_mirror",
- "ff_layout_free_mirror"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static void ff_layout_free_mirror_array(struct nfs4_ff_layout_segment *fls)\n{\n\tu32 i;\n\n\tfor (i = 0; i < fls->mirror_array_cnt; i++)\n\t\tff_layout_put_mirror(fls->mirror_array[i]);\n}",
- "project": "linux",
- "hash": 202853652078142817100138280602868936903,
- "size": 7,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234393
- },
- {
- "func": "ff_layout_free_layoutstats(struct nfs4_xdr_opaque_data *opaque)\n{\n\tstruct nfs4_ff_layout_mirror *mirror = opaque->data;\n\n\tff_layout_put_mirror(mirror);\n}",
- "project": "linux",
- "hash": 41022782296286178043257841028601189437,
- "size": 6,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234438
- },
- {
- "func": "static void ff_layout_put_mirror(struct nfs4_ff_layout_mirror *mirror)\n{\n\tif (mirror != NULL && refcount_dec_and_test(&mirror->ref))\n\t\tff_layout_free_mirror(mirror);\n}",
- "project": "linux",
- "hash": 331231389817443296763726719989660248577,
- "size": 5,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234467
- },
- {
- "func": "static void _ff_layout_free_lseg(struct nfs4_ff_layout_segment *fls)\n{\n\tif (fls) {\n\t\tff_layout_free_mirror_array(fls);\n\t\tkfree(fls);\n\t}\n}",
- "project": "linux",
- "hash": 286331158025702105393697719811112058889,
- "size": 7,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234454
- },
- {
- "func": "static void ff_layout_free_mirror(struct nfs4_ff_layout_mirror *mirror)\n{\n\tconst struct cred\t*cred;\n\n\tff_layout_remove_mirror(mirror);\n\tkfree(mirror->fh_versions);\n\tcred = rcu_access_pointer(mirror->ro_cred);\n\tput_cred(cred);\n\tcred = rcu_access_pointer(mirror->rw_cred);\n\tput_cred(cred);\n\tnfs4_ff_layout_put_deviceid(mirror->mirror_ds);\n\tkfree(mirror);\n}",
- "project": "linux",
- "hash": 320275016961296103626526590820150554159,
- "size": 13,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234444
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "huge_node",
- "interleave_nid",
- "interleave_nodes"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "int mpol_misplaced(struct page *page, struct vm_area_struct *vma, unsigned long addr)\n{\n\tstruct mempolicy *pol;\n\tstruct zoneref *z;\n\tint curnid = page_to_nid(page);\n\tunsigned long pgoff;\n\tint thiscpu = raw_smp_processor_id();\n\tint thisnid = cpu_to_node(thiscpu);\n\tint polnid = NUMA_NO_NODE;\n\tint ret = -1;\n\n\tpol = get_vma_policy(vma, addr);\n\tif (!(pol->flags & MPOL_F_MOF))\n\t\tgoto out;\n\n\tswitch (pol->mode) {\n\tcase MPOL_INTERLEAVE:\n\t\tpgoff = vma->vm_pgoff;\n\t\tpgoff += (addr - vma->vm_start) >> PAGE_SHIFT;\n\t\tpolnid = offset_il_node(pol, pgoff);\n\t\tbreak;\n\n\tcase MPOL_PREFERRED:\n\t\tif (pol->flags & MPOL_F_LOCAL)\n\t\t\tpolnid = numa_node_id();\n\t\telse\n\t\t\tpolnid = pol->v.preferred_node;\n\t\tbreak;\n\n\tcase MPOL_BIND:\n\n\t\t/*\n\t\t * allows binding to multiple nodes.\n\t\t * use current page if in policy nodemask,\n\t\t * else select nearest allowed node, if any.\n\t\t * If no allowed nodes, use current [!misplaced].\n\t\t */\n\t\tif (node_isset(curnid, pol->v.nodes))\n\t\t\tgoto out;\n\t\tz = first_zones_zonelist(\n\t\t\t\tnode_zonelist(numa_node_id(), GFP_HIGHUSER),\n\t\t\t\tgfp_zone(GFP_HIGHUSER),\n\t\t\t\t&pol->v.nodes);\n\t\tpolnid = zone_to_nid(z->zone);\n\t\tbreak;\n\n\tdefault:\n\t\tBUG();\n\t}\n\n\t/* Migrate the page towards the node whose CPU is referencing it */\n\tif (pol->flags & MPOL_F_MORON) {\n\t\tpolnid = thisnid;\n\n\t\tif (!should_numa_migrate_memory(current, page, curnid, thiscpu))\n\t\t\tgoto out;\n\t}\n\n\tif (curnid != polnid)\n\t\tret = polnid;\nout:\n\tmpol_cond_put(pol);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 12619917744861324322722649927099847632,
- "size": 65,
- "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd",
- "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap <rdunlap@infradead.org>\nSigned-off-by: Andrew Morton <akpm@linux-foundation.org>\nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn <lee.schermerhorn@hp.com>\nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 366722
- },
- {
- "func": "vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t pmd)\n{\n\tstruct vm_area_struct *vma = vmf->vma;\n\tstruct anon_vma *anon_vma = NULL;\n\tstruct page *page;\n\tunsigned long haddr = vmf->address & HPAGE_PMD_MASK;\n\tint page_nid = NUMA_NO_NODE, this_nid = numa_node_id();\n\tint target_nid, last_cpupid = -1;\n\tbool page_locked;\n\tbool migrated = false;\n\tbool was_writable;\n\tint flags = 0;\n\n\tvmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);\n\tif (unlikely(!pmd_same(pmd, *vmf->pmd)))\n\t\tgoto out_unlock;\n\n\t/*\n\t * If there are potential migrations, wait for completion and retry\n\t * without disrupting NUMA hinting information. Do not relock and\n\t * check_same as the page may no longer be mapped.\n\t */\n\tif (unlikely(pmd_trans_migrating(*vmf->pmd))) {\n\t\tpage = pmd_page(*vmf->pmd);\n\t\tif (!get_page_unless_zero(page))\n\t\t\tgoto out_unlock;\n\t\tspin_unlock(vmf->ptl);\n\t\tput_and_wait_on_page_locked(page);\n\t\tgoto out;\n\t}\n\n\tpage = pmd_page(pmd);\n\tBUG_ON(is_huge_zero_page(page));\n\tpage_nid = page_to_nid(page);\n\tlast_cpupid = page_cpupid_last(page);\n\tcount_vm_numa_event(NUMA_HINT_FAULTS);\n\tif (page_nid == this_nid) {\n\t\tcount_vm_numa_event(NUMA_HINT_FAULTS_LOCAL);\n\t\tflags |= TNF_FAULT_LOCAL;\n\t}\n\n\t/* See similar comment in do_numa_page for explanation */\n\tif (!pmd_savedwrite(pmd))\n\t\tflags |= TNF_NO_GROUP;\n\n\t/*\n\t * Acquire the page lock to serialise THP migrations but avoid dropping\n\t * page_table_lock if at all possible\n\t */\n\tpage_locked = trylock_page(page);\n\ttarget_nid = mpol_misplaced(page, vma, haddr);\n\tif (target_nid == NUMA_NO_NODE) {\n\t\t/* If the page was locked, there are no parallel migrations */\n\t\tif (page_locked)\n\t\t\tgoto clear_pmdnuma;\n\t}\n\n\t/* Migration could have started since the pmd_trans_migrating check */\n\tif (!page_locked) {\n\t\tpage_nid = NUMA_NO_NODE;\n\t\tif (!get_page_unless_zero(page))\n\t\t\tgoto 
out_unlock;\n\t\tspin_unlock(vmf->ptl);\n\t\tput_and_wait_on_page_locked(page);\n\t\tgoto out;\n\t}\n\n\t/*\n\t * Page is misplaced. Page lock serialises migrations. Acquire anon_vma\n\t * to serialises splits\n\t */\n\tget_page(page);\n\tspin_unlock(vmf->ptl);\n\tanon_vma = page_lock_anon_vma_read(page);\n\n\t/* Confirm the PMD did not change while page_table_lock was released */\n\tspin_lock(vmf->ptl);\n\tif (unlikely(!pmd_same(pmd, *vmf->pmd))) {\n\t\tunlock_page(page);\n\t\tput_page(page);\n\t\tpage_nid = NUMA_NO_NODE;\n\t\tgoto out_unlock;\n\t}\n\n\t/* Bail if we fail to protect against THP splits for any reason */\n\tif (unlikely(!anon_vma)) {\n\t\tput_page(page);\n\t\tpage_nid = NUMA_NO_NODE;\n\t\tgoto clear_pmdnuma;\n\t}\n\n\t/*\n\t * Since we took the NUMA fault, we must have observed the !accessible\n\t * bit. Make sure all other CPUs agree with that, to avoid them\n\t * modifying the page we're about to migrate.\n\t *\n\t * Must be done under PTL such that we'll observe the relevant\n\t * inc_tlb_flush_pending().\n\t *\n\t * We are not sure a pending tlb flush here is for a huge page\n\t * mapping or not. Hence use the tlb range variant\n\t */\n\tif (mm_tlb_flush_pending(vma->vm_mm)) {\n\t\tflush_tlb_range(vma, haddr, haddr + HPAGE_PMD_SIZE);\n\t\t/*\n\t\t * change_huge_pmd() released the pmd lock before\n\t\t * invalidating the secondary MMUs sharing the primary\n\t\t * MMU pagetables (with ->invalidate_range()). 
The\n\t\t * mmu_notifier_invalidate_range_end() (which\n\t\t * internally calls ->invalidate_range()) in\n\t\t * change_pmd_range() will run after us, so we can't\n\t\t * rely on it here and we need an explicit invalidate.\n\t\t */\n\t\tmmu_notifier_invalidate_range(vma->vm_mm, haddr,\n\t\t\t\t\t haddr + HPAGE_PMD_SIZE);\n\t}\n\n\t/*\n\t * Migrate the THP to the requested node, returns with page unlocked\n\t * and access rights restored.\n\t */\n\tspin_unlock(vmf->ptl);\n\n\tmigrated = migrate_misplaced_transhuge_page(vma->vm_mm, vma,\n\t\t\t\tvmf->pmd, pmd, vmf->address, page, target_nid);\n\tif (migrated) {\n\t\tflags |= TNF_MIGRATED;\n\t\tpage_nid = target_nid;\n\t} else\n\t\tflags |= TNF_MIGRATE_FAIL;\n\n\tgoto out;\nclear_pmdnuma:\n\tBUG_ON(!PageLocked(page));\n\twas_writable = pmd_savedwrite(pmd);\n\tpmd = pmd_modify(pmd, vma->vm_page_prot);\n\tpmd = pmd_mkyoung(pmd);\n\tif (was_writable)\n\t\tpmd = pmd_mkwrite(pmd);\n\tset_pmd_at(vma->vm_mm, haddr, vmf->pmd, pmd);\n\tupdate_mmu_cache_pmd(vma, vmf->address, vmf->pmd);\n\tunlock_page(page);\nout_unlock:\n\tspin_unlock(vmf->ptl);\n\nout:\n\tif (anon_vma)\n\t\tpage_unlock_anon_vma_read(anon_vma);\n\n\tif (page_nid != NUMA_NO_NODE)\n\t\ttask_numa_fault(last_cpupid, page_nid, HPAGE_PMD_NR,\n\t\t\t\tflags);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 132203028383069923274811645271219124372,
- "size": 155,
- "commit_id": "c444eb564fb16645c172d550359cb3d75fe8a040",
- "message": "mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()\n\nWrite protect anon page faults require an accurate mapcount to decide\nif to break the COW or not. This is implemented in the THP path with\nreuse_swap_page() ->\npage_trans_huge_map_swapcount()/page_trans_huge_mapcount().\n\nIf the COW triggers while the other processes sharing the page are\nunder a huge pmd split, to do an accurate reading, we must ensure the\nmapcount isn't computed while it's being transferred from the head\npage to the tail pages.\n\nreuse_swap_cache() already runs serialized by the page lock, so it's\nenough to add the page lock around __split_huge_pmd_locked too, in\norder to add the missing serialization.\n\nNote: the commit in \"Fixes\" is just to facilitate the backporting,\nbecause the code before such commit didn't try to do an accurate THP\nmapcount calculation and it instead used the page_count() to decide if\nto COW or not. Both the page_count and the pin_count are THP-wide\nrefcounts, so they're inaccurate if used in\nreuse_swap_page(). Reverting such commit (besides the unrelated fix to\nthe local anon_vma assignment) would have also opened the window for\nmemory corruption side effects to certain workloads as documented in\nsuch commit header.\n\nSigned-off-by: Andrea Arcangeli <aarcange@redhat.com>\nSuggested-by: Jann Horn <jannh@google.com>\nReported-by: Jann Horn <jannh@google.com>\nAcked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>\nFixes: 6d0a07edd17c (\"mm: thp: calculate the mapcount correctly for THP pages during WP faults\")\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 364133
- },
- {
- "func": "static unsigned interleave_nodes(struct mempolicy *policy)\n{\n\tunsigned next;\n\tstruct task_struct *me = current;\n\n\tnext = next_node_in(me->il_prev, policy->v.nodes);\n\tif (next < MAX_NUMNODES)\n\t\tme->il_prev = next;\n\treturn next;\n}",
- "project": "linux",
- "hash": 149195202327445055361198298232043071262,
- "size": 10,
- "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd",
- "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap <rdunlap@infradead.org>\nSigned-off-by: Andrew Morton <akpm@linux-foundation.org>\nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn <lee.schermerhorn@hp.com>\nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 366777
- },
- {
- "func": "static int policy_node(gfp_t gfp, struct mempolicy *policy,\n\t\t\t\t\t\t\t\tint nd)\n{\n\tif (policy->mode == MPOL_PREFERRED && !(policy->flags & MPOL_F_LOCAL))\n\t\tnd = policy->v.preferred_node;\n\telse {\n\t\t/*\n\t\t * __GFP_THISNODE shouldn't even be used with the bind policy\n\t\t * because we might easily break the expectation to stay on the\n\t\t * requested node and not break the policy.\n\t\t */\n\t\tWARN_ON_ONCE(policy->mode == MPOL_BIND && (gfp & __GFP_THISNODE));\n\t}\n\n\treturn nd;\n}",
- "project": "linux",
- "hash": 108580191718506093481218838044673339684,
- "size": 16,
- "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd",
- "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap <rdunlap@infradead.org>\nSigned-off-by: Andrew Morton <akpm@linux-foundation.org>\nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn <lee.schermerhorn@hp.com>\nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 366719
- },
- {
- "func": "int huge_node(struct vm_area_struct *vma, unsigned long addr, gfp_t gfp_flags,\n\t\t\t\tstruct mempolicy **mpol, nodemask_t **nodemask)\n{\n\tint nid;\n\n\t*mpol = get_vma_policy(vma, addr);\n\t*nodemask = NULL;\t/* assume !MPOL_BIND */\n\n\tif (unlikely((*mpol)->mode == MPOL_INTERLEAVE)) {\n\t\tnid = interleave_nid(*mpol, vma, addr,\n\t\t\t\t\thuge_page_shift(hstate_vma(vma)));\n\t} else {\n\t\tnid = policy_node(gfp_flags, *mpol, numa_node_id());\n\t\tif ((*mpol)->mode == MPOL_BIND)\n\t\t\t*nodemask = &(*mpol)->v.nodes;\n\t}\n\treturn nid;\n}",
- "project": "linux",
- "hash": 312498223746569468978896545015823998416,
- "size": 18,
- "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd",
- "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap <rdunlap@infradead.org>\nSigned-off-by: Andrew Morton <akpm@linux-foundation.org>\nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn <lee.schermerhorn@hp.com>\nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 366727
- },
- {
- "func": "unsigned int mempolicy_slab_node(void)\n{\n\tstruct mempolicy *policy;\n\tint node = numa_mem_id();\n\n\tif (in_interrupt())\n\t\treturn node;\n\n\tpolicy = current->mempolicy;\n\tif (!policy || policy->flags & MPOL_F_LOCAL)\n\t\treturn node;\n\n\tswitch (policy->mode) {\n\tcase MPOL_PREFERRED:\n\t\t/*\n\t\t * handled MPOL_F_LOCAL above\n\t\t */\n\t\treturn policy->v.preferred_node;\n\n\tcase MPOL_INTERLEAVE:\n\t\treturn interleave_nodes(policy);\n\n\tcase MPOL_BIND: {\n\t\tstruct zoneref *z;\n\n\t\t/*\n\t\t * Follow bind policy behavior and start allocation at the\n\t\t * first node.\n\t\t */\n\t\tstruct zonelist *zonelist;\n\t\tenum zone_type highest_zoneidx = gfp_zone(GFP_KERNEL);\n\t\tzonelist = &NODE_DATA(node)->node_zonelists[ZONELIST_FALLBACK];\n\t\tz = first_zones_zonelist(zonelist, highest_zoneidx,\n\t\t\t\t\t\t\t&policy->v.nodes);\n\t\treturn z->zone ? zone_to_nid(z->zone) : node;\n\t}\n\n\tdefault:\n\t\tBUG();\n\t}\n}",
- "project": "linux",
- "hash": 80893426873703429771882183743761649303,
- "size": 41,
- "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd",
- "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap <rdunlap@infradead.org>\nSigned-off-by: Andrew Morton <akpm@linux-foundation.org>\nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn <lee.schermerhorn@hp.com>\nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 366766
- },
- {
- "func": "static unsigned offset_il_node(struct mempolicy *pol, unsigned long n)\n{\n\tunsigned nnodes = nodes_weight(pol->v.nodes);\n\tunsigned target;\n\tint i;\n\tint nid;\n\n\tif (!nnodes)\n\t\treturn numa_node_id();\n\ttarget = (unsigned int)n % nnodes;\n\tnid = first_node(pol->v.nodes);\n\tfor (i = 0; i < target; i++)\n\t\tnid = next_node(nid, pol->v.nodes);\n\treturn nid;\n}",
- "project": "linux",
- "hash": 100221722718028293196433189331722134041,
- "size": 15,
- "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd",
- "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap <rdunlap@infradead.org>\nSigned-off-by: Andrew Morton <akpm@linux-foundation.org>\nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn <lee.schermerhorn@hp.com>\nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 366757
- },
- {
- "func": "static inline unsigned interleave_nid(struct mempolicy *pol,\n\t\t struct vm_area_struct *vma, unsigned long addr, int shift)\n{\n\tif (vma) {\n\t\tunsigned long off;\n\n\t\t/*\n\t\t * for small pages, there is no difference between\n\t\t * shift and PAGE_SHIFT, so the bit-shift is safe.\n\t\t * for huge pages, since vm_pgoff is in units of small\n\t\t * pages, we need to shift off the always 0 bits to get\n\t\t * a useful offset.\n\t\t */\n\t\tBUG_ON(shift < PAGE_SHIFT);\n\t\toff = vma->vm_pgoff >> (shift - PAGE_SHIFT);\n\t\toff += (addr - vma->vm_start) >> shift;\n\t\treturn offset_il_node(pol, off);\n\t} else\n\t\treturn interleave_nodes(pol);\n}",
- "project": "linux",
- "hash": 170979787322273916187442747184986020715,
- "size": 20,
- "commit_id": "aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd",
- "message": "mm: mempolicy: require at least one nodeid for MPOL_PREFERRED\n\nUsing an empty (malformed) nodelist that is not caught during mount option\nparsing leads to a stack-out-of-bounds access.\n\nThe option string that was used was: \"mpol=prefer:,\". However,\nMPOL_PREFERRED requires a single node number, which is not being provided\nhere.\n\nAdd a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's\nnodeid.\n\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nReported-by: Entropy Moe <3ntr0py1337@gmail.com>\nReported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nSigned-off-by: Randy Dunlap <rdunlap@infradead.org>\nSigned-off-by: Andrew Morton <akpm@linux-foundation.org>\nTested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com\nCc: Lee Schermerhorn <lee.schermerhorn@hp.com>\nLink: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 366795
- },
- {
- "func": "static void *get_any_partial(struct kmem_cache *s, gfp_t flags,\n\t\tstruct kmem_cache_cpu *c)\n{\n#ifdef CONFIG_NUMA\n\tstruct zonelist *zonelist;\n\tstruct zoneref *z;\n\tstruct zone *zone;\n\tenum zone_type high_zoneidx = gfp_zone(flags);\n\tvoid *object;\n\tunsigned int cpuset_mems_cookie;\n\n\t/*\n\t * The defrag ratio allows a configuration of the tradeoffs between\n\t * inter node defragmentation and node local allocations. A lower\n\t * defrag_ratio increases the tendency to do local allocations\n\t * instead of attempting to obtain partial slabs from other nodes.\n\t *\n\t * If the defrag_ratio is set to 0 then kmalloc() always\n\t * returns node local objects. If the ratio is higher then kmalloc()\n\t * may return off node objects because partial slabs are obtained\n\t * from other nodes and filled up.\n\t *\n\t * If /sys/kernel/slab/xx/remote_node_defrag_ratio is set to 100\n\t * (which makes defrag_ratio = 1000) then every (well almost)\n\t * allocation will first attempt to defrag slab caches on other nodes.\n\t * This means scanning over all nodes to look for partial slabs which\n\t * may be expensive if we do it every time we are trying to find a slab\n\t * with available objects.\n\t */\n\tif (!s->remote_node_defrag_ratio ||\n\t\t\tget_cycles() % 1024 > s->remote_node_defrag_ratio)\n\t\treturn NULL;\n\n\tdo {\n\t\tcpuset_mems_cookie = read_mems_allowed_begin();\n\t\tzonelist = node_zonelist(mempolicy_slab_node(), flags);\n\t\tfor_each_zone_zonelist(zone, z, zonelist, high_zoneidx) {\n\t\t\tstruct kmem_cache_node *n;\n\n\t\t\tn = get_node(s, zone_to_nid(zone));\n\n\t\t\tif (n && cpuset_zone_allowed(zone, flags) &&\n\t\t\t\t\tn->nr_partial > s->min_partial) {\n\t\t\t\tobject = get_partial_node(s, n, c, flags);\n\t\t\t\tif (object) {\n\t\t\t\t\t/*\n\t\t\t\t\t * Don't check read_mems_allowed_retry()\n\t\t\t\t\t * here - if mems_allowed was updated in\n\t\t\t\t\t * parallel, that was a harmless race\n\t\t\t\t\t * between allocation and the 
cpuset\n\t\t\t\t\t * update\n\t\t\t\t\t */\n\t\t\t\t\treturn object;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} while (read_mems_allowed_retry(cpuset_mems_cookie));\n#endif\t/* CONFIG_NUMA */\n\treturn NULL;\n}",
- "project": "linux",
- "hash": 179076462256864204335457287863320755598,
- "size": 60,
- "commit_id": "fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8",
- "message": "mm: slub: add missing TID bump in kmem_cache_alloc_bulk()\n\nWhen kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu\nfreelist of length M, and N > M > 0, it will first remove the M elements\nfrom the percpu freelist, then call ___slab_alloc() to allocate the next\nelement and repopulate the percpu freelist. ___slab_alloc() can re-enable\nIRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc()\nto properly commit the freelist head change.\n\nFix it by unconditionally bumping c->tid when entering the slowpath.\n\nCc: stable@vger.kernel.org\nFixes: ebe909e0fdb3 (\"slub: improve bulk alloc strategy\")\nSigned-off-by: Jann Horn <jannh@google.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280155
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "str_ireplace",
- "str_replace",
- "str_duplicate"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "Variant str_replace(const Variant& search, const Variant& replace,\n const String& subject, int64_t& count, bool caseSensitive) {\n count = 0;\n if (search.isArray()) {\n String ret = subject;\n int c = 0;\n\n Array searchArr = search.toArray();\n if (replace.isArray()) {\n Array replArr = replace.toArray();\n ArrayIter replIter(replArr);\n for (ArrayIter iter(searchArr); iter; ++iter) {\n if (replIter) {\n ret = string_replace(ret, iter.second().toString(),\n replIter.second().toString(),\n c, caseSensitive);\n ++replIter;\n } else {\n ret = string_replace(ret, iter.second().toString(),\n \"\", c, caseSensitive);\n }\n count +=c;\n }\n return ret;\n }\n\n String repl = replace.toString();\n for (ArrayIter iter(searchArr); iter; ++iter) {\n ret = string_replace(ret, iter.second().toString(), repl, c,\n caseSensitive);\n count += c;\n }\n return ret;\n }\n\n int icount;\n auto ret = string_replace(subject, search.toString(), replace.toString(),\n icount, caseSensitive);\n count = icount;\n return ret;\n}",
- "project": "hhvm",
- "hash": 216059312763947109888822410058019371036,
- "size": 41,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219077
- },
- {
- "func": "Variant str_replace(const Variant& search, const Variant& replace,\n const Variant& subject, int64_t& count) {\n Variant ret;\n count = 0;\n if (LIKELY(search.isString() && replace.isString() && subject.isString())) {\n int icount;\n // Short-cut for the most common (and simplest) case\n ret = string_replace(subject.asCStrRef(), search.asCStrRef(),\n replace.asCStrRef(), icount, true);\n count = icount;\n } else {\n // search, replace, and subject can all be arrays. str_replace() reduces all\n // the valid combinations to multiple string_replace() calls.\n ret = str_replace(search, replace, subject, count, true);\n }\n return ret;\n}",
- "project": "hhvm",
- "hash": 285712075938378105538132047442290051685,
- "size": 17,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219311
- },
- {
- "func": "Variant str_replace(const Variant& search, const Variant& replace,\n const Variant& subject, int64_t& count, bool caseSensitive) {\n count = 0;\n if (subject.isArray()) {\n Array arr = subject.toArray();\n Array ret = Array::CreateDArray();\n int64_t c;\n for (ArrayIter iter(arr); iter; ++iter) {\n if (iter.second().isArray() || iter.second().is(KindOfObject)) {\n ret.set(iter.first(), iter.second());\n continue;\n }\n\n auto const replaced = str_replace(\n search, replace, iter.second().toString(), c, caseSensitive\n ).toString();\n ret.set(iter.first(), replaced);\n count += c;\n }\n return ret;\n }\n return str_replace(search, replace, subject.toString(), count,\n caseSensitive);\n}",
- "project": "hhvm",
- "hash": 265315493050731396315299461931811480777,
- "size": 24,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219723
- },
- {
- "func": "rb_str_resurrect(VALUE str)\n{\n return str_replace(str_alloc(rb_cString), str);\n}",
- "project": "ruby",
- "hash": 104299486604202026756054780286449281008,
- "size": 4,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336844
- },
- {
- "func": "str_duplicate(VALUE klass, VALUE str)\n{\n VALUE dup = str_alloc(klass);\n str_replace(dup, str);\n return dup;\n}",
- "project": "ruby",
- "hash": 128535815632492018737622795984903275099,
- "size": 6,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336850
- },
- {
- "func": "rb_str_dup(VALUE str)\n{\n return str_duplicate(rb_obj_class(str), str);\n}",
- "project": "ruby",
- "hash": 299235992125038409717920340519102088403,
- "size": 4,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336983
- },
- {
- "func": "Variant str_ireplace(const Variant& search, const Variant& replace,\n const Variant& subject, int64_t& count) {\n Variant ret = str_replace(search, replace, subject, count, false);\n return ret;\n}",
- "project": "hhvm",
- "hash": 265287117474309509757073617779422346375,
- "size": 5,
- "commit_id": "08193b7f0cd3910256e00d599f0f3eb2519c44ca",
- "message": "security fixes\n\nhttps://hhvm.com/blog/2021/02/25/security-update.html",
- "target": 0,
- "dataset": "other",
- "idx": 219442
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "rb_enc_set_index",
- "str_enc_copy",
- "rb_enc_cr_str_copy_for_substr",
- "OBJ_INFECT",
- "str_new3"
- ],
- "group_size": 21,
- "functions": [
- {
- "func": "rb_sym_to_s(VALUE sym)\n{\n ID id = SYM2ID(sym);\n\n return str_new3(rb_cString, rb_id2str(id));\n}",
- "project": "ruby",
- "hash": 272569114656758638817880869778183999898,
- "size": 6,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 337044
- },
- {
- "func": "str_new_shared(VALUE klass, VALUE str)\n{\n return str_replace_shared(str_alloc(klass), str);\n}",
- "project": "ruby",
- "hash": 198276397197341217487306503827028187965,
- "size": 4,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336888
- },
- {
- "func": "rb_enc_cr_str_exact_copy(VALUE dest, VALUE src)\n{\n str_enc_copy(dest, src);\n ENC_CODERANGE_SET(dest, ENC_CODERANGE(src));\n}",
- "project": "ruby",
- "hash": 230756521039512649974889463459358786946,
- "size": 5,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336927
- },
- {
- "func": "rb_enc_cr_str_copy_for_substr(VALUE dest, VALUE src)\n{\n /* this function is designed for copying encoding and coderange\n * from src to new string \"dest\" which is made from the part of src.\n */\n str_enc_copy(dest, src);\n switch (ENC_CODERANGE(src)) {\n case ENC_CODERANGE_7BIT:\n\tENC_CODERANGE_SET(dest, ENC_CODERANGE_7BIT);\n\tbreak;\n case ENC_CODERANGE_VALID:\n\tif (!rb_enc_asciicompat(STR_ENC_GET(src)) ||\n\t search_nonascii(RSTRING_PTR(dest), RSTRING_END(dest)))\n\t ENC_CODERANGE_SET(dest, ENC_CODERANGE_VALID);\n\telse\n\t ENC_CODERANGE_SET(dest, ENC_CODERANGE_7BIT);\n\tbreak;\n default:\n\tif (RSTRING_LEN(dest) == 0) {\n\t if (!rb_enc_asciicompat(STR_ENC_GET(src)))\n\t\tENC_CODERANGE_SET(dest, ENC_CODERANGE_VALID);\n\t else\n\t\tENC_CODERANGE_SET(dest, ENC_CODERANGE_7BIT);\n\t}\n\tbreak;\n }\n}",
- "project": "ruby",
- "hash": 104488782374456473641454431178270051154,
- "size": 27,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336984
- },
- {
- "func": "rb_str_each_byte(VALUE str)\n{\n long i;\n\n RETURN_ENUMERATOR(str, 0, 0);\n for (i=0; i<RSTRING_LEN(str); i++) {\n\trb_yield(INT2FIX(RSTRING_PTR(str)[i] & 0xff));\n }\n return str;\n}",
- "project": "ruby",
- "hash": 335617782185342356793078754179787447866,
- "size": 10,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 337028
- },
- {
- "func": "rb_str_setbyte(VALUE str, VALUE index, VALUE value)\n{\n long pos = NUM2LONG(index);\n int byte = NUM2INT(value);\n\n rb_str_modify(str);\n\n if (pos < -RSTRING_LEN(str) || RSTRING_LEN(str) <= pos)\n rb_raise(rb_eIndexError, \"index %ld out of string\", pos);\n if (pos < 0)\n pos += RSTRING_LEN(str);\n\n RSTRING_PTR(str)[pos] = byte;\n\n return value;\n}",
- "project": "ruby",
- "hash": 136418538749039439714202829770272273633,
- "size": 16,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336892
- },
- {
- "func": "rb_str_clear(VALUE str)\n{\n str_discard(str);\n STR_SET_EMBED(str);\n STR_SET_EMBED_LEN(str, 0);\n RSTRING_PTR(str)[0] = 0;\n if (rb_enc_asciicompat(STR_ENC_GET(str)))\n\tENC_CODERANGE_SET(str, ENC_CODERANGE_7BIT);\n else\n\tENC_CODERANGE_SET(str, ENC_CODERANGE_VALID);\n return str;\n}",
- "project": "ruby",
- "hash": 8057027112330741719885751841677109397,
- "size": 12,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336842
- },
- {
- "func": "str_new4(VALUE klass, VALUE str)\n{\n VALUE str2;\n\n str2 = str_alloc(klass);\n STR_SET_NOEMBED(str2);\n RSTRING(str2)->as.heap.len = RSTRING_LEN(str);\n RSTRING(str2)->as.heap.ptr = RSTRING_PTR(str);\n if (STR_SHARED_P(str)) {\n\tVALUE shared = RSTRING(str)->as.heap.aux.shared;\n\tassert(OBJ_FROZEN(shared));\n\tFL_SET(str2, ELTS_SHARED);\n\tRSTRING(str2)->as.heap.aux.shared = shared;\n }\n else {\n\tFL_SET(str, ELTS_SHARED);\n\tRSTRING(str)->as.heap.aux.shared = str2;\n }\n rb_enc_cr_str_exact_copy(str2, str);\n OBJ_INFECT(str2, str);\n return str2;\n}",
- "project": "ruby",
- "hash": 96590205618352977329725748548250293392,
- "size": 22,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336965
- },
- {
- "func": "rb_str_hash_m(VALUE str)\n{\n st_index_t hval = rb_str_hash(str);\n return INT2FIX(hval);\n}",
- "project": "ruby",
- "hash": 118425606038890645694626491439994384962,
- "size": 5,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336894
- },
- {
- "func": "rb_str_ord(VALUE s)\n{\n unsigned int c;\n\n c = rb_enc_codepoint(RSTRING_PTR(s), RSTRING_END(s), STR_ENC_GET(s));\n return UINT2NUM(c);\n}",
- "project": "ruby",
- "hash": 41992758220581853168365485380010420868,
- "size": 7,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336963
- },
- {
- "func": "rb_str_chop(VALUE str)\n{\n VALUE str2 = rb_str_new5(str, RSTRING_PTR(str), chopped_length(str));\n rb_enc_cr_str_copy_for_substr(str2, str);\n OBJ_INFECT(str2, str);\n return str2;\n}",
- "project": "ruby",
- "hash": 172373213666350823047478669813328230389,
- "size": 7,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 337015
- },
- {
- "func": "rb_enc_str_buf_cat(VALUE str, const char *ptr, long len, rb_encoding *ptr_enc)\n{\n return rb_enc_cr_str_buf_cat(str, ptr, len,\n rb_enc_to_index(ptr_enc), ENC_CODERANGE_UNKNOWN, NULL);\n}",
- "project": "ruby",
- "hash": 228357360117987925827936335936897605418,
- "size": 5,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336899
- },
- {
- "func": "rb_str_buf_append(VALUE str, VALUE str2)\n{\n int str2_cr;\n\n str2_cr = ENC_CODERANGE(str2);\n\n rb_enc_cr_str_buf_cat(str, RSTRING_PTR(str2), RSTRING_LEN(str2),\n ENCODING_GET(str2), str2_cr, &str2_cr);\n\n OBJ_INFECT(str, str2);\n ENC_CODERANGE_SET(str2, str2_cr);\n\n return str;\n}",
- "project": "ruby",
- "hash": 239756740825869741701573697747997918934,
- "size": 14,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 337033
- },
- {
- "func": "str_new3(VALUE klass, VALUE str)\n{\n return str_new_shared(klass, str);\n}",
- "project": "ruby",
- "hash": 108105753539293234869995329039502318927,
- "size": 4,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336814
- },
- {
- "func": "ip_cancel_eval_core(interp, msg, flag)\n Tcl_Interp *interp;\n VALUE msg;\n int flag;\n{\n#if TCL_MAJOR_VERSION < 8 || (TCL_MAJOR_VERSION == 8 && TCL_MINOR_VERSION < 6)\n rb_raise(rb_eNotImpError,\n\t \"cancel_eval is supported Tcl/Tk8.6 or later.\");\n\n UNREACHABLE;\n#else\n Tcl_Obj *msg_obj;\n\n if (NIL_P(msg)) {\n msg_obj = NULL;\n } else {\n msg_obj = Tcl_NewStringObj(RSTRING_PTR(msg), RSTRING_LEN(msg));\n Tcl_IncrRefCount(msg_obj);\n }\n\n return Tcl_CancelEval(interp, msg_obj, 0, flag);\n#endif\n}",
- "project": "tk",
- "hash": 36662980673448013518338214311261061157,
- "size": 23,
- "commit_id": "ebd0fc80d62eeb7b8556522256f8d035e013eb65",
- "message": "tcltklib.c: check argument\n\n* ext/tk/tcltklib.c (ip_cancel_eval_core): check argument type and\n length.\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51468 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 1,
- "dataset": "other",
- "idx": 210324
- },
- {
- "func": "rb_str_offset(VALUE str, long pos)\n{\n return str_offset(RSTRING_PTR(str), RSTRING_END(str), pos,\n\t\t STR_ENC_GET(str), single_byte_optimizable(str));\n}",
- "project": "ruby",
- "hash": 139178502107311951114891623827156237780,
- "size": 5,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336975
- },
- {
- "func": "sym_inspect(VALUE sym)\n{\n VALUE str;\n ID id = SYM2ID(sym);\n rb_encoding *enc;\n\n sym = rb_id2str(id);\n enc = STR_ENC_GET(sym);\n str = rb_enc_str_new(0, RSTRING_LEN(sym)+1, enc);\n RSTRING_PTR(str)[0] = ':';\n memcpy(RSTRING_PTR(str)+1, RSTRING_PTR(sym), RSTRING_LEN(sym));\n if (RSTRING_LEN(sym) != (long)strlen(RSTRING_PTR(sym)) ||\n\t!rb_enc_symname_p(RSTRING_PTR(sym), enc) ||\n\t!sym_printable(RSTRING_PTR(sym), RSTRING_END(sym), enc)) {\n\tstr = rb_str_inspect(str);\n\tmemcpy(RSTRING_PTR(str), \":\\\"\", 2);\n }\n return str;\n}",
- "project": "ruby",
- "hash": 7499315132594944353728829066526401524,
- "size": 19,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336930
- },
- {
- "func": "rb_string_value_ptr(volatile VALUE *ptr)\n{\n VALUE str = rb_string_value(ptr);\n return RSTRING_PTR(str);\n}",
- "project": "ruby",
- "hash": 129180089407572609699082295864646941554,
- "size": 5,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336982
- },
- {
- "func": "str_enc_copy(VALUE str1, VALUE str2)\n{\n rb_enc_set_index(str1, ENCODING_GET(str2));\n}",
- "project": "ruby",
- "hash": 298677506776313331735413304751391592880,
- "size": 4,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336860
- },
- {
- "func": "rb_str_set_len(VALUE str, long len)\n{\n STR_SET_LEN(str, len);\n RSTRING_PTR(str)[len] = '\\0';\n}",
- "project": "ruby",
- "hash": 304101420755704748714654969904389321414,
- "size": 5,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336956
- },
- {
- "func": "rb_str_new_shared(VALUE str)\n{\n VALUE str2 = str_new3(rb_obj_class(str), str);\n\n OBJ_INFECT(str2, str);\n return str2;\n}",
- "project": "ruby",
- "hash": 229537409377826449241143952346016160796,
- "size": 7,
- "commit_id": "1c2ef610358af33f9ded3086aa2d70aac03dcac5",
- "message": "* string.c (rb_str_justify): CVE-2009-4124.\n Fixes a bug reported by \n Emmanouel Kellinis <Emmanouel.Kellinis AT kpmg.co.uk>, KPMG London;\n Patch by nobu.\n\n\ngit-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e",
- "target": 0,
- "dataset": "other",
- "idx": 336971
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "printer_func_set_alt",
- "set_interface",
- "printer_reset_interface"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void printer_func_disable(struct usb_function *f)\n{\n\tstruct printer_dev *dev = func_to_printer(f);\n\n\tDBG(dev, \"%s\\n\", __func__);\n\n\tprinter_reset_interface(dev);\n}",
- "project": "linux",
- "hash": 119911552292150677763724637834125068633,
- "size": 8,
- "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1",
- "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 
00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy 
address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim <kt0755@gmail.com>\nSigned-off-by: Zqiang <qiang.zhang@windriver.com>\nSigned-off-by: Felipe Balbi <balbi@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 389330
- },
- {
- "func": "static int printer_func_set_alt(struct usb_function *f,\n\t\tunsigned intf, unsigned alt)\n{\n\tstruct printer_dev *dev = func_to_printer(f);\n\tint ret = -ENOTSUPP;\n\n\tif (!alt)\n\t\tret = set_interface(dev, intf);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 272503163987710925329285689219930374758,
- "size": 11,
- "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1",
- "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 
00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy 
address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim <kt0755@gmail.com>\nSigned-off-by: Zqiang <qiang.zhang@windriver.com>\nSigned-off-by: Felipe Balbi <balbi@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 389359
- },
- {
- "func": "static void printer_reset_interface(struct printer_dev *dev)\n{\n\tunsigned long\tflags;\n\n\tif (dev->interface < 0)\n\t\treturn;\n\n\tDBG(dev, \"%s\\n\", __func__);\n\n\tif (dev->in_ep->desc)\n\t\tusb_ep_disable(dev->in_ep);\n\n\tif (dev->out_ep->desc)\n\t\tusb_ep_disable(dev->out_ep);\n\n\tspin_lock_irqsave(&dev->lock, flags);\n\tdev->in_ep->desc = NULL;\n\tdev->out_ep->desc = NULL;\n\tdev->interface = -1;\n\tspin_unlock_irqrestore(&dev->lock, flags);\n}",
- "project": "linux",
- "hash": 161249777138159104099192353156344389747,
- "size": 21,
- "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1",
- "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 
00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy 
address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim <kt0755@gmail.com>\nSigned-off-by: Zqiang <qiang.zhang@windriver.com>\nSigned-off-by: Felipe Balbi <balbi@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 389335
- },
- {
- "func": "static int set_interface(struct printer_dev *dev, unsigned number)\n{\n\tint\t\t\tresult = 0;\n\n\t/* Free the current interface */\n\tprinter_reset_interface(dev);\n\n\tresult = set_printer_interface(dev);\n\tif (result)\n\t\tprinter_reset_interface(dev);\n\telse\n\t\tdev->interface = number;\n\n\tif (!result)\n\t\tINFO(dev, \"Using interface %x\\n\", number);\n\n\treturn result;\n}",
- "project": "linux",
- "hash": 288191072707913825275035251745840966467,
- "size": 18,
- "commit_id": "e8d5f92b8d30bb4ade76494490c3c065e12411b1",
- "message": "usb: gadget: function: printer: fix use-after-free in __lock_acquire\n\nFix this by increase object reference count.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180\nkernel/locking/lockdep.c:3831\nRead of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377\n\nCPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135\n __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831\n lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723\n vfs_ioctl fs/ioctl.c:47 [inline]\n ksys_ioctl+0xfb/0x130 fs/ioctl.c:763\n __do_sys_ioctl fs/ioctl.c:772 [inline]\n __se_sys_ioctl fs/ioctl.c:770 [inline]\n __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\nRIP: 0033:0x4531a9\nCode: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9\nRDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003\nRBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61\nR13: 00000000004d0a98 R14: 
00007fd14ad736d4 R15: 00000000ffffffff\n\nAllocated by task 2393:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515\n kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529\n kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813\n kmalloc include/linux/slab.h:555 [inline]\n kzalloc include/linux/slab.h:669 [inline]\n gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416\n usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61\n config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444\n configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202\n vfs_symlink+0x33d/0x5b0 fs/namei.c:4201\n do_symlinkat+0x11b/0x1d0 fs/namei.c:4228\n __do_sys_symlinkat fs/namei.c:4242 [inline]\n __se_sys_symlinkat fs/namei.c:4239 [inline]\n __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFreed by task 3368:\n save_stack+0x21/0x90 mm/kasan/common.c:72\n set_track mm/kasan/common.c:80 [inline]\n kasan_set_free_info mm/kasan/common.c:337 [inline]\n __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476\n kasan_slab_free+0xe/0x10 mm/kasan/common.c:485\n slab_free_hook mm/slub.c:1444 [inline]\n slab_free_freelist_hook mm/slub.c:1477 [inline]\n slab_free mm/slub.c:3034 [inline]\n kfree+0xf7/0x410 mm/slub.c:3995\n gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353\n usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87\n config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485\n configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250\n vfs_unlink+0x287/0x570 fs/namei.c:4073\n do_unlinkat+0x4f9/0x620 fs/namei.c:4137\n __do_sys_unlink fs/namei.c:4184 [inline]\n __se_sys_unlink fs/namei.c:4182 [inline]\n __x64_sys_unlink+0x42/0x50 fs/namei.c:4182\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nThe buggy 
address belongs to the object at ffff8880683b0000\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 24 bytes inside of\n 1024-byte region [ffff8880683b0000, ffff8880683b0400)\nThe buggy address belongs to the page:\npage:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300\nindex:0xffff8880683b1800 compound_mapcount: 0\nflags: 0x100000000010200(slab|head)\nraw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300\nraw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nReported-by: Kyungtae Kim <kt0755@gmail.com>\nSigned-off-by: Zqiang <qiang.zhang@windriver.com>\nSigned-off-by: Felipe Balbi <balbi@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 389355
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "REGISTER_INI_ENTRIES",
- "PHP_MINIT_FUNCTION",
- "php_libxml_initialize"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static php_iconv_err_t php_iconv_stream_filter_register_factory(void)\n{\n\tstatic php_stream_filter_factory filter_factory = {\n\t\tphp_iconv_stream_filter_factory_create\n\t};\n\n\tif (FAILURE == php_stream_filter_register_factory(\n\t\t\t\tphp_iconv_stream_filter_ops.label,\n\t\t\t\t&filter_factory)) {\n\t\treturn PHP_ICONV_ERR_UNKNOWN;\n\t}\n\treturn PHP_ICONV_ERR_SUCCESS;\n}",
- "project": "php-src",
- "hash": 62326953807896979841263466370935259391,
- "size": 13,
- "commit_id": "7cf7148a8f8f4f55fb04de2a517d740bb6253eac",
- "message": "Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow",
- "target": 0,
- "dataset": "other",
- "idx": 382782
- },
- {
- "func": "PHP_LIBXML_API void php_libxml_initialize(void)\n{\n\tif (!_php_libxml_initialized) {\n\t\t/* we should be the only one's to ever init!! */\n\t\txmlInitParser();\n\n\t\tzend_hash_init(&php_libxml_exports, 0, NULL, NULL, 1);\n\n\t\t_php_libxml_initialized = 1;\n\t}\n}",
- "project": "php-src",
- "hash": 307088112107635459923645685382830785694,
- "size": 11,
- "commit_id": "8e76d0404b7f664ee6719fd98f0483f0ac4669d6",
- "message": "Fixed external entity loading",
- "target": 0,
- "dataset": "other",
- "idx": 484434
- },
- {
- "func": "static PHP_MINIT_FUNCTION(libxml)\n{\n\tzend_class_entry ce;\n\n\tphp_libxml_initialize();\n\n\tREGISTER_LONG_CONSTANT(\"LIBXML_VERSION\",\t\t\tLIBXML_VERSION,\t\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_STRING_CONSTANT(\"LIBXML_DOTTED_VERSION\",\tLIBXML_DOTTED_VERSION,\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_STRING_CONSTANT(\"LIBXML_LOADED_VERSION\",\t(char *)xmlParserVersion,\t\tCONST_CS | CONST_PERSISTENT);\n\n\t/* For use with loading xml */\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NOENT\",\t\tXML_PARSE_NOENT,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_DTDLOAD\",\tXML_PARSE_DTDLOAD,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_DTDATTR\",\tXML_PARSE_DTDATTR,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_DTDVALID\",\tXML_PARSE_DTDVALID,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NOERROR\",\tXML_PARSE_NOERROR,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NOWARNING\",\tXML_PARSE_NOWARNING,\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NOBLANKS\",\tXML_PARSE_NOBLANKS,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_XINCLUDE\",\tXML_PARSE_XINCLUDE,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NSCLEAN\",\tXML_PARSE_NSCLEAN,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NOCDATA\",\tXML_PARSE_NOCDATA,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NONET\",\t\tXML_PARSE_NONET,\t\tCONST_CS | CONST_PERSISTENT);\n#if LIBXML_VERSION >= 20621\n\tREGISTER_LONG_CONSTANT(\"LIBXML_COMPACT\",\tXML_PARSE_COMPACT,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NOXMLDECL\",\tXML_SAVE_NO_DECL,\t\tCONST_CS | CONST_PERSISTENT);\n#endif\n#if LIBXML_VERSION >= 20703\n\tREGISTER_LONG_CONSTANT(\"LIBXML_PARSEHUGE\",\tXML_PARSE_HUGE,\t\t\tCONST_CS | 
CONST_PERSISTENT);\n#endif\n\tREGISTER_LONG_CONSTANT(\"LIBXML_NOEMPTYTAG\",\tLIBXML_SAVE_NOEMPTYTAG,\tCONST_CS | CONST_PERSISTENT);\n\n\t/* Error levels */\n\tREGISTER_LONG_CONSTANT(\"LIBXML_ERR_NONE\",\t\tXML_ERR_NONE,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_ERR_WARNING\",\tXML_ERR_WARNING,\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_ERR_ERROR\",\t\tXML_ERR_ERROR,\t\tCONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"LIBXML_ERR_FATAL\",\t\tXML_ERR_FATAL,\t\tCONST_CS | CONST_PERSISTENT);\n\n\tINIT_CLASS_ENTRY(ce, \"LibXMLError\", NULL);\n\tlibxmlerror_class_entry = zend_register_internal_class(&ce TSRMLS_CC);\n\n\treturn SUCCESS;\n}",
- "project": "php-src",
- "hash": 138852125139179414337567947426772980036,
- "size": 42,
- "commit_id": "8e76d0404b7f664ee6719fd98f0483f0ac4669d6",
- "message": "Fixed external entity loading",
- "target": 0,
- "dataset": "other",
- "idx": 484438
- },
- {
- "func": "PHP_MINIT_FUNCTION(miconv)\n{\n\tchar *version = \"unknown\";\n\n\tREGISTER_INI_ENTRIES();\n\n#if HAVE_LIBICONV\n\t{\n\t\tstatic char buf[16];\n\t\tsnprintf(buf, sizeof(buf), \"%d.%d\",\n\t\t ((_libiconv_version >> 8) & 0x0f), (_libiconv_version & 0x0f));\n\t\tversion = buf;\n\t}\n#elif HAVE_GLIBC_ICONV\n\tversion = (char *)gnu_get_libc_version();\n#elif defined(NETWARE)\n\tversion = \"OS built-in\";\n#endif\n\n#ifdef PHP_ICONV_IMPL\n\tREGISTER_STRING_CONSTANT(\"ICONV_IMPL\", PHP_ICONV_IMPL, CONST_CS | CONST_PERSISTENT);\n#elif HAVE_LIBICONV\n\tREGISTER_STRING_CONSTANT(\"ICONV_IMPL\", \"libiconv\", CONST_CS | CONST_PERSISTENT);\n#elif defined(NETWARE)\n\tREGISTER_STRING_CONSTANT(\"ICONV_IMPL\", \"Novell\", CONST_CS | CONST_PERSISTENT);\n#else\n\tREGISTER_STRING_CONSTANT(\"ICONV_IMPL\", \"unknown\", CONST_CS | CONST_PERSISTENT);\n#endif\n\tREGISTER_STRING_CONSTANT(\"ICONV_VERSION\", version, CONST_CS | CONST_PERSISTENT);\n\n\tREGISTER_LONG_CONSTANT(\"ICONV_MIME_DECODE_STRICT\", PHP_ICONV_MIME_DECODE_STRICT, CONST_CS | CONST_PERSISTENT);\n\tREGISTER_LONG_CONSTANT(\"ICONV_MIME_DECODE_CONTINUE_ON_ERROR\", PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR, CONST_CS | CONST_PERSISTENT);\n\n\tif (php_iconv_stream_filter_register_factory() != PHP_ICONV_ERR_SUCCESS) {\n\t\treturn FAILURE;\n\t}\n\n\tphp_output_handler_alias_register(ZEND_STRL(\"ob_iconv_handler\"), php_iconv_output_handler_init);\n\tphp_output_handler_conflict_register(ZEND_STRL(\"ob_iconv_handler\"), php_iconv_output_conflict);\n\n\treturn SUCCESS;\n}",
- "project": "php-src",
- "hash": 265543697699041513104677273644141235762,
- "size": 42,
- "commit_id": "7cf7148a8f8f4f55fb04de2a517d740bb6253eac",
- "message": "Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow",
- "target": 0,
- "dataset": "other",
- "idx": 382779
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "bcf_idx_init",
- "vcf_idx_init",
- "idx_calc_n_lvls_ids"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static int idx_calc_n_lvls_ids(const bcf_hdr_t *h, int min_shift,\n int starting_n_lvls, int *nids_out)\n{\n int n_lvls, i, nids = 0;\n int64_t max_len = 0, s;\n\n for (i = 0; i < h->n[BCF_DT_CTG]; ++i)\n {\n if ( !h->id[BCF_DT_CTG][i].val ) continue;\n if ( max_len < h->id[BCF_DT_CTG][i].val->info[0] )\n max_len = h->id[BCF_DT_CTG][i].val->info[0];\n nids++;\n }\n if ( !max_len ) max_len = (1LL<<31) - 1; // In case contig line is broken.\n max_len += 256;\n s = 1LL << (min_shift + starting_n_lvls * 3);\n for (n_lvls = starting_n_lvls; max_len > s; ++n_lvls, s <<= 3);\n\n if (nids_out) *nids_out = nids;\n return n_lvls;\n}",
- "project": "htslib",
- "hash": 36560992857013423294685734316720400965,
- "size": 21,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402175
- },
- {
- "func": "int bcf_idx_init(htsFile *fp, bcf_hdr_t *h, int min_shift, const char *fnidx) {\n int n_lvls, nids = 0;\n\n if (fp->format.format == vcf)\n return vcf_idx_init(fp, h, min_shift, fnidx);\n\n if (!min_shift)\n min_shift = 14;\n\n n_lvls = idx_calc_n_lvls_ids(h, min_shift, 0, &nids);\n\n fp->idx = hts_idx_init(nids, HTS_FMT_CSI, bgzf_tell(fp->fp.bgzf), min_shift, n_lvls);\n if (!fp->idx) return -1;\n fp->fnidx = fnidx;\n\n return 0;\n}",
- "project": "htslib",
- "hash": 31862953913394906965846469849788848261,
- "size": 17,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402214
- },
- {
- "func": "static int vcf_idx_init(htsFile *fp, bcf_hdr_t *h, int min_shift, const char *fnidx) {\n int n_lvls, fmt;\n\n if (min_shift == 0) {\n min_shift = 14;\n n_lvls = 5;\n fmt = HTS_FMT_TBI;\n } else {\n // Set initial n_lvls to match tbx_index()\n int starting_n_lvls = (TBX_MAX_SHIFT - min_shift + 2) / 3;\n // Increase if necessary\n n_lvls = idx_calc_n_lvls_ids(h, min_shift, starting_n_lvls, NULL);\n fmt = HTS_FMT_CSI;\n }\n\n fp->idx = hts_idx_init(0, fmt, bgzf_tell(fp->fp.bgzf), min_shift, n_lvls);\n if (!fp->idx) return -1;\n\n // Tabix meta data, added even in CSI for VCF\n uint8_t conf[4*7];\n u32_to_le(TBX_VCF, conf+0); // fmt\n u32_to_le(1, conf+4); // name col\n u32_to_le(2, conf+8); // beg col\n u32_to_le(0, conf+12); // end col\n u32_to_le('#', conf+16); // comment\n u32_to_le(0, conf+20); // n.skip\n u32_to_le(0, conf+24); // ref name len\n if (hts_idx_set_meta(fp->idx, sizeof(conf)*sizeof(*conf), (uint8_t *)conf, 1) < 0) {\n hts_idx_destroy(fp->idx);\n fp->idx = NULL;\n return -1;\n }\n fp->fnidx = fnidx;\n\n return 0;\n}",
- "project": "htslib",
- "hash": 267069432208098790908159743900202672245,
- "size": 36,
- "commit_id": "dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c",
- "message": "Fix check for VCF record size\n\nThe check for excessive record size in vcf_parse_format() only\nlooked at individual fields. It was therefore possible to\nexceed the limit and overflow fmt_aux_t::offset by having\nmultiple fields with a combined size that went over INT_MAX.\nFix by including the amount of memory used so far in the check.\n\nCredit to OSS-Fuzz\nFixes oss-fuzz 24097",
- "target": 0,
- "dataset": "other",
- "idx": 402217
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "get_cmdln_options",
- "read_config",
- "getToken"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "int read_config(const char *config_file) {\nFILE *fp;\nchar *buffer;\nchar *token, *value;\n\n if (config_file==NULL) return -1;\n\n if( (fp = fopen( config_file, \"r\" ) ) == NULL ) {\n return -1;\n }\n\n buffer = (char*)malloc( sizeof(char) * 4096 );\n\n while( fgets( buffer, 4096, fp ) ) {\n value = trim_whitespace( buffer );\n token = getToken( &value, \"=\" );\n if( token == NULL ) /* ignore this line if there isn't a token/value pair */\n continue;\n token = trim_whitespace( token );\n\n if( strcasecmp( token, \"TIMEOUT\" ) == 0 ) {\n if (value && atol(value)>0) { delay=atol(value); }\n#ifdef PROC_NET_DEV\n } else if( strcasecmp( token, \"PROCFILE\" ) == 0 ) {\n if (value && (strlen(value)<PATH_MAX)) strcpy(PROC_FILE,value);\n#endif\n#ifdef PROC_DISKSTATS\n } else if( strcasecmp( token, \"DISKSTATSFILE\" ) == 0 ) {\n if (value && (strlen(value)<PATH_MAX)) strcpy(PROC_DISKSTATS_FILE,value);\t\t \n } else if( strcasecmp( token, \"PARTITIONSFILE\" ) == 0 ) {\n if (value && (strlen(value)<PATH_MAX)) strcpy(PROC_PARTITIONS_FILE,value);\t\t \n#endif\n#if ALLOW_NETSTATPATH\n#ifdef NETSTAT\n } else if( strcasecmp( token, \"NETSTAT\" ) == 0 ) {\n if (value && (strlen(value)<PATH_MAX)) strcpy(NETSTAT_FILE,value);\n#endif\n#endif\n } else if( strcasecmp( token, \"INPUT\" ) == 0 ) {\n if (value) input_method=str2in_method(value);\n\t } else if( strcasecmp( token, \"ANSIOUT\" ) == 0 ) {\n\t\t if (value) ansi_output=value[0]=='0' ? 0 : 1;\n } else if( strcasecmp( token, \"DYNAMIC\" ) == 0 ) {\n if (value) dynamic=value[0]=='0' ? 
0 : 1;\n } else if( strcasecmp( token, \"UNIT\" ) == 0 ) {\n if (value) output_unit=str2output_unit(value);\n#if EXTENDED_STATS\n } else if( strcasecmp( token, \"TYPE\" ) == 0 ) {\n if (value) output_type=str2output_type(value);\n } else if( strcasecmp( token, \"AVGLENGTH\" ) == 0 ) {\n if (value) avg_length=atoi(value)*1000;\n#endif \n } else if( strcasecmp( token, \"ALLIF\" ) == 0 ) {\n if (value) show_all_if=value[0];\n } else if( strcasecmp( token, \"INTERFACES\" ) == 0 ) {\n if (value) iface_list=(char *)strdup(value);\n } else if( strcasecmp( token, \"OUTPUT\" ) == 0 ) {\n if (value) output_method=str2out_method(value);\n#ifdef CSV\n } else if( strcasecmp( token, \"CSVCHAR\" ) == 0 ) {\n if (value) csv_char=value[0];\n#endif\n#if CSV || HTML\n } else if( strcasecmp( token, \"OUTFILE\" ) == 0 ) {\n if (value) { \n if (out_file) fclose(out_file);\n out_file=fopen(value,\"a\"); \n if (!out_file) deinit(1, \"failed to open outfile\\n\");\n if (out_file_path) free(out_file_path);\n out_file_path=(char *)strdup(value);\n }\n#endif\n } else if( strcasecmp( token, \"COUNT\" ) == 0 ) {\n if (value) output_count=atol(value);\n } else if( strcasecmp( token, \"DAEMON\" ) == 0 ) {\n if (value) daemonize=value[0]=='0' ? 0 : 1;\n } else if( strcasecmp( token, \"SUMHIDDEN\" ) == 0 ) {\n if (value) sumhidden=value[0]=='0' ? 0 : 1;\n#if IOSERVICE_IN\n\t } else if( strcasecmp( token, \"LONGDISKNAMES\" ) == 0) {\n\t\t if (value) long_darwin_disk_names=value[0]=='0' ? 0 : 1;\n#endif\n#ifdef HTML\n } else if( strcasecmp( token, \"HTMLREFRESH\" ) == 0 ) {\n if (value && atol(value)>0) { html_refresh=atol(value); }\n } else if( strcasecmp( token, \"HTMLHEADER\" ) == 0 ) {\n if (value) html_header=value[0]=='0' ? 0 : 1;\n#endif\n }\n }\n free(buffer);\n fclose(fp);\n\n return 0;\n}",
- "project": "bwm-ng",
- "hash": 74766385231026271907474676220686881086,
- "size": 95,
- "commit_id": "9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17",
- "message": "Fix https://github.com/vgropp/bwm-ng/issues/26",
- "target": 0,
- "dataset": "other",
- "idx": 387904
- },
- {
- "func": "static inline int str2out_method(char *optarg) {\n if (optarg) {\n if (!strcasecmp(optarg,\"plain\")) return PLAIN_OUT;\n#ifdef HAVE_CURSES\n else\n if (!strcasecmp(optarg,\"curses\")) return CURSES_OUT;\n\t else\n if (!strcasecmp(optarg,\"curses2\")) return CURSES2_OUT;\n#endif\n#ifdef CSV\n else\n if (!strcasecmp(optarg,\"csv\")) return CSV_OUT;\n#endif\n#ifdef HTML\n else\n if (!strcasecmp(optarg,\"html\")) return HTML_OUT;\n#endif\n }\n return -1;\n}",
- "project": "bwm-ng",
- "hash": 56326898216332850616138386200504373482,
- "size": 20,
- "commit_id": "9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17",
- "message": "Fix https://github.com/vgropp/bwm-ng/issues/26",
- "target": 0,
- "dataset": "other",
- "idx": 387901
- },
- {
- "func": "void get_cmdln_options(int argc, char *argv[]) {\n\tint o;\n#if CONFIG_FILE && HAVE_GETPWUID\n static struct passwd *pwd_entry;\n char *str;\n#endif\n#ifdef LONG_OPTIONS\n int option_index = 0;\n static struct option long_options[] = {\n {\"timeout\", 1, 0, 't'},\n#ifdef PROC_NET_DEV\n {\"procfile\",1,0,'f'},\n#endif\n#ifdef PROC_DISKSTATS\n\t\t\t{\"diskstatsfile\",1,0,1000},\n\t\t\t{\"partitionsfile\",1,0,1001},\n#endif\t\t \n#if NETSTAT && ALLOW_NETSTATPATH\n {\"netstat\",1,0,'n'},\n#endif\n#if IOSERVICE_IN\n\t\t {\"longdisknames\",0,0,1002},\n#endif\n {\"input\",1,0,'i'},\n {\"dynamic\",1,0,'d'},\n {\"help\", 0, 0, 'h'},\n {\"version\",0,0,'V'},\n {\"allif\",1,0,'a'},\n {\"unit\",1,0,'u'},\n\t\t {\"ansiout\",0,0,'N'},\n#if EXTENDED_STATS \n {\"type\",1,0,'T'},\n {\"avglength\",1,0,'A'},\n#endif \n {\"interfaces\",1,0,'I'},\n {\"sumhidden\",1,0,'S'},\n {\"output\",1,0,'o'},\n#ifdef CSV\n {\"csvchar\",1,0,'C'},\n {\"csvfile\",1,0,'F'},\n#endif\n {\"count\",1,0,'c'},\n {\"daemon\",1,0,'D'},\n#ifdef HTML\n {\"htmlrefresh\",1,0,'R'},\n {\"htmlheader\",1,0,'H'},\n#endif\n {0,0,0,0}\n };\n#endif\n#ifdef CONFIG_FILE\n /* loop till first non option argument */\n opterr=0;\n while (1) {\n#ifdef LONG_OPTIONS\n o=getopt_long (argc,argv,SHORT_OPTIONS,long_options, &option_index);\n#else\n o=getopt (argc,argv,SHORT_OPTIONS);\n#endif\n if (o==-1) break;\n }\n opterr=1;\n if (optind < argc) {\n read_config(argv[optind]);\n } else {\n read_config(\"/etc/bwm-ng.conf\");\n#ifdef HAVE_GETPWUID \n pwd_entry=getpwuid(getuid());\n if (pwd_entry!=NULL) {\n str=(char*)malloc(strlen(pwd_entry->pw_dir)+14);\n snprintf(str,strlen(pwd_entry->pw_dir)+14,\"%s/.bwm-ng.conf\",pwd_entry->pw_dir);\n read_config(str);\n free(str);\n }\n#endif \n }\n /* reset getopt again */\n optind=1;\n#endif\n /* get command line arguments, kinda ugly, wanna rewrite it? 
*/\n while (1) {\n#ifdef LONG_OPTIONS\n\t\to=getopt_long (argc,argv,SHORT_OPTIONS,long_options, &option_index);\n#else\n\t\to=getopt (argc,argv,SHORT_OPTIONS);\n#endif\t\t\n if (o==-1) break;\n switch (o) {\n case '?': printf(\"unknown option: %s\\n\",argv[optind-1]);\n exit(EXIT_FAILURE);\n break;\n /* ugly workaround to handle optional arguments for all platforms */ \n case ':': if (!strcmp(argv[optind-1],\"-a\") || !strcasecmp(argv[optind-1],\"--allif\")) \n show_all_if=1;\n else if (!strcmp(argv[optind-1],\"-d\") || !strcasecmp(argv[optind-1],\"--dynamic\"))\n dynamic=1;\n else if (!strcmp(argv[optind-1],\"-D\") || !strcasecmp(argv[optind-1],\"--daemon\"))\n daemonize=1;\n#ifdef HTML \n else if (!strcmp(argv[optind-1],\"-H\") || !strcasecmp(argv[optind-1],\"--htmlheader\"))\n html_header=1;\n#endif \n else if (!strcmp(argv[optind-1],\"-S\") || !strcasecmp(argv[optind-1],\"--sumhidden\"))\n sumhidden=1; \n else {\n printf(\"%s requires an argument!\\n\",argv[optind-1]);\n exit(EXIT_FAILURE);\n }\n break;\n#ifdef PROC_DISKSTATS\n\t\t\tcase 1000:\n\t\t\t\tif (strlen(optarg)<PATH_MAX) \n\t\t\t\t\tstrcpy(PROC_DISKSTATS_FILE,optarg);\n\t\t\t\tbreak;\n case 1001:\n if (strlen(optarg)<PATH_MAX)\n strcpy(PROC_PARTITIONS_FILE,optarg);\n\t\t\t\tbreak;\n#endif\t\t\t\t\n#if IOSERVICE_IN\n\t\t\tcase 1002:\n\t\t\t\tlong_darwin_disk_names=!long_darwin_disk_names;\n\t\t\t\tbreak;\n#endif\n\t\t\tcase 'D':\n\t\t\t\tif (optarg) daemonize=atoi(optarg);\n\t\t\t\tbreak;\n#ifdef HTML\n\t\t\tcase 'R':\n\t\t\t\tif ((optarg) && atol(optarg)>0) { html_refresh=atol(optarg); }\n\t\t\t\tbreak;\n\t\t\tcase 'H':\n\t\t\t\tif (optarg) html_header=atoi(optarg);\n\t\t\t\tbreak;\n#endif\n\t\t\tcase 'c':\n\t\t\t\tif (optarg) output_count=atol(optarg);\n\t\t\t\tbreak;\n#if CSV || HTML\n case 'F':\n if (optarg) { \n if (out_file) fclose(out_file);\n out_file=fopen(optarg,\"a\"); \n if (!out_file) deinit(1, \"failed to open outfile\\n\");\n if (out_file_path) free(out_file_path);\n out_file_path=(char 
*)strdup(optarg);\n }\n break;\n#endif\n#ifdef CSV\n\t\t\tcase 'C':\n\t\t\t\tif (optarg) csv_char=optarg[0];\n\t\t\t\tbreak;\n#endif\n case 'h':\n cmdln_printhelp();\n break;\n#ifdef PROC_NET_DEV\n\t\t\tcase 'f':\n if (optarg && (strlen(optarg)<PATH_MAX)) strcpy(PROC_FILE,optarg);\n break;\n#endif\t\t\t\n\t\t\tcase 'i':\n if (optarg) {\n input_method=str2in_method(optarg);\n }\n\t\t\t\tbreak;\t\t\t\t\n case 'I':\n if (optarg) iface_list=(char *)strdup(optarg);\n break;\n case 'S':\n if (optarg) sumhidden=atoi(optarg);\n break;\n case 'o':\n if (optarg) {\n output_method=str2out_method(optarg);\n }\n break;\n\t\t\t\tcase 'N':\n\t\t\t\t\t ansi_output=!ansi_output;\n case 'a':\n if (optarg) show_all_if=atoi(optarg);\n break;\n case 't':\n if ((optarg) && atol(optarg)>0) { delay=atol(optarg); }\n break;\n#if EXTENDED_STATS \n case 'T':\n output_type=str2output_type(optarg);\n break;\n case 'A':\n if (optarg) avg_length=atoi(optarg)*1000;\n break;\n#endif \n case 'd':\n if (optarg) dynamic=atoi(optarg);\n break;\n case 'u':\n output_unit=str2output_unit(optarg);\n break;\n#if NETSTAT && ALLOW_NETSTATPATH\n case 'n':\n if (optarg && (strlen(optarg)<PATH_MAX)) strcpy(NETSTAT_FILE,optarg);\n break;\n#endif \n case 'V':\n print_version;\n exit(EXIT_SUCCESS);\n break;\n }\n }\n if (iface_list==NULL && show_all_if==1) show_all_if=2;\n#if EXTENDED_STATS \n /* default init of avg_length */\n if (avg_length==0) {\n if (delay<AVG_LENGTH/2) \n avg_length=AVG_LENGTH; \n else \n avg_length=(delay*2)+1;\n } else /* avg_length was set via cmdline or config file, better check it */\n if (delay*2>=avg_length) deinit(1, \"avglength needs to be a least twice the value of timeout\\n\");\n#endif \n\t if ((output_unit==ERRORS_OUT && !net_input_method(input_method)) || \n\t\t\t (output_unit==PACKETS_OUT && input_method==LIBSTATDISK_IN)) \n\t\toutput_unit=BYTES_OUT;\n return;\n}",
- "project": "bwm-ng",
- "hash": 190610676223568420413623069094924895723,
- "size": 227,
- "commit_id": "9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17",
- "message": "Fix https://github.com/vgropp/bwm-ng/issues/26",
- "target": 1,
- "dataset": "other",
- "idx": 206867
- },
- {
- "func": "void get_cmdln_options(int argc, char *argv[]) {\n\tint o;\n#if CONFIG_FILE && HAVE_GETPWUID\n static struct passwd *pwd_entry;\n char *str;\n#endif\n#ifdef LONG_OPTIONS\n int option_index = 0;\n static struct option long_options[] = {\n {\"timeout\", 1, 0, 't'},\n#ifdef PROC_NET_DEV\n {\"procfile\",1,0,'f'},\n#endif\n#ifdef PROC_DISKSTATS\n\t\t\t{\"diskstatsfile\",1,0,1000},\n\t\t\t{\"partitionsfile\",1,0,1001},\n#endif\t\t \n#if NETSTAT && ALLOW_NETSTATPATH\n {\"netstat\",1,0,'n'},\n#endif\n#if IOSERVICE_IN\n\t\t {\"longdisknames\",0,0,1002},\n#endif\n {\"input\",1,0,'i'},\n {\"dynamic\",1,0,'d'},\n {\"help\", 0, 0, 'h'},\n {\"version\",0,0,'V'},\n {\"allif\",1,0,'a'},\n {\"unit\",1,0,'u'},\n\t\t {\"ansiout\",0,0,'N'},\n#if EXTENDED_STATS \n {\"type\",1,0,'T'},\n {\"avglength\",1,0,'A'},\n#endif \n {\"interfaces\",1,0,'I'},\n {\"sumhidden\",1,0,'S'},\n {\"output\",1,0,'o'},\n#ifdef CSV\n {\"csvchar\",1,0,'C'},\n {\"csvfile\",1,0,'F'},\n#endif\n {\"count\",1,0,'c'},\n {\"daemon\",1,0,'D'},\n#ifdef HTML\n {\"htmlrefresh\",1,0,'R'},\n {\"htmlheader\",1,0,'H'},\n#endif\n {0,0,0,0}\n };\n#endif\n#ifdef CONFIG_FILE\n /* loop till first non option argument */\n opterr=0;\n while (1) {\n#ifdef LONG_OPTIONS\n o=getopt_long (argc,argv,SHORT_OPTIONS,long_options, &option_index);\n#else\n o=getopt (argc,argv,SHORT_OPTIONS);\n#endif\n if (o==-1) break;\n }\n opterr=1;\n if (optind < argc) {\n read_config(argv[optind]);\n } else {\n read_config(\"/etc/bwm-ng.conf\");\n#ifdef HAVE_GETPWUID \n pwd_entry=getpwuid(getuid());\n if (pwd_entry!=NULL) {\n str=(char*)malloc(strlen(pwd_entry->pw_dir)+14);\n if(!str) {\n printf(\"Fatal: failed to allocate %zu bytes.\\n\", strlen(pwd_entry->pw_dir)+14);\n exit(EXIT_FAILURE);\n }\n snprintf(str,strlen(pwd_entry->pw_dir)+14,\"%s/.bwm-ng.conf\",pwd_entry->pw_dir);\n read_config(str);\n free(str);\n }\n#endif \n }\n /* reset getopt again */\n optind=1;\n#endif\n /* get command line arguments, kinda ugly, wanna rewrite it? 
*/\n while (1) {\n#ifdef LONG_OPTIONS\n\t\to=getopt_long (argc,argv,SHORT_OPTIONS,long_options, &option_index);\n#else\n\t\to=getopt (argc,argv,SHORT_OPTIONS);\n#endif\t\t\n if (o==-1) break;\n switch (o) {\n case '?': printf(\"unknown option: %s\\n\",argv[optind-1]);\n exit(EXIT_FAILURE);\n break;\n /* ugly workaround to handle optional arguments for all platforms */ \n case ':': if (!strcmp(argv[optind-1],\"-a\") || !strcasecmp(argv[optind-1],\"--allif\")) \n show_all_if=1;\n else if (!strcmp(argv[optind-1],\"-d\") || !strcasecmp(argv[optind-1],\"--dynamic\"))\n dynamic=1;\n else if (!strcmp(argv[optind-1],\"-D\") || !strcasecmp(argv[optind-1],\"--daemon\"))\n daemonize=1;\n#ifdef HTML \n else if (!strcmp(argv[optind-1],\"-H\") || !strcasecmp(argv[optind-1],\"--htmlheader\"))\n html_header=1;\n#endif \n else if (!strcmp(argv[optind-1],\"-S\") || !strcasecmp(argv[optind-1],\"--sumhidden\"))\n sumhidden=1; \n else {\n printf(\"%s requires an argument!\\n\",argv[optind-1]);\n exit(EXIT_FAILURE);\n }\n break;\n#ifdef PROC_DISKSTATS\n\t\t\tcase 1000:\n\t\t\t\tif (strlen(optarg)<PATH_MAX) \n\t\t\t\t\tstrcpy(PROC_DISKSTATS_FILE,optarg);\n\t\t\t\tbreak;\n case 1001:\n if (strlen(optarg)<PATH_MAX)\n strcpy(PROC_PARTITIONS_FILE,optarg);\n\t\t\t\tbreak;\n#endif\t\t\t\t\n#if IOSERVICE_IN\n\t\t\tcase 1002:\n\t\t\t\tlong_darwin_disk_names=!long_darwin_disk_names;\n\t\t\t\tbreak;\n#endif\n\t\t\tcase 'D':\n\t\t\t\tif (optarg) daemonize=atoi(optarg);\n\t\t\t\tbreak;\n#ifdef HTML\n\t\t\tcase 'R':\n\t\t\t\tif ((optarg) && atol(optarg)>0) { html_refresh=atol(optarg); }\n\t\t\t\tbreak;\n\t\t\tcase 'H':\n\t\t\t\tif (optarg) html_header=atoi(optarg);\n\t\t\t\tbreak;\n#endif\n\t\t\tcase 'c':\n\t\t\t\tif (optarg) output_count=atol(optarg);\n\t\t\t\tbreak;\n#if CSV || HTML\n case 'F':\n if (optarg) { \n if (out_file) fclose(out_file);\n out_file=fopen(optarg,\"a\"); \n if (!out_file) deinit(1, \"failed to open outfile\\n\");\n if (out_file_path) free(out_file_path);\n out_file_path=(char 
*)strdup(optarg);\n }\n break;\n#endif\n#ifdef CSV\n\t\t\tcase 'C':\n\t\t\t\tif (optarg) csv_char=optarg[0];\n\t\t\t\tbreak;\n#endif\n case 'h':\n cmdln_printhelp();\n break;\n#ifdef PROC_NET_DEV\n\t\t\tcase 'f':\n if (optarg && (strlen(optarg)<PATH_MAX)) strcpy(PROC_FILE,optarg);\n break;\n#endif\t\t\t\n\t\t\tcase 'i':\n if (optarg) {\n input_method=str2in_method(optarg);\n }\n\t\t\t\tbreak;\t\t\t\t\n case 'I':\n if (optarg) iface_list=(char *)strdup(optarg);\n break;\n case 'S':\n if (optarg) sumhidden=atoi(optarg);\n break;\n case 'o':\n if (optarg) {\n output_method=str2out_method(optarg);\n }\n break;\n\t\t\t\tcase 'N':\n\t\t\t\t\t ansi_output=!ansi_output;\n case 'a':\n if (optarg) show_all_if=atoi(optarg);\n break;\n case 't':\n if ((optarg) && atol(optarg)>0) { delay=atol(optarg); }\n break;\n#if EXTENDED_STATS \n case 'T':\n output_type=str2output_type(optarg);\n break;\n case 'A':\n if (optarg) avg_length=atoi(optarg)*1000;\n break;\n#endif \n case 'd':\n if (optarg) dynamic=atoi(optarg);\n break;\n case 'u':\n output_unit=str2output_unit(optarg);\n break;\n#if NETSTAT && ALLOW_NETSTATPATH\n case 'n':\n if (optarg && (strlen(optarg)<PATH_MAX)) strcpy(NETSTAT_FILE,optarg);\n break;\n#endif \n case 'V':\n print_version;\n exit(EXIT_SUCCESS);\n break;\n }\n }\n if (iface_list==NULL && show_all_if==1) show_all_if=2;\n#if EXTENDED_STATS \n /* default init of avg_length */\n if (avg_length==0) {\n if (delay<AVG_LENGTH/2) \n avg_length=AVG_LENGTH; \n else \n avg_length=(delay*2)+1;\n } else /* avg_length was set via cmdline or config file, better check it */\n if (delay*2>=avg_length) deinit(1, \"avglength needs to be a least twice the value of timeout\\n\");\n#endif \n\t if ((output_unit==ERRORS_OUT && !net_input_method(input_method)) || \n\t\t\t (output_unit==PACKETS_OUT && input_method==LIBSTATDISK_IN)) \n\t\toutput_unit=BYTES_OUT;\n return;\n}",
- "project": "bwm-ng",
- "hash": 193898408646396083666542746077666107845,
- "size": 231,
- "commit_id": "9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17",
- "message": "Fix https://github.com/vgropp/bwm-ng/issues/26",
- "target": 0,
- "dataset": "other",
- "idx": 387905
- },
- {
- "func": "static inline int str2in_method(char *optarg) {\n if (optarg) {\n#ifdef PROC_NET_DEV\n if (!strcasecmp(optarg,\"proc\")) return PROC_IN;\n#endif\n#ifdef NETSTAT\n if (!strcasecmp(optarg,\"netstat\")) return NETSTAT_IN;\n#endif\n#ifdef LIBSTATGRAB\n if (!strcasecmp(optarg,\"libstat\") || !strcasecmp(optarg,\"statgrab\") || !strcasecmp(optarg,\"libstatgrab\")) return LIBSTAT_IN;\n\t\t if (!strcasecmp(optarg,\"libstatdisk\")) return LIBSTATDISK_IN;\n#endif\n#ifdef GETIFADDRS\n if (!strcasecmp(optarg,\"getifaddrs\")) return GETIFADDRS_IN;\n#endif\n#if DEVSTAT_IN\n\t\t if (!strcasecmp(optarg,\"devstat\")) return DEVSTAT_IN;\n#endif\n#ifdef SYSCTL\n if (!strcasecmp(optarg,\"sysctl\")) return SYSCTL_IN;\n#endif\n#if SYSCTLDISK_IN\n\t\t if (!strcasecmp(optarg,\"sysctldisk\")) return SYSCTLDISK_IN;\n#endif\n#ifdef PROC_DISKSTATS\n\t\t if (!strcasecmp(optarg,\"disk\")) return DISKLINUX_IN;\n#endif\t\t \n#ifdef WIN32\n\t\t if (!strcasecmp(optarg,\"win32\")) return WIN32_IN;\n#endif\t\t\t \n#ifdef HAVE_LIBKSTAT\n\t\t\tif (!strcasecmp(optarg,\"kstat\")) return KSTAT_IN;\n\t\t\tif (!strcasecmp(optarg,\"kstatdisk\")) return KSTATDISK_IN;\n#endif \n#if IOSERVICE_IN\n\t\t\tif (!strcasecmp(optarg,\"ioservice\")) return IOSERVICE_IN;\n#endif\n }\n return -1;\n}",
- "project": "bwm-ng",
- "hash": 108344679584290367903224420452870508339,
- "size": 40,
- "commit_id": "9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17",
- "message": "Fix https://github.com/vgropp/bwm-ng/issues/26",
- "target": 0,
- "dataset": "other",
- "idx": 387900
- },
- {
- "func": "static inline int str2output_unit(char *optarg) {\n if (optarg) {\n if (!strcasecmp(optarg,\"bytes\")) return BYTES_OUT;\n if (!strcasecmp(optarg,\"bits\")) return BITS_OUT;\n if (!strcasecmp(optarg,\"packets\")) return PACKETS_OUT;\n if (!strcasecmp(optarg,\"errors\")) return ERRORS_OUT;\n }\n return BYTES_OUT;\n}",
- "project": "bwm-ng",
- "hash": 222258036977557934891315184404921850071,
- "size": 9,
- "commit_id": "9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17",
- "message": "Fix https://github.com/vgropp/bwm-ng/issues/26",
- "target": 0,
- "dataset": "other",
- "idx": 387903
- },
- {
- "func": "static inline int str2output_type(char *optarg) {\n if (optarg) {\n if (!strcasecmp(optarg,\"rate\")) return RATE_OUT;\n if (!strcasecmp(optarg,\"max\")) return MAX_OUT;\n if (!strcasecmp(optarg,\"sum\")) return SUM_OUT;\n if (!strcasecmp(optarg,\"avg\")) return AVG_OUT;\n }\n return RATE_OUT;\n}",
- "project": "bwm-ng",
- "hash": 254948465393666657548553401422609827674,
- "size": 9,
- "commit_id": "9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17",
- "message": "Fix https://github.com/vgropp/bwm-ng/issues/26",
- "target": 0,
- "dataset": "other",
- "idx": 387902
- },
- {
- "func": "static char* getToken(char** str, const char* delims) {\n char* token;\n\n if (*str==NULL) {\n /* No more tokens */\n return NULL;\n }\n\n token=*str;\n while (**str!='\\0') {\n if (strchr(delims,**str)!=NULL) {\n **str='\\0';\n (*str)++;\n return token;\n }\n (*str)++;\n }\n /* There is no other token */\n *str=NULL;\n return token;\n}",
- "project": "bwm-ng",
- "hash": 210939990752000446678069495160319633942,
- "size": 21,
- "commit_id": "9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17",
- "message": "Fix https://github.com/vgropp/bwm-ng/issues/26",
- "target": 0,
- "dataset": "other",
- "idx": 387906
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "update_recv_pointer",
- "update_read_pointer_color",
- "_update_read_pointer_color"
- ],
- "group_size": 13,
- "functions": [
- {
- "func": "POINTER_COLOR_UPDATE* update_read_pointer_color(rdpUpdate* update, wStream* s, BYTE xorBpp)\n{\n\tPOINTER_COLOR_UPDATE* pointer_color = calloc(1, sizeof(POINTER_COLOR_UPDATE));\n\n\tif (!pointer_color)\n\t\tgoto fail;\n\n\tif (!_update_read_pointer_color(s, pointer_color, xorBpp,\n\t update->context->settings->LargePointerFlag))\n\t\tgoto fail;\n\n\treturn pointer_color;\nfail:\n\tfree_pointer_color_update(update->context, pointer_color);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 218463943941599749252924360326530834583,
- "size": 16,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295059
- },
- {
- "func": "POINTER_COLOR_UPDATE* update_read_pointer_color(rdpUpdate* update, wStream* s, BYTE xorBpp)\n{\n\tPOINTER_COLOR_UPDATE* pointer_color = calloc(1, sizeof(POINTER_COLOR_UPDATE));\n\n\tif (!pointer_color)\n\t\tgoto fail;\n\n\tif (!_update_read_pointer_color(s, pointer_color, xorBpp))\n\t\tgoto fail;\n\n\treturn pointer_color;\nfail:\n\tfree_pointer_color_update(update->context, pointer_color);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 237438429491696301660107096822381566914,
- "size": 15,
- "commit_id": "f8890a645c221823ac133dbf991f8a65ae50d637",
- "message": "Fixed #6005: Bounds checks in update_read_bitmap_data",
- "target": 0,
- "dataset": "other",
- "idx": 340401
- },
- {
- "func": "POINTER_CACHED_UPDATE* update_read_pointer_cached(rdpUpdate* update, wStream* s)\n{\n\tPOINTER_CACHED_UPDATE* pointer = calloc(1, sizeof(POINTER_CACHED_UPDATE));\n\n\tif (!pointer)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer->cacheIndex); /* cacheIndex (2 bytes) */\n\treturn pointer;\nfail:\n\tfree_pointer_cached_update(update->context, pointer);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 268618224038895794431261032985787850171,
- "size": 16,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295020
- },
- {
- "func": "POINTER_LARGE_UPDATE* update_read_pointer_large(rdpUpdate* update, wStream* s)\n{\n\tPOINTER_LARGE_UPDATE* pointer = calloc(1, sizeof(POINTER_LARGE_UPDATE));\n\n\tif (!pointer)\n\t\tgoto fail;\n\n\tif (!_update_read_pointer_large(s, pointer))\n\t\tgoto fail;\n\n\treturn pointer;\nfail:\n\tfree_pointer_large_update(update->context, pointer);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 217792033951710575623581635891913485789,
- "size": 15,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295110
- },
- {
- "func": "POINTER_SYSTEM_UPDATE* update_read_pointer_system(rdpUpdate* update, wStream* s)\n{\n\tPOINTER_SYSTEM_UPDATE* pointer_system = calloc(1, sizeof(POINTER_SYSTEM_UPDATE));\n\n\tif (!pointer_system)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 4)\n\t\tgoto fail;\n\n\tStream_Read_UINT32(s, pointer_system->type); /* systemPointerType (4 bytes) */\n\treturn pointer_system;\nfail:\n\tfree_pointer_system_update(update->context, pointer_system);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 339444357779789492624078198525968752662,
- "size": 16,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295086
- },
- {
- "func": "BOOL update_recv_pointer(rdpUpdate* update, wStream* s)\n{\n\tBOOL rc = FALSE;\n\tUINT16 messageType;\n\trdpContext* context = update->context;\n\trdpPointerUpdate* pointer = update->pointer;\n\n\tif (Stream_GetRemainingLength(s) < 2 + 2)\n\t\treturn FALSE;\n\n\tStream_Read_UINT16(s, messageType); /* messageType (2 bytes) */\n\tStream_Seek_UINT16(s); /* pad2Octets (2 bytes) */\n\n\tswitch (messageType)\n\t{\n\t\tcase PTR_MSG_TYPE_POSITION:\n\t\t{\n\t\t\tPOINTER_POSITION_UPDATE* pointer_position = update_read_pointer_position(update, s);\n\n\t\t\tif (pointer_position)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, pointer->PointerPosition, context, pointer_position);\n\t\t\t\tfree_pointer_position_update(context, pointer_position);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase PTR_MSG_TYPE_SYSTEM:\n\t\t{\n\t\t\tPOINTER_SYSTEM_UPDATE* pointer_system = update_read_pointer_system(update, s);\n\n\t\t\tif (pointer_system)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, pointer->PointerSystem, context, pointer_system);\n\t\t\t\tfree_pointer_system_update(context, pointer_system);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase PTR_MSG_TYPE_COLOR:\n\t\t{\n\t\t\tPOINTER_COLOR_UPDATE* pointer_color = update_read_pointer_color(update, s, 24);\n\n\t\t\tif (pointer_color)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, pointer->PointerColor, context, pointer_color);\n\t\t\t\tfree_pointer_color_update(context, pointer_color);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase PTR_MSG_TYPE_POINTER_LARGE:\n\t\t{\n\t\t\tPOINTER_LARGE_UPDATE* pointer_large = update_read_pointer_large(update, s);\n\n\t\t\tif (pointer_large)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, pointer->PointerLarge, context, pointer_large);\n\t\t\t\tfree_pointer_large_update(context, pointer_large);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase PTR_MSG_TYPE_POINTER:\n\t\t{\n\t\t\tPOINTER_NEW_UPDATE* pointer_new = update_read_pointer_new(update, s);\n\n\t\t\tif (pointer_new)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, pointer->PointerNew, 
context, pointer_new);\n\t\t\t\tfree_pointer_new_update(context, pointer_new);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tcase PTR_MSG_TYPE_CACHED:\n\t\t{\n\t\t\tPOINTER_CACHED_UPDATE* pointer_cached = update_read_pointer_cached(update, s);\n\n\t\t\tif (pointer_cached)\n\t\t\t{\n\t\t\t\trc = IFCALLRESULT(FALSE, pointer->PointerCached, context, pointer_cached);\n\t\t\t\tfree_pointer_cached_update(context, pointer_cached);\n\t\t\t}\n\t\t}\n\t\tbreak;\n\n\t\tdefault:\n\t\t\tbreak;\n\t}\n\n\treturn rc;\n}",
- "project": "FreeRDP",
- "hash": 277819367770707859702659868515717310164,
- "size": 93,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295111
- },
- {
- "func": "static BOOL _update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, BYTE xorBpp,\n UINT32 flags)\n{\n\tBYTE* newMask;\n\tUINT32 scanlineSize;\n\tUINT32 max = 32;\n\n\tif (flags & LARGE_POINTER_FLAG_96x96)\n\t\tmax = 96;\n\n\tif (!pointer_color)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 14)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer_color->cacheIndex); /* cacheIndex (2 bytes) */\n\tStream_Read_UINT16(s, pointer_color->xPos); /* xPos (2 bytes) */\n\tStream_Read_UINT16(s, pointer_color->yPos); /* yPos (2 bytes) */\n\t/**\n\t * As stated in 2.2.9.1.1.4.4 Color Pointer Update:\n\t * The maximum allowed pointer width/height is 96 pixels if the client indicated support\n\t * for large pointers by setting the LARGE_POINTER_FLAG (0x00000001) in the Large\n\t * Pointer Capability Set (section 2.2.7.2.7). If the LARGE_POINTER_FLAG was not\n\t * set, the maximum allowed pointer width/height is 32 pixels.\n\t *\n\t * So we check for a maximum for CVE-2014-0250.\n\t */\n\tStream_Read_UINT16(s, pointer_color->width); /* width (2 bytes) */\n\tStream_Read_UINT16(s, pointer_color->height); /* height (2 bytes) */\n\n\tif ((pointer_color->width > max) || (pointer_color->height > max))\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer_color->lengthAndMask); /* lengthAndMask (2 bytes) */\n\tStream_Read_UINT16(s, pointer_color->lengthXorMask); /* lengthXorMask (2 bytes) */\n\n\t/**\n\t * There does not seem to be any documentation on why\n\t * xPos / yPos can be larger than width / height\n\t * so it is missing in documentation or a bug in implementation\n\t * 2.2.9.1.1.4.4 Color Pointer Update (TS_COLORPOINTERATTRIBUTE)\n\t */\n\tif (pointer_color->xPos >= pointer_color->width)\n\t\tpointer_color->xPos = 0;\n\n\tif (pointer_color->yPos >= pointer_color->height)\n\t\tpointer_color->yPos = 0;\n\n\tif (pointer_color->lengthXorMask > 0)\n\t{\n\t\t/**\n\t\t * Spec states that:\n\t\t *\n\t\t * xorMaskData (variable): A variable-length 
array of bytes. Contains the 24-bpp, bottom-up\n\t\t * XOR mask scan-line data. The XOR mask is padded to a 2-byte boundary for each encoded\n\t\t * scan-line. For example, if a 3x3 pixel cursor is being sent, then each scan-line will\n\t\t * consume 10 bytes (3 pixels per scan-line multiplied by 3 bytes per pixel, rounded up to\n\t\t * the next even number of bytes).\n\t\t *\n\t\t * In fact instead of 24-bpp, the bpp parameter is given by the containing packet.\n\t\t */\n\t\tif (Stream_GetRemainingLength(s) < pointer_color->lengthXorMask)\n\t\t\tgoto fail;\n\n\t\tscanlineSize = (7 + xorBpp * pointer_color->width) / 8;\n\t\tscanlineSize = ((scanlineSize + 1) / 2) * 2;\n\n\t\tif (scanlineSize * pointer_color->height != pointer_color->lengthXorMask)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"invalid lengthXorMask: width=%\" PRIu32 \" height=%\" PRIu32 \", %\" PRIu32\n\t\t\t \" instead of %\" PRIu32 \"\",\n\t\t\t pointer_color->width, pointer_color->height, pointer_color->lengthXorMask,\n\t\t\t scanlineSize * pointer_color->height);\n\t\t\tgoto fail;\n\t\t}\n\n\t\tnewMask = realloc(pointer_color->xorMaskData, pointer_color->lengthXorMask);\n\n\t\tif (!newMask)\n\t\t\tgoto fail;\n\n\t\tpointer_color->xorMaskData = newMask;\n\t\tStream_Read(s, pointer_color->xorMaskData, pointer_color->lengthXorMask);\n\t}\n\n\tif (pointer_color->lengthAndMask > 0)\n\t{\n\t\t/**\n\t\t * andMaskData (variable): A variable-length array of bytes. Contains the 1-bpp, bottom-up\n\t\t * AND mask scan-line data. The AND mask is padded to a 2-byte boundary for each encoded\n\t\t * scan-line. 
For example, if a 7x7 pixel cursor is being sent, then each scan-line will\n\t\t * consume 2 bytes (7 pixels per scan-line multiplied by 1 bpp, rounded up to the next even\n\t\t * number of bytes).\n\t\t */\n\t\tif (Stream_GetRemainingLength(s) < pointer_color->lengthAndMask)\n\t\t\tgoto fail;\n\n\t\tscanlineSize = ((7 + pointer_color->width) / 8);\n\t\tscanlineSize = ((1 + scanlineSize) / 2) * 2;\n\n\t\tif (scanlineSize * pointer_color->height != pointer_color->lengthAndMask)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"invalid lengthAndMask: %\" PRIu32 \" instead of %\" PRIu32 \"\",\n\t\t\t pointer_color->lengthAndMask, scanlineSize * pointer_color->height);\n\t\t\tgoto fail;\n\t\t}\n\n\t\tnewMask = realloc(pointer_color->andMaskData, pointer_color->lengthAndMask);\n\n\t\tif (!newMask)\n\t\t\tgoto fail;\n\n\t\tpointer_color->andMaskData = newMask;\n\t\tStream_Read(s, pointer_color->andMaskData, pointer_color->lengthAndMask);\n\t}\n\n\tif (Stream_GetRemainingLength(s) > 0)\n\t\tStream_Seek_UINT8(s); /* pad (1 byte) */\n\n\treturn TRUE;\nfail:\n\treturn FALSE;\n}",
- "project": "FreeRDP",
- "hash": 321398955940832530193747212857729928085,
- "size": 125,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295116
- },
- {
- "func": "static BOOL _update_read_pointer_color(wStream* s, POINTER_COLOR_UPDATE* pointer_color, BYTE xorBpp)\n{\n\tBYTE* newMask;\n\tUINT32 scanlineSize;\n\n\tif (!pointer_color)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 14)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer_color->cacheIndex); /* cacheIndex (2 bytes) */\n\tStream_Read_UINT16(s, pointer_color->xPos); /* xPos (2 bytes) */\n\tStream_Read_UINT16(s, pointer_color->yPos); /* yPos (2 bytes) */\n\t/**\n\t * As stated in 2.2.9.1.1.4.4 Color Pointer Update:\n\t * The maximum allowed pointer width/height is 96 pixels if the client indicated support\n\t * for large pointers by setting the LARGE_POINTER_FLAG (0x00000001) in the Large\n\t * Pointer Capability Set (section 2.2.7.2.7). If the LARGE_POINTER_FLAG was not\n\t * set, the maximum allowed pointer width/height is 32 pixels.\n\t *\n\t * So we check for a maximum of 96 for CVE-2014-0250.\n\t */\n\tStream_Read_UINT16(s, pointer_color->width); /* width (2 bytes) */\n\tStream_Read_UINT16(s, pointer_color->height); /* height (2 bytes) */\n\n\tif ((pointer_color->width > 96) || (pointer_color->height > 96))\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer_color->lengthAndMask); /* lengthAndMask (2 bytes) */\n\tStream_Read_UINT16(s, pointer_color->lengthXorMask); /* lengthXorMask (2 bytes) */\n\n\t/**\n\t * There does not seem to be any documentation on why\n\t * xPos / yPos can be larger than width / height\n\t * so it is missing in documentation or a bug in implementation\n\t * 2.2.9.1.1.4.4 Color Pointer Update (TS_COLORPOINTERATTRIBUTE)\n\t */\n\tif (pointer_color->xPos >= pointer_color->width)\n\t\tpointer_color->xPos = 0;\n\n\tif (pointer_color->yPos >= pointer_color->height)\n\t\tpointer_color->yPos = 0;\n\n\tif (pointer_color->lengthXorMask > 0)\n\t{\n\t\t/**\n\t\t * Spec states that:\n\t\t *\n\t\t * xorMaskData (variable): A variable-length array of bytes. Contains the 24-bpp, bottom-up\n\t\t * XOR mask scan-line data. 
The XOR mask is padded to a 2-byte boundary for each encoded\n\t\t * scan-line. For example, if a 3x3 pixel cursor is being sent, then each scan-line will\n\t\t * consume 10 bytes (3 pixels per scan-line multiplied by 3 bytes per pixel, rounded up to\n\t\t * the next even number of bytes).\n\t\t *\n\t\t * In fact instead of 24-bpp, the bpp parameter is given by the containing packet.\n\t\t */\n\t\tif (Stream_GetRemainingLength(s) < pointer_color->lengthXorMask)\n\t\t\tgoto fail;\n\n\t\tscanlineSize = (7 + xorBpp * pointer_color->width) / 8;\n\t\tscanlineSize = ((scanlineSize + 1) / 2) * 2;\n\n\t\tif (scanlineSize * pointer_color->height != pointer_color->lengthXorMask)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"invalid lengthXorMask: width=%\" PRIu32 \" height=%\" PRIu32 \", %\" PRIu32\n\t\t\t \" instead of %\" PRIu32 \"\",\n\t\t\t pointer_color->width, pointer_color->height, pointer_color->lengthXorMask,\n\t\t\t scanlineSize * pointer_color->height);\n\t\t\tgoto fail;\n\t\t}\n\n\t\tnewMask = realloc(pointer_color->xorMaskData, pointer_color->lengthXorMask);\n\n\t\tif (!newMask)\n\t\t\tgoto fail;\n\n\t\tpointer_color->xorMaskData = newMask;\n\t\tStream_Read(s, pointer_color->xorMaskData, pointer_color->lengthXorMask);\n\t}\n\n\tif (pointer_color->lengthAndMask > 0)\n\t{\n\t\t/**\n\t\t * andMaskData (variable): A variable-length array of bytes. Contains the 1-bpp, bottom-up\n\t\t * AND mask scan-line data. The AND mask is padded to a 2-byte boundary for each encoded\n\t\t * scan-line. 
For example, if a 7x7 pixel cursor is being sent, then each scan-line will\n\t\t * consume 2 bytes (7 pixels per scan-line multiplied by 1 bpp, rounded up to the next even\n\t\t * number of bytes).\n\t\t */\n\t\tif (Stream_GetRemainingLength(s) < pointer_color->lengthAndMask)\n\t\t\tgoto fail;\n\n\t\tscanlineSize = ((7 + pointer_color->width) / 8);\n\t\tscanlineSize = ((1 + scanlineSize) / 2) * 2;\n\n\t\tif (scanlineSize * pointer_color->height != pointer_color->lengthAndMask)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"invalid lengthAndMask: %\" PRIu32 \" instead of %\" PRIu32 \"\",\n\t\t\t pointer_color->lengthAndMask, scanlineSize * pointer_color->height);\n\t\t\tgoto fail;\n\t\t}\n\n\t\tnewMask = realloc(pointer_color->andMaskData, pointer_color->lengthAndMask);\n\n\t\tif (!newMask)\n\t\t\tgoto fail;\n\n\t\tpointer_color->andMaskData = newMask;\n\t\tStream_Read(s, pointer_color->andMaskData, pointer_color->lengthAndMask);\n\t}\n\n\tif (Stream_GetRemainingLength(s) > 0)\n\t\tStream_Seek_UINT8(s); /* pad (1 byte) */\n\n\treturn TRUE;\nfail:\n\treturn FALSE;\n}",
- "project": "FreeRDP",
- "hash": 308964776568817409802620424098239944020,
- "size": 120,
- "commit_id": "f8890a645c221823ac133dbf991f8a65ae50d637",
- "message": "Fixed #6005: Bounds checks in update_read_bitmap_data",
- "target": 0,
- "dataset": "other",
- "idx": 340400
- },
- {
- "func": "static BOOL _update_read_pointer_large(wStream* s, POINTER_LARGE_UPDATE* pointer)\n{\n\tBYTE* newMask;\n\tUINT32 scanlineSize;\n\n\tif (!pointer)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 20)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer->xorBpp);\n\tStream_Read_UINT16(s, pointer->cacheIndex); /* cacheIndex (2 bytes) */\n\tStream_Read_UINT16(s, pointer->hotSpotX); /* xPos (2 bytes) */\n\tStream_Read_UINT16(s, pointer->hotSpotY); /* yPos (2 bytes) */\n\n\tStream_Read_UINT16(s, pointer->width); /* width (2 bytes) */\n\tStream_Read_UINT16(s, pointer->height); /* height (2 bytes) */\n\n\tif ((pointer->width > 384) || (pointer->height > 384))\n\t\tgoto fail;\n\n\tStream_Read_UINT32(s, pointer->lengthAndMask); /* lengthAndMask (4 bytes) */\n\tStream_Read_UINT32(s, pointer->lengthXorMask); /* lengthXorMask (4 bytes) */\n\n\tif (pointer->hotSpotX >= pointer->width)\n\t\tpointer->hotSpotX = 0;\n\n\tif (pointer->hotSpotY >= pointer->height)\n\t\tpointer->hotSpotY = 0;\n\n\tif (pointer->lengthXorMask > 0)\n\t{\n\t\t/**\n\t\t * Spec states that:\n\t\t *\n\t\t * xorMaskData (variable): A variable-length array of bytes. Contains the 24-bpp, bottom-up\n\t\t * XOR mask scan-line data. The XOR mask is padded to a 2-byte boundary for each encoded\n\t\t * scan-line. 
For example, if a 3x3 pixel cursor is being sent, then each scan-line will\n\t\t * consume 10 bytes (3 pixels per scan-line multiplied by 3 bytes per pixel, rounded up to\n\t\t * the next even number of bytes).\n\t\t *\n\t\t * In fact instead of 24-bpp, the bpp parameter is given by the containing packet.\n\t\t */\n\t\tif (Stream_GetRemainingLength(s) < pointer->lengthXorMask)\n\t\t\tgoto fail;\n\n\t\tscanlineSize = (7 + pointer->xorBpp * pointer->width) / 8;\n\t\tscanlineSize = ((scanlineSize + 1) / 2) * 2;\n\n\t\tif (scanlineSize * pointer->height != pointer->lengthXorMask)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"invalid lengthXorMask: width=%\" PRIu32 \" height=%\" PRIu32 \", %\" PRIu32\n\t\t\t \" instead of %\" PRIu32 \"\",\n\t\t\t pointer->width, pointer->height, pointer->lengthXorMask,\n\t\t\t scanlineSize * pointer->height);\n\t\t\tgoto fail;\n\t\t}\n\n\t\tnewMask = realloc(pointer->xorMaskData, pointer->lengthXorMask);\n\n\t\tif (!newMask)\n\t\t\tgoto fail;\n\n\t\tpointer->xorMaskData = newMask;\n\t\tStream_Read(s, pointer->xorMaskData, pointer->lengthXorMask);\n\t}\n\n\tif (pointer->lengthAndMask > 0)\n\t{\n\t\t/**\n\t\t * andMaskData (variable): A variable-length array of bytes. Contains the 1-bpp, bottom-up\n\t\t * AND mask scan-line data. The AND mask is padded to a 2-byte boundary for each encoded\n\t\t * scan-line. 
For example, if a 7x7 pixel cursor is being sent, then each scan-line will\n\t\t * consume 2 bytes (7 pixels per scan-line multiplied by 1 bpp, rounded up to the next even\n\t\t * number of bytes).\n\t\t */\n\t\tif (Stream_GetRemainingLength(s) < pointer->lengthAndMask)\n\t\t\tgoto fail;\n\n\t\tscanlineSize = ((7 + pointer->width) / 8);\n\t\tscanlineSize = ((1 + scanlineSize) / 2) * 2;\n\n\t\tif (scanlineSize * pointer->height != pointer->lengthAndMask)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"invalid lengthAndMask: %\" PRIu32 \" instead of %\" PRIu32 \"\",\n\t\t\t pointer->lengthAndMask, scanlineSize * pointer->height);\n\t\t\tgoto fail;\n\t\t}\n\n\t\tnewMask = realloc(pointer->andMaskData, pointer->lengthAndMask);\n\n\t\tif (!newMask)\n\t\t\tgoto fail;\n\n\t\tpointer->andMaskData = newMask;\n\t\tStream_Read(s, pointer->andMaskData, pointer->lengthAndMask);\n\t}\n\n\tif (Stream_GetRemainingLength(s) > 0)\n\t\tStream_Seek_UINT8(s); /* pad (1 byte) */\n\n\treturn TRUE;\nfail:\n\treturn FALSE;\n}",
- "project": "FreeRDP",
- "hash": 319535406616462223397121840258268559891,
- "size": 107,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295049
- },
- {
- "func": "static BOOL _update_read_pointer_large(wStream* s, POINTER_LARGE_UPDATE* pointer)\n{\n\tBYTE* newMask;\n\tUINT32 scanlineSize;\n\n\tif (!pointer)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 14)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer->xorBpp);\n\tStream_Read_UINT16(s, pointer->cacheIndex); /* cacheIndex (2 bytes) */\n\tStream_Read_UINT16(s, pointer->hotSpotX); /* xPos (2 bytes) */\n\tStream_Read_UINT16(s, pointer->hotSpotY); /* yPos (2 bytes) */\n\n\tStream_Read_UINT16(s, pointer->width); /* width (2 bytes) */\n\tStream_Read_UINT16(s, pointer->height); /* height (2 bytes) */\n\n\tif ((pointer->width > 384) || (pointer->height > 384))\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer->lengthAndMask); /* lengthAndMask (2 bytes) */\n\tStream_Read_UINT16(s, pointer->lengthXorMask); /* lengthXorMask (2 bytes) */\n\n\tif (pointer->hotSpotX >= pointer->width)\n\t\tpointer->hotSpotX = 0;\n\n\tif (pointer->hotSpotY >= pointer->height)\n\t\tpointer->hotSpotY = 0;\n\n\tif (pointer->lengthXorMask > 0)\n\t{\n\t\t/**\n\t\t * Spec states that:\n\t\t *\n\t\t * xorMaskData (variable): A variable-length array of bytes. Contains the 24-bpp, bottom-up\n\t\t * XOR mask scan-line data. The XOR mask is padded to a 2-byte boundary for each encoded\n\t\t * scan-line. 
For example, if a 3x3 pixel cursor is being sent, then each scan-line will\n\t\t * consume 10 bytes (3 pixels per scan-line multiplied by 3 bytes per pixel, rounded up to\n\t\t * the next even number of bytes).\n\t\t *\n\t\t * In fact instead of 24-bpp, the bpp parameter is given by the containing packet.\n\t\t */\n\t\tif (Stream_GetRemainingLength(s) < pointer->lengthXorMask)\n\t\t\tgoto fail;\n\n\t\tscanlineSize = (7 + pointer->xorBpp * pointer->width) / 8;\n\t\tscanlineSize = ((scanlineSize + 1) / 2) * 2;\n\n\t\tif (scanlineSize * pointer->height != pointer->lengthXorMask)\n\t\t{\n\t\t\tWLog_ERR(TAG,\n\t\t\t \"invalid lengthXorMask: width=%\" PRIu32 \" height=%\" PRIu32 \", %\" PRIu32\n\t\t\t \" instead of %\" PRIu32 \"\",\n\t\t\t pointer->width, pointer->height, pointer->lengthXorMask,\n\t\t\t scanlineSize * pointer->height);\n\t\t\tgoto fail;\n\t\t}\n\n\t\tnewMask = realloc(pointer->xorMaskData, pointer->lengthXorMask);\n\n\t\tif (!newMask)\n\t\t\tgoto fail;\n\n\t\tpointer->xorMaskData = newMask;\n\t\tStream_Read(s, pointer->xorMaskData, pointer->lengthXorMask);\n\t}\n\n\tif (pointer->lengthAndMask > 0)\n\t{\n\t\t/**\n\t\t * andMaskData (variable): A variable-length array of bytes. Contains the 1-bpp, bottom-up\n\t\t * AND mask scan-line data. The AND mask is padded to a 2-byte boundary for each encoded\n\t\t * scan-line. 
For example, if a 7x7 pixel cursor is being sent, then each scan-line will\n\t\t * consume 2 bytes (7 pixels per scan-line multiplied by 1 bpp, rounded up to the next even\n\t\t * number of bytes).\n\t\t */\n\t\tif (Stream_GetRemainingLength(s) < pointer->lengthAndMask)\n\t\t\tgoto fail;\n\n\t\tscanlineSize = ((7 + pointer->width) / 8);\n\t\tscanlineSize = ((1 + scanlineSize) / 2) * 2;\n\n\t\tif (scanlineSize * pointer->height != pointer->lengthAndMask)\n\t\t{\n\t\t\tWLog_ERR(TAG, \"invalid lengthAndMask: %\" PRIu32 \" instead of %\" PRIu32 \"\",\n\t\t\t pointer->lengthAndMask, scanlineSize * pointer->height);\n\t\t\tgoto fail;\n\t\t}\n\n\t\tnewMask = realloc(pointer->andMaskData, pointer->lengthAndMask);\n\n\t\tif (!newMask)\n\t\t\tgoto fail;\n\n\t\tpointer->andMaskData = newMask;\n\t\tStream_Read(s, pointer->andMaskData, pointer->lengthAndMask);\n\t}\n\n\tif (Stream_GetRemainingLength(s) > 0)\n\t\tStream_Seek_UINT8(s); /* pad (1 byte) */\n\n\treturn TRUE;\nfail:\n\treturn FALSE;\n}",
- "project": "FreeRDP",
- "hash": 221124485378056389358821967616984676233,
- "size": 107,
- "commit_id": "f8890a645c221823ac133dbf991f8a65ae50d637",
- "message": "Fixed #6005: Bounds checks in update_read_bitmap_data",
- "target": 0,
- "dataset": "other",
- "idx": 340398
- },
- {
- "func": "POINTER_POSITION_UPDATE* update_read_pointer_position(rdpUpdate* update, wStream* s)\n{\n\tPOINTER_POSITION_UPDATE* pointer_position = calloc(1, sizeof(POINTER_POSITION_UPDATE));\n\n\tif (!pointer_position)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 4)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer_position->xPos); /* xPos (2 bytes) */\n\tStream_Read_UINT16(s, pointer_position->yPos); /* yPos (2 bytes) */\n\treturn pointer_position;\nfail:\n\tfree_pointer_position_update(update->context, pointer_position);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 339533881186737758202422083886699244369,
- "size": 17,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295035
- },
- {
- "func": "POINTER_NEW_UPDATE* update_read_pointer_new(rdpUpdate* update, wStream* s)\n{\n\tPOINTER_NEW_UPDATE* pointer_new = calloc(1, sizeof(POINTER_NEW_UPDATE));\n\n\tif (!pointer_new)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */\n\n\tif ((pointer_new->xorBpp < 1) || (pointer_new->xorBpp > 32))\n\t{\n\t\tWLog_ERR(TAG, \"invalid xorBpp %\" PRIu32 \"\", pointer_new->xorBpp);\n\t\tgoto fail;\n\t}\n\n\tif (!_update_read_pointer_color(s, &pointer_new->colorPtrAttr, pointer_new->xorBpp,\n\t update->context->settings->LargePointerFlag)) /* colorPtrAttr */\n\t\tgoto fail;\n\n\treturn pointer_new;\nfail:\n\tfree_pointer_new_update(update->context, pointer_new);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 214889354523854541641994285740418737374,
- "size": 27,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295069
- },
- {
- "func": "POINTER_NEW_UPDATE* update_read_pointer_new(rdpUpdate* update, wStream* s)\n{\n\tPOINTER_NEW_UPDATE* pointer_new = calloc(1, sizeof(POINTER_NEW_UPDATE));\n\n\tif (!pointer_new)\n\t\tgoto fail;\n\n\tif (Stream_GetRemainingLength(s) < 2)\n\t\tgoto fail;\n\n\tStream_Read_UINT16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */\n\n\tif ((pointer_new->xorBpp < 1) || (pointer_new->xorBpp > 32))\n\t{\n\t\tWLog_ERR(TAG, \"invalid xorBpp %\" PRIu32 \"\", pointer_new->xorBpp);\n\t\tgoto fail;\n\t}\n\n\tif (!_update_read_pointer_color(s, &pointer_new->colorPtrAttr,\n\t pointer_new->xorBpp)) /* colorPtrAttr */\n\t\tgoto fail;\n\n\treturn pointer_new;\nfail:\n\tfree_pointer_new_update(update->context, pointer_new);\n\treturn NULL;\n}",
- "project": "FreeRDP",
- "hash": 277013815797761157077891468632580336753,
- "size": 27,
- "commit_id": "f8890a645c221823ac133dbf991f8a65ae50d637",
- "message": "Fixed #6005: Bounds checks in update_read_bitmap_data",
- "target": 0,
- "dataset": "other",
- "idx": 340399
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "opj_j2k_setup_encoder",
- "opj_j2k_set_imf_parameters",
- "opj_j2k_get_imf_max_NL"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "static int opj_j2k_initialise_4K_poc(opj_poc_t *POC, int numres)\n{\n POC[0].tile = 1;\n POC[0].resno0 = 0;\n POC[0].compno0 = 0;\n POC[0].layno1 = 1;\n POC[0].resno1 = (OPJ_UINT32)(numres - 1);\n POC[0].compno1 = 3;\n POC[0].prg1 = OPJ_CPRL;\n POC[1].tile = 1;\n POC[1].resno0 = (OPJ_UINT32)(numres - 1);\n POC[1].compno0 = 0;\n POC[1].layno1 = 1;\n POC[1].resno1 = (OPJ_UINT32)numres;\n POC[1].compno1 = 3;\n POC[1].prg1 = OPJ_CPRL;\n return 2;\n}",
- "project": "openjpeg",
- "hash": 328152533937005882107425666048707342819,
- "size": 18,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357282
- },
- {
- "func": "static OPJ_BOOL opj_j2k_is_imf_compliant(opj_cparameters_t *parameters,\n opj_image_t *image,\n opj_event_mgr_t *p_manager)\n{\n OPJ_UINT32 i;\n const OPJ_UINT16 rsiz = parameters->rsiz;\n const OPJ_UINT16 profile = OPJ_GET_IMF_PROFILE(rsiz);\n const OPJ_UINT16 mainlevel = OPJ_GET_IMF_MAINLEVEL(rsiz);\n const OPJ_UINT16 sublevel = OPJ_GET_IMF_SUBLEVEL(rsiz);\n const int NL = parameters->numresolution - 1;\n const OPJ_UINT32 XTsiz = parameters->tile_size_on ? (OPJ_UINT32)\n parameters->cp_tdx : image->x1;\n OPJ_BOOL ret = OPJ_TRUE;\n\n /* Validate mainlevel */\n if (mainlevel > OPJ_IMF_MAINLEVEL_MAX) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profile require mainlevel <= 11.\\n\"\n \"-> %d is thus not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n mainlevel);\n ret = OPJ_FALSE;\n }\n\n /* Validate sublevel */\n assert(sizeof(tabMaxSubLevelFromMainLevel) ==\n (OPJ_IMF_MAINLEVEL_MAX + 1) * sizeof(tabMaxSubLevelFromMainLevel[0]));\n if (sublevel > tabMaxSubLevelFromMainLevel[mainlevel]) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profile require sublevel <= %d for mainlevel = %d.\\n\"\n \"-> %d is thus not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n tabMaxSubLevelFromMainLevel[mainlevel],\n mainlevel,\n sublevel);\n ret = OPJ_FALSE;\n }\n\n /* Number of components */\n if (image->numcomps > 3) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require at most 3 components.\\n\"\n \"-> Number of components of input image (%d) is not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n image->numcomps);\n ret = OPJ_FALSE;\n }\n\n if (image->x0 != 0 || image->y0 != 0) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require image origin to be at 0,0.\\n\"\n \"-> %d,%d is not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n image->x0, image->y0 != 0);\n ret = OPJ_FALSE;\n }\n\n if (parameters->cp_tx0 != 0 || parameters->cp_ty0 != 0) {\n 
opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require tile origin to be at 0,0.\\n\"\n \"-> %d,%d is not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n parameters->cp_tx0, parameters->cp_ty0);\n ret = OPJ_FALSE;\n }\n\n if (parameters->tile_size_on) {\n if (profile == OPJ_PROFILE_IMF_2K ||\n profile == OPJ_PROFILE_IMF_4K ||\n profile == OPJ_PROFILE_IMF_8K) {\n if ((OPJ_UINT32)parameters->cp_tdx < image->x1 ||\n (OPJ_UINT32)parameters->cp_tdy < image->y1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K/4K/8K single tile profiles require tile to be greater or equal to image size.\\n\"\n \"-> %d,%d is lesser than %d,%d\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n parameters->cp_tdx,\n parameters->cp_tdy,\n image->x1,\n image->y1);\n ret = OPJ_FALSE;\n }\n } else {\n if ((OPJ_UINT32)parameters->cp_tdx >= image->x1 &&\n (OPJ_UINT32)parameters->cp_tdy >= image->y1) {\n /* ok */\n } else if (parameters->cp_tdx == 1024 &&\n parameters->cp_tdy == 1024) {\n /* ok */\n } else if (parameters->cp_tdx == 2048 &&\n parameters->cp_tdy == 2048 &&\n (profile == OPJ_PROFILE_IMF_4K ||\n profile == OPJ_PROFILE_IMF_8K)) {\n /* ok */\n } else if (parameters->cp_tdx == 4096 &&\n parameters->cp_tdy == 4096 &&\n profile == OPJ_PROFILE_IMF_8K) {\n /* ok */\n } else {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K_R/4K_R/8K_R single/multiple tile profiles \"\n \"require tile to be greater or equal to image size,\\n\"\n \"or to be (1024,1024), or (2048,2048) for 4K_R/8K_R \"\n \"or (4096,4096) for 8K_R.\\n\"\n \"-> %d,%d is non conformant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n parameters->cp_tdx,\n parameters->cp_tdy);\n ret = OPJ_FALSE;\n }\n }\n }\n\n /* Bitdepth */\n for (i = 0; i < image->numcomps; i++) {\n if (!(image->comps[i].bpp >= 8 && image->comps[i].bpp <= 16) ||\n (image->comps[i].sgnd)) {\n char signed_str[] = \"signed\";\n char unsigned_str[] = \"unsigned\";\n char *tmp_str = image->comps[i].sgnd ? 
signed_str : unsigned_str;\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require precision of each component to b in [8-16] bits unsigned\"\n \"-> At least component %d of input image (%d bits, %s) is not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n i, image->comps[i].bpp, tmp_str);\n ret = OPJ_FALSE;\n }\n }\n\n /* Sub-sampling */\n for (i = 0; i < image->numcomps; i++) {\n if (i == 0 && image->comps[i].dx != 1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require XRSiz1 == 1. Here it is set to %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n image->comps[i].dx);\n ret = OPJ_FALSE;\n }\n if (i == 1 && image->comps[i].dx != 1 && image->comps[i].dx != 2) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require XRSiz2 == 1 or 2. Here it is set to %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n image->comps[i].dx);\n ret = OPJ_FALSE;\n }\n if (i > 1 && image->comps[i].dx != image->comps[i - 1].dx) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require XRSiz%d to be the same as XRSiz2. \"\n \"Here it is set to %d instead of %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n i + 1, image->comps[i].dx, image->comps[i - 1].dx);\n ret = OPJ_FALSE;\n }\n if (image->comps[i].dy != 1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require YRsiz == 1. 
\"\n \"Here it is set to %d for component i.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n image->comps[i].dy, i);\n ret = OPJ_FALSE;\n }\n }\n\n /* Image size */\n switch (profile) {\n case OPJ_PROFILE_IMF_2K:\n case OPJ_PROFILE_IMF_2K_R:\n if (((image->comps[0].w > 2048) | (image->comps[0].h > 1556))) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K/2K_R profile require:\\n\"\n \"width <= 2048 and height <= 1556\\n\"\n \"-> Input image size %d x %d is not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n image->comps[0].w, image->comps[0].h);\n ret = OPJ_FALSE;\n }\n break;\n case OPJ_PROFILE_IMF_4K:\n case OPJ_PROFILE_IMF_4K_R:\n if (((image->comps[0].w > 4096) | (image->comps[0].h > 3112))) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K/4K_R profile require:\\n\"\n \"width <= 4096 and height <= 3112\\n\"\n \"-> Input image size %d x %d is not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n image->comps[0].w, image->comps[0].h);\n ret = OPJ_FALSE;\n }\n break;\n case OPJ_PROFILE_IMF_8K:\n case OPJ_PROFILE_IMF_8K_R:\n if (((image->comps[0].w > 8192) | (image->comps[0].h > 6224))) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 8K/8K_R profile require:\\n\"\n \"width <= 8192 and height <= 6224\\n\"\n \"-> Input image size %d x %d is not compliant\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n image->comps[0].w, image->comps[0].h);\n ret = OPJ_FALSE;\n }\n break;\n default :\n assert(0);\n return OPJ_FALSE;\n }\n\n if (parameters->roi_compno != -1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profile forbid RGN / region of interest marker.\\n\"\n \"-> Compression parameters specify a ROI\\n\"\n \"-> Non-IMF codestream will be generated\\n\");\n ret = OPJ_FALSE;\n }\n\n if (parameters->cblockw_init != 32 || parameters->cblockh_init != 32) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profile require code block size to be 32x32.\\n\"\n \"-> Compression parameters set it to %dx%d.\\n\"\n 
\"-> Non-IMF codestream will be generated\\n\",\n parameters->cblockw_init,\n parameters->cblockh_init);\n ret = OPJ_FALSE;\n }\n\n if (parameters->prog_order != OPJ_CPRL) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profile require progression order to be CPRL.\\n\"\n \"-> Compression parameters set it to %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n parameters->prog_order);\n ret = OPJ_FALSE;\n }\n\n if (parameters->numpocs != 0) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profile forbid POC markers.\\n\"\n \"-> Compression parameters set %d POC.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n parameters->numpocs);\n ret = OPJ_FALSE;\n }\n\n /* Codeblock style: no mode switch enabled */\n if (parameters->mode != 0) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profile forbid mode switch in code block style.\\n\"\n \"-> Compression parameters set code block style to %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n parameters->mode);\n ret = OPJ_FALSE;\n }\n\n if (profile == OPJ_PROFILE_IMF_2K ||\n profile == OPJ_PROFILE_IMF_4K ||\n profile == OPJ_PROFILE_IMF_8K) {\n /* Expect 9-7 transform */\n if (parameters->irreversible != 1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K/4K/8K profiles require 9-7 Irreversible Transform.\\n\"\n \"-> Compression parameters set it to reversible.\\n\"\n \"-> Non-IMF codestream will be generated\\n\");\n ret = OPJ_FALSE;\n }\n } else {\n /* Expect 5-3 transform */\n if (parameters->irreversible != 0) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K/4K/8K profiles require 5-3 reversible Transform.\\n\"\n \"-> Compression parameters set it to irreversible.\\n\"\n \"-> Non-IMF codestream will be generated\\n\");\n ret = OPJ_FALSE;\n }\n }\n\n /* Number of layers */\n if (parameters->tcp_numlayers != 1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K/4K/8K profiles require 1 single quality layer.\\n\"\n \"-> Number of layers is %d.\\n\"\n \"-> Non-IMF codestream will be 
generated\\n\",\n parameters->tcp_numlayers);\n ret = OPJ_FALSE;\n }\n\n /* Decomposition levels */\n switch (profile) {\n case OPJ_PROFILE_IMF_2K:\n if (!(NL >= 1 && NL <= 5)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K profile requires 1 <= NL <= 5:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n break;\n case OPJ_PROFILE_IMF_4K:\n if (!(NL >= 1 && NL <= 6)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K profile requires 1 <= NL <= 6:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n break;\n case OPJ_PROFILE_IMF_8K:\n if (!(NL >= 1 && NL <= 7)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 8K profile requires 1 <= NL <= 7:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n break;\n case OPJ_PROFILE_IMF_2K_R: {\n if (XTsiz >= 2048) {\n if (!(NL >= 1 && NL <= 5)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K_R profile requires 1 <= NL <= 5 for XTsiz >= 2048:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n } else if (XTsiz >= 1024) {\n if (!(NL >= 1 && NL <= 4)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 2K_R profile requires 1 <= NL <= 4 for XTsiz in [1024,2048[:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n }\n break;\n }\n case OPJ_PROFILE_IMF_4K_R: {\n if (XTsiz >= 4096) {\n if (!(NL >= 1 && NL <= 6)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K_R profile requires 1 <= NL <= 6 for XTsiz >= 4096:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n } else if (XTsiz >= 2048) {\n if (!(NL >= 1 && NL <= 5)) 
{\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K_R profile requires 1 <= NL <= 5 for XTsiz in [2048,4096[:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n } else if (XTsiz >= 1024) {\n if (!(NL >= 1 && NL <= 4)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K_R profile requires 1 <= NL <= 4 for XTsiz in [1024,2048[:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n }\n break;\n }\n case OPJ_PROFILE_IMF_8K_R: {\n if (XTsiz >= 8192) {\n if (!(NL >= 1 && NL <= 7)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K_R profile requires 1 <= NL <= 7 for XTsiz >= 8192:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n } else if (XTsiz >= 4096) {\n if (!(NL >= 1 && NL <= 6)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K_R profile requires 1 <= NL <= 6 for XTsiz in [4096,8192[:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n } else if (XTsiz >= 2048) {\n if (!(NL >= 1 && NL <= 5)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K_R profile requires 1 <= NL <= 5 for XTsiz in [2048,4096[:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n } else if (XTsiz >= 1024) {\n if (!(NL >= 1 && NL <= 4)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF 4K_R profile requires 1 <= NL <= 4 for XTsiz in [1024,2048[:\\n\"\n \"-> Number of decomposition levels is %d.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n }\n break;\n }\n default:\n break;\n }\n\n if (parameters->numresolution == 1) {\n if (parameters->res_spec != 1 ||\n parameters->prcw_init[0] != 128 ||\n parameters->prch_init[0] != 128) {\n 
opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require PPx = PPy = 7 for NLLL band, else 8.\\n\"\n \"-> Supplied values are different from that.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n } else {\n int i;\n for (i = 0; i < parameters->res_spec; i++) {\n if (parameters->prcw_init[i] != 256 ||\n parameters->prch_init[i] != 256) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"IMF profiles require PPx = PPy = 7 for NLLL band, else 8.\\n\"\n \"-> Supplied values are different from that.\\n\"\n \"-> Non-IMF codestream will be generated\\n\",\n NL);\n ret = OPJ_FALSE;\n }\n }\n }\n\n return ret;\n}",
- "project": "openjpeg",
- "hash": 247621853903973910621601863312658855615,
- "size": 441,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357296
- },
- {
- "func": "OPJ_BOOL opj_j2k_setup_encoder(opj_j2k_t *p_j2k,\n opj_cparameters_t *parameters,\n opj_image_t *image,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32 i, j, tileno, numpocs_tile;\n opj_cp_t *cp = 00;\n OPJ_UINT32 cblkw, cblkh;\n\n if (!p_j2k || !parameters || ! image) {\n return OPJ_FALSE;\n }\n\n if ((parameters->numresolution <= 0) ||\n (parameters->numresolution > OPJ_J2K_MAXRLVLS)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid number of resolutions : %d not in range [1,%d]\\n\",\n parameters->numresolution, OPJ_J2K_MAXRLVLS);\n return OPJ_FALSE;\n }\n\n if (parameters->cblockw_init < 4 || parameters->cblockw_init > 1024) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid value for cblockw_init: %d not a power of 2 in range [4,1024]\\n\",\n parameters->cblockw_init);\n return OPJ_FALSE;\n }\n if (parameters->cblockh_init < 4 || parameters->cblockh_init > 1024) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid value for cblockh_init: %d not a power of 2 not in range [4,1024]\\n\",\n parameters->cblockh_init);\n return OPJ_FALSE;\n }\n if (parameters->cblockw_init * parameters->cblockh_init > 4096) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid value for cblockw_init * cblockh_init: should be <= 4096\\n\");\n return OPJ_FALSE;\n }\n cblkw = (OPJ_UINT32)opj_int_floorlog2(parameters->cblockw_init);\n cblkh = (OPJ_UINT32)opj_int_floorlog2(parameters->cblockh_init);\n if (parameters->cblockw_init != (1 << cblkw)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid value for cblockw_init: %d not a power of 2 in range [4,1024]\\n\",\n parameters->cblockw_init);\n return OPJ_FALSE;\n }\n if (parameters->cblockh_init != (1 << cblkh)) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid value for cblockw_init: %d not a power of 2 in range [4,1024]\\n\",\n parameters->cblockh_init);\n return OPJ_FALSE;\n }\n\n /* keep a link to cp so that we can destroy it later in j2k_destroy_compress */\n cp = &(p_j2k->m_cp);\n\n /* set default values for cp */\n 
cp->tw = 1;\n cp->th = 1;\n\n /* FIXME ADE: to be removed once deprecated cp_cinema and cp_rsiz have been removed */\n if (parameters->rsiz ==\n OPJ_PROFILE_NONE) { /* consider deprecated fields only if RSIZ has not been set */\n OPJ_BOOL deprecated_used = OPJ_FALSE;\n switch (parameters->cp_cinema) {\n case OPJ_CINEMA2K_24:\n parameters->rsiz = OPJ_PROFILE_CINEMA_2K;\n parameters->max_cs_size = OPJ_CINEMA_24_CS;\n parameters->max_comp_size = OPJ_CINEMA_24_COMP;\n deprecated_used = OPJ_TRUE;\n break;\n case OPJ_CINEMA2K_48:\n parameters->rsiz = OPJ_PROFILE_CINEMA_2K;\n parameters->max_cs_size = OPJ_CINEMA_48_CS;\n parameters->max_comp_size = OPJ_CINEMA_48_COMP;\n deprecated_used = OPJ_TRUE;\n break;\n case OPJ_CINEMA4K_24:\n parameters->rsiz = OPJ_PROFILE_CINEMA_4K;\n parameters->max_cs_size = OPJ_CINEMA_24_CS;\n parameters->max_comp_size = OPJ_CINEMA_24_COMP;\n deprecated_used = OPJ_TRUE;\n break;\n case OPJ_OFF:\n default:\n break;\n }\n switch (parameters->cp_rsiz) {\n case OPJ_CINEMA2K:\n parameters->rsiz = OPJ_PROFILE_CINEMA_2K;\n deprecated_used = OPJ_TRUE;\n break;\n case OPJ_CINEMA4K:\n parameters->rsiz = OPJ_PROFILE_CINEMA_4K;\n deprecated_used = OPJ_TRUE;\n break;\n case OPJ_MCT:\n parameters->rsiz = OPJ_PROFILE_PART2 | OPJ_EXTENSION_MCT;\n deprecated_used = OPJ_TRUE;\n case OPJ_STD_RSIZ:\n default:\n break;\n }\n if (deprecated_used) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"Deprecated fields cp_cinema or cp_rsiz are used\\n\"\n \"Please consider using only the rsiz field\\n\"\n \"See openjpeg.h documentation for more details\\n\");\n }\n }\n\n /* If no explicit layers are provided, use lossless settings */\n if (parameters->tcp_numlayers == 0) {\n parameters->tcp_numlayers = 1;\n parameters->cp_disto_alloc = 1;\n parameters->tcp_rates[0] = 0;\n }\n\n if (parameters->cp_disto_alloc) {\n /* Emit warnings if tcp_rates are not decreasing */\n for (i = 1; i < (OPJ_UINT32) parameters->tcp_numlayers; i++) {\n OPJ_FLOAT32 rate_i_corr = 
parameters->tcp_rates[i];\n OPJ_FLOAT32 rate_i_m_1_corr = parameters->tcp_rates[i - 1];\n if (rate_i_corr <= 1.0) {\n rate_i_corr = 1.0;\n }\n if (rate_i_m_1_corr <= 1.0) {\n rate_i_m_1_corr = 1.0;\n }\n if (rate_i_corr >= rate_i_m_1_corr) {\n if (rate_i_corr != parameters->tcp_rates[i] &&\n rate_i_m_1_corr != parameters->tcp_rates[i - 1]) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"tcp_rates[%d]=%f (corrected as %f) should be strictly lesser \"\n \"than tcp_rates[%d]=%f (corrected as %f)\\n\",\n i, parameters->tcp_rates[i], rate_i_corr,\n i - 1, parameters->tcp_rates[i - 1], rate_i_m_1_corr);\n } else if (rate_i_corr != parameters->tcp_rates[i]) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"tcp_rates[%d]=%f (corrected as %f) should be strictly lesser \"\n \"than tcp_rates[%d]=%f\\n\",\n i, parameters->tcp_rates[i], rate_i_corr,\n i - 1, parameters->tcp_rates[i - 1]);\n } else if (rate_i_m_1_corr != parameters->tcp_rates[i - 1]) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"tcp_rates[%d]=%f should be strictly lesser \"\n \"than tcp_rates[%d]=%f (corrected as %f)\\n\",\n i, parameters->tcp_rates[i],\n i - 1, parameters->tcp_rates[i - 1], rate_i_m_1_corr);\n } else {\n opj_event_msg(p_manager, EVT_WARNING,\n \"tcp_rates[%d]=%f should be strictly lesser \"\n \"than tcp_rates[%d]=%f\\n\",\n i, parameters->tcp_rates[i],\n i - 1, parameters->tcp_rates[i - 1]);\n }\n }\n }\n } else if (parameters->cp_fixed_quality) {\n /* Emit warnings if tcp_distoratio are not increasing */\n for (i = 1; i < (OPJ_UINT32) parameters->tcp_numlayers; i++) {\n if (parameters->tcp_distoratio[i] < parameters->tcp_distoratio[i - 1] &&\n !(i == (OPJ_UINT32)parameters->tcp_numlayers - 1 &&\n parameters->tcp_distoratio[i] == 0)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"tcp_distoratio[%d]=%f should be strictly greater \"\n \"than tcp_distoratio[%d]=%f\\n\",\n i, parameters->tcp_distoratio[i], i - 1,\n parameters->tcp_distoratio[i - 1]);\n }\n }\n }\n\n /* see if max_codestream_size does 
limit input rate */\n if (parameters->max_cs_size <= 0) {\n if (parameters->tcp_rates[parameters->tcp_numlayers - 1] > 0) {\n OPJ_FLOAT32 temp_size;\n temp_size = (OPJ_FLOAT32)(((double)image->numcomps * image->comps[0].w *\n image->comps[0].h * image->comps[0].prec) /\n ((double)parameters->tcp_rates[parameters->tcp_numlayers - 1] * 8 *\n image->comps[0].dx * image->comps[0].dy));\n if (temp_size > INT_MAX) {\n parameters->max_cs_size = INT_MAX;\n } else {\n parameters->max_cs_size = (int) floor(temp_size);\n }\n } else {\n parameters->max_cs_size = 0;\n }\n } else {\n OPJ_FLOAT32 temp_rate;\n OPJ_BOOL cap = OPJ_FALSE;\n\n if (OPJ_IS_IMF(parameters->rsiz) && parameters->max_cs_size > 0 &&\n parameters->tcp_numlayers == 1 && parameters->tcp_rates[0] == 0) {\n parameters->tcp_rates[0] = (OPJ_FLOAT32)(image->numcomps * image->comps[0].w *\n image->comps[0].h * image->comps[0].prec) /\n (OPJ_FLOAT32)(((OPJ_UINT32)parameters->max_cs_size) * 8 * image->comps[0].dx *\n image->comps[0].dy);\n }\n\n temp_rate = (OPJ_FLOAT32)(((double)image->numcomps * image->comps[0].w *\n image->comps[0].h * image->comps[0].prec) /\n (((double)parameters->max_cs_size) * 8 * image->comps[0].dx *\n image->comps[0].dy));\n for (i = 0; i < (OPJ_UINT32) parameters->tcp_numlayers; i++) {\n if (parameters->tcp_rates[i] < temp_rate) {\n parameters->tcp_rates[i] = temp_rate;\n cap = OPJ_TRUE;\n }\n }\n if (cap) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"The desired maximum codestream size has limited\\n\"\n \"at least one of the desired quality layers\\n\");\n }\n }\n\n /* Manage profiles and applications and set RSIZ */\n /* set cinema parameters if required */\n if (OPJ_IS_CINEMA(parameters->rsiz)) {\n if ((parameters->rsiz == OPJ_PROFILE_CINEMA_S2K)\n || (parameters->rsiz == OPJ_PROFILE_CINEMA_S4K)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Scalable Digital Cinema profiles not yet supported\\n\");\n parameters->rsiz = OPJ_PROFILE_NONE;\n } else {\n 
opj_j2k_set_cinema_parameters(parameters, image, p_manager);\n if (!opj_j2k_is_cinema_compliant(image, parameters->rsiz, p_manager)) {\n parameters->rsiz = OPJ_PROFILE_NONE;\n }\n }\n } else if (OPJ_IS_STORAGE(parameters->rsiz)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Long Term Storage profile not yet supported\\n\");\n parameters->rsiz = OPJ_PROFILE_NONE;\n } else if (OPJ_IS_BROADCAST(parameters->rsiz)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Broadcast profiles not yet supported\\n\");\n parameters->rsiz = OPJ_PROFILE_NONE;\n } else if (OPJ_IS_IMF(parameters->rsiz)) {\n opj_j2k_set_imf_parameters(parameters, image, p_manager);\n if (!opj_j2k_is_imf_compliant(parameters, image, p_manager)) {\n parameters->rsiz = OPJ_PROFILE_NONE;\n }\n } else if (OPJ_IS_PART2(parameters->rsiz)) {\n if (parameters->rsiz == ((OPJ_PROFILE_PART2) | (OPJ_EXTENSION_NONE))) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Part-2 profile defined\\n\"\n \"but no Part-2 extension enabled.\\n\"\n \"Profile set to NONE.\\n\");\n parameters->rsiz = OPJ_PROFILE_NONE;\n } else if (parameters->rsiz != ((OPJ_PROFILE_PART2) | (OPJ_EXTENSION_MCT))) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"Unsupported Part-2 extension enabled\\n\"\n \"Profile set to NONE.\\n\");\n parameters->rsiz = OPJ_PROFILE_NONE;\n }\n }\n\n /*\n copy user encoding parameters\n */\n cp->m_specific_param.m_enc.m_max_comp_size = (OPJ_UINT32)\n parameters->max_comp_size;\n cp->rsiz = parameters->rsiz;\n cp->m_specific_param.m_enc.m_disto_alloc = (OPJ_UINT32)\n parameters->cp_disto_alloc & 1u;\n cp->m_specific_param.m_enc.m_fixed_alloc = (OPJ_UINT32)\n parameters->cp_fixed_alloc & 1u;\n cp->m_specific_param.m_enc.m_fixed_quality = (OPJ_UINT32)\n parameters->cp_fixed_quality & 1u;\n\n /* mod fixed_quality */\n if (parameters->cp_fixed_alloc && parameters->cp_matrice) {\n size_t array_size = (size_t)parameters->tcp_numlayers *\n (size_t)parameters->numresolution * 3 * sizeof(OPJ_INT32);\n 
cp->m_specific_param.m_enc.m_matrice = (OPJ_INT32 *) opj_malloc(array_size);\n if (!cp->m_specific_param.m_enc.m_matrice) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate copy of user encoding parameters matrix \\n\");\n return OPJ_FALSE;\n }\n memcpy(cp->m_specific_param.m_enc.m_matrice, parameters->cp_matrice,\n array_size);\n }\n\n /* tiles */\n cp->tdx = (OPJ_UINT32)parameters->cp_tdx;\n cp->tdy = (OPJ_UINT32)parameters->cp_tdy;\n\n /* tile offset */\n cp->tx0 = (OPJ_UINT32)parameters->cp_tx0;\n cp->ty0 = (OPJ_UINT32)parameters->cp_ty0;\n\n /* comment string */\n if (parameters->cp_comment) {\n cp->comment = (char*)opj_malloc(strlen(parameters->cp_comment) + 1U);\n if (!cp->comment) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate copy of comment string\\n\");\n return OPJ_FALSE;\n }\n strcpy(cp->comment, parameters->cp_comment);\n } else {\n /* Create default comment for codestream */\n const char comment[] = \"Created by OpenJPEG version \";\n const size_t clen = strlen(comment);\n const char *version = opj_version();\n\n /* UniPG>> */\n#ifdef USE_JPWL\n cp->comment = (char*)opj_malloc(clen + strlen(version) + 11);\n if (!cp->comment) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate comment string\\n\");\n return OPJ_FALSE;\n }\n sprintf(cp->comment, \"%s%s with JPWL\", comment, version);\n#else\n cp->comment = (char*)opj_malloc(clen + strlen(version) + 1);\n if (!cp->comment) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate comment string\\n\");\n return OPJ_FALSE;\n }\n sprintf(cp->comment, \"%s%s\", comment, version);\n#endif\n /* <<UniPG */\n }\n\n /*\n calculate other encoding parameters\n */\n\n if (parameters->tile_size_on) {\n if (cp->tdx == 0) {\n opj_event_msg(p_manager, EVT_ERROR, \"Invalid tile width\\n\");\n return OPJ_FALSE;\n }\n if (cp->tdy == 0) {\n opj_event_msg(p_manager, EVT_ERROR, \"Invalid tile height\\n\");\n return OPJ_FALSE;\n }\n 
cp->tw = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(image->x1 - cp->tx0),\n (OPJ_INT32)cp->tdx);\n cp->th = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(image->y1 - cp->ty0),\n (OPJ_INT32)cp->tdy);\n } else {\n cp->tdx = image->x1 - cp->tx0;\n cp->tdy = image->y1 - cp->ty0;\n }\n\n if (parameters->tp_on) {\n cp->m_specific_param.m_enc.m_tp_flag = (OPJ_BYTE)parameters->tp_flag;\n cp->m_specific_param.m_enc.m_tp_on = 1;\n }\n\n#ifdef USE_JPWL\n /*\n calculate JPWL encoding parameters\n */\n\n if (parameters->jpwl_epc_on) {\n OPJ_INT32 i;\n\n /* set JPWL on */\n cp->epc_on = OPJ_TRUE;\n cp->info_on = OPJ_FALSE; /* no informative technique */\n\n /* set EPB on */\n if ((parameters->jpwl_hprot_MH > 0) || (parameters->jpwl_hprot_TPH[0] > 0)) {\n cp->epb_on = OPJ_TRUE;\n\n cp->hprot_MH = parameters->jpwl_hprot_MH;\n for (i = 0; i < JPWL_MAX_NO_TILESPECS; i++) {\n cp->hprot_TPH_tileno[i] = parameters->jpwl_hprot_TPH_tileno[i];\n cp->hprot_TPH[i] = parameters->jpwl_hprot_TPH[i];\n }\n /* if tile specs are not specified, copy MH specs */\n if (cp->hprot_TPH[0] == -1) {\n cp->hprot_TPH_tileno[0] = 0;\n cp->hprot_TPH[0] = parameters->jpwl_hprot_MH;\n }\n for (i = 0; i < JPWL_MAX_NO_PACKSPECS; i++) {\n cp->pprot_tileno[i] = parameters->jpwl_pprot_tileno[i];\n cp->pprot_packno[i] = parameters->jpwl_pprot_packno[i];\n cp->pprot[i] = parameters->jpwl_pprot[i];\n }\n }\n\n /* set ESD writing */\n if ((parameters->jpwl_sens_size == 1) || (parameters->jpwl_sens_size == 2)) {\n cp->esd_on = OPJ_TRUE;\n\n cp->sens_size = parameters->jpwl_sens_size;\n cp->sens_addr = parameters->jpwl_sens_addr;\n cp->sens_range = parameters->jpwl_sens_range;\n\n cp->sens_MH = parameters->jpwl_sens_MH;\n for (i = 0; i < JPWL_MAX_NO_TILESPECS; i++) {\n cp->sens_TPH_tileno[i] = parameters->jpwl_sens_TPH_tileno[i];\n cp->sens_TPH[i] = parameters->jpwl_sens_TPH[i];\n }\n }\n\n /* always set RED writing to false: we are at the encoder */\n cp->red_on = OPJ_FALSE;\n\n } else {\n cp->epc_on = OPJ_FALSE;\n }\n#endif /* 
USE_JPWL */\n\n /* initialize the mutiple tiles */\n /* ---------------------------- */\n cp->tcps = (opj_tcp_t*) opj_calloc(cp->tw * cp->th, sizeof(opj_tcp_t));\n if (!cp->tcps) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate tile coding parameters\\n\");\n return OPJ_FALSE;\n }\n\n for (tileno = 0; tileno < cp->tw * cp->th; tileno++) {\n opj_tcp_t *tcp = &cp->tcps[tileno];\n tcp->numlayers = (OPJ_UINT32)parameters->tcp_numlayers;\n\n for (j = 0; j < tcp->numlayers; j++) {\n if (OPJ_IS_CINEMA(cp->rsiz) || OPJ_IS_IMF(cp->rsiz)) {\n if (cp->m_specific_param.m_enc.m_fixed_quality) {\n tcp->distoratio[j] = parameters->tcp_distoratio[j];\n }\n tcp->rates[j] = parameters->tcp_rates[j];\n } else {\n if (cp->m_specific_param.m_enc.m_fixed_quality) { /* add fixed_quality */\n tcp->distoratio[j] = parameters->tcp_distoratio[j];\n } else {\n tcp->rates[j] = parameters->tcp_rates[j];\n }\n }\n if (!cp->m_specific_param.m_enc.m_fixed_quality &&\n tcp->rates[j] <= 1.0) {\n tcp->rates[j] = 0.0; /* force lossless */\n }\n }\n\n tcp->csty = (OPJ_UINT32)parameters->csty;\n tcp->prg = parameters->prog_order;\n tcp->mct = (OPJ_UINT32)parameters->tcp_mct;\n\n numpocs_tile = 0;\n tcp->POC = 0;\n\n if (parameters->numpocs) {\n /* initialisation of POC */\n for (i = 0; i < parameters->numpocs; i++) {\n if (tileno + 1 == parameters->POC[i].tile) {\n opj_poc_t *tcp_poc = &tcp->pocs[numpocs_tile];\n\n if (parameters->POC[numpocs_tile].compno0 >= image->numcomps) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Invalid compno0 for POC %d\\n\", i);\n return OPJ_FALSE;\n }\n\n tcp_poc->resno0 = parameters->POC[numpocs_tile].resno0;\n tcp_poc->compno0 = parameters->POC[numpocs_tile].compno0;\n tcp_poc->layno1 = parameters->POC[numpocs_tile].layno1;\n tcp_poc->resno1 = parameters->POC[numpocs_tile].resno1;\n tcp_poc->compno1 = opj_uint_min(parameters->POC[numpocs_tile].compno1,\n image->numcomps);\n tcp_poc->prg1 = parameters->POC[numpocs_tile].prg1;\n tcp_poc->tile = 
parameters->POC[numpocs_tile].tile;\n\n numpocs_tile++;\n }\n }\n\n if (numpocs_tile) {\n\n /* TODO MSD use the return value*/\n opj_j2k_check_poc_val(parameters->POC, tileno, parameters->numpocs,\n (OPJ_UINT32)parameters->numresolution, image->numcomps,\n (OPJ_UINT32)parameters->tcp_numlayers, p_manager);\n\n tcp->POC = 1;\n tcp->numpocs = numpocs_tile - 1 ;\n }\n } else {\n tcp->numpocs = 0;\n }\n\n tcp->tccps = (opj_tccp_t*) opj_calloc(image->numcomps, sizeof(opj_tccp_t));\n if (!tcp->tccps) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate tile component coding parameters\\n\");\n return OPJ_FALSE;\n }\n if (parameters->mct_data) {\n\n OPJ_UINT32 lMctSize = image->numcomps * image->numcomps * (OPJ_UINT32)sizeof(\n OPJ_FLOAT32);\n OPJ_FLOAT32 * lTmpBuf = (OPJ_FLOAT32*)opj_malloc(lMctSize);\n OPJ_INT32 * l_dc_shift = (OPJ_INT32 *)((OPJ_BYTE *) parameters->mct_data +\n lMctSize);\n\n if (!lTmpBuf) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate temp buffer\\n\");\n return OPJ_FALSE;\n }\n\n tcp->mct = 2;\n tcp->m_mct_coding_matrix = (OPJ_FLOAT32*)opj_malloc(lMctSize);\n if (! tcp->m_mct_coding_matrix) {\n opj_free(lTmpBuf);\n lTmpBuf = NULL;\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate encoder MCT coding matrix \\n\");\n return OPJ_FALSE;\n }\n memcpy(tcp->m_mct_coding_matrix, parameters->mct_data, lMctSize);\n memcpy(lTmpBuf, parameters->mct_data, lMctSize);\n\n tcp->m_mct_decoding_matrix = (OPJ_FLOAT32*)opj_malloc(lMctSize);\n if (! 
tcp->m_mct_decoding_matrix) {\n opj_free(lTmpBuf);\n lTmpBuf = NULL;\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate encoder MCT decoding matrix \\n\");\n return OPJ_FALSE;\n }\n if (opj_matrix_inversion_f(lTmpBuf, (tcp->m_mct_decoding_matrix),\n image->numcomps) == OPJ_FALSE) {\n opj_free(lTmpBuf);\n lTmpBuf = NULL;\n opj_event_msg(p_manager, EVT_ERROR,\n \"Failed to inverse encoder MCT decoding matrix \\n\");\n return OPJ_FALSE;\n }\n\n tcp->mct_norms = (OPJ_FLOAT64*)\n opj_malloc(image->numcomps * sizeof(OPJ_FLOAT64));\n if (! tcp->mct_norms) {\n opj_free(lTmpBuf);\n lTmpBuf = NULL;\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory to allocate encoder MCT norms \\n\");\n return OPJ_FALSE;\n }\n opj_calculate_norms(tcp->mct_norms, image->numcomps,\n tcp->m_mct_decoding_matrix);\n opj_free(lTmpBuf);\n\n for (i = 0; i < image->numcomps; i++) {\n opj_tccp_t *tccp = &tcp->tccps[i];\n tccp->m_dc_level_shift = l_dc_shift[i];\n }\n\n if (opj_j2k_setup_mct_encoding(tcp, image) == OPJ_FALSE) {\n /* free will be handled by opj_j2k_destroy */\n opj_event_msg(p_manager, EVT_ERROR, \"Failed to setup j2k mct encoding\\n\");\n return OPJ_FALSE;\n }\n } else {\n if (tcp->mct == 1 && image->numcomps >= 3) { /* RGB->YCC MCT is enabled */\n if ((image->comps[0].dx != image->comps[1].dx) ||\n (image->comps[0].dx != image->comps[2].dx) ||\n (image->comps[0].dy != image->comps[1].dy) ||\n (image->comps[0].dy != image->comps[2].dy)) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"Cannot perform MCT on components with different sizes. Disabling MCT.\\n\");\n tcp->mct = 0;\n }\n }\n for (i = 0; i < image->numcomps; i++) {\n opj_tccp_t *tccp = &tcp->tccps[i];\n opj_image_comp_t * l_comp = &(image->comps[i]);\n\n if (! 
l_comp->sgnd) {\n tccp->m_dc_level_shift = 1 << (l_comp->prec - 1);\n }\n }\n }\n\n for (i = 0; i < image->numcomps; i++) {\n opj_tccp_t *tccp = &tcp->tccps[i];\n\n tccp->csty = parameters->csty &\n 0x01; /* 0 => one precinct || 1 => custom precinct */\n tccp->numresolutions = (OPJ_UINT32)parameters->numresolution;\n tccp->cblkw = (OPJ_UINT32)opj_int_floorlog2(parameters->cblockw_init);\n tccp->cblkh = (OPJ_UINT32)opj_int_floorlog2(parameters->cblockh_init);\n tccp->cblksty = (OPJ_UINT32)parameters->mode;\n tccp->qmfbid = parameters->irreversible ? 0 : 1;\n tccp->qntsty = parameters->irreversible ? J2K_CCP_QNTSTY_SEQNT :\n J2K_CCP_QNTSTY_NOQNT;\n tccp->numgbits = 2;\n\n if ((OPJ_INT32)i == parameters->roi_compno) {\n tccp->roishift = parameters->roi_shift;\n } else {\n tccp->roishift = 0;\n }\n\n if (parameters->csty & J2K_CCP_CSTY_PRT) {\n OPJ_INT32 p = 0, it_res;\n assert(tccp->numresolutions > 0);\n for (it_res = (OPJ_INT32)tccp->numresolutions - 1; it_res >= 0; it_res--) {\n if (p < parameters->res_spec) {\n\n if (parameters->prcw_init[p] < 1) {\n tccp->prcw[it_res] = 1;\n } else {\n tccp->prcw[it_res] = (OPJ_UINT32)opj_int_floorlog2(parameters->prcw_init[p]);\n }\n\n if (parameters->prch_init[p] < 1) {\n tccp->prch[it_res] = 1;\n } else {\n tccp->prch[it_res] = (OPJ_UINT32)opj_int_floorlog2(parameters->prch_init[p]);\n }\n\n } else {\n OPJ_INT32 res_spec = parameters->res_spec;\n OPJ_INT32 size_prcw = 0;\n OPJ_INT32 size_prch = 0;\n\n assert(res_spec > 0); /* issue 189 */\n size_prcw = parameters->prcw_init[res_spec - 1] >> (p - (res_spec - 1));\n size_prch = parameters->prch_init[res_spec - 1] >> (p - (res_spec - 1));\n\n\n if (size_prcw < 1) {\n tccp->prcw[it_res] = 1;\n } else {\n tccp->prcw[it_res] = (OPJ_UINT32)opj_int_floorlog2(size_prcw);\n }\n\n if (size_prch < 1) {\n tccp->prch[it_res] = 1;\n } else {\n tccp->prch[it_res] = (OPJ_UINT32)opj_int_floorlog2(size_prch);\n }\n }\n p++;\n /*printf(\"\\nsize precinct for level %d : %d,%d\\n\", 
it_res,tccp->prcw[it_res], tccp->prch[it_res]); */\n } /*end for*/\n } else {\n for (j = 0; j < tccp->numresolutions; j++) {\n tccp->prcw[j] = 15;\n tccp->prch[j] = 15;\n }\n }\n\n opj_dwt_calc_explicit_stepsizes(tccp, image->comps[i].prec);\n }\n }\n\n if (parameters->mct_data) {\n opj_free(parameters->mct_data);\n parameters->mct_data = 00;\n }\n return OPJ_TRUE;\n}",
- "project": "openjpeg",
- "hash": 186800795896273863273003403215619007706,
- "size": 665,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357290
- },
- {
- "func": "static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,\n opj_image_t *image, opj_event_mgr_t *p_manager)\n{\n /* Configure cinema parameters */\n int i;\n\n /* No tiling */\n parameters->tile_size_on = OPJ_FALSE;\n parameters->cp_tdx = 1;\n parameters->cp_tdy = 1;\n\n /* One tile part for each component */\n parameters->tp_flag = 'C';\n parameters->tp_on = 1;\n\n /* Tile and Image shall be at (0,0) */\n parameters->cp_tx0 = 0;\n parameters->cp_ty0 = 0;\n parameters->image_offset_x0 = 0;\n parameters->image_offset_y0 = 0;\n\n /* Codeblock size= 32*32 */\n parameters->cblockw_init = 32;\n parameters->cblockh_init = 32;\n\n /* Codeblock style: no mode switch enabled */\n parameters->mode = 0;\n\n /* No ROI */\n parameters->roi_compno = -1;\n\n /* No subsampling */\n parameters->subsampling_dx = 1;\n parameters->subsampling_dy = 1;\n\n /* 9-7 transform */\n parameters->irreversible = 1;\n\n /* Number of layers */\n if (parameters->tcp_numlayers > 1) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 and 4 (2k/4k dc profile) requires:\\n\"\n \"1 single quality layer\"\n \"-> Number of layers forced to 1 (rather than %d)\\n\"\n \"-> Rate of the last layer (%3.1f) will be used\",\n parameters->tcp_numlayers,\n parameters->tcp_rates[parameters->tcp_numlayers - 1]);\n parameters->tcp_rates[0] = parameters->tcp_rates[parameters->tcp_numlayers - 1];\n parameters->tcp_numlayers = 1;\n }\n\n /* Resolution levels */\n switch (parameters->rsiz) {\n case OPJ_PROFILE_CINEMA_2K:\n if (parameters->numresolution > 6) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 (2k dc profile) requires:\\n\"\n \"Number of decomposition levels <= 5\\n\"\n \"-> Number of decomposition levels forced to 5 (rather than %d)\\n\",\n parameters->numresolution + 1);\n parameters->numresolution = 6;\n }\n break;\n case OPJ_PROFILE_CINEMA_4K:\n if (parameters->numresolution < 2) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-4 (4k 
dc profile) requires:\\n\"\n \"Number of decomposition levels >= 1 && <= 6\\n\"\n \"-> Number of decomposition levels forced to 1 (rather than %d)\\n\",\n parameters->numresolution + 1);\n parameters->numresolution = 1;\n } else if (parameters->numresolution > 7) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-4 (4k dc profile) requires:\\n\"\n \"Number of decomposition levels >= 1 && <= 6\\n\"\n \"-> Number of decomposition levels forced to 6 (rather than %d)\\n\",\n parameters->numresolution + 1);\n parameters->numresolution = 7;\n }\n break;\n default :\n break;\n }\n\n /* Precincts */\n parameters->csty |= J2K_CP_CSTY_PRT;\n if (parameters->numresolution == 1) {\n parameters->res_spec = 1;\n parameters->prcw_init[0] = 128;\n parameters->prch_init[0] = 128;\n } else {\n parameters->res_spec = parameters->numresolution - 1;\n for (i = 0; i < parameters->res_spec; i++) {\n parameters->prcw_init[i] = 256;\n parameters->prch_init[i] = 256;\n }\n }\n\n /* The progression order shall be CPRL */\n parameters->prog_order = OPJ_CPRL;\n\n /* Progression order changes for 4K, disallowed for 2K */\n if (parameters->rsiz == OPJ_PROFILE_CINEMA_4K) {\n parameters->numpocs = (OPJ_UINT32)opj_j2k_initialise_4K_poc(parameters->POC,\n parameters->numresolution);\n } else {\n parameters->numpocs = 0;\n }\n\n /* Limited bit-rate */\n parameters->cp_disto_alloc = 1;\n if (parameters->max_cs_size <= 0) {\n /* No rate has been introduced, 24 fps is assumed */\n parameters->max_cs_size = OPJ_CINEMA_24_CS;\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 and 4 (2k/4k dc profile) requires:\\n\"\n \"Maximum 1302083 compressed bytes @ 24fps\\n\"\n \"As no rate has been given, this limit will be used.\\n\");\n } else if (parameters->max_cs_size > OPJ_CINEMA_24_CS) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 and 4 (2k/4k dc profile) requires:\\n\"\n \"Maximum 1302083 compressed bytes @ 24fps\\n\"\n \"-> Specified rate exceeds this limit. 
Rate will be forced to 1302083 bytes.\\n\");\n parameters->max_cs_size = OPJ_CINEMA_24_CS;\n }\n\n if (parameters->max_comp_size <= 0) {\n /* No rate has been introduced, 24 fps is assumed */\n parameters->max_comp_size = OPJ_CINEMA_24_COMP;\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 and 4 (2k/4k dc profile) requires:\\n\"\n \"Maximum 1041666 compressed bytes @ 24fps\\n\"\n \"As no rate has been given, this limit will be used.\\n\");\n } else if (parameters->max_comp_size > OPJ_CINEMA_24_COMP) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 and 4 (2k/4k dc profile) requires:\\n\"\n \"Maximum 1041666 compressed bytes @ 24fps\\n\"\n \"-> Specified rate exceeds this limit. Rate will be forced to 1041666 bytes.\\n\");\n parameters->max_comp_size = OPJ_CINEMA_24_COMP;\n }\n\n parameters->tcp_rates[0] = (OPJ_FLOAT32)(image->numcomps * image->comps[0].w *\n image->comps[0].h * image->comps[0].prec) /\n (OPJ_FLOAT32)(((OPJ_UINT32)parameters->max_cs_size) * 8 * image->comps[0].dx *\n image->comps[0].dy);\n\n}",
- "project": "openjpeg",
- "hash": 297746079961944802370676389918711288583,
- "size": 147,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357407
- },
- {
- "func": "static int opj_j2k_get_imf_max_NL(opj_cparameters_t *parameters,\n opj_image_t *image)\n{\n /* Decomposition levels */\n const OPJ_UINT16 rsiz = parameters->rsiz;\n const OPJ_UINT16 profile = OPJ_GET_IMF_PROFILE(rsiz);\n const OPJ_UINT32 XTsiz = parameters->tile_size_on ? (OPJ_UINT32)\n parameters->cp_tdx : image->x1;\n switch (profile) {\n case OPJ_PROFILE_IMF_2K:\n return 5;\n case OPJ_PROFILE_IMF_4K:\n return 6;\n case OPJ_PROFILE_IMF_8K:\n return 7;\n case OPJ_PROFILE_IMF_2K_R: {\n if (XTsiz >= 2048) {\n return 5;\n } else if (XTsiz >= 1024) {\n return 4;\n }\n break;\n }\n case OPJ_PROFILE_IMF_4K_R: {\n if (XTsiz >= 4096) {\n return 6;\n } else if (XTsiz >= 2048) {\n return 5;\n } else if (XTsiz >= 1024) {\n return 4;\n }\n break;\n }\n case OPJ_PROFILE_IMF_8K_R: {\n if (XTsiz >= 8192) {\n return 7;\n } else if (XTsiz >= 4096) {\n return 6;\n } else if (XTsiz >= 2048) {\n return 5;\n } else if (XTsiz >= 1024) {\n return 4;\n }\n break;\n }\n default:\n break;\n }\n return -1;\n}",
- "project": "openjpeg",
- "hash": 229824589926677487589073697633540713236,
- "size": 50,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357368
- },
- {
- "func": "OPJ_BOOL opj_j2k_setup_mct_encoding(opj_tcp_t * p_tcp, opj_image_t * p_image)\n{\n OPJ_UINT32 i;\n OPJ_UINT32 l_indix = 1;\n opj_mct_data_t * l_mct_deco_data = 00, * l_mct_offset_data = 00;\n opj_simple_mcc_decorrelation_data_t * l_mcc_data;\n OPJ_UINT32 l_mct_size, l_nb_elem;\n OPJ_FLOAT32 * l_data, * l_current_data;\n opj_tccp_t * l_tccp;\n\n /* preconditions */\n assert(p_tcp != 00);\n\n if (p_tcp->mct != 2) {\n return OPJ_TRUE;\n }\n\n if (p_tcp->m_mct_decoding_matrix) {\n if (p_tcp->m_nb_mct_records == p_tcp->m_nb_max_mct_records) {\n opj_mct_data_t *new_mct_records;\n p_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;\n\n new_mct_records = (opj_mct_data_t *) opj_realloc(p_tcp->m_mct_records,\n p_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t));\n if (! new_mct_records) {\n opj_free(p_tcp->m_mct_records);\n p_tcp->m_mct_records = NULL;\n p_tcp->m_nb_max_mct_records = 0;\n p_tcp->m_nb_mct_records = 0;\n /* opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to setup mct encoding\\n\"); */\n return OPJ_FALSE;\n }\n p_tcp->m_mct_records = new_mct_records;\n l_mct_deco_data = p_tcp->m_mct_records + p_tcp->m_nb_mct_records;\n\n memset(l_mct_deco_data, 0,\n (p_tcp->m_nb_max_mct_records - p_tcp->m_nb_mct_records) * sizeof(\n opj_mct_data_t));\n }\n l_mct_deco_data = p_tcp->m_mct_records + p_tcp->m_nb_mct_records;\n\n if (l_mct_deco_data->m_data) {\n opj_free(l_mct_deco_data->m_data);\n l_mct_deco_data->m_data = 00;\n }\n\n l_mct_deco_data->m_index = l_indix++;\n l_mct_deco_data->m_array_type = MCT_TYPE_DECORRELATION;\n l_mct_deco_data->m_element_type = MCT_TYPE_FLOAT;\n l_nb_elem = p_image->numcomps * p_image->numcomps;\n l_mct_size = l_nb_elem * MCT_ELEMENT_SIZE[l_mct_deco_data->m_element_type];\n l_mct_deco_data->m_data = (OPJ_BYTE*)opj_malloc(l_mct_size);\n\n if (! 
l_mct_deco_data->m_data) {\n return OPJ_FALSE;\n }\n\n j2k_mct_write_functions_from_float[l_mct_deco_data->m_element_type](\n p_tcp->m_mct_decoding_matrix, l_mct_deco_data->m_data, l_nb_elem);\n\n l_mct_deco_data->m_data_size = l_mct_size;\n ++p_tcp->m_nb_mct_records;\n }\n\n if (p_tcp->m_nb_mct_records == p_tcp->m_nb_max_mct_records) {\n opj_mct_data_t *new_mct_records;\n p_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;\n new_mct_records = (opj_mct_data_t *) opj_realloc(p_tcp->m_mct_records,\n p_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t));\n if (! new_mct_records) {\n opj_free(p_tcp->m_mct_records);\n p_tcp->m_mct_records = NULL;\n p_tcp->m_nb_max_mct_records = 0;\n p_tcp->m_nb_mct_records = 0;\n /* opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to setup mct encoding\\n\"); */\n return OPJ_FALSE;\n }\n p_tcp->m_mct_records = new_mct_records;\n l_mct_offset_data = p_tcp->m_mct_records + p_tcp->m_nb_mct_records;\n\n memset(l_mct_offset_data, 0,\n (p_tcp->m_nb_max_mct_records - p_tcp->m_nb_mct_records) * sizeof(\n opj_mct_data_t));\n\n if (l_mct_deco_data) {\n l_mct_deco_data = l_mct_offset_data - 1;\n }\n }\n\n l_mct_offset_data = p_tcp->m_mct_records + p_tcp->m_nb_mct_records;\n\n if (l_mct_offset_data->m_data) {\n opj_free(l_mct_offset_data->m_data);\n l_mct_offset_data->m_data = 00;\n }\n\n l_mct_offset_data->m_index = l_indix++;\n l_mct_offset_data->m_array_type = MCT_TYPE_OFFSET;\n l_mct_offset_data->m_element_type = MCT_TYPE_FLOAT;\n l_nb_elem = p_image->numcomps;\n l_mct_size = l_nb_elem * MCT_ELEMENT_SIZE[l_mct_offset_data->m_element_type];\n l_mct_offset_data->m_data = (OPJ_BYTE*)opj_malloc(l_mct_size);\n\n if (! l_mct_offset_data->m_data) {\n return OPJ_FALSE;\n }\n\n l_data = (OPJ_FLOAT32*)opj_malloc(l_nb_elem * sizeof(OPJ_FLOAT32));\n if (! 
l_data) {\n opj_free(l_mct_offset_data->m_data);\n l_mct_offset_data->m_data = 00;\n return OPJ_FALSE;\n }\n\n l_tccp = p_tcp->tccps;\n l_current_data = l_data;\n\n for (i = 0; i < l_nb_elem; ++i) {\n *(l_current_data++) = (OPJ_FLOAT32)(l_tccp->m_dc_level_shift);\n ++l_tccp;\n }\n\n j2k_mct_write_functions_from_float[l_mct_offset_data->m_element_type](l_data,\n l_mct_offset_data->m_data, l_nb_elem);\n\n opj_free(l_data);\n\n l_mct_offset_data->m_data_size = l_mct_size;\n\n ++p_tcp->m_nb_mct_records;\n\n if (p_tcp->m_nb_mcc_records == p_tcp->m_nb_max_mcc_records) {\n opj_simple_mcc_decorrelation_data_t *new_mcc_records;\n p_tcp->m_nb_max_mcc_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;\n new_mcc_records = (opj_simple_mcc_decorrelation_data_t *) opj_realloc(\n p_tcp->m_mcc_records, p_tcp->m_nb_max_mcc_records * sizeof(\n opj_simple_mcc_decorrelation_data_t));\n if (! new_mcc_records) {\n opj_free(p_tcp->m_mcc_records);\n p_tcp->m_mcc_records = NULL;\n p_tcp->m_nb_max_mcc_records = 0;\n p_tcp->m_nb_mcc_records = 0;\n /* opj_event_msg(p_manager, EVT_ERROR, \"Not enough memory to setup mct encoding\\n\"); */\n return OPJ_FALSE;\n }\n p_tcp->m_mcc_records = new_mcc_records;\n l_mcc_data = p_tcp->m_mcc_records + p_tcp->m_nb_mcc_records;\n memset(l_mcc_data, 0, (p_tcp->m_nb_max_mcc_records - p_tcp->m_nb_mcc_records) *\n sizeof(opj_simple_mcc_decorrelation_data_t));\n\n }\n\n l_mcc_data = p_tcp->m_mcc_records + p_tcp->m_nb_mcc_records;\n l_mcc_data->m_decorrelation_array = l_mct_deco_data;\n l_mcc_data->m_is_irreversible = 1;\n l_mcc_data->m_nb_comps = p_image->numcomps;\n l_mcc_data->m_index = l_indix++;\n l_mcc_data->m_offset_array = l_mct_offset_data;\n ++p_tcp->m_nb_mcc_records;\n\n return OPJ_TRUE;\n}",
- "project": "openjpeg",
- "hash": 282277109756410081868284151207452566699,
- "size": 162,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357370
- },
- {
- "func": "static void opj_j2k_set_imf_parameters(opj_cparameters_t *parameters,\n opj_image_t *image, opj_event_mgr_t *p_manager)\n{\n const OPJ_UINT16 rsiz = parameters->rsiz;\n const OPJ_UINT16 profile = OPJ_GET_IMF_PROFILE(rsiz);\n\n OPJ_UNUSED(p_manager);\n\n /* Override defaults set by opj_set_default_encoder_parameters */\n if (parameters->cblockw_init == OPJ_COMP_PARAM_DEFAULT_CBLOCKW &&\n parameters->cblockh_init == OPJ_COMP_PARAM_DEFAULT_CBLOCKH) {\n parameters->cblockw_init = 32;\n parameters->cblockh_init = 32;\n }\n\n /* One tile part for each component */\n parameters->tp_flag = 'C';\n parameters->tp_on = 1;\n\n if (parameters->prog_order == OPJ_COMP_PARAM_DEFAULT_PROG_ORDER) {\n parameters->prog_order = OPJ_CPRL;\n }\n\n if (profile == OPJ_PROFILE_IMF_2K ||\n profile == OPJ_PROFILE_IMF_4K ||\n profile == OPJ_PROFILE_IMF_8K) {\n /* 9-7 transform */\n parameters->irreversible = 1;\n }\n\n /* Adjust the number of resolutions if set to its defaults */\n if (parameters->numresolution == OPJ_COMP_PARAM_DEFAULT_NUMRESOLUTION &&\n image->x0 == 0 &&\n image->y0 == 0) {\n const int max_NL = opj_j2k_get_imf_max_NL(parameters, image);\n if (max_NL >= 0 && parameters->numresolution > max_NL) {\n parameters->numresolution = max_NL + 1;\n }\n\n /* Note: below is generic logic */\n if (!parameters->tile_size_on) {\n while (parameters->numresolution > 0) {\n if (image->x1 < (1U << ((OPJ_UINT32)parameters->numresolution - 1U))) {\n parameters->numresolution --;\n continue;\n }\n if (image->y1 < (1U << ((OPJ_UINT32)parameters->numresolution - 1U))) {\n parameters->numresolution --;\n continue;\n }\n break;\n }\n }\n }\n\n /* Set defaults precincts */\n if (parameters->csty == 0) {\n parameters->csty |= J2K_CP_CSTY_PRT;\n if (parameters->numresolution == 1) {\n parameters->res_spec = 1;\n parameters->prcw_init[0] = 128;\n parameters->prch_init[0] = 128;\n } else {\n int i;\n parameters->res_spec = parameters->numresolution - 1;\n for (i = 0; i < parameters->res_spec; 
i++) {\n parameters->prcw_init[i] = 256;\n parameters->prch_init[i] = 256;\n }\n }\n }\n}",
- "project": "openjpeg",
- "hash": 8349866500140506143717077527305324941,
- "size": 72,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357311
- },
- {
- "func": "static OPJ_BOOL opj_j2k_check_poc_val(const opj_poc_t *p_pocs,\n OPJ_UINT32 tileno,\n OPJ_UINT32 p_nb_pocs,\n OPJ_UINT32 p_nb_resolutions,\n OPJ_UINT32 p_num_comps,\n OPJ_UINT32 p_num_layers,\n opj_event_mgr_t * p_manager)\n{\n OPJ_UINT32* packet_array;\n OPJ_UINT32 index, resno, compno, layno;\n OPJ_UINT32 i;\n OPJ_UINT32 step_c = 1;\n OPJ_UINT32 step_r = p_num_comps * step_c;\n OPJ_UINT32 step_l = p_nb_resolutions * step_r;\n OPJ_BOOL loss = OPJ_FALSE;\n\n assert(p_nb_pocs > 0);\n\n packet_array = (OPJ_UINT32*) opj_calloc(step_l * p_num_layers,\n sizeof(OPJ_UINT32));\n if (packet_array == 00) {\n opj_event_msg(p_manager, EVT_ERROR,\n \"Not enough memory for checking the poc values.\\n\");\n return OPJ_FALSE;\n }\n\n /* iterate through all the pocs that match our tile of interest. */\n for (i = 0; i < p_nb_pocs; ++i) {\n const opj_poc_t *poc = &p_pocs[i];\n if (tileno + 1 == poc->tile) {\n index = step_r * poc->resno0;\n\n /* take each resolution for each poc */\n for (resno = poc->resno0 ;\n resno < opj_uint_min(poc->resno1, p_nb_resolutions); ++resno) {\n OPJ_UINT32 res_index = index + poc->compno0 * step_c;\n\n /* take each comp of each resolution for each poc */\n for (compno = poc->compno0 ;\n compno < opj_uint_min(poc->compno1, p_num_comps); ++compno) {\n /* The layer index always starts at zero for every progression. */\n const OPJ_UINT32 layno0 = 0;\n OPJ_UINT32 comp_index = res_index + layno0 * step_l;\n\n /* and finally take each layer of each res of ... 
*/\n for (layno = layno0; layno < opj_uint_min(poc->layno1, p_num_layers);\n ++layno) {\n packet_array[comp_index] = 1;\n comp_index += step_l;\n }\n\n res_index += step_c;\n }\n\n index += step_r;\n }\n }\n }\n\n index = 0;\n for (layno = 0; layno < p_num_layers ; ++layno) {\n for (resno = 0; resno < p_nb_resolutions; ++resno) {\n for (compno = 0; compno < p_num_comps; ++compno) {\n loss |= (packet_array[index] != 1);\n#ifdef DEBUG_VERBOSE\n if (packet_array[index] != 1) {\n fprintf(stderr,\n \"Missing packet in POC: layno=%d resno=%d compno=%d\\n\",\n layno, resno, compno);\n }\n#endif\n index += step_c;\n }\n }\n }\n\n if (loss) {\n opj_event_msg(p_manager, EVT_ERROR, \"Missing packets possible loss of data\\n\");\n }\n\n opj_free(packet_array);\n\n return !loss;\n}",
- "project": "openjpeg",
- "hash": 120238727439045726067896449479920376024,
- "size": 84,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357293
- },
- {
- "func": "static OPJ_BOOL opj_j2k_is_cinema_compliant(opj_image_t *image, OPJ_UINT16 rsiz,\n opj_event_mgr_t *p_manager)\n{\n OPJ_UINT32 i;\n\n /* Number of components */\n if (image->numcomps != 3) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 (2k dc profile) requires:\\n\"\n \"3 components\"\n \"-> Number of components of input image (%d) is not compliant\\n\"\n \"-> Non-profile-3 codestream will be generated\\n\",\n image->numcomps);\n return OPJ_FALSE;\n }\n\n /* Bitdepth */\n for (i = 0; i < image->numcomps; i++) {\n if ((image->comps[i].bpp != 12) | (image->comps[i].sgnd)) {\n char signed_str[] = \"signed\";\n char unsigned_str[] = \"unsigned\";\n char *tmp_str = image->comps[i].sgnd ? signed_str : unsigned_str;\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 (2k dc profile) requires:\\n\"\n \"Precision of each component shall be 12 bits unsigned\"\n \"-> At least component %d of input image (%d bits, %s) is not compliant\\n\"\n \"-> Non-profile-3 codestream will be generated\\n\",\n i, image->comps[i].bpp, tmp_str);\n return OPJ_FALSE;\n }\n }\n\n /* Image size */\n switch (rsiz) {\n case OPJ_PROFILE_CINEMA_2K:\n if (((image->comps[0].w > 2048) | (image->comps[0].h > 1080))) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-3 (2k dc profile) requires:\\n\"\n \"width <= 2048 and height <= 1080\\n\"\n \"-> Input image size %d x %d is not compliant\\n\"\n \"-> Non-profile-3 codestream will be generated\\n\",\n image->comps[0].w, image->comps[0].h);\n return OPJ_FALSE;\n }\n break;\n case OPJ_PROFILE_CINEMA_4K:\n if (((image->comps[0].w > 4096) | (image->comps[0].h > 2160))) {\n opj_event_msg(p_manager, EVT_WARNING,\n \"JPEG 2000 Profile-4 (4k dc profile) requires:\\n\"\n \"width <= 4096 and height <= 2160\\n\"\n \"-> Image size %d x %d is not compliant\\n\"\n \"-> Non-profile-4 codestream will be generated\\n\",\n image->comps[0].w, image->comps[0].h);\n return OPJ_FALSE;\n }\n break;\n default :\n break;\n 
}\n\n return OPJ_TRUE;\n}",
- "project": "openjpeg",
- "hash": 7680939836931048431024455846237404720,
- "size": 62,
- "commit_id": "73fdf28342e4594019af26eb6a347a34eceb6296",
- "message": "opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)",
- "target": 0,
- "dataset": "other",
- "idx": 357343
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "zend_shared_alloc_startup",
- "zend_shared_alloc_create_lock",
- "zend_accel_error"
- ],
- "group_size": 10,
- "functions": [
- {
- "func": "int zend_shared_alloc_startup(size_t requested_size)\n{\n\tzend_shared_segment **tmp_shared_segments;\n\tsize_t shared_segments_array_size;\n\tzend_smm_shared_globals tmp_shared_globals, *p_tmp_shared_globals;\n\tchar *error_in = NULL;\n\tconst zend_shared_memory_handler_entry *he;\n\tint res = ALLOC_FAILURE;\n\n\tTSRMLS_FETCH();\n\n\t/* shared_free must be valid before we call zend_shared_alloc()\n\t * - make it temporarily point to a local variable\n\t */\n\tsmm_shared_globals = &tmp_shared_globals;\n\tZSMMG(shared_free) = requested_size; /* goes to tmp_shared_globals.shared_free */\n\n\tzend_shared_alloc_create_lock();\n\n\tif (ZCG(accel_directives).memory_model && ZCG(accel_directives).memory_model[0]) {\n\t\tchar *model = ZCG(accel_directives).memory_model;\n\t\t/* \"cgi\" is really \"shm\"... */\n\t\tif (strncmp(ZCG(accel_directives).memory_model, \"cgi\", sizeof(\"cgi\")) == 0) {\n\t\t\tmodel = \"shm\";\n\t\t}\n\n\t\tfor (he = handler_table; he->name; he++) {\n\t\t\tif (strcmp(model, he->name) == 0) {\n\t\t\t\tres = zend_shared_alloc_try(he, requested_size, &ZSMMG(shared_segments), &ZSMMG(shared_segments_count), &error_in);\n\t\t\t\tif (res) {\n\t\t\t\t\t/* this model works! */\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (res == FAILED_REATTACHED) {\n\t\tsmm_shared_globals = NULL;\n\t\treturn res;\n\t}\n\n\tif (!g_shared_alloc_handler) {\n\t\t/* try memory handlers in order */\n\t\tfor (he = handler_table; he->name; he++) {\n\t\t\tres = zend_shared_alloc_try(he, requested_size, &ZSMMG(shared_segments), &ZSMMG(shared_segments_count), &error_in);\n\t\t\tif (res) {\n\t\t\t\t/* this model works! 
*/\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (!g_shared_alloc_handler) {\n\t\tno_memory_bailout(requested_size, error_in);\n\t\treturn ALLOC_FAILURE;\n\t}\n\n\tif (res == SUCCESSFULLY_REATTACHED) {\n\t\treturn res;\n\t}\n\n\tshared_segments_array_size = ZSMMG(shared_segments_count) * S_H(segment_type_size)();\n\n\t/* move shared_segments and shared_free to shared memory */\n\tZCG(locked) = 1; /* no need to perform a real lock at this point */\n\tp_tmp_shared_globals = (zend_smm_shared_globals *) zend_shared_alloc(sizeof(zend_smm_shared_globals));\n\tif (!p_tmp_shared_globals) {\n\t\tzend_accel_error(ACCEL_LOG_FATAL, \"Insufficient shared memory!\");\n\t\treturn ALLOC_FAILURE;;\n\t}\n\n\ttmp_shared_segments = zend_shared_alloc(shared_segments_array_size + ZSMMG(shared_segments_count) * sizeof(void *));\n\tif (!tmp_shared_segments) {\n\t\tzend_accel_error(ACCEL_LOG_FATAL, \"Insufficient shared memory!\");\n\t\treturn ALLOC_FAILURE;;\n\t}\n\n\tcopy_shared_segments(tmp_shared_segments, ZSMMG(shared_segments)[0], ZSMMG(shared_segments_count), S_H(segment_type_size)());\n\n\t*p_tmp_shared_globals = tmp_shared_globals;\n\tsmm_shared_globals = p_tmp_shared_globals;\n\n\tfree(ZSMMG(shared_segments));\n\tZSMMG(shared_segments) = tmp_shared_segments;\n\n\tZSMMG(shared_memory_state).positions = (int *)zend_shared_alloc(sizeof(int) * ZSMMG(shared_segments_count));\n\tif (!ZSMMG(shared_memory_state).positions) {\n\t\tzend_accel_error(ACCEL_LOG_FATAL, \"Insufficient shared memory!\");\n\t\treturn ALLOC_FAILURE;;\n\t}\n\n\tZCG(locked) = 0;\n\n\treturn res;\n}",
- "project": "php-src",
- "hash": 43164796773174333003687575161107203616,
- "size": 96,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301515
- },
- {
- "func": "void zend_shared_alloc_create_lock(void)\n{\n\tint val;\n\n#ifdef ZTS\n zts_lock = tsrm_mutex_alloc();\n#endif\n\n\tsprintf(lockfile_name, \"%s/%sXXXXXX\", TMP_DIR, SEM_FILENAME_PREFIX);\n\tlock_file = mkstemp(lockfile_name);\n\tfchmod(lock_file, 0666);\n\n\tif (lock_file == -1) {\n\t\tzend_accel_error(ACCEL_LOG_FATAL, \"Unable to create lock file: %s (%d)\", strerror(errno), errno);\n\t}\n\tval = fcntl(lock_file, F_GETFD, 0);\n\tval |= FD_CLOEXEC;\n\tfcntl(lock_file, F_SETFD, val);\n\n\tunlink(lockfile_name);\n}",
- "project": "php-src",
- "hash": 37315271396221786570113492262216584254,
- "size": 21,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301526
- },
- {
- "func": "void *zend_shared_alloc(size_t size)\n{\n\tint i;\n\tunsigned int block_size = ZEND_ALIGNED_SIZE(size);\n\tTSRMLS_FETCH();\n\n#if 1\n\tif (!ZCG(locked)) {\n\t\tzend_accel_error(ACCEL_LOG_ERROR, \"Shared memory lock not obtained\");\n\t}\n#endif\n\tif (block_size > ZSMMG(shared_free)) { /* No hope to find a big-enough block */\n\t\tSHARED_ALLOC_FAILED();\n\t\treturn NULL;\n\t}\n\tfor (i = 0; i < ZSMMG(shared_segments_count); i++) {\n\t\tif (ZSMMG(shared_segments)[i]->size - ZSMMG(shared_segments)[i]->pos >= block_size) { /* found a valid block */\n\t\t\tvoid *retval = (void *) (((char *) ZSMMG(shared_segments)[i]->p) + ZSMMG(shared_segments)[i]->pos);\n\n\t\t\tZSMMG(shared_segments)[i]->pos += block_size;\n\t\t\tZSMMG(shared_free) -= block_size;\n\t\t\tmemset(retval, 0, block_size);\n\t\t\treturn retval;\n\t\t}\n\t}\n\tSHARED_ALLOC_FAILED();\n\treturn NULL;\n}",
- "project": "php-src",
- "hash": 104763542045729052738258008527633004885,
- "size": 28,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301535
- },
- {
- "func": "void zend_shared_alloc_safe_unlock(TSRMLS_D)\n{\n\tif (ZCG(locked)) {\n\t\tzend_shared_alloc_unlock(TSRMLS_C);\n\t}\n}",
- "project": "php-src",
- "hash": 265411608072664417321639017602496491638,
- "size": 6,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301516
- },
- {
- "func": "void zend_shared_alloc_lock(TSRMLS_D)\n{\n#ifndef ZEND_WIN32\n\n#ifdef ZTS\n\ttsrm_mutex_lock(zts_lock);\n#endif\n\n#if 0\n\t/* this will happen once per process, and will un-globalize mem_write_lock */\n\tif (mem_write_lock.l_pid == -1) {\n\t\tmem_write_lock.l_pid = getpid();\n\t}\n#endif\n\n\twhile (1) {\n\t\tif (fcntl(lock_file, F_SETLKW, &mem_write_lock) == -1) {\n\t\t\tif (errno == EINTR) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tzend_accel_error(ACCEL_LOG_ERROR, \"Cannot create lock - %s (%d)\", strerror(errno), errno);\n\t\t}\n\t\tbreak;\n\t}\n#else\n\tzend_shared_alloc_lock_win32();\n#endif\n\n\tZCG(locked) = 1;\n\n\t/* Prepare translation table\n\t *\n\t * Make it persistent so that it uses malloc() and allocated blocks\n\t * won't be taken from space which is freed by efree in memdup.\n\t * Otherwise it leads to false matches in memdup check.\n\t */\n\tzend_hash_init(&xlat_table, 100, NULL, NULL, 1);\n}",
- "project": "php-src",
- "hash": 12456624217880618862355917091150053091,
- "size": 38,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301532
- },
- {
- "func": "static void copy_shared_segments(void *to, void *from, int count, int size)\n{\n\tzend_shared_segment **shared_segments_v = (zend_shared_segment **)to;\n\tvoid *shared_segments_to_p = ((char *)to + count*(sizeof(void *)));\n\tvoid *shared_segments_from_p = from;\n\tint i;\n\n\tfor (i = 0; i < count; i++) {\n\t\tshared_segments_v[i] = \tshared_segments_to_p;\n\t\tmemcpy(shared_segments_to_p, shared_segments_from_p, size);\n\t\tshared_segments_to_p = ((char *)shared_segments_to_p + size);\n\t\tshared_segments_from_p = ((char *)shared_segments_from_p + size);\n\t}\n}",
- "project": "php-src",
- "hash": 28593976064315556136734400134300434460,
- "size": 14,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301528
- },
- {
- "func": "static int zend_shared_alloc_try(const zend_shared_memory_handler_entry *he, size_t requested_size, zend_shared_segment ***shared_segments_p, int *shared_segments_count, char **error_in)\n{\n\tint res;\n\tg_shared_alloc_handler = he->handler;\n\tg_shared_model = he->name;\n\tZSMMG(shared_segments) = NULL;\n\tZSMMG(shared_segments_count) = 0;\n\n\tres = S_H(create_segments)(requested_size, shared_segments_p, shared_segments_count, error_in);\n\n\tif (res) {\n\t\t/* this model works! */\n\t\treturn res;\n\t}\n\tif (*shared_segments_p) {\n\t\tint i;\n\t\t/* cleanup */\n\t\tfor (i = 0; i < *shared_segments_count; i++) {\n\t\t\tif ((*shared_segments_p)[i]->p && (*shared_segments_p)[i]->p != (void *)-1) {\n\t\t\t\tS_H(detach_segment)((*shared_segments_p)[i]);\n\t\t\t}\n\t\t}\n\t\tfree(*shared_segments_p);\n\t\t*shared_segments_p = NULL;\n\t}\n\tg_shared_alloc_handler = NULL;\n\treturn ALLOC_FAILURE;\n}",
- "project": "php-src",
- "hash": 335952215195202099083183453622920490720,
- "size": 28,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301522
- },
- {
- "func": "void zend_shared_alloc_unlock(TSRMLS_D)\n{\n\t/* Destroy translation table */\n\tzend_hash_destroy(&xlat_table);\n\n\tZCG(locked) = 0;\n\n#ifndef ZEND_WIN32\n\tif (fcntl(lock_file, F_SETLK, &mem_write_unlock) == -1) {\n\t\tzend_accel_error(ACCEL_LOG_ERROR, \"Cannot remove lock - %s (%d)\", strerror(errno), errno);\n\t}\n#ifdef ZTS\n\ttsrm_mutex_unlock(zts_lock);\n#endif\n#else\n\tzend_shared_alloc_unlock_win32();\n#endif\n}",
- "project": "php-src",
- "hash": 337641547962770676212742288284736128445,
- "size": 18,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301525
- },
- {
- "func": "static void no_memory_bailout(size_t allocate_size, char *error)\n{\n\tzend_accel_error(ACCEL_LOG_FATAL, \"Unable to allocate shared memory segment of %ld bytes: %s: %s (%d)\", allocate_size, error?error:\"unknown\", strerror(errno), errno );\n}",
- "project": "php-src",
- "hash": 168721820608208516982358022973227244998,
- "size": 4,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301531
- },
- {
- "func": "void zend_shared_alloc_shutdown(void)\n{\n\tzend_shared_segment **tmp_shared_segments;\n\tsize_t shared_segments_array_size;\n\tzend_smm_shared_globals tmp_shared_globals;\n\tint i;\n\n\ttmp_shared_globals = *smm_shared_globals;\n\tsmm_shared_globals = &tmp_shared_globals;\n\tshared_segments_array_size = ZSMMG(shared_segments_count) * (S_H(segment_type_size)() + sizeof(void *));\n\ttmp_shared_segments = emalloc(shared_segments_array_size);\n\tcopy_shared_segments(tmp_shared_segments, ZSMMG(shared_segments)[0], ZSMMG(shared_segments_count), S_H(segment_type_size)());\n\tZSMMG(shared_segments) = tmp_shared_segments;\n\n\tfor (i = 0; i < ZSMMG(shared_segments_count); i++) {\n\t\tS_H(detach_segment)(ZSMMG(shared_segments)[i]);\n\t}\n\tefree(ZSMMG(shared_segments));\n\tZSMMG(shared_segments) = NULL;\n\tg_shared_alloc_handler = NULL;\n#ifndef ZEND_WIN32\n\tclose(lock_file);\n#endif\n}",
- "project": "php-src",
- "hash": 92973661424923663154559348364010141591,
- "size": 24,
- "commit_id": "0a8f28b43212cc2ddbc1f2df710e37b1bec0addd",
- "message": "Fixed bug #68677 (Use After Free in OPcache)\n\n(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)",
- "target": 0,
- "dataset": "other",
- "idx": 301524
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "xStreamBufferReceive",
- "prvReadMessageFromBuffer",
- "prvReadBytesFromBuffer"
- ],
- "group_size": 13,
- "functions": [
- {
- "func": "static size_t prvReadBytesFromBuffer( StreamBuffer_t * pxStreamBuffer,\r\n uint8_t * pucData,\r\n size_t xMaxCount,\r\n size_t xBytesAvailable )\r\n{\r\n size_t xCount, xFirstLength, xNextTail;\r\n\r\n /* Use the minimum of the wanted bytes and the available bytes. */\r\n xCount = configMIN( xBytesAvailable, xMaxCount );\r\n\r\n if( xCount > ( size_t ) 0 )\r\n {\r\n xNextTail = pxStreamBuffer->xTail;\r\n\r\n /* Calculate the number of bytes that can be read - which may be\r\n * less than the number wanted if the data wraps around to the start of\r\n * the buffer. */\r\n xFirstLength = configMIN( pxStreamBuffer->xLength - xNextTail, xCount );\r\n\r\n /* Obtain the number of bytes it is possible to obtain in the first\r\n * read. Asserts check bounds of read and write. */\r\n configASSERT( xFirstLength <= xMaxCount );\r\n configASSERT( ( xNextTail + xFirstLength ) <= pxStreamBuffer->xLength );\r\n ( void ) memcpy( ( void * ) pucData, ( const void * ) &( pxStreamBuffer->pucBuffer[ xNextTail ] ), xFirstLength ); /*lint !e9087 memcpy() requires void *. */\r\n\r\n /* If the total number of wanted bytes is greater than the number\r\n * that could be read in the first read... */\r\n if( xCount > xFirstLength )\r\n {\r\n /*...then read the remaining bytes from the start of the buffer. */\r\n configASSERT( xCount <= xMaxCount );\r\n ( void ) memcpy( ( void * ) &( pucData[ xFirstLength ] ), ( void * ) ( pxStreamBuffer->pucBuffer ), xCount - xFirstLength ); /*lint !e9087 memcpy() requires void *. */\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n /* Move the tail pointer to effectively remove the data read from\r\n * the buffer. */\r\n xNextTail += xCount;\r\n\r\n if( xNextTail >= pxStreamBuffer->xLength )\r\n {\r\n xNextTail -= pxStreamBuffer->xLength;\r\n }\r\n\r\n pxStreamBuffer->xTail = xNextTail;\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n return xCount;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 183800658054191255213388093548715804795,
- "size": 56,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246418
- },
- {
- "func": "static size_t prvReadMessageFromBuffer( StreamBuffer_t * pxStreamBuffer,\r\n void * pvRxData,\r\n size_t xBufferLengthBytes,\r\n size_t xBytesAvailable,\r\n size_t xBytesToStoreMessageLength )\r\n{\r\n size_t xOriginalTail, xReceivedLength, xNextMessageLength;\r\n configMESSAGE_BUFFER_LENGTH_TYPE xTempNextMessageLength;\r\n\r\n if( xBytesToStoreMessageLength != ( size_t ) 0 )\r\n {\r\n /* A discrete message is being received. First receive the length\r\n * of the message. A copy of the tail is stored so the buffer can be\r\n * returned to its prior state if the length of the message is too\r\n * large for the provided buffer. */\r\n xOriginalTail = pxStreamBuffer->xTail;\r\n ( void ) prvReadBytesFromBuffer( pxStreamBuffer, ( uint8_t * ) &xTempNextMessageLength, xBytesToStoreMessageLength, xBytesAvailable );\r\n xNextMessageLength = ( size_t ) xTempNextMessageLength;\r\n\r\n /* Reduce the number of bytes available by the number of bytes just\r\n * read out. */\r\n xBytesAvailable -= xBytesToStoreMessageLength;\r\n\r\n /* Check there is enough space in the buffer provided by the\r\n * user. */\r\n if( xNextMessageLength > xBufferLengthBytes )\r\n {\r\n /* The user has provided insufficient space to read the message\r\n * so return the buffer to its previous state (so the length of\r\n * the message is in the buffer again). */\r\n pxStreamBuffer->xTail = xOriginalTail;\r\n xNextMessageLength = 0;\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n else\r\n {\r\n /* A stream of bytes is being received (as opposed to a discrete\r\n * message), so read as many bytes as possible. */\r\n xNextMessageLength = xBufferLengthBytes;\r\n }\r\n\r\n /* Read the actual data. */\r\n xReceivedLength = prvReadBytesFromBuffer( pxStreamBuffer, ( uint8_t * ) pvRxData, xNextMessageLength, xBytesAvailable ); /*lint !e9079 Data storage area is implemented as uint8_t array for ease of sizing, indexing and alignment. */\r\n\r\n return xReceivedLength;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 172046576489594346241252494025182269040,
- "size": 50,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246415
- },
- {
- "func": "size_t xStreamBufferNextMessageLengthBytes( StreamBufferHandle_t xStreamBuffer )\r\n{\r\n StreamBuffer_t * const pxStreamBuffer = xStreamBuffer;\r\n size_t xReturn, xBytesAvailable, xOriginalTail;\r\n configMESSAGE_BUFFER_LENGTH_TYPE xTempReturn;\r\n\r\n configASSERT( pxStreamBuffer );\r\n\r\n /* Ensure the stream buffer is being used as a message buffer. */\r\n if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) != ( uint8_t ) 0 )\r\n {\r\n xBytesAvailable = prvBytesInBuffer( pxStreamBuffer );\r\n\r\n if( xBytesAvailable > sbBYTES_TO_STORE_MESSAGE_LENGTH )\r\n {\r\n /* The number of bytes available is greater than the number of bytes\r\n * required to hold the length of the next message, so another message\r\n * is available. Return its length without removing the length bytes\r\n * from the buffer. A copy of the tail is stored so the buffer can be\r\n * returned to its prior state as the message is not actually being\r\n * removed from the buffer. */\r\n xOriginalTail = pxStreamBuffer->xTail;\r\n ( void ) prvReadBytesFromBuffer( pxStreamBuffer, ( uint8_t * ) &xTempReturn, sbBYTES_TO_STORE_MESSAGE_LENGTH, xBytesAvailable );\r\n xReturn = ( size_t ) xTempReturn;\r\n pxStreamBuffer->xTail = xOriginalTail;\r\n }\r\n else\r\n {\r\n /* The minimum amount of bytes in a message buffer is\r\n * ( sbBYTES_TO_STORE_MESSAGE_LENGTH + 1 ), so if xBytesAvailable is\r\n * less than sbBYTES_TO_STORE_MESSAGE_LENGTH the only other valid\r\n * value is 0. */\r\n configASSERT( xBytesAvailable == 0 );\r\n xReturn = 0;\r\n }\r\n }\r\n else\r\n {\r\n xReturn = 0;\r\n }\r\n\r\n return xReturn;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 210757158170138131897407075493662777819,
- "size": 43,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246423
- },
- {
- "func": "size_t xStreamBufferReceiveFromISR( StreamBufferHandle_t xStreamBuffer,\r\n void * pvRxData,\r\n size_t xBufferLengthBytes,\r\n BaseType_t * const pxHigherPriorityTaskWoken )\r\n{\r\n StreamBuffer_t * const pxStreamBuffer = xStreamBuffer;\r\n size_t xReceivedLength = 0, xBytesAvailable, xBytesToStoreMessageLength;\r\n\r\n configASSERT( pvRxData );\r\n configASSERT( pxStreamBuffer );\r\n\r\n /* This receive function is used by both message buffers, which store\r\n * discrete messages, and stream buffers, which store a continuous stream of\r\n * bytes. Discrete messages include an additional\r\n * sbBYTES_TO_STORE_MESSAGE_LENGTH bytes that hold the length of the\r\n * message. */\r\n if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) != ( uint8_t ) 0 )\r\n {\r\n xBytesToStoreMessageLength = sbBYTES_TO_STORE_MESSAGE_LENGTH;\r\n }\r\n else\r\n {\r\n xBytesToStoreMessageLength = 0;\r\n }\r\n\r\n xBytesAvailable = prvBytesInBuffer( pxStreamBuffer );\r\n\r\n /* Whether receiving a discrete message (where xBytesToStoreMessageLength\r\n * holds the number of bytes used to store the message length) or a stream of\r\n * bytes (where xBytesToStoreMessageLength is zero), the number of bytes\r\n * available must be greater than xBytesToStoreMessageLength to be able to\r\n * read bytes from the buffer. */\r\n if( xBytesAvailable > xBytesToStoreMessageLength )\r\n {\r\n xReceivedLength = prvReadMessageFromBuffer( pxStreamBuffer, pvRxData, xBufferLengthBytes, xBytesAvailable, xBytesToStoreMessageLength );\r\n\r\n /* Was a task waiting for space in the buffer? */\r\n if( xReceivedLength != ( size_t ) 0 )\r\n {\r\n sbRECEIVE_COMPLETED_FROM_ISR( pxStreamBuffer, pxHigherPriorityTaskWoken );\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n traceSTREAM_BUFFER_RECEIVE_FROM_ISR( xStreamBuffer, xReceivedLength );\r\n\r\n return xReceivedLength;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 327831401079690943715300817667256533237,
- "size": 55,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246408
- },
- {
- "func": "size_t xStreamBufferSendFromISR( StreamBufferHandle_t xStreamBuffer,\r\n const void * pvTxData,\r\n size_t xDataLengthBytes,\r\n BaseType_t * const pxHigherPriorityTaskWoken )\r\n{\r\n StreamBuffer_t * const pxStreamBuffer = xStreamBuffer;\r\n size_t xReturn, xSpace;\r\n size_t xRequiredSpace = xDataLengthBytes;\r\n\r\n configASSERT( pvTxData );\r\n configASSERT( pxStreamBuffer );\r\n\r\n /* This send function is used to write to both message buffers and stream\r\n * buffers. If this is a message buffer then the space needed must be\r\n * increased by the amount of bytes needed to store the length of the\r\n * message. */\r\n if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) != ( uint8_t ) 0 )\r\n {\r\n xRequiredSpace += sbBYTES_TO_STORE_MESSAGE_LENGTH;\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n xSpace = xStreamBufferSpacesAvailable( pxStreamBuffer );\r\n xReturn = prvWriteMessageToBuffer( pxStreamBuffer, pvTxData, xDataLengthBytes, xSpace, xRequiredSpace );\r\n\r\n if( xReturn > ( size_t ) 0 )\r\n {\r\n /* Was a task waiting for the data? */\r\n if( prvBytesInBuffer( pxStreamBuffer ) >= pxStreamBuffer->xTriggerLevelBytes )\r\n {\r\n sbSEND_COMPLETE_FROM_ISR( pxStreamBuffer, pxHigherPriorityTaskWoken );\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n traceSTREAM_BUFFER_SEND_FROM_ISR( xStreamBuffer, xReturn );\r\n\r\n return xReturn;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 19376530492639417633388832485690470453,
- "size": 49,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246416
- },
- {
- "func": "static size_t prvBytesInBuffer( const StreamBuffer_t * const pxStreamBuffer )\r\n{\r\n/* Returns the distance between xTail and xHead. */\r\n size_t xCount;\r\n\r\n xCount = pxStreamBuffer->xLength + pxStreamBuffer->xHead;\r\n xCount -= pxStreamBuffer->xTail;\r\n\r\n if( xCount >= pxStreamBuffer->xLength )\r\n {\r\n xCount -= pxStreamBuffer->xLength;\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n return xCount;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 127287939020592442817296727112821582750,
- "size": 19,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246420
- },
- {
- "func": "static size_t prvWriteMessageToBuffer( StreamBuffer_t * const pxStreamBuffer,\r\n const void * pvTxData,\r\n size_t xDataLengthBytes,\r\n size_t xSpace,\r\n size_t xRequiredSpace )\r\n{\r\n BaseType_t xShouldWrite;\r\n size_t xReturn;\r\n\r\n if( xSpace == ( size_t ) 0 )\r\n {\r\n /* Doesn't matter if this is a stream buffer or a message buffer, there\r\n * is no space to write. */\r\n xShouldWrite = pdFALSE;\r\n }\r\n else if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) == ( uint8_t ) 0 )\r\n {\r\n /* This is a stream buffer, as opposed to a message buffer, so writing a\r\n * stream of bytes rather than discrete messages. Write as many bytes as\r\n * possible. */\r\n xShouldWrite = pdTRUE;\r\n xDataLengthBytes = configMIN( xDataLengthBytes, xSpace );\r\n }\r\n else if( xSpace >= xRequiredSpace )\r\n {\r\n /* This is a message buffer, as opposed to a stream buffer, and there\r\n * is enough space to write both the message length and the message itself\r\n * into the buffer. Start by writing the length of the data, the data\r\n * itself will be written later in this function. */\r\n xShouldWrite = pdTRUE;\r\n ( void ) prvWriteBytesToBuffer( pxStreamBuffer, ( const uint8_t * ) &( xDataLengthBytes ), sbBYTES_TO_STORE_MESSAGE_LENGTH );\r\n }\r\n else\r\n {\r\n /* There is space available, but not enough space. */\r\n xShouldWrite = pdFALSE;\r\n }\r\n\r\n if( xShouldWrite != pdFALSE )\r\n {\r\n /* Writes the data itself. */\r\n xReturn = prvWriteBytesToBuffer( pxStreamBuffer, ( const uint8_t * ) pvTxData, xDataLengthBytes ); /*lint !e9079 Storage buffer is implemented as uint8_t for ease of sizing, alignment and access. */\r\n }\r\n else\r\n {\r\n xReturn = 0;\r\n }\r\n\r\n return xReturn;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 332078903378954341817170334238480949542,
- "size": 50,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246428
- },
- {
- "func": "size_t xStreamBufferReceive( StreamBufferHandle_t xStreamBuffer,\r\n void * pvRxData,\r\n size_t xBufferLengthBytes,\r\n TickType_t xTicksToWait )\r\n{\r\n StreamBuffer_t * const pxStreamBuffer = xStreamBuffer;\r\n size_t xReceivedLength = 0, xBytesAvailable, xBytesToStoreMessageLength;\r\n\r\n configASSERT( pvRxData );\r\n configASSERT( pxStreamBuffer );\r\n\r\n /* This receive function is used by both message buffers, which store\r\n * discrete messages, and stream buffers, which store a continuous stream of\r\n * bytes. Discrete messages include an additional\r\n * sbBYTES_TO_STORE_MESSAGE_LENGTH bytes that hold the length of the\r\n * message. */\r\n if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) != ( uint8_t ) 0 )\r\n {\r\n xBytesToStoreMessageLength = sbBYTES_TO_STORE_MESSAGE_LENGTH;\r\n }\r\n else\r\n {\r\n xBytesToStoreMessageLength = 0;\r\n }\r\n\r\n if( xTicksToWait != ( TickType_t ) 0 )\r\n {\r\n /* Checking if there is data and clearing the notification state must be\r\n * performed atomically. */\r\n taskENTER_CRITICAL();\r\n {\r\n xBytesAvailable = prvBytesInBuffer( pxStreamBuffer );\r\n\r\n /* If this function was invoked by a message buffer read then\r\n * xBytesToStoreMessageLength holds the number of bytes used to hold\r\n * the length of the next discrete message. If this function was\r\n * invoked by a stream buffer read then xBytesToStoreMessageLength will\r\n * be 0. */\r\n if( xBytesAvailable <= xBytesToStoreMessageLength )\r\n {\r\n /* Clear notification state as going to wait for data. */\r\n ( void ) xTaskNotifyStateClear( NULL );\r\n\r\n /* Should only be one reader. */\r\n configASSERT( pxStreamBuffer->xTaskWaitingToReceive == NULL );\r\n pxStreamBuffer->xTaskWaitingToReceive = xTaskGetCurrentTaskHandle();\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n taskEXIT_CRITICAL();\r\n\r\n if( xBytesAvailable <= xBytesToStoreMessageLength )\r\n {\r\n /* Wait for data to be available. 
*/\r\n traceBLOCKING_ON_STREAM_BUFFER_RECEIVE( xStreamBuffer );\r\n ( void ) xTaskNotifyWait( ( uint32_t ) 0, ( uint32_t ) 0, NULL, xTicksToWait );\r\n pxStreamBuffer->xTaskWaitingToReceive = NULL;\r\n\r\n /* Recheck the data available after blocking. */\r\n xBytesAvailable = prvBytesInBuffer( pxStreamBuffer );\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n else\r\n {\r\n xBytesAvailable = prvBytesInBuffer( pxStreamBuffer );\r\n }\r\n\r\n /* Whether receiving a discrete message (where xBytesToStoreMessageLength\r\n * holds the number of bytes used to store the message length) or a stream of\r\n * bytes (where xBytesToStoreMessageLength is zero), the number of bytes\r\n * available must be greater than xBytesToStoreMessageLength to be able to\r\n * read bytes from the buffer. */\r\n if( xBytesAvailable > xBytesToStoreMessageLength )\r\n {\r\n xReceivedLength = prvReadMessageFromBuffer( pxStreamBuffer, pvRxData, xBufferLengthBytes, xBytesAvailable, xBytesToStoreMessageLength );\r\n\r\n /* Was a task waiting for space in the buffer? */\r\n if( xReceivedLength != ( size_t ) 0 )\r\n {\r\n traceSTREAM_BUFFER_RECEIVE( xStreamBuffer, xReceivedLength );\r\n sbRECEIVE_COMPLETED( pxStreamBuffer );\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n else\r\n {\r\n traceSTREAM_BUFFER_RECEIVE_FAILED( xStreamBuffer );\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n return xReceivedLength;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 65705230510541843211735401564650538598,
- "size": 102,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246431
- },
- {
- "func": "static size_t prvWriteBytesToBuffer( StreamBuffer_t * const pxStreamBuffer,\r\n const uint8_t * pucData,\r\n size_t xCount )\r\n{\r\n size_t xNextHead, xFirstLength;\r\n\r\n configASSERT( xCount > ( size_t ) 0 );\r\n\r\n xNextHead = pxStreamBuffer->xHead;\r\n\r\n /* Calculate the number of bytes that can be added in the first write -\r\n * which may be less than the total number of bytes that need to be added if\r\n * the buffer will wrap back to the beginning. */\r\n xFirstLength = configMIN( pxStreamBuffer->xLength - xNextHead, xCount );\r\n\r\n /* Write as many bytes as can be written in the first write. */\r\n configASSERT( ( xNextHead + xFirstLength ) <= pxStreamBuffer->xLength );\r\n ( void ) memcpy( ( void * ) ( &( pxStreamBuffer->pucBuffer[ xNextHead ] ) ), ( const void * ) pucData, xFirstLength ); /*lint !e9087 memcpy() requires void *. */\r\n\r\n /* If the number of bytes written was less than the number that could be\r\n * written in the first write... */\r\n if( xCount > xFirstLength )\r\n {\r\n /* ...then write the remaining bytes to the start of the buffer. */\r\n configASSERT( ( xCount - xFirstLength ) <= pxStreamBuffer->xLength );\r\n ( void ) memcpy( ( void * ) pxStreamBuffer->pucBuffer, ( const void * ) &( pucData[ xFirstLength ] ), xCount - xFirstLength ); /*lint !e9087 memcpy() requires void *. */\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n xNextHead += xCount;\r\n\r\n if( xNextHead >= pxStreamBuffer->xLength )\r\n {\r\n xNextHead -= pxStreamBuffer->xLength;\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n pxStreamBuffer->xHead = xNextHead;\r\n\r\n return xCount;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 93412800138889592456373561498288041464,
- "size": 47,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246430
- },
- {
- "func": "BaseType_t xStreamBufferIsFull( StreamBufferHandle_t xStreamBuffer )\r\n{\r\n BaseType_t xReturn;\r\n size_t xBytesToStoreMessageLength;\r\n const StreamBuffer_t * const pxStreamBuffer = xStreamBuffer;\r\n\r\n configASSERT( pxStreamBuffer );\r\n\r\n /* This generic version of the receive function is used by both message\r\n * buffers, which store discrete messages, and stream buffers, which store a\r\n * continuous stream of bytes. Discrete messages include an additional\r\n * sbBYTES_TO_STORE_MESSAGE_LENGTH bytes that hold the length of the message. */\r\n if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) != ( uint8_t ) 0 )\r\n {\r\n xBytesToStoreMessageLength = sbBYTES_TO_STORE_MESSAGE_LENGTH;\r\n }\r\n else\r\n {\r\n xBytesToStoreMessageLength = 0;\r\n }\r\n\r\n /* True if the available space equals zero. */\r\n if( xStreamBufferSpacesAvailable( xStreamBuffer ) <= xBytesToStoreMessageLength )\r\n {\r\n xReturn = pdTRUE;\r\n }\r\n else\r\n {\r\n xReturn = pdFALSE;\r\n }\r\n\r\n return xReturn;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 217613630795139077472170719255581332998,
- "size": 33,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246417
- },
- {
- "func": "size_t xStreamBufferBytesAvailable( StreamBufferHandle_t xStreamBuffer )\r\n{\r\n const StreamBuffer_t * const pxStreamBuffer = xStreamBuffer;\r\n size_t xReturn;\r\n\r\n configASSERT( pxStreamBuffer );\r\n\r\n xReturn = prvBytesInBuffer( pxStreamBuffer );\r\n return xReturn;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 85709709045146751385815964735640082570,
- "size": 10,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246407
- },
- {
- "func": "size_t xStreamBufferSend( StreamBufferHandle_t xStreamBuffer,\r\n const void * pvTxData,\r\n size_t xDataLengthBytes,\r\n TickType_t xTicksToWait )\r\n{\r\n StreamBuffer_t * const pxStreamBuffer = xStreamBuffer;\r\n size_t xReturn, xSpace = 0;\r\n size_t xRequiredSpace = xDataLengthBytes;\r\n TimeOut_t xTimeOut;\r\n\r\n /* The maximum amount of space a stream buffer will ever report is its length\r\n * minus 1. */\r\n const size_t xMaxReportedSpace = pxStreamBuffer->xLength - ( size_t ) 1;\r\n\r\n configASSERT( pvTxData );\r\n configASSERT( pxStreamBuffer );\r\n\r\n /* This send function is used to write to both message buffers and stream\r\n * buffers. If this is a message buffer then the space needed must be\r\n * increased by the amount of bytes needed to store the length of the\r\n * message. */\r\n if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) != ( uint8_t ) 0 )\r\n {\r\n xRequiredSpace += sbBYTES_TO_STORE_MESSAGE_LENGTH;\r\n\r\n /* Overflow? */\r\n configASSERT( xRequiredSpace > xDataLengthBytes );\r\n\r\n /* If this is a message buffer then it must be possible to write the\r\n * whole message. */\r\n if( xRequiredSpace > xMaxReportedSpace )\r\n {\r\n /* The message would not fit even if the entire buffer was empty,\r\n * so don't wait for space. */\r\n xTicksToWait = ( TickType_t ) 0;\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n else\r\n {\r\n /* If this is a stream buffer then it is acceptable to write only part\r\n * of the message to the buffer. Cap the length to the total length of\r\n * the buffer. */\r\n if( xRequiredSpace > xMaxReportedSpace )\r\n {\r\n xRequiredSpace = xMaxReportedSpace;\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n\r\n if( xTicksToWait != ( TickType_t ) 0 )\r\n {\r\n vTaskSetTimeOutState( &xTimeOut );\r\n\r\n do\r\n {\r\n /* Wait until the required number of bytes are free in the message\r\n * buffer. 
*/\r\n taskENTER_CRITICAL();\r\n {\r\n xSpace = xStreamBufferSpacesAvailable( pxStreamBuffer );\r\n\r\n if( xSpace < xRequiredSpace )\r\n {\r\n /* Clear notification state as going to wait for space. */\r\n ( void ) xTaskNotifyStateClear( NULL );\r\n\r\n /* Should only be one writer. */\r\n configASSERT( pxStreamBuffer->xTaskWaitingToSend == NULL );\r\n pxStreamBuffer->xTaskWaitingToSend = xTaskGetCurrentTaskHandle();\r\n }\r\n else\r\n {\r\n taskEXIT_CRITICAL();\r\n break;\r\n }\r\n }\r\n taskEXIT_CRITICAL();\r\n\r\n traceBLOCKING_ON_STREAM_BUFFER_SEND( xStreamBuffer );\r\n ( void ) xTaskNotifyWait( ( uint32_t ) 0, ( uint32_t ) 0, NULL, xTicksToWait );\r\n pxStreamBuffer->xTaskWaitingToSend = NULL;\r\n } while( xTaskCheckForTimeOut( &xTimeOut, &xTicksToWait ) == pdFALSE );\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n if( xSpace == ( size_t ) 0 )\r\n {\r\n xSpace = xStreamBufferSpacesAvailable( pxStreamBuffer );\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n xReturn = prvWriteMessageToBuffer( pxStreamBuffer, pvTxData, xDataLengthBytes, xSpace, xRequiredSpace );\r\n\r\n if( xReturn > ( size_t ) 0 )\r\n {\r\n traceSTREAM_BUFFER_SEND( xStreamBuffer, xReturn );\r\n\r\n /* Was a task waiting for the data? */\r\n if( prvBytesInBuffer( pxStreamBuffer ) >= pxStreamBuffer->xTriggerLevelBytes )\r\n {\r\n sbSEND_COMPLETED( pxStreamBuffer );\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n traceSTREAM_BUFFER_SEND_FAILED( xStreamBuffer );\r\n }\r\n\r\n return xReturn;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 210315931787382971401056014280888601116,
- "size": 128,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246424
- },
- {
- "func": "size_t xStreamBufferSpacesAvailable( StreamBufferHandle_t xStreamBuffer )\r\n{\r\n const StreamBuffer_t * const pxStreamBuffer = xStreamBuffer;\r\n size_t xSpace;\r\n\r\n configASSERT( pxStreamBuffer );\r\n\r\n xSpace = pxStreamBuffer->xLength + pxStreamBuffer->xTail;\r\n xSpace -= pxStreamBuffer->xHead;\r\n xSpace -= ( size_t ) 1;\r\n\r\n if( xSpace >= pxStreamBuffer->xLength )\r\n {\r\n xSpace -= pxStreamBuffer->xLength;\r\n }\r\n else\r\n {\r\n mtCOVERAGE_TEST_MARKER();\r\n }\r\n\r\n return xSpace;\r\n}\r",
- "project": "FreeRTOS-Kernel",
- "hash": 119463301534942049801750027733044521570,
- "size": 22,
- "commit_id": "d05b9c123f2bf9090bce386a244fc934ae44db5b",
- "message": "Add addition overflow check for stream buffer (#226)",
- "target": 0,
- "dataset": "other",
- "idx": 246421
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "send_response_end",
- "send_response_data_reversed",
- "dump_bucket_entry"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "void RGWListBuckets_ObjStore_S3::send_response_begin(bool has_buckets)\n{\n if (op_ret)\n set_req_state_err(s, op_ret);\n dump_errno(s);\n dump_start(s);\n // Explicitly use chunked transfer encoding so that we can stream the result\n // to the user without having to wait for the full length of it.\n end_header(s, NULL, \"application/xml\", CHUNKED_TRANSFER_ENCODING);\n\n if (! op_ret) {\n list_all_buckets_start(s);\n dump_owner(s, s->user->user_id, s->user->display_name);\n s->formatter->open_array_section(\"Buckets\");\n sent_data = true;\n }\n}",
- "project": "ceph",
- "hash": 151504910633335479365418853557459877928,
- "size": 17,
- "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9",
- "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin <mbenjamin@redhat.com>\nReviewed-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)",
- "target": 0,
- "dataset": "other",
- "idx": 281331
- },
- {
- "func": "void RGWListBuckets_ObjStore_SWIFT::send_response_begin(bool has_buckets)\n{\n if (op_ret) {\n set_req_state_err(s, op_ret);\n } else if (!has_buckets && s->format == RGW_FORMAT_PLAIN) {\n op_ret = STATUS_NO_CONTENT;\n set_req_state_err(s, op_ret);\n }\n\n if (! s->cct->_conf->rgw_swift_enforce_content_length) {\n /* Adding account stats in the header to keep align with Swift API */\n dump_account_metadata(s,\n global_stats,\n policies_stats,\n attrs,\n user_quota,\n static_cast<RGWAccessControlPolicy_SWIFTAcct&>(*s->user_acl));\n dump_errno(s);\n dump_header(s, \"Accept-Ranges\", \"bytes\");\n end_header(s, NULL, NULL, NO_CONTENT_LENGTH, true);\n }\n\n if (! op_ret) {\n dump_start(s);\n s->formatter->open_array_section_with_attrs(\"account\",\n FormatterAttrs(\"name\", s->user->display_name.c_str(), NULL));\n\n sent_data = true;\n }\n}",
- "project": "ceph",
- "hash": 4712945470508070102828199098323172380,
- "size": 30,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448788
- },
- {
- "func": "void RGWListBuckets_ObjStore_SWIFT::send_response_data_reversed(RGWUserBuckets& buckets)\n{\n if (! sent_data) {\n return;\n }\n\n /* Take care of the prefix parameter of Swift API. There is no business\n * in applying the filter earlier as we really need to go through all\n * entries regardless of it (the headers like X-Account-Container-Count\n * aren't affected by specifying prefix). */\n std::map<std::string, RGWBucketEnt>& m = buckets.get_buckets();\n\n auto iter = m.rbegin();\n for (/* initialized above */;\n iter != m.rend() && !boost::algorithm::starts_with(iter->first, prefix);\n ++iter) {\n /* NOP */;\n }\n\n for (/* iter carried */;\n iter != m.rend() && boost::algorithm::starts_with(iter->first, prefix);\n ++iter) {\n dump_bucket_entry(iter->second);\n }\n}",
- "project": "ceph",
- "hash": 186625326925143980943779390568763616787,
- "size": 25,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448849
- },
- {
- "func": "static void dump_account_metadata(struct req_state * const s,\n const RGWUsageStats& global_stats,\n const std::map<std::string, RGWUsageStats> &policies_stats,\n /* const */map<string, bufferlist>& attrs,\n const RGWQuotaInfo& quota,\n const RGWAccessControlPolicy_SWIFTAcct &policy)\n{\n /* Adding X-Timestamp to keep align with Swift API */\n dump_header(s, \"X-Timestamp\", ceph_clock_now());\n\n dump_header(s, \"X-Account-Container-Count\", global_stats.buckets_count);\n dump_header(s, \"X-Account-Object-Count\", global_stats.objects_count);\n dump_header(s, \"X-Account-Bytes-Used\", global_stats.bytes_used);\n dump_header(s, \"X-Account-Bytes-Used-Actual\", global_stats.bytes_used_rounded);\n\n for (const auto& kv : policies_stats) {\n const auto& policy_name = camelcase_dash_http_attr(kv.first);\n const auto& policy_stats = kv.second;\n\n dump_header_infixed(s, \"X-Account-Storage-Policy-\", policy_name,\n \"-Container-Count\", policy_stats.buckets_count);\n dump_header_infixed(s, \"X-Account-Storage-Policy-\", policy_name,\n \"-Object-Count\", policy_stats.objects_count);\n dump_header_infixed(s, \"X-Account-Storage-Policy-\", policy_name,\n \"-Bytes-Used\", policy_stats.bytes_used);\n dump_header_infixed(s, \"X-Account-Storage-Policy-\", policy_name,\n \"-Bytes-Used-Actual\", policy_stats.bytes_used_rounded);\n }\n\n /* Dump TempURL-related stuff */\n if (s->perm_mask == RGW_PERM_FULL_CONTROL) {\n auto iter = s->user->temp_url_keys.find(0);\n if (iter != std::end(s->user->temp_url_keys) && ! iter->second.empty()) {\n dump_header(s, \"X-Account-Meta-Temp-Url-Key\", iter->second);\n }\n\n iter = s->user->temp_url_keys.find(1);\n if (iter != std::end(s->user->temp_url_keys) && ! iter->second.empty()) {\n dump_header(s, \"X-Account-Meta-Temp-Url-Key-2\", iter->second);\n }\n }\n\n /* Dump quota headers. 
*/\n if (quota.enabled) {\n if (quota.max_size >= 0) {\n dump_header(s, \"X-Account-Meta-Quota-Bytes\", quota.max_size);\n }\n\n /* Limit on the number of objects in a given account is a RadosGW's\n * extension. Swift's account quota WSGI filter doesn't support it. */\n if (quota.max_objects >= 0) {\n dump_header(s, \"X-Account-Meta-Quota-Count\", quota.max_objects);\n }\n }\n\n /* Dump user-defined metadata items and generic attrs. */\n const size_t PREFIX_LEN = sizeof(RGW_ATTR_META_PREFIX) - 1;\n map<string, bufferlist>::iterator iter;\n for (iter = attrs.lower_bound(RGW_ATTR_PREFIX); iter != attrs.end(); ++iter) {\n const char *name = iter->first.c_str();\n map<string, string>::const_iterator geniter = rgw_to_http_attrs.find(name);\n\n if (geniter != rgw_to_http_attrs.end()) {\n dump_header(s, geniter->second, iter->second);\n } else if (strncmp(name, RGW_ATTR_META_PREFIX, PREFIX_LEN) == 0) {\n dump_header_prefixed(s, \"X-Account-Meta-\",\n camelcase_dash_http_attr(name + PREFIX_LEN),\n iter->second);\n }\n }\n\n /* Dump account ACLs */\n auto account_acls = policy.to_str();\n if (account_acls) {\n dump_header(s, \"X-Account-Access-Control\", std::move(*account_acls));\n }\n}",
- "project": "ceph",
- "hash": 309704467928808382222914418458925402127,
- "size": 77,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448773
- },
- {
- "func": "void RGWListBuckets_ObjStore_S3::send_response_end()\n{\n if (sent_data) {\n s->formatter->close_section();\n list_all_buckets_end(s);\n rgw_flush_formatter_and_reset(s, s->formatter);\n }\n}",
- "project": "ceph",
- "hash": 202263034526108553551723577532350274702,
- "size": 8,
- "commit_id": "ba0790a01ba5252db1ebc299db6e12cd758d0ff9",
- "message": "rgw: reject unauthenticated response-header actions\n\nSigned-off-by: Matt Benjamin <mbenjamin@redhat.com>\nReviewed-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400)",
- "target": 0,
- "dataset": "other",
- "idx": 281297
- },
- {
- "func": "void RGWListBuckets_ObjStore_SWIFT::send_response_end()\n{\n if (wants_reversed) {\n for (auto& buckets : reverse_buffer) {\n send_response_data_reversed(buckets);\n }\n }\n\n if (sent_data) {\n s->formatter->close_section();\n }\n\n if (s->cct->_conf->rgw_swift_enforce_content_length) {\n /* Adding account stats in the header to keep align with Swift API */\n dump_account_metadata(s,\n global_stats,\n policies_stats,\n attrs,\n user_quota,\n static_cast<RGWAccessControlPolicy_SWIFTAcct&>(*s->user_acl));\n dump_errno(s);\n end_header(s, nullptr, nullptr, s->formatter->get_len(), true);\n }\n\n if (sent_data || s->cct->_conf->rgw_swift_enforce_content_length) {\n rgw_flush_formatter_and_reset(s, s->formatter);\n }\n}",
- "project": "ceph",
- "hash": 201644979517479951703947394414346814779,
- "size": 28,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448772
- },
- {
- "func": "void RGWListBuckets_ObjStore_SWIFT::dump_bucket_entry(const RGWBucketEnt& obj)\n{\n s->formatter->open_object_section(\"container\");\n s->formatter->dump_string(\"name\", obj.bucket.name);\n\n if (need_stats) {\n s->formatter->dump_int(\"count\", obj.count);\n s->formatter->dump_int(\"bytes\", obj.size);\n }\n\n s->formatter->close_section();\n\n if (! s->cct->_conf->rgw_swift_enforce_content_length) {\n rgw_flush_formatter(s, s->formatter);\n }\n}",
- "project": "ceph",
- "hash": 106532962756803195588990747286454623137,
- "size": 16,
- "commit_id": "f44a8ae8aa27ecef69528db9aec220f12492810e",
- "message": "rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name\n\nchecking for empty name avoids later assertion in RGWObjectCtx::set_atomic\n\nFixes: CVE-2021-3531\n\nReviewed-by: Casey Bodley <cbodley@redhat.com>\nSigned-off-by: Casey Bodley <cbodley@redhat.com>\n(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)",
- "target": 0,
- "dataset": "other",
- "idx": 448855
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "__udp4_lib_mcast_deliver",
- "udp_queue_rcv_skb",
- "__udp_queue_rcv_skb",
- "__udp_enqueue_schedule_skb",
- "busylock_release"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct sk_buff_head *list = &sk->sk_receive_queue;\n\tint rmem, delta, amt, err = -ENOMEM;\n\tspinlock_t *busy = NULL;\n\tint size;\n\n\t/* try to avoid the costly atomic add/sub pair when the receive\n\t * queue is full; always allow at least a packet\n\t */\n\trmem = atomic_read(&sk->sk_rmem_alloc);\n\tif (rmem > sk->sk_rcvbuf)\n\t\tgoto drop;\n\n\t/* Under mem pressure, it might be helpful to help udp_recvmsg()\n\t * having linear skbs :\n\t * - Reduce memory overhead and thus increase receive queue capacity\n\t * - Less cache line misses at copyout() time\n\t * - Less work at consume_skb() (less alien page frag freeing)\n\t */\n\tif (rmem > (sk->sk_rcvbuf >> 1)) {\n\t\tskb_condense(skb);\n\n\t\tbusy = busylock_acquire(sk);\n\t}\n\tsize = skb->truesize;\n\tudp_set_dev_scratch(skb);\n\n\t/* we drop only if the receive buf is full and the receive\n\t * queue contains some other skb\n\t */\n\trmem = atomic_add_return(size, &sk->sk_rmem_alloc);\n\tif (rmem > (size + sk->sk_rcvbuf))\n\t\tgoto uncharge_drop;\n\n\tspin_lock(&list->lock);\n\tif (size >= sk->sk_forward_alloc) {\n\t\tamt = sk_mem_pages(size);\n\t\tdelta = amt << SK_MEM_QUANTUM_SHIFT;\n\t\tif (!__sk_mem_raise_allocated(sk, delta, amt, SK_MEM_RECV)) {\n\t\t\terr = -ENOBUFS;\n\t\t\tspin_unlock(&list->lock);\n\t\t\tgoto uncharge_drop;\n\t\t}\n\n\t\tsk->sk_forward_alloc += delta;\n\t}\n\n\tsk->sk_forward_alloc -= size;\n\n\t/* no need to setup a destructor, we will explicitly release the\n\t * forward allocated memory on dequeue\n\t */\n\tsock_skb_set_dropcount(sk, skb);\n\n\t__skb_queue_tail(list, skb);\n\tspin_unlock(&list->lock);\n\n\tif (!sock_flag(sk, SOCK_DEAD))\n\t\tsk->sk_data_ready(sk);\n\n\tbusylock_release(busy);\n\treturn 0;\n\nuncharge_drop:\n\tatomic_sub(skb->truesize, &sk->sk_rmem_alloc);\n\ndrop:\n\tatomic_inc(&sk->sk_drops);\n\tbusylock_release(busy);\n\treturn err;\n}",
- "project": "net",
- "hash": 207730457495565135688945977999082885638,
- "size": 72,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 469011
- },
- {
- "func": "static void udp_set_dev_scratch(struct sk_buff *skb)\n{\n\tstruct udp_dev_scratch *scratch = udp_skb_scratch(skb);\n\n\tBUILD_BUG_ON(sizeof(struct udp_dev_scratch) > sizeof(long));\n\tscratch->_tsize_state = skb->truesize;\n#if BITS_PER_LONG == 64\n\tscratch->len = skb->len;\n\tscratch->csum_unnecessary = !!skb_csum_unnecessary(skb);\n\tscratch->is_linear = !skb_is_nonlinear(skb);\n#endif\n\tif (likely(!skb->_skb_refdst))\n\t\tscratch->_tsize_state |= UDP_SKB_IS_STATELESS;\n}",
- "project": "net",
- "hash": 186548478787266436106538045524561063522,
- "size": 14,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468993
- },
- {
- "func": "static int __udp4_lib_mcast_deliver(struct net *net, struct sk_buff *skb,\n\t\t\t\t struct udphdr *uh,\n\t\t\t\t __be32 saddr, __be32 daddr,\n\t\t\t\t struct udp_table *udptable,\n\t\t\t\t int proto)\n{\n\tstruct sock *sk, *first = NULL;\n\tunsigned short hnum = ntohs(uh->dest);\n\tstruct udp_hslot *hslot = udp_hashslot(udptable, net, hnum);\n\tunsigned int hash2 = 0, hash2_any = 0, use_hash2 = (hslot->count > 10);\n\tunsigned int offset = offsetof(typeof(*sk), sk_node);\n\tint dif = skb->dev->ifindex;\n\tstruct hlist_node *node;\n\tstruct sk_buff *nskb;\n\n\tif (use_hash2) {\n\t\thash2_any = udp4_portaddr_hash(net, htonl(INADDR_ANY), hnum) &\n\t\t\t udptable->mask;\n\t\thash2 = udp4_portaddr_hash(net, daddr, hnum) & udptable->mask;\nstart_lookup:\n\t\thslot = &udptable->hash2[hash2];\n\t\toffset = offsetof(typeof(*sk), __sk_common.skc_portaddr_node);\n\t}\n\n\tsk_for_each_entry_offset_rcu(sk, node, &hslot->head, offset) {\n\t\tif (!__udp_is_mcast_sock(net, sk, uh->dest, daddr,\n\t\t\t\t\t uh->source, saddr, dif, hnum))\n\t\t\tcontinue;\n\n\t\tif (!first) {\n\t\t\tfirst = sk;\n\t\t\tcontinue;\n\t\t}\n\t\tnskb = skb_clone(skb, GFP_ATOMIC);\n\n\t\tif (unlikely(!nskb)) {\n\t\t\tatomic_inc(&sk->sk_drops);\n\t\t\t__UDP_INC_STATS(net, UDP_MIB_RCVBUFERRORS,\n\t\t\t\t\tIS_UDPLITE(sk));\n\t\t\t__UDP_INC_STATS(net, UDP_MIB_INERRORS,\n\t\t\t\t\tIS_UDPLITE(sk));\n\t\t\tcontinue;\n\t\t}\n\t\tif (udp_queue_rcv_skb(sk, nskb) > 0)\n\t\t\tconsume_skb(nskb);\n\t}\n\n\t/* Also lookup *:port if we are using hash2 and haven't done so yet. */\n\tif (use_hash2 && hash2 != hash2_any) {\n\t\thash2 = hash2_any;\n\t\tgoto start_lookup;\n\t}\n\n\tif (first) {\n\t\tif (udp_queue_rcv_skb(first, skb) > 0)\n\t\t\tconsume_skb(skb);\n\t} else {\n\t\tkfree_skb(skb);\n\t\t__UDP_INC_STATS(net, UDP_MIB_IGNOREDMULTI,\n\t\t\t\tproto == IPPROTO_UDPLITE);\n\t}\n\treturn 0;\n}",
- "project": "net",
- "hash": 152912852201407550967922989540603572688,
- "size": 63,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468953
- },
- {
- "func": "static void busylock_release(spinlock_t *busy)\n{\n\tif (busy)\n\t\tspin_unlock(busy);\n}",
- "project": "net",
- "hash": 131774410419539032478676489223282513263,
- "size": 5,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468935
- },
- {
- "func": "static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)\n{\n\tint rc;\n\n\tif (inet_sk(sk)->inet_daddr) {\n\t\tsock_rps_save_rxhash(sk, skb);\n\t\tsk_mark_napi_id(sk, skb);\n\t\tsk_incoming_cpu_update(sk);\n\t} else {\n\t\tsk_mark_napi_id_once(sk, skb);\n\t}\n\n\t/* At recvmsg() time we may access skb->dst or skb->sp depending on\n\t * the IP options and the cmsg flags, elsewhere can we clear all\n\t * pending head states while they are hot in the cache\n\t */\n\tif (likely(IPCB(skb)->opt.optlen == 0 && !skb_sec_path(skb)))\n\t\tskb_release_head_state(skb);\n\n\trc = __udp_enqueue_schedule_skb(sk, skb);\n\tif (rc < 0) {\n\t\tint is_udplite = IS_UDPLITE(sk);\n\n\t\t/* Note that an ENOMEM error is charged twice */\n\t\tif (rc == -ENOMEM)\n\t\t\tUDP_INC_STATS(sock_net(sk), UDP_MIB_RCVBUFERRORS,\n\t\t\t\t\tis_udplite);\n\t\tUDP_INC_STATS(sock_net(sk), UDP_MIB_INERRORS, is_udplite);\n\t\tkfree_skb(skb);\n\t\ttrace_udp_fail_queue_rcv_skb(rc, sk);\n\t\treturn -1;\n\t}\n\n\treturn 0;\n}",
- "project": "net",
- "hash": 226682662751611739157088192734707207748,
- "size": 35,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468915
- },
- {
- "func": "static int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)\n{\n\tstruct udp_sock *up = udp_sk(sk);\n\tint is_udplite = IS_UDPLITE(sk);\n\n\t/*\n\t *\tCharge it to the socket, dropping if the queue is full.\n\t */\n\tif (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))\n\t\tgoto drop;\n\tnf_reset(skb);\n\n\tif (static_key_false(&udp_encap_needed) && up->encap_type) {\n\t\tint (*encap_rcv)(struct sock *sk, struct sk_buff *skb);\n\n\t\t/*\n\t\t * This is an encapsulation socket so pass the skb to\n\t\t * the socket's udp_encap_rcv() hook. Otherwise, just\n\t\t * fall through and pass this up the UDP socket.\n\t\t * up->encap_rcv() returns the following value:\n\t\t * =0 if skb was successfully passed to the encap\n\t\t * handler or was discarded by it.\n\t\t * >0 if skb should be passed on to UDP.\n\t\t * <0 if skb should be resubmitted as proto -N\n\t\t */\n\n\t\t/* if we're overly short, let UDP handle it */\n\t\tencap_rcv = ACCESS_ONCE(up->encap_rcv);\n\t\tif (encap_rcv) {\n\t\t\tint ret;\n\n\t\t\t/* Verify checksum before giving to encap */\n\t\t\tif (udp_lib_checksum_complete(skb))\n\t\t\t\tgoto csum_error;\n\n\t\t\tret = encap_rcv(sk, skb);\n\t\t\tif (ret <= 0) {\n\t\t\t\t__UDP_INC_STATS(sock_net(sk),\n\t\t\t\t\t\tUDP_MIB_INDATAGRAMS,\n\t\t\t\t\t\tis_udplite);\n\t\t\t\treturn -ret;\n\t\t\t}\n\t\t}\n\n\t\t/* FALLTHROUGH -- it's a UDP Packet */\n\t}\n\n\t/*\n\t * \tUDP-Lite specific tests, ignored on UDP sockets\n\t */\n\tif ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {\n\n\t\t/*\n\t\t * MIB statistics other than incrementing the error count are\n\t\t * disabled for the following two types of errors: these depend\n\t\t * on the application settings, not on the functioning of the\n\t\t * protocol stack as such.\n\t\t *\n\t\t * RFC 3828 here recommends (sec 3.3): \"There should also be a\n\t\t * way ... to ... 
at least let the receiving application block\n\t\t * delivery of packets with coverage values less than a value\n\t\t * provided by the application.\"\n\t\t */\n\t\tif (up->pcrlen == 0) { /* full coverage was set */\n\t\t\tnet_dbg_ratelimited(\"UDPLite: partial coverage %d while full coverage %d requested\\n\",\n\t\t\t\t\t UDP_SKB_CB(skb)->cscov, skb->len);\n\t\t\tgoto drop;\n\t\t}\n\t\t/* The next case involves violating the min. coverage requested\n\t\t * by the receiver. This is subtle: if receiver wants x and x is\n\t\t * greater than the buffersize/MTU then receiver will complain\n\t\t * that it wants x while sender emits packets of smaller size y.\n\t\t * Therefore the above ...()->partial_cov statement is essential.\n\t\t */\n\t\tif (UDP_SKB_CB(skb)->cscov < up->pcrlen) {\n\t\t\tnet_dbg_ratelimited(\"UDPLite: coverage %d too small, need min %d\\n\",\n\t\t\t\t\t UDP_SKB_CB(skb)->cscov, up->pcrlen);\n\t\t\tgoto drop;\n\t\t}\n\t}\n\n\tprefetch(&sk->sk_rmem_alloc);\n\tif (rcu_access_pointer(sk->sk_filter) &&\n\t udp_lib_checksum_complete(skb))\n\t\t\tgoto csum_error;\n\n\tif (sk_filter_trim_cap(sk, skb, sizeof(struct udphdr)))\n\t\tgoto drop;\n\n\tudp_csum_pull_header(skb);\n\n\tipv4_pktinfo_prepare(sk, skb);\n\treturn __udp_queue_rcv_skb(sk, skb);\n\ncsum_error:\n\t__UDP_INC_STATS(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);\ndrop:\n\t__UDP_INC_STATS(sock_net(sk), UDP_MIB_INERRORS, is_udplite);\n\tatomic_inc(&sk->sk_drops);\n\tkfree_skb(skb);\n\treturn -1;\n}",
- "project": "net",
- "hash": 177996409018370749187970055497880054743,
- "size": 102,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468917
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "tipc_nl_node_set_key",
- "__tipc_nl_node_set_key",
- "tipc_nl_retrieve_nodeid"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static int __tipc_nl_node_set_key(struct sk_buff *skb, struct genl_info *info)\n{\n\tstruct nlattr *attrs[TIPC_NLA_NODE_MAX + 1];\n\tstruct net *net = sock_net(skb->sk);\n\tstruct tipc_crypto *tx = tipc_net(net)->crypto_tx, *c = tx;\n\tstruct tipc_node *n = NULL;\n\tstruct tipc_aead_key *ukey;\n\tbool rekeying = true, master_key = false;\n\tu8 *id, *own_id, mode;\n\tu32 intv = 0;\n\tint rc = 0;\n\n\tif (!info->attrs[TIPC_NLA_NODE])\n\t\treturn -EINVAL;\n\n\trc = nla_parse_nested(attrs, TIPC_NLA_NODE_MAX,\n\t\t\t info->attrs[TIPC_NLA_NODE],\n\t\t\t tipc_nl_node_policy, info->extack);\n\tif (rc)\n\t\treturn rc;\n\n\town_id = tipc_own_id(net);\n\tif (!own_id) {\n\t\tGENL_SET_ERR_MSG(info, \"not found own node identity (set id?)\");\n\t\treturn -EPERM;\n\t}\n\n\trc = tipc_nl_retrieve_rekeying(attrs, &intv);\n\tif (rc == -ENODATA)\n\t\trekeying = false;\n\n\trc = tipc_nl_retrieve_key(attrs, &ukey);\n\tif (rc == -ENODATA && rekeying)\n\t\tgoto rekeying;\n\telse if (rc)\n\t\treturn rc;\n\n\trc = tipc_aead_key_validate(ukey, info);\n\tif (rc)\n\t\treturn rc;\n\n\trc = tipc_nl_retrieve_nodeid(attrs, &id);\n\tswitch (rc) {\n\tcase -ENODATA:\n\t\tmode = CLUSTER_KEY;\n\t\tmaster_key = !!(attrs[TIPC_NLA_NODE_KEY_MASTER]);\n\t\tbreak;\n\tcase 0:\n\t\tmode = PER_NODE_KEY;\n\t\tif (memcmp(id, own_id, NODE_ID_LEN)) {\n\t\t\tn = tipc_node_find_by_id(net, id) ?:\n\t\t\t\ttipc_node_create(net, 0, id, 0xffffu, 0, true);\n\t\t\tif (unlikely(!n))\n\t\t\t\treturn -ENOMEM;\n\t\t\tc = n->crypto_rx;\n\t\t}\n\t\tbreak;\n\tdefault:\n\t\treturn rc;\n\t}\n\n\t/* Initiate the TX/RX key */\n\trc = tipc_crypto_key_init(c, ukey, mode, master_key);\n\tif (n)\n\t\ttipc_node_put(n);\n\n\tif (unlikely(rc < 0)) {\n\t\tGENL_SET_ERR_MSG(info, \"unable to initiate or attach new key\");\n\t\treturn rc;\n\t} else if (c == tx) {\n\t\t/* Distribute TX key but not master one */\n\t\tif (!master_key && tipc_crypto_key_distr(tx, rc, NULL))\n\t\t\tGENL_SET_ERR_MSG(info, \"failed to replicate new 
key\");\nrekeying:\n\t\t/* Schedule TX rekeying if needed */\n\t\ttipc_crypto_rekeying_sched(tx, rekeying, intv);\n\t}\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 194979634484378285779372233553662865543,
- "size": 80,
- "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb",
- "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 
arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 
arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: Tuong Lien <tuong.t.lien@dektech.com.au>\nCc: Jon Maloy <jmaloy@redhat.com>\nCc: Ying Xue <ying.xue@windriver.com>\nReported-by: syzbot <syzkaller@googlegroups.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 364911
- },
- {
- "func": "static int tipc_nl_retrieve_rekeying(struct nlattr **attrs, u32 *intv)\n{\n\tstruct nlattr *attr = attrs[TIPC_NLA_NODE_REKEYING];\n\n\tif (!attr)\n\t\treturn -ENODATA;\n\n\t*intv = nla_get_u32(attr);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 193816255445229179305180535936392676020,
- "size": 10,
- "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb",
- "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 
arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 
arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: Tuong Lien <tuong.t.lien@dektech.com.au>\nCc: Jon Maloy <jmaloy@redhat.com>\nCc: Ying Xue <ying.xue@windriver.com>\nReported-by: syzbot <syzkaller@googlegroups.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 364948
- },
- {
- "func": "static int tipc_nl_retrieve_nodeid(struct nlattr **attrs, u8 **node_id)\n{\n\tstruct nlattr *attr = attrs[TIPC_NLA_NODE_ID];\n\n\tif (!attr)\n\t\treturn -ENODATA;\n\n\tif (nla_len(attr) < TIPC_NODEID_LEN)\n\t\treturn -EINVAL;\n\n\t*node_id = (u8 *)nla_data(attr);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 153862900688780788735562620022692417252,
- "size": 13,
- "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb",
- "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 
arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 
arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: Tuong Lien <tuong.t.lien@dektech.com.au>\nCc: Jon Maloy <jmaloy@redhat.com>\nCc: Ying Xue <ying.xue@windriver.com>\nReported-by: syzbot <syzkaller@googlegroups.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 364974
- },
- {
- "func": "static int tipc_nl_retrieve_key(struct nlattr **attrs,\n\t\t\t\tstruct tipc_aead_key **key)\n{\n\tstruct nlattr *attr = attrs[TIPC_NLA_NODE_KEY];\n\n\tif (!attr)\n\t\treturn -ENODATA;\n\n\t*key = (struct tipc_aead_key *)nla_data(attr);\n\tif (nla_len(attr) < tipc_aead_key_size(*key))\n\t\treturn -EINVAL;\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 284003867985169166932353704253458867619,
- "size": 14,
- "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb",
- "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 
arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 
arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: Tuong Lien <tuong.t.lien@dektech.com.au>\nCc: Jon Maloy <jmaloy@redhat.com>\nCc: Ying Xue <ying.xue@windriver.com>\nReported-by: syzbot <syzkaller@googlegroups.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 1,
- "dataset": "other",
- "idx": 204764
- },
- {
- "func": "static int tipc_nl_retrieve_key(struct nlattr **attrs,\n\t\t\t\tstruct tipc_aead_key **pkey)\n{\n\tstruct nlattr *attr = attrs[TIPC_NLA_NODE_KEY];\n\tstruct tipc_aead_key *key;\n\n\tif (!attr)\n\t\treturn -ENODATA;\n\n\tif (nla_len(attr) < sizeof(*key))\n\t\treturn -EINVAL;\n\tkey = (struct tipc_aead_key *)nla_data(attr);\n\tif (key->keylen > TIPC_AEAD_KEYLEN_MAX ||\n\t nla_len(attr) < tipc_aead_key_size(key))\n\t\treturn -EINVAL;\n\n\t*pkey = key;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 184504004987990882955216536013391680124,
- "size": 19,
- "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb",
- "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 
arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 
arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: Tuong Lien <tuong.t.lien@dektech.com.au>\nCc: Jon Maloy <jmaloy@redhat.com>\nCc: Ying Xue <ying.xue@windriver.com>\nReported-by: syzbot <syzkaller@googlegroups.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 364977
- },
- {
- "func": "int tipc_nl_node_set_key(struct sk_buff *skb, struct genl_info *info)\n{\n\tint err;\n\n\trtnl_lock();\n\terr = __tipc_nl_node_set_key(skb, info);\n\trtnl_unlock();\n\n\treturn err;\n}",
- "project": "linux",
- "hash": 152830576302131176881413034673229092509,
- "size": 10,
- "commit_id": "0217ed2848e8538bcf9172d97ed2eeb4a26041bb",
- "message": "tipc: better validate user input in tipc_nl_retrieve_key()\n\nBefore calling tipc_aead_key_size(ptr), we need to ensure\nwe have enough data to dereference ptr->keylen.\n\nWe probably also want to make sure tipc_aead_key_size()\nwont overflow with malicious ptr->keylen values.\n\nSyzbot reported:\n\nBUG: KMSAN: uninit-value in __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\nBUG: KMSAN: uninit-value in tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\nCPU: 0 PID: 21060 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:120\n kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197\n __tipc_nl_node_set_key net/tipc/node.c:2971 [inline]\n tipc_nl_node_set_key+0x9bf/0x13b0 net/tipc/node.c:3023\n genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x1319/0x1610 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x6fa/0x810 net/netlink/af_netlink.c:2494\n genl_rcv+0x63/0x80 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]\n netlink_unicast+0x11d6/0x14a0 net/netlink/af_netlink.c:1330\n netlink_sendmsg+0x1740/0x1840 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 
arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\nRIP: 0023:0xf7f60549\nCode: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\nRSP: 002b:00000000f555a5fc EFLAGS: 00000296 ORIG_RAX: 0000000000000172\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000200\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]\n kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104\n kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76\n slab_alloc_node mm/slub.c:2907 [inline]\n __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527\n __kmalloc_reserve net/core/skbuff.c:142 [inline]\n __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210\n alloc_skb include/linux/skbuff.h:1099 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]\n netlink_sendmsg+0xdbc/0x1840 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0xcfc/0x12f0 net/socket.c:2345\n ___sys_sendmsg net/socket.c:2399 [inline]\n __sys_sendmsg+0x714/0x830 net/socket.c:2432\n __compat_sys_sendmsg net/compat.c:347 [inline]\n __do_compat_sys_sendmsg net/compat.c:354 [inline]\n __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351\n __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351\n do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]\n __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141\n do_fast_syscall_32+0x6a/0xc0 
arch/x86/entry/common.c:166\n do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nFixes: e1f32190cf7d (\"tipc: add support for AEAD key setting via netlink\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: Tuong Lien <tuong.t.lien@dektech.com.au>\nCc: Jon Maloy <jmaloy@redhat.com>\nCc: Ying Xue <ying.xue@windriver.com>\nReported-by: syzbot <syzkaller@googlegroups.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 364962
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "t2p_write_pdf",
- "t2p_readwrite_pdf_image",
- "t2p_sample_realize_palette"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){\n\n\ttsize_t written=0;\n\tunsigned char* buffer=NULL;\n\tunsigned char* samplebuffer=NULL;\n\ttsize_t bufferoffset=0;\n\ttsize_t samplebufferoffset=0;\n\ttsize_t read=0;\n\ttstrip_t i=0;\n\ttstrip_t j=0;\n\ttstrip_t stripcount=0;\n\ttsize_t stripsize=0;\n\ttsize_t sepstripcount=0;\n\ttsize_t sepstripsize=0;\n#ifdef OJPEG_SUPPORT\n\ttoff_t inputoffset=0;\n\tuint16 h_samp=1;\n\tuint16 v_samp=1;\n\tuint16 ri=1;\n\tuint32 rows=0;\n#endif /* ifdef OJPEG_SUPPORT */\n#ifdef JPEG_SUPPORT\n\tunsigned char* jpt;\n\tfloat* xfloatp;\n\tuint64* sbc;\n\tunsigned char* stripbuffer;\n\ttsize_t striplength=0;\n\tuint32 max_striplength=0;\n#endif /* ifdef JPEG_SUPPORT */\n\n\t/* Fail if prior error (in particular, can't trust tiff_datasize) */\n\tif (t2p->t2p_error != T2P_ERR_OK)\n\t\treturn(0);\n\n\tif(t2p->pdf_transcode == T2P_TRANSCODE_RAW){\n#ifdef CCITT_SUPPORT\n\t\tif(t2p->pdf_compression == T2P_COMPRESS_G4){\n\t\t\tbuffer = (unsigned char*)\n\t\t\t\t_TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif (buffer == NULL) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %lu bytes of memory for \"\n\t\t\t\t\t\"t2p_readwrite_pdf_image, %s\",\n\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tif (TIFFReadRawStrip(input, 0, (tdata_t) buffer,\n\t\t\t\t\t t2p->tiff_datasize) < 0) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"TIFFReadRawStrip() failed\");\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tif (t2p->tiff_fillorder==FILLORDER_LSB2MSB){\n\t\t\t\t\t/*\n\t\t\t\t\t * make sure is lsb-to-msb\n\t\t\t\t\t * bit-endianness fill order\n\t\t\t\t\t */\n\t\t\t\t\tTIFFReverseBits(buffer,\n\t\t\t\t\t\t\tt2p->tiff_datasize);\n\t\t\t}\n\t\t\tt2pWriteFile(output, (tdata_t) buffer,\n\t\t\t\t 
t2p->tiff_datasize);\n\t\t\t_TIFFfree(buffer);\n\t\t\treturn(t2p->tiff_datasize);\n\t\t}\n#endif /* ifdef CCITT_SUPPORT */\n#ifdef ZIP_SUPPORT\n\t\tif (t2p->pdf_compression == T2P_COMPRESS_ZIP) {\n\t\t\tbuffer = (unsigned char*)\n\t\t\t\t_TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer == NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tif (TIFFReadRawStrip(input, 0, (tdata_t) buffer,\n\t\t\t\t\t t2p->tiff_datasize) < 0) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"TIFFReadRawStrip() failed\");\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tif (t2p->tiff_fillorder==FILLORDER_LSB2MSB) {\n\t\t\t\t\tTIFFReverseBits(buffer,\n\t\t\t\t\t\t\tt2p->tiff_datasize);\n\t\t\t}\n\t\t\tt2pWriteFile(output, (tdata_t) buffer,\n\t\t\t\t t2p->tiff_datasize);\n\t\t\t_TIFFfree(buffer);\n\t\t\treturn(t2p->tiff_datasize);\n\t\t}\n#endif /* ifdef ZIP_SUPPORT */\n#ifdef OJPEG_SUPPORT\n\t\tif(t2p->tiff_compression == COMPRESSION_OJPEG) {\n\n\t\t\tif(t2p->tiff_dataoffset != 0) {\n\t\t\t\tbuffer = (unsigned char*)\n\t\t\t\t\t_TIFFmalloc(t2p->tiff_datasize);\n\t\t\t\tif(buffer == NULL) {\n\t\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\treturn(0);\n\t\t\t\t}\n\t\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\t\tif(t2p->pdf_ojpegiflength==0){\n\t\t\t\t\tinputoffset=t2pSeekFile(input, 0,\n\t\t\t\t\t\t\t\t SEEK_CUR);\n\t\t\t\t\tt2pSeekFile(input,\n\t\t\t\t\t\t t2p->tiff_dataoffset,\n\t\t\t\t\t\t SEEK_SET);\n\t\t\t\t\tt2pReadFile(input, (tdata_t) buffer,\n\t\t\t\t\t\t 
t2p->tiff_datasize);\n\t\t\t\t\tt2pSeekFile(input, inputoffset,\n\t\t\t\t\t\t SEEK_SET);\n\t\t\t\t\tt2pWriteFile(output, (tdata_t) buffer,\n\t\t\t\t\t\t t2p->tiff_datasize);\n\t\t\t\t\t_TIFFfree(buffer);\n\t\t\t\t\treturn(t2p->tiff_datasize);\n\t\t\t\t} else {\n\t\t\t\t\tinputoffset=t2pSeekFile(input, 0,\n\t\t\t\t\t\t\t\t SEEK_CUR);\n\t\t\t\t\tt2pSeekFile(input,\n\t\t\t\t\t\t t2p->tiff_dataoffset,\n\t\t\t\t\t\t SEEK_SET);\n\t\t\t\t\tbufferoffset = t2pReadFile(input,\n\t\t\t\t\t\t(tdata_t) buffer,\n\t\t\t\t\t\tt2p->pdf_ojpegiflength);\n\t\t\t\t\tt2p->pdf_ojpegiflength = 0;\n\t\t\t\t\tt2pSeekFile(input, inputoffset,\n\t\t\t\t\t\t SEEK_SET);\n\t\t\t\t\tTIFFGetField(input,\n\t\t\t\t\t\t TIFFTAG_YCBCRSUBSAMPLING,\n\t\t\t\t\t\t &h_samp, &v_samp);\n\t\t\t\t\tbuffer[bufferoffset++]= 0xff;\n\t\t\t\t\tbuffer[bufferoffset++]= 0xdd;\n\t\t\t\t\tbuffer[bufferoffset++]= 0x00;\n\t\t\t\t\tbuffer[bufferoffset++]= 0x04;\n\t\t\t\t\th_samp*=8;\n\t\t\t\t\tv_samp*=8;\n\t\t\t\t\tri=(t2p->tiff_width+h_samp-1) / h_samp;\n\t\t\t\t\tTIFFGetField(input,\n\t\t\t\t\t\t TIFFTAG_ROWSPERSTRIP,\n\t\t\t\t\t\t &rows);\n\t\t\t\t\tri*=(rows+v_samp-1)/v_samp;\n\t\t\t\t\tbuffer[bufferoffset++]= (ri>>8) & 0xff;\n\t\t\t\t\tbuffer[bufferoffset++]= ri & 0xff;\n\t\t\t\t\tstripcount=TIFFNumberOfStrips(input);\n\t\t\t\t\tfor(i=0;i<stripcount;i++){\n\t\t\t\t\t\tif(i != 0 ){ \n\t\t\t\t\t\t\tbuffer[bufferoffset++]=0xff;\n\t\t\t\t\t\t\tbuffer[bufferoffset++]=(0xd0 | ((i-1)%8));\n\t\t\t\t\t\t}\n\t\t\t\t\t\tbufferoffset+=TIFFReadRawStrip(input, \n\t\t\t\t\t\t\ti, \n\t\t\t\t\t\t\t(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), \n\t\t\t\t\t\t\t-1);\n\t\t\t\t\t}\n\t\t\t\t\tt2pWriteFile(output, (tdata_t) buffer, bufferoffset);\n\t\t\t\t\t_TIFFfree(buffer);\n\t\t\t\t\treturn(bufferoffset);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif(! 
t2p->pdf_ojpegdata){\n\t\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\t\"No support for OJPEG image %s with bad tables\",\n\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\treturn(0);\n\t\t\t\t}\n\t\t\t\tbuffer = (unsigned char*)\n\t\t\t\t\t_TIFFmalloc(t2p->tiff_datasize);\n\t\t\t\tif(buffer==NULL){\n\t\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\treturn(0);\n\t\t\t\t}\n\t\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\t\t_TIFFmemcpy(buffer, t2p->pdf_ojpegdata, t2p->pdf_ojpegdatalength);\n\t\t\t\tbufferoffset=t2p->pdf_ojpegdatalength;\n\t\t\t\tstripcount=TIFFNumberOfStrips(input);\n\t\t\t\tfor(i=0;i<stripcount;i++){\n\t\t\t\t\ttsize_t retTIFFReadRawStrip;\n\t\t\t\t\tif(i != 0){\n\t\t\t\t\t\tbuffer[bufferoffset++]=0xff;\n\t\t\t\t\t\tbuffer[bufferoffset++]=(0xd0 | ((i-1)%8));\n\t\t\t\t\t}\n\t\t\t\t\tretTIFFReadRawStrip = TIFFReadRawStrip(input,\n\t\t\t\t\t\ti, \n\t\t\t\t\t\t(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), \n\t\t\t\t\t\t-1);\n\t\t\t\t\tif (retTIFFReadRawStrip < 0) {\n\t\t\t\t\t\tTIFFError(TIFF2PDF_MODULE, \"TIFFReadRawStrip()\");\n\t\t\t\t\t\t_TIFFfree(buffer);\n\t\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\t\treturn(0);\n\t\t\t\t\t}\n\t\t\t\t\tbufferoffset += retTIFFReadRawStrip;\n\t\t\t\t}\n\t\t\t\tif( ! 
( (buffer[bufferoffset-1]==0xd9) && (buffer[bufferoffset-2]==0xff) ) ){\n\t\t\t\t\t\tbuffer[bufferoffset++]=0xff;\n\t\t\t\t\t\tbuffer[bufferoffset++]=0xd9;\n\t\t\t\t}\n\t\t\t\tt2pWriteFile(output, (tdata_t) buffer, bufferoffset);\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\treturn(bufferoffset);\n#if 0\n /*\n This hunk of code removed code is clearly\n mis-placed and we are not sure where it\n should be (if anywhere)\n */\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\"No support for OJPEG image %s with no JPEG File Interchange offset\", \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n#endif\n\t\t\t}\n\t\t}\n#endif /* ifdef OJPEG_SUPPORT */\n#ifdef JPEG_SUPPORT\n\t\tif(t2p->tiff_compression == COMPRESSION_JPEG) {\n\t\t\tuint32 count = 0;\n\t\t\tbuffer = (unsigned char*)\n\t\t\t\t_TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tif (TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {\n\t\t\t\tif(count > 4) {\n\t\t\t\t\t_TIFFmemcpy(buffer, jpt, count);\n\t\t\t\t\tbufferoffset += count - 2;\n\t\t\t\t}\n\t\t\t}\n\t\t\tstripcount=TIFFNumberOfStrips(input);\n\t\t\tTIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc);\n\t\t\tfor(i=0;i<stripcount;i++){\n\t\t\t\tif(sbc[i]>max_striplength) max_striplength=sbc[i];\n\t\t\t}\n\t\t\tstripbuffer = (unsigned char*)\n\t\t\t\t_TIFFmalloc(max_striplength);\n\t\t\tif(stripbuffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %u bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t\tmax_striplength,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\tt2p->t2p_error = 
T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(stripbuffer, 0, max_striplength);\n\t\t\tfor(i=0;i<stripcount;i++){\n\t\t\t\tstriplength=TIFFReadRawStrip(input, i, (tdata_t) stripbuffer, -1);\n\t\t\t\tif (striplength < 0) {\n\t\t\t\t\tTIFFError(TIFF2PDF_MODULE, \"TIFFReadRawStrip() failed\");\n\t\t\t\t\t_TIFFfree(samplebuffer);\n\t\t\t\t\t_TIFFfree(buffer);\n\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\treturn(0);\n\t\t\t\t}\n\t\t\t\tif(!t2p_process_jpeg_strip(\n\t\t\t\t\tstripbuffer, \n\t\t\t\t\t&striplength, \n\t\t\t\t\tbuffer,\n t2p->tiff_datasize,\n\t\t\t\t\t&bufferoffset, \n\t\t\t\t\ti, \n\t\t\t\t\tt2p->tiff_length)){\n\t\t\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\"Can't process JPEG data in input file %s\", \n\t\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\t\t_TIFFfree(samplebuffer);\n\t\t\t\t\t\t_TIFFfree(buffer);\n\t\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\t\treturn(0);\n\t\t\t\t}\n\t\t\t}\n\t\t\tbuffer[bufferoffset++]=0xff; \n\t\t\tbuffer[bufferoffset++]=0xd9;\n\t\t\tt2pWriteFile(output, (tdata_t) buffer, bufferoffset);\n\t\t\t_TIFFfree(stripbuffer);\n\t\t\t_TIFFfree(buffer);\n\t\t\treturn(bufferoffset);\n\t\t}\n#endif /* ifdef JPEG_SUPPORT */\n\t\t(void)0;\n\t}\n\n\tif(t2p->pdf_sample==T2P_SAMPLE_NOTHING){\n\t\tbuffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\tif(buffer==NULL){\n\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\tTIFFFileName(input));\n\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\treturn(0);\n\t\t}\n\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\tstripsize=TIFFStripSize(input);\n\t\tstripcount=TIFFNumberOfStrips(input);\n\t\tfor(i=0;i<stripcount;i++){\n\t\t\tread = \n\t\t\t\tTIFFReadEncodedStrip(input, \n\t\t\t\ti, \n\t\t\t\t(tdata_t) &buffer[bufferoffset], \n\t\t\t\tTIFFmin(stripsize, t2p->tiff_datasize - bufferoffset));\n\t\t\tif(read==-1){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, 
\n\t\t\t\t\t\"Error on decoding strip %u of %s\", \n\t\t\t\t\ti, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\tt2p->t2p_error=T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tbufferoffset+=read;\n\t\t}\n\t} else {\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_PLANAR_SEPARATE_TO_CONTIG){\n\t\t\n\t\t\tsepstripsize=TIFFStripSize(input);\n\t\t\tsepstripcount=TIFFNumberOfStrips(input);\n\t\t\n\t\t\tstripsize=sepstripsize*t2p->tiff_samplesperpixel;\n\t\t\tstripcount=sepstripcount/t2p->tiff_samplesperpixel;\n\t\t\t\n\t\t\tbuffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tsamplebuffer = (unsigned char*) _TIFFmalloc(stripsize);\n\t\t\tif(samplebuffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n _TIFFfree(buffer);\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tfor(i=0;i<stripcount;i++){\n\t\t\t\tsamplebufferoffset=0;\n\t\t\t\tfor(j=0;j<t2p->tiff_samplesperpixel;j++){\n\t\t\t\t\tread = \n\t\t\t\t\t\tTIFFReadEncodedStrip(input, \n\t\t\t\t\t\t\ti + j*stripcount, \n\t\t\t\t\t\t\t(tdata_t) &(samplebuffer[samplebufferoffset]), \n\t\t\t\t\t\t\tTIFFmin(sepstripsize, stripsize - samplebufferoffset));\n\t\t\t\t\tif(read==-1){\n\t\t\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\t\t\"Error on decoding strip %u of %s\",\n\t\t\t\t\t\t\ti + 
j*stripcount,\n\t\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\t\t\t_TIFFfree(buffer);\n\t\t\t\t\t\tt2p->t2p_error=T2P_ERR_ERROR;\n\t\t\t\t\t\treturn(0);\n\t\t\t\t\t}\n\t\t\t\t\tsamplebufferoffset+=read;\n\t\t\t\t}\n\t\t\t\tt2p_sample_planar_separate_to_contig(\n\t\t\t\t\tt2p,\n\t\t\t\t\t&(buffer[bufferoffset]),\n\t\t\t\t\tsamplebuffer, \n\t\t\t\t\tsamplebufferoffset); \n\t\t\t\tbufferoffset+=samplebufferoffset;\n\t\t\t}\n\t\t\t_TIFFfree(samplebuffer);\n\t\t\tgoto dataready;\n\t\t}\n\n\t\tbuffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\tif(buffer==NULL){\n\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\",\n\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\tTIFFFileName(input));\n\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\treturn(0);\n\t\t}\n\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\tstripsize=TIFFStripSize(input);\n\t\tstripcount=TIFFNumberOfStrips(input);\n\t\tfor(i=0;i<stripcount;i++){\n\t\t\tread = \n\t\t\t\tTIFFReadEncodedStrip(input, \n\t\t\t\ti, \n\t\t\t\t(tdata_t) &buffer[bufferoffset], \n\t\t\t\tTIFFmin(stripsize, t2p->tiff_datasize - bufferoffset));\n\t\t\tif(read==-1){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\"Error on decoding strip %u of %s\", \n\t\t\t\t\ti, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t_TIFFfree(samplebuffer);\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\tt2p->t2p_error=T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tbufferoffset+=read;\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_REALIZE_PALETTE){\n\t\t\t// FIXME: overflow?\n\t\t\tsamplebuffer=(unsigned char*)_TIFFrealloc( \n\t\t\t\t(tdata_t) buffer, \n\t\t\t\tt2p->tiff_datasize * t2p->tiff_samplesperpixel);\n\t\t\tif(samplebuffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\", \n\t\t\t\t\t(unsigned long) t2p->tiff_datasize, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = 
T2P_ERR_ERROR;\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\treturn(0);\n\t\t\t} else {\n\t\t\t\tbuffer=samplebuffer;\n\t\t\t\tt2p->tiff_datasize *= t2p->tiff_samplesperpixel;\n\t\t\t}\n\t\t\tt2p_sample_realize_palette(t2p, buffer);\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_RGBA_TO_RGB){\n\t\t\tt2p->tiff_datasize=t2p_sample_rgba_to_rgb(\n\t\t\t\t(tdata_t)buffer, \n\t\t\t\tt2p->tiff_width*t2p->tiff_length);\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_RGBAA_TO_RGB){\n\t\t\tt2p->tiff_datasize=t2p_sample_rgbaa_to_rgb(\n\t\t\t\t(tdata_t)buffer, \n\t\t\t\tt2p->tiff_width*t2p->tiff_length);\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_YCBCR_TO_RGB){\n\t\t\tsamplebuffer=(unsigned char*)_TIFFrealloc(\n\t\t\t\t(tdata_t)buffer, \n\t\t\t\tt2p->tiff_width*t2p->tiff_length*4);\n\t\t\tif(samplebuffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s\", \n\t\t\t\t\t(unsigned long) t2p->tiff_datasize, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\treturn(0);\n\t\t\t} else {\n\t\t\t\tbuffer=samplebuffer;\n\t\t\t}\n\t\t\tif(!TIFFReadRGBAImageOriented(\n\t\t\t\tinput, \n\t\t\t\tt2p->tiff_width, \n\t\t\t\tt2p->tiff_length, \n\t\t\t\t(uint32*)buffer, \n\t\t\t\tORIENTATION_TOPLEFT,\n\t\t\t\t0)){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\"Can't use TIFFReadRGBAImageOriented to extract RGB image from %s\", \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tt2p->tiff_datasize=t2p_sample_abgr_to_rgb(\n\t\t\t\t(tdata_t) buffer, \n\t\t\t\tt2p->tiff_width*t2p->tiff_length);\n\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_LAB_SIGNED_TO_UNSIGNED){\n\t\t\tt2p->tiff_datasize=t2p_sample_lab_signed_to_unsigned(\n\t\t\t\t(tdata_t)buffer, \n\t\t\t\tt2p->tiff_width*t2p->tiff_length);\n\t\t}\n\t}\n\ndataready:\n\n\tt2p_disable(output);\n\tTIFFSetField(output, TIFFTAG_PHOTOMETRIC, 
t2p->tiff_photometric);\n\tTIFFSetField(output, TIFFTAG_BITSPERSAMPLE, t2p->tiff_bitspersample);\n\tTIFFSetField(output, TIFFTAG_SAMPLESPERPIXEL, t2p->tiff_samplesperpixel);\n\tTIFFSetField(output, TIFFTAG_IMAGEWIDTH, t2p->tiff_width);\n\tTIFFSetField(output, TIFFTAG_IMAGELENGTH, t2p->tiff_length);\n\tTIFFSetField(output, TIFFTAG_ROWSPERSTRIP, t2p->tiff_length);\n\tTIFFSetField(output, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);\n\tTIFFSetField(output, TIFFTAG_FILLORDER, FILLORDER_MSB2LSB);\n\n\tswitch(t2p->pdf_compression){\n\tcase T2P_COMPRESS_NONE:\n\t\tTIFFSetField(output, TIFFTAG_COMPRESSION, COMPRESSION_NONE);\n\t\tbreak;\n#ifdef CCITT_SUPPORT\n\tcase T2P_COMPRESS_G4:\n\t\tTIFFSetField(output, TIFFTAG_COMPRESSION, COMPRESSION_CCITTFAX4);\n\t\tbreak;\n#endif /* ifdef CCITT_SUPPORT */\n#ifdef JPEG_SUPPORT\n\tcase T2P_COMPRESS_JPEG:\n\t\tif(t2p->tiff_photometric==PHOTOMETRIC_YCBCR) {\n\t\t\tuint16 hor = 0, ver = 0;\n\t\t\tif (TIFFGetField(input, TIFFTAG_YCBCRSUBSAMPLING, &hor, &ver) !=0 ) {\n\t\t\t\tif(hor != 0 && ver != 0){\n\t\t\t\t\tTIFFSetField(output, TIFFTAG_YCBCRSUBSAMPLING, hor, ver);\n\t\t\t\t}\n\t\t\t}\n\t\t\tif(TIFFGetField(input, TIFFTAG_REFERENCEBLACKWHITE, &xfloatp)!=0){\n\t\t\t\tTIFFSetField(output, TIFFTAG_REFERENCEBLACKWHITE, xfloatp);\n\t\t\t}\n\t\t}\n\t\tif(TIFFSetField(output, TIFFTAG_COMPRESSION, COMPRESSION_JPEG)==0){\n\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\"Unable to use JPEG compression for input %s and output %s\", \n\t\t\t\tTIFFFileName(input),\n\t\t\t\tTIFFFileName(output));\n\t\t\t_TIFFfree(buffer);\n\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\treturn(0);\n\t\t}\n\t\tTIFFSetField(output, TIFFTAG_JPEGTABLESMODE, 0);\n\n\t\tif(t2p->pdf_colorspace & (T2P_CS_RGB | T2P_CS_LAB)){\n\t\t\tTIFFSetField(output, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_YCBCR);\n\t\t\tif(t2p->tiff_photometric != PHOTOMETRIC_YCBCR){\n\t\t\t\tTIFFSetField(output, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB);\n\t\t\t} else {\n\t\t\t\tTIFFSetField(output, 
TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RAW);\n\t\t\t}\n\t\t}\n\t\tif(t2p->pdf_colorspace & T2P_CS_GRAY){\n\t\t\t(void)0;\n\t\t}\n\t\tif(t2p->pdf_colorspace & T2P_CS_CMYK){\n\t\t\t(void)0;\n\t\t}\n\t\tif(t2p->pdf_defaultcompressionquality != 0){\n\t\t\tTIFFSetField(output, \n\t\t\t\tTIFFTAG_JPEGQUALITY, \n\t\t\t\tt2p->pdf_defaultcompressionquality);\n\t\t}\n\t\n\t\tbreak;\n#endif /* ifdef JPEG_SUPPORT */\n#ifdef ZIP_SUPPORT\n\tcase T2P_COMPRESS_ZIP:\n\t\tTIFFSetField(output, TIFFTAG_COMPRESSION, COMPRESSION_DEFLATE);\n\t\tif(t2p->pdf_defaultcompressionquality%100 != 0){\n\t\t\tTIFFSetField(output, \n\t\t\t\tTIFFTAG_PREDICTOR, \n\t\t\t\tt2p->pdf_defaultcompressionquality % 100);\n\t\t}\n\t\tif(t2p->pdf_defaultcompressionquality/100 != 0){\n\t\t\tTIFFSetField(output, \n\t\t\t\tTIFFTAG_ZIPQUALITY, \n\t\t\t\t(t2p->pdf_defaultcompressionquality / 100));\n\t\t}\n\t\tbreak;\n#endif /* ifdef ZIP_SUPPORT */\n\tdefault:\n\t\tbreak;\n\t}\n\n\tt2p_enable(output);\n\tt2p->outputwritten = 0;\n#ifdef JPEG_SUPPORT\n\tif(t2p->pdf_compression == T2P_COMPRESS_JPEG\n\t && t2p->tiff_photometric == PHOTOMETRIC_YCBCR){\n\t\tbufferoffset = TIFFWriteEncodedStrip(output, (tstrip_t)0,\n\t\t\t\t\t\t buffer,\n\t\t\t\t\t\t stripsize * stripcount); \n\t} else\n#endif /* ifdef JPEG_SUPPORT */\n {\n\t\tbufferoffset = TIFFWriteEncodedStrip(output, (tstrip_t)0,\n\t\t\t\t\t\t buffer,\n\t\t\t\t\t\t t2p->tiff_datasize); \n\t}\n\tif (buffer != NULL) {\n\t\t_TIFFfree(buffer);\n\t\tbuffer=NULL;\n\t}\n\n\tif (bufferoffset == (tsize_t)-1) {\n\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t \"Error writing encoded strip to output PDF %s\", \n\t\t\t TIFFFileName(output));\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\treturn(0);\n\t}\n\t\n\twritten = t2p->outputwritten;\n\treturn(written);\n}",
- "project": "libtiff",
- "hash": 84052621455541957078395456270362682892,
- "size": 618,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458978
- },
- {
- "func": "void t2p_read_tiff_size(T2P* t2p, TIFF* input){\n\n\tuint64* sbc=NULL;\n#if defined(JPEG_SUPPORT) || defined (OJPEG_SUPPORT)\n\tunsigned char* jpt=NULL;\n\ttstrip_t i=0;\n\ttstrip_t stripcount=0;\n#endif\n uint64 k = 0;\n\n\tif(t2p->pdf_transcode == T2P_TRANSCODE_RAW){\n#ifdef CCITT_SUPPORT\n\t\tif(t2p->pdf_compression == T2P_COMPRESS_G4 ){\n\t\t\tTIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc);\n if (sbc[0] != (uint64)(tmsize_t)sbc[0]) {\n TIFFError(TIFF2PDF_MODULE, \"Integer overflow\");\n t2p->t2p_error = T2P_ERR_ERROR;\n }\n\t\t\tt2p->tiff_datasize=(tmsize_t)sbc[0];\n\t\t\treturn;\n\t\t}\n#endif\n#ifdef ZIP_SUPPORT\n\t\tif(t2p->pdf_compression == T2P_COMPRESS_ZIP){\n\t\t\tTIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc);\n if (sbc[0] != (uint64)(tmsize_t)sbc[0]) {\n TIFFError(TIFF2PDF_MODULE, \"Integer overflow\");\n t2p->t2p_error = T2P_ERR_ERROR;\n }\n\t\t\tt2p->tiff_datasize=(tmsize_t)sbc[0];\n\t\t\treturn;\n\t\t}\n#endif\n#ifdef OJPEG_SUPPORT\n\t\tif(t2p->tiff_compression == COMPRESSION_OJPEG){\n\t\t\tif(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\"Input file %s missing field: TIFFTAG_STRIPBYTECOUNTS\",\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tstripcount=TIFFNumberOfStrips(input);\n\t\t\tfor(i=0;i<stripcount;i++){\n\t\t\t\tk = checkAdd64(k, sbc[i], t2p);\n\t\t\t}\n\t\t\tif(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){\n\t\t\t\tif(t2p->tiff_dataoffset != 0){\n\t\t\t\t\tif(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){\n\t\t\t\t\t\tif((uint64)t2p->tiff_datasize < k) {\n\t\t\t\t\t\t\tTIFFWarning(TIFF2PDF_MODULE, \n\t\t\t\t\t\t\t\t\"Input file %s has short JPEG interchange file byte count\", \n\t\t\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\t\t\tt2p->pdf_ojpegiflength=t2p->tiff_datasize;\n\t\t\t\t\t\t\tk = checkAdd64(k, t2p->tiff_datasize, t2p);\n\t\t\t\t\t\t\tk = 
checkAdd64(k, 6, t2p);\n\t\t\t\t\t\t\tk = checkAdd64(k, stripcount, t2p);\n\t\t\t\t\t\t\tk = checkAdd64(k, stripcount, t2p);\n\t\t\t\t\t\t\tt2p->tiff_datasize = (tsize_t) k;\n\t\t\t\t\t\t\tif ((uint64) t2p->tiff_datasize != k) {\n\t\t\t\t\t\t\t\tTIFFError(TIFF2PDF_MODULE, \"Integer overflow\");\n\t\t\t\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}else {\n\t\t\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\t\t\"Input file %s missing field: TIFFTAG_JPEGIFBYTECOUNT\",\n\t\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tk = checkAdd64(k, stripcount, t2p);\n\t\t\tk = checkAdd64(k, stripcount, t2p);\n\t\t\tk = checkAdd64(k, 2048, t2p);\n\t\t\tt2p->tiff_datasize = (tsize_t) k;\n\t\t\tif ((uint64) t2p->tiff_datasize != k) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \"Integer overflow\");\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t}\n\t\t\treturn;\n\t\t}\n#endif\n#ifdef JPEG_SUPPORT\n\t\tif(t2p->tiff_compression == COMPRESSION_JPEG) {\n\t\t\tuint32 count = 0;\n\t\t\tif(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){\n\t\t\t\tif(count > 4){\n\t\t\t\t\tk += count;\n\t\t\t\t\tk -= 2; /* don't use EOI of header */\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tk = 2; /* SOI for first strip */\n\t\t\t}\n\t\t\tstripcount=TIFFNumberOfStrips(input);\n\t\t\tif(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\"Input file %s missing field: TIFFTAG_STRIPBYTECOUNTS\",\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tfor(i=0;i<stripcount;i++){\n\t\t\t\tk = checkAdd64(k, sbc[i], t2p);\n\t\t\t\tk -=2; /* don't use EOI of strip */\n\t\t\t\tk +=2; /* add space for restart marker */\n\t\t\t}\n\t\t\tk = checkAdd64(k, 2, t2p); /* use EOI of last strip */\n\t\t\tk = checkAdd64(k, 6, t2p); /* for DRI marker 
of first strip */\n\t\t\tt2p->tiff_datasize = (tsize_t) k;\n\t\t\tif ((uint64) t2p->tiff_datasize != k) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \"Integer overflow\");\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t}\n\t\t\treturn;\n\t\t}\n#endif\n\t\t(void) 0;\n\t}\n#ifdef JPEG_SUPPORT\n\tif(t2p->pdf_compression == T2P_COMPRESS_JPEG\n\t && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {\n\t\tk = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);\n\t} else\n#endif\n\t{\n\t\tk = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);\n\t\tif(t2p->tiff_planar==PLANARCONFIG_SEPARATE){\n\t\t\tk = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);\n\t\t}\n\t}\n\tif (k == 0) {\n\t\t/* Assume we had overflow inside TIFFScanlineSize */\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t}\n\n\tt2p->tiff_datasize = (tsize_t) k;\n\tif ((uint64) t2p->tiff_datasize != k) {\n\t\tTIFFError(TIFF2PDF_MODULE, \"Integer overflow\");\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t}\n\n\treturn;\n}",
- "project": "libtiff",
- "hash": 290623600493300717102076515548479341238,
- "size": 147,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458964
- },
- {
- "func": "void t2p_read_tiff_size_tile(T2P* t2p, TIFF* input, ttile_t tile){\n\n\tuint64* tbc = NULL;\n\tuint16 edge=0;\n#ifdef JPEG_SUPPORT\n\tunsigned char* jpt;\n#endif\n uint64 k;\n\n\tedge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);\n\tedge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);\n\t\n\tif(t2p->pdf_transcode==T2P_TRANSCODE_RAW){\n\t\tif(edge\n#if defined(JPEG_SUPPORT) || defined(OJPEG_SUPPORT)\n\t\t&& !(t2p->pdf_compression==T2P_COMPRESS_JPEG)\n#endif\n\t\t){\n\t\t\tt2p->tiff_datasize=TIFFTileSize(input);\n\t\t\tif (t2p->tiff_datasize == 0) {\n\t\t\t\t/* Assume we had overflow inside TIFFTileSize */\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t}\n\t\t\treturn;\n\t\t} else {\n\t\t\tTIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);\n\t\t\tk=tbc[tile];\n#ifdef OJPEG_SUPPORT\n\t\t\tif(t2p->tiff_compression==COMPRESSION_OJPEG){\n\t\t\t\tk = checkAdd64(k, 2048, t2p);\n\t\t\t}\n#endif\n#ifdef JPEG_SUPPORT\n\t\t\tif(t2p->tiff_compression==COMPRESSION_JPEG) {\n\t\t\t\tuint32 count = 0;\n\t\t\t\tif(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){\n\t\t\t\t\tif(count > 4){\n\t\t\t\t\t\tk = checkAdd64(k, count, t2p);\n\t\t\t\t\t\tk -= 2; /* don't use EOI of header or SOI of tile */\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n#endif\n\t\t\tt2p->tiff_datasize = (tsize_t) k;\n\t\t\tif ((uint64) t2p->tiff_datasize != k) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \"Integer overflow\");\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\t}\n\tk = TIFFTileSize(input);\n\tif(t2p->tiff_planar==PLANARCONFIG_SEPARATE){\n\t\tk = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);\n\t}\n\tif (k == 0) {\n\t\t/* Assume we had overflow inside TIFFTileSize */\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t}\n\n\tt2p->tiff_datasize = (tsize_t) k;\n\tif ((uint64) t2p->tiff_datasize != k) {\n\t\tTIFFError(TIFF2PDF_MODULE, \"Integer overflow\");\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t}\n\n\treturn;\n}",
- "project": "libtiff",
- "hash": 174919938547401728560893363822829287963,
- "size": 68,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458975
- },
- {
- "func": "void t2p_read_tiff_data(T2P* t2p, TIFF* input){\n\n\tint i=0;\n\tuint16* r = NULL;\n\tuint16* g = NULL;\n\tuint16* b = NULL;\n\tuint16* a = NULL;\n\tuint16 xuint16;\n\tuint16* xuint16p;\n\tfloat* xfloatp;\n\n\tt2p->pdf_transcode = T2P_TRANSCODE_ENCODE;\n\tt2p->pdf_sample = T2P_SAMPLE_NOTHING;\n t2p->pdf_switchdecode = t2p->pdf_colorspace_invert;\n \n\t\n\tTIFFSetDirectory(input, t2p->tiff_pages[t2p->pdf_page].page_directory);\n\n\tTIFFGetField(input, TIFFTAG_IMAGEWIDTH, &(t2p->tiff_width));\n\tif(t2p->tiff_width == 0){\n\t\tTIFFError(\n\t\t\tTIFF2PDF_MODULE, \n\t\t\t\"No support for %s with zero width\", \n\t\t\tTIFFFileName(input)\t);\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\treturn;\n\t}\n\n\tTIFFGetField(input, TIFFTAG_IMAGELENGTH, &(t2p->tiff_length));\n\tif(t2p->tiff_length == 0){\n\t\tTIFFError(\n\t\t\tTIFF2PDF_MODULE, \n\t\t\t\"No support for %s with zero length\", \n\t\t\tTIFFFileName(input)\t);\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\treturn;\n\t}\n\n if(TIFFGetField(input, TIFFTAG_COMPRESSION, &(t2p->tiff_compression)) == 0){\n TIFFError(\n TIFF2PDF_MODULE, \n \"No support for %s with no compression tag\", \n TIFFFileName(input) );\n t2p->t2p_error = T2P_ERR_ERROR;\n return;\n\n }\n if( TIFFIsCODECConfigured(t2p->tiff_compression) == 0){\n\t\tTIFFError(\n\t\t\tTIFF2PDF_MODULE, \n\t\t\t\"No support for %s with compression type %u: not configured\", \n\t\t\tTIFFFileName(input), \n\t\t\tt2p->tiff_compression\t\n\t\t\t);\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\treturn;\n\t\n\t}\n\n\tTIFFGetFieldDefaulted(input, TIFFTAG_BITSPERSAMPLE, &(t2p->tiff_bitspersample));\n\tswitch(t2p->tiff_bitspersample){\n\t\tcase 1:\n\t\tcase 2:\n\t\tcase 4:\n\t\tcase 8:\n\t\t\tbreak;\n\t\tcase 0:\n\t\t\tTIFFWarning(\n\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\"Image %s has 0 bits per sample, assuming 1\",\n\t\t\t\tTIFFFileName(input));\n\t\t\tt2p->tiff_bitspersample=1;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tTIFFError(\n\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\"No support for %s with 
%u bits per sample\",\n\t\t\t\tTIFFFileName(input),\n\t\t\t\tt2p->tiff_bitspersample);\n\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\treturn;\n\t}\n\n\tTIFFGetFieldDefaulted(input, TIFFTAG_SAMPLESPERPIXEL, &(t2p->tiff_samplesperpixel));\n\tif(t2p->tiff_samplesperpixel>4){\n\t\tTIFFError(\n\t\t\tTIFF2PDF_MODULE, \n\t\t\t\"No support for %s with %u samples per pixel\",\n\t\t\tTIFFFileName(input),\n\t\t\tt2p->tiff_samplesperpixel);\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\treturn;\n\t}\n\tif(t2p->tiff_samplesperpixel==0){\n\t\tTIFFWarning(\n\t\t\tTIFF2PDF_MODULE, \n\t\t\t\"Image %s has 0 samples per pixel, assuming 1\",\n\t\t\tTIFFFileName(input));\n\t\tt2p->tiff_samplesperpixel=1;\n\t}\n\t\n\tif(TIFFGetField(input, TIFFTAG_SAMPLEFORMAT, &xuint16) != 0 ){\n\t\tswitch(xuint16){\n\t\t\tcase 0:\n\t\t\tcase 1:\n\t\t\tcase 4:\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"No support for %s with sample format %u\",\n\t\t\t\t\tTIFFFileName(input),\n\t\t\t\t\txuint16);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t\tbreak;\n\t\t}\n\t}\n\t\n\tTIFFGetFieldDefaulted(input, TIFFTAG_FILLORDER, &(t2p->tiff_fillorder));\n\t\n if(TIFFGetField(input, TIFFTAG_PHOTOMETRIC, &(t2p->tiff_photometric)) == 0){\n TIFFError(\n TIFF2PDF_MODULE, \n \"No support for %s with no photometric interpretation tag\", \n TIFFFileName(input) );\n t2p->t2p_error = T2P_ERR_ERROR;\n return;\n\n }\n \n\tswitch(t2p->tiff_photometric){\n\t\tcase PHOTOMETRIC_MINISWHITE:\n\t\tcase PHOTOMETRIC_MINISBLACK: \n\t\t\tif (t2p->tiff_bitspersample==1){\n\t\t\t\tt2p->pdf_colorspace=T2P_CS_BILEVEL;\n\t\t\t\tif(t2p->tiff_photometric==PHOTOMETRIC_MINISWHITE){\n\t\t\t\t\tt2p->pdf_switchdecode ^= 1;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tt2p->pdf_colorspace=T2P_CS_GRAY;\n\t\t\t\tif(t2p->tiff_photometric==PHOTOMETRIC_MINISWHITE){\n\t\t\t\t\tt2p->pdf_switchdecode ^= 1;\n\t\t\t\t} \n\t\t\t}\n\t\t\tbreak;\n\t\tcase PHOTOMETRIC_RGB: 
\n\t\t\tt2p->pdf_colorspace=T2P_CS_RGB;\n\t\t\tif(t2p->tiff_samplesperpixel == 3){\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif(TIFFGetField(input, TIFFTAG_INDEXED, &xuint16)){\n\t\t\t\tif(xuint16==1)\n\t\t\t\t\tgoto photometric_palette;\n\t\t\t}\n\t\t\tif(t2p->tiff_samplesperpixel > 3) {\n\t\t\t\tif(t2p->tiff_samplesperpixel == 4) {\n\t\t\t\t\tt2p->pdf_colorspace = T2P_CS_RGB;\n\t\t\t\t\tif(TIFFGetField(input,\n\t\t\t\t\t\t\tTIFFTAG_EXTRASAMPLES,\n\t\t\t\t\t\t\t&xuint16, &xuint16p)\n\t\t\t\t\t && xuint16 == 1) {\n\t\t\t\t\t\tif(xuint16p[0] == EXTRASAMPLE_ASSOCALPHA){\n\t\t\t\t\t\t\tif( t2p->tiff_bitspersample != 8 )\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t TIFFError(\n\t\t\t\t\t\t\t\t TIFF2PDF_MODULE, \n\t\t\t\t\t\t\t\t \"No support for BitsPerSample=%d for RGBA\",\n\t\t\t\t\t\t\t\t t2p->tiff_bitspersample);\n\t\t\t\t\t\t\t t2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\t\t\t return;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tt2p->pdf_sample=T2P_SAMPLE_RGBAA_TO_RGB;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif(xuint16p[0] == EXTRASAMPLE_UNASSALPHA){\n\t\t\t\t\t\t\tif( t2p->tiff_bitspersample != 8 )\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t TIFFError(\n\t\t\t\t\t\t\t\t TIFF2PDF_MODULE, \n\t\t\t\t\t\t\t\t \"No support for BitsPerSample=%d for RGBA\",\n\t\t\t\t\t\t\t\t t2p->tiff_bitspersample);\n\t\t\t\t\t\t\t t2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\t\t\t return;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tt2p->pdf_sample=T2P_SAMPLE_RGBA_TO_RGB;\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tTIFFWarning(\n\t\t\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\t\t\"RGB image %s has 4 samples per pixel, assuming RGBA\",\n\t\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t\tt2p->pdf_colorspace=T2P_CS_CMYK;\n\t\t\t\t\tt2p->pdf_switchdecode ^= 1;\n\t\t\t\t\tTIFFWarning(\n\t\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\t\"RGB image %s has 4 samples per pixel, assuming inverse CMYK\",\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\tbreak;\n\t\t\t\t} else {\n\t\t\t\t\tTIFFError(\n\t\t\t\t\t\tTIFF2PDF_MODULE, 
\n\t\t\t\t\t\t\"No support for RGB image %s with %u samples per pixel\", \n\t\t\t\t\t\tTIFFFileName(input), \n\t\t\t\t\t\tt2p->tiff_samplesperpixel);\n\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"No support for RGB image %s with %u samples per pixel\", \n\t\t\t\t\tTIFFFileName(input), \n\t\t\t\t\tt2p->tiff_samplesperpixel);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\tbreak;\n\t\t\t}\n\t\tcase PHOTOMETRIC_PALETTE: \n\t\t\tphotometric_palette:\n\t\t\tif(t2p->tiff_samplesperpixel!=1){\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"No support for palettized image %s with not one sample per pixel\", \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tt2p->pdf_colorspace=T2P_CS_RGB | T2P_CS_PALETTE;\n\t\t\tt2p->pdf_palettesize=0x0001<<t2p->tiff_bitspersample;\n\t\t\tif(!TIFFGetField(input, TIFFTAG_COLORMAP, &r, &g, &b)){\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE,\n\t\t\t\t\t\"Palettized image %s has no color map\",\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tif(r == NULL || g == NULL || b == NULL){\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE,\n\t\t\t\t\t\"Error getting 3 components from color map\");\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tif(t2p->pdf_palette != NULL){\n\t\t\t\t_TIFFfree(t2p->pdf_palette);\n\t\t\t\tt2p->pdf_palette=NULL;\n\t\t\t}\n\t\t\tt2p->pdf_palette = (unsigned char*)\n\t\t\t\t_TIFFmalloc(TIFFSafeMultiply(tmsize_t,t2p->pdf_palettesize,3));\n\t\t\tif(t2p->pdf_palette==NULL){\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"Can't allocate %u bytes of memory for t2p_read_tiff_image, %s\", \n\t\t\t\t\tt2p->pdf_palettesize, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = 
T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tfor(i=0;i<t2p->pdf_palettesize;i++){\n\t\t\t\tt2p->pdf_palette[(i*3)] = (unsigned char) (r[i]>>8);\n\t\t\t\tt2p->pdf_palette[(i*3)+1]= (unsigned char) (g[i]>>8);\n\t\t\t\tt2p->pdf_palette[(i*3)+2]= (unsigned char) (b[i]>>8);\n\t\t\t}\n\t\t\tt2p->pdf_palettesize *= 3;\n\t\t\tbreak;\n\t\tcase PHOTOMETRIC_SEPARATED:\n\t\t\tif(TIFFGetField(input, TIFFTAG_INDEXED, &xuint16)){\n\t\t\t\tif(xuint16==1){\n\t\t\t\t\t\tgoto photometric_palette_cmyk;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif( TIFFGetField(input, TIFFTAG_INKSET, &xuint16) ){\n\t\t\t\tif(xuint16 != INKSET_CMYK){\n\t\t\t\t\tTIFFError(\n\t\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\t\"No support for %s because its inkset is not CMYK\",\n\t\t\t\t\t\tTIFFFileName(input) );\n\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t}\n\t\t\tif(t2p->tiff_samplesperpixel==4){\n\t\t\t\tt2p->pdf_colorspace=T2P_CS_CMYK;\n\t\t\t} else {\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"No support for %s because it has %u samples per pixel\",\n\t\t\t\t\tTIFFFileName(input), \n\t\t\t\t\tt2p->tiff_samplesperpixel);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tbreak;\n\t\t\tphotometric_palette_cmyk:\n\t\t\tif(t2p->tiff_samplesperpixel!=1){\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"No support for palettized CMYK image %s with not one sample per pixel\", \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tt2p->pdf_colorspace=T2P_CS_CMYK | T2P_CS_PALETTE;\n\t\t\tt2p->pdf_palettesize=0x0001<<t2p->tiff_bitspersample;\n\t\t\tif(!TIFFGetField(input, TIFFTAG_COLORMAP, &r, &g, &b, &a)){\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE,\n\t\t\t\t\t\"Palettized image %s has no color map\",\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tif(r == NULL || g == NULL || b == NULL || a == 
NULL){\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE,\n\t\t\t\t\t\"Error getting 4 components from color map\");\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tif(t2p->pdf_palette != NULL){\n\t\t\t\t_TIFFfree(t2p->pdf_palette);\n\t\t\t\tt2p->pdf_palette=NULL;\n\t\t\t}\n\t\t\tt2p->pdf_palette = (unsigned char*) \n\t\t\t\t_TIFFmalloc(TIFFSafeMultiply(tmsize_t,t2p->pdf_palettesize,4));\n\t\t\tif(t2p->pdf_palette==NULL){\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"Can't allocate %u bytes of memory for t2p_read_tiff_image, %s\", \n\t\t\t\t\tt2p->pdf_palettesize, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tfor(i=0;i<t2p->pdf_palettesize;i++){\n\t\t\t\tt2p->pdf_palette[(i*4)] = (unsigned char) (r[i]>>8);\n\t\t\t\tt2p->pdf_palette[(i*4)+1]= (unsigned char) (g[i]>>8);\n\t\t\t\tt2p->pdf_palette[(i*4)+2]= (unsigned char) (b[i]>>8);\n\t\t\t\tt2p->pdf_palette[(i*4)+3]= (unsigned char) (a[i]>>8);\n\t\t\t}\n\t\t\tt2p->pdf_palettesize *= 4;\n\t\t\tbreak;\n\t\tcase PHOTOMETRIC_YCBCR:\n\t\t\tt2p->pdf_colorspace=T2P_CS_RGB;\n\t\t\tif(t2p->tiff_samplesperpixel==1){\n\t\t\t\tt2p->pdf_colorspace=T2P_CS_GRAY;\n\t\t\t\tt2p->tiff_photometric=PHOTOMETRIC_MINISBLACK;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tt2p->pdf_sample=T2P_SAMPLE_YCBCR_TO_RGB;\n#ifdef JPEG_SUPPORT\n\t\t\tif(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){\n\t\t\t\tt2p->pdf_sample=T2P_SAMPLE_NOTHING;\n\t\t\t}\n#endif\n\t\t\tbreak;\n\t\tcase PHOTOMETRIC_CIELAB:\n if( t2p->tiff_samplesperpixel != 3){\n TIFFError(\n TIFF2PDF_MODULE, \n \"Unsupported samplesperpixel = %d for CIELAB\", \n t2p->tiff_samplesperpixel);\n t2p->t2p_error = T2P_ERR_ERROR;\n return;\n }\n if( t2p->tiff_bitspersample != 8){\n TIFFError(\n TIFF2PDF_MODULE, \n \"Invalid bitspersample = %d for CIELAB\", \n t2p->tiff_bitspersample);\n t2p->t2p_error = T2P_ERR_ERROR;\n return;\n }\n\t\t\tt2p->pdf_labrange[0]= -127;\n\t\t\tt2p->pdf_labrange[1]= 
127;\n\t\t\tt2p->pdf_labrange[2]= -127;\n\t\t\tt2p->pdf_labrange[3]= 127;\n\t\t\tt2p->pdf_sample=T2P_SAMPLE_LAB_SIGNED_TO_UNSIGNED;\n\t\t\tt2p->pdf_colorspace=T2P_CS_LAB;\n\t\t\tbreak;\n\t\tcase PHOTOMETRIC_ICCLAB:\n\t\t\tt2p->pdf_labrange[0]= 0;\n\t\t\tt2p->pdf_labrange[1]= 255;\n\t\t\tt2p->pdf_labrange[2]= 0;\n\t\t\tt2p->pdf_labrange[3]= 255;\n\t\t\tt2p->pdf_colorspace=T2P_CS_LAB;\n\t\t\tbreak;\n\t\tcase PHOTOMETRIC_ITULAB:\n if( t2p->tiff_samplesperpixel != 3){\n TIFFError(\n TIFF2PDF_MODULE, \n \"Unsupported samplesperpixel = %d for ITULAB\", \n t2p->tiff_samplesperpixel);\n t2p->t2p_error = T2P_ERR_ERROR;\n return;\n }\n if( t2p->tiff_bitspersample != 8){\n TIFFError(\n TIFF2PDF_MODULE, \n \"Invalid bitspersample = %d for ITULAB\", \n t2p->tiff_bitspersample);\n t2p->t2p_error = T2P_ERR_ERROR;\n return;\n }\n\t\t\tt2p->pdf_labrange[0]=-85;\n\t\t\tt2p->pdf_labrange[1]=85;\n\t\t\tt2p->pdf_labrange[2]=-75;\n\t\t\tt2p->pdf_labrange[3]=124;\n\t\t\tt2p->pdf_sample=T2P_SAMPLE_LAB_SIGNED_TO_UNSIGNED;\n\t\t\tt2p->pdf_colorspace=T2P_CS_LAB;\n\t\t\tbreak;\n\t\tcase PHOTOMETRIC_LOGL:\n\t\tcase PHOTOMETRIC_LOGLUV:\n\t\t\tTIFFError(\n\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\"No support for %s with photometric interpretation LogL/LogLuv\", \n\t\t\t\tTIFFFileName(input));\n\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\treturn;\n\t\tdefault:\n\t\t\tTIFFError(\n\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\"No support for %s with photometric interpretation %u\", \n\t\t\t\tTIFFFileName(input),\n\t\t\t\tt2p->tiff_photometric);\n\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\treturn;\n\t}\n\n\tif(TIFFGetField(input, TIFFTAG_PLANARCONFIG, &(t2p->tiff_planar))){\n\t\tswitch(t2p->tiff_planar){\n\t\t\tcase 0:\n\t\t\t\tTIFFWarning(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"Image %s has planar configuration 0, assuming 1\", \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->tiff_planar=PLANARCONFIG_CONTIG;\n\t\t\tcase PLANARCONFIG_CONTIG:\n\t\t\t\tbreak;\n\t\t\tcase 
PLANARCONFIG_SEPARATE:\n\t\t\t\tt2p->pdf_sample=T2P_SAMPLE_PLANAR_SEPARATE_TO_CONTIG;\n\t\t\t\tif(t2p->tiff_bitspersample!=8){\n\t\t\t\t\tTIFFError(\n\t\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\t\"No support for %s with separated planar configuration and %u bits per sample\", \n\t\t\t\t\t\tTIFFFileName(input),\n\t\t\t\t\t\tt2p->tiff_bitspersample);\n\t\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\tTIFFError(\n\t\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\t\"No support for %s with planar configuration %u\", \n\t\t\t\t\tTIFFFileName(input),\n\t\t\t\t\tt2p->tiff_planar);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn;\n\t\t}\n\t}\n\n TIFFGetFieldDefaulted(input, TIFFTAG_ORIENTATION,\n &(t2p->tiff_orientation));\n if(t2p->tiff_orientation>8){\n TIFFWarning(TIFF2PDF_MODULE,\n \"Image %s has orientation %u, assuming 0\",\n TIFFFileName(input), t2p->tiff_orientation);\n t2p->tiff_orientation=0;\n }\n\n if(TIFFGetField(input, TIFFTAG_XRESOLUTION, &(t2p->tiff_xres) ) == 0){\n t2p->tiff_xres=0.0;\n }\n if(TIFFGetField(input, TIFFTAG_YRESOLUTION, &(t2p->tiff_yres) ) == 0){\n t2p->tiff_yres=0.0;\n }\n\tTIFFGetFieldDefaulted(input, TIFFTAG_RESOLUTIONUNIT,\n\t\t\t &(t2p->tiff_resunit));\n\tif(t2p->tiff_resunit == RESUNIT_CENTIMETER) {\n\t\tt2p->tiff_xres *= 2.54F;\n\t\tt2p->tiff_yres *= 2.54F;\n\t} else if (t2p->tiff_resunit != RESUNIT_INCH\n\t\t && t2p->pdf_centimeters != 0) {\n\t\tt2p->tiff_xres *= 2.54F;\n\t\tt2p->tiff_yres *= 2.54F;\n\t}\n\n\tt2p_compose_pdf_page(t2p);\n if( t2p->t2p_error == T2P_ERR_ERROR )\n\t return;\n\n\tt2p->pdf_transcode = T2P_TRANSCODE_ENCODE;\n /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */\n /* conversion. 
At least t2p_read_tiff_size and t2p_read_tiff_size_tile */\n /* do not take into account the number of samples, and thus */\n /* that can cause heap buffer overflows such as in */\n /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */\n\tif(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){\n#ifdef CCITT_SUPPORT\n\t\tif(t2p->tiff_compression==COMPRESSION_CCITTFAX4 \n\t\t\t){\n\t\t\tif(TIFFIsTiled(input) || (TIFFNumberOfStrips(input)==1) ){\n\t\t\t\tt2p->pdf_transcode = T2P_TRANSCODE_RAW;\n\t\t\t\tt2p->pdf_compression=T2P_COMPRESS_G4;\n\t\t\t}\n\t\t}\n#endif\n#ifdef ZIP_SUPPORT\n\t\tif(t2p->tiff_compression== COMPRESSION_ADOBE_DEFLATE \n\t\t\t|| t2p->tiff_compression==COMPRESSION_DEFLATE){\n\t\t\tif(TIFFIsTiled(input) || (TIFFNumberOfStrips(input)==1) ){\n\t\t\t\tuint16 predictor;\n\t\t\t\tt2p->pdf_transcode = T2P_TRANSCODE_RAW;\n\t\t\t\tt2p->pdf_compression=T2P_COMPRESS_ZIP;\n\t\t\t\tTIFFGetField(input, TIFFTAG_PREDICTOR, &predictor);\n\t\t\t\tt2p->pdf_compressionquality = predictor;\n\t\t\t\t/* TIFFTAG_ZIPQUALITY is always Z_DEFAULT_COMPRESSION on reading */\n\t\t\t}\n\t\t}\n#endif\n#ifdef OJPEG_SUPPORT\n\t\tif(t2p->tiff_compression==COMPRESSION_OJPEG){\n\t\t\tt2p->pdf_transcode = T2P_TRANSCODE_RAW;\n\t\t\tt2p->pdf_compression=T2P_COMPRESS_JPEG;\n\t\t\tt2p_process_ojpeg_tables(t2p, input);\n\t\t}\n#endif\n#ifdef JPEG_SUPPORT\n\t\tif(t2p->tiff_compression==COMPRESSION_JPEG){\n\t\t\tt2p->pdf_transcode = T2P_TRANSCODE_RAW;\n\t\t\tt2p->pdf_compression=T2P_COMPRESS_JPEG;\n\t\t}\n#endif\n\t\t(void)0;\n\t}\n\n\tif(t2p->pdf_transcode!=T2P_TRANSCODE_RAW){\n\t\tt2p->pdf_compression = t2p->pdf_defaultcompression;\n\t}\n\n#ifdef JPEG_SUPPORT\n\tif(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){\n\t\tif(t2p->pdf_colorspace & T2P_CS_PALETTE){\n\t\t\tt2p->pdf_sample|=T2P_SAMPLE_REALIZE_PALETTE;\n\t\t\tt2p->pdf_colorspace ^= 
T2P_CS_PALETTE;\n\t\t\tt2p->tiff_pages[t2p->pdf_page].page_extra--;\n\t\t}\n\t}\n\tif(t2p->tiff_compression==COMPRESSION_JPEG){\n\t\tif(t2p->tiff_planar==PLANARCONFIG_SEPARATE){\n\t\t\tTIFFError(\n\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\"No support for %s with JPEG compression and separated planar configuration\", \n\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error=T2P_ERR_ERROR;\n\t\t\treturn;\n\t\t}\n\t}\n#endif\n#ifdef OJPEG_SUPPORT\n\tif(t2p->tiff_compression==COMPRESSION_OJPEG){\n\t\tif(t2p->tiff_planar==PLANARCONFIG_SEPARATE){\n\t\t\tTIFFError(\n\t\t\t\tTIFF2PDF_MODULE, \n\t\t\t\t\"No support for %s with OJPEG compression and separated planar configuration\", \n\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error=T2P_ERR_ERROR;\n\t\t\treturn;\n\t\t}\n\t}\n#endif\n\n\tif(t2p->pdf_sample & T2P_SAMPLE_REALIZE_PALETTE){\n\t\tif(t2p->pdf_colorspace & T2P_CS_CMYK){\n\t\t\tt2p->tiff_samplesperpixel=4;\n\t\t\tt2p->tiff_photometric=PHOTOMETRIC_SEPARATED;\n\t\t} else {\n\t\t\tt2p->tiff_samplesperpixel=3;\n\t\t\tt2p->tiff_photometric=PHOTOMETRIC_RGB;\n\t\t}\n\t}\n\n\tif (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,\n\t\t\t &(t2p->tiff_transferfunction[0]),\n\t\t\t &(t2p->tiff_transferfunction[1]),\n\t\t\t &(t2p->tiff_transferfunction[2]))) {\n\t\tif((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&\n (t2p->tiff_transferfunction[2] != (uint16*) NULL)\n ) {\n\t\t\tt2p->tiff_transferfunctioncount=3;\n\t\t} else {\n\t\t\tt2p->tiff_transferfunctioncount=1;\n\t\t}\n\t} else {\n\t\tt2p->tiff_transferfunctioncount=0;\n\t}\n\tif(TIFFGetField(input, TIFFTAG_WHITEPOINT, &xfloatp)!=0){\n\t\tt2p->tiff_whitechromaticities[0]=xfloatp[0];\n\t\tt2p->tiff_whitechromaticities[1]=xfloatp[1];\n\t\tif(t2p->pdf_colorspace & T2P_CS_GRAY){\n\t\t\tt2p->pdf_colorspace |= T2P_CS_CALGRAY;\n\t\t}\n\t\tif(t2p->pdf_colorspace & T2P_CS_RGB){\n\t\t\tt2p->pdf_colorspace |= T2P_CS_CALRGB;\n\t\t}\n\t}\n\tif(TIFFGetField(input, TIFFTAG_PRIMARYCHROMATICITIES, 
&xfloatp)!=0){\n\t\tt2p->tiff_primarychromaticities[0]=xfloatp[0];\n\t\tt2p->tiff_primarychromaticities[1]=xfloatp[1];\n\t\tt2p->tiff_primarychromaticities[2]=xfloatp[2];\n\t\tt2p->tiff_primarychromaticities[3]=xfloatp[3];\n\t\tt2p->tiff_primarychromaticities[4]=xfloatp[4];\n\t\tt2p->tiff_primarychromaticities[5]=xfloatp[5];\n\t\tif(t2p->pdf_colorspace & T2P_CS_RGB){\n\t\t\tt2p->pdf_colorspace |= T2P_CS_CALRGB;\n\t\t}\n\t}\n\tif(t2p->pdf_colorspace & T2P_CS_LAB){\n\t\tif(TIFFGetField(input, TIFFTAG_WHITEPOINT, &xfloatp) != 0){\n\t\t\tt2p->tiff_whitechromaticities[0]=xfloatp[0];\n\t\t\tt2p->tiff_whitechromaticities[1]=xfloatp[1];\n\t\t} else {\n\t\t\tt2p->tiff_whitechromaticities[0]=0.3457F; /* 0.3127F; */\n\t\t\tt2p->tiff_whitechromaticities[1]=0.3585F; /* 0.3290F; */\n\t\t}\n\t}\n\tif(TIFFGetField(input, \n\t\tTIFFTAG_ICCPROFILE, \n\t\t&(t2p->tiff_iccprofilelength), \n\t\t&(t2p->tiff_iccprofile))!=0){\n\t\tt2p->pdf_colorspace |= T2P_CS_ICCBASED;\n\t} else {\n\t\tt2p->tiff_iccprofilelength=0;\n\t\tt2p->tiff_iccprofile=NULL;\n\t}\n\t\n#ifdef CCITT_SUPPORT\n\tif( t2p->tiff_bitspersample==1 &&\n\t\tt2p->tiff_samplesperpixel==1){\n\t\tt2p->pdf_compression = T2P_COMPRESS_G4;\n\t}\n#endif\n\n\n\treturn;\n}",
- "project": "libtiff",
- "hash": 249546762647681018805219825626624313897,
- "size": 650,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458973
- },
- {
- "func": "tsize_t t2p_write_pdf_info(T2P* t2p, TIFF* input, TIFF* output)\n{\n\ttsize_t written = 0;\n\tconst char* info;\n\tchar buffer[512];\n\n\tif(t2p->pdf_datetime[0] == '\\0')\n\t\tt2p_pdf_tifftime(t2p, input);\n\tif (strlen(t2p->pdf_datetime) > 0) {\n\t\twritten += t2pWriteFile(output, (tdata_t) \"<< \\n/CreationDate \", 18);\n\t\twritten += t2p_write_pdf_string(t2p->pdf_datetime, output);\n\t\twritten += t2pWriteFile(output, (tdata_t) \"\\n/ModDate \", 10);\n\t\twritten += t2p_write_pdf_string(t2p->pdf_datetime, output);\n\t}\n\twritten += t2pWriteFile(output, (tdata_t) \"\\n/Producer \", 11);\n\tsnprintf(buffer, sizeof(buffer), \"libtiff / tiff2pdf - %d\", TIFFLIB_VERSION);\n\twritten += t2p_write_pdf_string(buffer, output);\n\twritten += t2pWriteFile(output, (tdata_t) \"\\n\", 1);\n\tif (!t2p->pdf_creator_set) {\n\t\tif (TIFFGetField(input, TIFFTAG_SOFTWARE, &info) != 0 && info) {\n\t\t\tstrncpy(t2p->pdf_creator, info, sizeof(t2p->pdf_creator) - 1);\n\t\t\tt2p->pdf_creator[sizeof(t2p->pdf_creator) - 1] = '\\0';\n\t\t}\n\t}\n\tif (t2p->pdf_creator[0] != '\\0') {\n\t\twritten += t2pWriteFile(output, (tdata_t) \"/Creator \", 9);\n\t\twritten += t2p_write_pdf_string(t2p->pdf_creator, output);\n\t\twritten += t2pWriteFile(output, (tdata_t) \"\\n\", 1);\n\t}\n\tif (!t2p->pdf_author_set) {\n\t\tif ((TIFFGetField(input, TIFFTAG_ARTIST, &info) != 0\n\t\t || TIFFGetField(input, TIFFTAG_COPYRIGHT, &info) != 0)\n\t\t && info) {\n\t\t\tstrncpy(t2p->pdf_author, info, sizeof(t2p->pdf_author) - 1);\n\t\t\tt2p->pdf_author[sizeof(t2p->pdf_author) - 1] = '\\0';\n\t\t}\n\t}\n\tif (t2p->pdf_author[0] != '\\0') {\n\t\twritten += t2pWriteFile(output, (tdata_t) \"/Author \", 8);\n\t\twritten += t2p_write_pdf_string(t2p->pdf_author, output);\n\t\twritten += t2pWriteFile(output, (tdata_t) \"\\n\", 1);\n\t}\n\tif (!t2p->pdf_title_set) {\n\t\tif (TIFFGetField(input, TIFFTAG_DOCUMENTNAME, &info) != 0 && info) {\n\t\t\tstrncpy(t2p->pdf_title, info, sizeof(t2p->pdf_title) - 
1);\n\t\t\tt2p->pdf_title[sizeof(t2p->pdf_title) - 1] = '\\0';\n\t\t}\n\t}\n\tif (t2p->pdf_title[0] != '\\0') {\n\t\twritten += t2pWriteFile(output, (tdata_t) \"/Title \", 7);\n\t\twritten += t2p_write_pdf_string(t2p->pdf_title, output);\n\t\twritten += t2pWriteFile(output, (tdata_t) \"\\n\", 1);\n\t}\n\tif (!t2p->pdf_subject_set) {\n\t\tif (TIFFGetField(input, TIFFTAG_IMAGEDESCRIPTION, &info) != 0 && info) {\n\t\t\tstrncpy(t2p->pdf_subject, info, sizeof(t2p->pdf_subject) - 1);\n\t\t\tt2p->pdf_subject[sizeof(t2p->pdf_subject) - 1] = '\\0';\n\t\t}\n\t}\n\tif (t2p->pdf_subject[0] != '\\0') {\n\t\twritten += t2pWriteFile(output, (tdata_t) \"/Subject \", 9);\n\t\twritten += t2p_write_pdf_string(t2p->pdf_subject, output);\n\t\twritten += t2pWriteFile(output, (tdata_t) \"\\n\", 1);\n\t}\n\tif (t2p->pdf_keywords[0] != '\\0') {\n\t\twritten += t2pWriteFile(output, (tdata_t) \"/Keywords \", 10);\n\t\twritten += t2p_write_pdf_string(t2p->pdf_keywords, output);\n\t\twritten += t2pWriteFile(output, (tdata_t) \"\\n\", 1);\n\t}\n\twritten += t2pWriteFile(output, (tdata_t) \">> \\n\", 4);\n\n\treturn(written);\n}",
- "project": "libtiff",
- "hash": 15529802383915487239436101793385069277,
- "size": 73,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458974
- },
- {
- "func": "tsize_t t2p_write_pdf_string(const char* pdfstr, TIFF* output)\n{\n\ttsize_t written = 0;\n\tuint32 i = 0;\n\tchar buffer[64];\n\tsize_t len = 0;\n\t\n\tlen = strlen(pdfstr);\n\twritten += t2pWriteFile(output, (tdata_t) \"(\", 1);\n\tfor (i=0; i<len; i++) {\n\t\tif((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){\n\t\t\tsnprintf(buffer, sizeof(buffer), \"\\\\%.3o\", ((unsigned char)pdfstr[i]));\n\t\t\twritten += t2pWriteFile(output, (tdata_t)buffer, 4);\n\t\t} else {\n\t\t\tswitch (pdfstr[i]){\n\t\t\t\tcase 0x08:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) \"\\\\b\", 2);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 0x09:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) \"\\\\t\", 2);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 0x0A:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) \"\\\\n\", 2);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 0x0C:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) \"\\\\f\", 2);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 0x0D:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) \"\\\\r\", 2);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 0x28:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) \"\\\\(\", 2);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 0x29:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) \"\\\\)\", 2);\n\t\t\t\t\tbreak;\n\t\t\t\tcase 0x5C:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) \"\\\\\\\\\", 2);\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\twritten += t2pWriteFile(output, (tdata_t) &pdfstr[i], 1);\n\t\t\t}\n\t\t}\n\t}\n\twritten += t2pWriteFile(output, (tdata_t) \") \", 1);\n\n\treturn(written);\n}",
- "project": "libtiff",
- "hash": 86151881559785071816298781752930765945,
- "size": 48,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458970
- },
- {
- "func": "tsize_t t2p_write_pdf(T2P* t2p, TIFF* input, TIFF* output){\n\n\ttsize_t written=0;\n\tttile_t i2=0;\n\ttsize_t streamlen=0;\n\tuint16 i=0;\n\n\tt2p_read_tiff_init(t2p, input);\n\tif(t2p->t2p_error!=T2P_ERR_OK){return(0);}\n\tt2p->pdf_xrefoffsets= (uint32*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,t2p->pdf_xrefcount,sizeof(uint32)) );\n\tif(t2p->pdf_xrefoffsets==NULL){\n\t\tTIFFError(\n\t\t\tTIFF2PDF_MODULE, \n\t\t\t\"Can't allocate %u bytes of memory for t2p_write_pdf\", \n\t\t\t(unsigned int) (t2p->pdf_xrefcount * sizeof(uint32)) );\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\treturn(written);\n\t}\n\tt2p->pdf_xrefcount=0;\n\tt2p->pdf_catalog=1;\n\tt2p->pdf_info=2;\n\tt2p->pdf_pages=3;\n\twritten += t2p_write_pdf_header(t2p, output);\n\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\tt2p->pdf_catalog=t2p->pdf_xrefcount;\n\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\twritten += t2p_write_pdf_catalog(t2p, output);\n\twritten += t2p_write_pdf_obj_end(output);\n\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\tt2p->pdf_info=t2p->pdf_xrefcount;\n\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\twritten += t2p_write_pdf_info(t2p, input, output);\n\twritten += t2p_write_pdf_obj_end(output);\n\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\tt2p->pdf_pages=t2p->pdf_xrefcount;\n\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\twritten += t2p_write_pdf_pages(t2p, output);\n\twritten += t2p_write_pdf_obj_end(output);\n\tfor(t2p->pdf_page=0;t2p->pdf_page<t2p->tiff_pagecount;t2p->pdf_page++){\n\t\tt2p_read_tiff_data(t2p, input);\n\t\tif(t2p->t2p_error!=T2P_ERR_OK){return(0);}\n\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\twritten += t2p_write_pdf_page(t2p->pdf_xrefcount, t2p, output);\n\t\twritten += t2p_write_pdf_obj_end(output);\n\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\twritten += 
t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\twritten += t2p_write_pdf_stream_dict_start(output);\n\t\twritten += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output);\n\t\twritten += t2p_write_pdf_stream_dict_end(output);\n\t\twritten += t2p_write_pdf_stream_start(output);\n\t\tstreamlen=written;\n\t\twritten += t2p_write_pdf_page_content_stream(t2p, output);\n\t\tstreamlen=written-streamlen;\n\t\twritten += t2p_write_pdf_stream_end(output);\n\t\twritten += t2p_write_pdf_obj_end(output);\n\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\twritten += t2p_write_pdf_stream_length(streamlen, output);\n\t\twritten += t2p_write_pdf_obj_end(output);\n\t\tif(t2p->tiff_transferfunctioncount != 0){\n\t\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\t\twritten += t2p_write_pdf_transfer(t2p, output);\n\t\t\twritten += t2p_write_pdf_obj_end(output);\n\t\t\tfor(i=0; i < t2p->tiff_transferfunctioncount; i++){\n\t\t\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\t\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\t\t\twritten += t2p_write_pdf_stream_dict_start(output);\n\t\t\t\twritten += t2p_write_pdf_transfer_dict(t2p, output, i);\n\t\t\t\twritten += t2p_write_pdf_stream_dict_end(output);\n\t\t\t\twritten += t2p_write_pdf_stream_start(output);\n\t\t\t\t/* streamlen=written; */ /* value not used */\n\t\t\t\twritten += t2p_write_pdf_transfer_stream(t2p, output, i);\n\t\t\t\t/* streamlen=written-streamlen; */ /* value not used */\n\t\t\t\twritten += t2p_write_pdf_stream_end(output);\n\t\t\t\twritten += t2p_write_pdf_obj_end(output);\n\t\t\t}\n\t\t}\n\t\tif( (t2p->pdf_colorspace & T2P_CS_PALETTE) != 0){\n\t\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\t\tt2p->pdf_palettecs=t2p->pdf_xrefcount;\n\t\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, 
output);\n\t\t\twritten += t2p_write_pdf_stream_dict_start(output);\n\t\t\twritten += t2p_write_pdf_stream_dict(t2p->pdf_palettesize, 0, output);\n\t\t\twritten += t2p_write_pdf_stream_dict_end(output);\n\t\t\twritten += t2p_write_pdf_stream_start(output);\n\t\t\t/* streamlen=written; */ /* value not used */\n\t\t\twritten += t2p_write_pdf_xobject_palettecs_stream(t2p, output);\n\t\t\t/* streamlen=written-streamlen; */ /* value not used */\n\t\t\twritten += t2p_write_pdf_stream_end(output);\n\t\t\twritten += t2p_write_pdf_obj_end(output);\n\t\t}\n\t\tif( (t2p->pdf_colorspace & T2P_CS_ICCBASED) != 0){\n\t\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\t\tt2p->pdf_icccs=t2p->pdf_xrefcount;\n\t\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\t\twritten += t2p_write_pdf_stream_dict_start(output);\n\t\t\twritten += t2p_write_pdf_xobject_icccs_dict(t2p, output);\n\t\t\twritten += t2p_write_pdf_stream_dict_end(output);\n\t\t\twritten += t2p_write_pdf_stream_start(output);\n\t\t\t/* streamlen=written; */ /* value not used */\n\t\t\twritten += t2p_write_pdf_xobject_icccs_stream(t2p, output);\n\t\t\t/* streamlen=written-streamlen; */ /* value not used */\n\t\t\twritten += t2p_write_pdf_stream_end(output);\n\t\t\twritten += t2p_write_pdf_obj_end(output);\n\t\t}\n\t\tif(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount !=0){\n\t\t\tfor(i2=0;i2<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i2++){\n\t\t\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\t\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\t\t\twritten += t2p_write_pdf_stream_dict_start(output);\n\t\t\t\twritten += t2p_write_pdf_xobject_stream_dict(\n\t\t\t\t\ti2+1, \n\t\t\t\t\tt2p, \n\t\t\t\t\toutput);\n\t\t\t\twritten += t2p_write_pdf_stream_dict_end(output);\n\t\t\t\twritten += t2p_write_pdf_stream_start(output);\n\t\t\t\tstreamlen=written;\n\t\t\t\tt2p_read_tiff_size_tile(t2p, input, i2);\n\t\t\t\twritten += t2p_readwrite_pdf_image_tile(t2p, input, 
output, i2);\n\t\t\t\tt2p_write_advance_directory(t2p, output);\n\t\t\t\tif(t2p->t2p_error!=T2P_ERR_OK){return(0);}\n\t\t\t\tstreamlen=written-streamlen;\n\t\t\t\twritten += t2p_write_pdf_stream_end(output);\n\t\t\t\twritten += t2p_write_pdf_obj_end(output);\n\t\t\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\t\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\t\t\twritten += t2p_write_pdf_stream_length(streamlen, output);\n\t\t\t\twritten += t2p_write_pdf_obj_end(output);\n\t\t\t}\n\t\t} else {\n\t\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\t\twritten += t2p_write_pdf_stream_dict_start(output);\n\t\t\twritten += t2p_write_pdf_xobject_stream_dict(\n\t\t\t\t0, \n\t\t\t\tt2p, \n\t\t\t\toutput);\n\t\t\twritten += t2p_write_pdf_stream_dict_end(output);\n\t\t\twritten += t2p_write_pdf_stream_start(output);\n\t\t\tstreamlen=written;\n\t\t\tt2p_read_tiff_size(t2p, input);\n\t\t\tif (t2p->tiff_maxdatasize && (t2p->tiff_datasize > t2p->tiff_maxdatasize)) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Allocation of \" TIFF_UINT64_FORMAT \" bytes is forbidden. Limit is \" TIFF_UINT64_FORMAT \". 
Use -m option to change limit\",\n\t\t\t\t\t(uint64)t2p->tiff_datasize, (uint64)t2p->tiff_maxdatasize);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn (0);\n\t\t\t}\n\t\t\twritten += t2p_readwrite_pdf_image(t2p, input, output);\n\t\t\tt2p_write_advance_directory(t2p, output);\n\t\t\tif(t2p->t2p_error!=T2P_ERR_OK){return(0);}\n\t\t\tstreamlen=written-streamlen;\n\t\t\twritten += t2p_write_pdf_stream_end(output);\n\t\t\twritten += t2p_write_pdf_obj_end(output);\n\t\t\tt2p->pdf_xrefoffsets[t2p->pdf_xrefcount++]=written;\n\t\t\twritten += t2p_write_pdf_obj_start(t2p->pdf_xrefcount, output);\n\t\t\twritten += t2p_write_pdf_stream_length(streamlen, output);\n\t\t\twritten += t2p_write_pdf_obj_end(output);\n\t\t}\n\t}\n\tt2p->pdf_startxref = written;\n\twritten += t2p_write_pdf_xreftable(t2p, output);\n\twritten += t2p_write_pdf_trailer(t2p, output);\n\tt2p_disable(output);\n\n\treturn(written);\n}",
- "project": "libtiff",
- "hash": 121739583097653850761874652218865650196,
- "size": 169,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458967
- },
- {
- "func": "tsize_t t2p_sample_realize_palette(T2P* t2p, unsigned char* buffer){\n\n\tuint32 sample_count=0;\n\tuint16 component_count=0;\n\tuint32 palette_offset=0;\n\tuint32 sample_offset=0;\n\tuint32 i=0;\n\tuint32 j=0;\n size_t data_size;\n\tsample_count=t2p->tiff_width*t2p->tiff_length;\n\tcomponent_count=t2p->tiff_samplesperpixel;\n data_size=TIFFSafeMultiply(size_t,sample_count,component_count);\n if( (data_size == 0U) || (t2p->tiff_datasize < 0) ||\n (data_size > (size_t) t2p->tiff_datasize) )\n {\n TIFFError(TIFF2PDF_MODULE,\n \"Error: sample_count * component_count > t2p->tiff_datasize\");\n t2p->t2p_error = T2P_ERR_ERROR;\n return 1;\n }\n\t\n\tfor(i=sample_count;i>0;i--){\n\t\tpalette_offset=buffer[i-1] * component_count;\n\t\tsample_offset= (i-1) * component_count;\n\t\tif(palette_offset + component_count > t2p->pdf_palettesize){\n\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\"Error: palette_offset + component_count > t2p->pdf_palettesize\");\n\t\t\treturn 1;\n\t\t}\n\t\tfor(j=0;j<component_count;j++){\n\t\t\tbuffer[sample_offset+j]=t2p->pdf_palette[palette_offset+j];\n\t\t}\n\t}\n\n\treturn(0);\n}",
- "project": "libtiff",
- "hash": 11898587447193504535260703162915026572,
- "size": 36,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458980
- },
- {
- "func": "tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_t tile){\n\n\tuint16 edge=0;\n\ttsize_t written=0;\n\tunsigned char* buffer=NULL;\n\ttsize_t bufferoffset=0;\n\tunsigned char* samplebuffer=NULL;\n\ttsize_t samplebufferoffset=0;\n\ttsize_t read=0;\n\tuint16 i=0;\n\tttile_t tilecount=0;\n\t/* tsize_t tilesize=0; */\n\tttile_t septilecount=0;\n\ttsize_t septilesize=0;\n#ifdef JPEG_SUPPORT\n\tunsigned char* jpt;\n\tfloat* xfloatp;\n\tuint32 xuint32=0;\n#endif\n\n\t/* Fail if prior error (in particular, can't trust tiff_datasize) */\n\tif (t2p->t2p_error != T2P_ERR_OK)\n\t\treturn(0);\n\n\tedge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);\n\tedge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);\n\n\tif( (t2p->pdf_transcode == T2P_TRANSCODE_RAW) && ((edge == 0)\n#if defined(JPEG_SUPPORT) || defined(OJPEG_SUPPORT)\n\t\t|| (t2p->pdf_compression == T2P_COMPRESS_JPEG)\n#endif\n\t)\n\t){\n#ifdef CCITT_SUPPORT\n\t\tif(t2p->pdf_compression == T2P_COMPRESS_G4){\n\t\t\tbuffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\"Can't allocate %lu bytes of memory \"\n \"for t2p_readwrite_pdf_image_tile, %s\", \n\t\t\t\t\t(unsigned long) t2p->tiff_datasize, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tif (TIFFReadRawTile(input, tile, (tdata_t) buffer, t2p->tiff_datasize) < 0) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"TIFFReadRawTile() failed\");\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tif (t2p->tiff_fillorder==FILLORDER_LSB2MSB){\n\t\t\t\t\tTIFFReverseBits(buffer, t2p->tiff_datasize);\n\t\t\t}\n\t\t\tt2pWriteFile(output, (tdata_t) buffer, t2p->tiff_datasize);\n\t\t\t_TIFFfree(buffer);\n\t\t\treturn(t2p->tiff_datasize);\n\t\t}\n#endif\n#ifdef 
ZIP_SUPPORT\n\t\tif(t2p->pdf_compression == T2P_COMPRESS_ZIP){\n\t\t\tbuffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\"Can't allocate %lu bytes of memory \"\n \"for t2p_readwrite_pdf_image_tile, %s\", \n\t\t\t\t\t(unsigned long) t2p->tiff_datasize, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tif (TIFFReadRawTile(input, tile, (tdata_t) buffer, t2p->tiff_datasize) < 0) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"TIFFReadRawTile() failed\");\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tif (t2p->tiff_fillorder==FILLORDER_LSB2MSB){\n\t\t\t\t\tTIFFReverseBits(buffer, t2p->tiff_datasize);\n\t\t\t}\n\t\t\tt2pWriteFile(output, (tdata_t) buffer, t2p->tiff_datasize);\n\t\t\t_TIFFfree(buffer);\n\t\t\treturn(t2p->tiff_datasize);\n\t\t}\n#endif\n#ifdef OJPEG_SUPPORT\n\t\tif(t2p->tiff_compression == COMPRESSION_OJPEG){\n\t\t\ttsize_t retTIFFReadRawTile;\n\t\t\tif(! 
t2p->pdf_ojpegdata){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\"No support for OJPEG image %s with \"\n \"bad tables\", \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tbuffer=(unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\"Can't allocate %lu bytes of memory \"\n \"for t2p_readwrite_pdf_image, %s\", \n\t\t\t\t\t(unsigned long) t2p->tiff_datasize, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\t_TIFFmemcpy(buffer, t2p->pdf_ojpegdata, t2p->pdf_ojpegdatalength);\n\t\t\tif(edge!=0){\n\t\t\t\tif(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile)){\n\t\t\t\t\tbuffer[7]=\n\t\t\t\t\t\t(t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength >> 8) & 0xff;\n\t\t\t\t\tbuffer[8]=\n\t\t\t\t\t\t(t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength ) & 0xff;\n\t\t\t\t}\n\t\t\t\tif(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile)){\n\t\t\t\t\tbuffer[9]=\n\t\t\t\t\t\t(t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth >> 8) & 0xff;\n\t\t\t\t\tbuffer[10]=\n\t\t\t\t\t\t(t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth ) & 0xff;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbufferoffset = t2p->pdf_ojpegdatalength;\n\t\t\tretTIFFReadRawTile = TIFFReadRawTile(input,\n\t\t\t\t\ttile, \n\t\t\t\t\t(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), \n\t\t\t\t\t-1);\n\t\t\tif (retTIFFReadRawTile < 0) {\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \"TIFFReadRawTile() failed\");\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tbufferoffset += retTIFFReadRawTile;\n\t\t\t((unsigned char*)buffer)[bufferoffset++]=0xff;\n\t\t\t((unsigned char*)buffer)[bufferoffset++]=0xd9;\n\t\t\tt2pWriteFile(output, (tdata_t) buffer, 
bufferoffset);\n\t\t\t_TIFFfree(buffer);\n\t\t\treturn(bufferoffset);\n\t\t}\n#endif\n#ifdef JPEG_SUPPORT\n\t\tif(t2p->tiff_compression == COMPRESSION_JPEG){\n\t\t\tunsigned char table_end[2];\n\t\t\tuint32 count = 0;\n\t\t\tbuffer= (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\"Can't allocate \" TIFF_SIZE_FORMAT \" bytes of memory \"\n \"for t2p_readwrite_pdf_image_tile, %s\", \n (TIFF_SIZE_T) t2p->tiff_datasize, \n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tif(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {\n\t\t\t\tif (count > 4) {\n tsize_t retTIFFReadRawTile;\n /* Ignore EOI marker of JpegTables */\n\t\t\t\t\t_TIFFmemcpy(buffer, jpt, count - 2);\n\t\t\t\t\tbufferoffset += count - 2;\n /* Store last 2 bytes of the JpegTables */\n\t\t\t\t\ttable_end[0] = buffer[bufferoffset-2];\n\t\t\t\t\ttable_end[1] = buffer[bufferoffset-1];\n\t\t\t\t\txuint32 = bufferoffset;\n bufferoffset -= 2;\n retTIFFReadRawTile = TIFFReadRawTile(\n\t\t\t\t\t\tinput, \n\t\t\t\t\t\ttile, \n\t\t\t\t\t\t(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), \n\t\t\t\t\t\t-1);\n if( retTIFFReadRawTile < 0 )\n {\n _TIFFfree(buffer);\n t2p->t2p_error = T2P_ERR_ERROR;\n return(0);\n }\n\t\t\t\t\tbufferoffset += retTIFFReadRawTile;\n /* Overwrite SOI marker of image scan with previously */\n /* saved end of JpegTables */\n\t\t\t\t\tbuffer[xuint32-2]=table_end[0];\n\t\t\t\t\tbuffer[xuint32-1]=table_end[1];\n\t\t\t\t}\n\t\t\t}\n\t\t\tt2pWriteFile(output, (tdata_t) buffer, bufferoffset);\n\t\t\t_TIFFfree(buffer);\n\t\t\treturn(bufferoffset);\n\t\t}\n#endif\n\t\t(void)0;\n\t}\n\n\tif(t2p->pdf_sample==T2P_SAMPLE_NOTHING){\n\t\tbuffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\tif(buffer==NULL){\n\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\"Can't allocate %lu bytes of memory for \"\n 
\"t2p_readwrite_pdf_image_tile, %s\", \n\t\t\t\t(unsigned long) t2p->tiff_datasize, \n\t\t\t\tTIFFFileName(input));\n\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\treturn(0);\n\t\t}\n\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\n\t\tread = TIFFReadEncodedTile(\n\t\t\tinput, \n\t\t\ttile, \n\t\t\t(tdata_t) &buffer[bufferoffset], \n\t\t\tt2p->tiff_datasize);\n\t\tif(read==-1){\n\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\"Error on decoding tile %u of %s\", \n\t\t\t\ttile, \n\t\t\t\tTIFFFileName(input));\n\t\t\t_TIFFfree(buffer);\n\t\t\tt2p->t2p_error=T2P_ERR_ERROR;\n\t\t\treturn(0);\n\t\t}\n\n\t} else {\n\n\t\tif(t2p->pdf_sample == T2P_SAMPLE_PLANAR_SEPARATE_TO_CONTIG){\n\t\t\tseptilesize=TIFFTileSize(input);\n\t\t\tseptilecount=TIFFNumberOfTiles(input);\n\t\t\t/* tilesize=septilesize*t2p->tiff_samplesperpixel; */\n\t\t\ttilecount=septilecount/t2p->tiff_samplesperpixel;\n\t\t\tbuffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %lu bytes of memory \"\n\t\t\t\t\t\"for t2p_readwrite_pdf_image_tile, %s\",\n\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tsamplebuffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(samplebuffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %lu bytes of memory \"\n\t\t\t\t\t\"for t2p_readwrite_pdf_image_tile, %s\",\n\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(samplebuffer, 0, t2p->tiff_datasize);\n\t\t\tsamplebufferoffset=0;\n\t\t\tfor(i=0;i<t2p->tiff_samplesperpixel;i++){\n\t\t\t\tread = \n\t\t\t\t\tTIFFReadEncodedTile(input, \n\t\t\t\t\t\ttile + i*tilecount, \n\t\t\t\t\t\t(tdata_t) 
&(samplebuffer[samplebufferoffset]), \n\t\t\t\t\t\tseptilesize);\n\t\t\t\tif(read==-1){\n\t\t\t\t\tTIFFError(TIFF2PDF_MODULE, \n\t\t\t\t\t\t\"Error on decoding tile %u of %s\", \n\t\t\t\t\t\ttile + i*tilecount, \n\t\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t\t\t_TIFFfree(samplebuffer);\n\t\t\t\t\t\t_TIFFfree(buffer);\n\t\t\t\t\tt2p->t2p_error=T2P_ERR_ERROR;\n\t\t\t\t\treturn(0);\n\t\t\t\t}\n\t\t\t\tsamplebufferoffset+=read;\n\t\t\t}\n\t\t\tt2p_sample_planar_separate_to_contig(\n\t\t\t\tt2p,\n\t\t\t\t&(buffer[bufferoffset]),\n\t\t\t\tsamplebuffer, \n\t\t\t\tsamplebufferoffset); \n\t\t\tbufferoffset+=samplebufferoffset;\n\t\t\t_TIFFfree(samplebuffer);\n\t\t}\n\n\t\tif(buffer==NULL){\n\t\t\tbuffer = (unsigned char*) _TIFFmalloc(t2p->tiff_datasize);\n\t\t\tif(buffer==NULL){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Can't allocate %lu bytes of memory \"\n\t\t\t\t\t\"for t2p_readwrite_pdf_image_tile, %s\",\n\t\t\t\t\t(unsigned long) t2p->tiff_datasize,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t\tmemset(buffer, 0, t2p->tiff_datasize);\n\t\t\tread = TIFFReadEncodedTile(\n\t\t\t\tinput, \n\t\t\t\ttile, \n\t\t\t\t(tdata_t) &buffer[bufferoffset], \n\t\t\t\tt2p->tiff_datasize);\n\t\t\tif(read==-1){\n\t\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\t\"Error on decoding tile %u of %s\",\n\t\t\t\t\ttile,\n\t\t\t\t\tTIFFFileName(input));\n\t\t\t\t_TIFFfree(buffer);\n\t\t\t\tt2p->t2p_error=T2P_ERR_ERROR;\n\t\t\t\treturn(0);\n\t\t\t}\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_RGBA_TO_RGB){\n\t\t\tt2p->tiff_datasize=t2p_sample_rgba_to_rgb(\n\t\t\t\t(tdata_t)buffer, \n\t\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth\n\t\t\t\t*t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_RGBAA_TO_RGB){\n\t\t\tt2p->tiff_datasize=t2p_sample_rgbaa_to_rgb(\n\t\t\t\t(tdata_t)buffer, 
\n\t\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth\n\t\t\t\t*t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_YCBCR_TO_RGB){\n\t\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t\t\t\"No support for YCbCr to RGB in tile for %s\",\n\t\t\t\tTIFFFileName(input));\n\t\t\t_TIFFfree(buffer);\n\t\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\t\treturn(0);\n\t\t}\n\n\t\tif(t2p->pdf_sample & T2P_SAMPLE_LAB_SIGNED_TO_UNSIGNED){\n\t\t\tt2p->tiff_datasize=t2p_sample_lab_signed_to_unsigned(\n\t\t\t\t(tdata_t)buffer,\n\t\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth\n\t\t\t\t*t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);\n\t\t}\n\t}\n\n\tif(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile) != 0){\n\t\tif ((uint64)t2p->tiff_datasize < (uint64)TIFFTileRowSize(input) * (uint64)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength) {\n\t\t\t/* we don't know how to handle PLANARCONFIG_CONTIG, PHOTOMETRIC_YCBCR with 3 samples per pixel */\n\t\t\tTIFFWarning(\n\t\t\t\tTIFF2PDF_MODULE,\n\t\t\t\t\"Don't know how to collapse tile to the left\");\n\t\t} else {\n\t\t\tt2p_tile_collapse_left(\n\t\t\t\tbuffer,\n\t\t\t\tTIFFTileRowSize(input),\n\t\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth,\n\t\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth,\n\t\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);\n\t\t}\n\t}\n\n\n\tt2p_disable(output);\n\tTIFFSetField(output, TIFFTAG_PHOTOMETRIC, t2p->tiff_photometric);\n\tTIFFSetField(output, TIFFTAG_BITSPERSAMPLE, t2p->tiff_bitspersample);\n\tTIFFSetField(output, TIFFTAG_SAMPLESPERPIXEL, t2p->tiff_samplesperpixel);\n\tif(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile) == 0){\n\t\tTIFFSetField(\n\t\t\toutput, \n\t\t\tTIFFTAG_IMAGEWIDTH, \n\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);\n\t} else {\n\t\tTIFFSetField(\n\t\t\toutput, \n\t\t\tTIFFTAG_IMAGEWIDTH, 
\n\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);\n\t}\n\tif(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile) == 0){\n\t\tTIFFSetField(\n\t\t\toutput, \n\t\t\tTIFFTAG_IMAGELENGTH, \n\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);\n\t\tTIFFSetField(\n\t\t\toutput, \n\t\t\tTIFFTAG_ROWSPERSTRIP, \n\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);\n\t} else {\n\t\tTIFFSetField(\n\t\t\toutput, \n\t\t\tTIFFTAG_IMAGELENGTH, \n\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);\n\t\tTIFFSetField(\n\t\t\toutput, \n\t\t\tTIFFTAG_ROWSPERSTRIP, \n\t\t\tt2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);\n\t}\n\tTIFFSetField(output, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);\n\tTIFFSetField(output, TIFFTAG_FILLORDER, FILLORDER_MSB2LSB);\n\n\tswitch(t2p->pdf_compression){\n\tcase T2P_COMPRESS_NONE:\n\t\tTIFFSetField(output, TIFFTAG_COMPRESSION, COMPRESSION_NONE);\n\t\tbreak;\n#ifdef CCITT_SUPPORT\n\tcase T2P_COMPRESS_G4:\n\t\tTIFFSetField(output, TIFFTAG_COMPRESSION, COMPRESSION_CCITTFAX4);\n\t\tbreak;\n#endif\n#ifdef JPEG_SUPPORT\n\tcase T2P_COMPRESS_JPEG:\n\t\tif (t2p->tiff_photometric==PHOTOMETRIC_YCBCR) {\n\t\t\tuint16 hor = 0, ver = 0;\n\t\t\tif (TIFFGetField(input, TIFFTAG_YCBCRSUBSAMPLING, &hor, &ver)!=0) {\n\t\t\t\tif (hor != 0 && ver != 0) {\n\t\t\t\t\tTIFFSetField(output, TIFFTAG_YCBCRSUBSAMPLING, hor, ver);\n\t\t\t\t}\n\t\t\t}\n\t\t\tif(TIFFGetField(input, TIFFTAG_REFERENCEBLACKWHITE, &xfloatp)!=0){\n\t\t\t\tTIFFSetField(output, TIFFTAG_REFERENCEBLACKWHITE, xfloatp);\n\t\t\t}\n\t\t}\n\t\tTIFFSetField(output, TIFFTAG_COMPRESSION, COMPRESSION_JPEG);\n\t\tTIFFSetField(output, TIFFTAG_JPEGTABLESMODE, 0); /* JPEGTABLESMODE_NONE */\n\t\tif(t2p->pdf_colorspace & (T2P_CS_RGB | T2P_CS_LAB)){\n\t\t\tTIFFSetField(output, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_YCBCR);\n\t\t\tif(t2p->tiff_photometric != PHOTOMETRIC_YCBCR){\n\t\t\t\tTIFFSetField(output, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB);\n\t\t\t} else 
{\n\t\t\t\tTIFFSetField(output, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RAW);\n\t\t\t}\n\t\t}\n\t\tif(t2p->pdf_colorspace & T2P_CS_GRAY){\n\t\t\t(void)0;\n\t\t}\n\t\tif(t2p->pdf_colorspace & T2P_CS_CMYK){\n\t\t\t(void)0;\n\t\t}\n\t\tif(t2p->pdf_defaultcompressionquality != 0){\n\t\t\tTIFFSetField(output, \n\t\t\t\tTIFFTAG_JPEGQUALITY, \n\t\t\t\tt2p->pdf_defaultcompressionquality);\n\t\t}\n\t\tbreak;\n#endif\n#ifdef ZIP_SUPPORT\n\tcase T2P_COMPRESS_ZIP:\n\t\tTIFFSetField(output, TIFFTAG_COMPRESSION, COMPRESSION_DEFLATE);\n\t\tif(t2p->pdf_defaultcompressionquality%100 != 0){\n\t\t\tTIFFSetField(output, \n\t\t\t\tTIFFTAG_PREDICTOR, \n\t\t\t\tt2p->pdf_defaultcompressionquality % 100);\n\t\t}\n\t\tif(t2p->pdf_defaultcompressionquality/100 != 0){\n\t\t\tTIFFSetField(output, \n\t\t\t\tTIFFTAG_ZIPQUALITY, \n\t\t\t\t(t2p->pdf_defaultcompressionquality / 100));\n\t\t}\n\t\tbreak;\n#endif\n\tdefault:\n\t\tbreak;\n\t}\n\n\tt2p_enable(output);\n\tt2p->outputwritten = 0;\n\tbufferoffset = TIFFWriteEncodedStrip(output, (tstrip_t) 0, buffer,\n\t TIFFStripSize(output));\n\tif (buffer != NULL) {\n\t\t_TIFFfree(buffer);\n\t\tbuffer = NULL;\n\t}\n\tif (bufferoffset == -1) {\n\t\tTIFFError(TIFF2PDF_MODULE,\n\t\t \"Error writing encoded tile to output PDF %s\",\n\t\t TIFFFileName(output));\n\t\tt2p->t2p_error = T2P_ERR_ERROR;\n\t\treturn(0);\n\t}\n\t\n\twritten = t2p->outputwritten;\n\t\n\treturn(written);\n}",
- "project": "libtiff",
- "hash": 6062510438439762854881860806786490226,
- "size": 480,
- "commit_id": "7be2e452ddcf6d7abca88f41d3761e6edab72b22",
- "message": "tiff2pdf.c: properly calculate datasize when saving to JPEG YCbCr\n\nfixes #220",
- "target": 0,
- "dataset": "other",
- "idx": 458976
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "update_send_window_create",
- "update_send_new_or_existing_window",
- "update_calculate_new_or_existing_window"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static BOOL update_send_new_or_existing_window(rdpContext* context,\n const WINDOW_ORDER_INFO* orderInfo,\n const WINDOW_STATE_ORDER* stateOrder)\n{\n\twStream* s;\n\trdpUpdate* update = context->update;\n\tBYTE controlFlags = ORDER_SECONDARY | (ORDER_TYPE_WINDOW << 2);\n\tUINT16 orderSize = update_calculate_new_or_existing_window(orderInfo, stateOrder);\n\n\tupdate_check_flush(context, orderSize);\n\n\ts = update->us;\n\n\tif (!s)\n\t\treturn FALSE;\n\n\tif (!Stream_EnsureRemainingCapacity(s, orderSize))\n\t\treturn FALSE;\n\n\tStream_Write_UINT8(s, controlFlags); /* Header (1 byte) */\n\tStream_Write_UINT16(s, orderSize); /* OrderSize (2 bytes) */\n\tStream_Write_UINT32(s, orderInfo->fieldFlags); /* FieldsPresentFlags (4 bytes) */\n\tStream_Write_UINT32(s, orderInfo->windowId); /* WindowID (4 bytes) */\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_OWNER) != 0)\n\t\tStream_Write_UINT32(s, stateOrder->ownerWindowId);\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_STYLE) != 0)\n\t{\n\t\tStream_Write_UINT32(s, stateOrder->style);\n\t\tStream_Write_UINT32(s, stateOrder->extendedStyle);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_SHOW) != 0)\n\t{\n\t\tStream_Write_UINT8(s, stateOrder->showState);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_TITLE) != 0)\n\t{\n\t\tStream_Write_UINT16(s, stateOrder->titleInfo.length);\n\t\tStream_Write(s, stateOrder->titleInfo.string, stateOrder->titleInfo.length);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_CLIENT_AREA_OFFSET) != 0)\n\t{\n\t\tStream_Write_INT32(s, stateOrder->clientOffsetX);\n\t\tStream_Write_INT32(s, stateOrder->clientOffsetY);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_CLIENT_AREA_SIZE) != 0)\n\t{\n\t\tStream_Write_UINT32(s, stateOrder->clientAreaWidth);\n\t\tStream_Write_UINT32(s, stateOrder->clientAreaHeight);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_RESIZE_MARGIN_X) != 0)\n\t{\n\t\tStream_Write_UINT32(s, 
stateOrder->resizeMarginLeft);\n\t\tStream_Write_UINT32(s, stateOrder->resizeMarginRight);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_RESIZE_MARGIN_Y) != 0)\n\t{\n\t\tStream_Write_UINT32(s, stateOrder->resizeMarginTop);\n\t\tStream_Write_UINT32(s, stateOrder->resizeMarginBottom);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_RP_CONTENT) != 0)\n\t{\n\t\tStream_Write_UINT8(s, stateOrder->RPContent);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_ROOT_PARENT) != 0)\n\t{\n\t\tStream_Write_UINT32(s, stateOrder->rootParentHandle);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_WND_OFFSET) != 0)\n\t{\n\t\tStream_Write_INT32(s, stateOrder->windowOffsetX);\n\t\tStream_Write_INT32(s, stateOrder->windowOffsetY);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_WND_CLIENT_DELTA) != 0)\n\t{\n\t\tStream_Write_INT32(s, stateOrder->windowClientDeltaX);\n\t\tStream_Write_INT32(s, stateOrder->windowClientDeltaY);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_WND_SIZE) != 0)\n\t{\n\t\tStream_Write_UINT32(s, stateOrder->windowWidth);\n\t\tStream_Write_UINT32(s, stateOrder->windowHeight);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_WND_RECTS) != 0)\n\t{\n\t\tStream_Write_UINT16(s, stateOrder->numWindowRects);\n\t\tStream_Write(s, stateOrder->windowRects, stateOrder->numWindowRects * sizeof(RECTANGLE_16));\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_VIS_OFFSET) != 0)\n\t{\n\t\tStream_Write_UINT32(s, stateOrder->visibleOffsetX);\n\t\tStream_Write_UINT32(s, stateOrder->visibleOffsetY);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_VISIBILITY) != 0)\n\t{\n\t\tStream_Write_UINT16(s, stateOrder->numVisibilityRects);\n\t\tStream_Write(s, stateOrder->visibilityRects,\n\t\t stateOrder->numVisibilityRects * sizeof(RECTANGLE_16));\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_OVERLAY_DESCRIPTION) != 0)\n\t{\n\t\tStream_Write_UINT16(s, 
stateOrder->OverlayDescription.length);\n\t\tStream_Write(s, stateOrder->OverlayDescription.string,\n\t\t stateOrder->OverlayDescription.length);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_TASKBAR_BUTTON) != 0)\n\t{\n\t\tStream_Write_UINT8(s, stateOrder->TaskbarButton);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_ENFORCE_SERVER_ZORDER) != 0)\n\t{\n\t\tStream_Write_UINT8(s, stateOrder->EnforceServerZOrder);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_APPBAR_STATE) != 0)\n\t{\n\t\tStream_Write_UINT8(s, stateOrder->AppBarState);\n\t}\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_APPBAR_EDGE) != 0)\n\t{\n\t\tStream_Write_UINT8(s, stateOrder->AppBarEdge);\n\t}\n\n\tupdate->numberOrders++;\n\treturn TRUE;\n}",
- "project": "FreeRDP",
- "hash": 124760451968936173510223398271208979727,
- "size": 145,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295068
- },
- {
- "func": "static UINT16 update_calculate_new_or_existing_window(const WINDOW_ORDER_INFO* orderInfo,\n const WINDOW_STATE_ORDER* stateOrder)\n{\n\tUINT16 orderSize = 11;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_OWNER) != 0)\n\t\torderSize += 4;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_STYLE) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_SHOW) != 0)\n\t\torderSize += 1;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_TITLE) != 0)\n\t\torderSize += 2 + stateOrder->titleInfo.length;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_CLIENT_AREA_OFFSET) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_CLIENT_AREA_SIZE) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_RESIZE_MARGIN_X) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_RESIZE_MARGIN_Y) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_RP_CONTENT) != 0)\n\t\torderSize += 1;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_ROOT_PARENT) != 0)\n\t\torderSize += 4;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_WND_OFFSET) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_WND_CLIENT_DELTA) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_WND_SIZE) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_WND_RECTS) != 0)\n\t\torderSize += 2 + stateOrder->numWindowRects * sizeof(RECTANGLE_16);\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_VIS_OFFSET) != 0)\n\t\torderSize += 8;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_VISIBILITY) != 0)\n\t\torderSize += 2 + stateOrder->numVisibilityRects * sizeof(RECTANGLE_16);\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_OVERLAY_DESCRIPTION) != 0)\n\t\torderSize += 2 + stateOrder->OverlayDescription.length;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_TASKBAR_BUTTON) 
!= 0)\n\t\torderSize += 1;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_ENFORCE_SERVER_ZORDER) != 0)\n\t\torderSize += 1;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_APPBAR_STATE) != 0)\n\t\torderSize += 1;\n\n\tif ((orderInfo->fieldFlags & WINDOW_ORDER_FIELD_APPBAR_EDGE) != 0)\n\t\torderSize += 1;\n\n\treturn orderSize;\n}",
- "project": "FreeRDP",
- "hash": 31939646501544311464704313942093584006,
- "size": 70,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295040
- },
- {
- "func": "static BOOL update_send_window_create(rdpContext* context, const WINDOW_ORDER_INFO* orderInfo,\n const WINDOW_STATE_ORDER* stateOrder)\n{\n\treturn update_send_new_or_existing_window(context, orderInfo, stateOrder);\n}",
- "project": "FreeRDP",
- "hash": 70810042977149728754304204225912821312,
- "size": 5,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295102
- },
- {
- "func": "static BOOL update_send_window_update(rdpContext* context, const WINDOW_ORDER_INFO* orderInfo,\n const WINDOW_STATE_ORDER* stateOrder)\n{\n\treturn update_send_new_or_existing_window(context, orderInfo, stateOrder);\n}",
- "project": "FreeRDP",
- "hash": 292010346822393637013189358006251972620,
- "size": 5,
- "commit_id": "0332cad015fdf7fac7e5c6863484f18a554e0fcf",
- "message": "Fixed oob read in update_recv\n\nproperly use update_type_to_string to print update type.\nThanks to hac425 CVE-2020-11019",
- "target": 0,
- "dataset": "other",
- "idx": 295026
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "rtsx_usb_ms_handle_req",
- "rtsx_usb_ms_issue_cmd",
- "ms_write_bytes",
- "ms_clear_error"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "static void ms_print_debug_regs(struct rtsx_usb_ms *host)\n{\n}",
- "project": "linux",
- "hash": 176400605400045756040048099491150353938,
- "size": 3,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386056
- },
- {
- "func": "static void ms_print_debug_regs(struct rtsx_usb_ms *host)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tu16 i;\n\tu8 *ptr;\n\n\t/* Print MS host internal registers */\n\trtsx_usb_init_cmd(ucr);\n\n\t/* MS_CFG to MS_INT_REG */\n\tfor (i = 0xFD40; i <= 0xFD44; i++)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, i, 0, 0);\n\n\t/* CARD_SHARE_MODE to CARD_GPIO */\n\tfor (i = 0xFD51; i <= 0xFD56; i++)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, i, 0, 0);\n\n\t/* CARD_PULL_CTLx */\n\tfor (i = 0xFD60; i <= 0xFD65; i++)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, i, 0, 0);\n\n\t/* CARD_DATA_SOURCE, CARD_SELECT, CARD_CLK_EN, CARD_PWR_CTL */\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, CARD_DATA_SOURCE, 0, 0);\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, CARD_SELECT, 0, 0);\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, CARD_CLK_EN, 0, 0);\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, CARD_PWR_CTL, 0, 0);\n\n\trtsx_usb_send_cmd(ucr, MODE_CR, 100);\n\trtsx_usb_get_rsp(ucr, 21, 100);\n\n\tptr = ucr->rsp_buf;\n\tfor (i = 0xFD40; i <= 0xFD44; i++)\n\t\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", i, *(ptr++));\n\tfor (i = 0xFD51; i <= 0xFD56; i++)\n\t\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", i, *(ptr++));\n\tfor (i = 0xFD60; i <= 0xFD65; i++)\n\t\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", i, *(ptr++));\n\n\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", CARD_DATA_SOURCE, *(ptr++));\n\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", CARD_SELECT, *(ptr++));\n\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", CARD_CLK_EN, *(ptr++));\n\tdev_dbg(ms_dev(host), \"0x%04X: 0x%02x\\n\", CARD_PWR_CTL, *(ptr++));\n}",
- "project": "linux",
- "hash": 326803931574304168358292052953432330419,
- "size": 43,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386058
- },
- {
- "func": "static int rtsx_usb_ms_issue_cmd(struct rtsx_usb_ms *host)\n{\n\tstruct memstick_request *req = host->req;\n\tint err = 0;\n\tu8 cfg = 0, int_reg;\n\n\tdev_dbg(ms_dev(host), \"%s\\n\", __func__);\n\n\tif (req->need_card_int) {\n\t\tif (host->ifmode != MEMSTICK_SERIAL)\n\t\t\tcfg = WAIT_INT;\n\t}\n\n\tif (req->long_data) {\n\t\terr = ms_transfer_data(host, req->data_dir,\n\t\t\t\treq->tpc, cfg, &(req->sg));\n\t} else {\n\t\tif (req->data_dir == READ)\n\t\t\terr = ms_read_bytes(host, req->tpc, cfg,\n\t\t\t\t\treq->data_len, req->data, &int_reg);\n\t\telse\n\t\t\terr = ms_write_bytes(host, req->tpc, cfg,\n\t\t\t\t\treq->data_len, req->data, &int_reg);\n\t}\n\tif (err < 0)\n\t\treturn err;\n\n\tif (req->need_card_int) {\n\t\tif (host->ifmode == MEMSTICK_SERIAL) {\n\t\t\terr = ms_read_bytes(host, MS_TPC_GET_INT,\n\t\t\t\t\tNO_WAIT_INT, 1, &req->int_reg, NULL);\n\t\t\tif (err < 0)\n\t\t\t\treturn err;\n\t\t} else {\n\n\t\t\tif (int_reg & MS_INT_CMDNK)\n\t\t\t\treq->int_reg |= MEMSTICK_INT_CMDNAK;\n\t\t\tif (int_reg & MS_INT_BREQ)\n\t\t\t\treq->int_reg |= MEMSTICK_INT_BREQ;\n\t\t\tif (int_reg & MS_INT_ERR)\n\t\t\t\treq->int_reg |= MEMSTICK_INT_ERR;\n\t\t\tif (int_reg & MS_INT_CED)\n\t\t\t\treq->int_reg |= MEMSTICK_INT_CED;\n\t\t}\n\t\tdev_dbg(ms_dev(host), \"int_reg: 0x%02x\\n\", req->int_reg);\n\t}\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 169539839505914735375447515182540820783,
- "size": 49,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386061
- },
- {
- "func": "static int ms_write_bytes(struct rtsx_usb_ms *host, u8 tpc,\n\t\tu8 cfg, u8 cnt, u8 *data, u8 *int_reg)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tint err, i;\n\n\tdev_dbg(ms_dev(host), \"%s: tpc = 0x%02x\\n\", __func__, tpc);\n\n\trtsx_usb_init_cmd(ucr);\n\n\tfor (i = 0; i < cnt; i++)\n\t\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD,\n\t\t\t\tPPBUF_BASE2 + i, 0xFF, data[i]);\n\n\tif (cnt % 2)\n\t\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD,\n\t\t\t\tPPBUF_BASE2 + i, 0xFF, 0xFF);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_DATA_SOURCE,\n\t\t\t0x01, PINGPONG_BUFFER);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANSFER,\n\t\t\t0xFF, MS_TRANSFER_START | MS_TM_WRITE_BYTES);\n\trtsx_usb_add_cmd(ucr, CHECK_REG_CMD, MS_TRANSFER,\n\t\t\tMS_TRANSFER_END, MS_TRANSFER_END);\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, MS_TRANS_CFG, 0, 0);\n\n\terr = rtsx_usb_send_cmd(ucr, MODE_CR, 100);\n\tif (err)\n\t\treturn err;\n\n\terr = rtsx_usb_get_rsp(ucr, 2, 5000);\n\tif (err || (ucr->rsp_buf[0] & MS_TRANSFER_ERR)) {\n\t\tu8 val;\n\n\t\trtsx_usb_ep0_read_register(ucr, MS_TRANS_CFG, &val);\n\t\tdev_dbg(ms_dev(host), \"MS_TRANS_CFG: 0x%02x\\n\", val);\n\n\t\tif (int_reg)\n\t\t\t*int_reg = val & 0x0F;\n\n\t\tms_print_debug_regs(host);\n\n\t\tms_clear_error(host);\n\n\t\tif (!(tpc & 0x08)) {\n\t\t\tif (val & MS_CRC16_ERR)\n\t\t\t\treturn -EIO;\n\t\t} else {\n\t\t\tif (!(val & 0x80)) {\n\t\t\t\tif (val & (MS_INT_ERR | MS_INT_CMDNK))\n\t\t\t\t\treturn -EIO;\n\t\t\t}\n\t\t}\n\n\t\treturn -ETIMEDOUT;\n\t}\n\n\tif (int_reg)\n\t\t*int_reg = ucr->rsp_buf[1] & 0x0F;\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 43064859218006336972034644189664040268,
- "size": 66,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386059
- },
- {
- "func": "static inline void ms_clear_error(struct rtsx_usb_ms *host)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\trtsx_usb_ep0_write_register(ucr, CARD_STOP,\n\t\t\t\t MS_STOP | MS_CLR_ERR,\n\t\t\t\t MS_STOP | MS_CLR_ERR);\n\n\trtsx_usb_clear_dma_err(ucr);\n\trtsx_usb_clear_fsm_err(ucr);\n}",
- "project": "linux",
- "hash": 184168621941908989210848212393875143513,
- "size": 10,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386067
- },
- {
- "func": "static int ms_transfer_data(struct rtsx_usb_ms *host, unsigned char data_dir,\n\t\tu8 tpc, u8 cfg, struct scatterlist *sg)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tint err;\n\tunsigned int length = sg->length;\n\tu16 sec_cnt = (u16)(length / 512);\n\tu8 trans_mode, dma_dir, flag;\n\tunsigned int pipe;\n\tstruct memstick_dev *card = host->msh->card;\n\n\tdev_dbg(ms_dev(host), \"%s: tpc = 0x%02x, data_dir = %s, length = %d\\n\",\n\t\t\t__func__, tpc, (data_dir == READ) ? \"READ\" : \"WRITE\",\n\t\t\tlength);\n\n\tif (data_dir == READ) {\n\t\tflag = MODE_CDIR;\n\t\tdma_dir = DMA_DIR_FROM_CARD;\n\t\tif (card->id.type != MEMSTICK_TYPE_PRO)\n\t\t\ttrans_mode = MS_TM_NORMAL_READ;\n\t\telse\n\t\t\ttrans_mode = MS_TM_AUTO_READ;\n\t\tpipe = usb_rcvbulkpipe(ucr->pusb_dev, EP_BULK_IN);\n\t} else {\n\t\tflag = MODE_CDOR;\n\t\tdma_dir = DMA_DIR_TO_CARD;\n\t\tif (card->id.type != MEMSTICK_TYPE_PRO)\n\t\t\ttrans_mode = MS_TM_NORMAL_WRITE;\n\t\telse\n\t\t\ttrans_mode = MS_TM_AUTO_WRITE;\n\t\tpipe = usb_sndbulkpipe(ucr->pusb_dev, EP_BULK_OUT);\n\t}\n\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);\n\tif (card->id.type == MEMSTICK_TYPE_PRO) {\n\t\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_SECTOR_CNT_H,\n\t\t\t\t0xFF, (u8)(sec_cnt >> 8));\n\t\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_SECTOR_CNT_L,\n\t\t\t\t0xFF, (u8)sec_cnt);\n\t}\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_TC3,\n\t\t\t0xFF, (u8)(length >> 24));\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_TC2,\n\t\t\t0xFF, (u8)(length >> 16));\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_TC1,\n\t\t\t0xFF, (u8)(length >> 8));\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_TC0, 0xFF,\n\t\t\t(u8)length);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MC_DMA_CTL,\n\t\t\t0x03 | DMA_PACK_SIZE_MASK, dma_dir | DMA_EN | DMA_512);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_DATA_SOURCE,\n\t\t\t0x01, 
RING_BUFFER);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANSFER,\n\t\t\t0xFF, MS_TRANSFER_START | trans_mode);\n\trtsx_usb_add_cmd(ucr, CHECK_REG_CMD, MS_TRANSFER,\n\t\t\tMS_TRANSFER_END, MS_TRANSFER_END);\n\n\terr = rtsx_usb_send_cmd(ucr, flag | STAGE_MS_STATUS, 100);\n\tif (err)\n\t\treturn err;\n\n\terr = rtsx_usb_transfer_data(ucr, pipe, sg, length,\n\t\t\t1, NULL, 10000);\n\tif (err)\n\t\tgoto err_out;\n\n\terr = rtsx_usb_get_rsp(ucr, 3, 15000);\n\tif (err)\n\t\tgoto err_out;\n\n\tif (ucr->rsp_buf[0] & MS_TRANSFER_ERR ||\n\t ucr->rsp_buf[1] & (MS_CRC16_ERR | MS_RDY_TIMEOUT)) {\n\t\terr = -EIO;\n\t\tgoto err_out;\n\t}\n\treturn 0;\nerr_out:\n\tms_clear_error(host);\n\treturn err;\n}",
- "project": "linux",
- "hash": 230127094400080261160329003204111452297,
- "size": 85,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386055
- },
- {
- "func": "static int ms_read_bytes(struct rtsx_usb_ms *host, u8 tpc,\n\t\tu8 cfg, u8 cnt, u8 *data, u8 *int_reg)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tint err, i;\n\tu8 *ptr;\n\n\tdev_dbg(ms_dev(host), \"%s: tpc = 0x%02x\\n\", __func__, tpc);\n\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_DATA_SOURCE,\n\t\t\t0x01, PINGPONG_BUFFER);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, MS_TRANSFER,\n\t\t\t0xFF, MS_TRANSFER_START | MS_TM_READ_BYTES);\n\trtsx_usb_add_cmd(ucr, CHECK_REG_CMD, MS_TRANSFER,\n\t\t\tMS_TRANSFER_END, MS_TRANSFER_END);\n\tfor (i = 0; i < cnt - 1; i++)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, PPBUF_BASE2 + i, 0, 0);\n\tif (cnt % 2)\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD, PPBUF_BASE2 + cnt, 0, 0);\n\telse\n\t\trtsx_usb_add_cmd(ucr, READ_REG_CMD,\n\t\t\t\tPPBUF_BASE2 + cnt - 1, 0, 0);\n\n\trtsx_usb_add_cmd(ucr, READ_REG_CMD, MS_TRANS_CFG, 0, 0);\n\n\terr = rtsx_usb_send_cmd(ucr, MODE_CR, 100);\n\tif (err)\n\t\treturn err;\n\n\terr = rtsx_usb_get_rsp(ucr, cnt + 2, 5000);\n\tif (err || (ucr->rsp_buf[0] & MS_TRANSFER_ERR)) {\n\t\tu8 val;\n\n\t\trtsx_usb_ep0_read_register(ucr, MS_TRANS_CFG, &val);\n\t\tdev_dbg(ms_dev(host), \"MS_TRANS_CFG: 0x%02x\\n\", val);\n\n\t\tif (int_reg && (host->ifmode != MEMSTICK_SERIAL))\n\t\t\t*int_reg = val & 0x0F;\n\n\t\tms_print_debug_regs(host);\n\n\t\tms_clear_error(host);\n\n\t\tif (!(tpc & 0x08)) {\n\t\t\tif (val & MS_CRC16_ERR)\n\t\t\t\treturn -EIO;\n\t\t} else {\n\t\t\tif (!(val & 0x80)) {\n\t\t\t\tif (val & (MS_INT_ERR | MS_INT_CMDNK))\n\t\t\t\t\treturn -EIO;\n\t\t\t}\n\t\t}\n\n\t\treturn -ETIMEDOUT;\n\t}\n\n\tptr = ucr->rsp_buf + 1;\n\tfor (i = 0; i < cnt; i++)\n\t\tdata[i] = *ptr++;\n\n\n\tif (int_reg && (host->ifmode != MEMSTICK_SERIAL))\n\t\t*int_reg = *ptr & 0x0F;\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 258735760856662779335532937746038298034,
- "size": 72,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386073
- },
- {
- "func": "static void rtsx_usb_ms_handle_req(struct work_struct *work)\n{\n\tstruct rtsx_usb_ms *host = container_of(work,\n\t\t\tstruct rtsx_usb_ms, handle_req);\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tstruct memstick_host *msh = host->msh;\n\tint rc;\n\n\tif (!host->req) {\n\t\tpm_runtime_get_sync(ms_dev(host));\n\t\tdo {\n\t\t\trc = memstick_next_req(msh, &host->req);\n\t\t\tdev_dbg(ms_dev(host), \"next req %d\\n\", rc);\n\n\t\t\tif (!rc) {\n\t\t\t\tmutex_lock(&ucr->dev_mutex);\n\n\t\t\t\tif (rtsx_usb_card_exclusive_check(ucr,\n\t\t\t\t\t\t\tRTSX_USB_MS_CARD))\n\t\t\t\t\thost->req->error = -EIO;\n\t\t\t\telse\n\t\t\t\t\thost->req->error =\n\t\t\t\t\t\trtsx_usb_ms_issue_cmd(host);\n\n\t\t\t\tmutex_unlock(&ucr->dev_mutex);\n\n\t\t\t\tdev_dbg(ms_dev(host), \"req result %d\\n\",\n\t\t\t\t\t\thost->req->error);\n\t\t\t}\n\t\t} while (!rc);\n\t\tpm_runtime_put_sync(ms_dev(host));\n\t}\n\n}",
- "project": "linux",
- "hash": 175247277736640744572955526817545119083,
- "size": 34,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386066
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "_gnutls_x509_get_time",
- "_gnutls_x509_generalTime2gtime",
- "time2gtime",
- "mktime_utc"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static time_t mktime_utc(const struct fake_tm *tm)\n{\n\ttime_t result = 0;\n\tint i;\n\n/* We do allow some ill-formed dates, but we don't do anything special\n * with them and our callers really shouldn't pass them to us. Do\n * explicitly disallow the ones that would cause invalid array accesses\n * or other algorithm problems. \n */\n\tif (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970)\n\t\treturn (time_t) - 1;\n\n/* Convert to a time_t. \n */\n\tfor (i = 1970; i < tm->tm_year; i++)\n\t\tresult += 365 + ISLEAP(i);\n\tfor (i = 0; i < tm->tm_mon; i++)\n\t\tresult += MONTHDAYS[i];\n\tif (tm->tm_mon > 1 && ISLEAP(tm->tm_year))\n\t\tresult++;\n\tresult = 24 * (result + tm->tm_mday - 1) + tm->tm_hour;\n\tresult = 60 * result + tm->tm_min;\n\tresult = 60 * result + tm->tm_sec;\n\treturn result;\n}",
- "project": "gnutls",
- "hash": 255583354875587551064427115420146067224,
- "size": 26,
- "commit_id": "272854367efc130fbd4f1a51840d80c630214e12",
- "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.",
- "target": 0,
- "dataset": "other",
- "idx": 462692
- },
- {
- "func": "static time_t utcTime2gtime(const char *ttime)\n{\n\tchar xx[3];\n\tint year;\n\n\tif (strlen(ttime) < 10) {\n\t\tgnutls_assert();\n\t\treturn (time_t) - 1;\n\t}\n\txx[2] = 0;\n/* get the year\n */\n\tmemcpy(xx, ttime, 2);\t/* year */\n\tyear = atoi(xx);\n\tttime += 2;\n\n\tif (year > 49)\n\t\tyear += 1900;\n\telse\n\t\tyear += 2000;\n\n\treturn time2gtime(ttime, year);\n}",
- "project": "gnutls",
- "hash": 305444558622662156229039864608137356411,
- "size": 23,
- "commit_id": "272854367efc130fbd4f1a51840d80c630214e12",
- "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.",
- "target": 0,
- "dataset": "other",
- "idx": 462700
- },
- {
- "func": "time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when, int nochoice)\n{\n\tchar ttime[MAX_TIME];\n\tchar name[128];\n\ttime_t c_time = (time_t) - 1;\n\tint len, result;\n\n\tlen = sizeof(ttime) - 1;\n\tresult = asn1_read_value(c2, when, ttime, &len);\n\tif (result != ASN1_SUCCESS) {\n\t\tgnutls_assert();\n\t\treturn (time_t) (-1);\n\t}\n\n\tif (nochoice != 0) {\n\t\tc_time = _gnutls_x509_generalTime2gtime(ttime);\n\t} else {\n\t\t_gnutls_str_cpy(name, sizeof(name), when);\n\n\t\t/* choice */\n\t\tif (strcmp(ttime, \"generalTime\") == 0) {\n\t\t\t_gnutls_str_cat(name, sizeof(name),\n\t\t\t\t\t\".generalTime\");\n\t\t\tlen = sizeof(ttime) - 1;\n\t\t\tresult = asn1_read_value(c2, name, ttime, &len);\n\t\t\tif (result == ASN1_SUCCESS)\n\t\t\t\tc_time =\n\t\t\t\t _gnutls_x509_generalTime2gtime(ttime);\n\t\t} else {\t/* UTCTIME */\n\t\t\t_gnutls_str_cat(name, sizeof(name), \".utcTime\");\n\t\t\tlen = sizeof(ttime) - 1;\n\t\t\tresult = asn1_read_value(c2, name, ttime, &len);\n\t\t\tif (result == ASN1_SUCCESS)\n\t\t\t\tc_time = utcTime2gtime(ttime);\n\t\t}\n\n\t\t/* We cannot handle dates after 2031 in 32 bit machines.\n\t\t * a time_t of 64bits has to be used.\n\t\t */\n\t\tif (result != ASN1_SUCCESS) {\n\t\t\tgnutls_assert();\n\t\t\treturn (time_t) (-1);\n\t\t}\n\t}\n\n\treturn c_time;\n}",
- "project": "gnutls",
- "hash": 222057145187227737041406586357311452460,
- "size": 47,
- "commit_id": "272854367efc130fbd4f1a51840d80c630214e12",
- "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.",
- "target": 0,
- "dataset": "other",
- "idx": 462694
- },
- {
- "func": "time_t _gnutls_x509_generalTime2gtime(const char *ttime)\n{\n\tchar xx[5];\n\tint year;\n\n\tif (strlen(ttime) < 12) {\n\t\tgnutls_assert();\n\t\treturn (time_t) - 1;\n\t}\n\n\tif (strchr(ttime, 'Z') == 0) {\n\t\tgnutls_assert();\n\t\t/* sorry we don't support it yet\n\t\t */\n\t\treturn (time_t) - 1;\n\t}\n\txx[4] = 0;\n\n/* get the year\n */\n\tmemcpy(xx, ttime, 4);\t/* year */\n\tyear = atoi(xx);\n\tttime += 4;\n\n\treturn time2gtime(ttime, year);\n}",
- "project": "gnutls",
- "hash": 259945156522401648247067488269809219355,
- "size": 26,
- "commit_id": "272854367efc130fbd4f1a51840d80c630214e12",
- "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.",
- "target": 0,
- "dataset": "other",
- "idx": 462711
- },
- {
- "func": "static time_t time2gtime(const char *ttime, int year)\n{\n\tchar xx[4];\n\tstruct fake_tm etime;\n\n\tif (strlen(ttime) < 8) {\n\t\tgnutls_assert();\n\t\treturn (time_t) - 1;\n\t}\n\n\tetime.tm_year = year;\n\n\t/* In order to work with 32 bit\n\t * time_t.\n\t */\n\tif (sizeof(time_t) <= 4 && etime.tm_year >= 2038)\n\t\treturn (time_t) 2145914603;\t/* 2037-12-31 23:23:23 */\n\n\tif (etime.tm_year < 1970)\n\t\treturn (time_t) 0;\n\n\txx[2] = 0;\n\n/* get the month\n */\n\tmemcpy(xx, ttime, 2);\t/* month */\n\tetime.tm_mon = atoi(xx) - 1;\n\tttime += 2;\n\n/* get the day\n */\n\tmemcpy(xx, ttime, 2);\t/* day */\n\tetime.tm_mday = atoi(xx);\n\tttime += 2;\n\n/* get the hour\n */\n\tmemcpy(xx, ttime, 2);\t/* hour */\n\tetime.tm_hour = atoi(xx);\n\tttime += 2;\n\n/* get the minutes\n */\n\tmemcpy(xx, ttime, 2);\t/* minutes */\n\tetime.tm_min = atoi(xx);\n\tttime += 2;\n\n\tif (strlen(ttime) >= 2) {\n\t\tmemcpy(xx, ttime, 2);\n\t\tetime.tm_sec = atoi(xx);\n\t} else\n\t\tetime.tm_sec = 0;\n\n\treturn mktime_utc(&etime);\n}",
- "project": "gnutls",
- "hash": 193396090484000543539033958433909418524,
- "size": 55,
- "commit_id": "272854367efc130fbd4f1a51840d80c630214e12",
- "message": "Reset the output value on error in _gnutls_x509_dn_to_string()\n\nReported by Kurt Roeckx.",
- "target": 0,
- "dataset": "other",
- "idx": 462733
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "borrowPinnedConnection",
- "validatePinnedConnection",
- "cbdataReferenceValid"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "ConnStateData::unpinConnection(const bool andClose)\n{\n debugs(33, 3, HERE << pinning.serverConnection);\n\n if (pinning.peer)\n cbdataReferenceDone(pinning.peer);\n\n if (Comm::IsConnOpen(pinning.serverConnection)) {\n if (pinning.closeHandler != NULL) {\n comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler);\n pinning.closeHandler = NULL;\n }\n\n stopPinnedConnectionMonitoring();\n\n // close the server side socket if requested\n if (andClose)\n pinning.serverConnection->close();\n pinning.serverConnection = NULL;\n }\n\n safe_free(pinning.host);\n\n pinning.zeroReply = false;\n\n /* NOTE: pinning.pinned should be kept. This combined with fd == -1 at the end of a request indicates that the host\n * connection has gone away */\n}",
- "project": "squid",
- "hash": 8126723958400450209621663530532865131,
- "size": 28,
- "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7",
- "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.",
- "target": 0,
- "dataset": "other",
- "idx": 402363
- },
- {
- "func": "ConnStateData::borrowPinnedConnection(HttpRequest *request, const CachePeer *aPeer)\n{\n debugs(33, 7, pinning.serverConnection);\n if (validatePinnedConnection(request, aPeer) != NULL)\n stopPinnedConnectionMonitoring();\n\n return pinning.serverConnection; // closed if validation failed\n}",
- "project": "squid",
- "hash": 197943209884432641940624481743052313463,
- "size": 8,
- "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7",
- "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.",
- "target": 0,
- "dataset": "other",
- "idx": 402319
- },
- {
- "func": "ConnStateData::swanSong()\n{\n debugs(33, 2, HERE << clientConnection);\n checkLogging();\n\n flags.readMore = false;\n clientdbEstablished(clientConnection->remote, -1); /* decrement */\n pipeline.terminateAll(0);\n\n // XXX: Closing pinned conn is too harsh: The Client may want to continue!\n unpinConnection(true);\n\n Server::swanSong(); // closes the client connection\n\n#if USE_AUTH\n // NP: do this bit after closing the connections to avoid side effects from unwanted TCP RST\n setAuth(NULL, \"ConnStateData::SwanSong cleanup\");\n#endif\n\n flags.swanSang = true;\n}",
- "project": "squid",
- "hash": 250147708476536924722896317883820047435,
- "size": 21,
- "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7",
- "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.",
- "target": 0,
- "dataset": "other",
- "idx": 402351
- },
- {
- "func": "clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)\n{\n ConnStateData * conn = http->getConn();\n ACLFilledChecklist *ch = new ACLFilledChecklist(acl, http->request,\n cbdataReferenceValid(conn) && conn != NULL && conn->clientConnection != NULL ? conn->clientConnection->rfc931 : dash_str);\n ch->al = http->al;\n ch->syncAle(http->request, http->log_uri);\n /*\n * hack for ident ACL. It needs to get full addresses, and a place to store\n * the ident result on persistent connections...\n */\n /* connection oriented auth also needs these two lines for it's operation. */\n return ch;\n}",
- "project": "squid",
- "hash": 301345786289336883799756852985363914809,
- "size": 14,
- "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7",
- "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.",
- "target": 0,
- "dataset": "other",
- "idx": 402375
- },
- {
- "func": "ConnStateData::validatePinnedConnection(HttpRequest *request, const CachePeer *aPeer)\n{\n debugs(33, 7, HERE << pinning.serverConnection);\n\n bool valid = true;\n if (!Comm::IsConnOpen(pinning.serverConnection))\n valid = false;\n else if (pinning.auth && pinning.host && request && strcasecmp(pinning.host, request->url.host()) != 0)\n valid = false;\n else if (request && pinning.port != request->url.port())\n valid = false;\n else if (pinning.peer && !cbdataReferenceValid(pinning.peer))\n valid = false;\n else if (aPeer != pinning.peer)\n valid = false;\n\n if (!valid) {\n /* The pinning info is not safe, remove any pinning info */\n unpinConnection(true);\n }\n\n return pinning.serverConnection;\n}",
- "project": "squid",
- "hash": 181324117080263363221674208200496791621,
- "size": 23,
- "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7",
- "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.",
- "target": 0,
- "dataset": "other",
- "idx": 402332
- },
- {
- "func": "ConnStateData::checkLogging()\n{\n // if we are parsing request body, its request is responsible for logging\n if (bodyPipe)\n return;\n\n // a request currently using this connection is responsible for logging\n if (!pipeline.empty() && pipeline.back()->mayUseConnection())\n return;\n\n /* Either we are waiting for the very first transaction, or\n * we are done with the Nth transaction and are waiting for N+1st.\n * XXX: We assume that if anything was added to inBuf, then it could\n * only be consumed by actions already covered by the above checks.\n */\n\n // do not log connections that closed after a transaction (it is normal)\n // TODO: access_log needs ACLs to match received-no-bytes connections\n if (pipeline.nrequests && inBuf.isEmpty())\n return;\n\n /* Create a temporary ClientHttpRequest object. Its destructor will log. */\n ClientHttpRequest http(this);\n http.req_sz = inBuf.length();\n // XXX: Or we died while waiting for the pinned connection to become idle.\n http.setErrorUri(\"error:transaction-end-before-headers\");\n}",
- "project": "squid",
- "hash": 226736814919375169237608393216734947054,
- "size": 27,
- "commit_id": "fd68382860633aca92065e6c343cfd1b12b126e7",
- "message": "Improve Transfer-Encoding handling (#702)\n\nReject messages containing Transfer-Encoding header with coding other\nthan chunked or identity. Squid does not support other codings.\n\nFor simplicity and security sake, also reject messages where\nTransfer-Encoding contains unnecessary complex values that are\ntechnically equivalent to \"chunked\" or \"identity\" (e.g., \",,chunked\" or\n\"identity, chunked\").\n\nRFC 7230 formally deprecated and removed identity coding, but it is\nstill used by some agents.",
- "target": 0,
- "dataset": "other",
- "idx": 402382
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "Register_DEPTHWISE_CONV_2D_UINT8",
- "Register_DEPTHWISE_CONV_2D",
- "Register_DEPTHWISE_CONVOLUTION_GENERIC_OPT"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "TfLiteRegistration* Register_DEPTHWISE_CONVOLUTION_GENERIC_OPT() {\n static TfLiteRegistration r = {\n depthwise_conv::Init, depthwise_conv::Free, depthwise_conv::Prepare,\n depthwise_conv::Eval<depthwise_conv::kGenericOptimized>};\n return &r;\n}",
- "project": "tensorflow",
- "hash": 90381963354818109026421148639698872422,
- "size": 6,
- "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc",
- "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25",
- "target": 0,
- "dataset": "other",
- "idx": 223173
- },
- {
- "func": "TfLiteRegistration* Register_DEPTHWISE_CONVOLUTION_NEON_OPT_UINT8() {\n static TfLiteRegistration r = {\n depthwise_conv::Init, depthwise_conv::Free, depthwise_conv::Prepare,\n depthwise_conv::EvalImpl<depthwise_conv::kNeonOptimized, kTfLiteUInt8>};\n return &r;\n}",
- "project": "tensorflow",
- "hash": 259511075250531727873395827625969357451,
- "size": 6,
- "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc",
- "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25",
- "target": 0,
- "dataset": "other",
- "idx": 223186
- },
- {
- "func": "TfLiteRegistration* Register_DEPTHWISE_CONV_2D() {\n#ifdef USE_NEON\n return Register_DEPTHWISE_CONVOLUTION_NEON_OPT();\n#else\n return Register_DEPTHWISE_CONVOLUTION_GENERIC_OPT();\n#endif\n}",
- "project": "tensorflow",
- "hash": 93675220586672160062558623139332772786,
- "size": 7,
- "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc",
- "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25",
- "target": 0,
- "dataset": "other",
- "idx": 223177
- },
- {
- "func": "TfLiteRegistration* Register_DEPTHWISE_CONVOLUTION_NEON_OPT() {\n static TfLiteRegistration r = {\n depthwise_conv::Init, depthwise_conv::Free, depthwise_conv::Prepare,\n depthwise_conv::Eval<depthwise_conv::kNeonOptimized>};\n return &r;\n}",
- "project": "tensorflow",
- "hash": 8789946826749525151422178724820235421,
- "size": 6,
- "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc",
- "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25",
- "target": 0,
- "dataset": "other",
- "idx": 223185
- },
- {
- "func": "TfLiteRegistration* Register_DEPTHWISE_CONV_2D_UINT8() {\n#ifdef USE_NEON\n return Register_DEPTHWISE_CONVOLUTION_NEON_OPT_UINT8();\n#else\n return Register_DEPTHWISE_CONV_2D();\n#endif\n}",
- "project": "tensorflow",
- "hash": 241262428454337070765876511174245130660,
- "size": 7,
- "commit_id": "e5b0eec199c2d03de54fd6a7fd9275692218e2bc",
- "message": "[lite] Add validation check for dilation height/width to be positive integers.\n\nPiperOrigin-RevId: 416429178\nChange-Id: If7cdcddca54486434d9b2f06e7e2b401d7c3ee25",
- "target": 0,
- "dataset": "other",
- "idx": 223180
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "git_tcp_connect",
- "git_tcp_connect_sock",
- "enable_keepalive"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static int git_tcp_connect_sock(char *host, int flags)\n{\n\tstruct strbuf error_message = STRBUF_INIT;\n\tint sockfd = -1;\n\tconst char *port = STR(DEFAULT_GIT_PORT);\n\tstruct addrinfo hints, *ai0, *ai;\n\tint gai;\n\tint cnt = 0;\n\n\tget_host_and_port(&host, &port);\n\tif (!*port)\n\t\tport = \"<none>\";\n\n\tmemset(&hints, 0, sizeof(hints));\n\tif (flags & CONNECT_IPV4)\n\t\thints.ai_family = AF_INET;\n\telse if (flags & CONNECT_IPV6)\n\t\thints.ai_family = AF_INET6;\n\thints.ai_socktype = SOCK_STREAM;\n\thints.ai_protocol = IPPROTO_TCP;\n\n\tif (flags & CONNECT_VERBOSE)\n\t\tfprintf(stderr, \"Looking up %s ... \", host);\n\n\tgai = getaddrinfo(host, port, &hints, &ai);\n\tif (gai)\n\t\tdie(\"Unable to look up %s (port %s) (%s)\", host, port, gai_strerror(gai));\n\n\tif (flags & CONNECT_VERBOSE)\n\t\tfprintf(stderr, \"done.\\nConnecting to %s (port %s) ... \", host, port);\n\n\tfor (ai0 = ai; ai; ai = ai->ai_next, cnt++) {\n\t\tsockfd = socket(ai->ai_family,\n\t\t\t\tai->ai_socktype, ai->ai_protocol);\n\t\tif ((sockfd < 0) ||\n\t\t (connect(sockfd, ai->ai_addr, ai->ai_addrlen) < 0)) {\n\t\t\tstrbuf_addf(&error_message, \"%s[%d: %s]: errno=%s\\n\",\n\t\t\t\t host, cnt, ai_name(ai), strerror(errno));\n\t\t\tif (0 <= sockfd)\n\t\t\t\tclose(sockfd);\n\t\t\tsockfd = -1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (flags & CONNECT_VERBOSE)\n\t\t\tfprintf(stderr, \"%s \", ai_name(ai));\n\t\tbreak;\n\t}\n\n\tfreeaddrinfo(ai0);\n\n\tif (sockfd < 0)\n\t\tdie(\"unable to connect to %s:\\n%s\", host, error_message.buf);\n\n\tenable_keepalive(sockfd);\n\n\tif (flags & CONNECT_VERBOSE)\n\t\tfprintf(stderr, \"done.\\n\");\n\n\tstrbuf_release(&error_message);\n\n\treturn sockfd;\n}",
- "project": "git",
- "hash": 75484244048397178670674431595415622496,
- "size": 62,
- "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734",
- "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>\nSigned-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>",
- "target": 0,
- "dataset": "other",
- "idx": 376259
- },
- {
- "func": "static int git_tcp_connect_sock(char *host, int flags)\n{\n\tstruct strbuf error_message = STRBUF_INIT;\n\tint sockfd = -1;\n\tconst char *port = STR(DEFAULT_GIT_PORT);\n\tchar *ep;\n\tstruct hostent *he;\n\tstruct sockaddr_in sa;\n\tchar **ap;\n\tunsigned int nport;\n\tint cnt;\n\n\tget_host_and_port(&host, &port);\n\n\tif (flags & CONNECT_VERBOSE)\n\t\tfprintf(stderr, \"Looking up %s ... \", host);\n\n\the = gethostbyname(host);\n\tif (!he)\n\t\tdie(\"Unable to look up %s (%s)\", host, hstrerror(h_errno));\n\tnport = strtoul(port, &ep, 10);\n\tif ( ep == port || *ep ) {\n\t\t/* Not numeric */\n\t\tstruct servent *se = getservbyname(port,\"tcp\");\n\t\tif ( !se )\n\t\t\tdie(\"Unknown port %s\", port);\n\t\tnport = se->s_port;\n\t}\n\n\tif (flags & CONNECT_VERBOSE)\n\t\tfprintf(stderr, \"done.\\nConnecting to %s (port %s) ... \", host, port);\n\n\tfor (cnt = 0, ap = he->h_addr_list; *ap; ap++, cnt++) {\n\t\tmemset(&sa, 0, sizeof sa);\n\t\tsa.sin_family = he->h_addrtype;\n\t\tsa.sin_port = htons(nport);\n\t\tmemcpy(&sa.sin_addr, *ap, he->h_length);\n\n\t\tsockfd = socket(he->h_addrtype, SOCK_STREAM, 0);\n\t\tif ((sockfd < 0) ||\n\t\t connect(sockfd, (struct sockaddr *)&sa, sizeof sa) < 0) {\n\t\t\tstrbuf_addf(&error_message, \"%s[%d: %s]: errno=%s\\n\",\n\t\t\t\thost,\n\t\t\t\tcnt,\n\t\t\t\tinet_ntoa(*(struct in_addr *)&sa.sin_addr),\n\t\t\t\tstrerror(errno));\n\t\t\tif (0 <= sockfd)\n\t\t\t\tclose(sockfd);\n\t\t\tsockfd = -1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (flags & CONNECT_VERBOSE)\n\t\t\tfprintf(stderr, \"%s \",\n\t\t\t\tinet_ntoa(*(struct in_addr *)&sa.sin_addr));\n\t\tbreak;\n\t}\n\n\tif (sockfd < 0)\n\t\tdie(\"unable to connect to %s:\\n%s\", host, error_message.buf);\n\n\tenable_keepalive(sockfd);\n\n\tif (flags & CONNECT_VERBOSE)\n\t\tfprintf(stderr, \"done.\\n\");\n\n\treturn sockfd;\n}",
- "project": "git",
- "hash": 282116232110985789070273945485104328668,
- "size": 67,
- "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734",
- "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>\nSigned-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>",
- "target": 0,
- "dataset": "other",
- "idx": 376267
- },
- {
- "func": "static void git_tcp_connect(int fd[2], char *host, int flags)\n{\n\tint sockfd = git_tcp_connect_sock(host, flags);\n\n\tfd[0] = sockfd;\n\tfd[1] = dup(sockfd);\n}",
- "project": "git",
- "hash": 140963176966914680770945237058378544289,
- "size": 7,
- "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734",
- "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>\nSigned-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>",
- "target": 0,
- "dataset": "other",
- "idx": 376274
- },
- {
- "func": "static void enable_keepalive(int sockfd)\n{\n\tint ka = 1;\n\n\tif (setsockopt(sockfd, SOL_SOCKET, SO_KEEPALIVE, &ka, sizeof(ka)) < 0)\n\t\tfprintf(stderr, \"unable to set SO_KEEPALIVE on socket: %s\\n\",\n\t\t\tstrerror(errno));\n}",
- "project": "git",
- "hash": 72578412397206043297479591802762819137,
- "size": 8,
- "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734",
- "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>\nSigned-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>",
- "target": 0,
- "dataset": "other",
- "idx": 376278
- },
- {
- "func": "static struct child_process *git_proxy_connect(int fd[2], char *host)\n{\n\tconst char *port = STR(DEFAULT_GIT_PORT);\n\tstruct child_process *proxy;\n\n\tget_host_and_port(&host, &port);\n\n\tif (looks_like_command_line_option(host))\n\t\tdie(\"strange hostname '%s' blocked\", host);\n\tif (looks_like_command_line_option(port))\n\t\tdie(\"strange port '%s' blocked\", port);\n\n\tproxy = xmalloc(sizeof(*proxy));\n\tchild_process_init(proxy);\n\targv_array_push(&proxy->args, git_proxy_command);\n\targv_array_push(&proxy->args, host);\n\targv_array_push(&proxy->args, port);\n\tproxy->in = -1;\n\tproxy->out = -1;\n\tif (start_command(proxy))\n\t\tdie(\"cannot start proxy %s\", git_proxy_command);\n\tfd[0] = proxy->out; /* read from proxy stdout */\n\tfd[1] = proxy->in; /* write to proxy stdin */\n\treturn proxy;\n}",
- "project": "git",
- "hash": 103002577782197029879738855125256635945,
- "size": 25,
- "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734",
- "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>\nSigned-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>",
- "target": 0,
- "dataset": "other",
- "idx": 376248
- },
- {
- "func": "static void get_host_and_port(char **host, const char **port)\n{\n\tchar *colon, *end;\n\tend = host_end(host, 1);\n\tcolon = strchr(end, ':');\n\tif (colon) {\n\t\tlong portnr = strtol(colon + 1, &end, 10);\n\t\tif (end != colon + 1 && *end == '\\0' && 0 <= portnr && portnr < 65536) {\n\t\t\t*colon = 0;\n\t\t\t*port = colon + 1;\n\t\t} else if (!colon[1]) {\n\t\t\t*colon = 0;\n\t\t}\n\t}\n}",
- "project": "git",
- "hash": 109057949494438843808210370667213198552,
- "size": 15,
- "commit_id": "f82a97eb9197c1e3768e72648f37ce0ca3233734",
- "message": "mingw: handle `subst`-ed \"DOS drives\"\n\nOver a decade ago, in 25fe217b86c (Windows: Treat Windows style path\nnames., 2008-03-05), Git was taught to handle absolute Windows paths,\ni.e. paths that start with a drive letter and a colon.\n\nUnbeknownst to us, while drive letters of physical drives are limited to\nletters of the English alphabet, there is a way to assign virtual drive\nletters to arbitrary directories, via the `subst` command, which is\n_not_ limited to English letters.\n\nIt is therefore possible to have absolute Windows paths of the form\n`1:\\what\\the\\hex.txt`. Even \"better\": pretty much arbitrary Unicode\nletters can also be used, e.g. `ä:\\tschibät.sch`.\n\nWhile it can be sensibly argued that users who set up such funny drive\nletters really seek adverse consequences, the Windows Operating System\nis known to be a platform where many users are at the mercy of\nadministrators who have their very own idea of what constitutes a\nreasonable setup.\n\nTherefore, let's just make sure that such funny paths are still\nconsidered absolute paths by Git, on Windows.\n\nIn addition to Unicode characters, pretty much any character is a valid\ndrive letter, as far as `subst` is concerned, even `:` and `\"` or even a\nspace character. While it is probably the opposite of smart to use them,\nlet's safeguard `is_dos_drive_prefix()` against all of them.\n\nNote: `[::1]:repo` is a valid URL, but not a valid path on Windows.\nAs `[` is now considered a valid drive letter, we need to be very\ncareful to avoid misinterpreting such a string as valid local path in\n`url_is_local_not_ssh()`. To do that, we use the just-introduced\nfunction `is_valid_path()` (which will label the string as invalid file\nname because of the colon characters).\n\nThis fixes CVE-2019-1351.\n\nReported-by: Nicolas Joly <Nicolas.Joly@microsoft.com>\nSigned-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>",
- "target": 0,
- "dataset": "other",
- "idx": 376276
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "input_add_uevent_bm_var",
- "input_print_bitmap",
- "input_bits_to_string"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static ssize_t input_dev_show_properties(struct device *dev,\n\t\t\t\t\t struct device_attribute *attr,\n\t\t\t\t\t char *buf)\n{\n\tstruct input_dev *input_dev = to_input_dev(dev);\n\tint len = input_print_bitmap(buf, PAGE_SIZE, input_dev->propbit,\n\t\t\t\t INPUT_PROP_MAX, true);\n\treturn min_t(int, len, PAGE_SIZE);\n}",
- "project": "linux",
- "hash": 73643454758577544594548642985618883815,
- "size": 9,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353344
- },
- {
- "func": "static int input_bits_to_string(char *buf, int buf_size,\n\t\t\t\tunsigned long bits, bool skip_empty)\n{\n\treturn bits || !skip_empty ?\n\t\tsnprintf(buf, buf_size, \"%lx\", bits) : 0;\n}",
- "project": "linux",
- "hash": 200981411527474337248998264431809788484,
- "size": 6,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353325
- },
- {
- "func": "static int input_bits_to_string(char *buf, int buf_size,\n\t\t\t\tunsigned long bits, bool skip_empty)\n{\n\tint len = 0;\n\n\tif (in_compat_syscall()) {\n\t\tu32 dword = bits >> 32;\n\t\tif (dword || !skip_empty)\n\t\t\tlen += snprintf(buf, buf_size, \"%x \", dword);\n\n\t\tdword = bits & 0xffffffffUL;\n\t\tif (dword || !skip_empty || len)\n\t\t\tlen += snprintf(buf + len, max(buf_size - len, 0),\n\t\t\t\t\t\"%x\", dword);\n\t} else {\n\t\tif (bits || !skip_empty)\n\t\t\tlen += snprintf(buf, buf_size, \"%lx\", bits);\n\t}\n\n\treturn len;\n}",
- "project": "linux",
- "hash": 68551690508502806898970228950092002401,
- "size": 21,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353366
- },
- {
- "func": "static void input_seq_print_bitmap(struct seq_file *seq, const char *name,\n\t\t\t\t unsigned long *bitmap, int max)\n{\n\tint i;\n\tbool skip_empty = true;\n\tchar buf[18];\n\n\tseq_printf(seq, \"B: %s=\", name);\n\n\tfor (i = BITS_TO_LONGS(max) - 1; i >= 0; i--) {\n\t\tif (input_bits_to_string(buf, sizeof(buf),\n\t\t\t\t\t bitmap[i], skip_empty)) {\n\t\t\tskip_empty = false;\n\t\t\tseq_printf(seq, \"%s%s\", buf, i > 0 ? \" \" : \"\");\n\t\t}\n\t}\n\n\t/*\n\t * If no output was produced print a single 0.\n\t */\n\tif (skip_empty)\n\t\tseq_putc(seq, '0');\n\n\tseq_putc(seq, '\\n');\n}",
- "project": "linux",
- "hash": 252139204397985976048643955849396121086,
- "size": 25,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353330
- },
- {
- "func": "static int input_add_uevent_bm_var(struct kobj_uevent_env *env,\n\t\t\t\t const char *name, unsigned long *bitmap, int max)\n{\n\tint len;\n\n\tif (add_uevent_var(env, \"%s\", name))\n\t\treturn -ENOMEM;\n\n\tlen = input_print_bitmap(&env->buf[env->buflen - 1],\n\t\t\t\t sizeof(env->buf) - env->buflen,\n\t\t\t\t bitmap, max, false);\n\tif (len >= (sizeof(env->buf) - env->buflen))\n\t\treturn -ENOMEM;\n\n\tenv->buflen += len;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 215914705303760305720610312608600380589,
- "size": 17,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353378
- },
- {
- "func": "static int input_devices_seq_show(struct seq_file *seq, void *v)\n{\n\tstruct input_dev *dev = container_of(v, struct input_dev, node);\n\tconst char *path = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);\n\tstruct input_handle *handle;\n\n\tseq_printf(seq, \"I: Bus=%04x Vendor=%04x Product=%04x Version=%04x\\n\",\n\t\t dev->id.bustype, dev->id.vendor, dev->id.product, dev->id.version);\n\n\tseq_printf(seq, \"N: Name=\\\"%s\\\"\\n\", dev->name ? dev->name : \"\");\n\tseq_printf(seq, \"P: Phys=%s\\n\", dev->phys ? dev->phys : \"\");\n\tseq_printf(seq, \"S: Sysfs=%s\\n\", path ? path : \"\");\n\tseq_printf(seq, \"U: Uniq=%s\\n\", dev->uniq ? dev->uniq : \"\");\n\tseq_puts(seq, \"H: Handlers=\");\n\n\tlist_for_each_entry(handle, &dev->h_list, d_node)\n\t\tseq_printf(seq, \"%s \", handle->name);\n\tseq_putc(seq, '\\n');\n\n\tinput_seq_print_bitmap(seq, \"PROP\", dev->propbit, INPUT_PROP_MAX);\n\n\tinput_seq_print_bitmap(seq, \"EV\", dev->evbit, EV_MAX);\n\tif (test_bit(EV_KEY, dev->evbit))\n\t\tinput_seq_print_bitmap(seq, \"KEY\", dev->keybit, KEY_MAX);\n\tif (test_bit(EV_REL, dev->evbit))\n\t\tinput_seq_print_bitmap(seq, \"REL\", dev->relbit, REL_MAX);\n\tif (test_bit(EV_ABS, dev->evbit))\n\t\tinput_seq_print_bitmap(seq, \"ABS\", dev->absbit, ABS_MAX);\n\tif (test_bit(EV_MSC, dev->evbit))\n\t\tinput_seq_print_bitmap(seq, \"MSC\", dev->mscbit, MSC_MAX);\n\tif (test_bit(EV_LED, dev->evbit))\n\t\tinput_seq_print_bitmap(seq, \"LED\", dev->ledbit, LED_MAX);\n\tif (test_bit(EV_SND, dev->evbit))\n\t\tinput_seq_print_bitmap(seq, \"SND\", dev->sndbit, SND_MAX);\n\tif (test_bit(EV_FF, dev->evbit))\n\t\tinput_seq_print_bitmap(seq, \"FF\", dev->ffbit, FF_MAX);\n\tif (test_bit(EV_SW, dev->evbit))\n\t\tinput_seq_print_bitmap(seq, \"SW\", dev->swbit, SW_MAX);\n\n\tseq_putc(seq, '\\n');\n\n\tkfree(path);\n\treturn 0;\n}",
- "project": "linux",
- "hash": 206835860867474540625387286507968429091,
- "size": 44,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353331
- },
- {
- "func": "static int input_print_bitmap(char *buf, int buf_size, unsigned long *bitmap,\n\t\t\t int max, int add_cr)\n{\n\tint i;\n\tint len = 0;\n\tbool skip_empty = true;\n\n\tfor (i = BITS_TO_LONGS(max) - 1; i >= 0; i--) {\n\t\tlen += input_bits_to_string(buf + len, max(buf_size - len, 0),\n\t\t\t\t\t bitmap[i], skip_empty);\n\t\tif (len) {\n\t\t\tskip_empty = false;\n\t\t\tif (i > 0)\n\t\t\t\tlen += snprintf(buf + len, max(buf_size - len, 0), \" \");\n\t\t}\n\t}\n\n\t/*\n\t * If no output was produced print a single 0.\n\t */\n\tif (len == 0)\n\t\tlen = snprintf(buf, buf_size, \"%d\", 0);\n\n\tif (add_cr)\n\t\tlen += snprintf(buf + len, max(buf_size - len, 0), \"\\n\");\n\n\treturn len;\n}",
- "project": "linux",
- "hash": 135811896709280841763883857580312902338,
- "size": 28,
- "commit_id": "cb222aed03d798fc074be55e59d9a112338ee784",
- "message": "Input: add safety guards to input_set_keycode()\n\nIf we happen to have a garbage in input device's keycode table with values\ntoo big we'll end up doing clear_bit() with offset way outside of our\nbitmaps, damaging other objects within an input device or even outside of\nit. Let's add sanity checks to the returned old keycodes.\n\nReported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com\nReported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws\nSigned-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 353394
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "dw_spi_transfer_one",
- "poll_transfer",
- "dw_writer",
- "tx_max"
- ],
- "group_size": 9,
- "functions": [
- {
- "func": "static inline u32 rx_max(struct dw_spi *dws)\n{\n\tu32 rx_left = (dws->rx_end - dws->rx) / dws->n_bytes;\n\n\treturn min_t(u32, rx_left, dw_readl(dws, DW_SPI_RXFLR));\n}",
- "project": "linux",
- "hash": 28861315435500243985574094629287346337,
- "size": 6,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 462460
- },
- {
- "func": "static inline u32 tx_max(struct dw_spi *dws)\n{\n\tu32 tx_left, tx_room, rxtx_gap;\n\n\ttx_left = (dws->tx_end - dws->tx) / dws->n_bytes;\n\ttx_room = dws->fifo_len - dw_readl(dws, DW_SPI_TXFLR);\n\n\t/*\n\t * Another concern is about the tx/rx mismatch, we\n\t * though to use (dws->fifo_len - rxflr - txflr) as\n\t * one maximum value for tx, but it doesn't cover the\n\t * data which is out of tx/rx fifo and inside the\n\t * shift registers. So a control from sw point of\n\t * view is taken.\n\t */\n\trxtx_gap = ((dws->rx_end - dws->rx) - (dws->tx_end - dws->tx))\n\t\t\t/ dws->n_bytes;\n\n\treturn min3(tx_left, tx_room, (u32) (dws->fifo_len - rxtx_gap));\n}",
- "project": "linux",
- "hash": 213183701304300001146036022339693894975,
- "size": 20,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 462444
- },
- {
- "func": "static void dw_reader(struct dw_spi *dws)\n{\n\tu32 max;\n\tu16 rxw;\n\n\tspin_lock(&dws->buf_lock);\n\tmax = rx_max(dws);\n\twhile (max--) {\n\t\trxw = dw_read_io_reg(dws, DW_SPI_DR);\n\t\t/* Care rx only if the transfer's original \"rx\" is not null */\n\t\tif (dws->rx_end - dws->len) {\n\t\t\tif (dws->n_bytes == 1)\n\t\t\t\t*(u8 *)(dws->rx) = rxw;\n\t\t\telse\n\t\t\t\t*(u16 *)(dws->rx) = rxw;\n\t\t}\n\t\tdws->rx += dws->n_bytes;\n\t}\n\tspin_unlock(&dws->buf_lock);\n}",
- "project": "linux",
- "hash": 43175951923458851445352561349773373287,
- "size": 20,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 462449
- },
- {
- "func": "static irqreturn_t interrupt_transfer(struct dw_spi *dws)\n{\n\tu16 irq_status = dw_readl(dws, DW_SPI_ISR);\n\n\t/* Error handling */\n\tif (irq_status & (SPI_INT_TXOI | SPI_INT_RXOI | SPI_INT_RXUI)) {\n\t\tdw_readl(dws, DW_SPI_ICR);\n\t\tint_error_stop(dws, \"interrupt_transfer: fifo overrun/underrun\");\n\t\treturn IRQ_HANDLED;\n\t}\n\n\tdw_reader(dws);\n\tif (dws->rx_end == dws->rx) {\n\t\tspi_mask_intr(dws, SPI_INT_TXEI);\n\t\tspi_finalize_current_transfer(dws->master);\n\t\treturn IRQ_HANDLED;\n\t}\n\tif (irq_status & SPI_INT_TXEI) {\n\t\tspi_mask_intr(dws, SPI_INT_TXEI);\n\t\tdw_writer(dws);\n\t\t/* Enable TX irq always, it will be disabled when RX finished */\n\t\tspi_umask_intr(dws, SPI_INT_TXEI);\n\t}\n\n\treturn IRQ_HANDLED;\n}",
- "project": "linux",
- "hash": 329394486355196072499215754377682953976,
- "size": 26,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 462455
- },
- {
- "func": "static void int_error_stop(struct dw_spi *dws, const char *msg)\n{\n\tspi_reset_chip(dws);\n\n\tdev_err(&dws->master->dev, \"%s\\n\", msg);\n\tdws->master->cur_msg->status = -EIO;\n\tspi_finalize_current_transfer(dws->master);\n}",
- "project": "linux",
- "hash": 51366913899485688758339908551603046061,
- "size": 8,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 462445
- },
- {
- "func": "static int poll_transfer(struct dw_spi *dws)\n{\n\tdo {\n\t\tdw_writer(dws);\n\t\tdw_reader(dws);\n\t\tcpu_relax();\n\t} while (dws->rx_end > dws->rx);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 223794499753899155092530499212227087021,
- "size": 10,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 462447
- },
- {
- "func": "static void dw_writer(struct dw_spi *dws)\n{\n\tu32 max;\n\tu16 txw = 0;\n\n\tspin_lock(&dws->buf_lock);\n\tmax = tx_max(dws);\n\twhile (max--) {\n\t\t/* Set the tx word if the transfer's original \"tx\" is not null */\n\t\tif (dws->tx_end - dws->len) {\n\t\t\tif (dws->n_bytes == 1)\n\t\t\t\ttxw = *(u8 *)(dws->tx);\n\t\t\telse\n\t\t\t\ttxw = *(u16 *)(dws->tx);\n\t\t}\n\t\tdw_write_io_reg(dws, DW_SPI_DR, txw);\n\t\tdws->tx += dws->n_bytes;\n\t}\n\tspin_unlock(&dws->buf_lock);\n}",
- "project": "linux",
- "hash": 175439461371127859720464846166133329580,
- "size": 20,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 462463
- },
- {
- "func": "static int dw_spi_transfer_one(struct spi_controller *master,\n\t\tstruct spi_device *spi, struct spi_transfer *transfer)\n{\n\tstruct dw_spi *dws = spi_controller_get_devdata(master);\n\tstruct chip_data *chip = spi_get_ctldata(spi);\n\tu8 imask = 0;\n\tu16 txlevel = 0;\n\tu32 cr0;\n\tint ret;\n\n\tdws->dma_mapped = 0;\n\n\tdws->tx = (void *)transfer->tx_buf;\n\tdws->tx_end = dws->tx + transfer->len;\n\tdws->rx = transfer->rx_buf;\n\tdws->rx_end = dws->rx + transfer->len;\n\tdws->len = transfer->len;\n\n\tspi_enable_chip(dws, 0);\n\n\t/* Handle per transfer options for bpw and speed */\n\tif (transfer->speed_hz != dws->current_freq) {\n\t\tif (transfer->speed_hz != chip->speed_hz) {\n\t\t\t/* clk_div doesn't support odd number */\n\t\t\tchip->clk_div = (DIV_ROUND_UP(dws->max_freq, transfer->speed_hz) + 1) & 0xfffe;\n\t\t\tchip->speed_hz = transfer->speed_hz;\n\t\t}\n\t\tdws->current_freq = transfer->speed_hz;\n\t\tspi_set_clk(dws, chip->clk_div);\n\t}\n\n\tdws->n_bytes = DIV_ROUND_UP(transfer->bits_per_word, BITS_PER_BYTE);\n\tdws->dma_width = DIV_ROUND_UP(transfer->bits_per_word, BITS_PER_BYTE);\n\n\t/* Default SPI mode is SCPOL = 0, SCPH = 0 */\n\tcr0 = (transfer->bits_per_word - 1)\n\t\t| (chip->type << SPI_FRF_OFFSET)\n\t\t| ((((spi->mode & SPI_CPOL) ? 1 : 0) << SPI_SCOL_OFFSET) |\n\t\t\t(((spi->mode & SPI_CPHA) ? 1 : 0) << SPI_SCPH_OFFSET))\n\t\t| (chip->tmode << SPI_TMOD_OFFSET);\n\n\t/*\n\t * Adjust transfer mode if necessary. 
Requires platform dependent\n\t * chipselect mechanism.\n\t */\n\tif (chip->cs_control) {\n\t\tif (dws->rx && dws->tx)\n\t\t\tchip->tmode = SPI_TMOD_TR;\n\t\telse if (dws->rx)\n\t\t\tchip->tmode = SPI_TMOD_RO;\n\t\telse\n\t\t\tchip->tmode = SPI_TMOD_TO;\n\n\t\tcr0 &= ~SPI_TMOD_MASK;\n\t\tcr0 |= (chip->tmode << SPI_TMOD_OFFSET);\n\t}\n\n\tdw_writel(dws, DW_SPI_CTRL0, cr0);\n\n\t/* Check if current transfer is a DMA transaction */\n\tif (master->can_dma && master->can_dma(master, spi, transfer))\n\t\tdws->dma_mapped = master->cur_msg_mapped;\n\n\t/* For poll mode just disable all interrupts */\n\tspi_mask_intr(dws, 0xff);\n\n\t/*\n\t * Interrupt mode\n\t * we only need set the TXEI IRQ, as TX/RX always happen syncronizely\n\t */\n\tif (dws->dma_mapped) {\n\t\tret = dws->dma_ops->dma_setup(dws, transfer);\n\t\tif (ret < 0) {\n\t\t\tspi_enable_chip(dws, 1);\n\t\t\treturn ret;\n\t\t}\n\t} else if (!chip->poll_mode) {\n\t\ttxlevel = min_t(u16, dws->fifo_len / 2, dws->len / dws->n_bytes);\n\t\tdw_writel(dws, DW_SPI_TXFLTR, txlevel);\n\n\t\t/* Set the interrupt mask */\n\t\timask |= SPI_INT_TXEI | SPI_INT_TXOI |\n\t\t\t SPI_INT_RXUI | SPI_INT_RXOI;\n\t\tspi_umask_intr(dws, imask);\n\n\t\tdws->transfer_handler = interrupt_transfer;\n\t}\n\n\tspi_enable_chip(dws, 1);\n\n\tif (dws->dma_mapped) {\n\t\tret = dws->dma_ops->dma_transfer(dws, transfer);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\n\tif (chip->poll_mode)\n\t\treturn poll_transfer(dws);\n\n\treturn 1;\n}",
- "project": "linux",
- "hash": 191752239953234250352277066792734233491,
- "size": 101,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 1,
- "dataset": "other",
- "idx": 212837
- },
- {
- "func": "static int dw_spi_transfer_one(struct spi_controller *master,\n\t\tstruct spi_device *spi, struct spi_transfer *transfer)\n{\n\tstruct dw_spi *dws = spi_controller_get_devdata(master);\n\tstruct chip_data *chip = spi_get_ctldata(spi);\n\tunsigned long flags;\n\tu8 imask = 0;\n\tu16 txlevel = 0;\n\tu32 cr0;\n\tint ret;\n\n\tdws->dma_mapped = 0;\n\tspin_lock_irqsave(&dws->buf_lock, flags);\n\tdws->tx = (void *)transfer->tx_buf;\n\tdws->tx_end = dws->tx + transfer->len;\n\tdws->rx = transfer->rx_buf;\n\tdws->rx_end = dws->rx + transfer->len;\n\tdws->len = transfer->len;\n\tspin_unlock_irqrestore(&dws->buf_lock, flags);\n\n\tspi_enable_chip(dws, 0);\n\n\t/* Handle per transfer options for bpw and speed */\n\tif (transfer->speed_hz != dws->current_freq) {\n\t\tif (transfer->speed_hz != chip->speed_hz) {\n\t\t\t/* clk_div doesn't support odd number */\n\t\t\tchip->clk_div = (DIV_ROUND_UP(dws->max_freq, transfer->speed_hz) + 1) & 0xfffe;\n\t\t\tchip->speed_hz = transfer->speed_hz;\n\t\t}\n\t\tdws->current_freq = transfer->speed_hz;\n\t\tspi_set_clk(dws, chip->clk_div);\n\t}\n\n\tdws->n_bytes = DIV_ROUND_UP(transfer->bits_per_word, BITS_PER_BYTE);\n\tdws->dma_width = DIV_ROUND_UP(transfer->bits_per_word, BITS_PER_BYTE);\n\n\t/* Default SPI mode is SCPOL = 0, SCPH = 0 */\n\tcr0 = (transfer->bits_per_word - 1)\n\t\t| (chip->type << SPI_FRF_OFFSET)\n\t\t| ((((spi->mode & SPI_CPOL) ? 1 : 0) << SPI_SCOL_OFFSET) |\n\t\t\t(((spi->mode & SPI_CPHA) ? 1 : 0) << SPI_SCPH_OFFSET))\n\t\t| (chip->tmode << SPI_TMOD_OFFSET);\n\n\t/*\n\t * Adjust transfer mode if necessary. 
Requires platform dependent\n\t * chipselect mechanism.\n\t */\n\tif (chip->cs_control) {\n\t\tif (dws->rx && dws->tx)\n\t\t\tchip->tmode = SPI_TMOD_TR;\n\t\telse if (dws->rx)\n\t\t\tchip->tmode = SPI_TMOD_RO;\n\t\telse\n\t\t\tchip->tmode = SPI_TMOD_TO;\n\n\t\tcr0 &= ~SPI_TMOD_MASK;\n\t\tcr0 |= (chip->tmode << SPI_TMOD_OFFSET);\n\t}\n\n\tdw_writel(dws, DW_SPI_CTRL0, cr0);\n\n\t/* Check if current transfer is a DMA transaction */\n\tif (master->can_dma && master->can_dma(master, spi, transfer))\n\t\tdws->dma_mapped = master->cur_msg_mapped;\n\n\t/* For poll mode just disable all interrupts */\n\tspi_mask_intr(dws, 0xff);\n\n\t/*\n\t * Interrupt mode\n\t * we only need set the TXEI IRQ, as TX/RX always happen syncronizely\n\t */\n\tif (dws->dma_mapped) {\n\t\tret = dws->dma_ops->dma_setup(dws, transfer);\n\t\tif (ret < 0) {\n\t\t\tspi_enable_chip(dws, 1);\n\t\t\treturn ret;\n\t\t}\n\t} else if (!chip->poll_mode) {\n\t\ttxlevel = min_t(u16, dws->fifo_len / 2, dws->len / dws->n_bytes);\n\t\tdw_writel(dws, DW_SPI_TXFLTR, txlevel);\n\n\t\t/* Set the interrupt mask */\n\t\timask |= SPI_INT_TXEI | SPI_INT_TXOI |\n\t\t\t SPI_INT_RXUI | SPI_INT_RXOI;\n\t\tspi_umask_intr(dws, imask);\n\n\t\tdws->transfer_handler = interrupt_transfer;\n\t}\n\n\tspi_enable_chip(dws, 1);\n\n\tif (dws->dma_mapped) {\n\t\tret = dws->dma_ops->dma_transfer(dws, transfer);\n\t\tif (ret < 0)\n\t\t\treturn ret;\n\t}\n\n\tif (chip->poll_mode)\n\t\treturn poll_transfer(dws);\n\n\treturn 1;\n}",
- "project": "linux",
- "hash": 323360310926930360690361021045187060996,
- "size": 103,
- "commit_id": "19b61392c5a852b4e8a0bf35aecb969983c5932d",
- "message": "spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls\n\ndw_spi_irq() and dw_spi_transfer_one concurrent calls.\n\nI find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,\ndw->len==4, and dw->tx_end==1.\n\nWhen tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one\nmay concurrent visit dw_spi, so I think dw_spi structure lack of protection.\n\nOtherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,\nstore dw rx/tx instructions and other cores handle irq load dw rx/tx\ninstructions may out of order.\n\n\t[ 1025.321302] Call trace:\n\t...\n\t[ 1025.321319] __crash_kexec+0x98/0x148\n\t[ 1025.321323] panic+0x17c/0x314\n\t[ 1025.321329] die+0x29c/0x2e8\n\t[ 1025.321334] die_kernel_fault+0x68/0x78\n\t[ 1025.321337] __do_kernel_fault+0x90/0xb0\n\t[ 1025.321346] do_page_fault+0x88/0x500\n\t[ 1025.321347] do_translation_fault+0xa8/0xb8\n\t[ 1025.321349] do_mem_abort+0x68/0x118\n\t[ 1025.321351] el1_da+0x20/0x8c\n\t[ 1025.321362] dw_writer+0xc8/0xd0\n\t[ 1025.321364] interrupt_transfer+0x60/0x110\n\t[ 1025.321365] dw_spi_irq+0x48/0x70\n\t...\n\nSigned-off-by: wuxu.wu <wuxu.wu@huawei.com>\nLink: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com\nSigned-off-by: Mark Brown <broonie@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 462461
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "nhmldump_process",
- "nhmldump_send_frame",
- "nhmldump_pck_property"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static void nhmldump_send_header(GF_NHMLDumpCtx *ctx)\n{\n\tGF_FilterPacket *dst_pck;\n\tchar nhml[1024];\n\tu32 size;\n\tu8 *output;\n\tconst GF_PropertyValue *p;\n\n\tctx->szRootName = \"NHNTStream\";\n\tif (ctx->dims) {\n\t\tctx->szRootName = \"DIMSStream\";\n\t}\n\n\tif (!ctx->filep) {\n\t\tsprintf(nhml, \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\" ?>\\n\");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\n\t/*write header*/\n\tsprintf(nhml, \"<%s version=\\\"1.0\\\" \", ctx->szRootName);\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\n\tNHML_PRINT_UINT(GF_PROP_PID_ID, NULL, \"trackID\")\n\tNHML_PRINT_UINT(GF_PROP_PID_TIMESCALE, NULL, \"timeScale\")\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_IN_IOD);\n\tif (p && p->value.boolean) {\n\t\tsprintf(nhml, \"inRootOD=\\\"yes\\\" \");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\n\tif (ctx->oti && (ctx->oti<GF_CODECID_LAST_MPEG4_MAPPING)) {\n\t\tsprintf(nhml, \"streamType=\\\"%d\\\" objectTypeIndication=\\\"%d\\\" \", ctx->streamtype, ctx->oti);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32)strlen(nhml));\n\t} else {\n\t\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_SUBTYPE);\n\t\tif (p) {\n\t\t\tsprintf(nhml, \"%s=\\\"%s\\\" \", \"mediaType\", gf_4cc_to_str(p->value.uint));\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\t\tNHML_PRINT_4CC(GF_PROP_PID_ISOM_SUBTYPE, \"mediaSubType\", \"mediaSubType\")\n\t\t} else {\n\t\t\tNHML_PRINT_4CC(GF_PROP_PID_CODECID, NULL, \"codecID\")\n\t\t}\n\t}\n\n\tif (ctx->w && ctx->h) {\n\t\t//compatibility with old arch, we might want to remove this\n\t\tswitch (ctx->streamtype) {\n\t\tcase GF_STREAM_VISUAL:\n\t\tcase GF_STREAM_SCENE:\n\t\t\tsprintf(nhml, \"width=\\\"%d\\\" height=\\\"%d\\\" \", ctx->w, ctx->h);\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\telse if (ctx->sr && ctx->chan) 
{\n\t\tsprintf(nhml, \"sampleRate=\\\"%d\\\" numChannels=\\\"%d\\\" \", ctx->sr, ctx->chan);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\tsprintf(nhml, \"sampleRate=\\\"%d\\\" numChannels=\\\"%d\\\" \", ctx->sr, ctx->chan);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_AUDIO_FORMAT);\n\t\tsprintf(nhml, \"bitsPerSample=\\\"%d\\\" \", gf_audio_fmt_bit_depth(p->value.uint));\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\n\tNHML_PRINT_4CC(0, \"codec_vendor\", \"codecVendor\")\n\tNHML_PRINT_UINT(0, \"codec_version\", \"codecVersion\")\n\tNHML_PRINT_UINT(0, \"codec_revision\", \"codecRevision\")\n\tNHML_PRINT_STRING(0, \"compressor_name\", \"compressorName\")\n\tNHML_PRINT_UINT(0, \"temporal_quality\", \"temporalQuality\")\n\tNHML_PRINT_UINT(0, \"spatial_quality\", \"spatialQuality\")\n\tNHML_PRINT_UINT(0, \"hres\", \"horizontalResolution\")\n\tNHML_PRINT_UINT(0, \"vres\", \"verticalResolution\")\n\tNHML_PRINT_UINT(GF_PROP_PID_BIT_DEPTH_Y, NULL, \"bitDepth\")\n\n\tNHML_PRINT_STRING(0, \"meta:xmlns\", \"xml_namespace\")\n\tNHML_PRINT_STRING(0, \"meta:schemaloc\", \"xml_schema_location\")\n\tNHML_PRINT_STRING(0, \"meta:mime\", \"mime_type\")\n\n\tNHML_PRINT_STRING(0, \"meta:config\", \"config\")\n\tNHML_PRINT_STRING(0, \"meta:aux_mimes\", \"aux_mime_type\")\n\n\tif (ctx->codecid == GF_CODECID_DIMS) {\n\t\tif (gf_filter_pid_get_property_str(ctx->ipid, \"meta:xmlns\")==NULL) {\n\t\t\tsprintf(nhml, \"xmlns=\\\"http://www.3gpp.org/richmedia\\\" \");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\n\t\tNHML_PRINT_UINT(0, \"dims:profile\", \"profile\")\n\t\tNHML_PRINT_UINT(0, \"dims:level\", \"level\")\n\t\tNHML_PRINT_UINT(0, \"dims:pathComponents\", \"pathComponents\")\n\n\t\tp = gf_filter_pid_get_property_str(ctx->ipid, \"dims:fullRequestHost\");\n\t\tif (p) {\n\t\t\tsprintf(nhml, \"useFullRequestHost=\\\"%s\\\" \", p->value.boolean ? 
\"yes\" : \"no\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tp = gf_filter_pid_get_property_str(ctx->ipid, \"dims:streamType\");\n\t\tif (p) {\n\t\t\tsprintf(nhml, \"stream_type=\\\"%s\\\" \", p->value.boolean ? \"primary\" : \"secondary\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tp = gf_filter_pid_get_property_str(ctx->ipid, \"dims:redundant\");\n\t\tif (p) {\n\t\t\tsprintf(nhml, \"contains_redundant=\\\"%s\\\" \", (p->value.uint==1) ? \"main\" : ((p->value.uint==1) ? \"redundant\" : \"main+redundant\") );\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tNHML_PRINT_UINT(0, \"dims:scriptTypes\", \"scriptTypes\")\n\t}\n\n\t//send DCD\n\tif (ctx->opid_info) {\n\t\tsprintf(nhml, \"specificInfoFile=\\\"%s\\\" \", gf_file_basename(ctx->info_file) );\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\tdst_pck = gf_filter_pck_new_shared(ctx->opid_info, ctx->dcfg, ctx->dcfg_size, NULL);\n\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\t\tgf_filter_pck_set_readonly(dst_pck);\n\t\tgf_filter_pck_send(dst_pck);\n\t}\n\n\tNHML_PRINT_STRING(0, \"meta:encoding\", \"encoding\")\n\tNHML_PRINT_STRING(0, \"meta:contentEncoding\", \"content_encoding\")\n\tctx->uncompress = GF_FALSE;\n\tif (p) {\n\t\tif (!strcmp(p->value.string, \"deflate\")) ctx->uncompress = GF_TRUE;\n\t\telse {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_AUTHOR, (\"[NHMLMx] content_encoding %s not supported\\n\", p->value.string ));\n\t\t}\n\t}\n\n\tif (ctx->opid_mdia) {\n\t\tsprintf(nhml, \"baseMediaFile=\\\"%s\\\" \", gf_file_basename(ctx->media_file) );\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\tsprintf(nhml, \">\\n\");\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\tgf_bs_get_content_no_truncate(ctx->bs_w, &ctx->nhml_buffer, &size, &ctx->nhml_buffer_size);\n\n\tif (ctx->filep) {\n\t\tgf_fwrite(ctx->nhml_buffer, size, ctx->filep);\n\t\treturn;\n\t}\n\n\tdst_pck = 
gf_filter_pck_new_alloc(ctx->opid_nhml, size, &output);\n\tmemcpy(output, ctx->nhml_buffer, size);\n\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_FALSE);\n\tgf_filter_pck_send(dst_pck);\n}",
- "project": "gpac",
- "hash": 171851966591827362626279278095562125748,
- "size": 154,
- "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349",
- "message": "fixed #1565",
- "target": 1,
- "dataset": "other",
- "idx": 196766
- },
- {
- "func": "static void nhmldump_send_header(GF_NHMLDumpCtx *ctx)\n{\n\tGF_FilterPacket *dst_pck;\n\tchar nhml[1024];\n\tu32 size;\n\tu8 *output;\n\tconst GF_PropertyValue *p;\n\n\tctx->szRootName = \"NHNTStream\";\n\tif (ctx->dims) {\n\t\tctx->szRootName = \"DIMSStream\";\n\t}\n\n\tif (!ctx->filep) {\n\t\tsprintf(nhml, \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\" ?>\\n\");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\n\t/*write header*/\n\tsprintf(nhml, \"<%s version=\\\"1.0\\\" \", ctx->szRootName);\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\n\tNHML_PRINT_UINT(GF_PROP_PID_ID, NULL, \"trackID\")\n\tNHML_PRINT_UINT(GF_PROP_PID_TIMESCALE, NULL, \"timeScale\")\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_IN_IOD);\n\tif (p && p->value.boolean) {\n\t\tsprintf(nhml, \"inRootOD=\\\"yes\\\" \");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\n\tif (ctx->oti && (ctx->oti<GF_CODECID_LAST_MPEG4_MAPPING)) {\n\t\tsprintf(nhml, \"streamType=\\\"%d\\\" objectTypeIndication=\\\"%d\\\" \", ctx->streamtype, ctx->oti);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32)strlen(nhml));\n\t} else {\n\t\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_SUBTYPE);\n\t\tif (p) {\n\t\t\tsprintf(nhml, \"%s=\\\"%s\\\" \", \"mediaType\", gf_4cc_to_str(p->value.uint));\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\t\tNHML_PRINT_4CC(GF_PROP_PID_ISOM_SUBTYPE, \"mediaSubType\", \"mediaSubType\")\n\t\t} else {\n\t\t\tNHML_PRINT_4CC(GF_PROP_PID_CODECID, NULL, \"codecID\")\n\t\t}\n\t}\n\n\tif (ctx->w && ctx->h) {\n\t\t//compatibility with old arch, we might want to remove this\n\t\tswitch (ctx->streamtype) {\n\t\tcase GF_STREAM_VISUAL:\n\t\tcase GF_STREAM_SCENE:\n\t\t\tsprintf(nhml, \"width=\\\"%d\\\" height=\\\"%d\\\" \", ctx->w, ctx->h);\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tbreak;\n\t\t}\n\t}\n\telse if (ctx->sr && ctx->chan) 
{\n\t\tsprintf(nhml, \"sampleRate=\\\"%d\\\" numChannels=\\\"%d\\\" \", ctx->sr, ctx->chan);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\tsprintf(nhml, \"sampleRate=\\\"%d\\\" numChannels=\\\"%d\\\" \", ctx->sr, ctx->chan);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_AUDIO_FORMAT);\n\t\tif (p)\n\t\t\tsprintf(nhml, \"bitsPerSample=\\\"%d\\\" \", gf_audio_fmt_bit_depth(p->value.uint));\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\n\tNHML_PRINT_4CC(0, \"codec_vendor\", \"codecVendor\")\n\tNHML_PRINT_UINT(0, \"codec_version\", \"codecVersion\")\n\tNHML_PRINT_UINT(0, \"codec_revision\", \"codecRevision\")\n\tNHML_PRINT_STRING(0, \"compressor_name\", \"compressorName\")\n\tNHML_PRINT_UINT(0, \"temporal_quality\", \"temporalQuality\")\n\tNHML_PRINT_UINT(0, \"spatial_quality\", \"spatialQuality\")\n\tNHML_PRINT_UINT(0, \"hres\", \"horizontalResolution\")\n\tNHML_PRINT_UINT(0, \"vres\", \"verticalResolution\")\n\tNHML_PRINT_UINT(GF_PROP_PID_BIT_DEPTH_Y, NULL, \"bitDepth\")\n\n\tNHML_PRINT_STRING(0, \"meta:xmlns\", \"xml_namespace\")\n\tNHML_PRINT_STRING(0, \"meta:schemaloc\", \"xml_schema_location\")\n\tNHML_PRINT_STRING(0, \"meta:mime\", \"mime_type\")\n\n\tNHML_PRINT_STRING(0, \"meta:config\", \"config\")\n\tNHML_PRINT_STRING(0, \"meta:aux_mimes\", \"aux_mime_type\")\n\n\tif (ctx->codecid == GF_CODECID_DIMS) {\n\t\tif (gf_filter_pid_get_property_str(ctx->ipid, \"meta:xmlns\")==NULL) {\n\t\t\tsprintf(nhml, \"xmlns=\\\"http://www.3gpp.org/richmedia\\\" \");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\n\t\tNHML_PRINT_UINT(0, \"dims:profile\", \"profile\")\n\t\tNHML_PRINT_UINT(0, \"dims:level\", \"level\")\n\t\tNHML_PRINT_UINT(0, \"dims:pathComponents\", \"pathComponents\")\n\n\t\tp = gf_filter_pid_get_property_str(ctx->ipid, \"dims:fullRequestHost\");\n\t\tif (p) {\n\t\t\tsprintf(nhml, \"useFullRequestHost=\\\"%s\\\" \", 
p->value.boolean ? \"yes\" : \"no\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tp = gf_filter_pid_get_property_str(ctx->ipid, \"dims:streamType\");\n\t\tif (p) {\n\t\t\tsprintf(nhml, \"stream_type=\\\"%s\\\" \", p->value.boolean ? \"primary\" : \"secondary\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tp = gf_filter_pid_get_property_str(ctx->ipid, \"dims:redundant\");\n\t\tif (p) {\n\t\t\tsprintf(nhml, \"contains_redundant=\\\"%s\\\" \", (p->value.uint==1) ? \"main\" : ((p->value.uint==1) ? \"redundant\" : \"main+redundant\") );\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tNHML_PRINT_UINT(0, \"dims:scriptTypes\", \"scriptTypes\")\n\t}\n\n\t//send DCD\n\tif (ctx->opid_info) {\n\t\tsprintf(nhml, \"specificInfoFile=\\\"%s\\\" \", gf_file_basename(ctx->info_file) );\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\tdst_pck = gf_filter_pck_new_shared(ctx->opid_info, ctx->dcfg, ctx->dcfg_size, NULL);\n\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\t\tgf_filter_pck_set_readonly(dst_pck);\n\t\tgf_filter_pck_send(dst_pck);\n\t}\n\n\tNHML_PRINT_STRING(0, \"meta:encoding\", \"encoding\")\n\tNHML_PRINT_STRING(0, \"meta:contentEncoding\", \"content_encoding\")\n\tctx->uncompress = GF_FALSE;\n\tif (p) {\n\t\tif (!strcmp(p->value.string, \"deflate\")) ctx->uncompress = GF_TRUE;\n\t\telse {\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_AUTHOR, (\"[NHMLMx] content_encoding %s not supported\\n\", p->value.string ));\n\t\t}\n\t}\n\n\tif (ctx->opid_mdia) {\n\t\tsprintf(nhml, \"baseMediaFile=\\\"%s\\\" \", gf_file_basename(ctx->media_file) );\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\tsprintf(nhml, \">\\n\");\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\tgf_bs_get_content_no_truncate(ctx->bs_w, &ctx->nhml_buffer, &size, &ctx->nhml_buffer_size);\n\n\tif (ctx->filep) {\n\t\tgf_fwrite(ctx->nhml_buffer, size, 
ctx->filep);\n\t\treturn;\n\t}\n\n\tdst_pck = gf_filter_pck_new_alloc(ctx->opid_nhml, size, &output);\n\tmemcpy(output, ctx->nhml_buffer, size);\n\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_FALSE);\n\tgf_filter_pck_send(dst_pck);\n}",
- "project": "gpac",
- "hash": 192488898754254972476380860269472215022,
- "size": 155,
- "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349",
- "message": "fixed #1565",
- "target": 0,
- "dataset": "other",
- "idx": 244385
- },
- {
- "func": "static void nhmldump_send_frame(GF_NHMLDumpCtx *ctx, char *data, u32 data_size, GF_FilterPacket *pck)\n{\n\tGF_FilterPacket *dst_pck;\n\tchar nhml[1024];\n\tconst GF_PropertyValue *p;\n\tu32 size;\n\tu8 *output;\n\tGF_FilterSAPType sap = gf_filter_pck_get_sap(pck);\n\tu64 dts = gf_filter_pck_get_dts(pck);\n\tu64 cts = gf_filter_pck_get_cts(pck);\n\n\tif (dts==GF_FILTER_NO_TS) dts = cts;\n\tif (cts==GF_FILTER_NO_TS) cts = dts;\n\n\tctx->pck_num++;\n\tsprintf(nhml, \"<NHNTSample number=\\\"%d\\\" DTS=\\\"\"LLU\"\\\" dataLength=\\\"%d\\\" \", ctx->pck_num, dts, data_size);\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\tif (ctx->pckp || (cts != dts) ) {\n\t\tsprintf(nhml, \"CTSOffset=\\\"%d\\\" \", (s32) ((s64)cts - (s64)dts));\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\tif (sap==GF_FILTER_SAP_1) {\n\t\tsprintf(nhml, \"isRAP=\\\"yes\\\" \");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t} else if (sap) {\n\t\tsprintf(nhml, \"SAPType=\\\"%d\\\" \", sap);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t} else if (ctx->pckp) {\n\t\tsprintf(nhml, \"isRAP=\\\"no\\\" \");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\tif ((sap==GF_FILTER_SAP_4) || (sap==GF_FILTER_SAP_4_PROL)) {\n\t\t\ts32 roll = gf_filter_pck_get_roll_info(pck);\n\t\t\tsprintf(nhml, \"SAPType=\\\"4\\\" %s=\\\"%d\\\" \", (sap==GF_FILTER_SAP_4_PROL) ? 
\"prol\" : \"roll\", roll);\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t}\n\n\tif (ctx->pckp) {\n\t\tu64 bo;\n\t\tu32 duration, idx;\n\t\tsprintf(nhml, \"mediaOffset=\\\"\"LLU\"\\\" \", ctx->mdia_pos);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\tbo = gf_filter_pck_get_byte_offset(pck);\n\t\tif (bo!=GF_FILTER_NO_BO) {\n\t\t\tsprintf(nhml, \"sourceByteOffset=\\\"\"LLU\"\\\" \", bo);\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tduration = gf_filter_pck_get_duration(pck);\n\t\tif (duration) {\n\t\t\tsprintf(nhml, \"duration=\\\"%d\\\" \", duration);\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tidx = gf_filter_pck_get_carousel_version(pck);\n\t\tif (idx) {\n\t\t\tsprintf(nhml, \"carouselVersion=\\\"%d\\\" \", idx);\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tidx = 0;\n\t\twhile (1) {\n\t\t\tu32 prop_4cc;\n\t\t\tconst char *prop_name;\n\t\t\tp = gf_filter_pck_enum_properties(pck, &idx, &prop_4cc, &prop_name);\n\t\t\tif (!p) break;\n\t\t\tif (prop_4cc == GF_PROP_PCK_SUBS) continue;\n\t\t\tnhmldump_pck_property(ctx, prop_4cc, prop_name, p);\n\t\t}\n\t}\n\n\tif (ctx->chksum) {\n\t\tif (ctx->chksum==1) {\n\t\t\tu32 crc = gf_crc_32(data, data_size);\n\t\t\tsprintf(nhml, \"crc=\\\"%08X\\\" \", crc);\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t} else {\n\t\t\tu32 j;\n\t\t\tu8 hash[GF_SHA1_DIGEST_SIZE];\n\t\t\tgf_sha1_csum(data, data_size, hash);\n\t\t\tsprintf(nhml, \"sha1=\\\"\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t\tfor (j=0; j<20; j++) {\n\t\t\t\tsprintf(nhml, \"%02X\", hash[j]);\n\t\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t\t}\n\t\t\tsprintf(nhml, \"\\\" \");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t}\n\n\tsprintf(nhml, \">\\n\");\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\tp = gf_filter_pck_get_property(pck, 
GF_PROP_PCK_SUBS);\n\tif (p) {\n\t\tu32 offset_in_sample = 0;\n\t\tBool first_subs = GF_TRUE;\n\t\tif (!ctx->bs_r) ctx->bs_r = gf_bs_new(p->value.data.ptr, p->value.data.size, GF_BITSTREAM_READ);\n\t\telse gf_bs_reassign_buffer(ctx->bs_r, p->value.data.ptr, p->value.data.size);\n\n\t\t//(data) binary blob containing N [(u32)flags(u32)size(u32)reserved(u8)priority(u8) discardable]\n\t\twhile (gf_bs_available(ctx->bs_r)) {\n\t\t\tu32 s_flags = gf_bs_read_u32(ctx->bs_r);\n\t\t\tu32 s_size = gf_bs_read_u32(ctx->bs_r);\n\t\t\tu32 s_res = gf_bs_read_u32(ctx->bs_r);\n\t\t\tu8 s_prio = gf_bs_read_u8(ctx->bs_r);\n\t\t\tu8 s_discard = gf_bs_read_u8(ctx->bs_r);\n\n\n\t\t\tif (offset_in_sample + s_size > data_size) {\n\t\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_AUTHOR, (\"Wrong subsample info: sample size %d vs subsample offset+size %dn\", data_size, offset_in_sample + s_size));\n\t\t\t\tbreak;\n\t\t\t}\n\n\t\t\tif (ctx->is_stpp && ctx->nhmlonly) {\n\t\t\t\tif (first_subs) {\n\t\t\t\t\tsprintf(nhml, \"<NHNTSubSample>\\n\");\n\t\t\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\t\t\t\tgf_bs_write_data(ctx->bs_w, data, s_size);\n\n\t\t\t\t\tsprintf(nhml, \"</NHNTSubSample>\\n\");\n\t\t\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t\t\t} else {\n\t\t\t\t\tu32 d_size;\n\t\t\t\t\tif (ctx->b64_buffer_size<2*s_size) {\n\t\t\t\t\t\tctx->b64_buffer_size = 2 * s_size;\n\t\t\t\t\t\tctx->b64_buffer = gf_realloc(ctx->b64_buffer, ctx->b64_buffer_size);\n\t\t\t\t\t}\n\t\t\t\t\td_size = gf_base64_encode(data + offset_in_sample, s_size, ctx->b64_buffer, ctx->b64_buffer_size);\n\t\t\t\t\tctx->b64_buffer[d_size] = 0;\n\t\t\t\t\tsprintf(nhml, \"<NHNTSubSample data=\\\"data:application/octet-string;base64,\");\n\t\t\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t\t\t\tgf_bs_write_data(ctx->bs_w, ctx->b64_buffer, d_size);\n\t\t\t\t\tsprintf(nhml, \"\\\">\\n\");\n\t\t\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t\t\t}\n\t\t\t} else 
{\n\t\t\t\tsprintf(nhml, \"<NHNTSubSample size=\\\"%d\\\" flags=\\\"%d\\\" reserved=\\\"%d\\\" priority=\\\"%d\\\" discard=\\\"%d\\\" />\\n\", s_size, s_flags, s_res, s_prio, s_discard);\n\t\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t\t}\n\t\t\tfirst_subs = GF_FALSE;\n\t\t}\n\t} else if (ctx->is_stpp && ctx->nhmlonly) {\n\t\tsprintf(nhml, \"<NHNTSubSample><![CDATA[\\n\");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\tgf_bs_write_data(ctx->bs_w, data, data_size);\n\t\tsprintf(nhml, \"]]></NHNTSubSample>\\n\");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t}\n\tsprintf(nhml, \"</NHNTSample>\\n\");\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\tgf_bs_get_content_no_truncate(ctx->bs_w, &ctx->nhml_buffer, &size, &ctx->nhml_buffer_size);\n\n\tif (ctx->filep) {\n\t\tgf_fwrite(ctx->nhml_buffer, size, ctx->filep);\n\t\treturn;\n\t}\n\n\tdst_pck = gf_filter_pck_new_alloc(ctx->opid_nhml, size, &output);\n\tmemcpy(output, ctx->nhml_buffer, size);\n\tgf_filter_pck_set_framing(dst_pck, GF_FALSE, GF_FALSE);\n\tgf_filter_pck_send(dst_pck);\n\n\tctx->mdia_pos += data_size;\n\n\tif (ctx->opid_mdia) {\n\t\t//send data packet\n\t\tdst_pck = gf_filter_pck_new_ref(ctx->opid_mdia, data, data_size, pck);\n\t\tgf_filter_pck_merge_properties(pck, dst_pck);\n\t\t//keep byte offset ?\n//\t\tgf_filter_pck_set_byte_offset(dst_pck, GF_FILTER_NO_BO);\n\n\t\tgf_filter_pck_set_framing(dst_pck, ctx->first, GF_FALSE);\n\t\tgf_filter_pck_send(dst_pck);\n\t}\n}",
- "project": "gpac",
- "hash": 336286441310705311743487855153835615035,
- "size": 177,
- "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349",
- "message": "fixed #1565",
- "target": 0,
- "dataset": "other",
- "idx": 244417
- },
- {
- "func": "static void nhmldump_pck_property(GF_NHMLDumpCtx *ctx, u32 p4cc, const char *pname, const GF_PropertyValue *att)\n{\n\tu32 i;\n\tchar nhml[1024];\n\tchar pval[GF_PROP_DUMP_ARG_SIZE];\n\tif (!pname) pname = gf_props_4cc_get_name(p4cc);\n\n\tsprintf(nhml, \"%s=\\\"\", pname ? pname : gf_4cc_to_str(p4cc));\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\tswitch (att->type) {\n\tcase GF_PROP_DATA:\n\tcase GF_PROP_CONST_DATA:\n\tcase GF_PROP_DATA_NO_COPY:\n\t\tsprintf(nhml, \"0x\");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\tfor (i=0; i<att->value.data.size; i++) {\n\t\t\tsprintf(nhml, \"%02X\", (unsigned char) att->value.data.ptr[i]);\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tnhml[0] = 0;\n\t\tbreak;\n\tdefault:\n\t\tsprintf(nhml, \"%s\", gf_props_dump_val(att, pval, GF_FALSE, NULL) );\n\t\tbreak;\n\t}\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\tsprintf(nhml, \"\\\"\");\n\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n}",
- "project": "gpac",
- "hash": 74197779920155075863098662992761658867,
- "size": 30,
- "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349",
- "message": "fixed #1565",
- "target": 0,
- "dataset": "other",
- "idx": 244383
- },
- {
- "func": "GF_Err nhmldump_process(GF_Filter *filter)\n{\n\tGF_NHMLDumpCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck;\n\tchar *data;\n\tu32 pck_size;\n\n\tif (!ctx->side_streams_config) {\n\t\treturn nhmldump_config_side_stream(filter, ctx);\n\t}\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (ctx->bs_w && ctx->szRootName) {\n\t\t\t\tchar nhml[1024];\n\t\t\t\tu32 size;\n\t\t\t\tgf_bs_reassign_buffer(ctx->bs_w, ctx->nhml_buffer, ctx->nhml_buffer_size);\n\t\t\t\tsprintf(nhml, \"</%s>\\n\", ctx->szRootName);\n\t\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\t\t\tgf_bs_get_content_no_truncate(ctx->bs_w, &ctx->nhml_buffer, &size, &ctx->nhml_buffer_size);\n\n\t\t\t\tif (ctx->filep) {\n\t\t\t\t\tgf_fwrite(ctx->nhml_buffer, size, ctx->filep);\n\t\t\t\t} else {\n\t\t\t\t\tGF_FilterPacket *dst_pck;\n\t\t\t\t\tu8 *output;\n\t\t\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid_nhml, size, &output);\n\t\t\t\t\tmemcpy(output, ctx->nhml_buffer, size);\n\t\t\t\t\tgf_filter_pck_set_framing(dst_pck, GF_FALSE, GF_TRUE);\n\t\t\t\t\tgf_filter_pck_send(dst_pck);\n\t\t\t\t}\n\t\t\t\tctx->szRootName = NULL;\n\t\t\t}\n\t\t\tif (ctx->opid_nhml) gf_filter_pid_set_eos(ctx->opid_nhml);\n\t\t\tif (ctx->opid_mdia) gf_filter_pid_set_eos(ctx->opid_mdia);\n\t\t\tif (ctx->opid_info) gf_filter_pid_set_eos(ctx->opid_info);\n\t\t\treturn GF_EOS;\n\t\t}\n\t\treturn GF_OK;\n\t}\n\n\tif (!ctx->bs_w) ctx->bs_w = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);\n\telse gf_bs_reassign_buffer(ctx->bs_w, ctx->nhml_buffer, ctx->nhml_buffer_size);\n\n\tif (ctx->first) {\n\t\tnhmldump_send_header(ctx);\n\t\tgf_bs_reassign_buffer(ctx->bs_w, ctx->nhml_buffer, ctx->nhml_buffer_size);\n\t}\n\n\t//get media data\n\tdata = (char *) gf_filter_pck_get_data(pck, &pck_size);\n\n\t//send data\n\tif (ctx->is_dims) {\n\t\tnhmldump_send_dims(ctx, data, pck_size, pck);\n\t} else {\n\t\tnhmldump_send_frame(ctx, data, pck_size, 
pck);\n\t}\n\tctx->first = GF_FALSE;\n\n\n\tif (ctx->exporter) {\n\t\tu32 timescale = gf_filter_pck_get_timescale(pck);\n\t\tu64 ts = gf_filter_pck_get_cts(pck);\n\t\tgf_set_progress(\"Exporting\", ts*ctx->duration.den, ctx->duration.num*timescale);\n\t}\n\n\tgf_filter_pid_drop_packet(ctx->ipid);\n\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 176148044180457207435418572123664792253,
- "size": 73,
- "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349",
- "message": "fixed #1565",
- "target": 0,
- "dataset": "other",
- "idx": 244420
- },
- {
- "func": "GF_Err nhmldump_config_side_stream(GF_Filter *filter, GF_NHMLDumpCtx *ctx)\n{\n\tchar *mime=NULL, *name;\n\tchar fileName[GF_MAX_PATH+1];\n\tconst GF_PropertyValue *p;\n\tGF_FileIO *gfio = NULL;\n\n\tif (ctx->name) {\n\t\tstrncpy(fileName, ctx->name, GF_MAX_PATH);\n\t\tfileName[GF_MAX_PATH] = 0;\n\t} else {\n\t\tchar *url = gf_filter_pid_get_destination(ctx->opid_nhml);\n\t\tif (url) {\n\t\t\tif (!strncmp(url, \"gfio://\", 7)) {\n\t\t\t\tgfio = gf_fileio_from_url(url);\n\t\t\t\tstrncpy(fileName, gf_fileio_translate_url(url), GF_MAX_PATH);\n\t\t\t} else {\n\t\t\t\tstrncpy(fileName, url, GF_MAX_PATH);\n\t\t\t}\n\t\t\tfileName[GF_MAX_PATH] = 0;\n\t\t\tgf_free(url);\n \t\t} else {\n\t\t\tstrcpy(fileName, \"dump\");\n\t\t}\n\t}\n\tname = gf_file_ext_start(fileName);\n\tif (name) {\n\t\tname[0] = 0;\n\t}\n\n\tif (!ctx->opid_mdia && !ctx->nhmlonly)\n\t\tctx->opid_mdia = gf_filter_pid_new(filter);\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_DECODER_CONFIG);\n\tif (p) {\n\t\tctx->dcfg = p->value.data.ptr;\n\t\tctx->dcfg_size = p->value.data.size;\n\n\t\tif (!ctx->opid_info && !ctx->nhmlonly) {\n\t\t\tctx->opid_info = gf_filter_pid_new(filter);\n\t\t}\n\n\t} else if (ctx->opid_info) {\n\t\tgf_filter_pid_remove(ctx->opid_info);\n\t}\n\tif (ctx->info_file) gf_free(ctx->info_file);\n\tctx->info_file = NULL;\n\n\tif (ctx->opid_mdia) {\n\t\tGF_Err e;\n\t\tchar *res_name;\n\t\tgf_filter_pid_set_property(ctx->opid_mdia, GF_PROP_PID_STREAM_TYPE, &PROP_UINT(GF_STREAM_FILE) );\n\t\tgf_filter_pid_set_property(ctx->opid_mdia, GF_PROP_PID_MIME, &PROP_STRING(mime) );\n\n\t\tname = gf_file_ext_start(fileName);\n\t\tif (name) name[0] = 0;\n\t\tstrcat(fileName, \".media\");\n\t\tif (gfio) {\n\t\t\tres_name = (char *) gf_fileio_factory(gfio, gf_file_basename(fileName) );\n\t\t} else {\n\t\t\tres_name = fileName;\n\t\t}\n\t\tif (!ctx->exporter) {\n\t\t\tgf_filter_pid_set_property(ctx->opid_mdia, GF_PROP_PID_OUTPATH, &PROP_STRING(res_name) );\n\t\t}\n\n\t\tif 
(ctx->media_file) gf_free(ctx->media_file);\n\t\tctx->media_file = gf_strdup(fileName);\n\t\tgf_filter_pid_set_property(ctx->opid_mdia, GF_PROP_PID_FILE_EXT, &PROP_STRING(\"media\") );\n\n\t\tif (!ctx->exporter) {\n\t\t\tGF_Filter *o_media = gf_filter_connect_destination(filter, res_name, &e);\n\t\t\tif (o_media) gf_filter_set_source(o_media, filter, NULL);\n\t\t}\n\t}\n\n\tif (ctx->opid_info) {\n\t\tchar *res_name;\n\t\tGF_Err e;\n\t\tgf_filter_pid_set_property(ctx->opid_info, GF_PROP_PID_STREAM_TYPE, &PROP_UINT(GF_STREAM_FILE) );\n\t\tgf_filter_pid_set_property(ctx->opid_info, GF_PROP_PID_MIME, &PROP_STRING(mime) );\n\n\t\tname = gf_file_ext_start(fileName);\n\t\tif (name) name[0] = 0;\n\t\tstrcat(fileName, \".info\");\n\t\tif (gfio) {\n\t\t\tres_name = (char *) gf_fileio_factory(gfio, gf_file_basename(fileName) );\n\t\t} else {\n\t\t\tres_name = fileName;\n\t\t}\n\t\tif (!ctx->exporter) {\n\t\t\tgf_filter_pid_set_property(ctx->opid_info, GF_PROP_PID_OUTPATH, &PROP_STRING(res_name) );\n\t\t}\n\n\t\tif (ctx->info_file) gf_free(ctx->info_file);\n\t\tctx->info_file = gf_strdup(fileName);\n\t\tgf_filter_pid_set_property(ctx->opid_info, GF_PROP_PID_FILE_EXT, &PROP_STRING(\"info\") );\n\n\t\tif (!ctx->exporter) {\n\t\t\tGF_Filter *o_info = gf_filter_connect_destination(filter, res_name, &e);\n\t\t\tif (o_info) gf_filter_set_source(o_info, filter, NULL);\n\t\t}\n\t}\n\n\tif (ctx->opid_mdia)\n\t\tgf_filter_pid_set_name(ctx->opid_mdia, \"media\");\n\tif (ctx->opid_info)\n\t\tgf_filter_pid_set_name(ctx->opid_info, \"info\");\n\n\tctx->side_streams_config = GF_TRUE;\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 301536470294733846288601020965786265815,
- "size": 112,
- "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349",
- "message": "fixed #1565",
- "target": 0,
- "dataset": "other",
- "idx": 244407
- },
- {
- "func": "static void nhmldump_send_dims(GF_NHMLDumpCtx *ctx, char *data, u32 data_size, GF_FilterPacket *pck)\n{\n\tchar nhml[1024];\n\tu32 size;\n\tu8 *output;\n\tGF_FilterPacket *dst_pck;\n\tu64 dts = gf_filter_pck_get_dts(pck);\n\tu64 cts = gf_filter_pck_get_cts(pck);\n\n\tif (dts==GF_FILTER_NO_TS) dts = cts;\n\tif (cts==GF_FILTER_NO_TS) cts = dts;\n\n\tif (!ctx->bs_r) ctx->bs_r = gf_bs_new(data, data_size, GF_BITSTREAM_READ);\n\telse gf_bs_reassign_buffer(ctx->bs_r, data, data_size);\n\n\twhile (gf_bs_available(ctx->bs_r)) {\n\t\tu64 pos = gf_bs_get_position(ctx->bs_r);\n\t\tsize = gf_bs_read_u16(ctx->bs_r);\n\t\tu8 flags = gf_bs_read_u8(ctx->bs_r);\n\t\tu8 prev;\n\n\t\tif (pos+size+2 > data_size)\n\t\t\tbreak;\n\n\t\tprev = data[pos+2+size];\n\t\tdata[pos+2+size] = 0;\n\n\n\t\tsprintf(nhml, \"<DIMSUnit time=\\\"\"LLU\"\\\"\", cts);\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\t/*DIMS flags*/\n\t\tif (flags & GF_DIMS_UNIT_S) {\n\t\t\tsprintf(nhml, \" is-Scene=\\\"yes\\\"\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tif (flags & GF_DIMS_UNIT_M) {\n\t\t\tsprintf(nhml, \" is-RAP=\\\"yes\\\"\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tif (flags & GF_DIMS_UNIT_I) {\n\t\t\tsprintf(nhml, \" is-redundant=\\\"yes\\\"\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tif (flags & GF_DIMS_UNIT_D) {\n\t\t\tsprintf(nhml, \" redundant-exit=\\\"yes\\\"\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tif (flags & GF_DIMS_UNIT_P) {\n\t\t\tsprintf(nhml, \" priority=\\\"high\\\"\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tif (flags & GF_DIMS_UNIT_C) {\n\t\t\tsprintf(nhml, \" compressed=\\\"yes\\\"\");\n\t\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\t}\n\t\tsprintf(nhml, \">\");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\t\tif (ctx->uncompress && (flags & 
GF_DIMS_UNIT_C)) {\n#ifndef GPAC_DISABLE_ZLIB\n\t\t\tchar svg_data[2049];\n\t\t\tint err;\n\t\t\tu32 done = 0;\n\t\t\tz_stream d_stream;\n\t\t\td_stream.zalloc = (alloc_func)0;\n\t\t\td_stream.zfree = (free_func)0;\n\t\t\td_stream.opaque = (voidpf)0;\n\t\t\td_stream.next_in = (Bytef*) data+pos+3;\n\t\t\td_stream.avail_in = size-1;\n\t\t\td_stream.next_out = (Bytef*)svg_data;\n\t\t\td_stream.avail_out = 2048;\n\n\t\t\terr = inflateInit(&d_stream);\n\t\t\tif (err == Z_OK) {\n\t\t\t\twhile ((s32) d_stream.total_in < size-1) {\n\t\t\t\t\terr = inflate(&d_stream, Z_NO_FLUSH);\n\t\t\t\t\tif (err < Z_OK) break;\n\t\t\t\t\tsvg_data[d_stream.total_out - done] = 0;\n\t\t\t\t\tgf_bs_write_data(ctx->bs_w, svg_data, (u32) strlen(svg_data));\n\n\t\t\t\t\tif (err== Z_STREAM_END) break;\n\t\t\t\t\tdone = (u32) d_stream.total_out;\n\t\t\t\t\td_stream.avail_out = 2048;\n\t\t\t\t\td_stream.next_out = (Bytef*)svg_data;\n\t\t\t\t}\n\t\t\t\tinflateEnd(&d_stream);\n\t\t\t}\n#else\n\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_AUTHOR, (\"Error: your version of GPAC was compiled with no libz support.\"));\n\t\t\tgf_bs_del(ctx->bs_r);\n\t\t\treturn;\n#endif\n\t\t} else {\n\t\t\tgf_bs_write_data(ctx->bs_w, data+pos+3, size-1);\n\t\t}\n\t\tsprintf(nhml, \"</DIMSUnit>\\n\");\n\t\tgf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));\n\n\t\tdata[pos+2+size] = prev;\n\t\tgf_bs_skip_bytes(ctx->bs_r, size-1);\n\t}\n\n\tgf_bs_get_content_no_truncate(ctx->bs_w, &ctx->nhml_buffer, &size, &ctx->nhml_buffer_size);\n\n\tif (ctx->filep) {\n\t\tgf_fwrite(ctx->nhml_buffer, size, ctx->filep);\n\t\treturn;\n\t}\n\n\tdst_pck = gf_filter_pck_new_alloc(ctx->opid_nhml, size, &output);\n\tmemcpy(output, ctx->nhml_buffer, size);\n\tgf_filter_pck_set_framing(dst_pck, GF_FALSE, GF_FALSE);\n\tgf_filter_pck_send(dst_pck);\n}",
- "project": "gpac",
- "hash": 133699289416255090549671730901096396334,
- "size": 114,
- "commit_id": "9eeac00b38348c664dfeae2525bba0cf1bc32349",
- "message": "fixed #1565",
- "target": 0,
- "dataset": "other",
- "idx": 244406
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "x25_destroy_timer",
- "x25_destroy_socket_from_timer",
- "__x25_destroy_socket",
- "x25_remove_socket"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static void x25_remove_socket(struct sock *sk)\n{\n\twrite_lock_bh(&x25_list_lock);\n\tsk_del_node_init(sk);\n\twrite_unlock_bh(&x25_list_lock);\n}",
- "project": "net",
- "hash": 211674392058988057045161520587012124519,
- "size": 6,
- "commit_id": "7781607938c8371d4c2b243527430241c62e39c2",
- "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou <duoming@zju.edu.cn>\nReviewed-by: Lin Ma <linma@zju.edu.cn>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 449185
- },
- {
- "func": "static int x25_release(struct socket *sock)\n{\n\tstruct sock *sk = sock->sk;\n\tstruct x25_sock *x25;\n\n\tif (!sk)\n\t\treturn 0;\n\n\tx25 = x25_sk(sk);\n\n\tsock_hold(sk);\n\tlock_sock(sk);\n\tswitch (x25->state) {\n\n\t\tcase X25_STATE_0:\n\t\tcase X25_STATE_2:\n\t\t\tx25_disconnect(sk, 0, 0, 0);\n\t\t\t__x25_destroy_socket(sk);\n\t\t\tgoto out;\n\n\t\tcase X25_STATE_1:\n\t\tcase X25_STATE_3:\n\t\tcase X25_STATE_4:\n\t\t\tx25_clear_queues(sk);\n\t\t\tx25_write_internal(sk, X25_CLEAR_REQUEST);\n\t\t\tx25_start_t23timer(sk);\n\t\t\tx25->state = X25_STATE_2;\n\t\t\tsk->sk_state\t= TCP_CLOSE;\n\t\t\tsk->sk_shutdown\t|= SEND_SHUTDOWN;\n\t\t\tsk->sk_state_change(sk);\n\t\t\tsock_set_flag(sk, SOCK_DEAD);\n\t\t\tsock_set_flag(sk, SOCK_DESTROY);\n\t\t\tbreak;\n\n\t\tcase X25_STATE_5:\n\t\t\tx25_write_internal(sk, X25_CLEAR_REQUEST);\n\t\t\tx25_disconnect(sk, 0, 0, 0);\n\t\t\t__x25_destroy_socket(sk);\n\t\t\tgoto out;\n\t}\n\n\tsock_orphan(sk);\nout:\n\trelease_sock(sk);\n\tsock_put(sk);\n\treturn 0;\n}",
- "project": "net",
- "hash": 68953831480784744166510465628527507952,
- "size": 47,
- "commit_id": "7781607938c8371d4c2b243527430241c62e39c2",
- "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou <duoming@zju.edu.cn>\nReviewed-by: Lin Ma <linma@zju.edu.cn>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 449167
- },
- {
- "func": "void x25_destroy_socket_from_timer(struct sock *sk)\n{\n\tsock_hold(sk);\n\tbh_lock_sock(sk);\n\t__x25_destroy_socket(sk);\n\tbh_unlock_sock(sk);\n\tsock_put(sk);\n}",
- "project": "net",
- "hash": 107285315962177851069016575084912150380,
- "size": 8,
- "commit_id": "7781607938c8371d4c2b243527430241c62e39c2",
- "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou <duoming@zju.edu.cn>\nReviewed-by: Lin Ma <linma@zju.edu.cn>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 449174
- },
- {
- "func": "static void x25_destroy_timer(struct timer_list *t)\n{\n\tstruct sock *sk = from_timer(sk, t, sk_timer);\n\n\tx25_destroy_socket_from_timer(sk);\n}",
- "project": "net",
- "hash": 9533324264508029075556357866838344897,
- "size": 6,
- "commit_id": "7781607938c8371d4c2b243527430241c62e39c2",
- "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou <duoming@zju.edu.cn>\nReviewed-by: Lin Ma <linma@zju.edu.cn>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 449172
- },
- {
- "func": "static void __x25_destroy_socket(struct sock *sk)\n{\n\tstruct sk_buff *skb;\n\n\tx25_stop_heartbeat(sk);\n\tx25_stop_timer(sk);\n\n\tx25_remove_socket(sk);\n\tx25_clear_queues(sk);\t\t/* Flush the queues */\n\n\twhile ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {\n\t\tif (skb->sk != sk) {\t\t/* A pending connection */\n\t\t\t/*\n\t\t\t * Queue the unaccepted socket for death\n\t\t\t */\n\t\t\tskb->sk->sk_state = TCP_LISTEN;\n\t\t\tsock_set_flag(skb->sk, SOCK_DEAD);\n\t\t\tx25_start_heartbeat(skb->sk);\n\t\t\tx25_sk(skb->sk)->state = X25_STATE_0;\n\t\t}\n\n\t\tkfree_skb(skb);\n\t}\n\n\tif (sk_has_allocations(sk)) {\n\t\t/* Defer: outstanding buffers */\n\t\tsk->sk_timer.expires = jiffies + 10 * HZ;\n\t\tsk->sk_timer.function = x25_destroy_timer;\n\t\tadd_timer(&sk->sk_timer);\n\t} else {\n\t\t/* drop last reference so sock_put will free */\n\t\t__sock_put(sk);\n\t}\n}",
- "project": "net",
- "hash": 37876805302312188033380640487351936531,
- "size": 34,
- "commit_id": "7781607938c8371d4c2b243527430241c62e39c2",
- "message": "net/x25: Fix null-ptr-deref caused by x25_disconnect\n\nWhen the link layer is terminating, x25->neighbour will be set to NULL\nin x25_disconnect(). As a result, it could cause null-ptr-deref bugs in\nx25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is\nshown below.\n\n (Thread 1) | (Thread 2)\nx25_link_terminated() | x25_recvmsg()\n x25_kill_by_neigh() | ...\n x25_disconnect() | lock_sock(sk)\n ... | ...\n x25->neighbour = NULL //(1) |\n ... | x25->neighbour->extended //(2)\n\nThe code sets NULL to x25->neighbour in position (1) and dereferences\nx25->neighbour in position (2), which could cause null-ptr-deref bug.\n\nThis patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize\nwith x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the\nsock held by lock_sock() is not NULL, because it is extracted from x25_list\nand uses x25_list_lock to synchronize.\n\nFixes: 4becb7ee5b3d (\"net/x25: Fix x25_neigh refcnt leak when x25 disconnect\")\nSigned-off-by: Duoming Zhou <duoming@zju.edu.cn>\nReviewed-by: Lin Ma <linma@zju.edu.cn>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 449165
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "WriteCombination",
- "ReadValue",
- "CopyToString"
- ],
- "group_size": 10,
- "functions": [
- {
- "func": " void ReadValue(int64 batch, int64 n, tstring* out) const override {\n CopyToString(values_(row_splits_(batch) + n), out);\n }",
- "project": "tensorflow",
- "hash": 55788464238448605724962746924070324035,
- "size": 3,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230068
- },
- {
- "func": " void ReadValue(int64 batch, int64 n, uint64* out) const override {\n CopyToFingerprint(values_(row_splits_[batch] + n), out);\n }",
- "project": "tensorflow",
- "hash": 254387731714568414422331348354777529512,
- "size": 3,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230072
- },
- {
- "func": " void ReadValue(int64 batch, int64 n, uint64* out) const override {\n CopyToFingerprint(values_(row_splits_(batch) + n), out);\n }",
- "project": "tensorflow",
- "hash": 125238923028743371870118703373360803456,
- "size": 3,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230073
- },
- {
- "func": " void ReadValue(int64 batch, int64 n, uint64* out) const override {\n CopyToFingerprint(values_(batch, n), out);\n }",
- "project": "tensorflow",
- "hash": 306003480010293006259926602076123830066,
- "size": 3,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230088
- },
- {
- "func": " void ReadValue(int64 batch, int64 n, tstring* out) const override {\n CopyToString(values_(row_splits_[batch] + n), out);\n }",
- "project": "tensorflow",
- "hash": 216827240015663779340171285742749249548,
- "size": 3,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230094
- },
- {
- "func": " void ReadValue(int64 batch, int64 n, tstring* out) const override {\n CopyToString(values_(batch, n), out);\n }",
- "project": "tensorflow",
- "hash": 26852071011468745647036129361935258399,
- "size": 3,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230096
- },
- {
- "func": " void WriteCombination(int64 batch_index, const std::vector<int>& combination,\n tstring* out) {\n static const auto k_feature_separator = \"_X_\";\n gtl::InlinedVector<tstring, 6> cross_vec(features_.size());\n for (int i = 0; i < combination.size(); ++i) {\n features_[i]->ReadValue(batch_index, combination[i], &cross_vec[i]);\n }\n *out = absl::StrJoin(cross_vec, k_feature_separator);\n }",
- "project": "tensorflow",
- "hash": 331863358337901230049519626400641216503,
- "size": 9,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230076
- },
- {
- "func": " void WriteCombination(int64 batch_index, const std::vector<int>& combination,\n int64* out) {\n // Do the fingerprint concatenation on uint64.\n uint64 hashed_output = hash_key_;\n for (size_t i = 0; i < combination.size(); ++i) {\n uint64 hash_i;\n features_[i]->ReadValue(batch_index, combination[i], &hash_i);\n hashed_output = FingerprintCat64(hashed_output, hash_i);\n }\n // The return value is int64 based on the number of buckets.\n if (num_buckets_ > 0) {\n *out = hashed_output % num_buckets_;\n } else {\n // To prevent negative output we take modulo to max int64.\n *out = hashed_output % std::numeric_limits<int64>::max();\n }\n }",
- "project": "tensorflow",
- "hash": 168480145799742065585525814434351380206,
- "size": 17,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230090
- },
- {
- "func": "void CopyToString(const tstring& src, tstring* dst) {\n if (src.type() == tstring::SMALL) {\n *dst = src; // string buffer fits in the tstring object (under ~24 bytes)\n } else {\n dst->assign_as_view(src);\n }\n}",
- "project": "tensorflow",
- "hash": 215870454551312112108584656546875435517,
- "size": 7,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230066
- },
- {
- "func": "void CopyToString(int64 src, tstring* dst) { *dst = std::to_string(src); }",
- "project": "tensorflow",
- "hash": 319244472554003583561190800163313431385,
- "size": 1,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230079
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "GC_array_mark_proc",
- "GC_push_complex_descriptor",
- "GC_descr_obj_size"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "STATIC mse * GC_array_mark_proc(word * addr, mse * mark_stack_ptr,\n mse * mark_stack_limit,\n word env GC_ATTR_UNUSED)\n{\n hdr * hhdr = HDR(addr);\n size_t sz = hhdr -> hb_sz;\n size_t nwords = BYTES_TO_WORDS(sz);\n complex_descriptor * descr = (complex_descriptor *)(addr[nwords-1]);\n mse * orig_mark_stack_ptr = mark_stack_ptr;\n mse * new_mark_stack_ptr;\n\n if (descr == 0) {\n /* Found a reference to a free list entry. Ignore it. */\n return(orig_mark_stack_ptr);\n }\n /* In use counts were already updated when array descriptor was */\n /* pushed. Here we only replace it by subobject descriptors, so */\n /* no update is necessary. */\n new_mark_stack_ptr = GC_push_complex_descriptor(addr, descr,\n mark_stack_ptr,\n mark_stack_limit-1);\n if (new_mark_stack_ptr == 0) {\n /* Doesn't fit. Conservatively push the whole array as a unit */\n /* and request a mark stack expansion. */\n /* This cannot cause a mark stack overflow, since it replaces */\n /* the original array entry. */\n GC_ASSERT(mark_stack_ptr != NULL);\n GC_mark_stack_too_small = TRUE;\n new_mark_stack_ptr = orig_mark_stack_ptr + 1;\n new_mark_stack_ptr -> mse_start = (ptr_t)addr;\n new_mark_stack_ptr -> mse_descr.w = sz | GC_DS_LENGTH;\n } else {\n /* Push descriptor itself */\n new_mark_stack_ptr++;\n new_mark_stack_ptr -> mse_start = (ptr_t)(addr + nwords - 1);\n new_mark_stack_ptr -> mse_descr.w = sizeof(word) | GC_DS_LENGTH;\n }\n return new_mark_stack_ptr;\n}",
- "project": "bdwgc",
- "hash": 269104642646459754473365694976646349605,
- "size": 39,
- "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4",
- "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.",
- "target": 0,
- "dataset": "other",
- "idx": 374068
- },
- {
- "func": "STATIC word GC_descr_obj_size(complex_descriptor *d)\n{\n switch(d -> TAG) {\n case LEAF_TAG:\n return(d -> ld.ld_nelements * d -> ld.ld_size);\n case ARRAY_TAG:\n return(d -> ad.ad_nelements\n * GC_descr_obj_size(d -> ad.ad_element_descr));\n case SEQUENCE_TAG:\n return(GC_descr_obj_size(d -> sd.sd_first)\n + GC_descr_obj_size(d -> sd.sd_second));\n default:\n ABORT_RET(\"Bad complex descriptor\");\n return 0;\n }\n}",
- "project": "bdwgc",
- "hash": 196235824853855162524469342916051222244,
- "size": 16,
- "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4",
- "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.",
- "target": 0,
- "dataset": "other",
- "idx": 374063
- },
- {
- "func": "STATIC mse * GC_push_complex_descriptor(word *addr, complex_descriptor *d,\n mse *msp, mse *msl)\n{\n register ptr_t current = (ptr_t) addr;\n register word nelements;\n register word sz;\n register word i;\n\n switch(d -> TAG) {\n case LEAF_TAG:\n {\n register GC_descr descr = d -> ld.ld_descriptor;\n\n nelements = d -> ld.ld_nelements;\n if (msl - msp <= (ptrdiff_t)nelements) return(0);\n sz = d -> ld.ld_size;\n for (i = 0; i < nelements; i++) {\n msp++;\n msp -> mse_start = current;\n msp -> mse_descr.w = descr;\n current += sz;\n }\n return(msp);\n }\n case ARRAY_TAG:\n {\n register complex_descriptor *descr = d -> ad.ad_element_descr;\n\n nelements = d -> ad.ad_nelements;\n sz = GC_descr_obj_size(descr);\n for (i = 0; i < nelements; i++) {\n msp = GC_push_complex_descriptor((word *)current, descr,\n msp, msl);\n if (msp == 0) return(0);\n current += sz;\n }\n return(msp);\n }\n case SEQUENCE_TAG:\n {\n sz = GC_descr_obj_size(d -> sd.sd_first);\n msp = GC_push_complex_descriptor((word *)current, d -> sd.sd_first,\n msp, msl);\n if (msp == 0) return(0);\n current += sz;\n msp = GC_push_complex_descriptor((word *)current, d -> sd.sd_second,\n msp, msl);\n return(msp);\n }\n default:\n ABORT_RET(\"Bad complex descriptor\");\n return 0;\n }\n}",
- "project": "bdwgc",
- "hash": 100233720168210460635991273310518220064,
- "size": 54,
- "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4",
- "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.",
- "target": 0,
- "dataset": "other",
- "idx": 374065
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "ip6_push_pending_frames",
- "ip6_send_skb",
- "ip6_local_out",
- "__ip6_local_out"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "int ip6_push_pending_frames(struct sock *sk)\n{\n\tstruct sk_buff *skb;\n\n\tskb = ip6_finish_skb(sk);\n\tif (!skb)\n\t\treturn 0;\n\n\treturn ip6_send_skb(skb);\n}",
- "project": "net",
- "hash": 98437086620911532825825118994734352049,
- "size": 10,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468936
- },
- {
- "func": "int ip6_local_out(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tint err;\n\n\terr = __ip6_local_out(net, sk, skb);\n\tif (likely(err == 1))\n\t\terr = dst_output(net, sk, skb);\n\n\treturn err;\n}",
- "project": "linux",
- "hash": 52771529644351032790260622560929239956,
- "size": 10,
- "commit_id": "62f20e068ccc50d6ab66fdb72ba90da2b9418c99",
- "message": "ipv6: use prandom_u32() for ID generation\n\nThis is a complement to commit aa6dd211e4b1 (\"inet: use bigger hash\ntable for IP ID generation\"), but focusing on some specific aspects\nof IPv6.\n\nContary to IPv4, IPv6 only uses packet IDs with fragments, and with a\nminimum MTU of 1280, it's much less easy to force a remote peer to\nproduce many fragments to explore its ID sequence. In addition packet\nIDs are 32-bit in IPv6, which further complicates their analysis. On\nthe other hand, it is often easier to choose among plenty of possible\nsource addresses and partially work around the bigger hash table the\ncommit above permits, which leaves IPv6 partially exposed to some\npossibilities of remote analysis at the risk of weakening some\nprotocols like DNS if some IDs can be predicted with a good enough\nprobability.\n\nGiven the wide range of permitted IDs, the risk of collision is extremely\nlow so there's no need to rely on the positive increment algorithm that\nis shared with the IPv4 code via ip_idents_reserve(). We have a fast\nPRNG, so let's simply call prandom_u32() and be done with it.\n\nPerformance measurements at 10 Gbps couldn't show any difference with\nthe previous code, even when using a single core, because due to the\nlarge fragments, we're limited to only ~930 kpps at 10 Gbps and the cost\nof the random generation is completely offset by other operations and by\nthe network transfer time. 
In addition, this change removes the need to\nupdate a shared entry in the idents table so it may even end up being\nslightly faster on large scale systems where this matters.\n\nThe risk of at least one collision here is about 1/80 million among\n10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs,\nwhich remains very low compared to IPv4 where all IDs are reused\nevery 4 to 80ms on a 10 Gbps flow depending on packet sizes.\n\nReported-by: Amit Klein <aksecurity@gmail.com>\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Eric Dumazet <edumazet@google.com>\nLink: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu\nSigned-off-by: Jakub Kicinski <kuba@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318497
- },
- {
- "func": "int __ip6_local_out(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tint len;\n\n\tlen = skb->len - sizeof(struct ipv6hdr);\n\tif (len > IPV6_MAXPLEN)\n\t\tlen = 0;\n\tipv6_hdr(skb)->payload_len = htons(len);\n\tIP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);\n\n\t/* if egress device is enslaved to an L3 master device pass the\n\t * skb to its handler for processing\n\t */\n\tskb = l3mdev_ip6_out(sk, skb);\n\tif (unlikely(!skb))\n\t\treturn 0;\n\n\tskb->protocol = htons(ETH_P_IPV6);\n\n\treturn nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT,\n\t\t net, sk, skb, NULL, skb_dst(skb)->dev,\n\t\t dst_output);\n}",
- "project": "linux",
- "hash": 65323340548815789678720155397800993393,
- "size": 23,
- "commit_id": "62f20e068ccc50d6ab66fdb72ba90da2b9418c99",
- "message": "ipv6: use prandom_u32() for ID generation\n\nThis is a complement to commit aa6dd211e4b1 (\"inet: use bigger hash\ntable for IP ID generation\"), but focusing on some specific aspects\nof IPv6.\n\nContary to IPv4, IPv6 only uses packet IDs with fragments, and with a\nminimum MTU of 1280, it's much less easy to force a remote peer to\nproduce many fragments to explore its ID sequence. In addition packet\nIDs are 32-bit in IPv6, which further complicates their analysis. On\nthe other hand, it is often easier to choose among plenty of possible\nsource addresses and partially work around the bigger hash table the\ncommit above permits, which leaves IPv6 partially exposed to some\npossibilities of remote analysis at the risk of weakening some\nprotocols like DNS if some IDs can be predicted with a good enough\nprobability.\n\nGiven the wide range of permitted IDs, the risk of collision is extremely\nlow so there's no need to rely on the positive increment algorithm that\nis shared with the IPv4 code via ip_idents_reserve(). We have a fast\nPRNG, so let's simply call prandom_u32() and be done with it.\n\nPerformance measurements at 10 Gbps couldn't show any difference with\nthe previous code, even when using a single core, because due to the\nlarge fragments, we're limited to only ~930 kpps at 10 Gbps and the cost\nof the random generation is completely offset by other operations and by\nthe network transfer time. 
In addition, this change removes the need to\nupdate a shared entry in the idents table so it may even end up being\nslightly faster on large scale systems where this matters.\n\nThe risk of at least one collision here is about 1/80 million among\n10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs,\nwhich remains very low compared to IPv4 where all IDs are reused\nevery 4 to 80ms on a 10 Gbps flow depending on packet sizes.\n\nReported-by: Amit Klein <aksecurity@gmail.com>\nSigned-off-by: Willy Tarreau <w@1wt.eu>\nReviewed-by: Eric Dumazet <edumazet@google.com>\nLink: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu\nSigned-off-by: Jakub Kicinski <kuba@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 318496
- },
- {
- "func": "int ip6_send_skb(struct sk_buff *skb)\n{\n\tstruct net *net = sock_net(skb->sk);\n\tstruct rt6_info *rt = (struct rt6_info *)skb_dst(skb);\n\tint err;\n\n\terr = ip6_local_out(net, skb->sk, skb);\n\tif (err) {\n\t\tif (err > 0)\n\t\t\terr = net_xmit_errno(err);\n\t\tif (err)\n\t\t\tIP6_INC_STATS(net, rt->rt6i_idev,\n\t\t\t\t IPSTATS_MIB_OUTDISCARDS);\n\t}\n\n\treturn err;\n}",
- "project": "net",
- "hash": 168395828033328433995927207072894963468,
- "size": 17,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 469001
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ndpi_search_openvpn",
- "check_pkid_and_detect_hmac_size",
- "get_packet_id"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "int8_t check_pkid_and_detect_hmac_size(const u_int8_t * payload) {\n // try to guess\n if(get_packet_id(payload, P_HMAC_160) == 1)\n return P_HMAC_160;\n \n if(get_packet_id(payload, P_HMAC_128) == 1) \n return P_HMAC_128;\n \n return(-1);\n}",
- "project": "nDPI",
- "hash": 24985274642549712556186513782467980511,
- "size": 10,
- "commit_id": "8e7b1ea7a136cc4e4aa9880072ec2d69900a825e",
- "message": "Fix for potential heap-buffer-overflow in ndpi_search_openvpn",
- "target": 0,
- "dataset": "other",
- "idx": 241323
- },
- {
- "func": "u_int32_t get_packet_id(const u_int8_t * payload, u_int8_t hms) {\n return(ntohl(*(u_int32_t*)(payload + P_HARD_RESET_PACKET_ID_OFFSET(hms))));\n}",
- "project": "nDPI",
- "hash": 143539128425072275289746317962721040534,
- "size": 3,
- "commit_id": "8e7b1ea7a136cc4e4aa9880072ec2d69900a825e",
- "message": "Fix for potential heap-buffer-overflow in ndpi_search_openvpn",
- "target": 0,
- "dataset": "other",
- "idx": 241322
- },
- {
- "func": "void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,\n struct ndpi_flow_struct* flow) {\n struct ndpi_packet_struct* packet = &flow->packet;\n const u_int8_t * ovpn_payload = packet->payload;\n const u_int8_t * session_remote;\n u_int8_t opcode;\n u_int8_t alen;\n int8_t hmac_size;\n int8_t failed = 0;\n\n if(packet->payload_packet_len >= 40) {\n // skip openvpn TCP transport packet size\n if(packet->tcp != NULL)\n ovpn_payload += 2;\n\n opcode = ovpn_payload[0] & P_OPCODE_MASK;\n\n if(packet->udp) {\n#ifdef DEBUG\n printf(\"[packet_id: %u][opcode: %u][Packet ID: %d][%u <-> %u][len: %u]\\n\",\n\t flow->num_processed_pkts,\n\t opcode, check_pkid_and_detect_hmac_size(ovpn_payload),\n\t htons(packet->udp->source), htons(packet->udp->dest), packet->payload_packet_len);\t \n#endif\n \n if(\n\t (flow->num_processed_pkts == 1)\n\t && (\n\t ((packet->payload_packet_len == 112)\n\t && ((opcode == 168) || (opcode == 192))\n\t )\n\t || ((packet->payload_packet_len == 80)\n\t\t && ((opcode == 184) || (opcode == 88) || (opcode == 160) || (opcode == 168) || (opcode == 200)))\n\t )) {\n\tNDPI_LOG_INFO(ndpi_struct,\"found openvpn\\n\");\n\tndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN);\n\treturn;\n }\n }\n \n if(flow->ovpn_counter < P_HARD_RESET_CLIENT_MAX_COUNT && (opcode == P_CONTROL_HARD_RESET_CLIENT_V1 ||\n\t\t\t\t opcode == P_CONTROL_HARD_RESET_CLIENT_V2)) {\n if(check_pkid_and_detect_hmac_size(ovpn_payload) > 0) {\n memcpy(flow->ovpn_session_id, ovpn_payload+1, 8);\n\n NDPI_LOG_DBG2(ndpi_struct,\n\t\t \"session key: %02x%02x%02x%02x%02x%02x%02x%02x\\n\",\n\t\t flow->ovpn_session_id[0], flow->ovpn_session_id[1], flow->ovpn_session_id[2], flow->ovpn_session_id[3],\n\t\t flow->ovpn_session_id[4], flow->ovpn_session_id[5], flow->ovpn_session_id[6], flow->ovpn_session_id[7]);\n }\n } else if(flow->ovpn_counter >= 1 && flow->ovpn_counter <= P_HARD_RESET_CLIENT_MAX_COUNT &&\n (opcode == 
P_CONTROL_HARD_RESET_SERVER_V1 || opcode == P_CONTROL_HARD_RESET_SERVER_V2)) {\n\n hmac_size = check_pkid_and_detect_hmac_size(ovpn_payload);\n\n if(hmac_size > 0) {\n alen = ovpn_payload[P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size)];\n if (alen > 0) {\n\t session_remote = ovpn_payload + P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4;\n\n if(memcmp(flow->ovpn_session_id, session_remote, 8) == 0) {\n\t NDPI_LOG_INFO(ndpi_struct,\"found openvpn\\n\");\n\t ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN);\n\t return;\n\t } else {\n NDPI_LOG_DBG2(ndpi_struct,\n\t\t \"key mismatch: %02x%02x%02x%02x%02x%02x%02x%02x\\n\",\n\t\t session_remote[0], session_remote[1], session_remote[2], session_remote[3],\n\t\t session_remote[4], session_remote[5], session_remote[6], session_remote[7]);\n failed = 1;\n }\n } else\n failed = 1;\n } else\n failed = 1;\n } else\n failed = 1;\n\n flow->ovpn_counter++;\n \n if(failed) {\n NDPI_EXCLUDE_PROTO(ndpi_struct, flow);\n }\n }\n}",
- "project": "nDPI",
- "hash": 263464745339090965084831362920390201622,
- "size": 85,
- "commit_id": "8e7b1ea7a136cc4e4aa9880072ec2d69900a825e",
- "message": "Fix for potential heap-buffer-overflow in ndpi_search_openvpn",
- "target": 1,
- "dataset": "other",
- "idx": 196624
- },
- {
- "func": "void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,\n struct ndpi_flow_struct* flow) {\n struct ndpi_packet_struct* packet = &flow->packet;\n const u_int8_t * ovpn_payload = packet->payload;\n const u_int8_t * session_remote;\n u_int8_t opcode;\n u_int8_t alen;\n int8_t hmac_size;\n int8_t failed = 0;\n /* No u_ */int16_t ovpn_payload_len = packet->payload_packet_len;\n \n if(ovpn_payload_len >= 40) {\n // skip openvpn TCP transport packet size\n if(packet->tcp != NULL)\n ovpn_payload += 2, ovpn_payload_len -= 2;;\n\n opcode = ovpn_payload[0] & P_OPCODE_MASK;\n\n if(packet->udp) {\n#ifdef DEBUG\n printf(\"[packet_id: %u][opcode: %u][Packet ID: %d][%u <-> %u][len: %u]\\n\",\n\t flow->num_processed_pkts,\n\t opcode, check_pkid_and_detect_hmac_size(ovpn_payload),\n\t htons(packet->udp->source), htons(packet->udp->dest), ovpn_payload_len);\t \n#endif\n \n if(\n\t (flow->num_processed_pkts == 1)\n\t && (\n\t ((ovpn_payload_len == 112)\n\t && ((opcode == 168) || (opcode == 192))\n\t )\n\t || ((ovpn_payload_len == 80)\n\t\t && ((opcode == 184) || (opcode == 88) || (opcode == 160) || (opcode == 168) || (opcode == 200)))\n\t )) {\n\tNDPI_LOG_INFO(ndpi_struct,\"found openvpn\\n\");\n\tndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN);\n\treturn;\n }\n }\n \n if(flow->ovpn_counter < P_HARD_RESET_CLIENT_MAX_COUNT && (opcode == P_CONTROL_HARD_RESET_CLIENT_V1 ||\n\t\t\t\t opcode == P_CONTROL_HARD_RESET_CLIENT_V2)) {\n if(check_pkid_and_detect_hmac_size(ovpn_payload) > 0) {\n memcpy(flow->ovpn_session_id, ovpn_payload+1, 8);\n\n NDPI_LOG_DBG2(ndpi_struct,\n\t\t \"session key: %02x%02x%02x%02x%02x%02x%02x%02x\\n\",\n\t\t flow->ovpn_session_id[0], flow->ovpn_session_id[1], flow->ovpn_session_id[2], flow->ovpn_session_id[3],\n\t\t flow->ovpn_session_id[4], flow->ovpn_session_id[5], flow->ovpn_session_id[6], flow->ovpn_session_id[7]);\n }\n } else if(flow->ovpn_counter >= 1 && flow->ovpn_counter <= 
P_HARD_RESET_CLIENT_MAX_COUNT &&\n (opcode == P_CONTROL_HARD_RESET_SERVER_V1 || opcode == P_CONTROL_HARD_RESET_SERVER_V2)) {\n\n hmac_size = check_pkid_and_detect_hmac_size(ovpn_payload);\n\n if(hmac_size > 0) {\n\tu_int16_t offset = P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size);\n\t \n alen = ovpn_payload[offset];\n\t\n if (alen > 0) {\n\t offset += 1 + alen * 4;\n\n\t if((offset+8) <= ovpn_payload_len) {\n\t session_remote = &ovpn_payload[offset];\n\t \n\t if(memcmp(flow->ovpn_session_id, session_remote, 8) == 0) {\n\t NDPI_LOG_INFO(ndpi_struct,\"found openvpn\\n\");\n\t ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN);\n\t return;\n\t } else {\n\t NDPI_LOG_DBG2(ndpi_struct,\n\t\t\t \"key mismatch: %02x%02x%02x%02x%02x%02x%02x%02x\\n\",\n\t\t\t session_remote[0], session_remote[1], session_remote[2], session_remote[3],\n\t\t\t session_remote[4], session_remote[5], session_remote[6], session_remote[7]);\n\t failed = 1;\n\t }\n\t } else\n\t failed = 1;\n\t} else\n failed = 1;\n } else\n failed = 1;\n } else\n failed = 1;\n\n flow->ovpn_counter++;\n \n if(failed) {\n NDPI_EXCLUDE_PROTO(ndpi_struct, flow);\n }\n }\n}",
- "project": "nDPI",
- "hash": 292660118622334727722308632088083734812,
- "size": 94,
- "commit_id": "8e7b1ea7a136cc4e4aa9880072ec2d69900a825e",
- "message": "Fix for potential heap-buffer-overflow in ndpi_search_openvpn",
- "target": 0,
- "dataset": "other",
- "idx": 241321
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "mcba_usb_read_bulk_callback",
- "mcba_usb_process_rx",
- "mcba_usb_process_ka_can",
- "convert_can2host_bitrate"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static void mcba_usb_process_ka_can(struct mcba_priv *priv,\n\t\t\t\t struct mcba_usb_msg_ka_can *msg)\n{\n\tif (unlikely(priv->can_ka_first_pass)) {\n\t\tnetdev_info(priv->netdev, \"PIC CAN version %hhu.%hhu\\n\",\n\t\t\t msg->soft_ver_major, msg->soft_ver_minor);\n\n\t\tpriv->can_ka_first_pass = false;\n\t}\n\n\tif (unlikely(priv->can_speed_check)) {\n\t\tconst u32 bitrate = convert_can2host_bitrate(msg);\n\n\t\tpriv->can_speed_check = false;\n\n\t\tif (bitrate != priv->can.bittiming.bitrate)\n\t\t\tnetdev_err(\n\t\t\t priv->netdev,\n\t\t\t \"Wrong bitrate reported by the device (%u). Expected %u\",\n\t\t\t bitrate, priv->can.bittiming.bitrate);\n\t}\n\n\tpriv->bec.txerr = msg->tx_err_cnt;\n\tpriv->bec.rxerr = msg->rx_err_cnt;\n\n\tif (msg->tx_bus_off)\n\t\tpriv->can.state = CAN_STATE_BUS_OFF;\n\n\telse if ((priv->bec.txerr > MCBA_CAN_STATE_ERR_PSV_TH) ||\n\t\t (priv->bec.rxerr > MCBA_CAN_STATE_ERR_PSV_TH))\n\t\tpriv->can.state = CAN_STATE_ERROR_PASSIVE;\n\n\telse if ((priv->bec.txerr > MCBA_CAN_STATE_WRN_TH) ||\n\t\t (priv->bec.rxerr > MCBA_CAN_STATE_WRN_TH))\n\t\tpriv->can.state = CAN_STATE_ERROR_WARNING;\n}",
- "project": "linux",
- "hash": 140170198980991463076052245356814298617,
- "size": 36,
- "commit_id": "4d6636498c41891d0482a914dd570343a838ad79",
- "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable <stable@vger.kernel.org> # 4.12\nCc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>\nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Marc Kleine-Budde <mkl@pengutronix.de>",
- "target": 0,
- "dataset": "other",
- "idx": 398315
- },
- {
- "func": "static void mcba_usb_process_rx(struct mcba_priv *priv,\n\t\t\t\tstruct mcba_usb_msg *msg)\n{\n\tswitch (msg->cmd_id) {\n\tcase MBCA_CMD_I_AM_ALIVE_FROM_CAN:\n\t\tmcba_usb_process_ka_can(priv,\n\t\t\t\t\t(struct mcba_usb_msg_ka_can *)msg);\n\t\tbreak;\n\n\tcase MBCA_CMD_I_AM_ALIVE_FROM_USB:\n\t\tmcba_usb_process_ka_usb(priv,\n\t\t\t\t\t(struct mcba_usb_msg_ka_usb *)msg);\n\t\tbreak;\n\n\tcase MBCA_CMD_RECEIVE_MESSAGE:\n\t\tmcba_usb_process_can(priv, (struct mcba_usb_msg_can *)msg);\n\t\tbreak;\n\n\tcase MBCA_CMD_NOTHING_TO_SEND:\n\t\t/* Side effect of communication between PIC_USB and PIC_CAN.\n\t\t * PIC_CAN is telling us that it has nothing to send\n\t\t */\n\t\tbreak;\n\n\tcase MBCA_CMD_TRANSMIT_MESSAGE_RSP:\n\t\t/* Transmission response from the device containing timestamp */\n\t\tbreak;\n\n\tdefault:\n\t\tnetdev_warn(priv->netdev, \"Unsupported msg (0x%hhX)\",\n\t\t\t msg->cmd_id);\n\t\tbreak;\n\t}\n}",
- "project": "linux",
- "hash": 189816485004301915432920510029586829831,
- "size": 34,
- "commit_id": "4d6636498c41891d0482a914dd570343a838ad79",
- "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable <stable@vger.kernel.org> # 4.12\nCc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>\nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Marc Kleine-Budde <mkl@pengutronix.de>",
- "target": 0,
- "dataset": "other",
- "idx": 398312
- },
- {
- "func": "static u32 convert_can2host_bitrate(struct mcba_usb_msg_ka_can *msg)\n{\n\tconst u32 bitrate = get_unaligned_be16(&msg->can_bitrate);\n\n\tif ((bitrate == 33) || (bitrate == 83))\n\t\treturn bitrate * 1000 + 333;\n\telse\n\t\treturn bitrate * 1000;\n}",
- "project": "linux",
- "hash": 43142121438217021989434137757153490953,
- "size": 9,
- "commit_id": "4d6636498c41891d0482a914dd570343a838ad79",
- "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable <stable@vger.kernel.org> # 4.12\nCc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>\nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Marc Kleine-Budde <mkl@pengutronix.de>",
- "target": 0,
- "dataset": "other",
- "idx": 398316
- },
- {
- "func": "static void mcba_usb_process_ka_usb(struct mcba_priv *priv,\n\t\t\t\t struct mcba_usb_msg_ka_usb *msg)\n{\n\tif (unlikely(priv->usb_ka_first_pass)) {\n\t\tnetdev_info(priv->netdev, \"PIC USB version %hhu.%hhu\\n\",\n\t\t\t msg->soft_ver_major, msg->soft_ver_minor);\n\n\t\tpriv->usb_ka_first_pass = false;\n\t}\n\n\tif (msg->termination_state)\n\t\tpriv->can.termination = MCBA_TERMINATION_ENABLED;\n\telse\n\t\tpriv->can.termination = MCBA_TERMINATION_DISABLED;\n}",
- "project": "linux",
- "hash": 257496963091891816110649854790532425699,
- "size": 15,
- "commit_id": "4d6636498c41891d0482a914dd570343a838ad79",
- "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable <stable@vger.kernel.org> # 4.12\nCc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>\nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Marc Kleine-Budde <mkl@pengutronix.de>",
- "target": 0,
- "dataset": "other",
- "idx": 398317
- },
- {
- "func": "static void mcba_usb_read_bulk_callback(struct urb *urb)\n{\n\tstruct mcba_priv *priv = urb->context;\n\tstruct net_device *netdev;\n\tint retval;\n\tint pos = 0;\n\n\tnetdev = priv->netdev;\n\n\tif (!netif_device_present(netdev))\n\t\treturn;\n\n\tswitch (urb->status) {\n\tcase 0: /* success */\n\t\tbreak;\n\n\tcase -ENOENT:\n\tcase -EPIPE:\n\tcase -EPROTO:\n\tcase -ESHUTDOWN:\n\t\treturn;\n\n\tdefault:\n\t\tnetdev_info(netdev, \"Rx URB aborted (%d)\\n\", urb->status);\n\n\t\tgoto resubmit_urb;\n\t}\n\n\twhile (pos < urb->actual_length) {\n\t\tstruct mcba_usb_msg *msg;\n\n\t\tif (pos + sizeof(struct mcba_usb_msg) > urb->actual_length) {\n\t\t\tnetdev_err(priv->netdev, \"format error\\n\");\n\t\t\tbreak;\n\t\t}\n\n\t\tmsg = (struct mcba_usb_msg *)(urb->transfer_buffer + pos);\n\t\tmcba_usb_process_rx(priv, msg);\n\n\t\tpos += sizeof(struct mcba_usb_msg);\n\t}\n\nresubmit_urb:\n\n\tusb_fill_bulk_urb(urb, priv->udev,\n\t\t\t usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_OUT),\n\t\t\t urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE,\n\t\t\t mcba_usb_read_bulk_callback, priv);\n\n\tretval = usb_submit_urb(urb, GFP_ATOMIC);\n\n\tif (retval == -ENODEV)\n\t\tnetif_device_detach(netdev);\n\telse if (retval)\n\t\tnetdev_err(netdev, \"failed resubmitting read bulk urb: %d\\n\",\n\t\t\t retval);\n}",
- "project": "linux",
- "hash": 208190292833943165204243409532616932390,
- "size": 57,
- "commit_id": "4d6636498c41891d0482a914dd570343a838ad79",
- "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable <stable@vger.kernel.org> # 4.12\nCc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>\nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Marc Kleine-Budde <mkl@pengutronix.de>",
- "target": 0,
- "dataset": "other",
- "idx": 398319
- },
- {
- "func": "static void mcba_usb_process_can(struct mcba_priv *priv,\n\t\t\t\t struct mcba_usb_msg_can *msg)\n{\n\tstruct can_frame *cf;\n\tstruct sk_buff *skb;\n\tstruct net_device_stats *stats = &priv->netdev->stats;\n\tu16 sid;\n\n\tskb = alloc_can_skb(priv->netdev, &cf);\n\tif (!skb)\n\t\treturn;\n\n\tsid = get_unaligned_be16(&msg->sid);\n\n\tif (sid & MCBA_SIDL_EXID_MASK) {\n\t\t/* SIDH | SIDL | EIDH | EIDL\n\t\t * 28 - 21 | 20 19 18 x x x 17 16 | 15 - 8 | 7 - 0\n\t\t */\n\t\tcf->can_id = CAN_EFF_FLAG;\n\n\t\t/* store 28-18 bits */\n\t\tcf->can_id |= (sid & 0xffe0) << 13;\n\t\t/* store 17-16 bits */\n\t\tcf->can_id |= (sid & 3) << 16;\n\t\t/* store 15-0 bits */\n\t\tcf->can_id |= get_unaligned_be16(&msg->eid);\n\t} else {\n\t\t/* SIDH | SIDL\n\t\t * 10 - 3 | 2 1 0 x x x x x\n\t\t */\n\t\tcf->can_id = (sid & 0xffe0) >> 5;\n\t}\n\n\tif (msg->dlc & MCBA_DLC_RTR_MASK)\n\t\tcf->can_id |= CAN_RTR_FLAG;\n\n\tcf->can_dlc = get_can_dlc(msg->dlc & MCBA_DLC_MASK);\n\n\tmemcpy(cf->data, msg->data, cf->can_dlc);\n\n\tstats->rx_packets++;\n\tstats->rx_bytes += cf->can_dlc;\n\n\tcan_led_event(priv->netdev, CAN_LED_EVENT_RX);\n\tnetif_rx(skb);\n}",
- "project": "linux",
- "hash": 23500088538058214849151320036811999510,
- "size": 46,
- "commit_id": "4d6636498c41891d0482a914dd570343a838ad79",
- "message": "can: mcba_usb: fix use-after-free on disconnect\n\nThe driver was accessing its driver data after having freed it.\n\nFixes: 51f3baad7de9 (\"can: mcba_usb: Add support for Microchip CAN BUS Analyzer\")\nCc: stable <stable@vger.kernel.org> # 4.12\nCc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>\nReported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Marc Kleine-Budde <mkl@pengutronix.de>",
- "target": 0,
- "dataset": "other",
- "idx": 398309
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "sm501_realize_pci",
- "sm501_init",
- "get_local_mem_size_index"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void sm501_realize_pci(PCIDevice *dev, Error **errp)\n{\n SM501PCIState *s = PCI_SM501(dev);\n\n sm501_init(&s->state, DEVICE(dev), s->vram_size);\n if (get_local_mem_size(&s->state) != s->vram_size) {\n error_setg(errp, \"Invalid VRAM size, nearest valid size is %\" PRIu32,\n get_local_mem_size(&s->state));\n return;\n }\n pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY,\n &s->state.local_mem_region);\n pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY,\n &s->state.mmio_region);\n}",
- "project": "qemu",
- "hash": 144713306371724119714333384248856472135,
- "size": 15,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367024
- },
- {
- "func": "static void sm501_init(SM501State *s, DeviceState *dev,\n uint32_t local_mem_bytes)\n{\n s->local_mem_size_index = get_local_mem_size_index(local_mem_bytes);\n SM501_DPRINTF(\"sm501 local mem size=%x. index=%d\\n\", get_local_mem_size(s),\n s->local_mem_size_index);\n\n /* local memory */\n memory_region_init_ram(&s->local_mem_region, OBJECT(dev), \"sm501.local\",\n get_local_mem_size(s), &error_fatal);\n memory_region_set_log(&s->local_mem_region, true, DIRTY_MEMORY_VGA);\n s->local_mem = memory_region_get_ram_ptr(&s->local_mem_region);\n\n /* i2c */\n s->i2c_bus = i2c_init_bus(dev, \"sm501.i2c\");\n /* ddc */\n I2CDDCState *ddc = I2CDDC(qdev_create(BUS(s->i2c_bus), TYPE_I2CDDC));\n i2c_set_slave_address(I2C_SLAVE(ddc), 0x50);\n\n /* mmio */\n memory_region_init(&s->mmio_region, OBJECT(dev), \"sm501.mmio\", MMIO_SIZE);\n memory_region_init_io(&s->system_config_region, OBJECT(dev),\n &sm501_system_config_ops, s,\n \"sm501-system-config\", 0x6c);\n memory_region_add_subregion(&s->mmio_region, SM501_SYS_CONFIG,\n &s->system_config_region);\n memory_region_init_io(&s->i2c_region, OBJECT(dev), &sm501_i2c_ops, s,\n \"sm501-i2c\", 0x14);\n memory_region_add_subregion(&s->mmio_region, SM501_I2C, &s->i2c_region);\n memory_region_init_io(&s->disp_ctrl_region, OBJECT(dev),\n &sm501_disp_ctrl_ops, s,\n \"sm501-disp-ctrl\", 0x1000);\n memory_region_add_subregion(&s->mmio_region, SM501_DC,\n &s->disp_ctrl_region);\n memory_region_init_io(&s->twoD_engine_region, OBJECT(dev),\n &sm501_2d_engine_ops, s,\n \"sm501-2d-engine\", 0x54);\n memory_region_add_subregion(&s->mmio_region, SM501_2D_ENGINE,\n &s->twoD_engine_region);\n\n /* create qemu graphic console */\n s->con = graphic_console_init(dev, 0, &sm501_ops, s);\n}",
- "project": "qemu",
- "hash": 104269598637669238108852798989784235136,
- "size": 43,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367053
- },
- {
- "func": "static uint32_t get_local_mem_size_index(uint32_t size)\n{\n uint32_t norm_size = 0;\n int i, index = 0;\n\n for (i = 0; i < ARRAY_SIZE(sm501_mem_local_size); i++) {\n uint32_t new_size = sm501_mem_local_size[i];\n if (new_size >= size) {\n if (norm_size == 0 || norm_size > new_size) {\n norm_size = new_size;\n index = i;\n }\n }\n }\n\n return index;\n}",
- "project": "qemu",
- "hash": 33796380822377304247174669801145287606,
- "size": 17,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367026
- },
- {
- "func": "static void sm501_realize_sysbus(DeviceState *dev, Error **errp)\n{\n SM501SysBusState *s = SYSBUS_SM501(dev);\n SysBusDevice *sbd = SYS_BUS_DEVICE(dev);\n DeviceState *usb_dev;\n MemoryRegion *mr;\n\n sm501_init(&s->state, dev, s->vram_size);\n if (get_local_mem_size(&s->state) != s->vram_size) {\n error_setg(errp, \"Invalid VRAM size, nearest valid size is %\" PRIu32,\n get_local_mem_size(&s->state));\n return;\n }\n sysbus_init_mmio(sbd, &s->state.local_mem_region);\n sysbus_init_mmio(sbd, &s->state.mmio_region);\n\n /* bridge to usb host emulation module */\n usb_dev = qdev_create(NULL, \"sysbus-ohci\");\n qdev_prop_set_uint32(usb_dev, \"num-ports\", 2);\n qdev_prop_set_uint64(usb_dev, \"dma-offset\", s->base);\n qdev_init_nofail(usb_dev);\n memory_region_add_subregion(&s->state.mmio_region, SM501_USB_HOST,\n sysbus_mmio_get_region(SYS_BUS_DEVICE(usb_dev), 0));\n sysbus_pass_irq(sbd, SYS_BUS_DEVICE(usb_dev));\n\n /* bridge to serial emulation module */\n qdev_init_nofail(DEVICE(&s->serial));\n mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->serial), 0);\n memory_region_add_subregion(&s->state.mmio_region, SM501_UART0, mr);\n /* TODO : chain irq to IRL */\n}",
- "project": "qemu",
- "hash": 109921215156051742238684666341467421330,
- "size": 31,
- "commit_id": "b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4",
- "message": "sm501: Replace hand written implementation with pixman where possible\n\nBesides being faster this should also prevent malicious guests to\nabuse 2D engine to overwrite data or cause a crash.\n\nSigned-off-by: BALATON Zoltan <balaton@eik.bme.hu>\nMessage-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 367027
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "setexCommand",
- "setGenericCommand",
- "getGenericCommand"
- ],
- "group_size": 17,
- "functions": [
- {
- "func": "int parseExtendedStringArgumentsOrReply(client *c, int *flags, int *unit, robj **expire, int command_type) {\n\n int j = command_type == COMMAND_GET ? 2 : 3;\n for (; j < c->argc; j++) {\n char *opt = c->argv[j]->ptr;\n robj *next = (j == c->argc-1) ? NULL : c->argv[j+1];\n\n if ((opt[0] == 'n' || opt[0] == 'N') &&\n (opt[1] == 'x' || opt[1] == 'X') && opt[2] == '\\0' &&\n !(*flags & OBJ_SET_XX) && !(*flags & OBJ_SET_GET) && (command_type == COMMAND_SET))\n {\n *flags |= OBJ_SET_NX;\n } else if ((opt[0] == 'x' || opt[0] == 'X') &&\n (opt[1] == 'x' || opt[1] == 'X') && opt[2] == '\\0' &&\n !(*flags & OBJ_SET_NX) && (command_type == COMMAND_SET))\n {\n *flags |= OBJ_SET_XX;\n } else if ((opt[0] == 'g' || opt[0] == 'G') &&\n (opt[1] == 'e' || opt[1] == 'E') &&\n (opt[2] == 't' || opt[2] == 'T') && opt[3] == '\\0' &&\n !(*flags & OBJ_SET_NX) && (command_type == COMMAND_SET))\n {\n *flags |= OBJ_SET_GET;\n } else if (!strcasecmp(opt, \"KEEPTTL\") && !(*flags & OBJ_PERSIST) &&\n !(*flags & OBJ_EX) && !(*flags & OBJ_EXAT) &&\n !(*flags & OBJ_PX) && !(*flags & OBJ_PXAT) && (command_type == COMMAND_SET))\n {\n *flags |= OBJ_KEEPTTL;\n } else if (!strcasecmp(opt,\"PERSIST\") && (command_type == COMMAND_GET) &&\n !(*flags & OBJ_EX) && !(*flags & OBJ_EXAT) &&\n !(*flags & OBJ_PX) && !(*flags & OBJ_PXAT) &&\n !(*flags & OBJ_KEEPTTL))\n {\n *flags |= OBJ_PERSIST;\n } else if ((opt[0] == 'e' || opt[0] == 'E') &&\n (opt[1] == 'x' || opt[1] == 'X') && opt[2] == '\\0' &&\n !(*flags & OBJ_KEEPTTL) && !(*flags & OBJ_PERSIST) &&\n !(*flags & OBJ_EXAT) && !(*flags & OBJ_PX) &&\n !(*flags & OBJ_PXAT) && next)\n {\n *flags |= OBJ_EX;\n *expire = next;\n j++;\n } else if ((opt[0] == 'p' || opt[0] == 'P') &&\n (opt[1] == 'x' || opt[1] == 'X') && opt[2] == '\\0' &&\n !(*flags & OBJ_KEEPTTL) && !(*flags & OBJ_PERSIST) &&\n !(*flags & OBJ_EX) && !(*flags & OBJ_EXAT) &&\n !(*flags & OBJ_PXAT) && next)\n {\n *flags |= OBJ_PX;\n *unit = UNIT_MILLISECONDS;\n *expire = next;\n j++;\n } 
else if ((opt[0] == 'e' || opt[0] == 'E') &&\n (opt[1] == 'x' || opt[1] == 'X') &&\n (opt[2] == 'a' || opt[2] == 'A') &&\n (opt[3] == 't' || opt[3] == 'T') && opt[4] == '\\0' &&\n !(*flags & OBJ_KEEPTTL) && !(*flags & OBJ_PERSIST) &&\n !(*flags & OBJ_EX) && !(*flags & OBJ_PX) &&\n !(*flags & OBJ_PXAT) && next)\n {\n *flags |= OBJ_EXAT;\n *expire = next;\n j++;\n } else if ((opt[0] == 'p' || opt[0] == 'P') &&\n (opt[1] == 'x' || opt[1] == 'X') &&\n (opt[2] == 'a' || opt[2] == 'A') &&\n (opt[3] == 't' || opt[3] == 'T') && opt[4] == '\\0' &&\n !(*flags & OBJ_KEEPTTL) && !(*flags & OBJ_PERSIST) &&\n !(*flags & OBJ_EX) && !(*flags & OBJ_EXAT) &&\n !(*flags & OBJ_PX) && next)\n {\n *flags |= OBJ_PXAT;\n *unit = UNIT_MILLISECONDS;\n *expire = next;\n j++;\n } else {\n addReplyErrorObject(c,shared.syntaxerr);\n return C_ERR;\n }\n }\n return C_OK;\n}",
- "project": "redis",
- "hash": 9745977651932863314638640421529443271,
- "size": 83,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455369
- },
- {
- "func": "void setexCommand(client *c) {\n c->argv[3] = tryObjectEncoding(c->argv[3]);\n setGenericCommand(c,OBJ_SET_NO_FLAGS,c->argv[1],c->argv[3],c->argv[2],UNIT_SECONDS,NULL,NULL);\n}",
- "project": "redis",
- "hash": 320351795325676263281802472065208820045,
- "size": 4,
- "commit_id": "394614a5f91d88380f480c4610926a865b5b0f16",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 361284
- },
- {
- "func": "void setexCommand(client *c) {\n c->argv[3] = tryObjectEncoding(c->argv[3]);\n setGenericCommand(c,OBJ_EX,c->argv[1],c->argv[3],c->argv[2],UNIT_SECONDS,NULL,NULL);\n}",
- "project": "redis",
- "hash": 203852551280588228060624897470495205364,
- "size": 4,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455372
- },
- {
- "func": "void psetexCommand(client *c) {\n c->argv[3] = tryObjectEncoding(c->argv[3]);\n setGenericCommand(c,OBJ_SET_NO_FLAGS,c->argv[1],c->argv[3],c->argv[2],UNIT_MILLISECONDS,NULL,NULL);\n}",
- "project": "redis",
- "hash": 53358964946490230184504727372010691589,
- "size": 4,
- "commit_id": "394614a5f91d88380f480c4610926a865b5b0f16",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 361280
- },
- {
- "func": "void psetexCommand(client *c) {\n c->argv[3] = tryObjectEncoding(c->argv[3]);\n setGenericCommand(c,OBJ_PX,c->argv[1],c->argv[3],c->argv[2],UNIT_MILLISECONDS,NULL,NULL);\n}",
- "project": "redis",
- "hash": 34220207700011214991153271160461520202,
- "size": 4,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455371
- },
- {
- "func": "void getexCommand(client *c) {\n robj *expire = NULL;\n int unit = UNIT_SECONDS;\n int flags = OBJ_NO_FLAGS;\n\n if (parseExtendedStringArgumentsOrReply(c,&flags,&unit,&expire,COMMAND_GET) != C_OK) {\n return;\n }\n\n robj *o;\n\n if ((o = lookupKeyReadOrReply(c,c->argv[1],shared.null[c->resp])) == NULL)\n return;\n\n if (checkType(c,o,OBJ_STRING)) {\n return;\n }\n\n long long milliseconds = 0, when = 0;\n\n /* Validate the expiration time value first */\n if (expire) {\n if (getLongLongFromObjectOrReply(c, expire, &milliseconds, NULL) != C_OK)\n return;\n if (milliseconds <= 0 || (unit == UNIT_SECONDS && milliseconds > LLONG_MAX / 1000)) {\n /* Negative value provided or multiplication is gonna overflow. */\n addReplyErrorFormat(c, \"invalid expire time in %s\", c->cmd->name);\n return;\n }\n if (unit == UNIT_SECONDS) milliseconds *= 1000;\n when = milliseconds;\n if ((flags & OBJ_PX) || (flags & OBJ_EX))\n when += mstime();\n if (when <= 0) {\n /* Overflow detected. */\n addReplyErrorFormat(c, \"invalid expire time in %s\", c->cmd->name);\n return;\n }\n }\n\n /* We need to do this before we expire the key or delete it */\n addReplyBulk(c,o);\n\n /* This command is never propagated as is. It is either propagated as PEXPIRE[AT],DEL,UNLINK or PERSIST.\n * This why it doesn't need special handling in feedAppendOnlyFile to convert relative expire time to absolute one. */\n if (((flags & OBJ_PXAT) || (flags & OBJ_EXAT)) && checkAlreadyExpired(milliseconds)) {\n /* When PXAT/EXAT absolute timestamp is specified, there can be a chance that timestamp\n * has already elapsed so delete the key in that case. */\n int deleted = server.lazyfree_lazy_expire ? dbAsyncDelete(c->db, c->argv[1]) :\n dbSyncDelete(c->db, c->argv[1]);\n serverAssert(deleted);\n robj *aux = server.lazyfree_lazy_expire ? 
shared.unlink : shared.del;\n rewriteClientCommandVector(c,2,aux,c->argv[1]);\n signalModifiedKey(c, c->db, c->argv[1]);\n notifyKeyspaceEvent(NOTIFY_GENERIC, \"del\", c->argv[1], c->db->id);\n server.dirty++;\n } else if (expire) {\n setExpire(c,c->db,c->argv[1],when);\n /* Propagate */\n robj *exp = (flags & OBJ_PXAT) || (flags & OBJ_EXAT) ? shared.pexpireat : shared.pexpire;\n robj* millisecondObj = createStringObjectFromLongLong(milliseconds);\n rewriteClientCommandVector(c,3,exp,c->argv[1],millisecondObj);\n decrRefCount(millisecondObj);\n signalModifiedKey(c, c->db, c->argv[1]);\n notifyKeyspaceEvent(NOTIFY_GENERIC,\"expire\",c->argv[1],c->db->id);\n server.dirty++;\n } else if (flags & OBJ_PERSIST) {\n if (removeExpire(c->db, c->argv[1])) {\n signalModifiedKey(c, c->db, c->argv[1]);\n rewriteClientCommandVector(c, 2, shared.persist, c->argv[1]);\n notifyKeyspaceEvent(NOTIFY_GENERIC,\"persist\",c->argv[1],c->db->id);\n server.dirty++;\n }\n }\n}",
- "project": "redis",
- "hash": 63387699981613464245631282382235374987,
- "size": 75,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455367
- },
- {
- "func": "void getsetCommand(client *c) {\n if (getGenericCommand(c) == C_ERR) return;\n c->argv[2] = tryObjectEncoding(c->argv[2]);\n setKey(c,c->db,c->argv[1],c->argv[2]);\n notifyKeyspaceEvent(NOTIFY_STRING,\"set\",c->argv[1],c->db->id);\n server.dirty++;\n}",
- "project": "redis",
- "hash": 94972550429943072831072727661386283901,
- "size": 7,
- "commit_id": "394614a5f91d88380f480c4610926a865b5b0f16",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 361271
- },
- {
- "func": "void getsetCommand(client *c) {\n if (getGenericCommand(c) == C_ERR) return;\n c->argv[2] = tryObjectEncoding(c->argv[2]);\n setKey(c,c->db,c->argv[1],c->argv[2]);\n notifyKeyspaceEvent(NOTIFY_STRING,\"set\",c->argv[1],c->db->id);\n server.dirty++;\n\n /* Propagate as SET command */\n rewriteClientCommandArgument(c,0,shared.set);\n}",
- "project": "redis",
- "hash": 68134555716241316958005948130915660337,
- "size": 10,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455374
- },
- {
- "func": "void setCommand(client *c) {\n int j;\n robj *expire = NULL;\n int unit = UNIT_SECONDS;\n int flags = OBJ_SET_NO_FLAGS;\n\n for (j = 3; j < c->argc; j++) {\n char *a = c->argv[j]->ptr;\n robj *next = (j == c->argc-1) ? NULL : c->argv[j+1];\n\n if ((a[0] == 'n' || a[0] == 'N') &&\n (a[1] == 'x' || a[1] == 'X') && a[2] == '\\0' &&\n !(flags & OBJ_SET_XX))\n {\n flags |= OBJ_SET_NX;\n } else if ((a[0] == 'x' || a[0] == 'X') &&\n (a[1] == 'x' || a[1] == 'X') && a[2] == '\\0' &&\n !(flags & OBJ_SET_NX))\n {\n flags |= OBJ_SET_XX;\n } else if (!strcasecmp(c->argv[j]->ptr,\"KEEPTTL\") &&\n !(flags & OBJ_SET_EX) && !(flags & OBJ_SET_PX))\n {\n flags |= OBJ_SET_KEEPTTL;\n } else if ((a[0] == 'e' || a[0] == 'E') &&\n (a[1] == 'x' || a[1] == 'X') && a[2] == '\\0' &&\n !(flags & OBJ_SET_KEEPTTL) &&\n !(flags & OBJ_SET_PX) && next)\n {\n flags |= OBJ_SET_EX;\n unit = UNIT_SECONDS;\n expire = next;\n j++;\n } else if ((a[0] == 'p' || a[0] == 'P') &&\n (a[1] == 'x' || a[1] == 'X') && a[2] == '\\0' &&\n !(flags & OBJ_SET_KEEPTTL) &&\n !(flags & OBJ_SET_EX) && next)\n {\n flags |= OBJ_SET_PX;\n unit = UNIT_MILLISECONDS;\n expire = next;\n j++;\n } else {\n addReply(c,shared.syntaxerr);\n return;\n }\n }\n\n c->argv[2] = tryObjectEncoding(c->argv[2]);\n setGenericCommand(c,flags,c->argv[1],c->argv[2],expire,unit,NULL,NULL);\n}",
- "project": "redis",
- "hash": 91886403509668796195338531027146587179,
- "size": 51,
- "commit_id": "394614a5f91d88380f480c4610926a865b5b0f16",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 361264
- },
- {
- "func": "void setCommand(client *c) {\n robj *expire = NULL;\n int unit = UNIT_SECONDS;\n int flags = OBJ_NO_FLAGS;\n\n if (parseExtendedStringArgumentsOrReply(c,&flags,&unit,&expire,COMMAND_SET) != C_OK) {\n return;\n }\n\n c->argv[2] = tryObjectEncoding(c->argv[2]);\n setGenericCommand(c,flags,c->argv[1],c->argv[2],expire,unit,NULL,NULL);\n}",
- "project": "redis",
- "hash": 64802084236388221862659417799647346961,
- "size": 12,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455370
- },
- {
- "func": "void getdelCommand(client *c) {\n if (getGenericCommand(c) == C_ERR) return;\n int deleted = server.lazyfree_lazy_user_del ? dbAsyncDelete(c->db, c->argv[1]) :\n dbSyncDelete(c->db, c->argv[1]);\n if (deleted) {\n /* Propagate as DEL/UNLINK command */\n robj *aux = server.lazyfree_lazy_user_del ? shared.unlink : shared.del;\n rewriteClientCommandVector(c,2,aux,c->argv[1]);\n signalModifiedKey(c, c->db, c->argv[1]);\n notifyKeyspaceEvent(NOTIFY_GENERIC, \"del\", c->argv[1], c->db->id);\n server.dirty++;\n }\n}",
- "project": "redis",
- "hash": 157239275695633546438790196586044971099,
- "size": 13,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455375
- },
- {
- "func": "int getGenericCommand(client *c) {\n robj *o;\n\n if ((o = lookupKeyReadOrReply(c,c->argv[1],shared.null[c->resp])) == NULL)\n return C_OK;\n\n if (o->type != OBJ_STRING) {\n addReply(c,shared.wrongtypeerr);\n return C_ERR;\n } else {\n addReplyBulk(c,o);\n return C_OK;\n }\n}",
- "project": "redis",
- "hash": 249750839888082609174076017357600788579,
- "size": 14,
- "commit_id": "394614a5f91d88380f480c4610926a865b5b0f16",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 361274
- },
- {
- "func": "int getGenericCommand(client *c) {\n robj *o;\n\n if ((o = lookupKeyReadOrReply(c,c->argv[1],shared.null[c->resp])) == NULL)\n return C_OK;\n\n if (checkType(c,o,OBJ_STRING)) {\n return C_ERR;\n }\n\n addReplyBulk(c,o);\n return C_OK;\n}",
- "project": "redis",
- "hash": 156224148856405155848333206438559518113,
- "size": 13,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455376
- },
- {
- "func": "void setGenericCommand(client *c, int flags, robj *key, robj *val, robj *expire, int unit, robj *ok_reply, robj *abort_reply) {\n long long milliseconds = 0; /* initialized to avoid any harmness warning */\n\n if (expire) {\n if (getLongLongFromObjectOrReply(c, expire, &milliseconds, NULL) != C_OK)\n return;\n if (milliseconds <= 0) {\n addReplyErrorFormat(c,\"invalid expire time in %s\",c->cmd->name);\n return;\n }\n if (unit == UNIT_SECONDS) milliseconds *= 1000;\n }\n\n if ((flags & OBJ_SET_NX && lookupKeyWrite(c->db,key) != NULL) ||\n (flags & OBJ_SET_XX && lookupKeyWrite(c->db,key) == NULL))\n {\n addReply(c, abort_reply ? abort_reply : shared.null[c->resp]);\n return;\n }\n genericSetKey(c,c->db,key,val,flags & OBJ_SET_KEEPTTL,1);\n server.dirty++;\n if (expire) setExpire(c,c->db,key,mstime()+milliseconds);\n notifyKeyspaceEvent(NOTIFY_STRING,\"set\",key,c->db->id);\n if (expire) notifyKeyspaceEvent(NOTIFY_GENERIC,\n \"expire\",key,c->db->id);\n addReply(c, ok_reply ? ok_reply : shared.ok);\n}",
- "project": "redis",
- "hash": 210837059235347050170677735565531600190,
- "size": 27,
- "commit_id": "394614a5f91d88380f480c4610926a865b5b0f16",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 361276
- },
- {
- "func": "void setGenericCommand(client *c, int flags, robj *key, robj *val, robj *expire, int unit, robj *ok_reply, robj *abort_reply) {\n long long milliseconds = 0, when = 0; /* initialized to avoid any harmness warning */\n\n if (expire) {\n if (getLongLongFromObjectOrReply(c, expire, &milliseconds, NULL) != C_OK)\n return;\n if (milliseconds <= 0 || (unit == UNIT_SECONDS && milliseconds > LLONG_MAX / 1000)) {\n /* Negative value provided or multiplication is gonna overflow. */\n addReplyErrorFormat(c, \"invalid expire time in %s\", c->cmd->name);\n return;\n }\n if (unit == UNIT_SECONDS) milliseconds *= 1000;\n when = milliseconds;\n if ((flags & OBJ_PX) || (flags & OBJ_EX))\n when += mstime();\n if (when <= 0) {\n /* Overflow detected. */\n addReplyErrorFormat(c, \"invalid expire time in %s\", c->cmd->name);\n return;\n }\n }\n\n if ((flags & OBJ_SET_NX && lookupKeyWrite(c->db,key) != NULL) ||\n (flags & OBJ_SET_XX && lookupKeyWrite(c->db,key) == NULL))\n {\n addReply(c, abort_reply ? abort_reply : shared.null[c->resp]);\n return;\n }\n\n if (flags & OBJ_SET_GET) {\n if (getGenericCommand(c) == C_ERR) return;\n }\n\n genericSetKey(c,c->db,key, val,flags & OBJ_KEEPTTL,1);\n server.dirty++;\n notifyKeyspaceEvent(NOTIFY_STRING,\"set\",key,c->db->id);\n if (expire) {\n setExpire(c,c->db,key,when);\n notifyKeyspaceEvent(NOTIFY_GENERIC,\"expire\",key,c->db->id);\n\n /* Propagate as SET Key Value PXAT millisecond-timestamp if there is EXAT/PXAT or\n * propagate as SET Key Value PX millisecond if there is EX/PX flag.\n *\n * Additionally when we propagate the SET with PX (relative millisecond) we translate\n * it again to SET with PXAT for the AOF.\n *\n * Additional care is required while modifying the argument order. AOF relies on the\n * exp argument being at index 3. (see feedAppendOnlyFile)\n * */\n robj *exp = (flags & OBJ_PXAT) || (flags & OBJ_EXAT) ? 
shared.pxat : shared.px;\n robj *millisecondObj = createStringObjectFromLongLong(milliseconds);\n rewriteClientCommandVector(c,5,shared.set,key,val,exp,millisecondObj);\n decrRefCount(millisecondObj);\n }\n if (!(flags & OBJ_SET_GET)) {\n addReply(c, ok_reply ? ok_reply : shared.ok);\n }\n\n /* Propagate without the GET argument (Isn't needed if we had expire since in that case we completely re-written the command argv) */\n if ((flags & OBJ_SET_GET) && !expire) {\n int argc = 0;\n int j;\n robj **argv = zmalloc((c->argc-1)*sizeof(robj*));\n for (j=0; j < c->argc; j++) {\n char *a = c->argv[j]->ptr;\n /* Skip GET which may be repeated multiple times. */\n if (j >= 3 &&\n (a[0] == 'g' || a[0] == 'G') &&\n (a[1] == 'e' || a[1] == 'E') &&\n (a[2] == 't' || a[2] == 'T') && a[3] == '\\0')\n continue;\n argv[argc++] = c->argv[j];\n incrRefCount(c->argv[j]);\n }\n replaceClientCommandVector(c, argc, argv);\n }\n}",
- "project": "redis",
- "hash": 303786546363084861292201254389148319471,
- "size": 77,
- "commit_id": "92e3b1802f72ca0c5b0bde97f01d9b57a758d85c",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 455378
- },
- {
- "func": "void getCommand(client *c) {\n getGenericCommand(c);\n}",
- "project": "redis",
- "hash": 66252008273459784549584533383612684503,
- "size": 3,
- "commit_id": "394614a5f91d88380f480c4610926a865b5b0f16",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 361282
- },
- {
- "func": "void setnxCommand(client *c) {\n c->argv[2] = tryObjectEncoding(c->argv[2]);\n setGenericCommand(c,OBJ_SET_NX,c->argv[1],c->argv[2],NULL,0,shared.cone,shared.czero);\n}",
- "project": "redis",
- "hash": 86025564155259990123287870176854249532,
- "size": 4,
- "commit_id": "394614a5f91d88380f480c4610926a865b5b0f16",
- "message": "Fix integer overflow in STRALGO LCS (CVE-2021-29477)\n\nAn integer overflow bug in Redis version 6.0 or newer could be exploited using\nthe STRALGO LCS command to corrupt the heap and potentially result with remote\ncode execution.\n\n(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)",
- "target": 0,
- "dataset": "other",
- "idx": 361277
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "~XMLTree",
- "XMLTree",
- "read_internal",
- "xmlKeepBlanksDefault"
- ],
- "group_size": 7,
- "functions": [
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 0,
- "func": "XMLTree::read_internal(bool validate)\n{\n\t//shouldnt be used anywhere ATM, remove if so!\n\tassert(!validate);\n\n\tdelete _root;\n\t_root = 0;\n\n\tif (_doc) {\n\t\txmlFreeDoc (_doc);\n\t\t_doc = 0;\n\t}\n\n\t/* Calling this prevents libxml2 from treating whitespace as active\n\t nodes. It needs to be called before we create a parser context.\n\t*/\n\txmlKeepBlanksDefault(0);\n\n\t/* create a parser context */\n\txmlParserCtxtPtr ctxt = xmlNewParserCtxt();\n\tif (ctxt == NULL) {\n\t\treturn false;\n\t}\n\n\t/* parse the file, activating the DTD validation option */\n\tif (validate) {\n\t\t_doc = xmlCtxtReadFile(ctxt, _filename.c_str(), NULL, XML_PARSE_DTDVALID);\n\t} else {\n\t\t_doc = xmlCtxtReadFile(ctxt, _filename.c_str(), NULL, XML_PARSE_HUGE);\n\t}\n\n\t/* check if parsing suceeded */\n\tif (_doc == NULL) {\n\t\txmlFreeParserCtxt(ctxt);\n\t\treturn false;\n\t} else {\n\t\t/* check if validation suceeded */\n\t\tif (validate && ctxt->valid == 0) {\n\t\t\txmlFreeParserCtxt(ctxt);\n\t\t\tthrow XMLException(\"Failed to validate document \" + _filename);\n\t\t}\n\t}\n\n\t_root = readnode(xmlDocGetRootElement(_doc));\n\n\t/* free up the parser context */\n\txmlFreeParserCtxt(ctxt);\n\n\treturn true;\n}",
- "idx": 519661,
- "cwe": "CWE-416",
- "hash": 282602577873513987866733808663469843847,
- "dataset": "other"
- },
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 0,
- "func": "XMLTree::debug(FILE* out) const\n{\n#ifdef LIBXML_DEBUG_ENABLED\n\txmlDocPtr doc;\n\tXMLNodeList children;\n\n\txmlKeepBlanksDefault(0);\n\tdoc = xmlNewDoc(xml_version);\n\txmlSetDocCompressMode(doc, _compression);\n\twritenode(doc, _root, doc->children, 1);\n\txmlDebugDumpDocument (out, doc);\n\txmlFreeDoc(doc);\n#endif\n}",
- "idx": 519654,
- "cwe": "CWE-416",
- "hash": 334502150140909691035425169234400980067,
- "dataset": "other"
- },
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 0,
- "func": "XMLTree::write_buffer() const\n{\n\tstatic string retval;\n\tchar* ptr;\n\tint len;\n\txmlDocPtr doc;\n\tXMLNodeList children;\n\n\txmlKeepBlanksDefault(0);\n\tdoc = xmlNewDoc(xml_version);\n\txmlSetDocCompressMode(doc, _compression);\n\twritenode(doc, _root, doc->children, 1);\n\txmlDocDumpMemory(doc, (xmlChar **) & ptr, &len);\n\txmlFreeDoc(doc);\n\n\tretval = ptr;\n\n\tfree(ptr);\n\n\treturn retval;\n}",
- "idx": 519660,
- "cwe": "CWE-416",
- "hash": 171301428596270439461533586536560582745,
- "dataset": "other"
- },
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 0,
- "func": "XMLTree::XMLTree(const XMLTree* from)\n\t: _filename(from->filename())\n\t, _root(new XMLNode(*from->root()))\n\t, _doc (xmlCopyDoc (from->_doc, 1))\n\t, _compression(from->compression())\n{\n\n}",
- "idx": 519655,
- "cwe": "CWE-416",
- "hash": 53368891784882751795675731221455930302,
- "dataset": "other"
- },
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 0,
- "func": "XMLTree::XMLTree()\n\t: _filename()\n\t, _root(0)\n\t, _doc (0)\n\t, _compression(0)\n{\n}",
- "idx": 519659,
- "cwe": "CWE-416",
- "hash": 224251866575809493380432123093044529933,
- "dataset": "other"
- },
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 0,
- "func": "XMLTree::XMLTree(const string& fn, bool validate)\n\t: _filename(fn)\n\t, _root(0)\n\t, _doc (0)\n\t, _compression(0)\n{\n\tread_internal(validate);\n}",
- "idx": 519685,
- "cwe": "CWE-416",
- "hash": 91833938841644286003486411581296346487,
- "dataset": "other"
- },
- {
- "project": "ardour",
- "commit_id": "96daa4036a425ff3f23a7dfcba57bfb0f942bec6",
- "target": 0,
- "func": "XMLTree::~XMLTree()\n{\n\tdelete _root;\n\n\tif (_doc) {\n\t\txmlFreeDoc (_doc);\n\t}\n}",
- "idx": 519662,
- "cwe": "CWE-416",
- "hash": 148186101253235417727159463539179719047,
- "dataset": "other"
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "test_r_str_utf8_charsize_prev",
- "r_str_utf8_charsize_last",
- "r_str_utf8_charsize_prev"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "R_API size_t r_str_utf8_charsize_last(const char *str) {\n\tr_return_val_if_fail (str, 0);\n\tsize_t len = strlen (str);\n\treturn r_str_utf8_charsize_prev (str + len, len);\n}",
- "project": "radare2",
- "hash": 136186469842505774585183979313561971608,
- "size": 5,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269068
- },
- {
- "func": "bool test_r_str_utf8_charsize_prev(void) {\n\tchar s[16] = \"\\x61\\xc3\\xa1\\xe6\\x97\\xa5\\xf0\\x9f\\x91\\x8c\\xf0\\x9f\\x91\\x8c\\x8c\"; // aá日👌\n\tint sz;\n\n\tsz = r_str_utf8_charsize_last (s);\n\tmu_assert_eq (sz, 0, \"Malformed UTF-8\");\n\n\tsz = r_str_utf8_charsize_prev (s + 10, 10);\n\tmu_assert_eq (sz, 4, \"4 byte UTF-8\");\n\n\tsz = r_str_utf8_charsize_prev (s + 6, 6);\n\tmu_assert_eq (sz, 3, \"3 byte UTF-8\");\n\n\tsz = r_str_utf8_charsize_prev (s + 3, 3);\n\tmu_assert_eq (sz, 2, \"2 byte UTF-8\");\n\n\tsz = r_str_utf8_charsize_prev (s + 1, 1);\n\tmu_assert_eq (sz, 1, \"1 byte UTF-8\");\n\n\tmu_end;\n}",
- "project": "radare2",
- "hash": 122725785192562029863980825345765703551,
- "size": 21,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 268840
- },
- {
- "func": "R_API size_t r_str_utf8_charsize_prev(const char *str, int prev_len) {\n\tr_return_val_if_fail (str, 0);\n\tint pos = 0;\n\tsize_t size = 0, minsize = R_MIN (5, prev_len);\n\twhile (size < minsize) {\n\t\tsize++;\n\t\tif ((str[--pos] & 0xc0) != 0x80) {\n\t\t\tbreak;\n\t\t}\n\t}\n\treturn size < 5 ? size : 0;\n}",
- "project": "radare2",
- "hash": 251969895797919563786906960976175927082,
- "size": 12,
- "commit_id": "04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9",
- "message": "Fix command injection on PDB download (#16966)\n\n* Fix r_sys_mkdirp with absolute path on Windows\r\n* Fix build with --with-openssl\r\n* Use RBuffer in r_socket_http_answer()\r\n* r_socket_http_answer: Fix read for big responses\r\n* Implement r_str_escape_sh()\r\n* Cleanup r_socket_connect() on Windows\r\n* Fix socket being created without a protocol\r\n* Fix socket connect with SSL ##socket\r\n* Use select() in r_socket_ready()\r\n* Fix read failing if received only protocol answer\r\n* Fix double-free\r\n* r_socket_http_get: Fail if req. SSL with no support\r\n* Follow redirects in r_socket_http_answer()\r\n* Fix r_socket_http_get result length with R2_CURL=1\r\n* Also follow redirects\r\n* Avoid using curl for downloading PDBs\r\n* Use r_socket_http_get() on UNIXs\r\n* Use WinINet API on Windows for r_socket_http_get()\r\n* Fix command injection\r\n* Fix r_sys_cmd_str_full output for binary data\r\n* Validate GUID on PDB download\r\n* Pass depth to socket_http_get_recursive()\r\n* Remove 'r_' and '__' from static function names\r\n* Fix is_valid_guid\r\n* Fix for comments",
- "target": 0,
- "dataset": "other",
- "idx": 269077
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "rsi_mac80211_config",
- "rsi_channel_change",
- "rsi_get_connected_channel"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static int rsi_mac80211_config(struct ieee80211_hw *hw,\n\t\t\t u32 changed)\n{\n\tstruct rsi_hw *adapter = hw->priv;\n\tstruct rsi_common *common = adapter->priv;\n\tstruct ieee80211_conf *conf = &hw->conf;\n\tint status = -EOPNOTSUPP;\n\n\tmutex_lock(&common->mutex);\n\n\tif (changed & IEEE80211_CONF_CHANGE_CHANNEL)\n\t\tstatus = rsi_channel_change(hw);\n\n\t/* tx power */\n\tif (changed & IEEE80211_CONF_CHANGE_POWER) {\n\t\trsi_dbg(INFO_ZONE, \"%s: Configuring Power\\n\", __func__);\n\t\tstatus = rsi_config_power(hw);\n\t}\n\n\t/* Power save parameters */\n\tif (changed & IEEE80211_CONF_CHANGE_PS) {\n\t\tstruct ieee80211_vif *vif, *sta_vif = NULL;\n\t\tunsigned long flags;\n\t\tint i, set_ps = 1;\n\n\t\tfor (i = 0; i < RSI_MAX_VIFS; i++) {\n\t\t\tvif = adapter->vifs[i];\n\t\t\tif (!vif)\n\t\t\t\tcontinue;\n\t\t\t/* Don't go to power save if AP vap exists */\n\t\t\tif ((vif->type == NL80211_IFTYPE_AP) ||\n\t\t\t (vif->type == NL80211_IFTYPE_P2P_GO)) {\n\t\t\t\tset_ps = 0;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tif ((vif->type == NL80211_IFTYPE_STATION ||\n\t\t\t vif->type == NL80211_IFTYPE_P2P_CLIENT) &&\n\t\t\t (!sta_vif || vif->bss_conf.assoc))\n\t\t\t\tsta_vif = vif;\n\t\t}\n\t\tif (set_ps && sta_vif) {\n\t\t\tspin_lock_irqsave(&adapter->ps_lock, flags);\n\t\t\tif (conf->flags & IEEE80211_CONF_PS)\n\t\t\t\trsi_enable_ps(adapter, sta_vif);\n\t\t\telse\n\t\t\t\trsi_disable_ps(adapter, sta_vif);\n\t\t\tspin_unlock_irqrestore(&adapter->ps_lock, flags);\n\t\t}\n\t}\n\n\t/* RTS threshold */\n\tif (changed & WIPHY_PARAM_RTS_THRESHOLD) {\n\t\trsi_dbg(INFO_ZONE, \"RTS threshold\\n\");\n\t\tif ((common->rts_threshold) <= IEEE80211_MAX_RTS_THRESHOLD) {\n\t\t\trsi_dbg(INFO_ZONE,\n\t\t\t\t\"%s: Sending vap updates....\\n\", __func__);\n\t\t\tstatus = rsi_send_vap_dynamic_update(common);\n\t\t}\n\t}\n\tmutex_unlock(&common->mutex);\n\n\treturn status;\n}",
- "project": "linux",
- "hash": 98733492063270751071551406092014427833,
- "size": 63,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461638
- },
- {
- "func": "static int rsi_channel_change(struct ieee80211_hw *hw)\n{\n\tstruct rsi_hw *adapter = hw->priv;\n\tstruct rsi_common *common = adapter->priv;\n\tint status = -EOPNOTSUPP;\n\tstruct ieee80211_channel *curchan = hw->conf.chandef.chan;\n\tu16 channel = curchan->hw_value;\n\tstruct ieee80211_vif *vif;\n\tstruct ieee80211_bss_conf *bss;\n\tbool assoc = false;\n\tint i;\n\n\trsi_dbg(INFO_ZONE,\n\t\t\"%s: Set channel: %d MHz type: %d channel_no %d\\n\",\n\t\t__func__, curchan->center_freq,\n\t\tcurchan->flags, channel);\n\n\tfor (i = 0; i < RSI_MAX_VIFS; i++) {\n\t\tvif = adapter->vifs[i];\n\t\tif (!vif)\n\t\t\tcontinue;\n\t\tif (vif->type == NL80211_IFTYPE_STATION) {\n\t\t\tbss = &vif->bss_conf;\n\t\t\tif (bss->assoc) {\n\t\t\t\tassoc = true;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\tif (assoc) {\n\t\tif (!common->hw_data_qs_blocked &&\n\t\t (rsi_get_connected_channel(vif) != channel)) {\n\t\t\trsi_dbg(INFO_ZONE, \"blk data q %d\\n\", channel);\n\t\t\tif (!rsi_send_block_unblock_frame(common, true))\n\t\t\t\tcommon->hw_data_qs_blocked = true;\n\t\t}\n\t}\n\n\tstatus = rsi_band_check(common, curchan);\n\tif (!status)\n\t\tstatus = rsi_set_channel(adapter->priv, curchan);\n\n\tif (assoc) {\n\t\tif (common->hw_data_qs_blocked &&\n\t\t (rsi_get_connected_channel(vif) == channel)) {\n\t\t\trsi_dbg(INFO_ZONE, \"unblk data q %d\\n\", channel);\n\t\t\tif (!rsi_send_block_unblock_frame(common, false))\n\t\t\t\tcommon->hw_data_qs_blocked = false;\n\t\t}\n\t}\n\n\treturn status;\n}",
- "project": "linux",
- "hash": 65899985042214812543847782767000592942,
- "size": 53,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461630
- },
- {
- "func": "u16 rsi_get_connected_channel(struct ieee80211_vif *vif)\n{\n\tstruct ieee80211_bss_conf *bss;\n\tstruct ieee80211_channel *channel;\n\n\tif (!vif)\n\t\treturn 0;\n\n\tbss = &vif->bss_conf;\n\tchannel = bss->chandef.chan;\n\n\tif (!channel)\n\t\treturn 0;\n\n\treturn channel->hw_value;\n}",
- "project": "linux",
- "hash": 144872127323013305681508181567547474838,
- "size": 16,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461635
- },
- {
- "func": "static int rsi_config_power(struct ieee80211_hw *hw)\n{\n\tstruct rsi_hw *adapter = hw->priv;\n\tstruct rsi_common *common = adapter->priv;\n\tstruct ieee80211_conf *conf = &hw->conf;\n\n\tif (adapter->sc_nvifs <= 0) {\n\t\trsi_dbg(ERR_ZONE, \"%s: No virtual interface found\\n\", __func__);\n\t\treturn -EINVAL;\n\t}\n\n\trsi_dbg(INFO_ZONE,\n\t\t\"%s: Set tx power: %d dBM\\n\", __func__, conf->power_level);\n\n\tif (conf->power_level == common->tx_power)\n\t\treturn 0;\n\n\tcommon->tx_power = conf->power_level;\n\n\treturn rsi_send_radio_params_update(common);\n}",
- "project": "linux",
- "hash": 154350699552786105150899900159124955910,
- "size": 21,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461669
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "GC_calloc_explicitly_typed",
- "GC_make_array_descriptor",
- "GC_double_descr"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "GC_API GC_ATTR_MALLOC void * GC_CALL GC_calloc_explicitly_typed(size_t n,\n size_t lb, GC_descr d)\n{\n word *op;\n size_t lg;\n GC_descr simple_descr;\n complex_descriptor *complex_descr;\n int descr_type;\n struct LeafDescriptor leaf;\n\n GC_ASSERT(GC_explicit_typing_initialized);\n descr_type = GC_make_array_descriptor((word)n, (word)lb, d, &simple_descr,\n &complex_descr, &leaf);\n switch(descr_type) {\n case NO_MEM: return(0);\n case SIMPLE: return(GC_malloc_explicitly_typed(n*lb, simple_descr));\n case LEAF:\n lb *= n;\n lb += sizeof(struct LeafDescriptor) + TYPD_EXTRA_BYTES;\n break;\n case COMPLEX:\n lb *= n;\n lb += TYPD_EXTRA_BYTES;\n break;\n }\n op = GC_malloc_kind(lb, GC_array_kind);\n if (EXPECT(NULL == op, FALSE))\n return NULL;\n lg = SMALL_OBJ(lb) ? GC_size_map[lb] : BYTES_TO_GRANULES(GC_size(op));\n if (descr_type == LEAF) {\n /* Set up the descriptor inside the object itself. */\n volatile struct LeafDescriptor * lp =\n (struct LeafDescriptor *)\n (op + GRANULES_TO_WORDS(lg)\n - (BYTES_TO_WORDS(sizeof(struct LeafDescriptor)) + 1));\n\n lp -> ld_tag = LEAF_TAG;\n lp -> ld_size = leaf.ld_size;\n lp -> ld_nelements = leaf.ld_nelements;\n lp -> ld_descriptor = leaf.ld_descriptor;\n ((volatile word *)op)[GRANULES_TO_WORDS(lg) - 1] = (word)lp;\n } else {\n# ifndef GC_NO_FINALIZATION\n size_t lw = GRANULES_TO_WORDS(lg);\n\n op[lw - 1] = (word)complex_descr;\n /* Make sure the descriptor is cleared once there is any danger */\n /* it may have been collected. */\n if (EXPECT(GC_general_register_disappearing_link(\n (void **)(op + lw - 1), op)\n == GC_NO_MEMORY, FALSE))\n# endif\n {\n /* Couldn't register it due to lack of memory. Punt. */\n /* This will probably fail too, but gives the recovery code */\n /* a chance. */\n return GC_malloc(lb);\n }\n }\n return op;\n}",
- "project": "bdwgc",
- "hash": 129186795195986820153089371839787067250,
- "size": 61,
- "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4",
- "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.",
- "target": 1,
- "dataset": "other",
- "idx": 205872
- },
- {
- "func": "GC_API GC_ATTR_MALLOC void * GC_CALL GC_calloc_explicitly_typed(size_t n,\n size_t lb, GC_descr d)\n{\n word *op;\n size_t lg;\n GC_descr simple_descr;\n complex_descriptor *complex_descr;\n int descr_type;\n struct LeafDescriptor leaf;\n\n GC_ASSERT(GC_explicit_typing_initialized);\n descr_type = GC_make_array_descriptor((word)n, (word)lb, d, &simple_descr,\n &complex_descr, &leaf);\n if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial check */\n && lb > 0 && n > GC_SIZE_MAX / lb)\n return NULL; /* n*lb overflow */\n lb *= n;\n switch(descr_type) {\n case NO_MEM: return(0);\n case SIMPLE:\n return GC_malloc_explicitly_typed(lb, simple_descr);\n case LEAF:\n lb += sizeof(struct LeafDescriptor) + TYPD_EXTRA_BYTES;\n break;\n case COMPLEX:\n lb += TYPD_EXTRA_BYTES;\n break;\n }\n op = GC_malloc_kind(lb, GC_array_kind);\n if (EXPECT(NULL == op, FALSE))\n return NULL;\n lg = SMALL_OBJ(lb) ? GC_size_map[lb] : BYTES_TO_GRANULES(GC_size(op));\n if (descr_type == LEAF) {\n /* Set up the descriptor inside the object itself. */\n volatile struct LeafDescriptor * lp =\n (struct LeafDescriptor *)\n (op + GRANULES_TO_WORDS(lg)\n - (BYTES_TO_WORDS(sizeof(struct LeafDescriptor)) + 1));\n\n lp -> ld_tag = LEAF_TAG;\n lp -> ld_size = leaf.ld_size;\n lp -> ld_nelements = leaf.ld_nelements;\n lp -> ld_descriptor = leaf.ld_descriptor;\n ((volatile word *)op)[GRANULES_TO_WORDS(lg) - 1] = (word)lp;\n } else {\n# ifndef GC_NO_FINALIZATION\n size_t lw = GRANULES_TO_WORDS(lg);\n\n op[lw - 1] = (word)complex_descr;\n /* Make sure the descriptor is cleared once there is any danger */\n /* it may have been collected. */\n if (EXPECT(GC_general_register_disappearing_link(\n (void **)(op + lw - 1), op)\n == GC_NO_MEMORY, FALSE))\n# endif\n {\n /* Couldn't register it due to lack of memory. Punt. */\n /* This will probably fail too, but gives the recovery code */\n /* a chance. */\n return GC_malloc(lb);\n }\n }\n return op;\n}",
- "project": "bdwgc",
- "hash": 196754813537280026105640227782301143544,
- "size": 64,
- "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4",
- "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.",
- "target": 0,
- "dataset": "other",
- "idx": 374064
- },
- {
- "func": "STATIC GC_descr GC_double_descr(GC_descr descriptor, word nwords)\n{\n if ((descriptor & GC_DS_TAGS) == GC_DS_LENGTH) {\n descriptor = GC_bm_table[BYTES_TO_WORDS((word)descriptor)];\n };\n descriptor |= (descriptor & ~GC_DS_TAGS) >> nwords;\n return(descriptor);\n}",
- "project": "bdwgc",
- "hash": 244067845680989831098866291492820252649,
- "size": 8,
- "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4",
- "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.",
- "target": 0,
- "dataset": "other",
- "idx": 374061
- },
- {
- "func": "STATIC int GC_make_array_descriptor(size_t nelements, size_t size,\n GC_descr descriptor, GC_descr *simple_d,\n complex_descriptor **complex_d,\n struct LeafDescriptor * leaf)\n{\n# define OPT_THRESHOLD 50\n /* For larger arrays, we try to combine descriptors of adjacent */\n /* descriptors to speed up marking, and to reduce the amount */\n /* of space needed on the mark stack. */\n if ((descriptor & GC_DS_TAGS) == GC_DS_LENGTH) {\n if (descriptor == (GC_descr)size) {\n *simple_d = nelements * descriptor;\n return(SIMPLE);\n } else if ((word)descriptor == 0) {\n *simple_d = (GC_descr)0;\n return(SIMPLE);\n }\n }\n if (nelements <= OPT_THRESHOLD) {\n if (nelements <= 1) {\n if (nelements == 1) {\n *simple_d = descriptor;\n return(SIMPLE);\n } else {\n *simple_d = (GC_descr)0;\n return(SIMPLE);\n }\n }\n } else if (size <= BITMAP_BITS/2\n && (descriptor & GC_DS_TAGS) != GC_DS_PROC\n && (size & (sizeof(word)-1)) == 0) {\n int result =\n GC_make_array_descriptor(nelements/2, 2*size,\n GC_double_descr(descriptor,\n BYTES_TO_WORDS(size)),\n simple_d, complex_d, leaf);\n if ((nelements & 1) == 0) {\n return(result);\n } else {\n struct LeafDescriptor * one_element =\n (struct LeafDescriptor *)\n GC_malloc_atomic(sizeof(struct LeafDescriptor));\n\n if (result == NO_MEM || one_element == 0) return(NO_MEM);\n one_element -> ld_tag = LEAF_TAG;\n one_element -> ld_size = size;\n one_element -> ld_nelements = 1;\n one_element -> ld_descriptor = descriptor;\n switch(result) {\n case SIMPLE:\n {\n struct LeafDescriptor * beginning =\n (struct LeafDescriptor *)\n GC_malloc_atomic(sizeof(struct LeafDescriptor));\n if (beginning == 0) return(NO_MEM);\n beginning -> ld_tag = LEAF_TAG;\n beginning -> ld_size = size;\n beginning -> ld_nelements = 1;\n beginning -> ld_descriptor = *simple_d;\n *complex_d = GC_make_sequence_descriptor(\n (complex_descriptor *)beginning,\n (complex_descriptor *)one_element);\n break;\n }\n case LEAF:\n {\n struct LeafDescriptor * beginning =\n 
(struct LeafDescriptor *)\n GC_malloc_atomic(sizeof(struct LeafDescriptor));\n if (beginning == 0) return(NO_MEM);\n beginning -> ld_tag = LEAF_TAG;\n beginning -> ld_size = leaf -> ld_size;\n beginning -> ld_nelements = leaf -> ld_nelements;\n beginning -> ld_descriptor = leaf -> ld_descriptor;\n *complex_d = GC_make_sequence_descriptor(\n (complex_descriptor *)beginning,\n (complex_descriptor *)one_element);\n break;\n }\n case COMPLEX:\n *complex_d = GC_make_sequence_descriptor(\n *complex_d,\n (complex_descriptor *)one_element);\n break;\n }\n return(COMPLEX);\n }\n }\n\n leaf -> ld_size = size;\n leaf -> ld_nelements = nelements;\n leaf -> ld_descriptor = descriptor;\n return(LEAF);\n}",
- "project": "bdwgc",
- "hash": 46177501544734546095080439612376021485,
- "size": 94,
- "commit_id": "4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4",
- "message": "Fix calloc_explicitly_typed in case of lb*n overflow\n\n* typd_mlc.c: Include limits.h (for SIZE_MAX).\n* typd_mlc.c (GC_SIZE_MAX, GC_SQRT_SIZE_MAX): New macro (same as in\nmalloc.c).\n* typd_mlc.c (GC_calloc_explicitly_typed): Return NULL if lb * n\noverflows (same algorithm as in calloc defined in malloc.c); eliminate\nlb *= n code duplication.",
- "target": 0,
- "dataset": "other",
- "idx": 374060
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "do_string_and_free",
- "do_string",
- "refresh_request"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "do_string_replot(const char *s)\n{\n do_string(s);\n\n if (volatile_data && (E_REFRESH_NOT_OK != refresh_ok)) {\n\tif (display_ipc_commands())\n\t fprintf(stderr, \"refresh\\n\");\n\trefresh_request();\n\n } else if (!replot_disabled)\n\treplotrequest();\n\n else\n\tint_warn(NO_CARET, \"refresh not possible and replot is disabled\");\n}",
- "target": 0,
- "cwe": [
- "CWE-415"
- ],
- "project": "gnuplot",
- "commit_id": "052cbd17c3cbbc602ee080b2617d32a8417d7563",
- "hash": 291579279894964375944063221702777252799,
- "size": 15,
- "message": "successive failures of \"set print <foo>\" could cause double-free\nBug #2312",
- "dataset": "other",
- "idx": 506485
- },
- {
- "func": "refresh_command()\n{\n c_token++;\n refresh_request();\n}",
- "target": 0,
- "cwe": [
- "CWE-415"
- ],
- "project": "gnuplot",
- "commit_id": "052cbd17c3cbbc602ee080b2617d32a8417d7563",
- "hash": 97347783036189310092858484712183281402,
- "size": 5,
- "message": "successive failures of \"set print <foo>\" could cause double-free\nBug #2312",
- "dataset": "other",
- "idx": 506513
- },
- {
- "func": "do_string(const char *s)\n{\n char *cmdline = gp_strdup(s);\n do_string_and_free(cmdline);\n}",
- "target": 0,
- "cwe": [
- "CWE-415"
- ],
- "project": "gnuplot",
- "commit_id": "052cbd17c3cbbc602ee080b2617d32a8417d7563",
- "hash": 138266240495855944294073793531180690221,
- "size": 5,
- "message": "successive failures of \"set print <foo>\" could cause double-free\nBug #2312",
- "dataset": "other",
- "idx": 506504
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "bfq_init_hctx",
- "bfq_depth_updated",
- "bfq_update_depths"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "\nstatic int bfq_init_hctx(struct blk_mq_hw_ctx *hctx, unsigned int index)\n{\n\tbfq_depth_updated(hctx);\n\treturn 0;",
- "project": "linux",
- "hash": 17985867972788131300537994415053636378,
- "size": 5,
- "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9",
- "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] 
do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the 
object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente <paolo.valente@linaro.org>\nReported-by: Wang Wang <wangwang2@huawei.com>\nSigned-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>\nSigned-off-by: Feilong Lin <linfeilong@huawei.com>\nSigned-off-by: Jens Axboe <axboe@kernel.dk>",
- "target": 0,
- "dataset": "other",
- "idx": 453310
- },
- {
- "func": "\nstatic void bfq_depth_updated(struct blk_mq_hw_ctx *hctx)\n{\n\tstruct bfq_data *bfqd = hctx->queue->elevator->elevator_data;\n\tstruct blk_mq_tags *tags = hctx->sched_tags;\n\tunsigned int min_shallow;\n\n\tmin_shallow = bfq_update_depths(bfqd, &tags->bitmap_tags);\n\tsbitmap_queue_min_shallow_depth(&tags->bitmap_tags, min_shallow);",
- "project": "linux",
- "hash": 46526425900654998379064372761150223322,
- "size": 9,
- "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9",
- "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] 
do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the 
object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente <paolo.valente@linaro.org>\nReported-by: Wang Wang <wangwang2@huawei.com>\nSigned-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>\nSigned-off-by: Feilong Lin <linfeilong@huawei.com>\nSigned-off-by: Jens Axboe <axboe@kernel.dk>",
- "target": 0,
- "dataset": "other",
- "idx": 453413
- },
- {
- "func": " */\nstatic unsigned int bfq_update_depths(struct bfq_data *bfqd,\n\t\t\t\t struct sbitmap_queue *bt)\n{\n\tunsigned int i, j, min_shallow = UINT_MAX;\n\n\t/*\n\t * In-word depths if no bfq_queue is being weight-raised:\n\t * leaving 25% of tags only for sync reads.\n\t *\n\t * In next formulas, right-shift the value\n\t * (1U<<bt->sb.shift), instead of computing directly\n\t * (1U<<(bt->sb.shift - something)), to be robust against\n\t * any possible value of bt->sb.shift, without having to\n\t * limit 'something'.\n\t */\n\t/* no more than 50% of tags for async I/O */\n\tbfqd->word_depths[0][0] = max((1U << bt->sb.shift) >> 1, 1U);\n\t/*\n\t * no more than 75% of tags for sync writes (25% extra tags\n\t * w.r.t. async I/O, to prevent async I/O from starving sync\n\t * writes)\n\t */\n\tbfqd->word_depths[0][1] = max(((1U << bt->sb.shift) * 3) >> 2, 1U);\n\n\t/*\n\t * In-word depths in case some bfq_queue is being weight-\n\t * raised: leaving ~63% of tags for sync reads. This is the\n\t * highest percentage for which, in our tests, application\n\t * start-up times didn't suffer from any regression due to tag\n\t * shortage.\n\t */\n\t/* no more than ~18% of tags for async I/O */\n\tbfqd->word_depths[1][0] = max(((1U << bt->sb.shift) * 3) >> 4, 1U);\n\t/* no more than ~37% of tags for sync writes (~20% extra tags) */\n\tbfqd->word_depths[1][1] = max(((1U << bt->sb.shift) * 6) >> 4, 1U);\n\n\tfor (i = 0; i < 2; i++)\n\t\tfor (j = 0; j < 2; j++)\n\t\t\tmin_shallow = min(min_shallow, bfqd->word_depths[i][j]);\n\n\treturn min_shallow;",
- "project": "linux",
- "hash": 325936854518236894026066920926641664043,
- "size": 42,
- "commit_id": "2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9",
- "message": "block, bfq: fix use-after-free in bfq_idle_slice_timer_body\n\nIn bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is\nnot in bfqd-lock critical section. The bfqq, which is not\nequal to NULL in bfq_idle_slice_timer, may be freed after passing\nto bfq_idle_slice_timer_body. So we will access the freed memory.\n\nIn addition, considering the bfqq may be in race, we should\nfirstly check whether bfqq is in service before doing something\non it in bfq_idle_slice_timer_body func. If the bfqq in race is\nnot in service, it means the bfqq has been expired through\n__bfq_bfqq_expire func, and wait_request flags has been cleared in\n__bfq_bfqd_reset_in_service func. So we do not need to re-clear the\nwait_request of bfqq which is not in service.\n\nKASAN log is given as follows:\n[13058.354613] ==================================================================\n[13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290\n[13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767\n[13058.354646]\n[13058.354655] CPU: 96 PID: 19767 Comm: fork13\n[13058.354661] Call trace:\n[13058.354667] dump_backtrace+0x0/0x310\n[13058.354672] show_stack+0x28/0x38\n[13058.354681] dump_stack+0xd8/0x108\n[13058.354687] print_address_description+0x68/0x2d0\n[13058.354690] kasan_report+0x124/0x2e0\n[13058.354697] __asan_load8+0x88/0xb0\n[13058.354702] bfq_idle_slice_timer+0xac/0x290\n[13058.354707] __hrtimer_run_queues+0x298/0x8b8\n[13058.354710] hrtimer_interrupt+0x1b8/0x678\n[13058.354716] arch_timer_handler_phys+0x4c/0x78\n[13058.354722] handle_percpu_devid_irq+0xf0/0x558\n[13058.354731] generic_handle_irq+0x50/0x70\n[13058.354735] __handle_domain_irq+0x94/0x110\n[13058.354739] gic_handle_irq+0x8c/0x1b0\n[13058.354742] el1_irq+0xb8/0x140\n[13058.354748] do_wp_page+0x260/0xe28\n[13058.354752] __handle_mm_fault+0x8ec/0x9b0\n[13058.354756] handle_mm_fault+0x280/0x460\n[13058.354762] do_page_fault+0x3ec/0x890\n[13058.354765] 
do_mem_abort+0xc0/0x1b0\n[13058.354768] el0_da+0x24/0x28\n[13058.354770]\n[13058.354773] Allocated by task 19731:\n[13058.354780] kasan_kmalloc+0xe0/0x190\n[13058.354784] kasan_slab_alloc+0x14/0x20\n[13058.354788] kmem_cache_alloc_node+0x130/0x440\n[13058.354793] bfq_get_queue+0x138/0x858\n[13058.354797] bfq_get_bfqq_handle_split+0xd4/0x328\n[13058.354801] bfq_init_rq+0x1f4/0x1180\n[13058.354806] bfq_insert_requests+0x264/0x1c98\n[13058.354811] blk_mq_sched_insert_requests+0x1c4/0x488\n[13058.354818] blk_mq_flush_plug_list+0x2d4/0x6e0\n[13058.354826] blk_flush_plug_list+0x230/0x548\n[13058.354830] blk_finish_plug+0x60/0x80\n[13058.354838] read_pages+0xec/0x2c0\n[13058.354842] __do_page_cache_readahead+0x374/0x438\n[13058.354846] ondemand_readahead+0x24c/0x6b0\n[13058.354851] page_cache_sync_readahead+0x17c/0x2f8\n[13058.354858] generic_file_buffered_read+0x588/0xc58\n[13058.354862] generic_file_read_iter+0x1b4/0x278\n[13058.354965] ext4_file_read_iter+0xa8/0x1d8 [ext4]\n[13058.354972] __vfs_read+0x238/0x320\n[13058.354976] vfs_read+0xbc/0x1c0\n[13058.354980] ksys_read+0xdc/0x1b8\n[13058.354984] __arm64_sys_read+0x50/0x60\n[13058.354990] el0_svc_common+0xb4/0x1d8\n[13058.354994] el0_svc_handler+0x50/0xa8\n[13058.354998] el0_svc+0x8/0xc\n[13058.354999]\n[13058.355001] Freed by task 19731:\n[13058.355007] __kasan_slab_free+0x120/0x228\n[13058.355010] kasan_slab_free+0x10/0x18\n[13058.355014] kmem_cache_free+0x288/0x3f0\n[13058.355018] bfq_put_queue+0x134/0x208\n[13058.355022] bfq_exit_icq_bfqq+0x164/0x348\n[13058.355026] bfq_exit_icq+0x28/0x40\n[13058.355030] ioc_exit_icq+0xa0/0x150\n[13058.355035] put_io_context_active+0x250/0x438\n[13058.355038] exit_io_context+0xd0/0x138\n[13058.355045] do_exit+0x734/0xc58\n[13058.355050] do_group_exit+0x78/0x220\n[13058.355054] __wake_up_parent+0x0/0x50\n[13058.355058] el0_svc_common+0xb4/0x1d8\n[13058.355062] el0_svc_handler+0x50/0xa8\n[13058.355066] el0_svc+0x8/0xc\n[13058.355067]\n[13058.355071] The buggy address belongs to the 
object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464\n[13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)\n[13058.355077] The buggy address belongs to the page:\n[13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0\n[13058.366175] flags: 0x2ffffe0000008100(slab|head)\n[13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780\n[13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000\n[13058.370789] page dumped because: kasan: bad access detected\n[13058.370791]\n[13058.370792] Memory state around the buggy address:\n[13058.370797] ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb\n[13058.370801] ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370808] ^\n[13058.370811] ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n[13058.370815] ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n[13058.370817] ==================================================================\n[13058.370820] Disabling lock debugging due to kernel taint\n\nHere, we directly pass the bfqd to bfq_idle_slice_timer_body func.\n--\nV2->V3: rewrite the comment as suggested by Paolo Valente\nV1->V2: add one comment, and add Fixes and Reported-by tag.\n\nFixes: aee69d78d (\"block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler\")\nAcked-by: Paolo Valente <paolo.valente@linaro.org>\nReported-by: Wang Wang <wangwang2@huawei.com>\nSigned-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>\nSigned-off-by: Feilong Lin <linfeilong@huawei.com>\nSigned-off-by: Jens Axboe <axboe@kernel.dk>",
- "target": 0,
- "dataset": "other",
- "idx": 453277
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "TracePath",
- "TraceArcPath",
- "TraceBezier",
- "CheckPrimitiveExtent"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static MagickBooleanType TraceBezier(MVGInfo *mvg_info,\n const size_t number_coordinates)\n{\n double\n alpha,\n *coefficients,\n weight;\n\n PointInfo\n end,\n point,\n *points;\n\n PrimitiveInfo\n *primitive_info;\n\n PrimitiveInfo\n *p;\n\n ssize_t\n i,\n j;\n\n size_t\n control_points,\n quantum;\n\n /*\n Allocate coefficients.\n */\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n quantum=number_coordinates;\n for (i=0; i < (ssize_t) number_coordinates; i++)\n {\n for (j=i+1; j < (ssize_t) number_coordinates; j++)\n {\n alpha=fabs(primitive_info[j].point.x-primitive_info[i].point.x);\n if (alpha > (double) MAGICK_SSIZE_MAX)\n {\n (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n return(MagickFalse);\n }\n if (alpha > (double) quantum)\n quantum=(size_t) alpha;\n alpha=fabs(primitive_info[j].point.y-primitive_info[i].point.y);\n if (alpha > (double) MAGICK_SSIZE_MAX)\n {\n (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n return(MagickFalse);\n }\n if (alpha > (double) quantum)\n quantum=(size_t) alpha;\n }\n }\n coefficients=(double *) AcquireQuantumMemory(number_coordinates,\n sizeof(*coefficients));\n quantum=MagickMin(quantum/number_coordinates,BezierQuantum);\n points=(PointInfo *) AcquireQuantumMemory(quantum,number_coordinates*\n sizeof(*points));\n if ((coefficients == (double *) NULL) || (points == (PointInfo *) NULL))\n {\n if (points != (PointInfo *) NULL)\n points=(PointInfo *) RelinquishMagickMemory(points);\n if (coefficients != (double *) NULL)\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n return(MagickFalse);\n }\n control_points=quantum*number_coordinates;\n if (CheckPrimitiveExtent(mvg_info,(double) 
control_points+1) == MagickFalse)\n {\n points=(PointInfo *) RelinquishMagickMemory(points);\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n return(MagickFalse);\n }\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n /*\n Compute bezier points.\n */\n end=primitive_info[number_coordinates-1].point;\n for (i=0; i < (ssize_t) number_coordinates; i++)\n coefficients[i]=Permutate((ssize_t) number_coordinates-1,i);\n weight=0.0;\n for (i=0; i < (ssize_t) control_points; i++)\n {\n p=primitive_info;\n point.x=0.0;\n point.y=0.0;\n alpha=pow((double) (1.0-weight),(double) number_coordinates-1.0);\n for (j=0; j < (ssize_t) number_coordinates; j++)\n {\n point.x+=alpha*coefficients[j]*p->point.x;\n point.y+=alpha*coefficients[j]*p->point.y;\n alpha*=weight/(1.0-weight);\n p++;\n }\n points[i]=point;\n weight+=1.0/control_points;\n }\n /*\n Bezier curves are just short segmented polys.\n */\n p=primitive_info;\n for (i=0; i < (ssize_t) control_points; i++)\n {\n if (TracePoint(p,points[i]) == MagickFalse)\n {\n points=(PointInfo *) RelinquishMagickMemory(points);\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n return(MagickFalse);\n }\n p+=p->coordinates;\n }\n if (TracePoint(p,end) == MagickFalse)\n {\n points=(PointInfo *) RelinquishMagickMemory(points);\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n return(MagickFalse);\n }\n p+=p->coordinates;\n primitive_info->coordinates=(size_t) (p-primitive_info);\n primitive_info->closed_subpath=MagickFalse;\n for (i=0; i < (ssize_t) primitive_info->coordinates; i++)\n {\n p->primitive=primitive_info->primitive;\n p--;\n }\n points=(PointInfo *) RelinquishMagickMemory(points);\n coefficients=(double *) RelinquishMagickMemory(coefficients);\n return(MagickTrue);\n}",
- "project": "ImageMagick6",
- "hash": 253553152437105555548461944081055352860,
- "size": 134,
- "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3339",
- "target": 0,
- "dataset": "other",
- "idx": 316674
- },
- {
- "func": "static ssize_t TracePath(Image *image,MVGInfo *mvg_info,const char *path)\n{\n char\n *next_token,\n token[MaxTextExtent];\n\n const char\n *p;\n\n double\n x,\n y;\n\n int\n attribute,\n last_attribute;\n\n MagickStatusType\n status;\n\n PointInfo\n end = {0.0, 0.0},\n points[4] = { {0.0, 0.0}, {0.0, 0.0}, {0.0, 0.0}, {0.0, 0.0} },\n point = {0.0, 0.0},\n start = {0.0, 0.0};\n\n PrimitiveInfo\n *primitive_info;\n\n PrimitiveType\n primitive_type;\n\n PrimitiveInfo\n *q;\n\n ssize_t\n i;\n\n size_t\n number_coordinates,\n z_count;\n\n ssize_t\n subpath_offset;\n\n subpath_offset=mvg_info->offset;\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n status=MagickTrue;\n attribute=0;\n number_coordinates=0;\n z_count=0;\n primitive_type=primitive_info->primitive;\n q=primitive_info;\n for (p=path; *p != '\\0'; )\n {\n if (status == MagickFalse)\n break;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == '\\0')\n break;\n last_attribute=attribute;\n attribute=(int) (*p++);\n switch (attribute)\n {\n case 'a':\n case 'A':\n {\n double\n angle = 0.0;\n\n MagickBooleanType\n large_arc = MagickFalse,\n sweep = MagickFalse;\n\n PointInfo\n arc = {0.0, 0.0};\n\n /*\n Elliptical arc.\n */\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n arc.x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n arc.y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n angle=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if 
(*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n large_arc=StringToLong(token) != 0 ? MagickTrue : MagickFalse;\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n sweep=StringToLong(token) != 0 ? MagickTrue : MagickFalse;\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n end.x=(double) (attribute == (int) 'A' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'A' ? y : point.y+y);\n status&=TraceArcPath(mvg_info,point,end,arc,angle,large_arc,sweep);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'c':\n case 'C':\n {\n /*\n Cubic Bézier curve.\n */\n do\n {\n points[0]=point;\n for (i=1; i < 4; i++)\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n end.x=(double) (attribute == (int) 'C' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'C' ? 
y : point.y+y);\n points[i]=end;\n }\n for (i=0; i < 4; i++)\n (q+i)->point=points[i];\n if (TraceBezier(mvg_info,4) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'H':\n case 'h':\n {\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n point.x=(double) (attribute == (int) 'H' ? x: point.x+x);\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'l':\n case 'L':\n {\n /*\n Line to.\n */\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n point.x=(double) (attribute == (int) 'L' ? x : point.x+x);\n point.y=(double) (attribute == (int) 'L' ? 
y : point.y+y);\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'M':\n case 'm':\n {\n /*\n Move to.\n */\n if (mvg_info->offset != subpath_offset)\n {\n primitive_info=(*mvg_info->primitive_info)+subpath_offset;\n primitive_info->coordinates=(size_t) (q-primitive_info);\n number_coordinates+=primitive_info->coordinates;\n primitive_info=q;\n subpath_offset=mvg_info->offset;\n }\n i=0;\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n point.x=(double) (attribute == (int) 'M' ? x : point.x+x);\n point.y=(double) (attribute == (int) 'M' ? 
y : point.y+y);\n if (i == 0)\n start=point;\n i++;\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'q':\n case 'Q':\n {\n /*\n Quadratic Bézier curve.\n */\n do\n {\n points[0]=point;\n for (i=1; i < 3; i++)\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n if (*p == ',')\n p++;\n end.x=(double) (attribute == (int) 'Q' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'Q' ? 
y : point.y+y);\n points[i]=end;\n }\n for (i=0; i < 3; i++)\n (q+i)->point=points[i];\n if (TraceBezier(mvg_info,3) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 's':\n case 'S':\n {\n /*\n Cubic Bézier curve.\n */\n do\n {\n points[0]=points[3];\n points[1].x=2.0*points[3].x-points[2].x;\n points[1].y=2.0*points[3].y-points[2].y;\n for (i=2; i < 4; i++)\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n if (*p == ',')\n p++;\n end.x=(double) (attribute == (int) 'S' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'S' ? 
y : point.y+y);\n points[i]=end;\n }\n if (strchr(\"CcSs\",last_attribute) == (char *) NULL)\n {\n points[0]=point;\n points[1]=point;\n }\n for (i=0; i < 4; i++)\n (q+i)->point=points[i];\n if (TraceBezier(mvg_info,4) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n last_attribute=attribute;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 't':\n case 'T':\n {\n /*\n Quadratic Bézier curve.\n */\n do\n {\n points[0]=points[2];\n points[1].x=2.0*points[2].x-points[1].x;\n points[1].y=2.0*points[2].y-points[1].y;\n for (i=2; i < 3; i++)\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n x=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n end.x=(double) (attribute == (int) 'T' ? x : point.x+x);\n end.y=(double) (attribute == (int) 'T' ? 
y : point.y+y);\n points[i]=end;\n }\n if (status == MagickFalse)\n break;\n if (strchr(\"QqTt\",last_attribute) == (char *) NULL)\n {\n points[0]=point;\n points[1]=point;\n }\n for (i=0; i < 3; i++)\n (q+i)->point=points[i];\n if (TraceBezier(mvg_info,3) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n point=end;\n last_attribute=attribute;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'v':\n case 'V':\n {\n /*\n Line to.\n */\n do\n {\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n if (*token == ',')\n (void) GetNextToken(p,&p,MaxTextExtent,token);\n y=GetDrawValue(token,&next_token);\n if (token == next_token)\n ThrowPointExpectedException(image,token);\n point.y=(double) (attribute == (int) 'V' ? y : point.y+y);\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n while (isspace((int) ((unsigned char) *p)) != 0)\n p++;\n if (*p == ',')\n p++;\n } while (IsPoint(p) != MagickFalse);\n break;\n }\n case 'z':\n case 'Z':\n {\n /*\n Close path.\n */\n point=start;\n if (CheckPrimitiveExtent(mvg_info,PrimitiveExtentPad) == MagickFalse)\n return(-1);\n q=(*mvg_info->primitive_info)+mvg_info->offset;\n if (TracePoint(q,point) == MagickFalse)\n return(-1);\n mvg_info->offset+=q->coordinates;\n q+=q->coordinates;\n primitive_info=(*mvg_info->primitive_info)+subpath_offset;\n primitive_info->coordinates=(size_t) (q-primitive_info);\n primitive_info->closed_subpath=MagickTrue;\n number_coordinates+=primitive_info->coordinates;\n primitive_info=q;\n subpath_offset=mvg_info->offset;\n z_count++;\n break;\n }\n default:\n {\n ThrowPointExpectedException(image,token);\n break;\n }\n }\n }\n if 
(status == MagickFalse)\n return(-1);\n primitive_info=(*mvg_info->primitive_info)+subpath_offset;\n primitive_info->coordinates=(size_t) (q-primitive_info);\n number_coordinates+=primitive_info->coordinates;\n for (i=0; i < (ssize_t) number_coordinates; i++)\n {\n q--;\n q->primitive=primitive_type;\n if (z_count > 1)\n q->method=FillToBorderMethod;\n }\n q=primitive_info;\n return((ssize_t) number_coordinates);\n}",
- "project": "ImageMagick6",
- "hash": 62329487104930950764409643756974280736,
- "size": 511,
- "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3339",
- "target": 0,
- "dataset": "other",
- "idx": 316671
- },
- {
- "func": "static MagickBooleanType CheckPrimitiveExtent(MVGInfo *mvg_info,\n const double pad)\n{\n double\n extent;\n\n size_t\n quantum;\n\n /*\n Check if there is enough storage for drawing pimitives.\n */\n quantum=sizeof(**mvg_info->primitive_info);\n extent=(double) mvg_info->offset+pad+PrimitiveExtentPad*quantum+1.0;\n if (extent <= (double) *mvg_info->extent)\n return(MagickTrue);\n if (extent == (double) CastDoubleToLong(extent))\n {\n *mvg_info->primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(\n *mvg_info->primitive_info,(size_t) extent,quantum);\n if (*mvg_info->primitive_info != (PrimitiveInfo *) NULL)\n {\n ssize_t\n i;\n\n *mvg_info->extent=(size_t) extent;\n for (i=mvg_info->offset+1; i < (ssize_t) extent; i++)\n (*mvg_info->primitive_info)[i].primitive=UndefinedPrimitive;\n return(MagickTrue);\n }\n }\n /*\n Reallocation failed, allocate a primitive to facilitate unwinding.\n */\n if (*mvg_info->primitive_info != (PrimitiveInfo *) NULL)\n *mvg_info->primitive_info=(PrimitiveInfo *) RelinquishMagickMemory(\n *mvg_info->primitive_info);\n (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),\n ResourceLimitError,\"MemoryAllocationFailed\",\"`%s'\",\"\");\n *mvg_info->primitive_info=(PrimitiveInfo *) AcquireCriticalMemory(\n (size_t) (PrimitiveExtentPad*quantum));\n (void) memset(*mvg_info->primitive_info,0,(size_t)\n (PrimitiveExtentPad*quantum));\n *mvg_info->extent=1;\n return(MagickFalse);\n}",
- "project": "ImageMagick6",
- "hash": 255673321032456110218431166205636735831,
- "size": 46,
- "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3339",
- "target": 0,
- "dataset": "other",
- "idx": 316684
- },
- {
- "func": "static MagickBooleanType TraceArcPath(MVGInfo *mvg_info,const PointInfo start,\n const PointInfo end,const PointInfo arc,const double angle,\n const MagickBooleanType large_arc,const MagickBooleanType sweep)\n{\n double\n alpha,\n beta,\n delta,\n factor,\n gamma,\n theta;\n\n MagickStatusType\n status;\n\n PointInfo\n center,\n points[3],\n radii;\n\n double\n cosine,\n sine;\n\n PrimitiveInfo\n *primitive_info;\n\n PrimitiveInfo\n *p;\n\n ssize_t\n i;\n\n size_t\n arc_segments;\n\n ssize_t\n offset;\n\n offset=mvg_info->offset;\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n primitive_info->coordinates=0;\n if ((fabs(start.x-end.x) < MagickEpsilon) &&\n (fabs(start.y-end.y) < MagickEpsilon))\n return(TracePoint(primitive_info,end));\n radii.x=fabs(arc.x);\n radii.y=fabs(arc.y);\n if ((radii.x < MagickEpsilon) || (radii.y < MagickEpsilon))\n return(TraceLine(primitive_info,start,end));\n cosine=cos(DegreesToRadians(fmod((double) angle,360.0)));\n sine=sin(DegreesToRadians(fmod((double) angle,360.0)));\n center.x=(double) (cosine*(end.x-start.x)/2+sine*(end.y-start.y)/2);\n center.y=(double) (cosine*(end.y-start.y)/2-sine*(end.x-start.x)/2);\n delta=(center.x*center.x)/(radii.x*radii.x)+(center.y*center.y)/\n (radii.y*radii.y);\n if (delta < MagickEpsilon)\n return(TraceLine(primitive_info,start,end));\n if (delta > 1.0)\n {\n radii.x*=sqrt((double) delta);\n radii.y*=sqrt((double) delta);\n }\n points[0].x=(double) (cosine*start.x/radii.x+sine*start.y/radii.x);\n points[0].y=(double) (cosine*start.y/radii.y-sine*start.x/radii.y);\n points[1].x=(double) (cosine*end.x/radii.x+sine*end.y/radii.x);\n points[1].y=(double) (cosine*end.y/radii.y-sine*end.x/radii.y);\n alpha=points[1].x-points[0].x;\n beta=points[1].y-points[0].y;\n if (fabs(alpha*alpha+beta*beta) < MagickEpsilon)\n return(TraceLine(primitive_info,start,end));\n factor=PerceptibleReciprocal(alpha*alpha+beta*beta)-0.25;\n if (factor <= 0.0)\n factor=0.0;\n else\n {\n 
factor=sqrt((double) factor);\n if (sweep == large_arc)\n factor=(-factor);\n }\n center.x=(double) ((points[0].x+points[1].x)/2-factor*beta);\n center.y=(double) ((points[0].y+points[1].y)/2+factor*alpha);\n alpha=atan2(points[0].y-center.y,points[0].x-center.x);\n theta=atan2(points[1].y-center.y,points[1].x-center.x)-alpha;\n if ((theta < 0.0) && (sweep != MagickFalse))\n theta+=2.0*MagickPI;\n else\n if ((theta > 0.0) && (sweep == MagickFalse))\n theta-=2.0*MagickPI;\n arc_segments=(size_t) CastDoubleToLong(ceil(fabs((double) (theta/(0.5*\n MagickPI+MagickEpsilon)))));\n p=primitive_info;\n status=MagickTrue;\n for (i=0; i < (ssize_t) arc_segments; i++)\n {\n beta=0.5*((alpha+(i+1)*theta/arc_segments)-(alpha+i*theta/arc_segments));\n gamma=(8.0/3.0)*sin(fmod((double) (0.5*beta),DegreesToRadians(360.0)))*\n sin(fmod((double) (0.5*beta),DegreesToRadians(360.0)))/\n sin(fmod((double) beta,DegreesToRadians(360.0)));\n points[0].x=(double) (center.x+cos(fmod((double) (alpha+(double) i*theta/\n arc_segments),DegreesToRadians(360.0)))-gamma*sin(fmod((double) (alpha+\n (double) i*theta/arc_segments),DegreesToRadians(360.0))));\n points[0].y=(double) (center.y+sin(fmod((double) (alpha+(double) i*theta/\n arc_segments),DegreesToRadians(360.0)))+gamma*cos(fmod((double) (alpha+\n (double) i*theta/arc_segments),DegreesToRadians(360.0))));\n points[2].x=(double) (center.x+cos(fmod((double) (alpha+(double) (i+1)*\n theta/arc_segments),DegreesToRadians(360.0))));\n points[2].y=(double) (center.y+sin(fmod((double) (alpha+(double) (i+1)*\n theta/arc_segments),DegreesToRadians(360.0))));\n points[1].x=(double) (points[2].x+gamma*sin(fmod((double) (alpha+(double)\n (i+1)*theta/arc_segments),DegreesToRadians(360.0))));\n points[1].y=(double) (points[2].y-gamma*cos(fmod((double) (alpha+(double)\n (i+1)*theta/arc_segments),DegreesToRadians(360.0))));\n p->point.x=(p == primitive_info) ? start.x : (p-1)->point.x;\n p->point.y=(p == primitive_info) ? 
start.y : (p-1)->point.y;\n (p+1)->point.x=(double) (cosine*radii.x*points[0].x-sine*radii.y*\n points[0].y);\n (p+1)->point.y=(double) (sine*radii.x*points[0].x+cosine*radii.y*\n points[0].y);\n (p+2)->point.x=(double) (cosine*radii.x*points[1].x-sine*radii.y*\n points[1].y);\n (p+2)->point.y=(double) (sine*radii.x*points[1].x+cosine*radii.y*\n points[1].y);\n (p+3)->point.x=(double) (cosine*radii.x*points[2].x-sine*radii.y*\n points[2].y);\n (p+3)->point.y=(double) (sine*radii.x*points[2].x+cosine*radii.y*\n points[2].y);\n if (i == (ssize_t) (arc_segments-1))\n (p+3)->point=end;\n status&=TraceBezier(mvg_info,4);\n if (status == 0)\n break;\n p=(*mvg_info->primitive_info)+mvg_info->offset;\n mvg_info->offset+=p->coordinates;\n p+=p->coordinates;\n }\n if (status == 0)\n return(MagickFalse);\n mvg_info->offset=offset;\n primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;\n primitive_info->coordinates=(size_t) (p-primitive_info);\n primitive_info->closed_subpath=MagickFalse;\n for (i=0; i < (ssize_t) primitive_info->coordinates; i++)\n {\n p->primitive=primitive_info->primitive;\n p--;\n }\n return(MagickTrue);\n}",
- "project": "ImageMagick6",
- "hash": 73304484946342503190438339501963101627,
- "size": 148,
- "commit_id": "9a94877f7823b0b8a41d50638dd105229d91fa89",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3339",
- "target": 0,
- "dataset": "other",
- "idx": 316677
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "WritePS3Image",
- "WritePS3MaskImage",
- "SerializeImageChannel"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "static MagickBooleanType SerializeImageIndexes(const ImageInfo *image_info,\n Image *image,MemoryInfo **pixel_info,size_t *length,ExceptionInfo *exception)\n{\n MagickBooleanType\n status;\n\n register const Quantum\n *p;\n\n register ssize_t\n x;\n\n register unsigned char\n *q;\n\n ssize_t\n y;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n status=MagickTrue;\n *length=(size_t) image->columns*image->rows;\n *pixel_info=AcquireVirtualMemory(*length,sizeof(*q));\n if (*pixel_info == (MemoryInfo *) NULL)\n ThrowWriterException(ResourceLimitError,\"MemoryAllocationFailed\");\n q=(unsigned char *) GetVirtualMemoryBlob(*pixel_info);\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n p=GetVirtualPixels(image,0,y,image->columns,1,exception);\n if (p == (const Quantum *) NULL)\n break;\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n *q++=(unsigned char) GetPixelIndex(image,p);\n p+=GetPixelChannels(image);\n }\n if (image->previous == (Image *) NULL)\n {\n status=SetImageProgress(image,SaveImageTag,(MagickOffsetType) y,\n image->rows);\n if (status == MagickFalse)\n break;\n }\n }\n if (status == MagickFalse)\n *pixel_info=RelinquishVirtualMemory(*pixel_info);\n return(status);\n}",
- "project": "ImageMagick",
- "hash": 1422216920378647312522307092579595425,
- "size": 50,
- "commit_id": "7b04c53c69792243d66d6876f843b850b3cc002b",
- "message": "Fixed memory leaks reported in #1557.",
- "target": 0,
- "dataset": "other",
- "idx": 416804
- },
- {
- "func": "static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image,\n ExceptionInfo *exception)\n{\n static const char\n *const PostscriptProlog[]=\n {\n \"/ByteStreamDecodeFilter\",\n \"{\",\n \" /z exch def\",\n \" /r exch def\",\n \" /c exch def\",\n \" z \" PS3_NoCompression \" eq { /ASCII85Decode filter } if\",\n \" z \" PS3_FaxCompression \" eq\",\n \" {\",\n \" <<\",\n \" /K \" CCITTParam,\n \" /Columns c\",\n \" /Rows r\",\n \" >>\",\n \" /CCITTFaxDecode filter\",\n \" } if\",\n \" z \" PS3_JPEGCompression \" eq { /DCTDecode filter } if\",\n \" z \" PS3_LZWCompression \" eq { /LZWDecode filter } if\",\n \" z \" PS3_RLECompression \" eq { /RunLengthDecode filter } if\",\n \" z \" PS3_ZipCompression \" eq { /FlateDecode filter } if\",\n \"} bind def\",\n \"\",\n \"/DirectClassImageDict\",\n \"{\",\n \" colorspace \" PS3_RGBColorspace \" eq\",\n \" {\",\n \" /DeviceRGB setcolorspace\",\n \" <<\",\n \" /ImageType 1\",\n \" /Width columns\",\n \" /Height rows\",\n \" /BitsPerComponent 8\",\n \" /DataSource pixel_stream\",\n \" /MultipleDataSources false\",\n \" /ImageMatrix [columns 0 0 rows neg 0 rows]\",\n \" /Decode [0 1 0 1 0 1]\",\n \" >>\",\n \" }\",\n \" {\",\n \" /DeviceCMYK setcolorspace\",\n \" <<\",\n \" /ImageType 1\",\n \" /Width columns\",\n \" /Height rows\",\n \" /BitsPerComponent 8\",\n \" /DataSource pixel_stream\",\n \" /MultipleDataSources false\",\n \" /ImageMatrix [columns 0 0 rows neg 0 rows]\",\n \" /Decode\",\n \" compression \" PS3_JPEGCompression \" eq\",\n \" { [1 0 1 0 1 0 1 0] }\",\n \" { [0 1 0 1 0 1 0 1] }\",\n \" ifelse\",\n \" >>\",\n \" }\",\n \" ifelse\",\n \"} bind def\",\n \"\",\n \"/PseudoClassImageDict\",\n \"{\",\n \" % Colors in colormap image.\",\n \" currentfile buffer readline pop\",\n \" token pop /colors exch def pop\",\n \" colors 0 eq\",\n \" {\",\n \" % Depth of grayscale image.\",\n \" currentfile buffer readline pop\",\n \" token pop /bits exch def pop\",\n \" /DeviceGray 
setcolorspace\",\n \" <<\",\n \" /ImageType 1\",\n \" /Width columns\",\n \" /Height rows\",\n \" /BitsPerComponent bits\",\n \" /Decode [0 1]\",\n \" /ImageMatrix [columns 0 0 rows neg 0 rows]\",\n \" /DataSource pixel_stream\",\n \" >>\",\n \" }\",\n \" {\",\n \" % RGB colormap.\",\n \" /colormap colors 3 mul string def\",\n \" compression \" PS3_NoCompression \" eq\",\n \" { currentfile /ASCII85Decode filter colormap readstring pop pop }\",\n \" { currentfile colormap readstring pop pop }\",\n \" ifelse\",\n \" [ /Indexed /DeviceRGB colors 1 sub colormap ] setcolorspace\",\n \" <<\",\n \" /ImageType 1\",\n \" /Width columns\",\n \" /Height rows\",\n \" /BitsPerComponent 8\",\n \" /Decode [0 255]\",\n \" /ImageMatrix [columns 0 0 rows neg 0 rows]\",\n \" /DataSource pixel_stream\",\n \" >>\",\n \" }\",\n \" ifelse\",\n \"} bind def\",\n \"\",\n \"/NonMaskedImageDict\",\n \"{\",\n \" class \" PS3_PseudoClass \" eq\",\n \" { PseudoClassImageDict }\",\n \" { DirectClassImageDict }\",\n \" ifelse\",\n \"} bind def\",\n \"\",\n \"/MaskedImageDict\",\n \"{\",\n \" <<\",\n \" /ImageType 3\",\n \" /InterleaveType 3\",\n \" /DataDict NonMaskedImageDict\",\n \" /MaskDict\",\n \" <<\",\n \" /ImageType 1\",\n \" /Width columns\",\n \" /Height rows\",\n \" /BitsPerComponent 1\",\n \" /DataSource mask_stream\",\n \" /MultipleDataSources false\",\n \" /ImageMatrix [ columns 0 0 rows neg 0 rows]\",\n \" /Decode [ 0 1 ]\",\n \" >>\",\n \" >>\",\n \"} bind def\",\n \"\",\n \"/ClipImage\",\n \"{} def\",\n \"\",\n \"/DisplayImage\",\n \"{\",\n \" gsave\",\n \" /buffer 512 string def\",\n \" % Translation.\",\n \" currentfile buffer readline pop\",\n \" token pop /x exch def\",\n \" token pop /y exch def pop\",\n \" x y translate\",\n \" % Image size and font size.\",\n \" currentfile buffer readline pop\",\n \" token pop /x exch def\",\n \" token pop /y exch def pop\",\n \" currentfile buffer readline pop\",\n \" token pop /pointsize exch def pop\",\n (const char *) NULL\n },\n 
*const PostscriptEpilog[]=\n {\n \" x y scale\",\n \" % Clipping path.\",\n \" currentfile buffer readline pop\",\n \" token pop /clipped exch def pop\",\n \" % Showpage.\",\n \" currentfile buffer readline pop\",\n \" token pop /sp exch def pop\",\n \" % Image pixel size.\",\n \" currentfile buffer readline pop\",\n \" token pop /columns exch def\",\n \" token pop /rows exch def pop\",\n \" % Colorspace (RGB/CMYK).\",\n \" currentfile buffer readline pop\",\n \" token pop /colorspace exch def pop\",\n \" % Transparency.\",\n \" currentfile buffer readline pop\",\n \" token pop /alpha exch def pop\",\n \" % Stencil mask?\",\n \" currentfile buffer readline pop\",\n \" token pop /stencil exch def pop\",\n \" % Image class (direct/pseudo).\",\n \" currentfile buffer readline pop\",\n \" token pop /class exch def pop\",\n \" % Compression type.\",\n \" currentfile buffer readline pop\",\n \" token pop /compression exch def pop\",\n \" % Clip and render.\",\n \" /pixel_stream currentfile columns rows compression ByteStreamDecodeFilter def\",\n \" clipped { ClipImage } if\",\n \" alpha stencil not and\",\n \" { MaskedImageDict mask_stream resetfile }\",\n \" { NonMaskedImageDict }\",\n \" ifelse\",\n \" stencil { 0 setgray imagemask } { image } ifelse\",\n \" grestore\",\n \" sp { showpage } if\",\n \"} bind def\",\n (const char *) NULL\n };\n\n char\n buffer[MagickPathExtent],\n date[MagickPathExtent],\n **labels,\n page_geometry[MagickPathExtent];\n\n CompressionType\n compression;\n\n const char\n *option,\n *const *q,\n *value;\n\n double\n pointsize;\n\n GeometryInfo\n geometry_info;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n offset,\n scene,\n start,\n stop;\n\n MagickStatusType\n flags;\n\n MemoryInfo\n *pixel_info;\n\n PointInfo\n delta,\n resolution,\n scale;\n\n RectangleInfo\n geometry,\n media_info,\n page_info;\n\n register ssize_t\n i;\n\n SegmentInfo\n bounds;\n\n size_t\n imageListLength,\n length,\n page,\n pixel,\n text_size;\n\n ssize_t\n 
j;\n\n time_t\n timer;\n\n unsigned char\n *pixels;\n\n /*\n Open output image file.\n */\n assert(image_info != (const ImageInfo *) NULL);\n assert(image_info->signature == MagickCoreSignature);\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n status=OpenBlob(image_info,image,WriteBinaryBlobMode,exception);\n if (status == MagickFalse)\n return(MagickFalse);\n compression=image->compression;\n if (image_info->compression != UndefinedCompression)\n compression=image_info->compression;\n switch (compression)\n {\n case FaxCompression:\n case Group4Compression:\n { \n if ((SetImageMonochrome(image,exception) == MagickFalse) ||\n (image->alpha_trait != UndefinedPixelTrait))\n compression=RLECompression;\n break;\n }\n#if !defined(MAGICKCORE_JPEG_DELEGATE)\n case JPEGCompression:\n {\n compression=RLECompression;\n (void) ThrowMagickException(exception,GetMagickModule(),\n MissingDelegateError,\"DelegateLibrarySupportNotBuiltIn\",\"`%s' (JPEG)\",\n image->filename);\n break;\n }\n#endif\n#if !defined(MAGICKCORE_ZLIB_DELEGATE)\n case ZipCompression:\n {\n compression=RLECompression;\n (void) ThrowMagickException(exception,GetMagickModule(),\n MissingDelegateError,\"DelegateLibrarySupportNotBuiltIn\",\"`%s' (ZLIB)\",\n image->filename);\n break;\n }\n#endif\n default:\n break;\n }\n (void) memset(&bounds,0,sizeof(bounds));\n page=0;\n scene=0;\n imageListLength=GetImageListLength(image);\n do\n {\n /*\n Scale relative to dots-per-inch.\n */\n delta.x=DefaultResolution;\n delta.y=DefaultResolution;\n resolution.x=image->resolution.x;\n resolution.y=image->resolution.y;\n if ((resolution.x == 0.0) || (resolution.y == 0.0))\n {\n flags=ParseGeometry(PSDensityGeometry,&geometry_info);\n resolution.x=geometry_info.rho;\n 
resolution.y=geometry_info.sigma;\n if ((flags & SigmaValue) == 0)\n resolution.y=resolution.x;\n }\n if (image_info->density != (char *) NULL)\n {\n flags=ParseGeometry(image_info->density,&geometry_info);\n resolution.x=geometry_info.rho;\n resolution.y=geometry_info.sigma;\n if ((flags & SigmaValue) == 0)\n resolution.y=resolution.x;\n }\n if (image->units == PixelsPerCentimeterResolution)\n {\n resolution.x=(100.0*2.54*resolution.x+0.5)/100.0;\n resolution.y=(100.0*2.54*resolution.y+0.5)/100.0;\n }\n SetGeometry(image,&geometry);\n (void) FormatLocaleString(page_geometry,MagickPathExtent,\"%.20gx%.20g\",\n (double) image->columns,(double) image->rows);\n if (image_info->page != (char *) NULL)\n (void) CopyMagickString(page_geometry,image_info->page,MagickPathExtent);\n else\n if ((image->page.width != 0) && (image->page.height != 0))\n (void) FormatLocaleString(page_geometry,MagickPathExtent,\n \"%.20gx%.20g%+.20g%+.20g\",(double) image->page.width,(double)\n image->page.height,(double) image->page.x,(double) image->page.y);\n else\n if ((image->gravity != UndefinedGravity) &&\n (LocaleCompare(image_info->magick,\"PS\") == 0))\n (void) CopyMagickString(page_geometry,PSPageGeometry,\n MagickPathExtent);\n (void) ConcatenateMagickString(page_geometry,\">\",MagickPathExtent);\n (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,\n &geometry.width,&geometry.height);\n scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;\n geometry.width=(size_t) floor(scale.x+0.5);\n scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;\n geometry.height=(size_t) floor(scale.y+0.5);\n (void) ParseAbsoluteGeometry(page_geometry,&media_info);\n (void) ParseGravityGeometry(image,page_geometry,&page_info,exception);\n if (image->gravity != UndefinedGravity)\n {\n geometry.x=(-page_info.x);\n geometry.y=(ssize_t) (media_info.height+page_info.y-image->rows);\n }\n pointsize=12.0;\n if (image_info->pointsize != 0.0)\n 
pointsize=image_info->pointsize;\n text_size=0;\n value=GetImageProperty(image,\"label\",exception);\n if (value != (const char *) NULL)\n text_size=(size_t) (MultilineCensus(value)*pointsize+12);\n page++;\n if (page == 1)\n {\n /*\n Postscript header on the first page.\n */\n if (LocaleCompare(image_info->magick,\"PS3\") == 0)\n (void) CopyMagickString(buffer,\"%!PS-Adobe-3.0\\n\",MagickPathExtent);\n else\n (void) CopyMagickString(buffer,\"%!PS-Adobe-3.0 EPSF-3.0\\n\",\n MagickPathExtent);\n (void) WriteBlobString(image,buffer);\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%Creator: ImageMagick %s\\n\",MagickLibVersionText);\n (void) WriteBlobString(image,buffer);\n (void) FormatLocaleString(buffer,MagickPathExtent,\"%%%%Title: %s\\n\",\n image->filename);\n (void) WriteBlobString(image,buffer);\n timer=GetMagickTime();\n (void) FormatMagickTime(timer,MagickPathExtent,date);\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%CreationDate: %s\\n\",date);\n (void) WriteBlobString(image,buffer);\n bounds.x1=(double) geometry.x;\n bounds.y1=(double) geometry.y;\n bounds.x2=(double) geometry.x+scale.x;\n bounds.y2=(double) geometry.y+scale.y+text_size;\n if ((image_info->adjoin != MagickFalse) &&\n (GetNextImageInList(image) != (Image *) NULL))\n {\n (void) WriteBlobString(image,\"%%BoundingBox: (atend)\\n\");\n (void) WriteBlobString(image,\"%%HiResBoundingBox: (atend)\\n\");\n }\n else\n {\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%BoundingBox: %g %g %g %g\\n\",ceil(bounds.x1-0.5),\n ceil(bounds.y1-0.5),floor(bounds.x2+0.5),floor(bounds.y2+0.5));\n (void) WriteBlobString(image,buffer);\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%HiResBoundingBox: %g %g %g %g\\n\",bounds.x1,\n bounds.y1,bounds.x2,bounds.y2);\n (void) WriteBlobString(image,buffer);\n if (image->colorspace == CMYKColorspace)\n (void) WriteBlobString(image,\n \"%%DocumentProcessColors: Cyan Magenta Yellow Black\\n\");\n else\n if 
(SetImageGray(image,exception) != MagickFalse)\n (void) WriteBlobString(image,\n \"%%DocumentProcessColors: Black\\n\");\n }\n /*\n Font resources\n */\n value=GetImageProperty(image,\"label\",exception);\n if (value != (const char *) NULL)\n (void) WriteBlobString(image,\n \"%%DocumentNeededResources: font Helvetica\\n\");\n (void) WriteBlobString(image,\"%%LanguageLevel: 3\\n\");\n /*\n Pages, orientation and order.\n */\n if (LocaleCompare(image_info->magick,\"PS3\") != 0)\n (void) WriteBlobString(image,\"%%Pages: 1\\n\");\n else\n {\n (void) WriteBlobString(image,\"%%Orientation: Portrait\\n\");\n (void) WriteBlobString(image,\"%%PageOrder: Ascend\\n\");\n if (image_info->adjoin == MagickFalse)\n (void) CopyMagickString(buffer,\"%%Pages: 1\\n\",MagickPathExtent);\n else\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%Pages: %.20g\\n\",(double) imageListLength);\n (void) WriteBlobString(image,buffer);\n }\n if (image->colorspace == CMYKColorspace)\n (void) WriteBlobString(image,\n \"%%DocumentProcessColors: Cyan Magenta Yellow Black\\n\");\n (void) WriteBlobString(image,\"%%EndComments\\n\");\n /*\n The static postscript procedures prolog.\n */\n (void)WriteBlobString(image,\"%%BeginProlog\\n\");\n for (q=PostscriptProlog; *q; q++)\n {\n (void) WriteBlobString(image,*q);\n (void) WriteBlobByte(image,'\\n');\n }\n /*\n One label line for each line in label string.\n */\n value=GetImageProperty(image,\"label\",exception);\n if (value != (const char *) NULL)\n {\n (void) WriteBlobString(image,\"\\n %% Labels.\\n /Helvetica \"\n \" findfont pointsize scalefont setfont\\n\");\n for (i=(ssize_t) MultilineCensus(value)-1; i >= 0; i--)\n {\n (void) WriteBlobString(image,\n \" currentfile buffer readline pop token pop\\n\");\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \" 0 y %g add moveto show pop\\n\",i*pointsize+12);\n (void) WriteBlobString(image,buffer);\n }\n }\n /*\n The static postscript procedures epilog.\n */\n for (q=PostscriptEpilog; 
*q; q++)\n {\n (void) WriteBlobString(image,*q);\n (void) WriteBlobByte(image,'\\n');\n }\n (void)WriteBlobString(image,\"%%EndProlog\\n\");\n }\n (void) FormatLocaleString(buffer,MagickPathExtent,\"%%%%Page: 1 %.20g\\n\",\n (double) page);\n (void) WriteBlobString(image,buffer);\n /*\n Page bounding box.\n */\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%PageBoundingBox: %.20g %.20g %.20g %.20g\\n\",(double) geometry.x,\n (double) geometry.y,geometry.x+(double) geometry.width,geometry.y+\n (double) (geometry.height+text_size));\n (void) WriteBlobString(image,buffer);\n /*\n Page process colors if not RGB.\n */\n if (image->colorspace == CMYKColorspace)\n (void) WriteBlobString(image,\n \"%%PageProcessColors: Cyan Magenta Yellow Black\\n\");\n else\n if (SetImageGray(image,exception) != MagickFalse)\n (void) WriteBlobString(image,\"%%PageProcessColors: Black\\n\");\n /*\n Adjust document bounding box to bound page bounding box.\n */\n if ((double) geometry.x < bounds.x1)\n bounds.x1=(double) geometry.x;\n if ((double) geometry.y < bounds.y1)\n bounds.y1=(double) geometry.y;\n if ((double) (geometry.x+scale.x) > bounds.x2)\n bounds.x2=(double) geometry.x+scale.x;\n if ((double) (geometry.y+scale.y+text_size) > bounds.y2)\n bounds.y2=(double) geometry.y+scale.y+text_size;\n /*\n Page font resource if there's a label.\n */\n value=GetImageProperty(image,\"label\",exception);\n if (value != (const char *) NULL)\n (void) WriteBlobString(image,\"%%PageResources: font Helvetica\\n\");\n /*\n PS clipping path from Photoshop clipping path.\n */\n if (((image->channels & WriteMaskChannel) != 0) ||\n (LocaleNCompare(\"8BIM:\",image->magick_filename,5) != 0))\n (void) WriteBlobString(image,\"/ClipImage {} def\\n\");\n else\n {\n const char\n *value;\n\n value=GetImageProperty(image,image->magick_filename,exception);\n if (value == (const char *) NULL)\n return(MagickFalse);\n (void) WriteBlobString(image,value);\n (void) WriteBlobByte(image,'\\n');\n }\n /*\n 
Push a dictionary for our own def's if this an EPS.\n */\n if (LocaleCompare(image_info->magick,\"PS3\") != 0)\n (void) WriteBlobString(image,\"userdict begin\\n\");\n /*\n Image mask.\n */\n if ((image->alpha_trait != UndefinedPixelTrait) &&\n (WritePS3MaskImage(image_info,image,compression,exception) == MagickFalse))\n {\n (void) CloseBlob(image);\n return(MagickFalse);\n }\n /*\n Remember position of BeginData comment so we can update it.\n */\n start=TellBlob(image);\n if (start < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%BeginData:%13ld %s Bytes\\n\",0L,\n compression == NoCompression ? \"ASCII\" : \"BINARY\");\n (void) WriteBlobString(image,buffer);\n stop=TellBlob(image);\n if (stop < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n (void) WriteBlobString(image,\"DisplayImage\\n\");\n /*\n Translate, scale, and font point size.\n */\n (void) FormatLocaleString(buffer,MagickPathExtent,\"%.20g %.20g\\n%g %g\\n%g\\n\",\n (double) geometry.x,(double) geometry.y,scale.x,scale.y,pointsize);\n (void) WriteBlobString(image,buffer);\n /*\n Output labels.\n */\n labels=(char **) NULL;\n value=GetImageProperty(image,\"label\",exception);\n if (value != (const char *) NULL)\n labels=StringToList(value);\n if (labels != (char **) NULL)\n {\n for (i=0; labels[i] != (char *) NULL; i++)\n {\n if (compression != NoCompression)\n {\n for (j=0; labels[i][j] != '\\0'; j++)\n (void) WriteBlobByte(image,(unsigned char) labels[i][j]);\n (void) WriteBlobByte(image,'\\n');\n }\n else\n {\n (void) WriteBlobString(image,\"<~\");\n Ascii85Initialize(image);\n for (j=0; labels[i][j] != '\\0'; j++)\n Ascii85Encode(image,(unsigned char) labels[i][j]);\n Ascii85Flush(image);\n }\n labels[i]=DestroyString(labels[i]);\n }\n labels=(char **) RelinquishMagickMemory(labels);\n }\n /*\n Photoshop clipping path active?\n */\n if (((image->channels & WriteMaskChannel) != 0) &&\n 
(LocaleNCompare(\"8BIM:\",image->magick_filename,5) == 0))\n (void) WriteBlobString(image,\"true\\n\");\n else\n (void) WriteBlobString(image,\"false\\n\");\n /*\n Showpage for non-EPS.\n */\n (void) WriteBlobString(image, LocaleCompare(image_info->magick,\"PS3\") == 0 ?\n \"true\\n\" : \"false\\n\");\n /*\n Image columns, rows, and color space.\n */\n (void) FormatLocaleString(buffer,MagickPathExtent,\"%.20g %.20g\\n%s\\n\",\n (double) image->columns,(double) image->rows,image->colorspace ==\n CMYKColorspace ? PS3_CMYKColorspace : PS3_RGBColorspace);\n (void) WriteBlobString(image,buffer);\n /*\n Masked image?\n */\n (void) WriteBlobString(image,image->alpha_trait != UndefinedPixelTrait ?\n \"true\\n\" : \"false\\n\");\n /*\n Render with imagemask operator?\n */\n option=GetImageOption(image_info,\"ps3:imagemask\");\n (void) WriteBlobString(image,((option != (const char *) NULL) &&\n (SetImageMonochrome(image,exception) != MagickFalse)) ?\n \"true\\n\" : \"false\\n\");\n /*\n Output pixel data.\n */\n pixels=(unsigned char *) NULL;\n length=0;\n if ((image_info->type != TrueColorType) &&\n (image_info->type != TrueColorAlphaType) &&\n (image_info->type != ColorSeparationType) &&\n (image_info->type != ColorSeparationAlphaType) &&\n (image->colorspace != CMYKColorspace) &&\n ((SetImageGray(image,exception) != MagickFalse) ||\n (SetImageMonochrome(image,exception) != MagickFalse)))\n {\n /*\n Gray images.\n */\n (void) WriteBlobString(image,PS3_PseudoClass\"\\n\");\n switch (compression)\n {\n case NoCompression:\n default:\n {\n (void) WriteBlobString(image,PS3_NoCompression\"\\n\");\n break;\n }\n case FaxCompression:\n case Group4Compression:\n {\n (void) WriteBlobString(image,PS3_FaxCompression\"\\n\");\n break;\n }\n case JPEGCompression:\n {\n (void) WriteBlobString(image,PS3_JPEGCompression\"\\n\");\n break;\n }\n case LZWCompression:\n {\n (void) WriteBlobString(image,PS3_LZWCompression\"\\n\");\n break;\n }\n case RLECompression:\n {\n (void) 
WriteBlobString(image,PS3_RLECompression\"\\n\");\n break;\n }\n case ZipCompression:\n {\n (void) WriteBlobString(image,PS3_ZipCompression\"\\n\");\n break;\n }\n }\n /*\n Number of colors -- 0 for single component non-color mapped data.\n */\n (void) WriteBlobString(image,\"0\\n\");\n /*\n 1 bit or 8 bit components?\n */\n (void) FormatLocaleString(buffer,MagickPathExtent,\"%d\\n\",\n SetImageMonochrome(image,exception) != MagickFalse ? 1 : 8);\n (void) WriteBlobString(image,buffer);\n /*\n Image data.\n */\n if (compression == JPEGCompression)\n status=InjectImageBlob(image_info,image,image,\"jpeg\",exception);\n else\n if ((compression == FaxCompression) ||\n (compression == Group4Compression))\n {\n if (LocaleCompare(CCITTParam,\"0\") == 0)\n status=HuffmanEncodeImage(image_info,image,image,exception);\n else\n status=Huffman2DEncodeImage(image_info,image,image,exception);\n }\n else\n {\n status=SerializeImageChannel(image_info,image,&pixel_info,&length,\n exception);\n if (status == MagickFalse)\n {\n (void) CloseBlob(image);\n return(MagickFalse);\n }\n pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);\n switch (compression)\n {\n case NoCompression:\n default:\n {\n Ascii85Initialize(image);\n for (i=0; i < (ssize_t) length; i++)\n Ascii85Encode(image,pixels[i]);\n Ascii85Flush(image);\n status=MagickTrue;\n break;\n }\n case LZWCompression:\n {\n status=LZWEncodeImage(image,length,pixels,exception);\n break;\n }\n case RLECompression:\n {\n status=PackbitsEncodeImage(image,length,pixels,exception);\n break;\n }\n case ZipCompression:\n {\n status=ZLIBEncodeImage(image,length,pixels,exception);\n break;\n }\n }\n pixel_info=RelinquishVirtualMemory(pixel_info);\n }\n }\n else\n if ((image->storage_class == DirectClass) || (image->colors > 256) ||\n (compression == JPEGCompression))\n {\n /*\n Truecolor image.\n */\n (void) WriteBlobString(image,PS3_DirectClass\"\\n\");\n switch (compression)\n {\n case NoCompression:\n default:\n {\n (void) 
WriteBlobString(image,PS3_NoCompression\"\\n\");\n break;\n }\n case RLECompression:\n {\n (void) WriteBlobString(image,PS3_RLECompression\"\\n\");\n break;\n }\n case JPEGCompression:\n {\n (void) WriteBlobString(image,PS3_JPEGCompression\"\\n\");\n break;\n }\n case LZWCompression:\n {\n (void) WriteBlobString(image,PS3_LZWCompression\"\\n\");\n break;\n }\n case ZipCompression:\n {\n (void) WriteBlobString(image,PS3_ZipCompression\"\\n\");\n break;\n }\n }\n /*\n Image data.\n */\n if (compression == JPEGCompression)\n status=InjectImageBlob(image_info,image,image,\"jpeg\",exception);\n else\n {\n /*\n Stream based compressions.\n */\n status=SerializeImage(image_info,image,&pixel_info,&length,\n exception);\n if (status == MagickFalse)\n {\n (void) CloseBlob(image);\n return(MagickFalse);\n }\n pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);\n switch (compression)\n {\n case NoCompression:\n default:\n {\n Ascii85Initialize(image);\n for (i=0; i < (ssize_t) length; i++)\n Ascii85Encode(image,pixels[i]);\n Ascii85Flush(image);\n status=MagickTrue;\n break;\n }\n case RLECompression:\n {\n status=PackbitsEncodeImage(image,length,pixels,exception);\n break;\n }\n case LZWCompression:\n {\n status=LZWEncodeImage(image,length,pixels,exception);\n break;\n }\n case ZipCompression:\n {\n status=ZLIBEncodeImage(image,length,pixels,exception);\n break;\n }\n }\n pixel_info=RelinquishVirtualMemory(pixel_info);\n }\n }\n else\n {\n /*\n Colormapped images.\n */\n (void) WriteBlobString(image,PS3_PseudoClass\"\\n\");\n switch (compression)\n {\n case NoCompression:\n default:\n {\n (void) WriteBlobString(image,PS3_NoCompression\"\\n\");\n break;\n }\n case RLECompression:\n {\n (void) WriteBlobString(image,PS3_RLECompression\"\\n\");\n break;\n }\n case LZWCompression:\n {\n (void) WriteBlobString(image,PS3_LZWCompression\"\\n\");\n break;\n }\n case ZipCompression:\n {\n (void) WriteBlobString(image,PS3_ZipCompression\"\\n\");\n break;\n }\n }\n /*\n Number of 
colors in color map.\n */\n (void) FormatLocaleString(buffer,MagickPathExtent,\"%.20g\\n\",\n (double) image->colors);\n (void) WriteBlobString(image,buffer);\n /*\n Color map - uncompressed.\n */\n if ((compression != NoCompression) &&\n (compression != UndefinedCompression))\n {\n for (i=0; i < (ssize_t) image->colors; i++)\n {\n pixel=ScaleQuantumToChar(image->colormap[i].red);\n (void) WriteBlobByte(image,(unsigned char) pixel);\n pixel=ScaleQuantumToChar(image->colormap[i].green);\n (void) WriteBlobByte(image,(unsigned char) pixel);\n pixel=ScaleQuantumToChar(image->colormap[i].blue);\n (void) WriteBlobByte(image,(unsigned char) pixel);\n }\n }\n else\n {\n Ascii85Initialize(image);\n for (i=0; i < (ssize_t) image->colors; i++)\n {\n pixel=ScaleQuantumToChar(image->colormap[i].red);\n Ascii85Encode(image,(unsigned char) pixel);\n pixel=ScaleQuantumToChar(image->colormap[i].green);\n Ascii85Encode(image,(unsigned char) pixel);\n pixel=ScaleQuantumToChar(image->colormap[i].blue);\n Ascii85Encode(image,(unsigned char) pixel);\n }\n Ascii85Flush(image);\n }\n status=SerializeImageIndexes(image_info,image,&pixel_info,&length,\n exception);\n if (status == MagickFalse)\n {\n (void) CloseBlob(image);\n return(MagickFalse);\n }\n pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);\n switch (compression)\n {\n case NoCompression:\n default:\n {\n Ascii85Initialize(image);\n for (i=0; i < (ssize_t) length; i++)\n Ascii85Encode(image,pixels[i]);\n Ascii85Flush(image);\n status=MagickTrue;\n break;\n }\n case RLECompression:\n {\n status=PackbitsEncodeImage(image,length,pixels,exception);\n break;\n }\n case LZWCompression:\n {\n status=LZWEncodeImage(image,length,pixels,exception);\n break;\n }\n case ZipCompression:\n {\n status=ZLIBEncodeImage(image,length,pixels,exception);\n break;\n }\n }\n pixel_info=RelinquishVirtualMemory(pixel_info);\n }\n (void) WriteBlobByte(image,'\\n');\n if (status == MagickFalse)\n {\n (void) CloseBlob(image);\n 
return(MagickFalse);\n }\n /*\n Update BeginData now that we know the data size.\n */\n length=(size_t) (TellBlob(image)-stop);\n stop=TellBlob(image);\n if (stop < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n offset=SeekBlob(image,start,SEEK_SET);\n if (offset < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%BeginData:%13ld %s Bytes\\n\",(long) length,\n compression == NoCompression ? \"ASCII\" : \"BINARY\");\n (void) WriteBlobString(image,buffer);\n offset=SeekBlob(image,stop,SEEK_SET);\n (void) WriteBlobString(image,\"%%EndData\\n\");\n /*\n End private dictionary if this an EPS.\n */\n if (LocaleCompare(image_info->magick,\"PS3\") != 0)\n (void) WriteBlobString(image,\"end\\n\");\n (void) WriteBlobString(image,\"%%PageTrailer\\n\");\n if (GetNextImageInList(image) == (Image *) NULL)\n break;\n image=SyncNextImageInList(image);\n status=SetImageProgress(image,SaveImagesTag,scene++,imageListLength);\n if (status == MagickFalse)\n break;\n } while (image_info->adjoin != MagickFalse);\n (void) WriteBlobString(image,\"%%Trailer\\n\");\n if (page > 1)\n {\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%BoundingBox: %g %g %g %g\\n\",ceil(bounds.x1-0.5),\n ceil(bounds.y1-0.5),floor(bounds.x2+0.5),floor(bounds.y2+0.5));\n (void) WriteBlobString(image,buffer);\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%HiResBoundingBox: %g %g %g %g\\n\",bounds.x1,bounds.y1,bounds.x2,\n bounds.y2);\n (void) WriteBlobString(image,buffer);\n }\n (void) WriteBlobString(image,\"%%EOF\\n\");\n (void) CloseBlob(image);\n return(MagickTrue);\n}",
- "project": "ImageMagick",
- "hash": 289615160253947806666999393939266883372,
- "size": 1004,
- "commit_id": "7b04c53c69792243d66d6876f843b850b3cc002b",
- "message": "Fixed memory leaks reported in #1557.",
- "target": 0,
- "dataset": "other",
- "idx": 416809
- },
- {
- "func": "static MagickBooleanType WritePS3MaskImage(const ImageInfo *image_info,\n Image *image,const CompressionType compression,ExceptionInfo *exception)\n{\n char\n buffer[MagickPathExtent];\n\n Image\n *mask_image;\n\n MagickBooleanType\n status;\n\n MagickOffsetType\n offset,\n start,\n stop;\n\n MemoryInfo\n *pixel_info;\n\n register ssize_t\n i;\n\n size_t\n length;\n\n unsigned char\n *pixels;\n\n assert(image_info != (ImageInfo *) NULL);\n assert(image_info->signature == MagickCoreSignature);\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n assert(image->alpha_trait != UndefinedPixelTrait);\n status=MagickTrue;\n /*\n Note BeginData DSC comment for update later.\n */\n start=TellBlob(image);\n if (start < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%BeginData:%13ld %s Bytes\\n\",0L,compression == NoCompression ?\n \"ASCII\" : \"BINARY\");\n (void) WriteBlobString(image,buffer);\n stop=TellBlob(image);\n if (stop < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n /*\n Only lossless compressions for the mask.\n */\n switch (compression)\n {\n case NoCompression:\n default:\n {\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"currentfile %.20g %.20g \" PS3_NoCompression\n \" ByteStreamDecodeFilter\\n\",(double) image->columns,(double)\n image->rows);\n break;\n }\n case FaxCompression:\n case Group4Compression:\n {\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"currentfile %.20g %.20g \" PS3_FaxCompression\n \" ByteStreamDecodeFilter\\n\",(double) image->columns,(double)\n image->rows);\n break;\n }\n case LZWCompression:\n {\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"currentfile %.20g %.20g \" PS3_LZWCompression\n \" ByteStreamDecodeFilter\\n\",(double) 
image->columns,(double)\n image->rows);\n break;\n }\n case RLECompression:\n {\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"currentfile %.20g %.20g \" PS3_RLECompression\n \" ByteStreamDecodeFilter\\n\",(double) image->columns,(double)\n image->rows);\n break;\n }\n case ZipCompression:\n {\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"currentfile %.20g %.20g \" PS3_ZipCompression\n \" ByteStreamDecodeFilter\\n\",(double) image->columns,(double)\n image->rows);\n break;\n }\n }\n (void) WriteBlobString(image,buffer);\n (void) WriteBlobString(image,\"/ReusableStreamDecode filter\\n\");\n mask_image=SeparateImage(image,AlphaChannel,exception);\n if (mask_image == (Image *) NULL)\n ThrowWriterException(CoderError,exception->reason);\n (void) SetImageType(mask_image,BilevelType,exception);\n (void) SetImageType(mask_image,PaletteType,exception);\n mask_image->alpha_trait=UndefinedPixelTrait;\n pixels=(unsigned char *) NULL;\n length=0;\n switch (compression)\n {\n case NoCompression:\n default:\n {\n status=SerializeImageChannel(image_info,mask_image,&pixel_info,&length,\n exception);\n if (status == MagickFalse)\n break;\n Ascii85Initialize(image);\n pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);\n for (i=0; i < (ssize_t) length; i++)\n Ascii85Encode(image,pixels[i]);\n Ascii85Flush(image);\n pixel_info=RelinquishVirtualMemory(pixel_info);\n break;\n }\n case FaxCompression:\n case Group4Compression:\n {\n if ((compression == FaxCompression) ||\n (LocaleCompare(CCITTParam,\"0\") == 0))\n status=HuffmanEncodeImage(image_info,image,mask_image,exception);\n else\n status=Huffman2DEncodeImage(image_info,image,mask_image,exception);\n break;\n }\n case LZWCompression:\n {\n status=SerializeImageChannel(image_info,mask_image,&pixel_info,&length,\n exception);\n if (status == MagickFalse)\n break;\n pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);\n status=LZWEncodeImage(image,length,pixels,exception);\n 
pixel_info=RelinquishVirtualMemory(pixel_info);\n break;\n }\n case RLECompression:\n {\n status=SerializeImageChannel(image_info,mask_image,&pixel_info,&length,\n exception);\n if (status == MagickFalse)\n break;\n pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);\n status=PackbitsEncodeImage(image,length,pixels,exception);\n pixel_info=RelinquishVirtualMemory(pixel_info);\n break;\n }\n case ZipCompression:\n {\n status=SerializeImageChannel(image_info,mask_image,&pixel_info,&length,\n exception);\n if (status == MagickFalse)\n break;\n pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);\n status=ZLIBEncodeImage(image,length,pixels,exception);\n pixel_info=RelinquishVirtualMemory(pixel_info);\n break;\n }\n }\n mask_image=DestroyImage(mask_image);\n (void) WriteBlobByte(image,'\\n');\n length=(size_t) (TellBlob(image)-stop);\n stop=TellBlob(image);\n if (stop < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n offset=SeekBlob(image,start,SEEK_SET);\n if (offset < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n (void) FormatLocaleString(buffer,MagickPathExtent,\n \"%%%%BeginData:%13ld %s Bytes\\n\",(long) length,\n compression == NoCompression ? \"ASCII\" : \"BINARY\");\n (void) WriteBlobString(image,buffer);\n offset=SeekBlob(image,stop,SEEK_SET);\n if (offset < 0)\n ThrowWriterException(CorruptImageError,\"ImproperImageHeader\");\n (void) WriteBlobString(image,\"%%EndData\\n\");\n (void) WriteBlobString(image, \"/mask_stream exch def\\n\");\n return(status);\n}",
- "project": "ImageMagick",
- "hash": 50278300032645136337221449604318212735,
- "size": 189,
- "commit_id": "7b04c53c69792243d66d6876f843b850b3cc002b",
- "message": "Fixed memory leaks reported in #1557.",
- "target": 0,
- "dataset": "other",
- "idx": 416808
- },
- {
- "func": "static MagickBooleanType SerializeImage(const ImageInfo *image_info,\n Image *image,MemoryInfo **pixel_info,size_t *length,ExceptionInfo *exception)\n{\n MagickBooleanType\n status;\n\n register const Quantum\n *p;\n\n register ssize_t\n x;\n\n register unsigned char\n *q;\n\n ssize_t\n y;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n status=MagickTrue;\n *length=(image->colorspace == CMYKColorspace ? 4 : 3)*(size_t)\n image->columns*image->rows;\n *pixel_info=AcquireVirtualMemory(*length,sizeof(*q));\n if (*pixel_info == (MemoryInfo *) NULL)\n ThrowWriterException(ResourceLimitError,\"MemoryAllocationFailed\");\n q=(unsigned char *) GetVirtualMemoryBlob(*pixel_info);\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n p=GetVirtualPixels(image,0,y,image->columns,1,exception);\n if (p == (const Quantum *) NULL)\n break;\n if (image->colorspace != CMYKColorspace)\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n *q++=ScaleQuantumToChar(GetPixelRed(image,p));\n *q++=ScaleQuantumToChar(GetPixelGreen(image,p));\n *q++=ScaleQuantumToChar(GetPixelBlue(image,p));\n p+=GetPixelChannels(image);\n }\n else\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n *q++=ScaleQuantumToChar(GetPixelRed(image,p));\n *q++=ScaleQuantumToChar(GetPixelGreen(image,p));\n *q++=ScaleQuantumToChar(GetPixelBlue(image,p));\n *q++=ScaleQuantumToChar(GetPixelBlack(image,p));\n p+=GetPixelChannels(image);\n }\n if (image->previous == (Image *) NULL)\n {\n status=SetImageProgress(image,SaveImageTag,(MagickOffsetType) y,\n image->rows);\n if (status == MagickFalse)\n break;\n }\n }\n if (status == MagickFalse)\n *pixel_info=RelinquishVirtualMemory(*pixel_info);\n return(status);\n}",
- "project": "ImageMagick",
- "hash": 26348891072062093223080422911288690605,
- "size": 63,
- "commit_id": "7b04c53c69792243d66d6876f843b850b3cc002b",
- "message": "Fixed memory leaks reported in #1557.",
- "target": 0,
- "dataset": "other",
- "idx": 416810
- },
- {
- "func": "static MagickBooleanType SerializeImageChannel(const ImageInfo *image_info,\n Image *image,MemoryInfo **pixel_info,size_t *length,ExceptionInfo *exception)\n{\n MagickBooleanType\n status;\n\n register const Quantum\n *p;\n\n register ssize_t\n x;\n\n register unsigned char\n *q;\n\n size_t\n pack,\n padded_columns;\n\n ssize_t\n y;\n\n unsigned char\n code,\n bit;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n status=MagickTrue;\n pack=SetImageMonochrome(image,exception) == MagickFalse ? 1UL : 8UL;\n padded_columns=((image->columns+pack-1)/pack)*pack;\n *length=(size_t) padded_columns*image->rows/pack;\n *pixel_info=AcquireVirtualMemory(*length,sizeof(*q));\n if (*pixel_info == (MemoryInfo *) NULL)\n ThrowWriterException(ResourceLimitError,\"MemoryAllocationFailed\");\n q=(unsigned char *) GetVirtualMemoryBlob(*pixel_info);\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n p=GetVirtualPixels(image,0,y,image->columns,1,exception);\n if (p == (const Quantum *) NULL)\n break;\n if (pack == 1)\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n *q++=ScaleQuantumToChar(ClampToQuantum(GetPixelLuma(image,p)));\n p+=GetPixelChannels(image);\n }\n else\n {\n code='\\0';\n for (x=0; x < (ssize_t) padded_columns; x++)\n {\n bit=(unsigned char) 0x00;\n if (x < (ssize_t) image->columns)\n bit=(unsigned char) (GetPixelLuma(image,p) == TransparentAlpha ?\n 0x01 : 0x00);\n code=(code << 1)+bit;\n if (((x+1) % pack) == 0)\n {\n *q++=code;\n code='\\0';\n }\n p+=GetPixelChannels(image);\n }\n }\n status=SetImageProgress(image,SaveImageTag,(MagickOffsetType) y,\n image->rows);\n if (status == MagickFalse)\n break;\n }\n if (status == MagickFalse)\n *pixel_info=RelinquishVirtualMemory(*pixel_info);\n return(status);\n}",
- "project": "ImageMagick",
- "hash": 180592484966918846599004399988978191743,
- "size": 76,
- "commit_id": "7b04c53c69792243d66d6876f843b850b3cc002b",
- "message": "Fixed memory leaks reported in #1557.",
- "target": 0,
- "dataset": "other",
- "idx": 416800
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "BuildOutputTensors",
- "CrossCountByBatchIndex",
- "FeatureCount"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": " Status BuildOutputTensors(const FeatureReaders& features, int64 batch_size,\n OpKernelContext* context, Tensor** values_out,\n Tensor** row_splits_out) {\n // Allocate and populate the row_splits output tensor.\n TF_RETURN_IF_ERROR(context->allocate_output(\n 1, TensorShape({batch_size + 1}), row_splits_out));\n auto flat_row_splits = (*row_splits_out)->flat<SplitsType>();\n int64 cross_count_total = 0;\n flat_row_splits(0) = 0;\n for (int64 b = 0; b < batch_size; b++) {\n cross_count_total += CrossCountByBatchIndex(features, b);\n flat_row_splits(b + 1) = cross_count_total;\n }\n\n // Allocate the values output tensor.\n TF_RETURN_IF_ERROR(context->allocate_output(\n 0, TensorShape({cross_count_total}), values_out));\n\n return Status::OK();\n }",
- "project": "tensorflow",
- "hash": 171822104983155099422471356921161614833,
- "size": 20,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230077
- },
- {
- "func": " int64 CrossCountByBatchIndex(const FeatureReaders& features,\n int batch_index) {\n int64 cross_count = 1;\n for (int i = 0; i < features.size(); ++i) {\n const auto feature_count = features[i]->FeatureCount(batch_index);\n if (feature_count == 0) return 0;\n cross_count *= feature_count;\n }\n return cross_count;\n }",
- "project": "tensorflow",
- "hash": 338071543034566527060555981410393450192,
- "size": 10,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230097
- },
- {
- "func": " int64 FeatureCount(int64 batch) const override {\n return row_splits_[batch + 1] - row_splits_[batch];\n }",
- "project": "tensorflow",
- "hash": 220213710993492817738691071664744789373,
- "size": 3,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230075
- },
- {
- "func": " int64 FeatureCount(int64 batch) const override {\n return row_splits_(batch + 1) - row_splits_(batch);\n }",
- "project": "tensorflow",
- "hash": 248537505487492333908110778157112000063,
- "size": 3,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230091
- },
- {
- "func": " int64 FeatureCount(int64 batch) const override { return feature_count_; }",
- "project": "tensorflow",
- "hash": 81735050557168063221551819637296283610,
- "size": 1,
- "commit_id": "44b7f486c0143f68b56c34e2d01e146ee445134a",
- "message": "Fix out of bounds read in `ragged_cross_op.cc`.\n\nPiperOrigin-RevId: 369757702\nChange-Id: Ie6e5d2c21513a8d56bf41fcf35960caf76e890f9",
- "target": 0,
- "dataset": "other",
- "idx": 230093
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "LookupMapping",
- "Is",
- "LookupPredicate",
- "GetEntry"
- ],
- "group_size": 12,
- "functions": [
- {
- "func": "bool ConnectorPunctuation::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kConnectorPunctuationTable0,\n kConnectorPunctuationTable0Size,\n c);\n case 1: return LookupPredicate(kConnectorPunctuationTable1,\n kConnectorPunctuationTable1Size,\n c);\n case 7: return LookupPredicate(kConnectorPunctuationTable7,\n kConnectorPunctuationTable7Size,\n c);\n default: return false;\n }\n}",
- "project": "node",
- "hash": 202309568264926344252895605229406286309,
- "size": 15,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385615
- },
- {
- "func": "bool LineTerminator::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kLineTerminatorTable0,\n kLineTerminatorTable0Size,\n c);\n case 1: return LookupPredicate(kLineTerminatorTable1,\n kLineTerminatorTable1Size,\n c);\n default: return false;\n }\n}",
- "project": "node",
- "hash": 306437122167880868973874944545895682089,
- "size": 12,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385617
- },
- {
- "func": "bool CombiningMark::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kCombiningMarkTable0,\n kCombiningMarkTable0Size,\n c);\n case 1: return LookupPredicate(kCombiningMarkTable1,\n kCombiningMarkTable1Size,\n c);\n case 5: return LookupPredicate(kCombiningMarkTable5,\n kCombiningMarkTable5Size,\n c);\n case 7: return LookupPredicate(kCombiningMarkTable7,\n kCombiningMarkTable7Size,\n c);\n default: return false;\n }\n}",
- "project": "node",
- "hash": 328032147315409575724163176042780543029,
- "size": 18,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385621
- },
- {
- "func": "bool Letter::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kLetterTable0,\n kLetterTable0Size,\n c);\n case 1: return LookupPredicate(kLetterTable1,\n kLetterTable1Size,\n c);\n case 2: return LookupPredicate(kLetterTable2,\n kLetterTable2Size,\n c);\n case 3: return LookupPredicate(kLetterTable3,\n kLetterTable3Size,\n c);\n case 4: return LookupPredicate(kLetterTable4,\n kLetterTable4Size,\n c);\n case 5: return LookupPredicate(kLetterTable5,\n kLetterTable5Size,\n c);\n case 6: return LookupPredicate(kLetterTable6,\n kLetterTable6Size,\n c);\n case 7: return LookupPredicate(kLetterTable7,\n kLetterTable7Size,\n c);\n default: return false;\n }\n}",
- "project": "node",
- "hash": 261501930601033643558167397141148141264,
- "size": 30,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385624
- },
- {
- "func": "bool WhiteSpace::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kWhiteSpaceTable0,\n kWhiteSpaceTable0Size,\n c);\n case 1: return LookupPredicate(kWhiteSpaceTable1,\n kWhiteSpaceTable1Size,\n c);\n default: return false;\n }\n}",
- "project": "node",
- "hash": 28982256808811187234009115524577390228,
- "size": 12,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385625
- },
- {
- "func": "bool Lowercase::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kLowercaseTable0,\n kLowercaseTable0Size,\n c);\n case 1: return LookupPredicate(kLowercaseTable1,\n kLowercaseTable1Size,\n c);\n case 5: return LookupPredicate(kLowercaseTable5,\n kLowercaseTable5Size,\n c);\n case 7: return LookupPredicate(kLowercaseTable7,\n kLowercaseTable7Size,\n c);\n default: return false;\n }\n}",
- "project": "node",
- "hash": 306415318189567837801821641777240489698,
- "size": 18,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385634
- },
- {
- "func": "bool Uppercase::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kUppercaseTable0,\n kUppercaseTable0Size,\n c);\n case 1: return LookupPredicate(kUppercaseTable1,\n kUppercaseTable1Size,\n c);\n case 5: return LookupPredicate(kUppercaseTable5,\n kUppercaseTable5Size,\n c);\n case 7: return LookupPredicate(kUppercaseTable7,\n kUppercaseTable7Size,\n c);\n default: return false;\n }\n}",
- "project": "node",
- "hash": 198484716824470869928393300848719870852,
- "size": 18,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385641
- },
- {
- "func": "bool Number::Is(uchar c) {\n int chunk_index = c >> 13;\n switch (chunk_index) {\n case 0: return LookupPredicate(kNumberTable0,\n kNumberTable0Size,\n c);\n case 5: return LookupPredicate(kNumberTable5,\n kNumberTable5Size,\n c);\n case 7: return LookupPredicate(kNumberTable7,\n kNumberTable7Size,\n c);\n default: return false;\n }\n}",
- "project": "node",
- "hash": 194474308187196058350851767952097962021,
- "size": 15,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385642
- },
- {
- "func": "static inline bool IsStart(int32_t entry) {\n return (entry & kStartBit) != 0;\n}",
- "project": "node",
- "hash": 315163817663965948278730766709240714257,
- "size": 3,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385607
- },
- {
- "func": "static int LookupMapping(const int32_t* table,\n uint16_t size,\n const MultiCharacterSpecialCase<kW>* multi_chars,\n uchar chr,\n uchar next,\n uchar* result,\n bool* allow_caching_ptr) {\n static const int kEntryDist = 2;\n uint16_t key = chr & (kChunkBits - 1);\n uint16_t chunk_start = chr - key;\n unsigned int low = 0;\n unsigned int high = size - 1;\n while (high != low) {\n unsigned int mid = low + ((high - low) >> 1);\n uchar current_value = GetEntry(TableGet<kEntryDist>(table, mid));\n // If we've found an entry less than or equal to this one, and the next one\n // is not also less than this one, we've arrived.\n if ((current_value <= key) &&\n (mid + 1 == size ||\n GetEntry(TableGet<kEntryDist>(table, mid + 1)) > key)) {\n low = mid;\n break;\n } else if (current_value < key) {\n low = mid + 1;\n } else if (current_value > key) {\n // If we've just checked the bottom-most value and it's not\n // the one we're looking for, we're done.\n if (mid == 0) break;\n high = mid - 1;\n }\n }\n int32_t field = TableGet<kEntryDist>(table, low);\n uchar entry = GetEntry(field);\n bool is_start = IsStart(field);\n bool found = (entry == key) || (entry < key && is_start);\n if (found) {\n int32_t value = table[2 * low + 1];\n if (value == 0) {\n // 0 means not present\n return 0;\n } else if ((value & 3) == 0) {\n // Low bits 0 means a constant offset from the given character.\n if (ranges_are_linear) {\n result[0] = chr + (value >> 2);\n } else {\n result[0] = entry + chunk_start + (value >> 2);\n }\n return 1;\n } else if ((value & 3) == 1) {\n // Low bits 1 means a special case mapping\n if (allow_caching_ptr) *allow_caching_ptr = false;\n const MultiCharacterSpecialCase<kW>& mapping = multi_chars[value >> 2];\n int length = 0;\n for (length = 0; length < kW; length++) {\n uchar mapped = mapping.chars[length];\n if (mapped == MultiCharacterSpecialCase<kW>::kEndOfEncoding) break;\n if (ranges_are_linear) {\n result[length] = mapped + (key - entry);\n } else 
{\n result[length] = mapped;\n }\n }\n return length;\n } else {\n // Low bits 2 means a really really special case\n if (allow_caching_ptr) *allow_caching_ptr = false;\n // The cases of this switch are defined in unicode.py in the\n // really_special_cases mapping.\n switch (value >> 2) {\n case 1:\n // Really special case 1: upper case sigma. This letter\n // converts to two different lower case sigmas depending on\n // whether or not it occurs at the end of a word.\n if (next != 0 && Letter::Is(next)) {\n result[0] = 0x03C3;\n } else {\n result[0] = 0x03C2;\n }\n return 1;\n default:\n return 0;\n }\n return -1;\n }\n } else {\n return 0;\n }\n}",
- "project": "node",
- "hash": 168409440951517601081803230671729981840,
- "size": 88,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385609
- },
- {
- "func": "static bool LookupPredicate(const int32_t* table, uint16_t size, uchar chr) {\n static const int kEntryDist = 1;\n uint16_t value = chr & (kChunkBits - 1);\n unsigned int low = 0;\n unsigned int high = size - 1;\n while (high != low) {\n unsigned int mid = low + ((high - low) >> 1);\n uchar current_value = GetEntry(TableGet<kEntryDist>(table, mid));\n // If we've found an entry less than or equal to this one, and the\n // next one is not also less than this one, we've arrived.\n if ((current_value <= value) &&\n (mid + 1 == size ||\n GetEntry(TableGet<kEntryDist>(table, mid + 1)) > value)) {\n low = mid;\n break;\n } else if (current_value < value) {\n low = mid + 1;\n } else if (current_value > value) {\n // If we've just checked the bottom-most value and it's not\n // the one we're looking for, we're done.\n if (mid == 0) break;\n high = mid - 1;\n }\n }\n int32_t field = TableGet<kEntryDist>(table, low);\n uchar entry = GetEntry(field);\n bool is_start = IsStart(field);\n return (entry == value) || (entry < value && is_start);\n}",
- "project": "node",
- "hash": 242960315321535601813901942046283298330,
- "size": 29,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385635
- },
- {
- "func": "static inline uchar GetEntry(int32_t entry) {\n return entry & (kStartBit - 1);\n}",
- "project": "node",
- "hash": 249940707140760292065099100293212879734,
- "size": 3,
- "commit_id": "78b0e30954111cfaba0edbeee85450d8cbc6fdf6",
- "message": "deps: fix out-of-band write in utf8 decoder\n\nOriginally reported by: Kris Reeves <kris.re@bbhmedia.com>\n\nReviewed-By: Trevor Norris <trev.norris@gmail.com>",
- "target": 0,
- "dataset": "other",
- "idx": 385628
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "nfs4_destroy_clientid",
- "nfs4_proc_destroy_clientid",
- "_nfs4_proc_destroy_clientid"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static int nfs4_proc_destroy_clientid(struct nfs_client *clp,\n\t\tconst struct cred *cred)\n{\n\tunsigned int loop;\n\tint ret;\n\n\tfor (loop = NFS4_MAX_LOOP_ON_RECOVER; loop != 0; loop--) {\n\t\tret = _nfs4_proc_destroy_clientid(clp, cred);\n\t\tswitch (ret) {\n\t\tcase -NFS4ERR_DELAY:\n\t\tcase -NFS4ERR_CLIENTID_BUSY:\n\t\t\tssleep(1);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\treturn ret;\n\t\t}\n\t}\n\treturn 0;\n}",
- "project": "linux",
- "hash": 108392093536477804166890510351311114362,
- "size": 19,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431446
- },
- {
- "func": "static int _nfs4_proc_destroy_clientid(struct nfs_client *clp,\n\t\tconst struct cred *cred)\n{\n\tstruct rpc_message msg = {\n\t\t.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_DESTROY_CLIENTID],\n\t\t.rpc_argp = clp,\n\t\t.rpc_cred = cred,\n\t};\n\tint status;\n\n\tstatus = rpc_call_sync(clp->cl_rpcclient, &msg,\n\t\t\t RPC_TASK_TIMEOUT | RPC_TASK_NO_ROUND_ROBIN);\n\ttrace_nfs4_destroy_clientid(clp, status);\n\tif (status)\n\t\tdprintk(\"NFS: Got error %d from the server %s on \"\n\t\t\t\"DESTROY_CLIENTID.\", status, clp->cl_hostname);\n\treturn status;\n}",
- "project": "linux",
- "hash": 218443526268163435091978786734022208861,
- "size": 18,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431365
- },
- {
- "func": "int nfs4_destroy_clientid(struct nfs_client *clp)\n{\n\tconst struct cred *cred;\n\tint ret = 0;\n\n\tif (clp->cl_mvops->minor_version < 1)\n\t\tgoto out;\n\tif (clp->cl_exchange_flags == 0)\n\t\tgoto out;\n\tif (clp->cl_preserve_clid)\n\t\tgoto out;\n\tcred = nfs4_get_clid_cred(clp);\n\tret = nfs4_proc_destroy_clientid(clp, cred);\n\tput_cred(cred);\n\tswitch (ret) {\n\tcase 0:\n\tcase -NFS4ERR_STALE_CLIENTID:\n\t\tclp->cl_exchange_flags = 0;\n\t}\nout:\n\treturn ret;\n}",
- "project": "linux",
- "hash": 212007988069544547393471888582405255655,
- "size": 22,
- "commit_id": "b4487b93545214a9db8cbf32e86411677b0cca21",
- "message": "nfs: Fix getxattr kernel panic and memory overflow\n\nMove the buffer size check to decode_attr_security_label() before memcpy()\nOnly call memcpy() if the buffer is large enough\n\nFixes: aa9c2669626c (\"NFS: Client implementation of Labeled-NFS\")\nSigned-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>\n[Trond: clean up duplicate test of label->len != 0]\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 431048
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "rtsx_usb_ms_set_param",
- "ms_power_off",
- "ms_pull_ctl_disable_qfn24"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": "static int ms_pull_ctl_disable_lqfp48(struct rtsx_ucr *ucr)\n{\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5);\n\n\treturn rtsx_usb_send_cmd(ucr, MODE_C, 100);\n}",
- "project": "linux",
- "hash": 175330394433115206129616772201483010020,
- "size": 13,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386069
- },
- {
- "func": "static int ms_pull_ctl_enable_qfn24(struct rtsx_ucr *ucr)\n{\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59);\n\n\treturn rtsx_usb_send_cmd(ucr, MODE_C, 100);\n}",
- "project": "linux",
- "hash": 210539641281842764705487523839336936592,
- "size": 13,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386071
- },
- {
- "func": "static int ms_pull_ctl_disable_qfn24(struct rtsx_ucr *ucr)\n{\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x56);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59);\n\n\treturn rtsx_usb_send_cmd(ucr, MODE_C, 100);\n}",
- "project": "linux",
- "hash": 285376566704278362797150066726714875676,
- "size": 13,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386064
- },
- {
- "func": "static int ms_power_on(struct rtsx_usb_ms *host)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tint err;\n\n\tdev_dbg(ms_dev(host), \"%s\\n\", __func__);\n\n\trtsx_usb_init_cmd(ucr);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_SELECT, 0x07, MS_MOD_SEL);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_SHARE_MODE,\n\t\t\tCARD_SHARE_MASK, CARD_SHARE_MS);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_CLK_EN,\n\t\t\tMS_CLK_EN, MS_CLK_EN);\n\terr = rtsx_usb_send_cmd(ucr, MODE_C, 100);\n\tif (err < 0)\n\t\treturn err;\n\n\tif (CHECK_PKG(ucr, LQFP48))\n\t\terr = ms_pull_ctl_enable_lqfp48(ucr);\n\telse\n\t\terr = ms_pull_ctl_enable_qfn24(ucr);\n\tif (err < 0)\n\t\treturn err;\n\n\terr = rtsx_usb_write_register(ucr, CARD_PWR_CTL,\n\t\t\tPOWER_MASK, PARTIAL_POWER_ON);\n\tif (err)\n\t\treturn err;\n\n\tusleep_range(800, 1000);\n\n\trtsx_usb_init_cmd(ucr);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PWR_CTL,\n\t\t\tPOWER_MASK, POWER_ON);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_OE,\n\t\t\tMS_OUTPUT_EN, MS_OUTPUT_EN);\n\n\treturn rtsx_usb_send_cmd(ucr, MODE_C, 100);\n}",
- "project": "linux",
- "hash": 117225087238741212943134424097667944076,
- "size": 39,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386068
- },
- {
- "func": "static int ms_pull_ctl_enable_lqfp48(struct rtsx_ucr *ucr)\n{\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5);\n\n\treturn rtsx_usb_send_cmd(ucr, MODE_C, 100);\n}",
- "project": "linux",
- "hash": 211193892281656815748731135651717029490,
- "size": 13,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386077
- },
- {
- "func": "static int rtsx_usb_ms_set_param(struct memstick_host *msh,\n\t\tenum memstick_param param, int value)\n{\n\tstruct rtsx_usb_ms *host = memstick_priv(msh);\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tunsigned int clock = 0;\n\tu8 ssc_depth = 0;\n\tint err;\n\n\tdev_dbg(ms_dev(host), \"%s: param = %d, value = %d\\n\",\n\t\t\t__func__, param, value);\n\n\tpm_runtime_get_sync(ms_dev(host));\n\tmutex_lock(&ucr->dev_mutex);\n\n\terr = rtsx_usb_card_exclusive_check(ucr, RTSX_USB_MS_CARD);\n\tif (err)\n\t\tgoto out;\n\n\tswitch (param) {\n\tcase MEMSTICK_POWER:\n\t\tif (value == host->power_mode)\n\t\t\tbreak;\n\n\t\tif (value == MEMSTICK_POWER_ON) {\n\t\t\tpm_runtime_get_noresume(ms_dev(host));\n\t\t\terr = ms_power_on(host);\n\t\t\tif (err)\n\t\t\t\tpm_runtime_put_noidle(ms_dev(host));\n\t\t} else if (value == MEMSTICK_POWER_OFF) {\n\t\t\terr = ms_power_off(host);\n\t\t\tif (!err)\n\t\t\t\tpm_runtime_put_noidle(ms_dev(host));\n\t\t} else\n\t\t\terr = -EINVAL;\n\t\tif (!err)\n\t\t\thost->power_mode = value;\n\t\tbreak;\n\n\tcase MEMSTICK_INTERFACE:\n\t\tif (value == MEMSTICK_SERIAL) {\n\t\t\tclock = 19000000;\n\t\t\tssc_depth = SSC_DEPTH_512K;\n\t\t\terr = rtsx_usb_write_register(ucr, MS_CFG, 0x5A,\n\t\t\t\t MS_BUS_WIDTH_1 | PUSH_TIME_DEFAULT);\n\t\t\tif (err < 0)\n\t\t\t\tbreak;\n\t\t} else if (value == MEMSTICK_PAR4) {\n\t\t\tclock = 39000000;\n\t\t\tssc_depth = SSC_DEPTH_1M;\n\n\t\t\terr = rtsx_usb_write_register(ucr, MS_CFG, 0x5A,\n\t\t\t\t\tMS_BUS_WIDTH_4 | PUSH_TIME_ODD |\n\t\t\t\t\tMS_NO_CHECK_INT);\n\t\t\tif (err < 0)\n\t\t\t\tbreak;\n\t\t} else {\n\t\t\terr = -EINVAL;\n\t\t\tbreak;\n\t\t}\n\n\t\terr = rtsx_usb_switch_clock(ucr, clock,\n\t\t\t\tssc_depth, false, true, false);\n\t\tif (err < 0) {\n\t\t\tdev_dbg(ms_dev(host), \"switch clock failed\\n\");\n\t\t\tbreak;\n\t\t}\n\n\t\thost->ssc_depth = ssc_depth;\n\t\thost->clock = clock;\n\t\thost->ifmode = value;\n\t\tbreak;\n\tdefault:\n\t\terr = 
-EINVAL;\n\t\tbreak;\n\t}\nout:\n\tmutex_unlock(&ucr->dev_mutex);\n\tpm_runtime_put_sync(ms_dev(host));\n\n\t/* power-on delay */\n\tif (param == MEMSTICK_POWER && value == MEMSTICK_POWER_ON) {\n\t\tusleep_range(10000, 12000);\n\n\t\tif (!host->eject)\n\t\t\tschedule_delayed_work(&host->poll_card, 100);\n\t}\n\n\tdev_dbg(ms_dev(host), \"%s: return = %d\\n\", __func__, err);\n\treturn err;\n}",
- "project": "linux",
- "hash": 235368188057846220972751262500656866355,
- "size": 91,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386054
- },
- {
- "func": "static int ms_power_off(struct rtsx_usb_ms *host)\n{\n\tstruct rtsx_ucr *ucr = host->ucr;\n\tint err;\n\n\tdev_dbg(ms_dev(host), \"%s\\n\", __func__);\n\n\trtsx_usb_init_cmd(ucr);\n\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_CLK_EN, MS_CLK_EN, 0);\n\trtsx_usb_add_cmd(ucr, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN, 0);\n\n\terr = rtsx_usb_send_cmd(ucr, MODE_C, 100);\n\tif (err < 0)\n\t\treturn err;\n\n\tif (CHECK_PKG(ucr, LQFP48))\n\t\treturn ms_pull_ctl_disable_lqfp48(ucr);\n\n\treturn ms_pull_ctl_disable_qfn24(ucr);\n}",
- "project": "linux",
- "hash": 92083583795946424760381830510686249238,
- "size": 21,
- "commit_id": "42933c8aa14be1caa9eda41f65cde8a3a95d3e39",
- "message": "memstick: rtsx_usb_ms: fix UAF\n\nThis patch fixes the following issues:\n1. memstick_free_host() will free the host, so the use of ms_dev(host) after\nit will be a problem. To fix this, move memstick_free_host() after when we\nare done with ms_dev(host).\n2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove\nand free host otherwise memstick_check will be called and UAF will\nhappen.\n\n[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]\n[ 11.357376] platform_remove+0x2a/0x50\n[ 11.367531] Freed by task 298:\n[ 11.368537] kfree+0xa4/0x2a0\n[ 11.368711] device_release+0x51/0xe0\n[ 11.368905] kobject_put+0xa2/0x120\n[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]\n[ 11.369386] platform_remove+0x2a/0x50\n\n[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0\n[ 12.045432] mutex_lock+0xc9/0xd0\n[ 12.046080] memstick_check+0x6a/0x578 [memstick]\n[ 12.046509] process_one_work+0x46d/0x750\n[ 12.052107] Freed by task 297:\n[ 12.053115] kfree+0xa4/0x2a0\n[ 12.053272] device_release+0x51/0xe0\n[ 12.053463] kobject_put+0xa2/0x120\n[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]\n[ 12.053939] platform_remove+0x2a/0x50\n\nSigned-off-by: Tong Zhang <ztong0001@gmail.com>\nCo-developed-by: Ulf Hansson <ulf.hansson@linaro.org>\nLink: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com\nSigned-off-by: Ulf Hansson <ulf.hansson@linaro.org>",
- "target": 0,
- "dataset": "other",
- "idx": 386070
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "vhost_for_each_try_unroll",
- "rte_smp_rmb",
- "VHOST_LOG_DATA"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "virtio_dev_rx_batch_packed(struct virtio_net *dev,\n\t\t\t struct vhost_virtqueue *vq,\n\t\t\t struct rte_mbuf **pkts)\n{\n\tbool wrap_counter = vq->avail_wrap_counter;\n\tstruct vring_packed_desc *descs = vq->desc_packed;\n\tuint16_t avail_idx = vq->last_avail_idx;\n\tuint64_t desc_addrs[PACKED_BATCH_SIZE];\n\tstruct virtio_net_hdr_mrg_rxbuf *hdrs[PACKED_BATCH_SIZE];\n\tuint32_t buf_offset = dev->vhost_hlen;\n\tuint64_t lens[PACKED_BATCH_SIZE];\n\tuint16_t ids[PACKED_BATCH_SIZE];\n\tuint16_t i;\n\n\tif (unlikely(avail_idx & PACKED_BATCH_MASK))\n\t\treturn -1;\n\n\tif (unlikely((avail_idx + PACKED_BATCH_SIZE) > vq->size))\n\t\treturn -1;\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (unlikely(pkts[i]->next != NULL))\n\t\t\treturn -1;\n\t\tif (unlikely(!desc_is_avail(&descs[avail_idx + i],\n\t\t\t\t\t wrap_counter)))\n\t\t\treturn -1;\n\t}\n\n\trte_smp_rmb();\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tlens[i] = descs[avail_idx + i].len;\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (unlikely(pkts[i]->pkt_len > (lens[i] - buf_offset)))\n\t\t\treturn -1;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tdesc_addrs[i] = vhost_iova_to_vva(dev, vq,\n\t\t\t\t\t\t descs[avail_idx + i].addr,\n\t\t\t\t\t\t &lens[i],\n\t\t\t\t\t\t VHOST_ACCESS_RW);\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (unlikely(lens[i] != descs[avail_idx + i].len))\n\t\t\treturn -1;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\trte_prefetch0((void *)(uintptr_t)desc_addrs[i]);\n\t\thdrs[i] = (struct virtio_net_hdr_mrg_rxbuf *)\n\t\t\t\t\t(uintptr_t)desc_addrs[i];\n\t\tlens[i] = pkts[i]->pkt_len + dev->vhost_hlen;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tvirtio_enqueue_offload(pkts[i], &hdrs[i]->hdr);\n\n\tvq_inc_last_avail_packed(vq, PACKED_BATCH_SIZE);\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\trte_memcpy((void 
*)(uintptr_t)(desc_addrs[i] + buf_offset),\n\t\t\t rte_pktmbuf_mtod_offset(pkts[i], void *, 0),\n\t\t\t pkts[i]->pkt_len);\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tvhost_log_cache_write_iova(dev, vq, descs[avail_idx + i].addr,\n\t\t\t\t\t lens[i]);\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tids[i] = descs[avail_idx + i].id;\n\n\tvhost_flush_enqueue_batch_packed(dev, vq, lens, ids);\n\n\treturn 0;\n}",
- "project": "dpdk",
- "hash": 141015319348152109183918601798829151336,
- "size": 78,
- "commit_id": "97ecc1c85c95c13bc66a87435758e93406c35c48",
- "message": "vhost: fix translated address not checked\n\nMalicious guest can construct desc with invalid address and zero buffer\nlength. That will request vhost to check both translated address and\ntranslated data length. This patch will add missed address check.\n\nCVE-2020-10725\nFixes: 75ed51697820 (\"vhost: add packed ring batch dequeue\")\nFixes: ef861692c398 (\"vhost: add packed ring batch enqueue\")\nCc: stable@dpdk.org\n\nSigned-off-by: Marvin Liu <yong.liu@intel.com>\nReviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>",
- "target": 1,
- "dataset": "other",
- "idx": 207646
- },
- {
- "func": "virtio_dev_tx_batch_packed_zmbuf(struct virtio_net *dev,\n\t\t\t\t struct vhost_virtqueue *vq,\n\t\t\t\t struct rte_mempool *mbuf_pool,\n\t\t\t\t struct rte_mbuf **pkts)\n{\n\tstruct zcopy_mbuf *zmbufs[PACKED_BATCH_SIZE];\n\tuintptr_t desc_addrs[PACKED_BATCH_SIZE];\n\tuint16_t ids[PACKED_BATCH_SIZE];\n\tuint16_t i;\n\n\tuint16_t avail_idx = vq->last_avail_idx;\n\n\tif (vhost_reserve_avail_batch_packed(dev, vq, mbuf_pool, pkts,\n\t\t\t\t\t avail_idx, desc_addrs, ids))\n\t\treturn -1;\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tzmbufs[i] = get_zmbuf(vq);\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (!zmbufs[i])\n\t\t\tgoto free_pkt;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tzmbufs[i]->mbuf = pkts[i];\n\t\tzmbufs[i]->desc_idx = ids[i];\n\t\tzmbufs[i]->desc_count = 1;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\trte_mbuf_refcnt_update(pkts[i], 1);\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tTAILQ_INSERT_TAIL(&vq->zmbuf_list, zmbufs[i], next);\n\n\tvq->nr_zmbuf += PACKED_BATCH_SIZE;\n\tvq_inc_last_avail_packed(vq, PACKED_BATCH_SIZE);\n\n\treturn 0;\n\nfree_pkt:\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\trte_pktmbuf_free(pkts[i]);\n\n\treturn -1;\n}",
- "project": "dpdk",
- "hash": 53804099006853604511378110308203956935,
- "size": 47,
- "commit_id": "97ecc1c85c95c13bc66a87435758e93406c35c48",
- "message": "vhost: fix translated address not checked\n\nMalicious guest can construct desc with invalid address and zero buffer\nlength. That will request vhost to check both translated address and\ntranslated data length. This patch will add missed address check.\n\nCVE-2020-10725\nFixes: 75ed51697820 (\"vhost: add packed ring batch dequeue\")\nFixes: ef861692c398 (\"vhost: add packed ring batch enqueue\")\nCc: stable@dpdk.org\n\nSigned-off-by: Marvin Liu <yong.liu@intel.com>\nReviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 399930
- },
- {
- "func": "virtio_dev_rx_batch_packed(struct virtio_net *dev,\n\t\t\t struct vhost_virtqueue *vq,\n\t\t\t struct rte_mbuf **pkts)\n{\n\tbool wrap_counter = vq->avail_wrap_counter;\n\tstruct vring_packed_desc *descs = vq->desc_packed;\n\tuint16_t avail_idx = vq->last_avail_idx;\n\tuint64_t desc_addrs[PACKED_BATCH_SIZE];\n\tstruct virtio_net_hdr_mrg_rxbuf *hdrs[PACKED_BATCH_SIZE];\n\tuint32_t buf_offset = dev->vhost_hlen;\n\tuint64_t lens[PACKED_BATCH_SIZE];\n\tuint16_t ids[PACKED_BATCH_SIZE];\n\tuint16_t i;\n\n\tif (unlikely(avail_idx & PACKED_BATCH_MASK))\n\t\treturn -1;\n\n\tif (unlikely((avail_idx + PACKED_BATCH_SIZE) > vq->size))\n\t\treturn -1;\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (unlikely(pkts[i]->next != NULL))\n\t\t\treturn -1;\n\t\tif (unlikely(!desc_is_avail(&descs[avail_idx + i],\n\t\t\t\t\t wrap_counter)))\n\t\t\treturn -1;\n\t}\n\n\trte_smp_rmb();\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tlens[i] = descs[avail_idx + i].len;\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (unlikely(pkts[i]->pkt_len > (lens[i] - buf_offset)))\n\t\t\treturn -1;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tdesc_addrs[i] = vhost_iova_to_vva(dev, vq,\n\t\t\t\t\t\t descs[avail_idx + i].addr,\n\t\t\t\t\t\t &lens[i],\n\t\t\t\t\t\t VHOST_ACCESS_RW);\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (unlikely(!desc_addrs[i]))\n\t\t\treturn -1;\n\t\tif (unlikely(lens[i] != descs[avail_idx + i].len))\n\t\t\treturn -1;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\trte_prefetch0((void *)(uintptr_t)desc_addrs[i]);\n\t\thdrs[i] = (struct virtio_net_hdr_mrg_rxbuf *)\n\t\t\t\t\t(uintptr_t)desc_addrs[i];\n\t\tlens[i] = pkts[i]->pkt_len + dev->vhost_hlen;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tvirtio_enqueue_offload(pkts[i], &hdrs[i]->hdr);\n\n\tvq_inc_last_avail_packed(vq, PACKED_BATCH_SIZE);\n\n\tvhost_for_each_try_unroll(i, 0, 
PACKED_BATCH_SIZE) {\n\t\trte_memcpy((void *)(uintptr_t)(desc_addrs[i] + buf_offset),\n\t\t\t rte_pktmbuf_mtod_offset(pkts[i], void *, 0),\n\t\t\t pkts[i]->pkt_len);\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tvhost_log_cache_write_iova(dev, vq, descs[avail_idx + i].addr,\n\t\t\t\t\t lens[i]);\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tids[i] = descs[avail_idx + i].id;\n\n\tvhost_flush_enqueue_batch_packed(dev, vq, lens, ids);\n\n\treturn 0;\n}",
- "project": "dpdk",
- "hash": 198754053444601304377848158125427004349,
- "size": 80,
- "commit_id": "97ecc1c85c95c13bc66a87435758e93406c35c48",
- "message": "vhost: fix translated address not checked\n\nMalicious guest can construct desc with invalid address and zero buffer\nlength. That will request vhost to check both translated address and\ntranslated data length. This patch will add missed address check.\n\nCVE-2020-10725\nFixes: 75ed51697820 (\"vhost: add packed ring batch dequeue\")\nFixes: ef861692c398 (\"vhost: add packed ring batch enqueue\")\nCc: stable@dpdk.org\n\nSigned-off-by: Marvin Liu <yong.liu@intel.com>\nReviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 399931
- },
- {
- "func": "vhost_reserve_avail_batch_packed(struct virtio_net *dev,\n\t\t\t\t struct vhost_virtqueue *vq,\n\t\t\t\t struct rte_mempool *mbuf_pool,\n\t\t\t\t struct rte_mbuf **pkts,\n\t\t\t\t uint16_t avail_idx,\n\t\t\t\t uintptr_t *desc_addrs,\n\t\t\t\t uint16_t *ids)\n{\n\tbool wrap = vq->avail_wrap_counter;\n\tstruct vring_packed_desc *descs = vq->desc_packed;\n\tstruct virtio_net_hdr *hdr;\n\tuint64_t lens[PACKED_BATCH_SIZE];\n\tuint64_t buf_lens[PACKED_BATCH_SIZE];\n\tuint32_t buf_offset = dev->vhost_hlen;\n\tuint16_t flags, i;\n\n\tif (unlikely(avail_idx & PACKED_BATCH_MASK))\n\t\treturn -1;\n\tif (unlikely((avail_idx + PACKED_BATCH_SIZE) > vq->size))\n\t\treturn -1;\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tflags = descs[avail_idx + i].flags;\n\t\tif (unlikely((wrap != !!(flags & VRING_DESC_F_AVAIL)) ||\n\t\t\t (wrap == !!(flags & VRING_DESC_F_USED)) ||\n\t\t\t (flags & PACKED_DESC_SINGLE_DEQUEUE_FLAG)))\n\t\t\treturn -1;\n\t}\n\n\trte_smp_rmb();\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tlens[i] = descs[avail_idx + i].len;\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tdesc_addrs[i] = vhost_iova_to_vva(dev, vq,\n\t\t\t\t\t\t descs[avail_idx + i].addr,\n\t\t\t\t\t\t &lens[i], VHOST_ACCESS_RW);\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (unlikely(!desc_addrs[i]))\n\t\t\treturn -1;\n\t\tif (unlikely((lens[i] != descs[avail_idx + i].len)))\n\t\t\treturn -1;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tpkts[i] = virtio_dev_pktmbuf_alloc(dev, mbuf_pool, lens[i]);\n\t\tif (!pkts[i])\n\t\t\tgoto free_buf;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE)\n\t\tbuf_lens[i] = pkts[i]->buf_len - pkts[i]->data_off;\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tif (unlikely(buf_lens[i] < (lens[i] - buf_offset)))\n\t\t\tgoto free_buf;\n\t}\n\n\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\tpkts[i]->pkt_len = descs[avail_idx + 
i].len - buf_offset;\n\t\tpkts[i]->data_len = pkts[i]->pkt_len;\n\t\tids[i] = descs[avail_idx + i].id;\n\t}\n\n\tif (virtio_net_with_host_offload(dev)) {\n\t\tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n\t\t\thdr = (struct virtio_net_hdr *)(desc_addrs[i]);\n\t\t\tvhost_dequeue_offload(hdr, pkts[i]);\n\t\t}\n\t}\n\n\treturn 0;\n\nfree_buf:\n\tfor (i = 0; i < PACKED_BATCH_SIZE; i++)\n\t\trte_pktmbuf_free(pkts[i]);\n\n\treturn -1;\n}",
- "project": "dpdk",
- "hash": 138353916795722732886014856375298446334,
- "size": 82,
- "commit_id": "97ecc1c85c95c13bc66a87435758e93406c35c48",
- "message": "vhost: fix translated address not checked\n\nMalicious guest can construct desc with invalid address and zero buffer\nlength. That will request vhost to check both translated address and\ntranslated data length. This patch will add missed address check.\n\nCVE-2020-10725\nFixes: 75ed51697820 (\"vhost: add packed ring batch dequeue\")\nFixes: ef861692c398 (\"vhost: add packed ring batch enqueue\")\nCc: stable@dpdk.org\n\nSigned-off-by: Marvin Liu <yong.liu@intel.com>\nReviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 399961
- },
- {
- "func": "virtio_dev_rx_single_packed(struct virtio_net *dev,\n\t\t\t struct vhost_virtqueue *vq,\n\t\t\t struct rte_mbuf *pkt)\n{\n\tstruct buf_vector buf_vec[BUF_VECTOR_MAX];\n\tuint16_t nr_descs = 0;\n\n\trte_smp_rmb();\n\tif (unlikely(vhost_enqueue_single_packed(dev, vq, pkt, buf_vec,\n\t\t\t\t\t\t &nr_descs) < 0)) {\n\t\tVHOST_LOG_DATA(DEBUG,\n\t\t\t\t\"(%d) failed to get enough desc from vring\\n\",\n\t\t\t\tdev->vid);\n\t\treturn -1;\n\t}\n\n\tVHOST_LOG_DATA(DEBUG, \"(%d) current index %d | end index %d\\n\",\n\t\t\tdev->vid, vq->last_avail_idx,\n\t\t\tvq->last_avail_idx + nr_descs);\n\n\tvq_inc_last_avail_packed(vq, nr_descs);\n\n\treturn 0;\n}",
- "project": "dpdk",
- "hash": 234143874651352795448824707434723122016,
- "size": 24,
- "commit_id": "97ecc1c85c95c13bc66a87435758e93406c35c48",
- "message": "vhost: fix translated address not checked\n\nMalicious guest can construct desc with invalid address and zero buffer\nlength. That will request vhost to check both translated address and\ntranslated data length. This patch will add missed address check.\n\nCVE-2020-10725\nFixes: 75ed51697820 (\"vhost: add packed ring batch dequeue\")\nFixes: ef861692c398 (\"vhost: add packed ring batch enqueue\")\nCc: stable@dpdk.org\n\nSigned-off-by: Marvin Liu <yong.liu@intel.com>\nReviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 399922
- },
- {
- "func": "virtio_dev_rx(struct virtio_net *dev, uint16_t queue_id,\n\tstruct rte_mbuf **pkts, uint32_t count)\n{\n\tstruct vhost_virtqueue *vq;\n\tuint32_t nb_tx = 0;\n\n\tVHOST_LOG_DATA(DEBUG, \"(%d) %s\\n\", dev->vid, __func__);\n\tif (unlikely(!is_valid_virt_queue_idx(queue_id, 0, dev->nr_vring))) {\n\t\tVHOST_LOG_DATA(ERR, \"(%d) %s: invalid virtqueue idx %d.\\n\",\n\t\t\tdev->vid, __func__, queue_id);\n\t\treturn 0;\n\t}\n\n\tvq = dev->virtqueue[queue_id];\n\n\trte_spinlock_lock(&vq->access_lock);\n\n\tif (unlikely(vq->enabled == 0))\n\t\tgoto out_access_unlock;\n\n\tif (dev->features & (1ULL << VIRTIO_F_IOMMU_PLATFORM))\n\t\tvhost_user_iotlb_rd_lock(vq);\n\n\tif (unlikely(vq->access_ok == 0))\n\t\tif (unlikely(vring_translate(dev, vq) < 0))\n\t\t\tgoto out;\n\n\tcount = RTE_MIN((uint32_t)MAX_PKT_BURST, count);\n\tif (count == 0)\n\t\tgoto out;\n\n\tif (vq_is_packed(dev))\n\t\tnb_tx = virtio_dev_rx_packed(dev, vq, pkts, count);\n\telse\n\t\tnb_tx = virtio_dev_rx_split(dev, vq, pkts, count);\n\nout:\n\tif (dev->features & (1ULL << VIRTIO_F_IOMMU_PLATFORM))\n\t\tvhost_user_iotlb_rd_unlock(vq);\n\nout_access_unlock:\n\trte_spinlock_unlock(&vq->access_lock);\n\n\treturn nb_tx;\n}",
- "project": "dpdk",
- "hash": 99231903305206413438432760618655077983,
- "size": 45,
- "commit_id": "97ecc1c85c95c13bc66a87435758e93406c35c48",
- "message": "vhost: fix translated address not checked\n\nMalicious guest can construct desc with invalid address and zero buffer\nlength. That will request vhost to check both translated address and\ntranslated data length. This patch will add missed address check.\n\nCVE-2020-10725\nFixes: 75ed51697820 (\"vhost: add packed ring batch dequeue\")\nFixes: ef861692c398 (\"vhost: add packed ring batch enqueue\")\nCc: stable@dpdk.org\n\nSigned-off-by: Marvin Liu <yong.liu@intel.com>\nReviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>",
- "target": 0,
- "dataset": "other",
- "idx": 399940
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "tcp_check_space",
- "tcp_new_space",
- "tcp_should_expand_sndbuf"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static void tcp_check_space(struct sock *sk)\n{\n\tif (sock_flag(sk, SOCK_QUEUE_SHRUNK)) {\n\t\tsock_reset_flag(sk, SOCK_QUEUE_SHRUNK);\n\t\tif (sk->sk_socket &&\n\t\t test_bit(SOCK_NOSPACE, &sk->sk_socket->flags))\n\t\t\ttcp_new_space(sk);\n\t}\n}",
- "project": "net-next",
- "hash": 296127787089843267932160485998070699193,
- "size": 9,
- "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa",
- "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko <denys@visp.net.lb>\nSigned-off-by: Eric Dumazet <eric.dumazet@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 409882
- },
- {
- "func": "static void tcp_new_space(struct sock *sk)\n{\n\tstruct tcp_sock *tp = tcp_sk(sk);\n\n\tif (tcp_should_expand_sndbuf(sk)) {\n\t\tint sndmem = SKB_TRUESIZE(max_t(u32,\n\t\t\t\t\t\ttp->rx_opt.mss_clamp,\n\t\t\t\t\t\ttp->mss_cache) +\n\t\t\t\t\t MAX_TCP_HEADER);\n\t\tint demanded = max_t(unsigned int, tp->snd_cwnd,\n\t\t\t\t tp->reordering + 1);\n\t\tsndmem *= 2 * demanded;\n\t\tif (sndmem > sk->sk_sndbuf)\n\t\t\tsk->sk_sndbuf = min(sndmem, sysctl_tcp_wmem[2]);\n\t\ttp->snd_cwnd_stamp = tcp_time_stamp;\n\t}\n\n\tsk->sk_write_space(sk);\n}",
- "project": "net-next",
- "hash": 202425998378617003007172841908596303553,
- "size": 19,
- "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa",
- "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko <denys@visp.net.lb>\nSigned-off-by: Eric Dumazet <eric.dumazet@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 409917
- },
- {
- "func": "static int tcp_should_expand_sndbuf(const struct sock *sk)\n{\n\tconst struct tcp_sock *tp = tcp_sk(sk);\n\n\t/* If the user specified a specific send buffer setting, do\n\t * not modify it.\n\t */\n\tif (sk->sk_userlocks & SOCK_SNDBUF_LOCK)\n\t\treturn 0;\n\n\t/* If we are under global TCP memory pressure, do not expand. */\n\tif (tcp_memory_pressure)\n\t\treturn 0;\n\n\t/* If we are under soft global TCP memory pressure, do not expand. */\n\tif (atomic_long_read(&tcp_memory_allocated) >= sysctl_tcp_mem[0])\n\t\treturn 0;\n\n\t/* If we filled the congestion window, do not expand. */\n\tif (tp->packets_out >= tp->snd_cwnd)\n\t\treturn 0;\n\n\treturn 1;\n}",
- "project": "net-next",
- "hash": 328883797433948867138773900014105001499,
- "size": 24,
- "commit_id": "fdf5af0daf8019cec2396cdef8fb042d80fe71fa",
- "message": "tcp: drop SYN+FIN messages\n\nDenys Fedoryshchenko reported that SYN+FIN attacks were bringing his\nlinux machines to their limits.\n\nDont call conn_request() if the TCP flags includes SYN flag\n\nReported-by: Denys Fedoryshchenko <denys@visp.net.lb>\nSigned-off-by: Eric Dumazet <eric.dumazet@gmail.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 409918
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ext4_group_add",
- "setup_new_group_blocks",
- "extend_or_restart_transaction"
- ],
- "group_size": 10,
- "functions": [
- {
- "func": "static int reserve_backup_gdb(handle_t *handle, struct inode *inode,\n\t\t\t struct ext4_new_group_data *input)\n{\n\tstruct super_block *sb = inode->i_sb;\n\tint reserved_gdb =le16_to_cpu(EXT4_SB(sb)->s_es->s_reserved_gdt_blocks);\n\tstruct buffer_head **primary;\n\tstruct buffer_head *dind;\n\tstruct ext4_iloc iloc;\n\text4_fsblk_t blk;\n\t__le32 *data, *end;\n\tint gdbackups = 0;\n\tint res, i;\n\tint err;\n\n\tprimary = kmalloc(reserved_gdb * sizeof(*primary), GFP_NOFS);\n\tif (!primary)\n\t\treturn -ENOMEM;\n\n\tdata = EXT4_I(inode)->i_data + EXT4_DIND_BLOCK;\n\tdind = sb_bread(sb, le32_to_cpu(*data));\n\tif (!dind) {\n\t\terr = -EIO;\n\t\tgoto exit_free;\n\t}\n\n\tblk = EXT4_SB(sb)->s_sbh->b_blocknr + 1 + EXT4_SB(sb)->s_gdb_count;\n\tdata = (__le32 *)dind->b_data + (EXT4_SB(sb)->s_gdb_count %\n\t\t\t\t\t EXT4_ADDR_PER_BLOCK(sb));\n\tend = (__le32 *)dind->b_data + EXT4_ADDR_PER_BLOCK(sb);\n\n\t/* Get each reserved primary GDT block and verify it holds backups */\n\tfor (res = 0; res < reserved_gdb; res++, blk++) {\n\t\tif (le32_to_cpu(*data) != blk) {\n\t\t\text4_warning(sb, __func__,\n\t\t\t\t \"reserved block %llu\"\n\t\t\t\t \" not at offset %ld\",\n\t\t\t\t blk,\n\t\t\t\t (long)(data - (__le32 *)dind->b_data));\n\t\t\terr = -EINVAL;\n\t\t\tgoto exit_bh;\n\t\t}\n\t\tprimary[res] = sb_bread(sb, blk);\n\t\tif (!primary[res]) {\n\t\t\terr = -EIO;\n\t\t\tgoto exit_bh;\n\t\t}\n\t\tif ((gdbackups = verify_reserved_gdb(sb, primary[res])) < 0) {\n\t\t\tbrelse(primary[res]);\n\t\t\terr = gdbackups;\n\t\t\tgoto exit_bh;\n\t\t}\n\t\tif (++data >= end)\n\t\t\tdata = (__le32 *)dind->b_data;\n\t}\n\n\tfor (i = 0; i < reserved_gdb; i++) {\n\t\tif ((err = ext4_journal_get_write_access(handle, primary[i]))) {\n\t\t\t/*\n\t\t\tint j;\n\t\t\tfor (j = 0; j < i; j++)\n\t\t\t\text4_journal_release_buffer(handle, primary[j]);\n\t\t\t */\n\t\t\tgoto exit_bh;\n\t\t}\n\t}\n\n\tif ((err = ext4_reserve_inode_write(handle, inode, &iloc)))\n\t\tgoto exit_bh;\n\n\t/*\n\t * 
Finally we can add each of the reserved backup GDT blocks from\n\t * the new group to its reserved primary GDT block.\n\t */\n\tblk = input->group * EXT4_BLOCKS_PER_GROUP(sb);\n\tfor (i = 0; i < reserved_gdb; i++) {\n\t\tint err2;\n\t\tdata = (__le32 *)primary[i]->b_data;\n\t\t/* printk(\"reserving backup %lu[%u] = %lu\\n\",\n\t\t primary[i]->b_blocknr, gdbackups,\n\t\t blk + primary[i]->b_blocknr); */\n\t\tdata[gdbackups] = cpu_to_le32(blk + primary[i]->b_blocknr);\n\t\terr2 = ext4_handle_dirty_metadata(handle, NULL, primary[i]);\n\t\tif (!err)\n\t\t\terr = err2;\n\t}\n\tinode->i_blocks += reserved_gdb * sb->s_blocksize >> 9;\n\text4_mark_iloc_dirty(handle, inode, &iloc);\n\nexit_bh:\n\twhile (--res >= 0)\n\t\tbrelse(primary[res]);\n\tbrelse(dind);\n\nexit_free:\n\tkfree(primary);\n\n\treturn err;\n}",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 53564046847221204145026812978118434897,
- "size": 98,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489882
- },
- {
- "func": "static int add_new_gdb(handle_t *handle, struct inode *inode,\n\t\t struct ext4_new_group_data *input,\n\t\t struct buffer_head **primary)\n{\n\tstruct super_block *sb = inode->i_sb;\n\tstruct ext4_super_block *es = EXT4_SB(sb)->s_es;\n\tunsigned long gdb_num = input->group / EXT4_DESC_PER_BLOCK(sb);\n\text4_fsblk_t gdblock = EXT4_SB(sb)->s_sbh->b_blocknr + 1 + gdb_num;\n\tstruct buffer_head **o_group_desc, **n_group_desc;\n\tstruct buffer_head *dind;\n\tint gdbackups;\n\tstruct ext4_iloc iloc;\n\t__le32 *data;\n\tint err;\n\n\tif (test_opt(sb, DEBUG))\n\t\tprintk(KERN_DEBUG\n\t\t \"EXT4-fs: ext4_add_new_gdb: adding group block %lu\\n\",\n\t\t gdb_num);\n\n\t/*\n\t * If we are not using the primary superblock/GDT copy don't resize,\n * because the user tools have no way of handling this. Probably a\n * bad time to do it anyways.\n */\n\tif (EXT4_SB(sb)->s_sbh->b_blocknr !=\n\t le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block)) {\n\t\text4_warning(sb, __func__,\n\t\t\t\"won't resize using backup superblock at %llu\",\n\t\t\t(unsigned long long)EXT4_SB(sb)->s_sbh->b_blocknr);\n\t\treturn -EPERM;\n\t}\n\n\t*primary = sb_bread(sb, gdblock);\n\tif (!*primary)\n\t\treturn -EIO;\n\n\tif ((gdbackups = verify_reserved_gdb(sb, *primary)) < 0) {\n\t\terr = gdbackups;\n\t\tgoto exit_bh;\n\t}\n\n\tdata = EXT4_I(inode)->i_data + EXT4_DIND_BLOCK;\n\tdind = sb_bread(sb, le32_to_cpu(*data));\n\tif (!dind) {\n\t\terr = -EIO;\n\t\tgoto exit_bh;\n\t}\n\n\tdata = (__le32 *)dind->b_data;\n\tif (le32_to_cpu(data[gdb_num % EXT4_ADDR_PER_BLOCK(sb)]) != gdblock) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"new group %u GDT block %llu not reserved\",\n\t\t\t input->group, gdblock);\n\t\terr = -EINVAL;\n\t\tgoto exit_dind;\n\t}\n\n\tif ((err = ext4_journal_get_write_access(handle, EXT4_SB(sb)->s_sbh)))\n\t\tgoto exit_dind;\n\n\tif ((err = ext4_journal_get_write_access(handle, *primary)))\n\t\tgoto exit_sbh;\n\n\tif ((err = ext4_journal_get_write_access(handle, dind)))\n\t\tgoto 
exit_primary;\n\n\t/* ext4_reserve_inode_write() gets a reference on the iloc */\n\tif ((err = ext4_reserve_inode_write(handle, inode, &iloc)))\n\t\tgoto exit_dindj;\n\n\tn_group_desc = kmalloc((gdb_num + 1) * sizeof(struct buffer_head *),\n\t\t\tGFP_NOFS);\n\tif (!n_group_desc) {\n\t\terr = -ENOMEM;\n\t\text4_warning(sb, __func__,\n\t\t\t \"not enough memory for %lu groups\", gdb_num + 1);\n\t\tgoto exit_inode;\n\t}\n\n\t/*\n\t * Finally, we have all of the possible failures behind us...\n\t *\n\t * Remove new GDT block from inode double-indirect block and clear out\n\t * the new GDT block for use (which also \"frees\" the backup GDT blocks\n\t * from the reserved inode). We don't need to change the bitmaps for\n\t * these blocks, because they are marked as in-use from being in the\n\t * reserved inode, and will become GDT blocks (primary and backup).\n\t */\n\tdata[gdb_num % EXT4_ADDR_PER_BLOCK(sb)] = 0;\n\text4_handle_dirty_metadata(handle, NULL, dind);\n\tbrelse(dind);\n\tinode->i_blocks -= (gdbackups + 1) * sb->s_blocksize >> 9;\n\text4_mark_iloc_dirty(handle, inode, &iloc);\n\tmemset((*primary)->b_data, 0, sb->s_blocksize);\n\text4_handle_dirty_metadata(handle, NULL, *primary);\n\n\to_group_desc = EXT4_SB(sb)->s_group_desc;\n\tmemcpy(n_group_desc, o_group_desc,\n\t EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));\n\tn_group_desc[gdb_num] = *primary;\n\tEXT4_SB(sb)->s_group_desc = n_group_desc;\n\tEXT4_SB(sb)->s_gdb_count++;\n\tkfree(o_group_desc);\n\n\tle16_add_cpu(&es->s_reserved_gdt_blocks, -1);\n\text4_handle_dirty_metadata(handle, NULL, EXT4_SB(sb)->s_sbh);\n\n\treturn 0;\n\nexit_inode:\n\t/* ext4_journal_release_buffer(handle, iloc.bh); */\n\tbrelse(iloc.bh);\nexit_dindj:\n\t/* ext4_journal_release_buffer(handle, dind); */\nexit_primary:\n\t/* ext4_journal_release_buffer(handle, *primary); */\nexit_sbh:\n\t/* ext4_journal_release_buffer(handle, *primary); */\nexit_dind:\n\tbrelse(dind);\nexit_bh:\n\tbrelse(*primary);\n\n\text4_debug(\"leaving 
with error %d\\n\", err);\n\treturn err;\n}",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 332885612281430633913420144249098882494,
- "size": 127,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489879
- },
- {
- "func": "int ext4_group_extend(struct super_block *sb, struct ext4_super_block *es,\n\t\t ext4_fsblk_t n_blocks_count)\n{\n\text4_fsblk_t o_blocks_count;\n\text4_group_t o_groups_count;\n\text4_grpblk_t last;\n\text4_grpblk_t add;\n\tstruct buffer_head *bh;\n\thandle_t *handle;\n\tint err;\n\text4_group_t group;\n\n\t/* We don't need to worry about locking wrt other resizers just\n\t * yet: we're going to revalidate es->s_blocks_count after\n\t * taking lock_super() below. */\n\to_blocks_count = ext4_blocks_count(es);\n\to_groups_count = EXT4_SB(sb)->s_groups_count;\n\n\tif (test_opt(sb, DEBUG))\n\t\tprintk(KERN_DEBUG \"EXT4-fs: extending last group from %llu uto %llu blocks\\n\",\n\t\t o_blocks_count, n_blocks_count);\n\n\tif (n_blocks_count == 0 || n_blocks_count == o_blocks_count)\n\t\treturn 0;\n\n\tif (n_blocks_count > (sector_t)(~0ULL) >> (sb->s_blocksize_bits - 9)) {\n\t\tprintk(KERN_ERR \"EXT4-fs: filesystem on %s:\"\n\t\t\t\" too large to resize to %llu blocks safely\\n\",\n\t\t\tsb->s_id, n_blocks_count);\n\t\tif (sizeof(sector_t) < 8)\n\t\t\text4_warning(sb, __func__, \"CONFIG_LBD not enabled\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (n_blocks_count < o_blocks_count) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"can't shrink FS - resize aborted\");\n\t\treturn -EBUSY;\n\t}\n\n\t/* Handle the remaining blocks in the last group only. 
*/\n\text4_get_group_no_and_offset(sb, o_blocks_count, &group, &last);\n\n\tif (last == 0) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"need to use ext2online to resize further\");\n\t\treturn -EPERM;\n\t}\n\n\tadd = EXT4_BLOCKS_PER_GROUP(sb) - last;\n\n\tif (o_blocks_count + add < o_blocks_count) {\n\t\text4_warning(sb, __func__, \"blocks_count overflow\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (o_blocks_count + add > n_blocks_count)\n\t\tadd = n_blocks_count - o_blocks_count;\n\n\tif (o_blocks_count + add < n_blocks_count)\n\t\text4_warning(sb, __func__,\n\t\t\t \"will only finish group (%llu\"\n\t\t\t \" blocks, %u new)\",\n\t\t\t o_blocks_count + add, add);\n\n\t/* See if the device is actually as big as what was requested */\n\tbh = sb_bread(sb, o_blocks_count + add - 1);\n\tif (!bh) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"can't read last block, resize aborted\");\n\t\treturn -ENOSPC;\n\t}\n\tbrelse(bh);\n\n\t/* We will update the superblock, one block bitmap, and\n\t * one group descriptor via ext4_free_blocks().\n\t */\n\thandle = ext4_journal_start_sb(sb, 3);\n\tif (IS_ERR(handle)) {\n\t\terr = PTR_ERR(handle);\n\t\text4_warning(sb, __func__, \"error %d on journal start\", err);\n\t\tgoto exit_put;\n\t}\n\n\tlock_super(sb);\n\tif (o_blocks_count != ext4_blocks_count(es)) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"multiple resizers run on filesystem!\");\n\t\tunlock_super(sb);\n\t\text4_journal_stop(handle);\n\t\terr = -EBUSY;\n\t\tgoto exit_put;\n\t}\n\n\tif ((err = ext4_journal_get_write_access(handle,\n\t\t\t\t\t\t EXT4_SB(sb)->s_sbh))) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"error %d on journal write access\", err);\n\t\tunlock_super(sb);\n\t\text4_journal_stop(handle);\n\t\tgoto exit_put;\n\t}\n\text4_blocks_count_set(es, o_blocks_count + add);\n\text4_handle_dirty_metadata(handle, NULL, EXT4_SB(sb)->s_sbh);\n\tsb->s_dirt = 1;\n\tunlock_super(sb);\n\text4_debug(\"freeing blocks %llu through %llu\\n\", o_blocks_count,\n\t\t o_blocks_count + 
add);\n\t/* We add the blocks to the bitmap and set the group need init bit */\n\text4_add_groupblocks(handle, sb, o_blocks_count, add);\n\text4_debug(\"freed blocks %llu through %llu\\n\", o_blocks_count,\n\t\t o_blocks_count + add);\n\tif ((err = ext4_journal_stop(handle)))\n\t\tgoto exit_put;\n\n\tif (test_opt(sb, DEBUG))\n\t\tprintk(KERN_DEBUG \"EXT4-fs: extended group to %llu blocks\\n\",\n\t\t ext4_blocks_count(es));\n\tupdate_backups(sb, EXT4_SB(sb)->s_sbh->b_blocknr, (char *)es,\n\t\t sizeof(struct ext4_super_block));\nexit_put:\n\treturn err;\n} /* ext4_group_extend */",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 225669503474349997256762903535069719629,
- "size": 123,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489878
- },
- {
- "func": "static int verify_reserved_gdb(struct super_block *sb,\n\t\t\t struct buffer_head *primary)\n{\n\tconst ext4_fsblk_t blk = primary->b_blocknr;\n\tconst ext4_group_t end = EXT4_SB(sb)->s_groups_count;\n\tunsigned three = 1;\n\tunsigned five = 5;\n\tunsigned seven = 7;\n\tunsigned grp;\n\t__le32 *p = (__le32 *)primary->b_data;\n\tint gdbackups = 0;\n\n\twhile ((grp = ext4_list_backups(sb, &three, &five, &seven)) < end) {\n\t\tif (le32_to_cpu(*p++) !=\n\t\t grp * EXT4_BLOCKS_PER_GROUP(sb) + blk){\n\t\t\text4_warning(sb, __func__,\n\t\t\t\t \"reserved GDT %llu\"\n\t\t\t\t \" missing grp %d (%llu)\",\n\t\t\t\t blk, grp,\n\t\t\t\t grp *\n\t\t\t\t (ext4_fsblk_t)EXT4_BLOCKS_PER_GROUP(sb) +\n\t\t\t\t blk);\n\t\t\treturn -EINVAL;\n\t\t}\n\t\tif (++gdbackups > EXT4_ADDR_PER_BLOCK(sb))\n\t\t\treturn -EFBIG;\n\t}\n\n\treturn gdbackups;\n}",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 128954304814523851738698372455195263504,
- "size": 30,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489881
- },
- {
- "func": "static int verify_group_input(struct super_block *sb,\n\t\t\t struct ext4_new_group_data *input)\n{\n\tstruct ext4_sb_info *sbi = EXT4_SB(sb);\n\tstruct ext4_super_block *es = sbi->s_es;\n\text4_fsblk_t start = ext4_blocks_count(es);\n\text4_fsblk_t end = start + input->blocks_count;\n\text4_group_t group = input->group;\n\text4_fsblk_t itend = input->inode_table + sbi->s_itb_per_group;\n\tunsigned overhead = ext4_bg_has_super(sb, group) ?\n\t\t(1 + ext4_bg_num_gdb(sb, group) +\n\t\t le16_to_cpu(es->s_reserved_gdt_blocks)) : 0;\n\text4_fsblk_t metaend = start + overhead;\n\tstruct buffer_head *bh = NULL;\n\text4_grpblk_t free_blocks_count, offset;\n\tint err = -EINVAL;\n\n\tinput->free_blocks_count = free_blocks_count =\n\t\tinput->blocks_count - 2 - overhead - sbi->s_itb_per_group;\n\n\tif (test_opt(sb, DEBUG))\n\t\tprintk(KERN_DEBUG \"EXT4-fs: adding %s group %u: %u blocks \"\n\t\t \"(%d free, %u reserved)\\n\",\n\t\t ext4_bg_has_super(sb, input->group) ? \"normal\" :\n\t\t \"no-super\", input->group, input->blocks_count,\n\t\t free_blocks_count, input->reserved_blocks);\n\n\text4_get_group_no_and_offset(sb, start, NULL, &offset);\n\tif (group != sbi->s_groups_count)\n\t\text4_warning(sb, __func__,\n\t\t\t \"Cannot add at group %u (only %u groups)\",\n\t\t\t input->group, sbi->s_groups_count);\n\telse if (offset != 0)\n\t\t\text4_warning(sb, __func__, \"Last group not full\");\n\telse if (input->reserved_blocks > input->blocks_count / 5)\n\t\text4_warning(sb, __func__, \"Reserved blocks too high (%u)\",\n\t\t\t input->reserved_blocks);\n\telse if (free_blocks_count < 0)\n\t\text4_warning(sb, __func__, \"Bad blocks count %u\",\n\t\t\t input->blocks_count);\n\telse if (!(bh = sb_bread(sb, end - 1)))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Cannot read last block (%llu)\",\n\t\t\t end - 1);\n\telse if (outside(input->block_bitmap, start, end))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Block bitmap not in group (block %llu)\",\n\t\t\t (unsigned long 
long)input->block_bitmap);\n\telse if (outside(input->inode_bitmap, start, end))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Inode bitmap not in group (block %llu)\",\n\t\t\t (unsigned long long)input->inode_bitmap);\n\telse if (outside(input->inode_table, start, end) ||\n\t\t outside(itend - 1, start, end))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Inode table not in group (blocks %llu-%llu)\",\n\t\t\t (unsigned long long)input->inode_table, itend - 1);\n\telse if (input->inode_bitmap == input->block_bitmap)\n\t\text4_warning(sb, __func__,\n\t\t\t \"Block bitmap same as inode bitmap (%llu)\",\n\t\t\t (unsigned long long)input->block_bitmap);\n\telse if (inside(input->block_bitmap, input->inode_table, itend))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Block bitmap (%llu) in inode table (%llu-%llu)\",\n\t\t\t (unsigned long long)input->block_bitmap,\n\t\t\t (unsigned long long)input->inode_table, itend - 1);\n\telse if (inside(input->inode_bitmap, input->inode_table, itend))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Inode bitmap (%llu) in inode table (%llu-%llu)\",\n\t\t\t (unsigned long long)input->inode_bitmap,\n\t\t\t (unsigned long long)input->inode_table, itend - 1);\n\telse if (inside(input->block_bitmap, start, metaend))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Block bitmap (%llu) in GDT table\"\n\t\t\t \" (%llu-%llu)\",\n\t\t\t (unsigned long long)input->block_bitmap,\n\t\t\t start, metaend - 1);\n\telse if (inside(input->inode_bitmap, start, metaend))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Inode bitmap (%llu) in GDT table\"\n\t\t\t \" (%llu-%llu)\",\n\t\t\t (unsigned long long)input->inode_bitmap,\n\t\t\t start, metaend - 1);\n\telse if (inside(input->inode_table, start, metaend) ||\n\t\t inside(itend - 1, start, metaend))\n\t\text4_warning(sb, __func__,\n\t\t\t \"Inode table (%llu-%llu) overlaps\"\n\t\t\t \"GDT table (%llu-%llu)\",\n\t\t\t (unsigned long long)input->inode_table,\n\t\t\t itend - 1, start, metaend - 1);\n\telse\n\t\terr = 
0;\n\tbrelse(bh);\n\n\treturn err;\n}",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 228488893860518117939278009627835171771,
- "size": 96,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489885
- },
- {
- "func": "static int extend_or_restart_transaction(handle_t *handle, int thresh,\n\t\t\t\t\t struct buffer_head *bh)\n{\n\tint err;\n\n\tif (ext4_handle_has_enough_credits(handle, thresh))\n\t\treturn 0;\n\n\terr = ext4_journal_extend(handle, EXT4_MAX_TRANS_DATA);\n\tif (err < 0)\n\t\treturn err;\n\tif (err) {\n\t\tif ((err = ext4_journal_restart(handle, EXT4_MAX_TRANS_DATA)))\n\t\t\treturn err;\n\t\tif ((err = ext4_journal_get_write_access(handle, bh)))\n\t\t\treturn err;\n\t}\n\n\treturn 0;\n}",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 123182504547485296901476464093407721569,
- "size": 20,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489880
- },
- {
- "func": "int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input)\n{\n\tstruct ext4_sb_info *sbi = EXT4_SB(sb);\n\tstruct ext4_super_block *es = sbi->s_es;\n\tint reserved_gdb = ext4_bg_has_super(sb, input->group) ?\n\t\tle16_to_cpu(es->s_reserved_gdt_blocks) : 0;\n\tstruct buffer_head *primary = NULL;\n\tstruct ext4_group_desc *gdp;\n\tstruct inode *inode = NULL;\n\thandle_t *handle;\n\tint gdb_off, gdb_num;\n\tint num_grp_locked = 0;\n\tint err, err2;\n\n\tgdb_num = input->group / EXT4_DESC_PER_BLOCK(sb);\n\tgdb_off = input->group % EXT4_DESC_PER_BLOCK(sb);\n\n\tif (gdb_off == 0 && !EXT4_HAS_RO_COMPAT_FEATURE(sb,\n\t\t\t\t\tEXT4_FEATURE_RO_COMPAT_SPARSE_SUPER)) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"Can't resize non-sparse filesystem further\");\n\t\treturn -EPERM;\n\t}\n\n\tif (ext4_blocks_count(es) + input->blocks_count <\n\t ext4_blocks_count(es)) {\n\t\text4_warning(sb, __func__, \"blocks_count overflow\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (le32_to_cpu(es->s_inodes_count) + EXT4_INODES_PER_GROUP(sb) <\n\t le32_to_cpu(es->s_inodes_count)) {\n\t\text4_warning(sb, __func__, \"inodes_count overflow\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (reserved_gdb || gdb_off == 0) {\n\t\tif (!EXT4_HAS_COMPAT_FEATURE(sb,\n\t\t\t\t\t EXT4_FEATURE_COMPAT_RESIZE_INODE)\n\t\t || !le16_to_cpu(es->s_reserved_gdt_blocks)) {\n\t\t\text4_warning(sb, __func__,\n\t\t\t\t \"No reserved GDT blocks, can't resize\");\n\t\t\treturn -EPERM;\n\t\t}\n\t\tinode = ext4_iget(sb, EXT4_RESIZE_INO);\n\t\tif (IS_ERR(inode)) {\n\t\t\text4_warning(sb, __func__,\n\t\t\t\t \"Error opening resize inode\");\n\t\t\treturn PTR_ERR(inode);\n\t\t}\n\t}\n\n\n\tif ((err = verify_group_input(sb, input)))\n\t\tgoto exit_put;\n\n\tif ((err = setup_new_group_blocks(sb, input)))\n\t\tgoto exit_put;\n\n\t/*\n\t * We will always be modifying at least the superblock and a GDT\n\t * block. 
If we are adding a group past the last current GDT block,\n\t * we will also modify the inode and the dindirect block. If we\n\t * are adding a group with superblock/GDT backups we will also\n\t * modify each of the reserved GDT dindirect blocks.\n\t */\n\thandle = ext4_journal_start_sb(sb,\n\t\t\t\t ext4_bg_has_super(sb, input->group) ?\n\t\t\t\t 3 + reserved_gdb : 4);\n\tif (IS_ERR(handle)) {\n\t\terr = PTR_ERR(handle);\n\t\tgoto exit_put;\n\t}\n\n\tlock_super(sb);\n\tif (input->group != sbi->s_groups_count) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"multiple resizers run on filesystem!\");\n\t\terr = -EBUSY;\n\t\tgoto exit_journal;\n\t}\n\n\tif ((err = ext4_journal_get_write_access(handle, sbi->s_sbh)))\n\t\tgoto exit_journal;\n\n /*\n * We will only either add reserved group blocks to a backup group\n * or remove reserved blocks for the first group in a new group block.\n * Doing both would be mean more complex code, and sane people don't\n * use non-sparse filesystems anymore. This is already checked above.\n */\n\tif (gdb_off) {\n\t\tprimary = sbi->s_group_desc[gdb_num];\n\t\tif ((err = ext4_journal_get_write_access(handle, primary)))\n\t\t\tgoto exit_journal;\n\n\t\tif (reserved_gdb && ext4_bg_num_gdb(sb, input->group) &&\n\t\t (err = reserve_backup_gdb(handle, inode, input)))\n\t\t\tgoto exit_journal;\n\t} else if ((err = add_new_gdb(handle, inode, input, &primary)))\n\t\tgoto exit_journal;\n\n /*\n * OK, now we've set up the new group. Time to make it active.\n *\n * Current kernels don't lock all allocations via lock_super(),\n * so we have to be safe wrt. concurrent accesses the group\n * data. So we need to be careful to set all of the relevant\n * group descriptor data etc. 
*before* we enable the group.\n *\n * The key field here is sbi->s_groups_count: as long as\n * that retains its old value, nobody is going to access the new\n * group.\n *\n * So first we update all the descriptor metadata for the new\n * group; then we update the total disk blocks count; then we\n * update the groups count to enable the group; then finally we\n * update the free space counts so that the system can start\n * using the new disk blocks.\n */\n\n\tnum_grp_locked = ext4_mb_get_buddy_cache_lock(sb, input->group);\n\t/* Update group descriptor block for new group */\n\tgdp = (struct ext4_group_desc *)((char *)primary->b_data +\n\t\t\t\t\t gdb_off * EXT4_DESC_SIZE(sb));\n\n\text4_block_bitmap_set(sb, gdp, input->block_bitmap); /* LV FIXME */\n\text4_inode_bitmap_set(sb, gdp, input->inode_bitmap); /* LV FIXME */\n\text4_inode_table_set(sb, gdp, input->inode_table); /* LV FIXME */\n\text4_free_blks_set(sb, gdp, input->free_blocks_count);\n\text4_free_inodes_set(sb, gdp, EXT4_INODES_PER_GROUP(sb));\n\tgdp->bg_flags |= cpu_to_le16(EXT4_BG_INODE_ZEROED);\n\tgdp->bg_checksum = ext4_group_desc_csum(sbi, input->group, gdp);\n\n\t/*\n\t * We can allocate memory for mb_alloc based on the new group\n\t * descriptor\n\t */\n\terr = ext4_mb_add_groupinfo(sb, input->group, gdp);\n\tif (err) {\n\t\text4_mb_put_buddy_cache_lock(sb, input->group, num_grp_locked);\n\t\tgoto exit_journal;\n\t}\n\n\t/*\n\t * Make the new blocks and inodes valid next. 
We do this before\n\t * increasing the group count so that once the group is enabled,\n\t * all of its blocks and inodes are already valid.\n\t *\n\t * We always allocate group-by-group, then block-by-block or\n\t * inode-by-inode within a group, so enabling these\n\t * blocks/inodes before the group is live won't actually let us\n\t * allocate the new space yet.\n\t */\n\text4_blocks_count_set(es, ext4_blocks_count(es) +\n\t\tinput->blocks_count);\n\tle32_add_cpu(&es->s_inodes_count, EXT4_INODES_PER_GROUP(sb));\n\n\t/*\n\t * We need to protect s_groups_count against other CPUs seeing\n\t * inconsistent state in the superblock.\n\t *\n\t * The precise rules we use are:\n\t *\n\t * * Writers of s_groups_count *must* hold lock_super\n\t * AND\n\t * * Writers must perform a smp_wmb() after updating all dependent\n\t * data and before modifying the groups count\n\t *\n\t * * Readers must hold lock_super() over the access\n\t * OR\n\t * * Readers must perform an smp_rmb() after reading the groups count\n\t * and before reading any dependent data.\n\t *\n\t * NB. These rules can be relaxed when checking the group count\n\t * while freeing data, as we can only allocate from a block\n\t * group after serialising against the group count, and we can\n\t * only then free after serialising in turn against that\n\t * allocation.\n\t */\n\tsmp_wmb();\n\n\t/* Update the global fs size fields */\n\tsbi->s_groups_count++;\n\text4_mb_put_buddy_cache_lock(sb, input->group, num_grp_locked);\n\n\text4_handle_dirty_metadata(handle, NULL, primary);\n\n\t/* Update the reserved block counts only once the new group is\n\t * active. 
*/\n\text4_r_blocks_count_set(es, ext4_r_blocks_count(es) +\n\t\tinput->reserved_blocks);\n\n\t/* Update the free space counts */\n\tpercpu_counter_add(&sbi->s_freeblocks_counter,\n\t\t\t input->free_blocks_count);\n\tpercpu_counter_add(&sbi->s_freeinodes_counter,\n\t\t\t EXT4_INODES_PER_GROUP(sb));\n\n\tif (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_FLEX_BG)) {\n\t\text4_group_t flex_group;\n\t\tflex_group = ext4_flex_group(sbi, input->group);\n\t\tsbi->s_flex_groups[flex_group].free_blocks +=\n\t\t\tinput->free_blocks_count;\n\t\tsbi->s_flex_groups[flex_group].free_inodes +=\n\t\t\tEXT4_INODES_PER_GROUP(sb);\n\t}\n\n\text4_handle_dirty_metadata(handle, NULL, sbi->s_sbh);\n\tsb->s_dirt = 1;\n\nexit_journal:\n\tunlock_super(sb);\n\tif ((err2 = ext4_journal_stop(handle)) && !err)\n\t\terr = err2;\n\tif (!err) {\n\t\tupdate_backups(sb, sbi->s_sbh->b_blocknr, (char *)es,\n\t\t\t sizeof(struct ext4_super_block));\n\t\tupdate_backups(sb, primary->b_blocknr, primary->b_data,\n\t\t\t primary->b_size);\n\t}\nexit_put:\n\tiput(inode);\n\treturn err;\n} /* ext4_group_add */",
- "target": 1,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 281245565929730846006190005126700543134,
- "size": 225,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 215458
- },
- {
- "func": "int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input)\n{\n\tstruct ext4_sb_info *sbi = EXT4_SB(sb);\n\tstruct ext4_super_block *es = sbi->s_es;\n\tint reserved_gdb = ext4_bg_has_super(sb, input->group) ?\n\t\tle16_to_cpu(es->s_reserved_gdt_blocks) : 0;\n\tstruct buffer_head *primary = NULL;\n\tstruct ext4_group_desc *gdp;\n\tstruct inode *inode = NULL;\n\thandle_t *handle;\n\tint gdb_off, gdb_num;\n\tint num_grp_locked = 0;\n\tint err, err2;\n\n\tgdb_num = input->group / EXT4_DESC_PER_BLOCK(sb);\n\tgdb_off = input->group % EXT4_DESC_PER_BLOCK(sb);\n\n\tif (gdb_off == 0 && !EXT4_HAS_RO_COMPAT_FEATURE(sb,\n\t\t\t\t\tEXT4_FEATURE_RO_COMPAT_SPARSE_SUPER)) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"Can't resize non-sparse filesystem further\");\n\t\treturn -EPERM;\n\t}\n\n\tif (ext4_blocks_count(es) + input->blocks_count <\n\t ext4_blocks_count(es)) {\n\t\text4_warning(sb, __func__, \"blocks_count overflow\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (le32_to_cpu(es->s_inodes_count) + EXT4_INODES_PER_GROUP(sb) <\n\t le32_to_cpu(es->s_inodes_count)) {\n\t\text4_warning(sb, __func__, \"inodes_count overflow\");\n\t\treturn -EINVAL;\n\t}\n\n\tif (reserved_gdb || gdb_off == 0) {\n\t\tif (!EXT4_HAS_COMPAT_FEATURE(sb,\n\t\t\t\t\t EXT4_FEATURE_COMPAT_RESIZE_INODE)\n\t\t || !le16_to_cpu(es->s_reserved_gdt_blocks)) {\n\t\t\text4_warning(sb, __func__,\n\t\t\t\t \"No reserved GDT blocks, can't resize\");\n\t\t\treturn -EPERM;\n\t\t}\n\t\tinode = ext4_iget(sb, EXT4_RESIZE_INO);\n\t\tif (IS_ERR(inode)) {\n\t\t\text4_warning(sb, __func__,\n\t\t\t\t \"Error opening resize inode\");\n\t\t\treturn PTR_ERR(inode);\n\t\t}\n\t}\n\n\n\tif ((err = verify_group_input(sb, input)))\n\t\tgoto exit_put;\n\n\tif ((err = setup_new_group_blocks(sb, input)))\n\t\tgoto exit_put;\n\n\t/*\n\t * We will always be modifying at least the superblock and a GDT\n\t * block. 
If we are adding a group past the last current GDT block,\n\t * we will also modify the inode and the dindirect block. If we\n\t * are adding a group with superblock/GDT backups we will also\n\t * modify each of the reserved GDT dindirect blocks.\n\t */\n\thandle = ext4_journal_start_sb(sb,\n\t\t\t\t ext4_bg_has_super(sb, input->group) ?\n\t\t\t\t 3 + reserved_gdb : 4);\n\tif (IS_ERR(handle)) {\n\t\terr = PTR_ERR(handle);\n\t\tgoto exit_put;\n\t}\n\n\tlock_super(sb);\n\tif (input->group != sbi->s_groups_count) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"multiple resizers run on filesystem!\");\n\t\terr = -EBUSY;\n\t\tgoto exit_journal;\n\t}\n\n\tif ((err = ext4_journal_get_write_access(handle, sbi->s_sbh)))\n\t\tgoto exit_journal;\n\n /*\n * We will only either add reserved group blocks to a backup group\n * or remove reserved blocks for the first group in a new group block.\n * Doing both would be mean more complex code, and sane people don't\n * use non-sparse filesystems anymore. This is already checked above.\n */\n\tif (gdb_off) {\n\t\tprimary = sbi->s_group_desc[gdb_num];\n\t\tif ((err = ext4_journal_get_write_access(handle, primary)))\n\t\t\tgoto exit_journal;\n\n\t\tif (reserved_gdb && ext4_bg_num_gdb(sb, input->group) &&\n\t\t (err = reserve_backup_gdb(handle, inode, input)))\n\t\t\tgoto exit_journal;\n\t} else if ((err = add_new_gdb(handle, inode, input, &primary)))\n\t\tgoto exit_journal;\n\n /*\n * OK, now we've set up the new group. Time to make it active.\n *\n * Current kernels don't lock all allocations via lock_super(),\n * so we have to be safe wrt. concurrent accesses the group\n * data. So we need to be careful to set all of the relevant\n * group descriptor data etc. 
*before* we enable the group.\n *\n * The key field here is sbi->s_groups_count: as long as\n * that retains its old value, nobody is going to access the new\n * group.\n *\n * So first we update all the descriptor metadata for the new\n * group; then we update the total disk blocks count; then we\n * update the groups count to enable the group; then finally we\n * update the free space counts so that the system can start\n * using the new disk blocks.\n */\n\n\tnum_grp_locked = ext4_mb_get_buddy_cache_lock(sb, input->group);\n\t/* Update group descriptor block for new group */\n\tgdp = (struct ext4_group_desc *)((char *)primary->b_data +\n\t\t\t\t\t gdb_off * EXT4_DESC_SIZE(sb));\n\n\tmemset(gdp, 0, EXT4_DESC_SIZE(sb));\n\text4_block_bitmap_set(sb, gdp, input->block_bitmap); /* LV FIXME */\n\text4_inode_bitmap_set(sb, gdp, input->inode_bitmap); /* LV FIXME */\n\text4_inode_table_set(sb, gdp, input->inode_table); /* LV FIXME */\n\text4_free_blks_set(sb, gdp, input->free_blocks_count);\n\text4_free_inodes_set(sb, gdp, EXT4_INODES_PER_GROUP(sb));\n\tgdp->bg_flags = cpu_to_le16(EXT4_BG_INODE_ZEROED);\n\tgdp->bg_checksum = ext4_group_desc_csum(sbi, input->group, gdp);\n\n\t/*\n\t * We can allocate memory for mb_alloc based on the new group\n\t * descriptor\n\t */\n\terr = ext4_mb_add_groupinfo(sb, input->group, gdp);\n\tif (err) {\n\t\text4_mb_put_buddy_cache_lock(sb, input->group, num_grp_locked);\n\t\tgoto exit_journal;\n\t}\n\n\t/*\n\t * Make the new blocks and inodes valid next. 
We do this before\n\t * increasing the group count so that once the group is enabled,\n\t * all of its blocks and inodes are already valid.\n\t *\n\t * We always allocate group-by-group, then block-by-block or\n\t * inode-by-inode within a group, so enabling these\n\t * blocks/inodes before the group is live won't actually let us\n\t * allocate the new space yet.\n\t */\n\text4_blocks_count_set(es, ext4_blocks_count(es) +\n\t\tinput->blocks_count);\n\tle32_add_cpu(&es->s_inodes_count, EXT4_INODES_PER_GROUP(sb));\n\n\t/*\n\t * We need to protect s_groups_count against other CPUs seeing\n\t * inconsistent state in the superblock.\n\t *\n\t * The precise rules we use are:\n\t *\n\t * * Writers of s_groups_count *must* hold lock_super\n\t * AND\n\t * * Writers must perform a smp_wmb() after updating all dependent\n\t * data and before modifying the groups count\n\t *\n\t * * Readers must hold lock_super() over the access\n\t * OR\n\t * * Readers must perform an smp_rmb() after reading the groups count\n\t * and before reading any dependent data.\n\t *\n\t * NB. These rules can be relaxed when checking the group count\n\t * while freeing data, as we can only allocate from a block\n\t * group after serialising against the group count, and we can\n\t * only then free after serialising in turn against that\n\t * allocation.\n\t */\n\tsmp_wmb();\n\n\t/* Update the global fs size fields */\n\tsbi->s_groups_count++;\n\text4_mb_put_buddy_cache_lock(sb, input->group, num_grp_locked);\n\n\text4_handle_dirty_metadata(handle, NULL, primary);\n\n\t/* Update the reserved block counts only once the new group is\n\t * active. 
*/\n\text4_r_blocks_count_set(es, ext4_r_blocks_count(es) +\n\t\tinput->reserved_blocks);\n\n\t/* Update the free space counts */\n\tpercpu_counter_add(&sbi->s_freeblocks_counter,\n\t\t\t input->free_blocks_count);\n\tpercpu_counter_add(&sbi->s_freeinodes_counter,\n\t\t\t EXT4_INODES_PER_GROUP(sb));\n\n\tif (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_FLEX_BG)) {\n\t\text4_group_t flex_group;\n\t\tflex_group = ext4_flex_group(sbi, input->group);\n\t\tsbi->s_flex_groups[flex_group].free_blocks +=\n\t\t\tinput->free_blocks_count;\n\t\tsbi->s_flex_groups[flex_group].free_inodes +=\n\t\t\tEXT4_INODES_PER_GROUP(sb);\n\t}\n\n\text4_handle_dirty_metadata(handle, NULL, sbi->s_sbh);\n\tsb->s_dirt = 1;\n\nexit_journal:\n\tunlock_super(sb);\n\tif ((err2 = ext4_journal_stop(handle)) && !err)\n\t\terr = err2;\n\tif (!err) {\n\t\tupdate_backups(sb, sbi->s_sbh->b_blocknr, (char *)es,\n\t\t\t sizeof(struct ext4_super_block));\n\t\tupdate_backups(sb, primary->b_blocknr, primary->b_data,\n\t\t\t primary->b_size);\n\t}\nexit_put:\n\tiput(inode);\n\treturn err;\n} /* ext4_group_add */",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 193067835456666808284941587516352105575,
- "size": 226,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489876
- },
- {
- "func": "static int setup_new_group_blocks(struct super_block *sb,\n\t\t\t\t struct ext4_new_group_data *input)\n{\n\tstruct ext4_sb_info *sbi = EXT4_SB(sb);\n\text4_fsblk_t start = ext4_group_first_block_no(sb, input->group);\n\tint reserved_gdb = ext4_bg_has_super(sb, input->group) ?\n\t\tle16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) : 0;\n\tunsigned long gdblocks = ext4_bg_num_gdb(sb, input->group);\n\tstruct buffer_head *bh;\n\thandle_t *handle;\n\text4_fsblk_t block;\n\text4_grpblk_t bit;\n\tint i;\n\tint err = 0, err2;\n\n\t/* This transaction may be extended/restarted along the way */\n\thandle = ext4_journal_start_sb(sb, EXT4_MAX_TRANS_DATA);\n\n\tif (IS_ERR(handle))\n\t\treturn PTR_ERR(handle);\n\n\tlock_super(sb);\n\tif (input->group != sbi->s_groups_count) {\n\t\terr = -EBUSY;\n\t\tgoto exit_journal;\n\t}\n\n\tif (IS_ERR(bh = bclean(handle, sb, input->block_bitmap))) {\n\t\terr = PTR_ERR(bh);\n\t\tgoto exit_journal;\n\t}\n\n\tif (ext4_bg_has_super(sb, input->group)) {\n\t\text4_debug(\"mark backup superblock %#04llx (+0)\\n\", start);\n\t\text4_set_bit(0, bh->b_data);\n\t}\n\n\t/* Copy all of the GDT blocks into the backup in this group */\n\tfor (i = 0, bit = 1, block = start + 1;\n\t i < gdblocks; i++, block++, bit++) {\n\t\tstruct buffer_head *gdb;\n\n\t\text4_debug(\"update backup group %#04llx (+%d)\\n\", block, bit);\n\n\t\tif ((err = extend_or_restart_transaction(handle, 1, bh)))\n\t\t\tgoto exit_bh;\n\n\t\tgdb = sb_getblk(sb, block);\n\t\tif (!gdb) {\n\t\t\terr = -EIO;\n\t\t\tgoto exit_bh;\n\t\t}\n\t\tif ((err = ext4_journal_get_write_access(handle, gdb))) {\n\t\t\tbrelse(gdb);\n\t\t\tgoto exit_bh;\n\t\t}\n\t\tlock_buffer(gdb);\n\t\tmemcpy(gdb->b_data, sbi->s_group_desc[i]->b_data, gdb->b_size);\n\t\tset_buffer_uptodate(gdb);\n\t\tunlock_buffer(gdb);\n\t\text4_handle_dirty_metadata(handle, NULL, gdb);\n\t\text4_set_bit(bit, bh->b_data);\n\t\tbrelse(gdb);\n\t}\n\n\t/* Zero out all of the reserved backup group descriptor table blocks */\n\tfor (i 
= 0, bit = gdblocks + 1, block = start + bit;\n\t i < reserved_gdb; i++, block++, bit++) {\n\t\tstruct buffer_head *gdb;\n\n\t\text4_debug(\"clear reserved block %#04llx (+%d)\\n\", block, bit);\n\n\t\tif ((err = extend_or_restart_transaction(handle, 1, bh)))\n\t\t\tgoto exit_bh;\n\n\t\tif (IS_ERR(gdb = bclean(handle, sb, block))) {\n\t\t\terr = PTR_ERR(bh);\n\t\t\tgoto exit_bh;\n\t\t}\n\t\text4_handle_dirty_metadata(handle, NULL, gdb);\n\t\text4_set_bit(bit, bh->b_data);\n\t\tbrelse(gdb);\n\t}\n\text4_debug(\"mark block bitmap %#04llx (+%llu)\\n\", input->block_bitmap,\n\t\t input->block_bitmap - start);\n\text4_set_bit(input->block_bitmap - start, bh->b_data);\n\text4_debug(\"mark inode bitmap %#04llx (+%llu)\\n\", input->inode_bitmap,\n\t\t input->inode_bitmap - start);\n\text4_set_bit(input->inode_bitmap - start, bh->b_data);\n\n\t/* Zero out all of the inode table blocks */\n\tfor (i = 0, block = input->inode_table, bit = block - start;\n\t i < sbi->s_itb_per_group; i++, bit++, block++) {\n\t\tstruct buffer_head *it;\n\n\t\text4_debug(\"clear inode block %#04llx (+%d)\\n\", block, bit);\n\n\t\tif ((err = extend_or_restart_transaction(handle, 1, bh)))\n\t\t\tgoto exit_bh;\n\n\t\tif (IS_ERR(it = bclean(handle, sb, block))) {\n\t\t\terr = PTR_ERR(it);\n\t\t\tgoto exit_bh;\n\t\t}\n\t\text4_handle_dirty_metadata(handle, NULL, it);\n\t\tbrelse(it);\n\t\text4_set_bit(bit, bh->b_data);\n\t}\n\n\tif ((err = extend_or_restart_transaction(handle, 2, bh)))\n\t\tgoto exit_bh;\n\n\tmark_bitmap_end(input->blocks_count, sb->s_blocksize * 8, bh->b_data);\n\text4_handle_dirty_metadata(handle, NULL, bh);\n\tbrelse(bh);\n\t/* Mark unused entries in inode bitmap used */\n\text4_debug(\"clear inode bitmap %#04llx (+%llu)\\n\",\n\t\t input->inode_bitmap, input->inode_bitmap - start);\n\tif (IS_ERR(bh = bclean(handle, sb, input->inode_bitmap))) {\n\t\terr = PTR_ERR(bh);\n\t\tgoto exit_journal;\n\t}\n\n\tmark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 
8,\n\t\t\tbh->b_data);\n\text4_handle_dirty_metadata(handle, NULL, bh);\nexit_bh:\n\tbrelse(bh);\n\nexit_journal:\n\tunlock_super(sb);\n\tif ((err2 = ext4_journal_stop(handle)) && !err)\n\t\terr = err2;\n\n\treturn err;\n}",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 270094313103328522278874993323389670020,
- "size": 136,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489884
- },
- {
- "func": "static void update_backups(struct super_block *sb,\n\t\t\t int blk_off, char *data, int size)\n{\n\tstruct ext4_sb_info *sbi = EXT4_SB(sb);\n\tconst ext4_group_t last = sbi->s_groups_count;\n\tconst int bpg = EXT4_BLOCKS_PER_GROUP(sb);\n\tunsigned three = 1;\n\tunsigned five = 5;\n\tunsigned seven = 7;\n\text4_group_t group;\n\tint rest = sb->s_blocksize - size;\n\thandle_t *handle;\n\tint err = 0, err2;\n\n\thandle = ext4_journal_start_sb(sb, EXT4_MAX_TRANS_DATA);\n\tif (IS_ERR(handle)) {\n\t\tgroup = 1;\n\t\terr = PTR_ERR(handle);\n\t\tgoto exit_err;\n\t}\n\n\twhile ((group = ext4_list_backups(sb, &three, &five, &seven)) < last) {\n\t\tstruct buffer_head *bh;\n\n\t\t/* Out of journal space, and can't get more - abort - so sad */\n\t\tif (ext4_handle_valid(handle) &&\n\t\t handle->h_buffer_credits == 0 &&\n\t\t ext4_journal_extend(handle, EXT4_MAX_TRANS_DATA) &&\n\t\t (err = ext4_journal_restart(handle, EXT4_MAX_TRANS_DATA)))\n\t\t\tbreak;\n\n\t\tbh = sb_getblk(sb, group * bpg + blk_off);\n\t\tif (!bh) {\n\t\t\terr = -EIO;\n\t\t\tbreak;\n\t\t}\n\t\text4_debug(\"update metadata backup %#04lx\\n\",\n\t\t\t (unsigned long)bh->b_blocknr);\n\t\tif ((err = ext4_journal_get_write_access(handle, bh)))\n\t\t\tbreak;\n\t\tlock_buffer(bh);\n\t\tmemcpy(bh->b_data, data, size);\n\t\tif (rest)\n\t\t\tmemset(bh->b_data + size, 0, rest);\n\t\tset_buffer_uptodate(bh);\n\t\tunlock_buffer(bh);\n\t\text4_handle_dirty_metadata(handle, NULL, bh);\n\t\tbrelse(bh);\n\t}\n\tif ((err2 = ext4_journal_stop(handle)) && !err)\n\t\terr = err2;\n\n\t/*\n\t * Ugh! Need to have e2fsck write the backup copies. 
It is too\n\t * late to revert the resize, we shouldn't fail just because of\n\t * the backup copies (they are only needed in case of corruption).\n\t *\n\t * However, if we got here we have a journal problem too, so we\n\t * can't really start a transaction to mark the superblock.\n\t * Chicken out and just set the flag on the hope it will be written\n\t * to disk, and if not - we will simply wait until next fsck.\n\t */\nexit_err:\n\tif (err) {\n\t\text4_warning(sb, __func__,\n\t\t\t \"can't update backup for group %u (err %d), \"\n\t\t\t \"forcing fsck on next reboot\", group, err);\n\t\tsbi->s_mount_state &= ~EXT4_VALID_FS;\n\t\tsbi->s_es->s_state &= cpu_to_le16(~EXT4_VALID_FS);\n\t\tmark_buffer_dirty(sbi->s_sbh);\n\t}\n}",
- "target": 0,
- "cwe": [
- "CWE-20"
- ],
- "project": "linux-2.6",
- "commit_id": "fdff73f094e7220602cc3f8959c7230517976412",
- "hash": 44020648151160495114819576471010928671,
- "size": 72,
- "message": "ext4: Initialize the new group descriptor when resizing the filesystem\n\nMake sure all of the fields of the group descriptor are properly\ninitialized. Previously, we allowed bg_flags field to be contain\nrandom garbage, which could trigger non-deterministic behavior,\nincluding a kernel OOPS.\n\nhttp://bugzilla.kernel.org/show_bug.cgi?id=12433\n\nSigned-off-by: \"Theodore Ts'o\" <tytso@mit.edu>\nCc: stable@kernel.org",
- "dataset": "other",
- "idx": 489877
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "ReadAnimatedWEBPImage",
- "ReadSingleWEBPImage",
- "IsWEBPImageLossless",
- "ReadWebPLSBWord"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static int ReadAnimatedWEBPImage(const ImageInfo *image_info,Image *image,\n uint8_t *stream,size_t length,WebPDecoderConfig *configure,\n ExceptionInfo *exception)\n{\n Image\n *original_image;\n\n int\n image_count,\n webp_status;\n\n size_t\n canvas_width,\n canvas_height;\n\n WebPData\n data;\n\n WebPDemuxer\n *demux;\n\n WebPIterator\n iter;\n\n image_count=0;\n webp_status=0;\n original_image=image;\n webp_status=FillBasicWEBPInfo(image,stream,length,configure);\n canvas_width=image->columns;\n canvas_height=image->rows;\n data.bytes=stream;\n data.size=length;\n {\n WebPMux\n *mux;\n\n WebPMuxAnimParams\n params;\n\n WebPMuxError\n status;\n\n mux=WebPMuxCreate(&data,0);\n status=WebPMuxGetAnimationParams(mux,¶ms);\n if (status >= 0)\n image->iterations=params.loop_count;\n WebPMuxDelete(mux);\n }\n demux=WebPDemux(&data);\n if (WebPDemuxGetFrame(demux,1,&iter)) {\n do {\n if (image_count != 0)\n {\n AcquireNextImage(image_info,image);\n if (GetNextImageInList(image) == (Image *) NULL)\n break;\n image=SyncNextImageInList(image);\n CloneImageProperties(image, original_image);\n image->page.x=iter.x_offset;\n image->page.y=iter.y_offset;\n webp_status=ReadSingleWEBPImage(image,iter.fragment.bytes,\n iter.fragment.size,configure,exception,MagickFalse);\n }\n else\n {\n image->page.x=iter.x_offset;\n image->page.y=iter.y_offset;\n webp_status=ReadSingleWEBPImage(image,iter.fragment.bytes,\n iter.fragment.size,configure,exception,MagickTrue);\n }\n if (webp_status != VP8_STATUS_OK)\n break;\n\n image->page.width=canvas_width;\n image->page.height=canvas_height;\n image->ticks_per_second=100;\n image->delay=iter.duration/10;\n image->dispose=NoneDispose;\n if (iter.dispose_method == WEBP_MUX_DISPOSE_BACKGROUND)\n image->dispose=BackgroundDispose;\n image_count++;\n } while (WebPDemuxNextFrame(&iter));\n WebPDemuxReleaseIterator(&iter);\n }\n WebPDemuxDelete(demux);\n return(webp_status);\n}",
- "project": "ImageMagick6",
- "hash": 289808360935285124131109024761867440086,
- "size": 87,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370810
- },
- {
- "func": "static int ReadSingleWEBPImage(Image *image,const uint8_t *stream,\n size_t length,WebPDecoderConfig *configure,ExceptionInfo *exception,\n MagickBooleanType is_first)\n{\n int\n webp_status;\n\n unsigned char\n *p;\n\n size_t\n canvas_width,\n canvas_height,\n image_width,\n image_height;\n\n ssize_t\n x_offset,\n y_offset,\n y;\n\n WebPDecBuffer\n *magick_restrict webp_image = &configure->output;\n\n MagickBooleanType\n status;\n\n if (is_first)\n {\n canvas_width=image->columns;\n canvas_height=image->rows;\n x_offset=image->page.x;\n y_offset=image->page.y;\n image->page.x=0;\n image->page.y=0;\n }\n else\n {\n x_offset=0;\n y_offset=0;\n }\n webp_status=FillBasicWEBPInfo(image,stream,length,configure);\n image_width=image->columns;\n image_height=image->rows;\n if (is_first)\n {\n image->columns=canvas_width;\n image->rows=canvas_height;\n }\n\n if (webp_status != VP8_STATUS_OK)\n return(webp_status);\n\n if (IsWEBPImageLossless(stream,length) != MagickFalse)\n image->quality=100;\n\n webp_status=WebPDecode(stream,length,configure);\n if (webp_status != VP8_STATUS_OK)\n return(webp_status);\n\n p=(unsigned char *) webp_image->u.RGBA.rgba;\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n PixelPacket\n *q;\n\n ssize_t\n x;\n\n q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);\n if (q == (PixelPacket *) NULL)\n break;\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n if ((x >= x_offset && x < (ssize_t) (x_offset+image_width)) &&\n (y >= y_offset && y < (ssize_t) (y_offset+image_height)))\n {\n SetPixelRed(q,ScaleCharToQuantum(*p++));\n SetPixelGreen(q,ScaleCharToQuantum(*p++));\n SetPixelBlue(q,ScaleCharToQuantum(*p++));\n SetPixelAlpha(q,ScaleCharToQuantum(*p++));\n }\n else\n {\n SetPixelRed(q,0);\n SetPixelGreen(q,0);\n SetPixelBlue(q,0);\n SetPixelAlpha(q,0);\n }\n q++;\n }\n if (SyncAuthenticPixels(image,exception) == MagickFalse)\n break;\n status=SetImageProgress(image,LoadImageTag,(MagickOffsetType) y,\n image->rows);\n if 
(status == MagickFalse)\n break;\n }\n WebPFreeDecBuffer(webp_image);\n#if defined(MAGICKCORE_WEBPMUX_DELEGATE)\n {\n StringInfo\n *profile;\n\n uint32_t\n webp_flags = 0;\n\n WebPData\n chunk,\n content;\n\n WebPMux\n *mux;\n\n /*\n Extract any profiles:\n https://developers.google.com/speed/webp/docs/container-api.\n */\n content.bytes=stream;\n content.size=length;\n mux=WebPMuxCreate(&content,0);\n (void) memset(&chunk,0,sizeof(chunk));\n WebPMuxGetFeatures(mux,&webp_flags);\n if (webp_flags & ICCP_FLAG)\n {\n WebPMuxGetChunk(mux,\"ICCP\",&chunk);\n profile=BlobToStringInfo(chunk.bytes,chunk.size);\n if (profile != (StringInfo *) NULL)\n {\n SetImageProfile(image,\"ICC\",profile);\n profile=DestroyStringInfo(profile);\n }\n }\n if (webp_flags & EXIF_FLAG)\n {\n WebPMuxGetChunk(mux,\"EXIF\",&chunk);\n profile=BlobToStringInfo(chunk.bytes,chunk.size);\n if (profile != (StringInfo *) NULL)\n {\n SetImageProfile(image,\"EXIF\",profile);\n profile=DestroyStringInfo(profile);\n }\n }\n if (webp_flags & XMP_FLAG)\n {\n WebPMuxGetChunk(mux,\"XMP\",&chunk);\n profile=BlobToStringInfo(chunk.bytes,chunk.size);\n if (profile != (StringInfo *) NULL)\n {\n SetImageProfile(image,\"XMP\",profile);\n profile=DestroyStringInfo(profile);\n }\n }\n WebPMuxDelete(mux);\n }\n#endif\n return(webp_status);\n}",
- "project": "ImageMagick6",
- "hash": 12820978203361235442107047469631362612,
- "size": 158,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370819
- },
- {
- "func": "static MagickBooleanType IsWEBPImageLossless(const unsigned char *stream,\n const size_t length)\n{\n#define VP8_CHUNK_INDEX 15\n#define LOSSLESS_FLAG 'L'\n#define EXTENDED_HEADER 'X'\n#define VP8_CHUNK_HEADER \"VP8\"\n#define VP8_CHUNK_HEADER_SIZE 3\n#define RIFF_HEADER_SIZE 12\n#define VP8X_CHUNK_SIZE 10\n#define TAG_SIZE 4\n#define CHUNK_SIZE_BYTES 4\n#define CHUNK_HEADER_SIZE 8\n#define MAX_CHUNK_PAYLOAD (~0U-CHUNK_HEADER_SIZE-1)\n\n size_t\n offset;\n\n /*\n Read simple header.\n */\n if (length <= VP8_CHUNK_INDEX)\n return(MagickFalse);\n if (stream[VP8_CHUNK_INDEX] != EXTENDED_HEADER)\n return(stream[VP8_CHUNK_INDEX] == LOSSLESS_FLAG ? MagickTrue : MagickFalse);\n /*\n Read extended header.\n */\n offset=RIFF_HEADER_SIZE+TAG_SIZE+CHUNK_SIZE_BYTES+VP8X_CHUNK_SIZE;\n while (offset <= (length-TAG_SIZE-TAG_SIZE-4))\n {\n uint32_t\n chunk_size,\n chunk_size_pad;\n\n chunk_size=ReadWebPLSBWord(stream+offset+TAG_SIZE);\n if (chunk_size > MAX_CHUNK_PAYLOAD)\n break;\n chunk_size_pad=(CHUNK_HEADER_SIZE+chunk_size+1) & ~1;\n if (memcmp(stream+offset,VP8_CHUNK_HEADER,VP8_CHUNK_HEADER_SIZE) == 0)\n return(*(stream+offset+VP8_CHUNK_HEADER_SIZE) == LOSSLESS_FLAG ?\n MagickTrue : MagickFalse);\n offset+=chunk_size_pad;\n }\n return(MagickFalse);\n}",
- "project": "ImageMagick6",
- "hash": 249079409081482155472943587192510982574,
- "size": 46,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370807
- },
- {
- "func": "static inline uint32_t ReadWebPLSBWord(\n const unsigned char *magick_restrict data)\n{\n const unsigned char\n *p;\n\n uint32_t\n value;\n\n p=data;\n value=(uint32_t) (*p++);\n value|=((uint32_t) (*p++)) << 8;\n value|=((uint32_t) (*p++)) << 16;\n value|=((uint32_t) (*p++)) << 24;\n return(value);\n}",
- "project": "ImageMagick6",
- "hash": 129894979533153289444697853065786467565,
- "size": 16,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370812
- },
- {
- "func": "static int FillBasicWEBPInfo(Image *image,const uint8_t *stream,size_t length,\n WebPDecoderConfig *configure)\n{\n WebPBitstreamFeatures\n *magick_restrict features = &configure->input;\n\n int\n webp_status;\n\n webp_status=WebPGetFeatures(stream,length,features);\n\n if (webp_status != VP8_STATUS_OK)\n return(webp_status);\n\n image->columns=(size_t) features->width;\n image->rows=(size_t) features->height;\n image->depth=8;\n image->matte=features->has_alpha != 0 ? MagickTrue : MagickFalse;\n\n return(webp_status);\n}",
- "project": "ImageMagick6",
- "hash": 88954484969752509702488546595380577529,
- "size": 21,
- "commit_id": "a78d92dc0f468e79c3d761aae9707042952cdaca",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3176",
- "target": 0,
- "dataset": "other",
- "idx": 370815
- },
- {
- "func": "MagickExport void AcquireNextImage(const ImageInfo *image_info,Image *image)\n{\n /*\n Allocate image structure.\n */\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n image->next=AcquireImage(image_info);\n if (GetNextImageInList(image) == (Image *) NULL)\n return;\n (void) CopyMagickString(GetNextImageInList(image)->filename,image->filename,\n MaxTextExtent);\n if (image_info != (ImageInfo *) NULL)\n (void) CopyMagickString(GetNextImageInList(image)->filename,\n image_info->filename,MaxTextExtent);\n DestroyBlob(GetNextImageInList(image));\n image->next->blob=ReferenceBlob(image->blob);\n image->next->endian=image->endian;\n image->next->scene=image->scene+1;\n image->next->previous=image;\n}",
- "project": "ImageMagick6",
- "hash": 93917763940631088934569245499727034858,
- "size": 23,
- "commit_id": "27b1c74979ac473a430e266ff6c4b645664bc805",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/1522",
- "target": 0,
- "dataset": "other",
- "idx": 438543
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ofpact_init",
- "ofpact_put",
- "ofpbuf_pull"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "parse_CLONE(char *arg, const struct ofpact_parse_params *pp)\n{\n const size_t clone_offset = ofpacts_pull(pp->ofpacts);\n struct ofpact_nest *clone = ofpact_put_CLONE(pp->ofpacts);\n char *error;\n\n ofpbuf_pull(pp->ofpacts, sizeof *clone);\n error = ofpacts_parse_copy(arg, pp, false, 0);\n /* header points to the action list */\n pp->ofpacts->header = ofpbuf_push_uninit(pp->ofpacts, sizeof *clone);\n clone = pp->ofpacts->header;\n\n ofpact_finish_CLONE(pp->ofpacts, &clone);\n ofpbuf_push_uninit(pp->ofpacts, clone_offset);\n return error;\n}",
- "project": "ovs",
- "hash": 268068110960223550029143298353990801116,
- "size": 16,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280637
- },
- {
- "func": "ofpacts_pull(struct ofpbuf *ofpacts)\n{\n size_t ofs;\n\n ofs = ofpacts->size;\n ofpbuf_pull(ofpacts, ofs);\n\n return ofs;\n}",
- "project": "ovs",
- "hash": 241149981455944836988584478388982093886,
- "size": 9,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280855
- },
- {
- "func": "parse_WRITE_ACTIONS(char *arg, const struct ofpact_parse_params *pp)\n{\n size_t ofs = ofpacts_pull(pp->ofpacts);\n struct ofpact_nest *on;\n char *error;\n\n /* Add a Write-Actions instruction and then pull it off. */\n ofpact_put(pp->ofpacts, OFPACT_WRITE_ACTIONS, sizeof *on);\n ofpbuf_pull(pp->ofpacts, sizeof *on);\n\n /* Parse nested actions.\n *\n * We pulled off \"write-actions\" and the previous actions because the\n * OFPACT_WRITE_ACTIONS is only partially constructed: its length is such\n * that it doesn't actually include the nested actions. That means that\n * ofpacts_parse() would reject them as being part of an Apply-Actions that\n * follows a Write-Actions, which is an invalid order. */\n error = ofpacts_parse(arg, pp, false, OFPACT_WRITE_ACTIONS);\n\n /* Put the Write-Actions back on and update its length. */\n on = ofpbuf_push_uninit(pp->ofpacts, sizeof *on);\n on->ofpact.len = pp->ofpacts->size;\n\n /* Put any previous actions or instructions back on. */\n ofpbuf_push_uninit(pp->ofpacts, ofs);\n\n return error;\n}",
- "project": "ovs",
- "hash": 53314483554877060462350565047020467635,
- "size": 28,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280498
- },
- {
- "func": "ofpact_put(struct ofpbuf *ofpacts, enum ofpact_type type, size_t len)\n{\n struct ofpact *ofpact;\n\n ofpacts->header = ofpbuf_put_uninit(ofpacts, len);\n ofpact = ofpacts->header;\n ofpact_init(ofpact, type, len);\n return ofpact;\n}",
- "project": "ovs",
- "hash": 65309848014828324768184622354818925175,
- "size": 9,
- "commit_id": "65c61b0c23a0d474696d7b1cea522a5016a8aeb3",
- "message": "ofp-actions: Fix use-after-free while decoding RAW_ENCAP.\n\nWhile decoding RAW_ENCAP action, decode_ed_prop() might re-allocate\nofpbuf if there is no enough space left. However, function\n'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'\nstructure leading to write-after-free and incorrect decoding.\n\n ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address\n 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408\n WRITE of size 2 at 0x60600000011a thread T0\n #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20\n #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16\n #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21\n #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13\n #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12\n #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17\n #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13\n #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16\n #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21\n #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28\n #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9\n #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17\n #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5\n #13 0x5391ae in main utilities/ovs-ofctl.c:179:9\n #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)\n #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)\n\nFix that by getting a new pointer before using.\n\nCredit to OSS-Fuzz.\n\nFuzzer regression test will fail only with AddressSanitizer enabled.\n\nReported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851\nFixes: f839892a206a (\"OF support and translation of generic encap and decap\")\nAcked-by: William Tu <u9012063@gmail.com>\nSigned-off-by: Ilya Maximets <i.maximets@ovn.org>",
- "target": 0,
- "dataset": "other",
- "idx": 280495
- }
- ]
- },
- {
- "call_depth": 4,
- "longest_call_chain": [
- "uv__idna_toascii",
- "uv__idna_toascii_label",
- "uv__utf8_decode1",
- "uv__utf8_decode1_slow"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "unsigned uv__utf8_decode1(const char** p, const char* pe) {\n unsigned a;\n\n assert(*p < pe);\n\n a = (unsigned char) *(*p)++;\n\n if (a < 128)\n return a; /* ASCII, common case. */\n\n return uv__utf8_decode1_slow(p, pe, a);\n}",
- "project": "libuv",
- "hash": 260002193897560539801354049804924733762,
- "size": 12,
- "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae",
- "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>\nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig <cjihrig@gmail.com>\nReviewed-By: Richard Lau <riclau@uk.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 326147
- },
- {
- "func": "static unsigned uv__utf8_decode1_slow(const char** p,\n const char* pe,\n unsigned a) {\n unsigned b;\n unsigned c;\n unsigned d;\n unsigned min;\n\n if (a > 0xF7)\n return -1;\n\n switch (pe - *p) {\n default:\n if (a > 0xEF) {\n min = 0x10000;\n a = a & 7;\n b = (unsigned char) *(*p)++;\n c = (unsigned char) *(*p)++;\n d = (unsigned char) *(*p)++;\n break;\n }\n /* Fall through. */\n case 2:\n if (a > 0xDF) {\n min = 0x800;\n b = 0x80 | (a & 15);\n c = (unsigned char) *(*p)++;\n d = (unsigned char) *(*p)++;\n a = 0;\n break;\n }\n /* Fall through. */\n case 1:\n if (a > 0xBF) {\n min = 0x80;\n b = 0x80;\n c = 0x80 | (a & 31);\n d = (unsigned char) *(*p)++;\n a = 0;\n break;\n }\n /* Fall through. */\n case 0:\n return -1; /* Invalid continuation byte. */\n }\n\n if (0x80 != (0xC0 & (b ^ c ^ d)))\n return -1; /* Invalid sequence. */\n\n b &= 63;\n c &= 63;\n d &= 63;\n a = (a << 18) | (b << 12) | (c << 6) | d;\n\n if (a < min)\n return -1; /* Overlong sequence. */\n\n if (a > 0x10FFFF)\n return -1; /* Four-byte sequence > U+10FFFF. */\n\n if (a >= 0xD800 && a <= 0xDFFF)\n return -1; /* Surrogate pair. */\n\n return a;\n}",
- "project": "libuv",
- "hash": 72519685169788066819829832758156410439,
- "size": 65,
- "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae",
- "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>\nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig <cjihrig@gmail.com>\nReviewed-By: Richard Lau <riclau@uk.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 326144
- },
- {
- "func": "long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {\n const char* si;\n const char* st;\n unsigned c;\n char* ds;\n int rc;\n\n ds = d;\n\n for (si = s; si < se; /* empty */) {\n st = si;\n c = uv__utf8_decode1(&si, se);\n\n if (c != '.')\n if (c != 0x3002) /* 。 */\n if (c != 0xFF0E) /* . */\n if (c != 0xFF61) /* 。 */\n continue;\n\n rc = uv__idna_toascii_label(s, st, &d, de);\n\n if (rc < 0)\n return rc;\n\n if (d < de)\n *d++ = '.';\n\n s = si;\n }\n\n if (s < se) {\n rc = uv__idna_toascii_label(s, se, &d, de);\n\n if (rc < 0)\n return rc;\n }\n\n if (d < de)\n *d++ = '\\0';\n\n return d - ds; /* Number of bytes written. */\n}",
- "project": "libuv",
- "hash": 330726136045724320865601654107082283716,
- "size": 42,
- "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae",
- "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>\nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig <cjihrig@gmail.com>\nReviewed-By: Richard Lau <riclau@uk.ibm.com>",
- "target": 1,
- "dataset": "other",
- "idx": 201892
- },
- {
- "func": "long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {\n const char* si;\n const char* st;\n unsigned c;\n char* ds;\n int rc;\n\n ds = d;\n\n si = s;\n while (si < se) {\n st = si;\n c = uv__utf8_decode1(&si, se);\n\n if (c == -1u)\n return UV_EINVAL;\n\n if (c != '.')\n if (c != 0x3002) /* 。 */\n if (c != 0xFF0E) /* . */\n if (c != 0xFF61) /* 。 */\n continue;\n\n rc = uv__idna_toascii_label(s, st, &d, de);\n\n if (rc < 0)\n return rc;\n\n if (d < de)\n *d++ = '.';\n\n s = si;\n }\n\n if (s < se) {\n rc = uv__idna_toascii_label(s, se, &d, de);\n\n if (rc < 0)\n return rc;\n }\n\n if (d < de)\n *d++ = '\\0';\n\n return d - ds; /* Number of bytes written. */\n}",
- "project": "libuv",
- "hash": 143364374050282701014374410463146753253,
- "size": 46,
- "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae",
- "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>\nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig <cjihrig@gmail.com>\nReviewed-By: Richard Lau <riclau@uk.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 326145
- },
- {
- "func": "static int uv__idna_toascii_label(const char* s, const char* se,\n char** d, char* de) {\n static const char alphabet[] = \"abcdefghijklmnopqrstuvwxyz0123456789\";\n const char* ss;\n unsigned c;\n unsigned h;\n unsigned k;\n unsigned n;\n unsigned m;\n unsigned q;\n unsigned t;\n unsigned x;\n unsigned y;\n unsigned bias;\n unsigned delta;\n unsigned todo;\n int first;\n\n h = 0;\n ss = s;\n todo = 0;\n\n /* Note: after this loop we've visited all UTF-8 characters and know\n * they're legal so we no longer need to check for decode errors.\n */\n while (s < se) {\n c = uv__utf8_decode1(&s, se);\n\n if (c == -1u)\n return UV_EINVAL;\n\n if (c < 128)\n h++;\n else\n todo++;\n }\n\n /* Only write \"xn--\" when there are non-ASCII characters. */\n if (todo > 0) {\n if (*d < de) *(*d)++ = 'x';\n if (*d < de) *(*d)++ = 'n';\n if (*d < de) *(*d)++ = '-';\n if (*d < de) *(*d)++ = '-';\n }\n\n /* Write ASCII characters. */\n x = 0;\n s = ss;\n while (s < se) {\n c = uv__utf8_decode1(&s, se);\n assert(c != -1u);\n\n if (c > 127)\n continue;\n\n if (*d < de)\n *(*d)++ = c;\n\n if (++x == h)\n break; /* Visited all ASCII characters. */\n }\n\n if (todo == 0)\n return h;\n\n /* Only write separator when we've written ASCII characters first. */\n if (h > 0)\n if (*d < de)\n *(*d)++ = '-';\n\n n = 128;\n bias = 72;\n delta = 0;\n first = 1;\n\n while (todo > 0) {\n m = -1;\n s = ss;\n\n while (s < se) {\n c = uv__utf8_decode1(&s, se);\n assert(c != -1u);\n\n if (c >= n)\n if (c < m)\n m = c;\n }\n\n x = m - n;\n y = h + 1;\n\n if (x > ~delta / y)\n return UV_E2BIG; /* Overflow. */\n\n delta += x * y;\n n = m;\n\n s = ss;\n while (s < se) {\n c = uv__utf8_decode1(&s, se);\n assert(c != -1u);\n\n if (c < n)\n if (++delta == 0)\n return UV_E2BIG; /* Overflow. 
*/\n\n if (c != n)\n continue;\n\n for (k = 36, q = delta; /* empty */; k += 36) {\n t = 1;\n\n if (k > bias)\n t = k - bias;\n\n if (t > 26)\n t = 26;\n\n if (q < t)\n break;\n\n /* TODO(bnoordhuis) Since 1 <= t <= 26 and therefore\n * 10 <= y <= 35, we can optimize the long division\n * into a table-based reciprocal multiplication.\n */\n x = q - t;\n y = 36 - t; /* 10 <= y <= 35 since 1 <= t <= 26. */\n q = x / y;\n t = t + x % y; /* 1 <= t <= 35 because of y. */\n\n if (*d < de)\n *(*d)++ = alphabet[t];\n }\n\n if (*d < de)\n *(*d)++ = alphabet[q];\n\n delta /= 2;\n\n if (first) {\n delta /= 350;\n first = 0;\n }\n\n /* No overflow check is needed because |delta| was just\n * divided by 2 and |delta+delta >= delta + delta/h|.\n */\n h++;\n delta += delta / h;\n\n for (bias = 0; delta > 35 * 26 / 2; bias += 36)\n delta /= 35;\n\n bias += 36 * delta / (delta + 38);\n delta = 0;\n todo--;\n }\n\n delta++;\n n++;\n }\n\n return 0;\n}",
- "project": "libuv",
- "hash": 310982531914031347427892235781871884660,
- "size": 164,
- "commit_id": "b7466e31e4bee160d82a68fca11b1f61d46debae",
- "message": "idna: fix OOB read in punycode decoder\n\nlibuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()\nfunction which is used to convert strings to ASCII. This is called by\nthe DNS resolution function and can lead to information disclosures or\ncrashes.\n\nReported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.\n\nReported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>\nFixes: https://github.com/libuv/libuv/issues/3147\nPR-URL: https://github.com/libuv/libuv-private/pull/1\nRefs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918\nReviewed-By: Colin Ihrig <cjihrig@gmail.com>\nReviewed-By: Richard Lau <riclau@uk.ibm.com>",
- "target": 0,
- "dataset": "other",
- "idx": 326143
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "flac_dmx_process",
- "flac_dmx_check_pid",
- "flac_dmx_check_dur"
- ],
- "group_size": 8,
- "functions": [
- {
- "func": "static void flac_dmx_check_dur(GF_Filter *filter, GF_FLACDmxCtx *ctx)\n{\n\tu64 rate;\n\tFILE *stream;\n\tconst GF_PropertyValue *p;\n\tif (!ctx->opid || ctx->timescale || ctx->file_loaded) return;\n\n\tif (ctx->index<=0) {\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILEPATH);\n\tif (!p || !p->value.string || !strncmp(p->value.string, \"gmem://\", 7)) {\n\t\tctx->is_file = GF_FALSE;\n\t\tctx->file_loaded = GF_TRUE;\n\t\treturn;\n\t}\n\tctx->is_file = GF_TRUE;\n\n\tstream = gf_fopen(p->value.string, \"rb\");\n\tif (!stream) return;\n\tgf_fseek(stream, 0, SEEK_END);\n\n\trate = gf_ftell(stream);\n\tgf_fclose(stream);\n\tif (ctx->duration.num && !gf_sys_is_test_mode() ) {\n\t\trate *= 8 * ctx->duration.den;\n\t\trate /= ctx->duration.num;\n\t\tctx->bitrate = (u32) rate;\n\t}\n\n\tp = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED);\n\tif (p && p->value.boolean) ctx->file_loaded = GF_TRUE;\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_TRUE ) );\n}",
- "project": "gpac",
- "hash": 304549050216772881525607651146853564021,
- "size": 36,
- "commit_id": "da69ad1f970a7e17c865eaec9af98cc84df10d5b",
- "message": "fixed 1718",
- "target": 0,
- "dataset": "other",
- "idx": 255790
- },
- {
- "func": "static GFINLINE void flac_dmx_update_cts(GF_FLACDmxCtx *ctx, u32 nb_samp)\n{\n\tif (ctx->timescale) {\n\t\tu64 inc = nb_samp;\n\t\tinc *= ctx->timescale;\n\t\tinc /= ctx->sample_rate;\n\t\tctx->cts += inc;\n\t} else {\n\t\tctx->cts += nb_samp;\n\t}\n}",
- "project": "gpac",
- "hash": 258395584338445488219493502543517666020,
- "size": 11,
- "commit_id": "da69ad1f970a7e17c865eaec9af98cc84df10d5b",
- "message": "fixed 1718",
- "target": 0,
- "dataset": "other",
- "idx": 255792
- },
- {
- "func": "GF_Err flac_dmx_process(GF_Filter *filter)\n{\n\tGF_FLACDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu8 *output;\n\tu8 *start;\n\tBool final_flush=GF_FALSE;\n\tu32 pck_size, remain, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\tFLACHeader hdr;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tflac_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->flac_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t\tfinal_flush = GF_TRUE;\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\n\tprev_pck_size = ctx->flac_buffer_size;\n\tif (pck && !ctx->resume_from) {\n\t\tu8 *data = (u8 *) gf_filter_pck_get_data(pck, &pck_size);\n\n\t\tif (ctx->byte_offset != GF_FILTER_NO_BO) {\n\t\t\tu64 byte_offset = gf_filter_pck_get_byte_offset(pck);\n\t\t\tif (!ctx->flac_buffer_size) {\n\t\t\t\tctx->byte_offset = byte_offset;\n\t\t\t} else if (ctx->byte_offset + ctx->flac_buffer_size != byte_offset) {\n\t\t\t\tctx->byte_offset = GF_FILTER_NO_BO;\n\t\t\t\tif ((byte_offset != GF_FILTER_NO_BO) && (byte_offset>ctx->flac_buffer_size) ) {\n\t\t\t\t\tctx->byte_offset = byte_offset - ctx->flac_buffer_size;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (ctx->flac_buffer_size + pck_size > ctx->flac_buffer_alloc) {\n\t\t\tctx->flac_buffer_alloc = ctx->flac_buffer_size + pck_size;\n\t\t\tctx->flac_buffer = gf_realloc(ctx->flac_buffer, ctx->flac_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->flac_buffer + ctx->flac_buffer_size, data, pck_size);\n\t\tctx->flac_buffer_size += pck_size;\n\t}\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif (ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tif 
(cts == GF_FILTER_NO_TS) {\n\t\t//avoids updating cts\n\t\tprev_pck_size = 0;\n\t}\n\n\tremain = ctx->flac_buffer_size;\n\tstart = ctx->flac_buffer;\n\n\tif (ctx->resume_from) {\n\t\tstart += ctx->resume_from - 1;\n\t\tremain -= ctx->resume_from - 1;\n\t\tctx->resume_from = 0;\n\t}\n\n\twhile (remain>2) {\n\t\tu32 next_frame=0, nb_samp;\n\t\tu32 cur_size = remain-2;\n\t\tu8 *cur_buf = start+2;\n\t\tu8 *hdr_start = NULL;\n\n\t\tif (final_flush) {\n\t\t\tnext_frame = remain;\n\t\t} else {\n\t\t\twhile (cur_size) {\n\t\t\t\t//wait till we have a frame header\n\t\t\t\thdr_start = memchr(cur_buf, 0xFF, cur_size);\n\t\t\t\tif (!hdr_start) break;\n\t\t\t\tnext_frame = (u32) (hdr_start-start);\n\t\t\t\tif (next_frame == remain)\n\t\t\t\t\tbreak;\n\n\t\t\t\tif ((hdr_start[1]&0xFC) == 0xF8) {\n\t\t\t\t\tif (flac_parse_header(ctx, hdr_start, (u32) remain - next_frame, &hdr))\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcur_buf = hdr_start+1;\n\t\t\t\tcur_size = (u32) (cur_buf - start);\n\t\t\t\tassert(cur_size<=remain);\n\t\t\t\tcur_size = remain - cur_size;\n\t\t\t\thdr_start = NULL;\n\t\t\t}\n\t\t\tif (!hdr_start) break;\n\t\t\tif (next_frame == remain)\n\t\t\t\tbreak;\n\t\t}\n\n\n\t\tif (!ctx->initialized) {\n\t\t\tu32 size = next_frame;\n\t\t\tu32 dsi_end = 0;\n\t\t\t//we have a header\n\t\t\tgf_bs_reassign_buffer(ctx->bs, ctx->flac_buffer, size);\n\t\t\tu32 magic = gf_bs_read_u32(ctx->bs);\n\t\t\tif (magic != GF_4CC('f','L','a','C')) {\n\n\t\t\t}\n\t\t\twhile (gf_bs_available(ctx->bs)) {\n\t\t\t\tBool last = gf_bs_read_int(ctx->bs, 1);\n\t\t\t\tu32 type = gf_bs_read_int(ctx->bs, 7);\n\t\t\t\tu32 len = gf_bs_read_int(ctx->bs, 24);\n\n\t\t\t\tif (type==0) {\n\t\t\t\t\tu16 min_block_size = gf_bs_read_u16(ctx->bs);\n\t\t\t\t\tu16 max_block_size = gf_bs_read_u16(ctx->bs);\n\t\t\t\t\t/*u32 min_frame_size = */gf_bs_read_u24(ctx->bs);\n\t\t\t\t\t/*u32 max_frame_size = */gf_bs_read_u24(ctx->bs);\n\t\t\t\t\tctx->sample_rate = gf_bs_read_int(ctx->bs, 20);\n\t\t\t\t\tctx->nb_channels = 1 
+ gf_bs_read_int(ctx->bs, 3);\n\t\t\t\t\tctx->bits_per_sample = 1 + gf_bs_read_int(ctx->bs, 5);\n\t\t\t\t\tif (min_block_size==max_block_size) ctx->block_size = min_block_size;\n\t\t\t\t\telse ctx->block_size = 0;\n\n\t\t\t\t\tctx->duration.num = gf_bs_read_long_int(ctx->bs, 36);\n\t\t\t\t\tctx->duration.den = ctx->sample_rate;\n\t\t\t\t\t//ignore the rest\n\t\t\t\t\tgf_bs_skip_bytes(ctx->bs, 16);\n\t\t\t\t\tdsi_end = (u32) gf_bs_get_position(ctx->bs);\n\n\t\t\t\t} else {\n\t\t\t\t\t//ignore the rest for now\n\t\t\t\t\t//TODO: expose metadata, pictures and co\n\t\t\t\t\tgf_bs_skip_bytes(ctx->bs, len);\n\t\t\t\t}\n\t\t\t\tif (last) break;\n\t\t\t}\n\t\t\tflac_dmx_check_pid(filter, ctx, ctx->flac_buffer+4, dsi_end-4);\n\t\t\tremain -= size;\n\t\t\tstart += size;\n\t\t\tctx->initialized = GF_TRUE;\n\t\t\tif (!ctx->is_playing) break;\n\t\t\tcontinue;\n\t\t}\n\n\t\t//we have a next frame, check we are synchronize\n\t\tif ((start[0] != 0xFF) && ((start[1]&0xFC) != 0xF8)) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"[FLACDmx] invalid frame, droping %d bytes and resyncing\\n\", next_frame));\n\t\t\tstart += next_frame;\n\t\t\tremain -= next_frame;\n\t\t\tcontinue;\n\t\t}\n\n\t\tflac_parse_header(ctx,start, next_frame, &hdr);\n\t\tif (hdr.sample_rate != ctx->sample_rate) {\n\t\t\tctx->sample_rate = hdr.sample_rate;\n\t\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLE_RATE, & PROP_UINT(ctx->sample_rate));\n\t\t}\n\n\t\tnb_samp = hdr.block_size;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * ctx->sample_rate);\n\t\t\tif (ctx->cts + nb_samp >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + nb_samp ) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tif (ctx->timescale && !prev_pck_size && (cts != GF_FILTER_NO_TS) ) {\n\t\t\tctx->cts = cts;\n\t\t\tcts = GF_FILTER_NO_TS;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, next_frame, 
&output);\n\t\t\tmemcpy(output, start, next_frame);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tif (!ctx->timescale || (ctx->timescale==ctx->sample_rate) )\n\t\t\t\tgf_filter_pck_set_duration(dst_pck, nb_samp);\n\t\t\telse {\n\t\t\t\tgf_filter_pck_set_duration(dst_pck, (nb_samp * ctx->timescale) / ctx->sample_rate);\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, GF_FILTER_SAP_1);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\tif (ctx->byte_offset != GF_FILTER_NO_BO) {\n\t\t\t\tgf_filter_pck_set_byte_offset(dst_pck, ctx->byte_offset);\n\t\t\t}\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tflac_dmx_update_cts(ctx, nb_samp);\n\n\t\tassert (start[0] == 0xFF);\n\t\tassert((start[1]&0xFC) == 0xF8);\n\n\t\tstart += next_frame;\n\t\tassert(remain >= next_frame);\n\t\tremain -= next_frame;\n\n\t}\n\n\tif (!pck) {\n\t\tctx->flac_buffer_size = 0;\n\t\treturn flac_dmx_process(filter);\n\t} else {\n\t\tif (remain < ctx->flac_buffer_size) {\n\t\t\tmemmove(ctx->flac_buffer, start, remain);\n\t\t}\n\t\tctx->flac_buffer_size = remain;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t}\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 181202795714431631737649125597649664622,
- "size": 226,
- "commit_id": "da69ad1f970a7e17c865eaec9af98cc84df10d5b",
- "message": "fixed 1718",
- "target": 1,
- "dataset": "other",
- "idx": 197240
- },
- {
- "func": "GF_Err flac_dmx_process(GF_Filter *filter)\n{\n\tGF_FLACDmxCtx *ctx = gf_filter_get_udta(filter);\n\tGF_FilterPacket *pck, *dst_pck;\n\tu8 *output;\n\tu8 *start;\n\tBool final_flush=GF_FALSE;\n\tu32 pck_size, remain, prev_pck_size;\n\tu64 cts = GF_FILTER_NO_TS;\n\tFLACHeader hdr;\n\n\tif (ctx->in_error)\n\t\treturn GF_NON_COMPLIANT_BITSTREAM;\n\n\t//always reparse duration\n\tif (!ctx->duration.num)\n\t\tflac_dmx_check_dur(filter, ctx);\n\n\tif (ctx->opid && !ctx->is_playing)\n\t\treturn GF_OK;\n\n\tpck = gf_filter_pid_get_packet(ctx->ipid);\n\tif (!pck) {\n\t\tif (gf_filter_pid_is_eos(ctx->ipid)) {\n\t\t\tif (!ctx->flac_buffer_size) {\n\t\t\t\tif (ctx->opid)\n\t\t\t\t\tgf_filter_pid_set_eos(ctx->opid);\n\t\t\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\t\t\tctx->src_pck = NULL;\n\t\t\t\treturn GF_EOS;\n\t\t\t}\n\t\t\tfinal_flush = GF_TRUE;\n\t\t} else {\n\t\t\treturn GF_OK;\n\t\t}\n\t}\n\n\tprev_pck_size = ctx->flac_buffer_size;\n\tif (pck && !ctx->resume_from) {\n\t\tu8 *data = (u8 *) gf_filter_pck_get_data(pck, &pck_size);\n\n\t\tif (ctx->byte_offset != GF_FILTER_NO_BO) {\n\t\t\tu64 byte_offset = gf_filter_pck_get_byte_offset(pck);\n\t\t\tif (!ctx->flac_buffer_size) {\n\t\t\t\tctx->byte_offset = byte_offset;\n\t\t\t} else if (ctx->byte_offset + ctx->flac_buffer_size != byte_offset) {\n\t\t\t\tctx->byte_offset = GF_FILTER_NO_BO;\n\t\t\t\tif ((byte_offset != GF_FILTER_NO_BO) && (byte_offset>ctx->flac_buffer_size) ) {\n\t\t\t\t\tctx->byte_offset = byte_offset - ctx->flac_buffer_size;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (ctx->flac_buffer_size + pck_size > ctx->flac_buffer_alloc) {\n\t\t\tctx->flac_buffer_alloc = ctx->flac_buffer_size + pck_size;\n\t\t\tctx->flac_buffer = gf_realloc(ctx->flac_buffer, ctx->flac_buffer_alloc);\n\t\t}\n\t\tmemcpy(ctx->flac_buffer + ctx->flac_buffer_size, data, pck_size);\n\t\tctx->flac_buffer_size += pck_size;\n\t}\n\n\t//input pid sets some timescale - we flushed pending data , update cts\n\tif 
(ctx->timescale && pck) {\n\t\tcts = gf_filter_pck_get_cts(pck);\n\t}\n\n\tif (cts == GF_FILTER_NO_TS) {\n\t\t//avoids updating cts\n\t\tprev_pck_size = 0;\n\t}\n\n\tremain = ctx->flac_buffer_size;\n\tstart = ctx->flac_buffer;\n\n\tif (ctx->resume_from) {\n\t\tstart += ctx->resume_from - 1;\n\t\tremain -= ctx->resume_from - 1;\n\t\tctx->resume_from = 0;\n\t}\n\n\twhile (remain>2) {\n\t\tu32 next_frame=0, nb_samp;\n\t\tu32 cur_size = remain-2;\n\t\tu8 *cur_buf = start+2;\n\t\tu8 *hdr_start = NULL;\n\n\t\tif (final_flush) {\n\t\t\tnext_frame = remain;\n\t\t} else {\n\t\t\twhile (cur_size) {\n\t\t\t\t//wait till we have a frame header\n\t\t\t\thdr_start = memchr(cur_buf, 0xFF, cur_size);\n\t\t\t\tif (!hdr_start) break;\n\t\t\t\tnext_frame = (u32) (hdr_start-start);\n\t\t\t\tif (next_frame == remain)\n\t\t\t\t\tbreak;\n\n\t\t\t\tif ((hdr_start[1]&0xFC) == 0xF8) {\n\t\t\t\t\tif (flac_parse_header(ctx, hdr_start, (u32) remain - next_frame, &hdr))\n\t\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t\tcur_buf = hdr_start+1;\n\t\t\t\tcur_size = (u32) (cur_buf - start);\n\t\t\t\tassert(cur_size<=remain);\n\t\t\t\tcur_size = remain - cur_size;\n\t\t\t\thdr_start = NULL;\n\t\t\t}\n\t\t\tif (!hdr_start) break;\n\t\t\tif (next_frame == remain)\n\t\t\t\tbreak;\n\t\t}\n\n\n\t\tif (!ctx->initialized) {\n\t\t\tu32 size = next_frame;\n\t\t\tu32 dsi_end = 0;\n\t\t\t//we have a header\n\t\t\tgf_bs_reassign_buffer(ctx->bs, ctx->flac_buffer, size);\n\t\t\tu32 magic = gf_bs_read_u32(ctx->bs);\n\t\t\tif (magic != GF_4CC('f','L','a','C')) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[FLACDmx] invalid FLAC magic\\n\"));\n\t\t\t\tctx->in_error = GF_TRUE;\n\t\t\t\tctx->flac_buffer_size = 0;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\t\t\treturn GF_NON_COMPLIANT_BITSTREAM;\n\t\t\t}\n\t\t\twhile (gf_bs_available(ctx->bs)) {\n\t\t\t\tBool last = gf_bs_read_int(ctx->bs, 1);\n\t\t\t\tu32 type = gf_bs_read_int(ctx->bs, 7);\n\t\t\t\tu32 len = gf_bs_read_int(ctx->bs, 
24);\n\n\t\t\t\tif (type==0) {\n\t\t\t\t\tu16 min_block_size = gf_bs_read_u16(ctx->bs);\n\t\t\t\t\tu16 max_block_size = gf_bs_read_u16(ctx->bs);\n\t\t\t\t\t/*u32 min_frame_size = */gf_bs_read_u24(ctx->bs);\n\t\t\t\t\t/*u32 max_frame_size = */gf_bs_read_u24(ctx->bs);\n\t\t\t\t\tctx->sample_rate = gf_bs_read_int(ctx->bs, 20);\n\t\t\t\t\tctx->nb_channels = 1 + gf_bs_read_int(ctx->bs, 3);\n\t\t\t\t\tctx->bits_per_sample = 1 + gf_bs_read_int(ctx->bs, 5);\n\t\t\t\t\tif (min_block_size==max_block_size) ctx->block_size = min_block_size;\n\t\t\t\t\telse ctx->block_size = 0;\n\n\t\t\t\t\tctx->duration.num = gf_bs_read_long_int(ctx->bs, 36);\n\t\t\t\t\tctx->duration.den = ctx->sample_rate;\n\t\t\t\t\t//ignore the rest\n\t\t\t\t\tgf_bs_skip_bytes(ctx->bs, 16);\n\t\t\t\t\tdsi_end = (u32) gf_bs_get_position(ctx->bs);\n\n\t\t\t\t} else {\n\t\t\t\t\t//ignore the rest for now\n\t\t\t\t\t//TODO: expose metadata, pictures and co\n\t\t\t\t\tgf_bs_skip_bytes(ctx->bs, len);\n\t\t\t\t}\n\t\t\t\tif (last) break;\n\t\t\t}\n\t\t\tif (!dsi_end) {\n\t\t\t\tGF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, (\"[FLACDmx] invalid FLAC header\\n\"));\n\t\t\t\tctx->in_error = GF_TRUE;\n\t\t\t\tctx->flac_buffer_size = 0;\n\t\t\t\tif (pck)\n\t\t\t\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t\t\t\treturn GF_NON_COMPLIANT_BITSTREAM;\n\t\t\t}\n\t\t\tflac_dmx_check_pid(filter, ctx, ctx->flac_buffer+4, dsi_end-4);\n\t\t\tremain -= size;\n\t\t\tstart += size;\n\t\t\tctx->initialized = GF_TRUE;\n\t\t\tif (!ctx->is_playing) break;\n\t\t\tcontinue;\n\t\t}\n\n\t\t//we have a next frame, check we are synchronize\n\t\tif ((start[0] != 0xFF) && ((start[1]&0xFC) != 0xF8)) {\n\t\t\tGF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, (\"[FLACDmx] invalid frame, droping %d bytes and resyncing\\n\", next_frame));\n\t\t\tstart += next_frame;\n\t\t\tremain -= next_frame;\n\t\t\tcontinue;\n\t\t}\n\n\t\tflac_parse_header(ctx,start, next_frame, &hdr);\n\t\tif (hdr.sample_rate != ctx->sample_rate) {\n\t\t\tctx->sample_rate = 
hdr.sample_rate;\n\t\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLE_RATE, & PROP_UINT(ctx->sample_rate));\n\t\t}\n\n\t\tnb_samp = hdr.block_size;\n\n\t\tif (ctx->in_seek) {\n\t\t\tu64 nb_samples_at_seek = (u64) (ctx->start_range * ctx->sample_rate);\n\t\t\tif (ctx->cts + nb_samp >= nb_samples_at_seek) {\n\t\t\t\t//u32 samples_to_discard = (ctx->cts + nb_samp ) - nb_samples_at_seek;\n\t\t\t\tctx->in_seek = GF_FALSE;\n\t\t\t}\n\t\t}\n\n\t\tif (ctx->timescale && !prev_pck_size && (cts != GF_FILTER_NO_TS) ) {\n\t\t\tctx->cts = cts;\n\t\t\tcts = GF_FILTER_NO_TS;\n\t\t}\n\n\t\tif (!ctx->in_seek) {\n\t\t\tdst_pck = gf_filter_pck_new_alloc(ctx->opid, next_frame, &output);\n\t\t\tmemcpy(output, start, next_frame);\n\n\t\t\tgf_filter_pck_set_cts(dst_pck, ctx->cts);\n\t\t\tif (!ctx->timescale || (ctx->timescale==ctx->sample_rate) )\n\t\t\t\tgf_filter_pck_set_duration(dst_pck, nb_samp);\n\t\t\telse {\n\t\t\t\tgf_filter_pck_set_duration(dst_pck, (nb_samp * ctx->timescale) / ctx->sample_rate);\n\t\t\t}\n\t\t\tgf_filter_pck_set_sap(dst_pck, GF_FILTER_SAP_1);\n\t\t\tgf_filter_pck_set_framing(dst_pck, GF_TRUE, GF_TRUE);\n\n\t\t\tif (ctx->byte_offset != GF_FILTER_NO_BO) {\n\t\t\t\tgf_filter_pck_set_byte_offset(dst_pck, ctx->byte_offset);\n\t\t\t}\n\t\t\tgf_filter_pck_send(dst_pck);\n\t\t}\n\t\tflac_dmx_update_cts(ctx, nb_samp);\n\n\t\tassert (start[0] == 0xFF);\n\t\tassert((start[1]&0xFC) == 0xF8);\n\n\t\tstart += next_frame;\n\t\tassert(remain >= next_frame);\n\t\tremain -= next_frame;\n\n\t}\n\n\tif (!pck) {\n\t\tctx->flac_buffer_size = 0;\n\t\treturn flac_dmx_process(filter);\n\t} else {\n\t\tif (remain < ctx->flac_buffer_size) {\n\t\t\tmemmove(ctx->flac_buffer, start, remain);\n\t\t}\n\t\tctx->flac_buffer_size = remain;\n\t\tgf_filter_pid_drop_packet(ctx->ipid);\n\t}\n\treturn GF_OK;\n}",
- "project": "gpac",
- "hash": 45890451895495219456520744515811279483,
- "size": 242,
- "commit_id": "da69ad1f970a7e17c865eaec9af98cc84df10d5b",
- "message": "fixed 1718",
- "target": 0,
- "dataset": "other",
- "idx": 255791
- },
- {
- "func": "u8 flac_dmx_crc8(u8 *data, u32 len)\n{\n\tu8 crc = 0;\n\twhile (len--)\n\t\tcrc = flac_dmx_crc8_table[crc ^ *data++];\n\treturn crc;\n}",
- "project": "gpac",
- "hash": 65863343115187189429305351586214591876,
- "size": 7,
- "commit_id": "da69ad1f970a7e17c865eaec9af98cc84df10d5b",
- "message": "fixed 1718",
- "target": 0,
- "dataset": "other",
- "idx": 255795
- },
- {
- "func": "static void flac_dmx_check_pid(GF_Filter *filter, GF_FLACDmxCtx *ctx, u8 *dsi, u32 dsi_size)\n{\n\tif (!ctx->opid) {\n\t\tctx->opid = gf_filter_pid_new(filter);\n\t\tflac_dmx_check_dur(filter, ctx);\n\t}\n\t//copy properties at init or reconfig\n\tgf_filter_pid_copy_properties(ctx->opid, ctx->ipid);\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_STREAM_TYPE, & PROP_UINT( GF_STREAM_AUDIO));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_UNFRAMED, NULL );\n\tif (ctx->is_file && ctx->index) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_PLAYBACK_MODE, & PROP_UINT(GF_PLAYBACK_MODE_FASTFORWARD) );\n\t}\n\tif (ctx->duration.num)\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));\n\n\tif (!ctx->timescale) gf_filter_pid_set_name(ctx->opid, \"audio\");\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DECODER_CONFIG, & PROP_DATA( dsi, dsi_size ) );\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CODECID, & PROP_UINT( GF_CODECID_FLAC ) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_TIMESCALE, & PROP_UINT(ctx->timescale ? ctx->timescale : ctx->sample_rate));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLE_RATE, & PROP_UINT(ctx->sample_rate));\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_NUM_CHANNELS, & PROP_UINT(ctx->nb_channels) );\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_SAMPLES_PER_FRAME, & PROP_UINT(ctx->block_size) );\n\n\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_AUDIO_BPS, & PROP_UINT(ctx->bits_per_sample) );\n\n\tif (ctx->bitrate) {\n\t\tgf_filter_pid_set_property(ctx->opid, GF_PROP_PID_BITRATE, & PROP_UINT(ctx->bitrate));\n\t}\n\n}",
- "project": "gpac",
- "hash": 232540434167310452360376027909602133833,
- "size": 33,
- "commit_id": "da69ad1f970a7e17c865eaec9af98cc84df10d5b",
- "message": "fixed 1718",
- "target": 0,
- "dataset": "other",
- "idx": 255794
- },
- {
- "func": "static Bool flac_parse_header(GF_FLACDmxCtx *ctx, char *data, u32 size, FLACHeader *hdr)\n{\n\tu32 block_size, sample_rate, res, top, pos, crc, crc_hdr;\n\n\tgf_bs_reassign_buffer(ctx->bs, data, size);\n\tgf_bs_read_int(ctx->bs, 15);\n\t/*block_strategy = */gf_bs_read_int(ctx->bs, 1);\n\tblock_size = gf_bs_read_int(ctx->bs, 4);\n\tsample_rate = gf_bs_read_int(ctx->bs, 4);\n\t/*u32 channel_layout = */gf_bs_read_int(ctx->bs, 4);\n\t/*u32 bps = */gf_bs_read_int(ctx->bs, 3);\n\tgf_bs_read_int(ctx->bs, 1);\n\n\tres = gf_bs_read_u8(ctx->bs);\n\ttop = (res & 128) >> 1;\n\tif ((res & 0xC0) == 0x80 || (res >= 0xFE)) return GF_FALSE;\n\twhile (res & top) {\n\t\ts32 tmp = gf_bs_read_u8(ctx->bs);\n\t\ttmp -= 128;\n\t\tif(tmp>>6)\n\t\t\treturn GF_FALSE;\n\t\tres = (res<<6) + tmp;\n\t\ttop <<= 5;\n\t}\n\t//res &= (top << 1) - 1;\n\n\tif (block_size==6) block_size = 1 + gf_bs_read_int(ctx->bs, 8);\n\telse if (block_size==7) block_size = 1 + gf_bs_read_int(ctx->bs, 16);\n\telse {\n\t\tblock_size = flac_dmx_block_sizes[block_size];\n\t}\n\n#if 0\n\tif (bps==0) bps = ctx->bits_per_sample;\n\telse if (bps==1) bps = 8;\n\telse if (bps==2) bps = 12;\n\telse if (bps==4) bps = 16;\n\telse if (bps==5) bps = 20;\n\telse if (bps==6) bps = 24;\n#endif\n\n\tif (sample_rate==0) sample_rate = ctx->sample_rate;\n\telse if ((sample_rate&0xC)==0xC) {\n\t\tif (sample_rate==0xC) sample_rate = gf_bs_read_u8(ctx->bs);\n\t\telse if (sample_rate==0xD) sample_rate = gf_bs_read_u16(ctx->bs);\n\t\telse if (sample_rate==0xE) sample_rate = 10*gf_bs_read_u16(ctx->bs);\n\t} else {\n\t\tsample_rate = flac_dmx_samplerates[sample_rate];\n\t}\n\n\tpos = (u32) gf_bs_get_position(ctx->bs);\n\n\tcrc = gf_bs_read_u8(ctx->bs);\n\tcrc_hdr = flac_dmx_crc8(data, pos);\n\n\tif (crc != crc_hdr) {\n\t\treturn GF_FALSE;\n\t}\n\thdr->sample_rate = sample_rate;\n\thdr->block_size = block_size;\n\treturn GF_TRUE;\n}",
- "project": "gpac",
- "hash": 146940138001565824367237928998902629345,
- "size": 62,
- "commit_id": "da69ad1f970a7e17c865eaec9af98cc84df10d5b",
- "message": "fixed 1718",
- "target": 0,
- "dataset": "other",
- "idx": 255800
- },
- {
- "func": "static Bool flac_dmx_process_event(GF_Filter *filter, const GF_FilterEvent *evt)\n{\n\tu32 i;\n\tGF_FilterEvent fevt;\n\tGF_FLACDmxCtx *ctx = gf_filter_get_udta(filter);\n\n\tif (evt->base.on_pid != ctx->opid) return GF_TRUE;\n\n\tswitch (evt->base.type) {\n\tcase GF_FEVT_PLAY:\n\t\tif (!ctx->is_playing) {\n\t\t\tctx->is_playing = GF_TRUE;\n\t\t}\n\t\tif (! ctx->is_file) {\n\t\t\tif (evt->play.start_range || ctx->initial_play_done) {\n\t\t\t\tctx->flac_buffer_size = 0;\n\t\t\t\tctx->resume_from = 0;\n\t\t\t}\n\t\t\tctx->initial_play_done = GF_TRUE;\n\t\t\treturn GF_FALSE;\n\t\t}\n\t\tflac_dmx_check_dur(filter, ctx);\n\n\t\tctx->start_range = evt->play.start_range;\n\t\tctx->in_seek = GF_TRUE;\n\t\tctx->file_pos = 0;\n\t\tif (ctx->start_range) {\n\t\t\tfor (i=1; i<ctx->index_size; i++) {\n\t\t\t\tif (ctx->indexes[i].duration>ctx->start_range) {\n\t\t\t\t\tctx->cts = (u64) (ctx->indexes[i-1].duration * ctx->sample_rate);\n\t\t\t\t\tctx->file_pos = ctx->indexes[i-1].pos;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!ctx->initial_play_done) {\n\t\t\tctx->initial_play_done = GF_TRUE;\n\t\t\t//seek will not change the current source state, don't send a seek\n\t\t\tif (!ctx->file_pos)\n\t\t\t\treturn GF_TRUE;\n\t\t}\n\t\tctx->flac_buffer_size = 0;\n\t\tctx->resume_from = 0;\n\t\t//post a seek\n\t\tGF_FEVT_INIT(fevt, GF_FEVT_SOURCE_SEEK, ctx->ipid);\n\t\tfevt.seek.start_offset = ctx->file_pos;\n\t\tgf_filter_pid_send_event(ctx->ipid, &fevt);\n\n\t\t//cancel event\n\t\treturn GF_TRUE;\n\n\tcase GF_FEVT_STOP:\n\t\tctx->is_playing = GF_FALSE;\n\t\tif (ctx->src_pck) gf_filter_pck_unref(ctx->src_pck);\n\t\tctx->src_pck = NULL;\n\t\t//don't cancel event\n\t\treturn GF_FALSE;\n\n\tcase GF_FEVT_SET_SPEED:\n\t\t//cancel event\n\t\treturn GF_TRUE;\n\tdefault:\n\t\tbreak;\n\t}\n\t//by default don't cancel event - to rework once we have downloading in place\n\treturn GF_FALSE;\n}",
- "project": "gpac",
- "hash": 58796678165220143132545903613880864650,
- "size": 67,
- "commit_id": "da69ad1f970a7e17c865eaec9af98cc84df10d5b",
- "message": "fixed 1718",
- "target": 0,
- "dataset": "other",
- "idx": 255799
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "udp_recvmsg",
- "skb_consume_udp",
- "udp_skb_has_head_state"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static bool udp_skb_has_head_state(struct sk_buff *skb)\n{\n\treturn !(udp_skb_scratch(skb)->_tsize_state & UDP_SKB_IS_STATELESS);\n}",
- "project": "net",
- "hash": 75596643897424437307341242919964130006,
- "size": 4,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468928
- },
- {
- "func": "void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len)\n{\n\tif (unlikely(READ_ONCE(sk->sk_peek_off) >= 0)) {\n\t\tbool slow = lock_sock_fast(sk);\n\n\t\tsk_peek_offset_bwd(sk, len);\n\t\tunlock_sock_fast(sk, slow);\n\t}\n\n\t/* In the more common cases we cleared the head states previously,\n\t * see __udp_queue_rcv_skb().\n\t */\n\tif (unlikely(udp_skb_has_head_state(skb)))\n\t\tskb_release_head_state(skb);\n\tconsume_stateless_skb(skb);\n}",
- "project": "net",
- "hash": 225943577854652223116887108482932336234,
- "size": 16,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468934
- },
- {
- "func": "int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,\n\t\tint flags, int *addr_len)\n{\n\tstruct inet_sock *inet = inet_sk(sk);\n\tDECLARE_SOCKADDR(struct sockaddr_in *, sin, msg->msg_name);\n\tstruct sk_buff *skb;\n\tunsigned int ulen, copied;\n\tint peeked, peeking, off;\n\tint err;\n\tint is_udplite = IS_UDPLITE(sk);\n\tbool checksum_valid = false;\n\n\tif (flags & MSG_ERRQUEUE)\n\t\treturn ip_recv_error(sk, msg, len, addr_len);\n\ntry_again:\n\tpeeking = off = sk_peek_offset(sk, flags);\n\tskb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);\n\tif (!skb)\n\t\treturn err;\n\n\tulen = udp_skb_len(skb);\n\tcopied = len;\n\tif (copied > ulen - off)\n\t\tcopied = ulen - off;\n\telse if (copied < ulen)\n\t\tmsg->msg_flags |= MSG_TRUNC;\n\n\t/*\n\t * If checksum is needed at all, try to do it while copying the\n\t * data. If the data is truncated, or if we only want a partial\n\t * coverage checksum (UDP-Lite), do it before the copy.\n\t */\n\n\tif (copied < ulen || peeking ||\n\t (is_udplite && UDP_SKB_CB(skb)->partial_cov)) {\n\t\tchecksum_valid = udp_skb_csum_unnecessary(skb) ||\n\t\t\t\t!__udp_lib_checksum_complete(skb);\n\t\tif (!checksum_valid)\n\t\t\tgoto csum_copy_err;\n\t}\n\n\tif (checksum_valid || udp_skb_csum_unnecessary(skb)) {\n\t\tif (udp_skb_is_linear(skb))\n\t\t\terr = copy_linear_skb(skb, copied, off, &msg->msg_iter);\n\t\telse\n\t\t\terr = skb_copy_datagram_msg(skb, off, msg, copied);\n\t} else {\n\t\terr = skb_copy_and_csum_datagram_msg(skb, off, msg);\n\n\t\tif (err == -EINVAL)\n\t\t\tgoto csum_copy_err;\n\t}\n\n\tif (unlikely(err)) {\n\t\tif (!peeked) {\n\t\t\tatomic_inc(&sk->sk_drops);\n\t\t\tUDP_INC_STATS(sock_net(sk),\n\t\t\t\t UDP_MIB_INERRORS, is_udplite);\n\t\t}\n\t\tkfree_skb(skb);\n\t\treturn err;\n\t}\n\n\tif (!peeked)\n\t\tUDP_INC_STATS(sock_net(sk),\n\t\t\t UDP_MIB_INDATAGRAMS, is_udplite);\n\n\tsock_recv_ts_and_drops(msg, sk, skb);\n\n\t/* Copy the address. 
*/\n\tif (sin) {\n\t\tsin->sin_family = AF_INET;\n\t\tsin->sin_port = udp_hdr(skb)->source;\n\t\tsin->sin_addr.s_addr = ip_hdr(skb)->saddr;\n\t\tmemset(sin->sin_zero, 0, sizeof(sin->sin_zero));\n\t\t*addr_len = sizeof(*sin);\n\t}\n\tif (inet->cmsg_flags)\n\t\tip_cmsg_recv_offset(msg, sk, skb, sizeof(struct udphdr), off);\n\n\terr = copied;\n\tif (flags & MSG_TRUNC)\n\t\terr = ulen;\n\n\tskb_consume_udp(sk, skb, peeking ? -err : err);\n\treturn err;\n\ncsum_copy_err:\n\tif (!__sk_queue_drop_skb(sk, &udp_sk(sk)->reader_queue, skb, flags,\n\t\t\t\t udp_skb_destructor)) {\n\t\tUDP_INC_STATS(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);\n\t\tUDP_INC_STATS(sock_net(sk), UDP_MIB_INERRORS, is_udplite);\n\t}\n\tkfree_skb(skb);\n\n\t/* starting over for a new packet, but check if we need to yield */\n\tcond_resched();\n\tmsg->msg_flags &= ~MSG_TRUNC;\n\tgoto try_again;\n}",
- "project": "net",
- "hash": 58392490434323142952560185875685509340,
- "size": 101,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468963
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "DimsToShape",
- "RuntimeShape",
- "BuildFrom"
- ],
- "group_size": 7,
- "functions": [
- {
- "func": " inline static RuntimeShape ExtendedShape(int new_shape_size,\n const RuntimeShape& shape) {\n return RuntimeShape(new_shape_size, shape, 1);\n }",
- "project": "tensorflow",
- "hash": 159680860774739202256470977404269601493,
- "size": 4,
- "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d",
- "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4",
- "target": 0,
- "dataset": "other",
- "idx": 269165
- },
- {
- "func": " inline void BuildFrom(const T& src_iterable) {\n const int dimensions_count =\n std::distance(src_iterable.begin(), src_iterable.end());\n Resize(dimensions_count);\n int32_t* data = DimsData();\n for (auto it : src_iterable) {\n *data = it;\n ++data;\n }\n }",
- "project": "tensorflow",
- "hash": 188723213691498056888114153264788661533,
- "size": 10,
- "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d",
- "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4",
- "target": 0,
- "dataset": "other",
- "idx": 269151
- },
- {
- "func": " inline void BuildFrom(const std::initializer_list<int> init_list) {\n BuildFrom<const std::initializer_list<int>>(init_list);\n }",
- "project": "tensorflow",
- "hash": 59491366147344092120214428866658525017,
- "size": 3,
- "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d",
- "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4",
- "target": 0,
- "dataset": "other",
- "idx": 269184
- },
- {
- "func": "inline RuntimeShape DimsToShape(const tflite::Dims<4>& dims) {\n return RuntimeShape(\n {dims.sizes[3], dims.sizes[2], dims.sizes[1], dims.sizes[0]});\n}",
- "project": "tensorflow",
- "hash": 166765932906645759940963413765942152024,
- "size": 4,
- "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d",
- "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4",
- "target": 0,
- "dataset": "other",
- "idx": 269164
- },
- {
- "func": " RuntimeShape() : size_(0) {}",
- "project": "tensorflow",
- "hash": 124986740443484127646846081410820275420,
- "size": 1,
- "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d",
- "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4",
- "target": 0,
- "dataset": "other",
- "idx": 269154
- },
- {
- "func": " RuntimeShape(int dimensions_count, const int32_t* dims_data) : size_(0) {\n ReplaceWith(dimensions_count, dims_data);\n }",
- "project": "tensorflow",
- "hash": 146175229728474414336310525899539981310,
- "size": 3,
- "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d",
- "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4",
- "target": 0,
- "dataset": "other",
- "idx": 269170
- },
- {
- "func": " RuntimeShape(const std::initializer_list<int> init_list) : size_(0) {\n BuildFrom(init_list);\n }",
- "project": "tensorflow",
- "hash": 24097122067391478662058055954168903884,
- "size": 3,
- "commit_id": "8ee24e7949a203d234489f9da2c5bf45a7d5157d",
- "message": "[tflite] Ensure `MatchingDim` does not allow buffer overflow.\n\nWe check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.\n\nA much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.\n\nPiperOrigin-RevId: 332526127\nChange-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4",
- "target": 0,
- "dataset": "other",
- "idx": 269182
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "collatorAlwaysEqual",
- "in",
- "setEqualities"
- ],
- "group_size": 17,
- "functions": [
- {
- "func": "TEST_F(QueryPlannerTest, EmptyQueryWithProjectionUsesCollscanIfIndexCollationDiffers) {\n params.options = QueryPlannerParams::GENERATE_COVERED_IXSCANS;\n CollatorInterfaceMock collator(CollatorInterfaceMock::MockType::kReverseString);\n addIndex(BSON(\"a\" << 1), &collator);\n runQueryAsCommand(fromjson(\"{find: 'testns', projection: {_id: 0, a: 1}}\"));\n assertNumSolutions(1);\n assertSolutionExists(\n \"{proj: {spec: {_id: 0, a: 1}, node: \"\n \"{cscan: {dir: 1}}}}\");\n}",
- "project": "mongo",
- "hash": 116511701241382531691326907951778309177,
- "size": 10,
- "commit_id": "b0ef26c639112b50648a02d969298650fbd402a4",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 392955
- },
- {
- "func": "TEST(ComparisonMatchExpression, StringMatchingRespectsCollation) {\n BSONObj operand = BSON(\"a\"\n << \"string\");\n CollatorInterfaceMock collator(CollatorInterfaceMock::MockType::kAlwaysEqual);\n EqualityMatchExpression eq(\"a\", operand[\"a\"]);\n eq.setCollator(&collator);\n ASSERT(eq.matchesBSON(BSON(\"a\"\n << \"string2\"),\n NULL));\n}",
- "project": "mongo",
- "hash": 49200481839816426055067292892665845522,
- "size": 10,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422604
- },
- {
- "func": "TEST(InMatchExpression, StringMatchingRespectsCollation) {\n BSONArray operand = BSON_ARRAY(\"string\");\n BSONObj match = BSON(\"a\"\n << \"string2\");\n CollatorInterfaceMock collator(CollatorInterfaceMock::MockType::kAlwaysEqual);\n InMatchExpression in(\"\");\n in.setCollator(&collator);\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n ASSERT(in.matchesSingleElement(match[\"a\"]));\n}",
- "project": "mongo",
- "hash": 313042155359170171739143330219573298473,
- "size": 11,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422656
- },
- {
- "func": "TEST(InMatchExpression, MatchesArrayValue) {\n BSONObj operand = BSON_ARRAY(5);\n InMatchExpression in(\"a\");\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n\n ASSERT(in.matchesBSON(BSON(\"a\" << BSON_ARRAY(5.0 << 6)), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << BSON_ARRAY(6 << 7)), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << BSON_ARRAY(BSON_ARRAY(5))), NULL));\n}",
- "project": "mongo",
- "hash": 226300102127799669308814563338121385276,
- "size": 10,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422539
- },
- {
- "func": "TEST(InMatchExpression, StringMatchingWithNullCollatorUsesBinaryComparison) {\n BSONArray operand = BSON_ARRAY(\"string\");\n BSONObj notMatch = BSON(\"a\"\n << \"string2\");\n InMatchExpression in(\"\");\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n ASSERT(!in.matchesSingleElement(notMatch[\"a\"]));\n}",
- "project": "mongo",
- "hash": 222848615768803539659319233780004606039,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422556
- },
- {
- "func": "TEST(InMatchExpression, MatchesFullArray) {\n BSONObj operand = BSON_ARRAY(BSON_ARRAY(1 << 2) << 4 << 5);\n InMatchExpression in(\"a\");\n std::vector<BSONElement> equalities{operand[0], operand[1], operand[2]};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n\n ASSERT(in.matchesBSON(BSON(\"a\" << BSON_ARRAY(1 << 2)), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << BSON_ARRAY(1 << 2 << 3)), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << BSON_ARRAY(1)), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << 1), NULL));\n}",
- "project": "mongo",
- "hash": 83337974193960845237515657753354444386,
- "size": 11,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422558
- },
- {
- "func": "TEST(InMatchExpression, MatchesScalar) {\n BSONObj operand = BSON_ARRAY(5);\n InMatchExpression in(\"a\");\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n\n ASSERT(in.matchesBSON(BSON(\"a\" << 5.0), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << 4), NULL));\n}",
- "project": "mongo",
- "hash": 13894676684628408898160584921075105240,
- "size": 9,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422562
- },
- {
- "func": "TEST(InMatchExpression, ElemMatchKey) {\n BSONObj operand = BSON_ARRAY(5 << 2);\n InMatchExpression in(\"a\");\n std::vector<BSONElement> equalities{operand[0], operand[1]};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n\n MatchDetails details;\n details.requestElemMatchKey();\n ASSERT(!in.matchesBSON(BSON(\"a\" << 4), &details));\n ASSERT(!details.hasElemMatchKey());\n ASSERT(in.matchesBSON(BSON(\"a\" << 5), &details));\n ASSERT(!details.hasElemMatchKey());\n ASSERT(in.matchesBSON(BSON(\"a\" << BSON_ARRAY(1 << 2 << 5)), &details));\n ASSERT(details.hasElemMatchKey());\n ASSERT_EQUALS(\"1\", details.elemMatchKey());\n}",
- "project": "mongo",
- "hash": 216652547517168869643852088648632323168,
- "size": 16,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422584
- },
- {
- "func": "TEST(InMatchExpression, MatchesMinKey) {\n BSONObj operand = BSON_ARRAY(MinKey);\n InMatchExpression in(\"a\");\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n\n ASSERT(in.matchesBSON(BSON(\"a\" << MinKey), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << MaxKey), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << 4), NULL));\n}",
- "project": "mongo",
- "hash": 65711962331854143501621544695867760687,
- "size": 10,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422597
- },
- {
- "func": "TEST(InMatchExpression, MatchesElementMultiple) {\n BSONObj operand = BSON_ARRAY(1 << \"r\" << true << 1);\n InMatchExpression in(\"\");\n std::vector<BSONElement> equalities{operand[0], operand[1], operand[2], operand[3]};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n\n BSONObj matchFirst = BSON(\"a\" << 1);\n BSONObj matchSecond = BSON(\"a\"\n << \"r\");\n BSONObj matchThird = BSON(\"a\" << true);\n BSONObj notMatch = BSON(\"a\" << false);\n ASSERT(in.matchesSingleElement(matchFirst[\"a\"]));\n ASSERT(in.matchesSingleElement(matchSecond[\"a\"]));\n ASSERT(in.matchesSingleElement(matchThird[\"a\"]));\n ASSERT(!in.matchesSingleElement(notMatch[\"a\"]));\n}",
- "project": "mongo",
- "hash": 18978996959427266631071425504934045199,
- "size": 16,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422599
- },
- {
- "func": "TEST(InMatchExpression, MatchesUndefined) {\n BSONObj operand = BSON_ARRAY(BSONUndefined);\n\n InMatchExpression in(\"a\");\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_NOT_OK(in.setEqualities(std::move(equalities)));\n}",
- "project": "mongo",
- "hash": 9087152684999343829843974470547880070,
- "size": 7,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422615
- },
- {
- "func": "TEST(InMatchExpression, MatchesEmpty) {\n InMatchExpression in(\"a\");\n\n BSONObj notMatch = BSON(\"a\" << 2);\n ASSERT(!in.matchesSingleElement(notMatch[\"a\"]));\n ASSERT(!in.matchesBSON(BSON(\"a\" << 1), NULL));\n ASSERT(!in.matchesBSON(BSONObj(), NULL));\n}",
- "project": "mongo",
- "hash": 318137049493186870341000646874937439529,
- "size": 8,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422628
- },
- {
- "func": "TEST(InMatchExpression, MatchesNull) {\n BSONObj operand = BSON_ARRAY(BSONNULL);\n\n InMatchExpression in(\"a\");\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n\n ASSERT(in.matchesBSON(BSONObj(), NULL));\n ASSERT(in.matchesBSON(BSON(\"a\" << BSONNULL), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << 4), NULL));\n // A non-existent field is treated same way as an empty bson object\n ASSERT(in.matchesBSON(BSON(\"b\" << 4), NULL));\n}",
- "project": "mongo",
- "hash": 313294220935155537645799218005065733327,
- "size": 13,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422639
- },
- {
- "func": "TEST(InMatchExpression, MatchesElementSingle) {\n BSONArray operand = BSON_ARRAY(1);\n BSONObj match = BSON(\"a\" << 1);\n BSONObj notMatch = BSON(\"a\" << 2);\n InMatchExpression in(\"\");\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n ASSERT(in.matchesSingleElement(match[\"a\"]));\n ASSERT(!in.matchesSingleElement(notMatch[\"a\"]));\n}",
- "project": "mongo",
- "hash": 238284355812328079131428698018143007777,
- "size": 10,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422668
- },
- {
- "func": "TEST(InMatchExpression, MatchesMaxKey) {\n BSONObj operand = BSON_ARRAY(MaxKey);\n InMatchExpression in(\"a\");\n std::vector<BSONElement> equalities{operand.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n\n ASSERT(in.matchesBSON(BSON(\"a\" << MaxKey), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << MinKey), NULL));\n ASSERT(!in.matchesBSON(BSON(\"a\" << 4), NULL));\n}",
- "project": "mongo",
- "hash": 131653085116474483340487521868016719326,
- "size": 10,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422673
- },
- {
- "func": "Status InMatchExpression::setEqualities(std::vector<BSONElement> equalities) {\n for (auto&& equality : equalities) {\n if (equality.type() == BSONType::RegEx) {\n return Status(ErrorCodes::BadValue, \"InMatchExpression equality cannot be a regex\");\n }\n if (equality.type() == BSONType::Undefined) {\n return Status(ErrorCodes::BadValue, \"InMatchExpression equality cannot be undefined\");\n }\n\n if (equality.type() == BSONType::jstNULL) {\n _hasNull = true;\n } else if (equality.type() == BSONType::Array && equality.Obj().isEmpty()) {\n _hasEmptyArray = true;\n }\n }\n\n _originalEqualityVector = std::move(equalities);\n\n if (!std::is_sorted(_originalEqualityVector.begin(),\n _originalEqualityVector.end(),\n _eltCmp.makeLessThan())) {\n // Sort the list of equalities to work around https://svn.boost.org/trac10/ticket/13140.\n std::sort(\n _originalEqualityVector.begin(), _originalEqualityVector.end(), _eltCmp.makeLessThan());\n }\n\n _equalitySet = _eltCmp.makeBSONEltFlatSet(_originalEqualityVector);\n\n return Status::OK();\n}",
- "project": "mongo",
- "hash": 15848151713556943549153537753512546953,
- "size": 30,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422664
- },
- {
- "func": "TEST(InMatchExpression, ChangingCollationAfterAddingEqualitiesPreservesEqualities) {\n BSONObj obj1 = BSON(\"\"\n << \"string1\");\n BSONObj obj2 = BSON(\"\"\n << \"string2\");\n CollatorInterfaceMock collatorAlwaysEqual(CollatorInterfaceMock::MockType::kAlwaysEqual);\n CollatorInterfaceMock collatorReverseString(CollatorInterfaceMock::MockType::kReverseString);\n InMatchExpression in(\"\");\n in.setCollator(&collatorAlwaysEqual);\n std::vector<BSONElement> equalities{obj1.firstElement(), obj2.firstElement()};\n ASSERT_OK(in.setEqualities(std::move(equalities)));\n ASSERT(in.getEqualities().size() == 1);\n in.setCollator(&collatorReverseString);\n ASSERT(in.getEqualities().size() == 2);\n ASSERT(in.getEqualities().count(obj1.firstElement()));\n ASSERT(in.getEqualities().count(obj2.firstElement()));\n}",
- "project": "mongo",
- "hash": 318922974627986294322587234956215187568,
- "size": 17,
- "commit_id": "64095239f41e9f3841d8be9088347db56d35c891",
- "message": "SERVER-51083 Reject invalid UTF-8 from $regex match expressions",
- "target": 0,
- "dataset": "other",
- "idx": 422580
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "print_join",
- "print_table_array",
- "print"
- ],
- "group_size": 10,
- "functions": [
- {
- "func": "static void print_join(THD *thd,\n table_map eliminated_tables,\n String *str,\n List<TABLE_LIST> *tables,\n enum_query_type query_type)\n{\n /* List is reversed => we should reverse it before using */\n List_iterator_fast<TABLE_LIST> ti(*tables);\n TABLE_LIST **table;\n DBUG_ENTER(\"print_join\");\n\n /*\n If the QT_NO_DATA_EXPANSION flag is specified, we print the\n original table list, including constant tables that have been\n optimized away, as the constant tables may be referenced in the\n expression printed by Item_field::print() when this flag is given.\n Otherwise, only non-const tables are printed.\n\n Example:\n\n Original SQL:\n select * from (select 1) t\n\n Printed without QT_NO_DATA_EXPANSION:\n select '1' AS `1` from dual\n\n Printed with QT_NO_DATA_EXPANSION:\n select `t`.`1` from (select 1 AS `1`) `t`\n */\n const bool print_const_tables= (query_type & QT_NO_DATA_EXPANSION);\n size_t tables_to_print= 0;\n\n for (TABLE_LIST *t= ti++; t ; t= ti++)\n {\n /* See comment in print_table_array() about the second condition */\n if (print_const_tables || !t->optimized_away)\n if (!is_eliminated_table(eliminated_tables, t))\n tables_to_print++;\n }\n if (tables_to_print == 0)\n {\n str->append(STRING_WITH_LEN(\"dual\"));\n DBUG_VOID_RETURN; // all tables were optimized away\n }\n ti.rewind();\n\n if (!(table= static_cast<TABLE_LIST **>(thd->alloc(sizeof(TABLE_LIST*) *\n tables_to_print))))\n DBUG_VOID_RETURN; // out of memory\n\n TABLE_LIST *tmp, **t= table + (tables_to_print - 1);\n while ((tmp= ti++))\n {\n if (tmp->optimized_away && !print_const_tables)\n continue;\n if (is_eliminated_table(eliminated_tables, tmp))\n continue;\n *t--= tmp;\n }\n\n DBUG_ASSERT(tables->elements >= 1);\n /*\n Assert that the first table in the list isn't eliminated. 
This comes from\n the fact that the first table can't be inner table of an outer join.\n */\n DBUG_ASSERT(!eliminated_tables || \n !(((*table)->table && ((*table)->table->map & eliminated_tables)) ||\n ((*table)->nested_join && !((*table)->nested_join->used_tables &\n ~eliminated_tables))));\n /* \n If the first table is a semi-join nest, swap it with something that is\n not a semi-join nest.\n */\n if ((*table)->sj_inner_tables)\n {\n TABLE_LIST **end= table + tables_to_print;\n for (TABLE_LIST **t2= table; t2!=end; t2++)\n {\n if (!(*t2)->sj_inner_tables)\n {\n tmp= *t2;\n *t2= *table;\n *table= tmp;\n break;\n }\n }\n }\n print_table_array(thd, eliminated_tables, str, table, \n table + tables_to_print, query_type);\n DBUG_VOID_RETURN;\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 158752683764176461762178093049610480322,
- "size": 91,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508477
- },
- {
- "func": " void print_value(String *to) const\n {\n str_value.print(to);\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 198394178645807465600507091966696905942,
- "size": 4,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509040
- },
- {
- "func": "void vers_select_conds_t::print(String *str, enum_query_type query_type) const\n{\n switch (orig_type) {\n case SYSTEM_TIME_UNSPECIFIED:\n break;\n case SYSTEM_TIME_AS_OF:\n start.print(str, query_type, STRING_WITH_LEN(\" FOR SYSTEM_TIME AS OF \"));\n break;\n case SYSTEM_TIME_FROM_TO:\n start.print(str, query_type, STRING_WITH_LEN(\" FOR SYSTEM_TIME FROM \"));\n end.print(str, query_type, STRING_WITH_LEN(\" TO \"));\n break;\n case SYSTEM_TIME_BETWEEN:\n start.print(str, query_type, STRING_WITH_LEN(\" FOR SYSTEM_TIME BETWEEN \"));\n end.print(str, query_type, STRING_WITH_LEN(\" AND \"));\n break;\n case SYSTEM_TIME_BEFORE:\n case SYSTEM_TIME_HISTORY:\n DBUG_ASSERT(0);\n break;\n case SYSTEM_TIME_ALL:\n str->append(\" FOR SYSTEM_TIME ALL\");\n break;\n }\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 98798937267268417188840436026413721122,
- "size": 25,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508491
- },
- {
- "func": "void TABLE_LIST::print(THD *thd, table_map eliminated_tables, String *str, \n enum_query_type query_type)\n{\n if (nested_join)\n {\n str->append('(');\n print_join(thd, eliminated_tables, str, &nested_join->join_list, query_type);\n str->append(')');\n }\n else if (jtbm_subselect)\n {\n if (jtbm_subselect->engine->engine_type() ==\n subselect_engine::SINGLE_SELECT_ENGINE)\n {\n /* \n We get here when conversion into materialization didn't finish (this\n happens when\n - The subquery is a degenerate case which produces 0 or 1 record\n - subquery's optimization didn't finish because of @@max_join_size\n limits\n - ... maybe some other cases like this \n */\n str->append(STRING_WITH_LEN(\" <materialize> (\"));\n jtbm_subselect->engine->print(str, query_type);\n str->append(')');\n }\n else\n {\n str->append(STRING_WITH_LEN(\" <materialize> (\"));\n subselect_hash_sj_engine *hash_engine;\n hash_engine= (subselect_hash_sj_engine*)jtbm_subselect->engine;\n hash_engine->materialize_engine->print(str, query_type);\n str->append(')');\n }\n }\n else\n {\n const char *cmp_name; // Name to compare with alias\n if (view_name.str)\n {\n // A view\n\n if (!(belong_to_view &&\n belong_to_view->compact_view_format))\n {\n append_identifier(thd, str, &view_db);\n str->append('.');\n }\n append_identifier(thd, str, &view_name);\n cmp_name= view_name.str;\n }\n else if (derived)\n {\n if (!is_with_table())\n {\n // A derived table\n str->append('(');\n derived->print(str, query_type);\n str->append(')');\n cmp_name= \"\"; // Force printing of alias\n }\n else\n {\n append_identifier(thd, str, &table_name);\n cmp_name= table_name.str;\n }\n }\n else\n {\n // A normal table\n\n if (!(belong_to_view &&\n belong_to_view->compact_view_format))\n {\n append_identifier(thd, str, &db);\n str->append('.');\n }\n if (schema_table)\n {\n append_identifier(thd, str, &schema_table_name);\n cmp_name= schema_table_name.str;\n }\n else\n {\n append_identifier(thd, str, &table_name);\n 
cmp_name= table_name.str;\n }\n#ifdef WITH_PARTITION_STORAGE_ENGINE\n if (partition_names && partition_names->elements)\n {\n int i, num_parts= partition_names->elements;\n List_iterator<String> name_it(*(partition_names));\n str->append(STRING_WITH_LEN(\" PARTITION (\"));\n for (i= 1; i <= num_parts; i++)\n {\n String *name= name_it++;\n append_identifier(thd, str, name->c_ptr(), name->length());\n if (i != num_parts)\n str->append(',');\n }\n str->append(')');\n }\n#endif /* WITH_PARTITION_STORAGE_ENGINE */\n }\n if (table && table->versioned())\n vers_conditions.print(str, query_type);\n\n if (my_strcasecmp(table_alias_charset, cmp_name, alias.str))\n {\n char t_alias_buff[MAX_ALIAS_NAME];\n LEX_CSTRING t_alias= alias;\n\n str->append(' ');\n if (lower_case_table_names == 1)\n {\n if (alias.str && alias.str[0])\n {\n strmov(t_alias_buff, alias.str);\n t_alias.length= my_casedn_str(files_charset_info, t_alias_buff);\n t_alias.str= t_alias_buff;\n }\n }\n\n append_identifier(thd, str, &t_alias);\n }\n\n if (index_hints)\n {\n List_iterator<Index_hint> it(*index_hints);\n Index_hint *hint;\n\n while ((hint= it++))\n {\n str->append (STRING_WITH_LEN(\" \"));\n hint->print (thd, str);\n }\n }\n }\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 300728936978076169998319381053009874325,
- "size": 139,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508492
- },
- {
- "func": "Index_hint::print(THD *thd, String *str)\n{\n switch (type)\n {\n case INDEX_HINT_IGNORE: str->append(STRING_WITH_LEN(\"IGNORE INDEX\")); break;\n case INDEX_HINT_USE: str->append(STRING_WITH_LEN(\"USE INDEX\")); break;\n case INDEX_HINT_FORCE: str->append(STRING_WITH_LEN(\"FORCE INDEX\")); break;\n }\n str->append (STRING_WITH_LEN(\" (\"));\n if (key_name.length)\n {\n if (thd && !my_strnncoll(system_charset_info,\n (const uchar *)key_name.str, key_name.length, \n (const uchar *)primary_key_name, \n strlen(primary_key_name)))\n str->append(primary_key_name);\n else\n append_identifier(thd, str, &key_name);\n}\n str->append(')');\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 134044205720613112784732010539419435169,
- "size": 21,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508618
- },
- {
- "func": "void st_select_lex::print(THD *thd, String *str, enum_query_type query_type)\n{\n DBUG_ASSERT(thd);\n\n if (tvc)\n {\n tvc->print(thd, str, query_type);\n return;\n }\n\n if ((query_type & QT_SHOW_SELECT_NUMBER) &&\n thd->lex->all_selects_list &&\n thd->lex->all_selects_list->link_next &&\n select_number != UINT_MAX &&\n select_number != INT_MAX)\n {\n str->append(\"/* select#\");\n str->append_ulonglong(select_number);\n str->append(\" */ \");\n }\n\n str->append(STRING_WITH_LEN(\"select \"));\n\n if (join && join->cleaned)\n {\n /*\n JOIN already cleaned up so it is dangerous to print items\n because temporary tables they pointed on could be freed.\n */\n str->append('#');\n str->append(select_number);\n return;\n }\n\n /* First add options */\n if (options & SELECT_STRAIGHT_JOIN)\n str->append(STRING_WITH_LEN(\"straight_join \"));\n if (options & SELECT_HIGH_PRIORITY)\n str->append(STRING_WITH_LEN(\"high_priority \"));\n if (options & SELECT_DISTINCT)\n str->append(STRING_WITH_LEN(\"distinct \"));\n if (options & SELECT_SMALL_RESULT)\n str->append(STRING_WITH_LEN(\"sql_small_result \"));\n if (options & SELECT_BIG_RESULT)\n str->append(STRING_WITH_LEN(\"sql_big_result \"));\n if (options & OPTION_BUFFER_RESULT)\n str->append(STRING_WITH_LEN(\"sql_buffer_result \"));\n if (options & OPTION_FOUND_ROWS)\n str->append(STRING_WITH_LEN(\"sql_calc_found_rows \"));\n switch (sql_cache)\n {\n case SQL_NO_CACHE:\n str->append(STRING_WITH_LEN(\"sql_no_cache \"));\n break;\n case SQL_CACHE:\n str->append(STRING_WITH_LEN(\"sql_cache \"));\n break;\n case SQL_CACHE_UNSPECIFIED:\n break;\n default:\n DBUG_ASSERT(0);\n }\n\n //Item List\n bool first= 1;\n List_iterator_fast<Item> it(item_list);\n Item *item;\n while ((item= it++))\n {\n if (first)\n first= 0;\n else\n str->append(',');\n\n if (is_subquery_function() && item->is_autogenerated_name)\n {\n /*\n Do not print auto-generated aliases in subqueries. 
It has no purpose\n in a view definition or other contexts where the query is printed.\n */\n item->print(str, query_type);\n }\n else\n item->print_item_w_name(str, query_type);\n }\n\n /*\n from clause\n TODO: support USING/FORCE/IGNORE index\n */\n if (table_list.elements)\n {\n str->append(STRING_WITH_LEN(\" from \"));\n /* go through join tree */\n print_join(thd, join? join->eliminated_tables: 0, str, &top_join_list, query_type);\n }\n else if (where)\n {\n /*\n \"SELECT 1 FROM DUAL WHERE 2\" should not be printed as \n \"SELECT 1 WHERE 2\": the 1st syntax is valid, but the 2nd is not.\n */\n str->append(STRING_WITH_LEN(\" from DUAL \"));\n }\n\n // Where\n Item *cur_where= where;\n if (join)\n cur_where= join->conds;\n if (cur_where || cond_value != Item::COND_UNDEF)\n {\n str->append(STRING_WITH_LEN(\" where \"));\n if (cur_where)\n cur_where->print(str, query_type);\n else\n str->append(cond_value != Item::COND_FALSE ? \"1\" : \"0\");\n }\n\n // group by & olap\n if (group_list.elements)\n {\n str->append(STRING_WITH_LEN(\" group by \"));\n print_order(str, group_list.first, query_type);\n switch (olap)\n {\n case CUBE_TYPE:\n\tstr->append(STRING_WITH_LEN(\" with cube\"));\n\tbreak;\n case ROLLUP_TYPE:\n\tstr->append(STRING_WITH_LEN(\" with rollup\"));\n\tbreak;\n default:\n\t; //satisfy compiler\n }\n }\n\n // having\n Item *cur_having= having;\n if (join)\n cur_having= join->having;\n\n if (cur_having || having_value != Item::COND_UNDEF)\n {\n str->append(STRING_WITH_LEN(\" having \"));\n if (cur_having)\n cur_having->print(str, query_type);\n else\n str->append(having_value != Item::COND_FALSE ? 
\"1\" : \"0\");\n }\n\n if (order_list.elements)\n {\n str->append(STRING_WITH_LEN(\" order by \"));\n print_order(str, order_list.first, query_type);\n }\n\n // limit\n print_limit(thd, str, query_type);\n\n // lock type\n if (lock_type == TL_READ_WITH_SHARED_LOCKS)\n str->append(\" lock in share mode\");\n else if (lock_type == TL_WRITE)\n str->append(\" for update\");\n\n // PROCEDURE unsupported here\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 332339047406078563782282850125410244748,
- "size": 167,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508647
- },
- {
- "func": "inline void Virtual_column_info::print(String* str)\n{\n expr->print_for_table_def(str);\n}",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 311206635704968211615641013064330791691,
- "size": 4,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509143
- },
- {
- "func": " virtual void print(String *str, enum_query_type query_type)\n { ident->print(str, query_type); }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 89038788561708738890534198811419204929,
- "size": 2,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509291
- },
- {
- "func": "static bool is_eliminated_table(table_map eliminated_tables, TABLE_LIST *tbl)\n{\n return eliminated_tables &&\n ((tbl->table && (tbl->table->map & eliminated_tables)) ||\n (tbl->nested_join && !(tbl->nested_join->used_tables &\n ~eliminated_tables)));\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 312244178416601699737568920507856674799,
- "size": 7,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508562
- },
- {
- "func": "static void print_table_array(THD *thd, \n table_map eliminated_tables,\n String *str, TABLE_LIST **table, \n TABLE_LIST **end,\n enum_query_type query_type)\n{\n (*table)->print(thd, eliminated_tables, str, query_type);\n\n for (TABLE_LIST **tbl= table + 1; tbl < end; tbl++)\n {\n TABLE_LIST *curr= *tbl;\n \n /*\n The \"eliminated_tables &&\" check guards againist the case of \n printing the query for CREATE VIEW. We do that without having run \n JOIN::optimize() and so will have nested_join->used_tables==0.\n */\n if (eliminated_tables &&\n ((curr->table && (curr->table->map & eliminated_tables)) ||\n (curr->nested_join && !(curr->nested_join->used_tables &\n ~eliminated_tables))))\n {\n /* as of 5.5, print_join doesnt put eliminated elements into array */\n DBUG_ASSERT(0); \n continue;\n }\n\n /* JOIN_TYPE_OUTER is just a marker unrelated to real join */\n if (curr->outer_join & (JOIN_TYPE_LEFT|JOIN_TYPE_RIGHT))\n {\n /* MySQL converts right to left joins */\n str->append(STRING_WITH_LEN(\" left join \"));\n }\n else if (curr->straight)\n str->append(STRING_WITH_LEN(\" straight_join \"));\n else if (curr->sj_inner_tables)\n str->append(STRING_WITH_LEN(\" semi join \"));\n else\n str->append(STRING_WITH_LEN(\" join \"));\n \n curr->print(thd, eliminated_tables, str, query_type);\n if (curr->on_expr)\n {\n str->append(STRING_WITH_LEN(\" on(\"));\n curr->on_expr->print(str, query_type);\n str->append(')');\n }\n }\n}",
- "target": 0,
- "cwe": [],
- "project": "server",
- "commit_id": "ff77a09bda884fe6bf3917eb29b9d3a2f53f919b",
- "hash": 204891780141062851261229126640052977802,
- "size": 49,
- "message": "MDEV-22464 Server crash on UPDATE with nested subquery\n\nUninitialized ref_pointer_array[] because setup_fields() got empty\nfields list. mysql_multi_update() for some reason does that by\nsubstituting the fields list with empty total_list for the\nmysql_select() call (looks like wrong merge since total_list is not\nused anywhere else and is always empty). The fix would be to return\nback the original fields list. But this fails update_use_source.test\ncase:\n\n --error ER_BAD_FIELD_ERROR\n update v1 set t1c1=2 order by 1;\n\nActually not failing the above seems to be ok.\n\nThe other fix would be to keep resolve_in_select_list false (and that\nkeeps outer context from being resolved in\nItem_ref::fix_fields()). This fix is more consistent with how SELECT\nbehaves:\n\n --error ER_SUBQUERY_NO_1_ROW\n select a from t1 where a= (select 2 from t1 having (a = 3));\n\nSo this patch implements this fix.",
- "dataset": "other",
- "idx": 508557
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "RemoveDuplicateLayers",
- "CompareImagesBounds",
- "ComparePixels"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static MagickBooleanType ComparePixels(const LayerMethod method,\n const PixelInfo *p,const PixelInfo *q)\n{\n double\n o1,\n o2;\n\n /*\n Any change in pixel values\n */\n if (method == CompareAnyLayer)\n return(IsFuzzyEquivalencePixelInfo(p,q) == MagickFalse ? MagickTrue : MagickFalse);\n o1 = (p->alpha_trait != UndefinedPixelTrait) ? p->alpha : OpaqueAlpha;\n o2 = (q->alpha_trait != UndefinedPixelTrait) ? q->alpha : OpaqueAlpha;\n /*\n Pixel goes from opaque to transprency.\n */\n if (method == CompareClearLayer)\n return((MagickBooleanType) ( (o1 >= ((double) QuantumRange/2.0)) &&\n (o2 < ((double) QuantumRange/2.0)) ) );\n /*\n Overlay would change first pixel by second.\n */\n if (method == CompareOverlayLayer)\n {\n if (o2 < ((double) QuantumRange/2.0))\n return MagickFalse;\n return(IsFuzzyEquivalencePixelInfo(p,q) == MagickFalse ? MagickTrue :\n MagickFalse);\n }\n return(MagickFalse);\n}",
- "project": "ImageMagick",
- "hash": 71969903763466407743223783519735972643,
- "size": 32,
- "commit_id": "ef59bd764f88d893f1219fee8ba696a5d3f8c1c4",
- "message": "There is a Division by Zero in function OptimizeLayerFrames (#2743)\n\nin file MagickCore/layer.c. cur->ticks_per_seconds can be zero\r\nwith a crafted input argument *image. This is similar to\r\nCVE-2019-13454.",
- "target": 0,
- "dataset": "other",
- "idx": 338503
- },
- {
- "func": "MagickExport void RemoveDuplicateLayers(Image **images,ExceptionInfo *exception)\n{\n RectangleInfo\n bounds;\n\n register Image\n *image,\n *next;\n\n assert((*images) != (const Image *) NULL);\n assert((*images)->signature == MagickCoreSignature);\n if ((*images)->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",\n (*images)->filename);\n assert(exception != (ExceptionInfo *) NULL);\n assert(exception->signature == MagickCoreSignature);\n image=GetFirstImageInList(*images);\n for ( ; (next=GetNextImageInList(image)) != (Image *) NULL; image=next)\n {\n if ((image->columns != next->columns) || (image->rows != next->rows) ||\n (image->page.x != next->page.x) || (image->page.y != next->page.y))\n continue;\n bounds=CompareImagesBounds(image,next,CompareAnyLayer,exception);\n if (bounds.x < 0)\n {\n /*\n Two images are the same, merge time delays and delete one.\n */\n size_t\n time;\n\n time=(size_t) (1000.0*image->delay*\n PerceptibleReciprocal((double) image->ticks_per_second));\n time+=(size_t) (1000.0*next->delay*\n PerceptibleReciprocal((double) next->ticks_per_second));\n next->ticks_per_second=100L;\n next->delay=time*image->ticks_per_second/1000;\n next->iterations=image->iterations;\n *images=image;\n (void) DeleteImageFromList(images);\n }\n }\n *images=GetFirstImageInList(*images);\n}",
- "project": "ImageMagick",
- "hash": 142503199598786156427895124140558881737,
- "size": 44,
- "commit_id": "ef59bd764f88d893f1219fee8ba696a5d3f8c1c4",
- "message": "There is a Division by Zero in function OptimizeLayerFrames (#2743)\n\nin file MagickCore/layer.c. cur->ticks_per_seconds can be zero\r\nwith a crafted input argument *image. This is similar to\r\nCVE-2019-13454.",
- "target": 0,
- "dataset": "other",
- "idx": 338510
- },
- {
- "func": "static RectangleInfo CompareImagesBounds(const Image *image1,\n const Image *image2,const LayerMethod method,ExceptionInfo *exception)\n{\n RectangleInfo\n bounds;\n\n PixelInfo\n pixel1,\n pixel2;\n\n register const Quantum\n *p,\n *q;\n\n register ssize_t\n x;\n\n ssize_t\n y;\n\n /*\n Set bounding box of the differences between images.\n */\n GetPixelInfo(image1,&pixel1);\n GetPixelInfo(image2,&pixel2);\n for (x=0; x < (ssize_t) image1->columns; x++)\n {\n p=GetVirtualPixels(image1,x,0,1,image1->rows,exception);\n q=GetVirtualPixels(image2,x,0,1,image2->rows,exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n break;\n for (y=0; y < (ssize_t) image1->rows; y++)\n {\n GetPixelInfoPixel(image1,p,&pixel1);\n GetPixelInfoPixel(image2,q,&pixel2);\n if (ComparePixels(method,&pixel1,&pixel2) != MagickFalse)\n break;\n p+=GetPixelChannels(image1);\n q+=GetPixelChannels(image2);\n }\n if (y < (ssize_t) image1->rows)\n break;\n }\n if (x >= (ssize_t) image1->columns)\n {\n /*\n Images are identical, return a null image.\n */\n bounds.x=-1;\n bounds.y=-1;\n bounds.width=1;\n bounds.height=1;\n return(bounds);\n }\n bounds.x=x;\n for (x=(ssize_t) image1->columns-1; x >= 0; x--)\n {\n p=GetVirtualPixels(image1,x,0,1,image1->rows,exception);\n q=GetVirtualPixels(image2,x,0,1,image2->rows,exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n break;\n for (y=0; y < (ssize_t) image1->rows; y++)\n {\n GetPixelInfoPixel(image1,p,&pixel1);\n GetPixelInfoPixel(image2,q,&pixel2);\n if (ComparePixels(method,&pixel1,&pixel2) != MagickFalse)\n break;\n p+=GetPixelChannels(image1);\n q+=GetPixelChannels(image2);\n }\n if (y < (ssize_t) image1->rows)\n break;\n }\n bounds.width=(size_t) (x-bounds.x+1);\n for (y=0; y < (ssize_t) image1->rows; y++)\n {\n p=GetVirtualPixels(image1,0,y,image1->columns,1,exception);\n q=GetVirtualPixels(image2,0,y,image2->columns,1,exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) 
NULL))\n break;\n for (x=0; x < (ssize_t) image1->columns; x++)\n {\n GetPixelInfoPixel(image1,p,&pixel1);\n GetPixelInfoPixel(image2,q,&pixel2);\n if (ComparePixels(method,&pixel1,&pixel2) != MagickFalse)\n break;\n p+=GetPixelChannels(image1);\n q+=GetPixelChannels(image2);\n }\n if (x < (ssize_t) image1->columns)\n break;\n }\n bounds.y=y;\n for (y=(ssize_t) image1->rows-1; y >= 0; y--)\n {\n p=GetVirtualPixels(image1,0,y,image1->columns,1,exception);\n q=GetVirtualPixels(image2,0,y,image2->columns,1,exception);\n if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL))\n break;\n for (x=0; x < (ssize_t) image1->columns; x++)\n {\n GetPixelInfoPixel(image1,p,&pixel1);\n GetPixelInfoPixel(image2,q,&pixel2);\n if (ComparePixels(method,&pixel1,&pixel2) != MagickFalse)\n break;\n p+=GetPixelChannels(image1);\n q+=GetPixelChannels(image2);\n }\n if (x < (ssize_t) image1->columns)\n break;\n }\n bounds.height=(size_t) (y-bounds.y+1);\n return(bounds);\n}",
- "project": "ImageMagick",
- "hash": 74152169590556357975726086117689155168,
- "size": 114,
- "commit_id": "ef59bd764f88d893f1219fee8ba696a5d3f8c1c4",
- "message": "There is a Division by Zero in function OptimizeLayerFrames (#2743)\n\nin file MagickCore/layer.c. cur->ticks_per_seconds can be zero\r\nwith a crafted input argument *image. This is similar to\r\nCVE-2019-13454.",
- "target": 0,
- "dataset": "other",
- "idx": 338504
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "auth_server_reconnect_timeout",
- "auth_server_connection_connect",
- "auth_server_connection_disconnect"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "int auth_server_connection_connect(struct auth_server_connection *conn)\n{\n\tconst char *handshake;\n\tint fd;\n\n\ti_assert(!conn->connected);\n\ti_assert(conn->fd == -1);\n\n\tconn->last_connect = ioloop_time;\n\ttimeout_remove(&conn->to);\n\n\t/* max. 1 second wait here. */\n\tfd = net_connect_unix_with_retries(conn->client->auth_socket_path,\n\t\t\t\t\t 1000);\n\tif (fd == -1) {\n\t\tif (errno == EACCES) {\n\t\t\ti_error(\"auth: %s\",\n\t\t\t\teacces_error_get(\"connect\",\n\t\t\t\t\tconn->client->auth_socket_path));\n\t\t} else {\n\t\t\ti_error(\"auth: connect(%s) failed: %m\",\n\t\t\t\tconn->client->auth_socket_path);\n\t\t}\n\t\treturn -1;\n\t}\n\tconn->fd = fd;\n\tconn->io = io_add(fd, IO_READ, auth_server_connection_input, conn);\n\tconn->input = i_stream_create_fd(fd, AUTH_SERVER_CONN_MAX_LINE_LENGTH);\n\tconn->output = o_stream_create_fd(fd, (size_t)-1);\n\tconn->connected = TRUE;\n\n\thandshake = t_strdup_printf(\"VERSION\\t%u\\t%u\\nCPID\\t%u\\n\",\n\t\t\t\t AUTH_CLIENT_PROTOCOL_MAJOR_VERSION,\n AUTH_CLIENT_PROTOCOL_MINOR_VERSION,\n\t\t\t\t conn->client->client_pid);\n\tif (o_stream_send_str(conn->output, handshake) < 0) {\n\t\ti_warning(\"Error sending handshake to auth server: %s\",\n\t\t\t o_stream_get_error(conn->output));\n\t\tauth_server_connection_disconnect(conn,\n\t\t\to_stream_get_error(conn->output));\n\t\treturn -1;\n\t}\n\n\tconn->to = timeout_add(AUTH_HANDSHAKE_TIMEOUT,\n\t\t\t auth_client_handshake_timeout, conn);\n\treturn 0;\n}",
- "target": 0,
- "cwe": [],
- "project": "core",
- "commit_id": "a9b135760aea6d1790d447d351c56b78889dac22",
- "hash": 248247155098641521347977298366079271112,
- "size": 47,
- "message": "lib-auth: Remove request after abort\n\nOtherwise the request will still stay in hash table\nand get dereferenced when all requests are aborted\ncausing an attempt to access free'd memory.\n\nFound by Apollon Oikonomopoulos <apoikos@debian.org>\n\nBroken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060",
- "dataset": "other",
- "idx": 505198
- },
- {
- "func": "static void auth_server_connection_input(struct auth_server_connection *conn)\n{\n\tstruct istream *input;\n\tconst char *line, *error;\n\tint ret;\n\n\tswitch (i_stream_read(conn->input)) {\n\tcase 0:\n\t\treturn;\n\tcase -1:\n\t\t/* disconnected */\n\t\terror = conn->input->stream_errno != 0 ?\n\t\t\tstrerror(conn->input->stream_errno) : \"EOF\";\n\t\tauth_server_connection_reconnect(conn, error);\n\t\treturn;\n\tcase -2:\n\t\t/* buffer full - can't happen unless auth is buggy */\n\t\ti_error(\"BUG: Auth server sent us more than %d bytes of data\",\n\t\t\tAUTH_SERVER_CONN_MAX_LINE_LENGTH);\n\t\tauth_server_connection_disconnect(conn, \"buffer full\");\n\t\treturn;\n\t}\n\n\tif (!conn->version_received) {\n\t\tline = i_stream_next_line(conn->input);\n\t\tif (line == NULL)\n\t\t\treturn;\n\n\t\t/* make sure the major version matches */\n\t\tif (strncmp(line, \"VERSION\\t\", 8) != 0 ||\n\t\t !str_uint_equals(t_strcut(line + 8, '\\t'),\n\t\t\t\t AUTH_CLIENT_PROTOCOL_MAJOR_VERSION)) {\n\t\t\ti_error(\"Authentication server not compatible with \"\n\t\t\t\t\"this client (mixed old and new binaries?)\");\n\t\t\tauth_server_connection_disconnect(conn,\n\t\t\t\t\"incompatible server\");\n\t\t\treturn;\n\t\t}\n\t\tconn->version_received = TRUE;\n\t}\n\n\tinput = conn->input;\n\ti_stream_ref(input);\n\twhile ((line = i_stream_next_line(input)) != NULL && !input->closed) {\n\t\tT_BEGIN {\n\t\t\tret = auth_server_connection_input_line(conn, line);\n\t\t} T_END;\n\n\t\tif (ret < 0) {\n\t\t\tauth_server_connection_disconnect(conn, t_strdup_printf(\n\t\t\t\t\"Received broken input: %s\", line));\n\t\t\tbreak;\n\t\t}\n\t}\n\ti_stream_unref(&input);\n}",
- "target": 0,
- "cwe": [],
- "project": "core",
- "commit_id": "a9b135760aea6d1790d447d351c56b78889dac22",
- "hash": 261895622309149699495227662079957978387,
- "size": 56,
- "message": "lib-auth: Remove request after abort\n\nOtherwise the request will still stay in hash table\nand get dereferenced when all requests are aborted\ncausing an attempt to access free'd memory.\n\nFound by Apollon Oikonomopoulos <apoikos@debian.org>\n\nBroken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060",
- "dataset": "other",
- "idx": 505212
- },
- {
- "func": "static void auth_server_reconnect_timeout(struct auth_server_connection *conn)\n{\n\t(void)auth_server_connection_connect(conn);\n}",
- "target": 0,
- "cwe": [],
- "project": "core",
- "commit_id": "a9b135760aea6d1790d447d351c56b78889dac22",
- "hash": 196873985221575723118301509644723633834,
- "size": 4,
- "message": "lib-auth: Remove request after abort\n\nOtherwise the request will still stay in hash table\nand get dereferenced when all requests are aborted\ncausing an attempt to access free'd memory.\n\nFound by Apollon Oikonomopoulos <apoikos@debian.org>\n\nBroken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060",
- "dataset": "other",
- "idx": 505195
- },
- {
- "func": "void auth_server_connection_deinit(struct auth_server_connection **_conn)\n{\n struct auth_server_connection *conn = *_conn;\n\n\t*_conn = NULL;\n\n\tauth_server_connection_disconnect(conn, \"deinitializing\");\n\ti_assert(hash_table_count(conn->requests) == 0);\n\thash_table_destroy(&conn->requests);\n\tarray_free(&conn->available_auth_mechs);\n\tpool_unref(&conn->pool);\n}",
- "target": 0,
- "cwe": [],
- "project": "core",
- "commit_id": "a9b135760aea6d1790d447d351c56b78889dac22",
- "hash": 216662586418196099072702855143233170264,
- "size": 12,
- "message": "lib-auth: Remove request after abort\n\nOtherwise the request will still stay in hash table\nand get dereferenced when all requests are aborted\ncausing an attempt to access free'd memory.\n\nFound by Apollon Oikonomopoulos <apoikos@debian.org>\n\nBroken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060",
- "dataset": "other",
- "idx": 505208
- },
- {
- "func": "auth_server_connection_reconnect(struct auth_server_connection *conn,\n\t\t\t\t const char *disconnect_reason)\n{\n\ttime_t next_connect;\n\n\tauth_server_connection_disconnect(conn, disconnect_reason);\n\n\tnext_connect = conn->last_connect + AUTH_SERVER_RECONNECT_TIMEOUT_SECS;\n\tconn->to = timeout_add(ioloop_time >= next_connect ? 0 :\n\t\t\t (next_connect - ioloop_time) * 1000,\n\t\t\t auth_server_reconnect_timeout, conn);\n}",
- "target": 0,
- "cwe": [],
- "project": "core",
- "commit_id": "a9b135760aea6d1790d447d351c56b78889dac22",
- "hash": 31521442441470921887932668469167505419,
- "size": 12,
- "message": "lib-auth: Remove request after abort\n\nOtherwise the request will still stay in hash table\nand get dereferenced when all requests are aborted\ncausing an attempt to access free'd memory.\n\nFound by Apollon Oikonomopoulos <apoikos@debian.org>\n\nBroken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060",
- "dataset": "other",
- "idx": 505211
- },
- {
- "func": "void auth_server_connection_disconnect(struct auth_server_connection *conn,\n\t\t\t\t const char *reason)\n{\n\tif (!conn->connected)\n\t\treturn;\n\tconn->connected = FALSE;\n\tconn->handshake_received = FALSE;\n\tconn->version_received = FALSE;\n\tconn->has_plain_mech = FALSE;\n\tconn->server_pid = 0;\n\tconn->connect_uid = 0;\n\tconn->cookie = NULL;\n\tarray_clear(&conn->available_auth_mechs);\n\n\ttimeout_remove(&conn->to);\n\tio_remove(&conn->io);\n\tif (conn->fd != -1) {\n\t\ti_stream_destroy(&conn->input);\n\t\to_stream_destroy(&conn->output);\n\n\t\tif (close(conn->fd) < 0)\n\t\t\ti_error(\"close(auth server connection) failed: %m\");\n\t\tconn->fd = -1;\n\t}\n\n\tauth_server_connection_remove_requests(conn, reason);\n\n\tif (conn->client->connect_notify_callback != NULL) {\n\t\tconn->client->connect_notify_callback(conn->client, FALSE,\n\t\t\t\tconn->client->connect_notify_context);\n\t}\n}",
- "target": 0,
- "cwe": [],
- "project": "core",
- "commit_id": "a9b135760aea6d1790d447d351c56b78889dac22",
- "hash": 42639496603697390795538267128561591225,
- "size": 32,
- "message": "lib-auth: Remove request after abort\n\nOtherwise the request will still stay in hash table\nand get dereferenced when all requests are aborted\ncausing an attempt to access free'd memory.\n\nFound by Apollon Oikonomopoulos <apoikos@debian.org>\n\nBroken in 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060",
- "dataset": "other",
- "idx": 505216
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "sd_pkt_scan",
- "ov511_pkt_scan",
- "ov51x_handle_button"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "static void ov518_pkt_scan(struct gspca_dev *gspca_dev,\n\t\t\tu8 *data,\t\t\t/* isoc packet */\n\t\t\tint len)\t\t\t/* iso packet length */\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\t/* A false positive here is likely, until OVT gives me\n\t * the definitive SOF/EOF format */\n\tif ((!(data[0] | data[1] | data[2] | data[3] | data[5])) && data[6]) {\n\t\tov51x_handle_button(gspca_dev, (data[6] >> 1) & 1);\n\t\tgspca_frame_add(gspca_dev, LAST_PACKET, NULL, 0);\n\t\tgspca_frame_add(gspca_dev, FIRST_PACKET, NULL, 0);\n\t\tsd->packet_nr = 0;\n\t}\n\n\tif (gspca_dev->last_packet_type == DISCARD_PACKET)\n\t\treturn;\n\n\t/* Does this device use packet numbers ? */\n\tif (len & 7) {\n\t\tlen--;\n\t\tif (sd->packet_nr == data[len])\n\t\t\tsd->packet_nr++;\n\t\t/* The last few packets of the frame (which are all 0's\n\t\t except that they may contain part of the footer), are\n\t\t numbered 0 */\n\t\telse if (sd->packet_nr == 0 || data[len]) {\n\t\t\tgspca_err(gspca_dev, \"Invalid packet nr: %d (expect: %d)\\n\",\n\t\t\t\t (int)data[len], (int)sd->packet_nr);\n\t\t\tgspca_dev->last_packet_type = DISCARD_PACKET;\n\t\t\treturn;\n\t\t}\n\t}\n\n\t/* intermediate packet */\n\tgspca_frame_add(gspca_dev, INTER_PACKET, data, len);\n}",
- "project": "linux",
- "hash": 248294460692326492688023245505605613915,
- "size": 37,
- "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30",
- "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable <stable@vger.kernel.org> # 2.6.31\nCc: Hans de Goede <hdegoede@redhat.com>\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 306315
- },
- {
- "func": "static void ov511_pkt_scan(struct gspca_dev *gspca_dev,\n\t\t\tu8 *in,\t\t\t/* isoc packet */\n\t\t\tint len)\t\t/* iso packet length */\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\t/* SOF/EOF packets have 1st to 8th bytes zeroed and the 9th\n\t * byte non-zero. The EOF packet has image width/height in the\n\t * 10th and 11th bytes. The 9th byte is given as follows:\n\t *\n\t * bit 7: EOF\n\t * 6: compression enabled\n\t * 5: 422/420/400 modes\n\t * 4: 422/420/400 modes\n\t * 3: 1\n\t * 2: snapshot button on\n\t * 1: snapshot frame\n\t * 0: even/odd field\n\t */\n\tif (!(in[0] | in[1] | in[2] | in[3] | in[4] | in[5] | in[6] | in[7]) &&\n\t (in[8] & 0x08)) {\n\t\tov51x_handle_button(gspca_dev, (in[8] >> 2) & 1);\n\t\tif (in[8] & 0x80) {\n\t\t\t/* Frame end */\n\t\t\tif ((in[9] + 1) * 8 != gspca_dev->pixfmt.width ||\n\t\t\t (in[10] + 1) * 8 != gspca_dev->pixfmt.height) {\n\t\t\t\tgspca_err(gspca_dev, \"Invalid frame size, got: %dx%d, requested: %dx%d\\n\",\n\t\t\t\t\t (in[9] + 1) * 8, (in[10] + 1) * 8,\n\t\t\t\t\t gspca_dev->pixfmt.width,\n\t\t\t\t\t gspca_dev->pixfmt.height);\n\t\t\t\tgspca_dev->last_packet_type = DISCARD_PACKET;\n\t\t\t\treturn;\n\t\t\t}\n\t\t\t/* Add 11 byte footer to frame, might be useful */\n\t\t\tgspca_frame_add(gspca_dev, LAST_PACKET, in, 11);\n\t\t\treturn;\n\t\t} else {\n\t\t\t/* Frame start */\n\t\t\tgspca_frame_add(gspca_dev, FIRST_PACKET, in, 0);\n\t\t\tsd->packet_nr = 0;\n\t\t}\n\t}\n\n\t/* Ignore the packet number */\n\tlen--;\n\n\t/* intermediate packet */\n\tgspca_frame_add(gspca_dev, INTER_PACKET, in, len);\n}",
- "project": "linux",
- "hash": 150382074378047696838928351353155261202,
- "size": 49,
- "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30",
- "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable <stable@vger.kernel.org> # 2.6.31\nCc: Hans de Goede <hdegoede@redhat.com>\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 306284
- },
- {
- "func": "static void ov51x_handle_button(struct gspca_dev *gspca_dev, u8 state)\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\tif (sd->snapshot_pressed != state) {\n#if IS_ENABLED(CONFIG_INPUT)\n\t\tinput_report_key(gspca_dev->input_dev, KEY_CAMERA, state);\n\t\tinput_sync(gspca_dev->input_dev);\n#endif\n\t\tif (state)\n\t\t\tsd->snapshot_needs_reset = 1;\n\n\t\tsd->snapshot_pressed = state;\n\t} else {\n\t\t/* On the ov511 / ov519 we need to reset the button state\n\t\t multiple times, as resetting does not work as long as the\n\t\t button stays pressed */\n\t\tswitch (sd->bridge) {\n\t\tcase BRIDGE_OV511:\n\t\tcase BRIDGE_OV511PLUS:\n\t\tcase BRIDGE_OV519:\n\t\t\tif (state)\n\t\t\t\tsd->snapshot_needs_reset = 1;\n\t\t\tbreak;\n\t\t}\n\t}\n}",
- "project": "linux",
- "hash": 150857478172841990234806162599780883915,
- "size": 27,
- "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30",
- "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable <stable@vger.kernel.org> # 2.6.31\nCc: Hans de Goede <hdegoede@redhat.com>\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 306289
- },
- {
- "func": "static void sd_pkt_scan(struct gspca_dev *gspca_dev,\n\t\t\tu8 *data,\t\t\t/* isoc packet */\n\t\t\tint len)\t\t\t/* iso packet length */\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\tswitch (sd->bridge) {\n\tcase BRIDGE_OV511:\n\tcase BRIDGE_OV511PLUS:\n\t\tov511_pkt_scan(gspca_dev, data, len);\n\t\tbreak;\n\tcase BRIDGE_OV518:\n\tcase BRIDGE_OV518PLUS:\n\t\tov518_pkt_scan(gspca_dev, data, len);\n\t\tbreak;\n\tcase BRIDGE_OV519:\n\t\tov519_pkt_scan(gspca_dev, data, len);\n\t\tbreak;\n\tcase BRIDGE_OVFX2:\n\t\tovfx2_pkt_scan(gspca_dev, data, len);\n\t\tbreak;\n\tcase BRIDGE_W9968CF:\n\t\tw9968cf_pkt_scan(gspca_dev, data, len);\n\t\tbreak;\n\t}\n}",
- "project": "linux",
- "hash": 42331720888348708290121231729787661928,
- "size": 26,
- "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30",
- "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable <stable@vger.kernel.org> # 2.6.31\nCc: Hans de Goede <hdegoede@redhat.com>\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 306328
- },
- {
- "func": "static void ovfx2_pkt_scan(struct gspca_dev *gspca_dev,\n\t\t\tu8 *data,\t\t\t/* isoc packet */\n\t\t\tint len)\t\t\t/* iso packet length */\n{\n\tstruct sd *sd = (struct sd *) gspca_dev;\n\n\tgspca_frame_add(gspca_dev, INTER_PACKET, data, len);\n\n\t/* A short read signals EOF */\n\tif (len < gspca_dev->cam.bulk_size) {\n\t\t/* If the frame is short, and it is one of the first ones\n\t\t the sensor and bridge are still syncing, so drop it. */\n\t\tif (sd->first_frame) {\n\t\t\tsd->first_frame--;\n\t\t\tif (gspca_dev->image_len <\n\t\t\t\t sd->gspca_dev.pixfmt.width *\n\t\t\t\t\tsd->gspca_dev.pixfmt.height)\n\t\t\t\tgspca_dev->last_packet_type = DISCARD_PACKET;\n\t\t}\n\t\tgspca_frame_add(gspca_dev, LAST_PACKET, NULL, 0);\n\t\tgspca_frame_add(gspca_dev, FIRST_PACKET, NULL, 0);\n\t}\n}",
- "project": "linux",
- "hash": 144041765687203630765986724315242396265,
- "size": 23,
- "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30",
- "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable <stable@vger.kernel.org> # 2.6.31\nCc: Hans de Goede <hdegoede@redhat.com>\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 306305
- },
- {
- "func": "static void ov519_pkt_scan(struct gspca_dev *gspca_dev,\n\t\t\tu8 *data,\t\t\t/* isoc packet */\n\t\t\tint len)\t\t\t/* iso packet length */\n{\n\t/* Header of ov519 is 16 bytes:\n\t * Byte Value Description\n\t *\t0\t0xff\tmagic\n\t *\t1\t0xff\tmagic\n\t *\t2\t0xff\tmagic\n\t *\t3\t0xXX\t0x50 = SOF, 0x51 = EOF\n\t *\t9\t0xXX\t0x01 initial frame without data,\n\t *\t\t\t0x00 standard frame with image\n\t *\t14\tLo\tin EOF: length of image data / 8\n\t *\t15\tHi\n\t */\n\n\tif (data[0] == 0xff && data[1] == 0xff && data[2] == 0xff) {\n\t\tswitch (data[3]) {\n\t\tcase 0x50:\t\t/* start of frame */\n\t\t\t/* Don't check the button state here, as the state\n\t\t\t usually (always ?) changes at EOF and checking it\n\t\t\t here leads to unnecessary snapshot state resets. */\n#define HDRSZ 16\n\t\t\tdata += HDRSZ;\n\t\t\tlen -= HDRSZ;\n#undef HDRSZ\n\t\t\tif (data[0] == 0xff || data[1] == 0xd8)\n\t\t\t\tgspca_frame_add(gspca_dev, FIRST_PACKET,\n\t\t\t\t\t\tdata, len);\n\t\t\telse\n\t\t\t\tgspca_dev->last_packet_type = DISCARD_PACKET;\n\t\t\treturn;\n\t\tcase 0x51:\t\t/* end of frame */\n\t\t\tov51x_handle_button(gspca_dev, data[11] & 1);\n\t\t\tif (data[9] != 0)\n\t\t\t\tgspca_dev->last_packet_type = DISCARD_PACKET;\n\t\t\tgspca_frame_add(gspca_dev, LAST_PACKET,\n\t\t\t\t\tNULL, 0);\n\t\t\treturn;\n\t\t}\n\t}\n\n\t/* intermediate packet */\n\tgspca_frame_add(gspca_dev, INTER_PACKET, data, len);\n}",
- "project": "linux",
- "hash": 239224543887259682507551553288128195332,
- "size": 45,
- "commit_id": "998912346c0da53a6dbb71fab3a138586b596b30",
- "message": "media: ov519: add missing endpoint sanity checks\n\nMake sure to check that we have at least one endpoint before accessing\nthe endpoint array to avoid dereferencing a NULL-pointer on stream\nstart.\n\nNote that these sanity checks are not redundant as the driver is mixing\nlooking up altsettings by index and by number, which need not coincide.\n\nFixes: 1876bb923c98 (\"V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge\")\nFixes: b282d87332f5 (\"V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)\")\nCc: stable <stable@vger.kernel.org> # 2.6.31\nCc: Hans de Goede <hdegoede@redhat.com>\nSigned-off-by: Johan Hovold <johan@kernel.org>\nSigned-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>\nSigned-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>",
- "target": 0,
- "dataset": "other",
- "idx": 306286
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "GetImageExtrema",
- "GetImageChannelExtrema",
- "GetImageChannelRange"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "MagickExport MagickBooleanType GetImageExtrema(const Image *image,\n size_t *minima,size_t *maxima,ExceptionInfo *exception)\n{\n MagickBooleanType\n status;\n\n status=GetImageChannelExtrema(image,CompositeChannels,minima,maxima,\n exception);\n return(status);\n}",
- "project": "ImageMagick6",
- "hash": 89620588890280348783199772202386886778,
- "size": 10,
- "commit_id": "072d7b10dbe74d1cf4ec0d008990c1a28c076f9e",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3332",
- "target": 0,
- "dataset": "other",
- "idx": 279671
- },
- {
- "func": "MagickExport MagickBooleanType GetImageChannelRange(const Image *image,\n const ChannelType channel,double *minima,double *maxima,\n ExceptionInfo *exception)\n{\n MagickPixelPacket\n pixel;\n\n ssize_t\n y;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n *maxima=(-MagickMaximumValue);\n *minima=MagickMaximumValue;\n GetMagickPixelPacket(image,&pixel);\n for (y=0; y < (ssize_t) image->rows; y++)\n {\n const IndexPacket\n *magick_restrict indexes;\n\n const PixelPacket\n *magick_restrict p;\n\n ssize_t\n x;\n\n p=GetVirtualPixels(image,0,y,image->columns,1,exception);\n if (p == (const PixelPacket *) NULL)\n break;\n indexes=GetVirtualIndexQueue(image);\n for (x=0; x < (ssize_t) image->columns; x++)\n {\n SetMagickPixelPacket(image,p,indexes+x,&pixel);\n if ((channel & RedChannel) != 0)\n {\n if (pixel.red < *minima)\n *minima=(double) pixel.red;\n if (pixel.red > *maxima)\n *maxima=(double) pixel.red;\n }\n if ((channel & GreenChannel) != 0)\n {\n if (pixel.green < *minima)\n *minima=(double) pixel.green;\n if (pixel.green > *maxima)\n *maxima=(double) pixel.green;\n }\n if ((channel & BlueChannel) != 0)\n {\n if (pixel.blue < *minima)\n *minima=(double) pixel.blue;\n if (pixel.blue > *maxima)\n *maxima=(double) pixel.blue;\n }\n if (((channel & OpacityChannel) != 0) && (image->matte != MagickFalse))\n {\n if ((QuantumRange-pixel.opacity) < *minima)\n *minima=(double) (QuantumRange-pixel.opacity);\n if ((QuantumRange-pixel.opacity) > *maxima)\n *maxima=(double) (QuantumRange-pixel.opacity);\n }\n if (((channel & IndexChannel) != 0) &&\n (image->colorspace == CMYKColorspace))\n {\n if ((double) pixel.index < *minima)\n *minima=(double) pixel.index;\n if ((double) pixel.index > *maxima)\n *maxima=(double) pixel.index;\n }\n p++;\n }\n }\n return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);\n}",
- "project": "ImageMagick6",
- "hash": 295910190258527588056872618957129473125,
- "size": 76,
- "commit_id": "072d7b10dbe74d1cf4ec0d008990c1a28c076f9e",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3332",
- "target": 0,
- "dataset": "other",
- "idx": 279669
- },
- {
- "func": "MagickExport MagickBooleanType GetImageChannelExtrema(const Image *image,\n const ChannelType channel,size_t *minima,size_t *maxima,\n ExceptionInfo *exception)\n{\n double\n max,\n min;\n\n MagickBooleanType\n status;\n\n assert(image != (Image *) NULL);\n assert(image->signature == MagickCoreSignature);\n if (image->debug != MagickFalse)\n (void) LogMagickEvent(TraceEvent,GetMagickModule(),\"%s\",image->filename);\n status=GetImageChannelRange(image,channel,&min,&max,exception);\n *minima=(size_t) ceil(min-0.5);\n *maxima=(size_t) floor(max+0.5);\n return(status);\n}",
- "project": "ImageMagick6",
- "hash": 273808305612378625434513217201000660308,
- "size": 20,
- "commit_id": "072d7b10dbe74d1cf4ec0d008990c1a28c076f9e",
- "message": "https://github.com/ImageMagick/ImageMagick/issues/3332",
- "target": 0,
- "dataset": "other",
- "idx": 279659
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ip6_flush_pending_frames",
- "__ip6_flush_pending_frames",
- "ip6_cork_release"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static void __ip6_flush_pending_frames(struct sock *sk,\n\t\t\t\t struct sk_buff_head *queue,\n\t\t\t\t struct inet_cork_full *cork,\n\t\t\t\t struct inet6_cork *v6_cork)\n{\n\tstruct sk_buff *skb;\n\n\twhile ((skb = __skb_dequeue_tail(queue)) != NULL) {\n\t\tif (skb_dst(skb))\n\t\t\tIP6_INC_STATS(sock_net(sk), ip6_dst_idev(skb_dst(skb)),\n\t\t\t\t IPSTATS_MIB_OUTDISCARDS);\n\t\tkfree_skb(skb);\n\t}\n\n\tip6_cork_release(cork, v6_cork);\n}",
- "project": "net",
- "hash": 274902406864810533615672445424423331100,
- "size": 16,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468976
- },
- {
- "func": "static void ip6_cork_release(struct inet_cork_full *cork,\n\t\t\t struct inet6_cork *v6_cork)\n{\n\tif (v6_cork->opt) {\n\t\tkfree(v6_cork->opt->dst0opt);\n\t\tkfree(v6_cork->opt->dst1opt);\n\t\tkfree(v6_cork->opt->hopopt);\n\t\tkfree(v6_cork->opt->srcrt);\n\t\tkfree(v6_cork->opt);\n\t\tv6_cork->opt = NULL;\n\t}\n\n\tif (cork->base.dst) {\n\t\tdst_release(cork->base.dst);\n\t\tcork->base.dst = NULL;\n\t\tcork->base.flags &= ~IPCORK_ALLFRAG;\n\t}\n\tmemset(&cork->fl, 0, sizeof(cork->fl));\n}",
- "project": "net",
- "hash": 305072947236491870073283779322394490711,
- "size": 19,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468937
- },
- {
- "func": "void ip6_flush_pending_frames(struct sock *sk)\n{\n\t__ip6_flush_pending_frames(sk, &sk->sk_write_queue,\n\t\t\t\t &inet_sk(sk)->cork, &inet6_sk(sk)->cork);\n}",
- "project": "net",
- "hash": 160316371858776337464461155047973262285,
- "size": 5,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468987
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "finalize",
- "copy_up_to",
- "append"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": " void append(char c) {\n assertx(p < end);\n *p++ = c;\n }",
- "project": "hhvm",
- "hash": 194270187745004253098062412131397465113,
- "size": 4,
- "commit_id": "b3679121bb3c7017ff04b4c08402ffff5cf59b13",
- "message": "Fix buffer overrun in SimpleParser::handleBackslash\n\nSummary:\nIt read 4 chars, then checked for validity, but any of them could have\nbeen the end of the string, so check after each one instead.\n\nReviewed By: oulgen\n\nDifferential Revision: D19611163\n\nfbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4",
- "target": 0,
- "dataset": "other",
- "idx": 227312
- },
- {
- "func": "UnicodeString::append(UChar32 srcChar) {\n UChar buffer[U16_MAX_LENGTH];\n int32_t _length = 0;\n UBool isError = FALSE;\n U16_APPEND(buffer, _length, U16_MAX_LENGTH, srcChar, isError);\n // We test isError so that the compiler does not complain that we don't.\n // If isError then _length==0 which turns the doAppend() into a no-op anyway.\n return isError ? *this : doAppend(buffer, 0, _length);\n}",
- "project": "icu",
- "hash": 185527043463868504648827379672231453375,
- "size": 9,
- "commit_id": "b7d08bc04a4296982fcef8b6b8a354a9e4e7afca",
- "message": "ICU-20958 Prevent SEGV_MAPERR in append\n\nSee #971",
- "target": 0,
- "dataset": "other",
- "idx": 430794
- },
- {
- "func": " bool append(Rewritable_query_parameter *p)\n {\n if (copy_up_to(p->pos_in_query) || p->append_for_log(thd, dst))\n return true;\n from= p->pos_in_query + p->len_in_query;\n return false;\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 250858376201301816218606440955927257246,
- "size": 7,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509165
- },
- {
- "func": " bool finalize()\n { return copy_up_to(src_len); }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 186729004682616344182386535774793539415,
- "size": 2,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 508929
- },
- {
- "func": " bool copy_up_to(size_t bytes)\n {\n DBUG_ASSERT(bytes >= from);\n return dst->append(src + from, uint32(bytes - from));\n }",
- "target": 0,
- "cwe": [
- "CWE-617"
- ],
- "project": "server",
- "commit_id": "2e7891080667c59ac80f788eef4d59d447595772",
- "hash": 60278060354674197881302339153674598560,
- "size": 5,
- "message": "MDEV-25635 Assertion failure when pushing from HAVING into WHERE of view\n\nThis bug could manifest itself after pushing a where condition over a\nmergeable derived table / view / CTE DT into a grouping view / derived\ntable / CTE V whose item list contained set functions with constant\narguments such as MIN(2), SUM(1) etc. In such cases the field references\nused in the condition pushed into the view V that correspond set functions\nare wrapped into Item_direct_view_ref wrappers. Due to a wrong implementation\nof the virtual method const_item() for the class Item_direct_view_ref the\nwrapped set functions with constant arguments could be erroneously taken\nfor constant items. This could lead to a wrong result set returned by the\nmain select query in 10.2. In 10.4 where a possibility of pushing condition\nfrom HAVING into WHERE had been added this could cause a crash.\n\nApproved by Sergey Petrunya <sergey.petrunya@mariadb.com>",
- "dataset": "other",
- "idx": 509289
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ctnetlink_del_conntrack",
- "ctnetlink_flush_conntrack",
- "ctnetlink_needs_filter"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static int ctnetlink_flush_conntrack(struct net *net,\n\t\t\t\t const struct nlattr * const cda[],\n\t\t\t\t u32 portid, int report, u8 family)\n{\n\tstruct ctnetlink_filter *filter = NULL;\n\n\tif (ctnetlink_needs_filter(family, cda)) {\n\t\tif (cda[CTA_FILTER])\n\t\t\treturn -EOPNOTSUPP;\n\n\t\tfilter = ctnetlink_alloc_filter(cda, family);\n\t\tif (IS_ERR(filter))\n\t\t\treturn PTR_ERR(filter);\n\t}\n\n\tnf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,\n\t\t\t\t portid, report);\n\tkfree(filter);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 297756815088480192333216843352414705469,
- "size": 21,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394240
- },
- {
- "func": "static int ctnetlink_start(struct netlink_callback *cb)\n{\n\tconst struct nlattr * const *cda = cb->data;\n\tstruct ctnetlink_filter *filter = NULL;\n\tstruct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);\n\tu8 family = nfmsg->nfgen_family;\n\n\tif (ctnetlink_needs_filter(family, cda)) {\n\t\tfilter = ctnetlink_alloc_filter(cda, family);\n\t\tif (IS_ERR(filter))\n\t\t\treturn PTR_ERR(filter);\n\t}\n\n\tcb->data = filter;\n\treturn 0;\n}",
- "project": "linux",
- "hash": 159580088770228980568785488949841904057,
- "size": 16,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394264
- },
- {
- "func": "static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda)\n{\n\treturn family || cda[CTA_MARK] || cda[CTA_FILTER];\n}",
- "project": "linux",
- "hash": 28363253343194961682266834953341645937,
- "size": 4,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394263
- },
- {
- "func": "static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,\n\t\t\t\t struct sk_buff *skb,\n\t\t\t\t const struct nlmsghdr *nlh,\n\t\t\t\t const struct nlattr * const cda[],\n\t\t\t\t struct netlink_ext_ack *extack)\n{\n\tstruct nf_conntrack_tuple_hash *h;\n\tstruct nf_conntrack_tuple tuple;\n\tstruct nf_conn *ct;\n\tstruct nfgenmsg *nfmsg = nlmsg_data(nlh);\n\tstruct nf_conntrack_zone zone;\n\tint err;\n\n\terr = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);\n\tif (err < 0)\n\t\treturn err;\n\n\tif (cda[CTA_TUPLE_ORIG])\n\t\terr = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,\n\t\t\t\t\t nfmsg->nfgen_family, &zone);\n\telse if (cda[CTA_TUPLE_REPLY])\n\t\terr = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,\n\t\t\t\t\t nfmsg->nfgen_family, &zone);\n\telse {\n\t\tu_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;\n\n\t\treturn ctnetlink_flush_conntrack(net, cda,\n\t\t\t\t\t\t NETLINK_CB(skb).portid,\n\t\t\t\t\t\t nlmsg_report(nlh), u3);\n\t}\n\n\tif (err < 0)\n\t\treturn err;\n\n\th = nf_conntrack_find_get(net, &zone, &tuple);\n\tif (!h)\n\t\treturn -ENOENT;\n\n\tct = nf_ct_tuplehash_to_ctrack(h);\n\n\tif (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {\n\t\tnf_ct_put(ct);\n\t\treturn -EBUSY;\n\t}\n\n\tif (cda[CTA_ID]) {\n\t\t__be32 id = nla_get_be32(cda[CTA_ID]);\n\n\t\tif (id != (__force __be32)nf_ct_get_id(ct)) {\n\t\t\tnf_ct_put(ct);\n\t\t\treturn -ENOENT;\n\t\t}\n\t}\n\n\tnf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));\n\tnf_ct_put(ct);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 199519794799093900485088046311685364658,
- "size": 59,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394209
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "~FastHufDecoder",
- "FastHufDecoder",
- "readBits"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "FastHufDecoder::buildTables (Int64 *base, Int64 *offset)\n{\n //\n // Build the 'left justified' base table, by shifting base left..\n //\n\n for (int i = 0; i <= MAX_CODE_LEN; ++i)\n {\n if (base[i] != 0xffffffffffffffffULL)\n {\n _ljBase[i] = base[i] << (64 - i);\n }\n else\n {\n //\n // Unused code length - insert dummy values\n //\n\n _ljBase[i] = 0xffffffffffffffffULL;\n }\n }\n\n //\n // Combine some terms into a big fat constant, which for\n // lack of a better term we'll call the 'left justified' \n // offset table (because it serves the same function\n // as 'offset', when using the left justified base table.\n //\n\n _ljOffset[0] = offset[0] - _ljBase[0];\n for (int i = 1; i <= MAX_CODE_LEN; ++i)\n _ljOffset[i] = offset[i] - (_ljBase[i] >> (64 - i));\n\n //\n // Build the acceleration tables for the lookups of\n // short codes ( <= TABLE_LOOKUP_BITS long)\n //\n\n for (Int64 i = 0; i < 1 << TABLE_LOOKUP_BITS; ++i)\n {\n Int64 value = i << (64 - TABLE_LOOKUP_BITS);\n\n _tableSymbol[i] = 0xffff;\n _tableCodeLen[i] = 0; \n\n for (int codeLen = _minCodeLength; codeLen <= _maxCodeLength; ++codeLen)\n {\n if (_ljBase[codeLen] <= value)\n {\n _tableCodeLen[i] = codeLen;\n\n Int64 id = _ljOffset[codeLen] + (value >> (64 - codeLen));\n if (id < static_cast<Int64>(_numSymbols))\n {\n _tableSymbol[i] = _idToSymbol[id];\n }\n else\n {\n throw IEX_NAMESPACE::InputExc (\"Huffman decode error \"\n \"(Overrun).\");\n }\n break;\n }\n }\n }\n\n //\n // Store the smallest value in the table that points to real data.\n // This should be the entry for the largest length that has \n // valid data (in our case, non-dummy _ljBase)\n //\n\n int minIdx = TABLE_LOOKUP_BITS;\n\n while (minIdx > 0 && _ljBase[minIdx] == 0xffffffffffffffffULL)\n minIdx--;\n\n if (minIdx < 0)\n {\n //\n // Error, no codes with lengths 0-TABLE_LOOKUP_BITS used.\n // Set the min value such that the table is never tested.\n //\n\n _tableMin = 0xffffffffffffffffULL;\n }\n else\n {\n _tableMin = 
_ljBase[minIdx];\n }\n}",
- "project": "openexr",
- "hash": 306109955892137423713079668733673743520,
- "size": 91,
- "commit_id": "c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f",
- "message": "compute Huf codelengths using 64 bit to prevent shift overflow\n\nSigned-off-by: Peter Hillman <peterh@wetafx.co.nz>",
- "target": 0,
- "dataset": "other",
- "idx": 413445
- },
- {
- "func": "FastHufDecoder::readBits\n (int numBits,\n Int64 &buffer, // c\n int &bufferNumBits, // lc\n const char *&currByte) // in\n{\n while (bufferNumBits < numBits)\n {\n buffer = (buffer << 8) | *(unsigned char*)(currByte++);\n bufferNumBits += 8;\n }\n\n bufferNumBits -= numBits;\n return (buffer >> bufferNumBits) & ((1 << numBits) - 1);\n}",
- "project": "openexr",
- "hash": 161998660677043966011742297206927694899,
- "size": 15,
- "commit_id": "c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f",
- "message": "compute Huf codelengths using 64 bit to prevent shift overflow\n\nSigned-off-by: Peter Hillman <peterh@wetafx.co.nz>",
- "target": 0,
- "dataset": "other",
- "idx": 413448
- },
- {
- "func": "FastHufDecoder::FastHufDecoder\n (const char *&table,\n int numBytes,\n int minSymbol,\n int maxSymbol,\n int rleSymbol)\n:\n _rleSymbol (rleSymbol),\n _numSymbols (0),\n _minCodeLength (255),\n _maxCodeLength (0),\n _idToSymbol (0)\n{\n //\n // List of symbols that we find with non-zero code lengths\n // (listed in the order we find them). Store these in the\n // same format as the code book stores codes + lengths - \n // low 6 bits are the length, everything above that is\n // the symbol.\n //\n\n std::vector<Int64> symbols;\n\n //\n // The 'base' table is the minimum code at each code length. base[i]\n // is the smallest code (numerically) of length i.\n //\n\n Int64 base[MAX_CODE_LEN + 1]; \n\n //\n // The 'offset' table is the position (in sorted order) of the first id\n // of a given code lenght. Array is indexed by code length, like base. \n //\n\n Int64 offset[MAX_CODE_LEN + 1]; \n\n //\n // Count of how many codes at each length there are. Array is \n // indexed by code length, like base and offset.\n //\n\n size_t codeCount[MAX_CODE_LEN + 1]; \n\n for (int i = 0; i <= MAX_CODE_LEN; ++i)\n {\n codeCount[i] = 0;\n base[i] = 0xffffffffffffffffULL;\n offset[i] = 0;\n }\n\n //\n // Count the number of codes, the min/max code lengths, the number of\n // codes with each length, and record symbols with non-zero code\n // length as we find them.\n //\n\n const char *currByte = table;\n Int64 currBits = 0;\n int currBitCount = 0;\n\n const int SHORT_ZEROCODE_RUN = 59;\n const int LONG_ZEROCODE_RUN = 63;\n const int SHORTEST_LONG_RUN = 2 + LONG_ZEROCODE_RUN - SHORT_ZEROCODE_RUN;\n\n for (Int64 symbol = static_cast<Int64>(minSymbol); symbol <= static_cast<Int64>(maxSymbol); symbol++)\n {\n if (currByte - table > numBytes)\n {\n throw IEX_NAMESPACE::InputExc (\"Error decoding Huffman table \"\n \"(Truncated table data).\");\n }\n\n //\n // Next code length - either:\n // 0-58 (literal code length)\n // 59-62 (various lengths runs of 0)\n // 63 (run of n 
0's, with n is the next 8 bits)\n //\n\n Int64 codeLen = readBits (6, currBits, currBitCount, currByte);\n\n if (codeLen == (Int64) LONG_ZEROCODE_RUN)\n {\n if (currByte - table > numBytes)\n {\n throw IEX_NAMESPACE::InputExc (\"Error decoding Huffman table \"\n \"(Truncated table data).\");\n }\n\n int runLen = readBits (8, currBits, currBitCount, currByte) +\n SHORTEST_LONG_RUN;\n\n if (symbol + runLen > static_cast<Int64>(maxSymbol + 1))\n {\n throw IEX_NAMESPACE::InputExc (\"Error decoding Huffman table \"\n \"(Run beyond end of table).\");\n }\n \n symbol += runLen - 1;\n\n }\n else if (codeLen >= static_cast<Int64>(SHORT_ZEROCODE_RUN))\n {\n int runLen = codeLen - SHORT_ZEROCODE_RUN + 2;\n\n if (symbol + runLen > static_cast<Int64>(maxSymbol + 1))\n {\n throw IEX_NAMESPACE::InputExc (\"Error decoding Huffman table \"\n \"(Run beyond end of table).\");\n }\n\n symbol += runLen - 1;\n\n }\n else if (codeLen != 0)\n {\n symbols.push_back ((symbol << 6) | (codeLen & 63));\n\n if (codeLen < _minCodeLength)\n _minCodeLength = codeLen;\n\n if (codeLen > _maxCodeLength)\n _maxCodeLength = codeLen;\n\n codeCount[codeLen]++;\n }\n }\n\n for (int i = 0; i < MAX_CODE_LEN; ++i)\n _numSymbols += codeCount[i];\n\n table = currByte;\n\n //\n // Compute base - once we have the code length counts, there\n // is a closed form solution for this\n //\n\n {\n double* countTmp = new double[_maxCodeLength+1];\n\n for (int l = _minCodeLength; l <= _maxCodeLength; ++l)\n {\n countTmp[l] = (double)codeCount[l] * \n (double)(2 << (_maxCodeLength-l));\n }\n \n for (int l = _minCodeLength; l <= _maxCodeLength; ++l)\n {\n double tmp = 0;\n\n for (int k =l + 1; k <= _maxCodeLength; ++k)\n tmp += countTmp[k];\n \n tmp /= (double)(2 << (_maxCodeLength - l));\n\n base[l] = (Int64)ceil (tmp);\n }\n\n delete [] countTmp;\n }\n \n //\n // Compute offset - these are the positions of the first\n // id (not symbol) that has length [i]\n //\n\n offset[_maxCodeLength] = 0;\n\n for (int i= 
_maxCodeLength - 1; i >= _minCodeLength; i--)\n offset[i] = offset[i + 1] + codeCount[i + 1];\n\n //\n // Allocate and fill the symbol-to-id mapping. Smaller Ids should be\n // mapped to less-frequent symbols (which have longer codes). Use\n // the offset table to tell us where the id's for a given code \n // length start off.\n //\n\n _idToSymbol = new int[_numSymbols];\n\n Int64 mapping[MAX_CODE_LEN + 1];\n for (int i = 0; i < MAX_CODE_LEN + 1; ++i) \n mapping[i] = -1;\n for (int i = _minCodeLength; i <= _maxCodeLength; ++i)\n mapping[i] = offset[i];\n\n for (std::vector<Int64>::const_iterator i = symbols.begin(); \n i != symbols.end();\n ++i)\n {\n int codeLen = *i & 63;\n int symbol = *i >> 6;\n\n if (mapping[codeLen] >= static_cast<Int64>(_numSymbols))\n {\n delete[] _idToSymbol;\n _idToSymbol = NULL;\n throw IEX_NAMESPACE::InputExc (\"Huffman decode error \"\n \"(Invalid symbol in header).\");\n }\n _idToSymbol[mapping[codeLen]] = symbol;\n mapping[codeLen]++;\n }\n\n //\n // exceptions can be thrown whilst building tables. Delete\n // _idToSynmbol before re-throwing to prevent memory leak\n //\n try\n {\n buildTables(base, offset);\n }catch(...)\n {\n delete[] _idToSymbol;\n _idToSymbol = NULL;\n throw;\n }\n}",
- "project": "openexr",
- "hash": 295327035492456381923444384031538504049,
- "size": 220,
- "commit_id": "c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f",
- "message": "compute Huf codelengths using 64 bit to prevent shift overflow\n\nSigned-off-by: Peter Hillman <peterh@wetafx.co.nz>",
- "target": 1,
- "dataset": "other",
- "idx": 208675
- },
- {
- "func": "FastHufDecoder::FastHufDecoder\n (const char *&table,\n int numBytes,\n int minSymbol,\n int maxSymbol,\n int rleSymbol)\n:\n _rleSymbol (rleSymbol),\n _numSymbols (0),\n _minCodeLength (255),\n _maxCodeLength (0),\n _idToSymbol (0)\n{\n //\n // List of symbols that we find with non-zero code lengths\n // (listed in the order we find them). Store these in the\n // same format as the code book stores codes + lengths - \n // low 6 bits are the length, everything above that is\n // the symbol.\n //\n\n std::vector<Int64> symbols;\n\n //\n // The 'base' table is the minimum code at each code length. base[i]\n // is the smallest code (numerically) of length i.\n //\n\n Int64 base[MAX_CODE_LEN + 1]; \n\n //\n // The 'offset' table is the position (in sorted order) of the first id\n // of a given code lenght. Array is indexed by code length, like base. \n //\n\n Int64 offset[MAX_CODE_LEN + 1]; \n\n //\n // Count of how many codes at each length there are. Array is \n // indexed by code length, like base and offset.\n //\n\n size_t codeCount[MAX_CODE_LEN + 1]; \n\n for (int i = 0; i <= MAX_CODE_LEN; ++i)\n {\n codeCount[i] = 0;\n base[i] = 0xffffffffffffffffULL;\n offset[i] = 0;\n }\n\n //\n // Count the number of codes, the min/max code lengths, the number of\n // codes with each length, and record symbols with non-zero code\n // length as we find them.\n //\n\n const char *currByte = table;\n Int64 currBits = 0;\n int currBitCount = 0;\n\n const int SHORT_ZEROCODE_RUN = 59;\n const int LONG_ZEROCODE_RUN = 63;\n const int SHORTEST_LONG_RUN = 2 + LONG_ZEROCODE_RUN - SHORT_ZEROCODE_RUN;\n\n for (Int64 symbol = static_cast<Int64>(minSymbol); symbol <= static_cast<Int64>(maxSymbol); symbol++)\n {\n if (currByte - table > numBytes)\n {\n throw IEX_NAMESPACE::InputExc (\"Error decoding Huffman table \"\n \"(Truncated table data).\");\n }\n\n //\n // Next code length - either:\n // 0-58 (literal code length)\n // 59-62 (various lengths runs of 0)\n // 63 (run of n 
0's, with n is the next 8 bits)\n //\n\n Int64 codeLen = readBits (6, currBits, currBitCount, currByte);\n\n if (codeLen == (Int64) LONG_ZEROCODE_RUN)\n {\n if (currByte - table > numBytes)\n {\n throw IEX_NAMESPACE::InputExc (\"Error decoding Huffman table \"\n \"(Truncated table data).\");\n }\n\n int runLen = readBits (8, currBits, currBitCount, currByte) +\n SHORTEST_LONG_RUN;\n\n if (symbol + runLen > static_cast<Int64>(maxSymbol + 1))\n {\n throw IEX_NAMESPACE::InputExc (\"Error decoding Huffman table \"\n \"(Run beyond end of table).\");\n }\n \n symbol += runLen - 1;\n\n }\n else if (codeLen >= static_cast<Int64>(SHORT_ZEROCODE_RUN))\n {\n int runLen = codeLen - SHORT_ZEROCODE_RUN + 2;\n\n if (symbol + runLen > static_cast<Int64>(maxSymbol + 1))\n {\n throw IEX_NAMESPACE::InputExc (\"Error decoding Huffman table \"\n \"(Run beyond end of table).\");\n }\n\n symbol += runLen - 1;\n\n }\n else if (codeLen != 0)\n {\n symbols.push_back ((symbol << 6) | (codeLen & 63));\n\n if (codeLen < _minCodeLength)\n _minCodeLength = codeLen;\n\n if (codeLen > _maxCodeLength)\n _maxCodeLength = codeLen;\n\n codeCount[codeLen]++;\n }\n }\n\n for (int i = 0; i < MAX_CODE_LEN; ++i)\n _numSymbols += codeCount[i];\n\n table = currByte;\n\n //\n // Compute base - once we have the code length counts, there\n // is a closed form solution for this\n //\n\n {\n double* countTmp = new double[_maxCodeLength+1];\n\n for (int l = _minCodeLength; l <= _maxCodeLength; ++l)\n {\n countTmp[l] = (double)codeCount[l] * \n (double)(2ll << (_maxCodeLength-l));\n }\n \n for (int l = _minCodeLength; l <= _maxCodeLength; ++l)\n {\n double tmp = 0;\n\n for (int k =l + 1; k <= _maxCodeLength; ++k)\n tmp += countTmp[k];\n \n tmp /= (double)(2ll << (_maxCodeLength - l));\n\n base[l] = (Int64)ceil (tmp);\n }\n\n delete [] countTmp;\n }\n \n //\n // Compute offset - these are the positions of the first\n // id (not symbol) that has length [i]\n //\n\n offset[_maxCodeLength] = 0;\n\n for (int i= 
_maxCodeLength - 1; i >= _minCodeLength; i--)\n offset[i] = offset[i + 1] + codeCount[i + 1];\n\n //\n // Allocate and fill the symbol-to-id mapping. Smaller Ids should be\n // mapped to less-frequent symbols (which have longer codes). Use\n // the offset table to tell us where the id's for a given code \n // length start off.\n //\n\n _idToSymbol = new int[_numSymbols];\n\n Int64 mapping[MAX_CODE_LEN + 1];\n for (int i = 0; i < MAX_CODE_LEN + 1; ++i) \n mapping[i] = -1;\n for (int i = _minCodeLength; i <= _maxCodeLength; ++i)\n mapping[i] = offset[i];\n\n for (std::vector<Int64>::const_iterator i = symbols.begin(); \n i != symbols.end();\n ++i)\n {\n int codeLen = *i & 63;\n int symbol = *i >> 6;\n\n if (mapping[codeLen] >= static_cast<Int64>(_numSymbols))\n {\n delete[] _idToSymbol;\n _idToSymbol = NULL;\n throw IEX_NAMESPACE::InputExc (\"Huffman decode error \"\n \"(Invalid symbol in header).\");\n }\n _idToSymbol[mapping[codeLen]] = symbol;\n mapping[codeLen]++;\n }\n\n //\n // exceptions can be thrown whilst building tables. Delete\n // _idToSynmbol before re-throwing to prevent memory leak\n //\n try\n {\n buildTables(base, offset);\n }catch(...)\n {\n delete[] _idToSymbol;\n _idToSymbol = NULL;\n throw;\n }\n}",
- "project": "openexr",
- "hash": 153643357904600972132151102261211578620,
- "size": 220,
- "commit_id": "c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f",
- "message": "compute Huf codelengths using 64 bit to prevent shift overflow\n\nSigned-off-by: Peter Hillman <peterh@wetafx.co.nz>",
- "target": 0,
- "dataset": "other",
- "idx": 413449
- },
- {
- "func": "FastHufDecoder::~FastHufDecoder()\n{\n delete[] _idToSymbol;\n}",
- "project": "openexr",
- "hash": 34370562759391630391791074889164252260,
- "size": 4,
- "commit_id": "c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f",
- "message": "compute Huf codelengths using 64 bit to prevent shift overflow\n\nSigned-off-by: Peter Hillman <peterh@wetafx.co.nz>",
- "target": 0,
- "dataset": "other",
- "idx": 413443
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "dlpar_free_cc_nodes",
- "dlpar_free_one_cc_node",
- "dlpar_free_cc_property"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "void dlpar_free_cc_nodes(struct device_node *dn)\n{\n\tif (dn->child)\n\t\tdlpar_free_cc_nodes(dn->child);\n\n\tif (dn->sibling)\n\t\tdlpar_free_cc_nodes(dn->sibling);\n\n\tdlpar_free_one_cc_node(dn);\n}",
- "project": "linux",
- "hash": 294886270254998832875064053259382175941,
- "size": 10,
- "commit_id": "efa9ace68e487ddd29c2b4d6dd23242158f1f607",
- "message": "powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()\n\nIn dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup().\nkstrdup() may return NULL, so it should be checked and handle error.\nAnd prop should be freed if 'prop->name' is NULL.\n\nSigned-off-by: Gen Zhang <blackgod016574@gmail.com>\nSigned-off-by: Michael Ellerman <mpe@ellerman.id.au>",
- "target": 0,
- "dataset": "other",
- "idx": 380136
- },
- {
- "func": "void dlpar_free_cc_property(struct property *prop)\n{\n\tkfree(prop->name);\n\tkfree(prop->value);\n\tkfree(prop);\n}",
- "project": "linux",
- "hash": 104293824315803097735386120227292768607,
- "size": 6,
- "commit_id": "efa9ace68e487ddd29c2b4d6dd23242158f1f607",
- "message": "powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()\n\nIn dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup().\nkstrdup() may return NULL, so it should be checked and handle error.\nAnd prop should be freed if 'prop->name' is NULL.\n\nSigned-off-by: Gen Zhang <blackgod016574@gmail.com>\nSigned-off-by: Michael Ellerman <mpe@ellerman.id.au>",
- "target": 0,
- "dataset": "other",
- "idx": 380131
- },
- {
- "func": "static void dlpar_free_one_cc_node(struct device_node *dn)\n{\n\tstruct property *prop;\n\n\twhile (dn->properties) {\n\t\tprop = dn->properties;\n\t\tdn->properties = prop->next;\n\t\tdlpar_free_cc_property(prop);\n\t}\n\n\tkfree(dn->full_name);\n\tkfree(dn);\n}",
- "project": "linux",
- "hash": 39009601055864260210951865566015111448,
- "size": 13,
- "commit_id": "efa9ace68e487ddd29c2b4d6dd23242158f1f607",
- "message": "powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()\n\nIn dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup().\nkstrdup() may return NULL, so it should be checked and handle error.\nAnd prop should be freed if 'prop->name' is NULL.\n\nSigned-off-by: Gen Zhang <blackgod016574@gmail.com>\nSigned-off-by: Michael Ellerman <mpe@ellerman.id.au>",
- "target": 0,
- "dataset": "other",
- "idx": 380130
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ntlm_compute_lm_v2_response",
- "ntlm_compute_ntlm_v2_hash",
- "ntlm_convert_password_hash"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "int ntlm_compute_lm_v2_response(NTLM_CONTEXT* context)\n{\n\tBYTE* response;\n\tBYTE value[WINPR_MD5_DIGEST_LENGTH];\n\n\tif (context->LmCompatibilityLevel < 2)\n\t{\n\t\tif (!sspi_SecBufferAlloc(&context->LmChallengeResponse, 24))\n\t\t\treturn -1;\n\n\t\tZeroMemory(context->LmChallengeResponse.pvBuffer, 24);\n\t\treturn 1;\n\t}\n\n\t/* Compute the NTLMv2 hash */\n\n\tif (ntlm_compute_ntlm_v2_hash(context, context->NtlmV2Hash) < 0)\n\t\treturn -1;\n\n\t/* Concatenate the server and client challenges */\n\tCopyMemory(value, context->ServerChallenge, 8);\n\tCopyMemory(&value[8], context->ClientChallenge, 8);\n\n\tif (!sspi_SecBufferAlloc(&context->LmChallengeResponse, 24))\n\t\treturn -1;\n\n\tresponse = (BYTE*)context->LmChallengeResponse.pvBuffer;\n\t/* Compute the HMAC-MD5 hash of the resulting value using the NTLMv2 hash as the key */\n\twinpr_HMAC(WINPR_MD_MD5, (void*)context->NtlmV2Hash, WINPR_MD5_DIGEST_LENGTH, (BYTE*)value,\n\t WINPR_MD5_DIGEST_LENGTH, (BYTE*)response, WINPR_MD5_DIGEST_LENGTH);\n\t/* Concatenate the resulting HMAC-MD5 hash and the client challenge, giving us the LMv2 response\n\t * (24 bytes) */\n\tCopyMemory(&response[16], context->ClientChallenge, 8);\n\treturn 1;\n}",
- "project": "FreeRDP",
- "hash": 287281750704487996322467746096463896731,
- "size": 35,
- "commit_id": "c098f21fdaadca57ff649eee1674f6cc321a2ec4",
- "message": "Fixed oob read in ntlm_read_ntlm_v2_response",
- "target": 0,
- "dataset": "other",
- "idx": 424854
- },
- {
- "func": "static int ntlm_compute_ntlm_v2_hash(NTLM_CONTEXT* context, BYTE* hash)\n{\n\tSSPI_CREDENTIALS* credentials = context->credentials;\n#ifdef WITH_DEBUG_NTLM\n\n\tif (credentials)\n\t{\n\t\tWLog_DBG(TAG, \"Password (length = %\" PRIu32 \")\", credentials->identity.PasswordLength * 2);\n\t\twinpr_HexDump(TAG, WLOG_DEBUG, (BYTE*)credentials->identity.Password,\n\t\t credentials->identity.PasswordLength * 2);\n\t\tWLog_DBG(TAG, \"Username (length = %\" PRIu32 \")\", credentials->identity.UserLength * 2);\n\t\twinpr_HexDump(TAG, WLOG_DEBUG, (BYTE*)credentials->identity.User,\n\t\t credentials->identity.UserLength * 2);\n\t\tWLog_DBG(TAG, \"Domain (length = %\" PRIu32 \")\", credentials->identity.DomainLength * 2);\n\t\twinpr_HexDump(TAG, WLOG_DEBUG, (BYTE*)credentials->identity.Domain,\n\t\t credentials->identity.DomainLength * 2);\n\t}\n\telse\n\t\tWLog_DBG(TAG, \"Strange, NTLM_CONTEXT is missing valid credentials...\");\n\n\tWLog_DBG(TAG, \"Workstation (length = %\" PRIu16 \")\", context->Workstation.Length);\n\twinpr_HexDump(TAG, WLOG_DEBUG, (BYTE*)context->Workstation.Buffer, context->Workstation.Length);\n\tWLog_DBG(TAG, \"NTOWFv2, NTLMv2 Hash\");\n\twinpr_HexDump(TAG, WLOG_DEBUG, context->NtlmV2Hash, WINPR_MD5_DIGEST_LENGTH);\n#endif\n\n\tif (memcmp(context->NtlmV2Hash, NTLM_NULL_BUFFER, 16) != 0)\n\t\treturn 1;\n\n\tif (!credentials)\n\t\treturn -1;\n\telse if (memcmp(context->NtlmHash, NTLM_NULL_BUFFER, 16) != 0)\n\t{\n\t\tNTOWFv2FromHashW(context->NtlmHash, (LPWSTR)credentials->identity.User,\n\t\t credentials->identity.UserLength * 2, (LPWSTR)credentials->identity.Domain,\n\t\t credentials->identity.DomainLength * 2, (BYTE*)hash);\n\t}\n\telse if (credentials->identity.PasswordLength > SSPI_CREDENTIALS_HASH_LENGTH_OFFSET)\n\t{\n\t\t/* Special case for WinPR: password hash */\n\t\tif (ntlm_convert_password_hash(context, context->NtlmHash) < 0)\n\t\t\treturn -1;\n\n\t\tNTOWFv2FromHashW(context->NtlmHash, (LPWSTR)credentials->identity.User,\n\t\t 
credentials->identity.UserLength * 2, (LPWSTR)credentials->identity.Domain,\n\t\t credentials->identity.DomainLength * 2, (BYTE*)hash);\n\t}\n\telse if (credentials->identity.Password)\n\t{\n\t\tNTOWFv2W((LPWSTR)credentials->identity.Password, credentials->identity.PasswordLength * 2,\n\t\t (LPWSTR)credentials->identity.User, credentials->identity.UserLength * 2,\n\t\t (LPWSTR)credentials->identity.Domain, credentials->identity.DomainLength * 2,\n\t\t (BYTE*)hash);\n\t}\n\telse if (context->HashCallback)\n\t{\n\t\tint ret;\n\t\tSecBuffer proofValue, micValue;\n\n\t\tif (ntlm_computeProofValue(context, &proofValue) != SEC_E_OK)\n\t\t\treturn -1;\n\n\t\tif (ntlm_computeMicValue(context, &micValue) != SEC_E_OK)\n\t\t{\n\t\t\tsspi_SecBufferFree(&proofValue);\n\t\t\treturn -1;\n\t\t}\n\n\t\tret = context->HashCallback(context->HashCallbackArg, &credentials->identity, &proofValue,\n\t\t context->EncryptedRandomSessionKey,\n\t\t (&context->AUTHENTICATE_MESSAGE)->MessageIntegrityCheck,\n\t\t &micValue, hash);\n\t\tsspi_SecBufferFree(&proofValue);\n\t\tsspi_SecBufferFree(&micValue);\n\t\treturn ret ? 1 : -1;\n\t}\n\telse if (context->UseSamFileDatabase)\n\t{\n\t\treturn ntlm_fetch_ntlm_v2_hash(context, hash);\n\t}\n\n\treturn 1;\n}",
- "project": "FreeRDP",
- "hash": 104785729071403500667549068738056476351,
- "size": 83,
- "commit_id": "c098f21fdaadca57ff649eee1674f6cc321a2ec4",
- "message": "Fixed oob read in ntlm_read_ntlm_v2_response",
- "target": 0,
- "dataset": "other",
- "idx": 424876
- },
- {
- "func": "static int ntlm_convert_password_hash(NTLM_CONTEXT* context, BYTE* hash)\n{\n\tint status;\n\tint i, hn, ln;\n\tchar* PasswordHash = NULL;\n\tUINT32 PasswordHashLength = 0;\n\tSSPI_CREDENTIALS* credentials = context->credentials;\n\t/* Password contains a password hash of length (PasswordLength -\n\t * SSPI_CREDENTIALS_HASH_LENGTH_OFFSET) */\n\tPasswordHashLength = credentials->identity.PasswordLength - SSPI_CREDENTIALS_HASH_LENGTH_OFFSET;\n\tstatus = ConvertFromUnicode(CP_UTF8, 0, (LPCWSTR)credentials->identity.Password,\n\t PasswordHashLength, &PasswordHash, 0, NULL, NULL);\n\n\tif (status <= 0)\n\t\treturn -1;\n\n\tCharUpperBuffA(PasswordHash, PasswordHashLength);\n\n\tfor (i = 0; i < 32; i += 2)\n\t{\n\t\thn = PasswordHash[i] > '9' ? PasswordHash[i] - 'A' + 10 : PasswordHash[i] - '0';\n\t\tln = PasswordHash[i + 1] > '9' ? PasswordHash[i + 1] - 'A' + 10 : PasswordHash[i + 1] - '0';\n\t\thash[i / 2] = (hn << 4) | ln;\n\t}\n\n\tfree(PasswordHash);\n\treturn 1;\n}",
- "project": "FreeRDP",
- "hash": 140653494673210334616659165600908872734,
- "size": 28,
- "commit_id": "c098f21fdaadca57ff649eee1674f6cc321a2ec4",
- "message": "Fixed oob read in ntlm_read_ntlm_v2_response",
- "target": 0,
- "dataset": "other",
- "idx": 424856
- },
- {
- "func": "static int ntlm_fetch_ntlm_v2_hash(NTLM_CONTEXT* context, BYTE* hash)\n{\n\tWINPR_SAM* sam;\n\tWINPR_SAM_ENTRY* entry;\n\tSSPI_CREDENTIALS* credentials = context->credentials;\n\tsam = SamOpen(context->SamFile, TRUE);\n\n\tif (!sam)\n\t\treturn -1;\n\n\tentry = SamLookupUserW(\n\t sam, (LPWSTR)credentials->identity.User, credentials->identity.UserLength * 2,\n\t (LPWSTR)credentials->identity.Domain, credentials->identity.DomainLength * 2);\n\n\tif (entry)\n\t{\n#ifdef WITH_DEBUG_NTLM\n\t\tWLog_DBG(TAG, \"NTLM Hash:\");\n\t\twinpr_HexDump(TAG, WLOG_DEBUG, entry->NtHash, 16);\n#endif\n\t\tNTOWFv2FromHashW(entry->NtHash, (LPWSTR)credentials->identity.User,\n\t\t credentials->identity.UserLength * 2, (LPWSTR)credentials->identity.Domain,\n\t\t credentials->identity.DomainLength * 2, (BYTE*)hash);\n\t\tSamFreeEntry(sam, entry);\n\t\tSamClose(sam);\n\t\treturn 1;\n\t}\n\n\tentry = SamLookupUserW(sam, (LPWSTR)credentials->identity.User,\n\t credentials->identity.UserLength * 2, NULL, 0);\n\n\tif (entry)\n\t{\n#ifdef WITH_DEBUG_NTLM\n\t\tWLog_DBG(TAG, \"NTLM Hash:\");\n\t\twinpr_HexDump(TAG, WLOG_DEBUG, entry->NtHash, 16);\n#endif\n\t\tNTOWFv2FromHashW(entry->NtHash, (LPWSTR)credentials->identity.User,\n\t\t credentials->identity.UserLength * 2, (LPWSTR)credentials->identity.Domain,\n\t\t credentials->identity.DomainLength * 2, (BYTE*)hash);\n\t\tSamFreeEntry(sam, entry);\n\t\tSamClose(sam);\n\t\treturn 1;\n\t}\n\telse\n\t{\n\t\tSamClose(sam);\n\t\tWLog_ERR(TAG, \"Error: Could not find user in SAM database\");\n\t\treturn 0;\n\t}\n\n\tSamClose(sam);\n\treturn 1;\n}",
- "project": "FreeRDP",
- "hash": 302789123549310958569220928699431208926,
- "size": 54,
- "commit_id": "c098f21fdaadca57ff649eee1674f6cc321a2ec4",
- "message": "Fixed oob read in ntlm_read_ntlm_v2_response",
- "target": 0,
- "dataset": "other",
- "idx": 424853
- },
- {
- "func": "int ntlm_compute_ntlm_v2_response(NTLM_CONTEXT* context)\n{\n\tBYTE* blob;\n\tSecBuffer ntlm_v2_temp = { 0 };\n\tSecBuffer ntlm_v2_temp_chal = { 0 };\n\tPSecBuffer TargetInfo = &context->ChallengeTargetInfo;\n\tint ret = -1;\n\n\tif (!sspi_SecBufferAlloc(&ntlm_v2_temp, TargetInfo->cbBuffer + 28))\n\t\tgoto exit;\n\n\tZeroMemory(ntlm_v2_temp.pvBuffer, ntlm_v2_temp.cbBuffer);\n\tblob = (BYTE*)ntlm_v2_temp.pvBuffer;\n\n\t/* Compute the NTLMv2 hash */\n\tif (ntlm_compute_ntlm_v2_hash(context, (BYTE*)context->NtlmV2Hash) < 0)\n\t\tgoto exit;\n\n\t/* Construct temp */\n\tblob[0] = 1; /* RespType (1 byte) */\n\tblob[1] = 1; /* HighRespType (1 byte) */\n\t/* Reserved1 (2 bytes) */\n\t/* Reserved2 (4 bytes) */\n\tCopyMemory(&blob[8], context->Timestamp, 8); /* Timestamp (8 bytes) */\n\tCopyMemory(&blob[16], context->ClientChallenge, 8); /* ClientChallenge (8 bytes) */\n\t/* Reserved3 (4 bytes) */\n\tCopyMemory(&blob[28], TargetInfo->pvBuffer, TargetInfo->cbBuffer);\n#ifdef WITH_DEBUG_NTLM\n\tWLog_DBG(TAG, \"NTLMv2 Response Temp Blob\");\n\twinpr_HexDump(TAG, WLOG_DEBUG, ntlm_v2_temp.pvBuffer, ntlm_v2_temp.cbBuffer);\n#endif\n\n\t/* Concatenate server challenge with temp */\n\n\tif (!sspi_SecBufferAlloc(&ntlm_v2_temp_chal, ntlm_v2_temp.cbBuffer + 8))\n\t\tgoto exit;\n\n\tblob = (BYTE*)ntlm_v2_temp_chal.pvBuffer;\n\tCopyMemory(blob, context->ServerChallenge, 8);\n\tCopyMemory(&blob[8], ntlm_v2_temp.pvBuffer, ntlm_v2_temp.cbBuffer);\n\twinpr_HMAC(WINPR_MD_MD5, (BYTE*)context->NtlmV2Hash, WINPR_MD5_DIGEST_LENGTH,\n\t (BYTE*)ntlm_v2_temp_chal.pvBuffer, ntlm_v2_temp_chal.cbBuffer,\n\t context->NtProofString, WINPR_MD5_DIGEST_LENGTH);\n\n\t/* NtChallengeResponse, Concatenate NTProofStr with temp */\n\n\tif (!sspi_SecBufferAlloc(&context->NtChallengeResponse, ntlm_v2_temp.cbBuffer + 16))\n\t\tgoto exit;\n\n\tblob = (BYTE*)context->NtChallengeResponse.pvBuffer;\n\tCopyMemory(blob, context->NtProofString, WINPR_MD5_DIGEST_LENGTH);\n\tCopyMemory(&blob[16], 
ntlm_v2_temp.pvBuffer, ntlm_v2_temp.cbBuffer);\n\t/* Compute SessionBaseKey, the HMAC-MD5 hash of NTProofStr using the NTLMv2 hash as the key */\n\twinpr_HMAC(WINPR_MD_MD5, (BYTE*)context->NtlmV2Hash, WINPR_MD5_DIGEST_LENGTH,\n\t context->NtProofString, WINPR_MD5_DIGEST_LENGTH, context->SessionBaseKey,\n\t WINPR_MD5_DIGEST_LENGTH);\n\tret = 1;\nexit:\n\tsspi_SecBufferFree(&ntlm_v2_temp);\n\tsspi_SecBufferFree(&ntlm_v2_temp_chal);\n\treturn ret;\n}",
- "project": "FreeRDP",
- "hash": 293239048048938838522778955487585675814,
- "size": 62,
- "commit_id": "c098f21fdaadca57ff649eee1674f6cc321a2ec4",
- "message": "Fixed oob read in ntlm_read_ntlm_v2_response",
- "target": 0,
- "dataset": "other",
- "idx": 424864
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ctnetlink_flush_iterate",
- "ctnetlink_filter_match",
- "ctnetlink_filter_match_tuple"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple,\n\t\t\t\t\tstruct nf_conntrack_tuple *ct_tuple,\n\t\t\t\t\tu_int32_t flags, int family)\n{\n\tswitch (family) {\n\tcase NFPROTO_IPV4:\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&\n\t\t filter_tuple->src.u3.ip != ct_tuple->src.u3.ip)\n\t\t\treturn 0;\n\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&\n\t\t filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase NFPROTO_IPV6:\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&\n\t\t !ipv6_addr_cmp(&filter_tuple->src.u3.in6,\n\t\t\t\t &ct_tuple->src.u3.in6))\n\t\t\treturn 0;\n\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&\n\t\t !ipv6_addr_cmp(&filter_tuple->dst.u3.in6,\n\t\t\t\t &ct_tuple->dst.u3.in6))\n\t\t\treturn 0;\n\t\tbreak;\n\t}\n\n\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) &&\n\t filter_tuple->dst.protonum != ct_tuple->dst.protonum)\n\t\treturn 0;\n\n\tswitch (ct_tuple->dst.protonum) {\n\tcase IPPROTO_TCP:\n\tcase IPPROTO_UDP:\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) &&\n\t\t filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port)\n\t\t\treturn 0;\n\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) &&\n\t\t filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase IPPROTO_ICMP:\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) &&\n\t\t filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)\n\t\t\treturn 0;\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) &&\n\t\t filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)\n\t\t\treturn 0;\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) &&\n\t\t filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)\n\t\t\treturn 0;\n\t\tbreak;\n\tcase IPPROTO_ICMPV6:\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) &&\n\t\t filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)\n\t\t\treturn 0;\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) 
&&\n\t\t filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)\n\t\t\treturn 0;\n\t\tif ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) &&\n\t\t filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)\n\t\t\treturn 0;\n\t\tbreak;\n\t}\n\n\treturn 1;\n}",
- "project": "linux",
- "hash": 282718761364807328440030437337385326064,
- "size": 68,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394177
- },
- {
- "func": "static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)\n{\n\tif (test_bit(IPS_OFFLOAD_BIT, &ct->status))\n\t\treturn 0;\n\n\treturn ctnetlink_filter_match(ct, data);\n}",
- "project": "linux",
- "hash": 182928000598968957127516725942562810938,
- "size": 7,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394179
- },
- {
- "func": "static int ctnetlink_filter_match(struct nf_conn *ct, void *data)\n{\n\tstruct ctnetlink_filter *filter = data;\n\tstruct nf_conntrack_tuple *tuple;\n\n\tif (filter == NULL)\n\t\tgoto out;\n\n\t/* Match entries of a given L3 protocol number.\n\t * If it is not specified, ie. l3proto == 0,\n\t * then match everything.\n\t */\n\tif (filter->family && nf_ct_l3num(ct) != filter->family)\n\t\tgoto ignore_entry;\n\n\tif (filter->orig_flags) {\n\t\ttuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL);\n\t\tif (!ctnetlink_filter_match_tuple(&filter->orig, tuple,\n\t\t\t\t\t\t filter->orig_flags,\n\t\t\t\t\t\t filter->family))\n\t\t\tgoto ignore_entry;\n\t}\n\n\tif (filter->reply_flags) {\n\t\ttuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY);\n\t\tif (!ctnetlink_filter_match_tuple(&filter->reply, tuple,\n\t\t\t\t\t\t filter->reply_flags,\n\t\t\t\t\t\t filter->family))\n\t\t\tgoto ignore_entry;\n\t}\n\n#ifdef CONFIG_NF_CONNTRACK_MARK\n\tif ((filter->cta_flags & CTA_FILTER_FLAG(CTA_MARK_MASK)) &&\n\t (ct->mark & filter->mark.mask) != filter->mark.val)\n\t\tgoto ignore_entry;\n\telse if ((filter->cta_flags & CTA_FILTER_FLAG(CTA_MARK)) &&\n\t\t ct->mark != filter->mark.val)\n\t\tgoto ignore_entry;\n#endif\n\nout:\n\treturn 1;\n\nignore_entry:\n\treturn 0;\n}",
- "project": "linux",
- "hash": 274958493638342873070273360948319359578,
- "size": 46,
- "commit_id": "1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6",
- "message": "netfilter: ctnetlink: add a range check for l3/l4 protonum\n\nThe indexes to the nf_nat_l[34]protos arrays come from userspace. So\ncheck the tuple's family, e.g. l3num, when creating the conntrack in\norder to prevent an OOB memory access during setup. Here is an example\nkernel panic on 4.14.180 when userspace passes in an index greater than\nNFPROTO_NUMPROTO.\n\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:...\nProcess poc (pid: 5614, stack limit = 0x00000000a3933121)\nCPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483\nHardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM\ntask: 000000002a3dfffe task.stack: 00000000a3933121\npc : __cfi_check_fail+0x1c/0x24\nlr : __cfi_check_fail+0x1c/0x24\n...\nCall trace:\n__cfi_check_fail+0x1c/0x24\nname_to_dev_t+0x0/0x468\nnfnetlink_parse_nat_setup+0x234/0x258\nctnetlink_parse_nat_setup+0x4c/0x228\nctnetlink_new_conntrack+0x590/0xc40\nnfnetlink_rcv_msg+0x31c/0x4d4\nnetlink_rcv_skb+0x100/0x184\nnfnetlink_rcv+0xf4/0x180\nnetlink_unicast+0x360/0x770\nnetlink_sendmsg+0x5a0/0x6a4\n___sys_sendmsg+0x314/0x46c\nSyS_sendmsg+0xb4/0x108\nel0_svc_naked+0x34/0x38\n\nThis crash is not happening since 5.4+, however, ctnetlink still\nallows for creating entries with unsupported layer 3 protocol number.\n\nFixes: c1d10adb4a521 (\"[NETFILTER]: Add ctnetlink port for nf_conntrack\")\nSigned-off-by: Will McVicker <willmcvicker@google.com>\n[pablo@netfilter.org: rebased original patch on top of nf.git]\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>",
- "target": 0,
- "dataset": "other",
- "idx": 394244
- }
- ]
- },
- {
- "call_depth": 5,
- "longest_call_chain": [
- "iwl_fw_dbg_collect_trig",
- "iwl_fw_dbg_collect",
- "iwl_fw_dbg_collect_desc",
- "iwl_fw_dbg_ini_collect",
- "_iwl_fw_dbg_ini_collect"
- ],
- "group_size": 6,
- "functions": [
- {
- "func": "int iwl_fw_dbg_error_collect(struct iwl_fw_runtime *fwrt,\n\t\t\t enum iwl_fw_dbg_trigger trig_type)\n{\n\tint ret;\n\tstruct iwl_fw_dump_desc *iwl_dump_error_desc;\n\n\tif (!test_bit(STATUS_DEVICE_ENABLED, &fwrt->trans->status))\n\t\treturn -EIO;\n\n\tiwl_dump_error_desc = kmalloc(sizeof(*iwl_dump_error_desc), GFP_KERNEL);\n\tif (!iwl_dump_error_desc)\n\t\treturn -ENOMEM;\n\n\tiwl_dump_error_desc->trig_desc.type = cpu_to_le32(trig_type);\n\tiwl_dump_error_desc->len = 0;\n\n\tret = iwl_fw_dbg_collect_desc(fwrt, iwl_dump_error_desc, false, 0);\n\tif (ret)\n\t\tkfree(iwl_dump_error_desc);\n\telse\n\t\tiwl_trans_sync_nmi(fwrt->trans);\n\n\treturn ret;\n}",
- "project": "linux",
- "hash": 179299705507294275077513320510570789995,
- "size": 24,
- "commit_id": "b4b814fec1a5a849383f7b3886b654a13abbda7d",
- "message": "iwlwifi: dbg_ini: fix memory leak in alloc_sgtable\n\nIn alloc_sgtable if alloc_page fails, the alocated table should be\nreleased.\n\nSigned-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>\nSigned-off-by: Luca Coelho <luciano.coelho@intel.com>",
- "target": 0,
- "dataset": "other",
- "idx": 384512
- },
- {
- "func": "int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,\n\t\t enum iwl_fw_dbg_trigger trig,\n\t\t const char *str, size_t len,\n\t\t struct iwl_fw_dbg_trigger_tlv *trigger)\n{\n\tstruct iwl_fw_dump_desc *desc;\n\tunsigned int delay = 0;\n\tbool monitor_only = false;\n\n\tif (trigger) {\n\t\tu16 occurrences = le16_to_cpu(trigger->occurrences) - 1;\n\n\t\tif (!le16_to_cpu(trigger->occurrences))\n\t\t\treturn 0;\n\n\t\tif (trigger->flags & IWL_FW_DBG_FORCE_RESTART) {\n\t\t\tIWL_WARN(fwrt, \"Force restart: trigger %d fired.\\n\",\n\t\t\t\t trig);\n\t\t\tiwl_force_nmi(fwrt->trans);\n\t\t\treturn 0;\n\t\t}\n\n\t\ttrigger->occurrences = cpu_to_le16(occurrences);\n\t\tmonitor_only = trigger->mode & IWL_FW_DBG_TRIGGER_MONITOR_ONLY;\n\n\t\t/* convert msec to usec */\n\t\tdelay = le32_to_cpu(trigger->stop_delay) * USEC_PER_MSEC;\n\t}\n\n\tdesc = kzalloc(sizeof(*desc) + len, GFP_ATOMIC);\n\tif (!desc)\n\t\treturn -ENOMEM;\n\n\n\tdesc->len = len;\n\tdesc->trig_desc.type = cpu_to_le32(trig);\n\tmemcpy(desc->trig_desc.data, str, len);\n\n\treturn iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);\n}",
- "project": "linux",
- "hash": 185875951263182919810949925842734487958,
- "size": 40,
- "commit_id": "b4b814fec1a5a849383f7b3886b654a13abbda7d",
- "message": "iwlwifi: dbg_ini: fix memory leak in alloc_sgtable\n\nIn alloc_sgtable if alloc_page fails, the alocated table should be\nreleased.\n\nSigned-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>\nSigned-off-by: Luca Coelho <luciano.coelho@intel.com>",
- "target": 0,
- "dataset": "other",
- "idx": 384498
- },
- {
- "func": "int _iwl_fw_dbg_ini_collect(struct iwl_fw_runtime *fwrt,\n\t\t\t enum iwl_fw_ini_trigger_id id)\n{\n\tstruct iwl_fw_ini_active_triggers *active;\n\tu32 occur, delay;\n\tunsigned long idx;\n\n\tif (WARN_ON(!iwl_fw_ini_trigger_on(fwrt, id)))\n\t\treturn -EINVAL;\n\n\tif (!iwl_fw_ini_trigger_on(fwrt, id)) {\n\t\tIWL_WARN(fwrt, \"WRT: Trigger %d is not active, aborting dump\\n\",\n\t\t\t id);\n\t\treturn -EINVAL;\n\t}\n\n\tactive = &fwrt->dump.active_trigs[id];\n\tdelay = le32_to_cpu(active->trig->dump_delay);\n\toccur = le32_to_cpu(active->trig->occurrences);\n\tif (!occur)\n\t\treturn 0;\n\n\tactive->trig->occurrences = cpu_to_le32(--occur);\n\n\tif (le32_to_cpu(active->trig->force_restart)) {\n\t\tIWL_WARN(fwrt, \"WRT: Force restart: trigger %d fired.\\n\", id);\n\t\tiwl_force_nmi(fwrt->trans);\n\t\treturn 0;\n\t}\n\n\t/* Check there is an available worker.\n\t * ffz return value is undefined if no zero exists,\n\t * so check against ~0UL first.\n\t */\n\tif (fwrt->dump.active_wks == ~0UL)\n\t\treturn -EBUSY;\n\n\tidx = ffz(fwrt->dump.active_wks);\n\n\tif (idx >= IWL_FW_RUNTIME_DUMP_WK_NUM ||\n\t test_and_set_bit(fwrt->dump.wks[idx].idx, &fwrt->dump.active_wks))\n\t\treturn -EBUSY;\n\n\tfwrt->dump.wks[idx].ini_trig_id = id;\n\n\tIWL_WARN(fwrt, \"WRT: Collecting data: ini trigger %d fired.\\n\", id);\n\n\tschedule_delayed_work(&fwrt->dump.wks[idx].wk, usecs_to_jiffies(delay));\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 115079245489843583928037103034620477581,
- "size": 51,
- "commit_id": "b4b814fec1a5a849383f7b3886b654a13abbda7d",
- "message": "iwlwifi: dbg_ini: fix memory leak in alloc_sgtable\n\nIn alloc_sgtable if alloc_page fails, the alocated table should be\nreleased.\n\nSigned-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>\nSigned-off-by: Luca Coelho <luciano.coelho@intel.com>",
- "target": 0,
- "dataset": "other",
- "idx": 384500
- },
- {
- "func": "int iwl_fw_dbg_ini_collect(struct iwl_fw_runtime *fwrt, u32 legacy_trigger_id)\n{\n\tint id;\n\n\tswitch (legacy_trigger_id) {\n\tcase FW_DBG_TRIGGER_FW_ASSERT:\n\tcase FW_DBG_TRIGGER_ALIVE_TIMEOUT:\n\tcase FW_DBG_TRIGGER_DRIVER:\n\t\tid = IWL_FW_TRIGGER_ID_FW_ASSERT;\n\t\tbreak;\n\tcase FW_DBG_TRIGGER_USER:\n\t\tid = IWL_FW_TRIGGER_ID_USER_TRIGGER;\n\t\tbreak;\n\tdefault:\n\t\treturn -EIO;\n\t}\n\n\treturn _iwl_fw_dbg_ini_collect(fwrt, id);\n}",
- "project": "linux",
- "hash": 48189044191970065292804985077428113242,
- "size": 19,
- "commit_id": "b4b814fec1a5a849383f7b3886b654a13abbda7d",
- "message": "iwlwifi: dbg_ini: fix memory leak in alloc_sgtable\n\nIn alloc_sgtable if alloc_page fails, the alocated table should be\nreleased.\n\nSigned-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>\nSigned-off-by: Luca Coelho <luciano.coelho@intel.com>",
- "target": 0,
- "dataset": "other",
- "idx": 384513
- },
- {
- "func": "int iwl_fw_dbg_collect_trig(struct iwl_fw_runtime *fwrt,\n\t\t\t struct iwl_fw_dbg_trigger_tlv *trigger,\n\t\t\t const char *fmt, ...)\n{\n\tint ret, len = 0;\n\tchar buf[64];\n\n\tif (fmt) {\n\t\tva_list ap;\n\n\t\tbuf[sizeof(buf) - 1] = '\\0';\n\n\t\tva_start(ap, fmt);\n\t\tvsnprintf(buf, sizeof(buf), fmt, ap);\n\t\tva_end(ap);\n\n\t\t/* check for truncation */\n\t\tif (WARN_ON_ONCE(buf[sizeof(buf) - 1]))\n\t\t\tbuf[sizeof(buf) - 1] = '\\0';\n\n\t\tlen = strlen(buf) + 1;\n\t}\n\n\tret = iwl_fw_dbg_collect(fwrt, le32_to_cpu(trigger->id), buf, len,\n\t\t\t\t trigger);\n\n\tif (ret)\n\t\treturn ret;\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 31999427507886365065530315839349252764,
- "size": 31,
- "commit_id": "b4b814fec1a5a849383f7b3886b654a13abbda7d",
- "message": "iwlwifi: dbg_ini: fix memory leak in alloc_sgtable\n\nIn alloc_sgtable if alloc_page fails, the alocated table should be\nreleased.\n\nSigned-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>\nSigned-off-by: Luca Coelho <luciano.coelho@intel.com>",
- "target": 0,
- "dataset": "other",
- "idx": 384468
- },
- {
- "func": "int iwl_fw_dbg_collect_desc(struct iwl_fw_runtime *fwrt,\n\t\t\t const struct iwl_fw_dump_desc *desc,\n\t\t\t bool monitor_only,\n\t\t\t unsigned int delay)\n{\n\tu32 trig_type = le32_to_cpu(desc->trig_desc.type);\n\tint ret;\n\n\tif (iwl_trans_dbg_ini_valid(fwrt->trans)) {\n\t\tret = iwl_fw_dbg_ini_collect(fwrt, trig_type);\n\t\tif (!ret)\n\t\t\tiwl_fw_free_dump_desc(fwrt);\n\n\t\treturn ret;\n\t}\n\n\t/* use wks[0] since dump flow prior to ini does not need to support\n\t * consecutive triggers collection\n\t */\n\tif (test_and_set_bit(fwrt->dump.wks[0].idx, &fwrt->dump.active_wks))\n\t\treturn -EBUSY;\n\n\tif (WARN_ON(fwrt->dump.desc))\n\t\tiwl_fw_free_dump_desc(fwrt);\n\n\tIWL_WARN(fwrt, \"Collecting data: trigger %d fired.\\n\",\n\t\t le32_to_cpu(desc->trig_desc.type));\n\n\tfwrt->dump.desc = desc;\n\tfwrt->dump.monitor_only = monitor_only;\n\n\tschedule_delayed_work(&fwrt->dump.wks[0].wk, usecs_to_jiffies(delay));\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 116402012900464947830285900179065452573,
- "size": 35,
- "commit_id": "b4b814fec1a5a849383f7b3886b654a13abbda7d",
- "message": "iwlwifi: dbg_ini: fix memory leak in alloc_sgtable\n\nIn alloc_sgtable if alloc_page fails, the alocated table should be\nreleased.\n\nSigned-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>\nSigned-off-by: Luca Coelho <luciano.coelho@intel.com>",
- "target": 0,
- "dataset": "other",
- "idx": 384485
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ff_layout_commit_prepare_v4",
- "ff_layout_commit_prepare_common",
- "ff_layout_commit_record_layoutstats_start"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void ff_layout_commit_prepare_v3(struct rpc_task *task, void *data)\n{\n\tff_layout_commit_prepare_common(task, data);\n\trpc_call_start(task);\n}",
- "project": "linux",
- "hash": 295029019518512631715379364109019110239,
- "size": 5,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234391
- },
- {
- "func": "static void ff_layout_commit_prepare_common(struct rpc_task *task,\n\t\tstruct nfs_commit_data *cdata)\n{\n\tff_layout_commit_record_layoutstats_start(task, cdata);\n}",
- "project": "linux",
- "hash": 79501687639063805324356772586497104609,
- "size": 5,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234494
- },
- {
- "func": "static void ff_layout_commit_prepare_v4(struct rpc_task *task, void *data)\n{\n\tstruct nfs_commit_data *wdata = data;\n\n\tif (nfs4_setup_sequence(wdata->ds_clp,\n\t\t\t\t&wdata->args.seq_args,\n\t\t\t\t&wdata->res.seq_res,\n\t\t\t\ttask))\n\t\treturn;\n\tff_layout_commit_prepare_common(task, data);\n}",
- "project": "linux",
- "hash": 58373963151584553919228009400623120131,
- "size": 11,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234468
- },
- {
- "func": "static void ff_layout_commit_record_layoutstats_start(struct rpc_task *task,\n\t\tstruct nfs_commit_data *cdata)\n{\n\tif (test_and_set_bit(NFS_IOHDR_STAT, &cdata->flags))\n\t\treturn;\n\tnfs4_ff_layout_stat_io_start_write(cdata->inode,\n\t\t\tFF_LAYOUT_COMP(cdata->lseg, cdata->ds_commit_index),\n\t\t\t0, task->tk_start);\n}",
- "project": "linux",
- "hash": 300992929852829700481817492813862146425,
- "size": 9,
- "commit_id": "ed34695e15aba74f45247f1ee2cf7e09d449f925",
- "message": "pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()\n\nWe (adam zabrocki, alexander matrosov, alexander tereshkin, maksym\nbazalii) observed the check:\n\n\tif (fh->size > sizeof(struct nfs_fh))\n\nshould not use the size of the nfs_fh struct which includes an extra two\nbytes from the size field.\n\nstruct nfs_fh {\n\tunsigned short size;\n\tunsigned char data[NFS_MAXFHSIZE];\n}\n\nbut should determine the size from data[NFS_MAXFHSIZE] so the memcpy\nwill not write 2 bytes beyond destination. The proposed fix is to\ncompare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs\ncode base.\n\nFixes: d67ae825a59d (\"pnfs/flexfiles: Add the FlexFile Layout Driver\")\nSigned-off-by: Nikola Livic <nlivic@gmail.com>\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\nSigned-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>",
- "target": 0,
- "dataset": "other",
- "idx": 234429
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "virt_to_scatterlist",
- "sg_init_table",
- "encrypt_scatterlist"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static int encrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t struct scatterlist *dest_sg,\n\t\t\t struct scatterlist *src_sg, int size,\n\t\t\t unsigned char *iv)\n{\n\tstruct blkcipher_desc desc = {\n\t\t.tfm = crypt_stat->tfm,\n\t\t.info = iv,\n\t\t.flags = CRYPTO_TFM_REQ_MAY_SLEEP\n\t};\n\tint rc = 0;\n\n\tBUG_ON(!crypt_stat || !crypt_stat->tfm\n\t || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));\n\tif (unlikely(ecryptfs_verbosity > 0)) {\n\t\tecryptfs_printk(KERN_DEBUG, \"Key size [%d]; key:\\n\",\n\t\t\t\tcrypt_stat->key_size);\n\t\tecryptfs_dump_hex(crypt_stat->key,\n\t\t\t\t crypt_stat->key_size);\n\t}\n\t/* Consider doing this once, when the file is opened */\n\tmutex_lock(&crypt_stat->cs_tfm_mutex);\n\tif (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {\n\t\trc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key,\n\t\t\t\t\t crypt_stat->key_size);\n\t\tcrypt_stat->flags |= ECRYPTFS_KEY_SET;\n\t}\n\tif (rc) {\n\t\tecryptfs_printk(KERN_ERR, \"Error setting key; rc = [%d]\\n\",\n\t\t\t\trc);\n\t\tmutex_unlock(&crypt_stat->cs_tfm_mutex);\n\t\trc = -EINVAL;\n\t\tgoto out;\n\t}\n\tecryptfs_printk(KERN_DEBUG, \"Encrypting [%d] bytes.\\n\", size);\n\tcrypto_blkcipher_encrypt_iv(&desc, dest_sg, src_sg, size);\n\tmutex_unlock(&crypt_stat->cs_tfm_mutex);\nout:\n\treturn rc;\n}",
- "target": 0,
- "cwe": [
- "CWE-189"
- ],
- "project": "linux-2.6",
- "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b",
- "hash": 43093249919420749145666564157705188509,
- "size": 40,
- "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>\nAcked-by: Dustin Kirkland <kirkland@canonical.com>\nReviewed-by: Eric Sandeen <sandeen@redhat.com>\nReviewed-by: Eugene Teo <eugeneteo@kernel.sg>\nCc: Greg KH <greg@kroah.com>\nCc: dann frazier <dannf@dannf.org>\nCc: Serge E. Hallyn <serue@us.ibm.com>\nCc: Florian Streibelt <florian@f-streibelt.de>\nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "dataset": "other",
- "idx": 490191
- },
- {
- "func": "int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,\n\t\t\tint sg_size)\n{\n\tint i = 0;\n\tstruct page *pg;\n\tint offset;\n\tint remainder_of_page;\n\n\tsg_init_table(sg, sg_size);\n\n\twhile (size > 0 && i < sg_size) {\n\t\tpg = virt_to_page(addr);\n\t\toffset = offset_in_page(addr);\n\t\tif (sg)\n\t\t\tsg_set_page(&sg[i], pg, 0, offset);\n\t\tremainder_of_page = PAGE_CACHE_SIZE - offset;\n\t\tif (size >= remainder_of_page) {\n\t\t\tif (sg)\n\t\t\t\tsg[i].length = remainder_of_page;\n\t\t\taddr += remainder_of_page;\n\t\t\tsize -= remainder_of_page;\n\t\t} else {\n\t\t\tif (sg)\n\t\t\t\tsg[i].length = size;\n\t\t\taddr += size;\n\t\t\tsize = 0;\n\t\t}\n\t\ti++;\n\t}\n\tif (size > 0)\n\t\treturn -ENOMEM;\n\treturn i;\n}",
- "target": 0,
- "cwe": [
- "CWE-189"
- ],
- "project": "linux-2.6",
- "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b",
- "hash": 177263979817146619645509490018394809225,
- "size": 33,
- "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>\nAcked-by: Dustin Kirkland <kirkland@canonical.com>\nReviewed-by: Eric Sandeen <sandeen@redhat.com>\nReviewed-by: Eugene Teo <eugeneteo@kernel.sg>\nCc: Greg KH <greg@kroah.com>\nCc: dann frazier <dannf@dannf.org>\nCc: Serge E. Hallyn <serue@us.ibm.com>\nCc: Florian Streibelt <florian@f-streibelt.de>\nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "dataset": "other",
- "idx": 490190
- },
- {
- "func": "ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t struct page *dst_page, int dst_offset,\n\t\t\t struct page *src_page, int src_offset, int size,\n\t\t\t unsigned char *iv)\n{\n\tstruct scatterlist src_sg, dst_sg;\n\n\tsg_init_table(&src_sg, 1);\n\tsg_set_page(&src_sg, src_page, size, src_offset);\n\n\tsg_init_table(&dst_sg, 1);\n\tsg_set_page(&dst_sg, dst_page, size, dst_offset);\n\n\treturn decrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv);\n}",
- "target": 0,
- "cwe": [
- "CWE-189"
- ],
- "project": "linux-2.6",
- "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b",
- "hash": 159230256980142015078679405117409515842,
- "size": 15,
- "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>\nAcked-by: Dustin Kirkland <kirkland@canonical.com>\nReviewed-by: Eric Sandeen <sandeen@redhat.com>\nReviewed-by: Eugene Teo <eugeneteo@kernel.sg>\nCc: Greg KH <greg@kroah.com>\nCc: dann frazier <dannf@dannf.org>\nCc: Serge E. Hallyn <serue@us.ibm.com>\nCc: Florian Streibelt <florian@f-streibelt.de>\nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "dataset": "other",
- "idx": 490181
- },
- {
- "func": "ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,\n\t\t\t struct page *dst_page, int dst_offset,\n\t\t\t struct page *src_page, int src_offset, int size,\n\t\t\t unsigned char *iv)\n{\n\tstruct scatterlist src_sg, dst_sg;\n\n\tsg_init_table(&src_sg, 1);\n\tsg_init_table(&dst_sg, 1);\n\n\tsg_set_page(&src_sg, src_page, size, src_offset);\n\tsg_set_page(&dst_sg, dst_page, size, dst_offset);\n\treturn encrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv);\n}",
- "target": 0,
- "cwe": [
- "CWE-189"
- ],
- "project": "linux-2.6",
- "commit_id": "8faece5f906725c10e7a1f6caf84452abadbdc7b",
- "hash": 183798196938772397655950918983478031786,
- "size": 14,
- "message": "eCryptfs: Allocate a variable number of pages for file headers\n\nWhen allocating the memory used to store the eCryptfs header contents, a\nsingle, zeroed page was being allocated with get_zeroed_page().\nHowever, the size of an eCryptfs header is either PAGE_CACHE_SIZE or\nECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is\nstored in the file's private_data->crypt_stat->num_header_bytes_at_front\nfield.\n\necryptfs_write_metadata_to_contents() was using\nnum_header_bytes_at_front to decide how many bytes should be written to\nthe lower filesystem for the file header. Unfortunately, at least 8K\nwas being written from the page, despite the chance of the single,\nzeroed page being smaller than 8K. This resulted in random areas of\nkernel memory being written between the 0x1000 and 0x1FFF bytes offsets\nin the eCryptfs file headers if PAGE_SIZE was 4K.\n\nThis patch allocates a variable number of pages, calculated with\nnum_header_bytes_at_front, and passes the number of allocated pages\nalong to ecryptfs_write_metadata_to_contents().\n\nThanks to Florian Streibelt for reporting the data leak and working with\nme to find the problem. 2.6.28 is the only kernel release with this\nvulnerability. Corresponds to CVE-2009-0787\n\nSigned-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>\nAcked-by: Dustin Kirkland <kirkland@canonical.com>\nReviewed-by: Eric Sandeen <sandeen@redhat.com>\nReviewed-by: Eugene Teo <eugeneteo@kernel.sg>\nCc: Greg KH <greg@kroah.com>\nCc: dann frazier <dannf@dannf.org>\nCc: Serge E. Hallyn <serue@us.ibm.com>\nCc: Florian Streibelt <florian@f-streibelt.de>\nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "dataset": "other",
- "idx": 490184
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "gdImageColorClosestHWB",
- "HWB_Diff",
- "RGB_to_HWB"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static HWBType * RGB_to_HWB (RGBType RGB, HWBType * HWB)\n{\n\t/*\n\t * RGB are each on [0, 1]. W and B are returned on [0, 1] and H is\n\t * returned on [0, 6]. Exception: H is returned UNDEFINED if W == 1 - B.\n\t */\n\n\tfloat R = RGB.R, G = RGB.G, B = RGB.B, w, v, b, f;\n\tint i;\n\n\tw = MIN3 (R, G, B);\n\tv = MAX3 (R, G, B);\n\tb = 1 - v;\n\tif (v == w) {\n\t\tRETURN_HWB(HWB_UNDEFINED, w, b);\n\t}\n\tf = (R == w) ? G - B : ((G == w) ? B - R : R - G);\n\ti = (R == w) ? 3 : ((G == w) ? 5 : 1);\n\n\tRETURN_HWB(i - f / (v - w), w, b);\n}",
- "project": "php-src",
- "hash": 209277974453491243576497135035707535616,
- "size": 21,
- "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6",
- "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow",
- "target": 0,
- "dataset": "other",
- "idx": 295136
- },
- {
- "func": "int gdImageColorClosestHWB (gdImagePtr im, int r, int g, int b)\n{\n\tint i;\n\t/* long rd, gd, bd; */\n\tint ct = (-1);\n\tint first = 1;\n\tfloat mindist = 0;\n\tif (im->trueColor) {\n\t\treturn gdTrueColor(r, g, b);\n\t}\n\tfor (i = 0; i < im->colorsTotal; i++) {\n\t\tfloat dist;\n\t\tif (im->open[i]) {\n\t\t\tcontinue;\n\t\t}\n\t\tdist = HWB_Diff(im->red[i], im->green[i], im->blue[i], r, g, b);\n\t\tif (first || (dist < mindist)) {\n\t\t\tmindist = dist;\n\t\t\tct = i;\n\t\t\tfirst = 0;\n\t\t}\n\t}\n\treturn ct;\n}",
- "project": "php-src",
- "hash": 286423259348331400973450044841647401848,
- "size": 24,
- "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6",
- "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow",
- "target": 0,
- "dataset": "other",
- "idx": 295140
- },
- {
- "func": "static float HWB_Diff (int r1, int g1, int b1, int r2, int g2, int b2)\n{\n\tRGBType RGB1, RGB2;\n\tHWBType HWB1, HWB2;\n\tfloat diff;\n\n\tSETUP_RGB(RGB1, r1, g1, b1);\n\tSETUP_RGB(RGB2, r2, g2, b2);\n\n\tRGB_to_HWB(RGB1, &HWB1);\n\tRGB_to_HWB(RGB2, &HWB2);\n\n\t/*\n\t * I made this bit up; it seems to produce OK results, and it is certainly\n\t * more visually correct than the current RGB metric. (PJW)\n\t */\n\n\tif ((HWB1.H == HWB_UNDEFINED) || (HWB2.H == HWB_UNDEFINED)) {\n\t\tdiff = 0.0f;\t/* Undefined hues always match... */\n\t} else {\n\t\tdiff = fabsf(HWB1.H - HWB2.H);\n\t\tif (diff > 3.0f) {\n\t\t\tdiff = 6.0f - diff;\t/* Remember, it's a colour circle */\n\t\t}\n\t}\n\n\tdiff = diff * diff + (HWB1.W - HWB2.W) * (HWB1.W - HWB2.W) + (HWB1.B - HWB2.B) * (HWB1.B - HWB2.B);\n\n\treturn diff;\n}",
- "project": "php-src",
- "hash": 313028172626822137293146407959188761999,
- "size": 30,
- "commit_id": "c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6",
- "message": "iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow",
- "target": 0,
- "dataset": "other",
- "idx": 295192
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "acpi_register_gsi",
- "acpi_gsi_to_irq",
- "gsi_irq_sharing"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static inline int gsi_irq_sharing(int gsi) { return gsi; }",
- "target": 0,
- "cwe": [],
- "project": "linux-2.6",
- "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff",
- "hash": 198778032469776663148951417793982406815,
- "size": 1,
- "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin <adurbin@google.com>\nSigned-off-by: Andi Kleen <ak@suse.de>",
- "dataset": "other",
- "idx": 500011
- },
- {
- "func": "int acpi_register_gsi(u32 gsi, int triggering, int polarity)\n{\n\tunsigned int irq;\n\tunsigned int plat_gsi = gsi;\n\n#ifdef CONFIG_PCI\n\t/*\n\t * Make sure all (legacy) PCI IRQs are set as level-triggered.\n\t */\n\tif (acpi_irq_model == ACPI_IRQ_MODEL_PIC) {\n\t\textern void eisa_set_level_irq(unsigned int irq);\n\n\t\tif (triggering == ACPI_LEVEL_SENSITIVE)\n\t\t\teisa_set_level_irq(gsi);\n\t}\n#endif\n\n#ifdef CONFIG_X86_IO_APIC\n\tif (acpi_irq_model == ACPI_IRQ_MODEL_IOAPIC) {\n\t\tplat_gsi = mp_register_gsi(gsi, triggering, polarity);\n\t}\n#endif\n\tacpi_gsi_to_irq(plat_gsi, &irq);\n\treturn irq;\n}",
- "target": 0,
- "cwe": [],
- "project": "linux-2.6",
- "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff",
- "hash": 200884129183344529493421747188799869647,
- "size": 25,
- "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin <adurbin@google.com>\nSigned-off-by: Andi Kleen <ak@suse.de>",
- "dataset": "other",
- "idx": 500014
- },
- {
- "func": "int acpi_gsi_to_irq(u32 gsi, unsigned int *irq)\n{\n#ifdef CONFIG_X86_IO_APIC\n\tif (use_pci_vector() && !platform_legacy_irq(gsi))\n\t\t*irq = IO_APIC_VECTOR(gsi);\n\telse\n#endif\n\t\t*irq = gsi_irq_sharing(gsi);\n\treturn 0;\n}",
- "target": 0,
- "cwe": [],
- "project": "linux-2.6",
- "commit_id": "f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff",
- "hash": 161080048401573734831045432367301008968,
- "size": 10,
- "message": "[PATCH] i386: add HPET(s) into resource map\n\nAdd HPET(s) into resource map. This will allow for the HPET(s) to be\nvisibile within /proc/iomem.\n\nSigned-off-by: Aaron Durbin <adurbin@google.com>\nSigned-off-by: Andi Kleen <ak@suse.de>",
- "dataset": "other",
- "idx": 499998
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "rsi_mac80211_suspend",
- "rsi_config_wowlan",
- "rsi_wow_map_triggers"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static u16 rsi_wow_map_triggers(struct rsi_common *common,\n\t\t\t\tstruct cfg80211_wowlan *wowlan)\n{\n\tu16 wow_triggers = 0;\n\n\trsi_dbg(INFO_ZONE, \"Mapping wowlan triggers\\n\");\n\n\tif (wowlan->any)\n\t\twow_triggers |= RSI_WOW_ANY;\n\tif (wowlan->magic_pkt)\n\t\twow_triggers |= RSI_WOW_MAGIC_PKT;\n\tif (wowlan->disconnect)\n\t\twow_triggers |= RSI_WOW_DISCONNECT;\n\tif (wowlan->gtk_rekey_failure || wowlan->eap_identity_req ||\n\t wowlan->four_way_handshake)\n\t\twow_triggers |= RSI_WOW_GTK_REKEY;\n\n\treturn wow_triggers;\n}",
- "project": "linux",
- "hash": 291939068704885584682270027831021533582,
- "size": 19,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461654
- },
- {
- "func": "int rsi_config_wowlan(struct rsi_hw *adapter, struct cfg80211_wowlan *wowlan)\n{\n\tstruct rsi_common *common = adapter->priv;\n\tu16 triggers = 0;\n\tu16 rx_filter_word = 0;\n\tstruct ieee80211_bss_conf *bss = NULL;\n\n\trsi_dbg(INFO_ZONE, \"Config WoWLAN to device\\n\");\n\n\tif (!adapter->vifs[0])\n\t\treturn -EINVAL;\n\n\tbss = &adapter->vifs[0]->bss_conf;\n\n\tif (WARN_ON(!wowlan)) {\n\t\trsi_dbg(ERR_ZONE, \"WoW triggers not enabled\\n\");\n\t\treturn -EINVAL;\n\t}\n\n\tcommon->wow_flags |= RSI_WOW_ENABLED;\n\ttriggers = rsi_wow_map_triggers(common, wowlan);\n\tif (!triggers) {\n\t\trsi_dbg(ERR_ZONE, \"%s:No valid WoW triggers\\n\", __func__);\n\t\treturn -EINVAL;\n\t}\n\tif (!bss->assoc) {\n\t\trsi_dbg(ERR_ZONE,\n\t\t\t\"Cannot configure WoWLAN (Station not connected)\\n\");\n\t\tcommon->wow_flags |= RSI_WOW_NO_CONNECTION;\n\t\treturn 0;\n\t}\n\trsi_dbg(INFO_ZONE, \"TRIGGERS %x\\n\", triggers);\n\trsi_send_wowlan_request(common, triggers, 1);\n\n\t/**\n\t * Increase the beacon_miss threshold & keep-alive timers in\n\t * vap_update frame\n\t */\n\trsi_send_vap_dynamic_update(common);\n\n\trx_filter_word = (ALLOW_DATA_ASSOC_PEER | DISALLOW_BEACONS);\n\trsi_send_rx_filter_frame(common, rx_filter_word);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 120071220139982796540823250810229927855,
- "size": 45,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461668
- },
- {
- "func": "static int rsi_mac80211_suspend(struct ieee80211_hw *hw,\n\t\t\t\tstruct cfg80211_wowlan *wowlan)\n{\n\tstruct rsi_hw *adapter = hw->priv;\n\tstruct rsi_common *common = adapter->priv;\n\n\trsi_dbg(INFO_ZONE, \"%s: mac80211 suspend\\n\", __func__);\n\tmutex_lock(&common->mutex);\n\tif (rsi_config_wowlan(adapter, wowlan)) {\n\t\trsi_dbg(ERR_ZONE, \"Failed to configure WoWLAN\\n\");\n\t\tmutex_unlock(&common->mutex);\n\t\treturn 1;\n\t}\n\tmutex_unlock(&common->mutex);\n\n\treturn 0;\n}",
- "project": "linux",
- "hash": 9567306817360433743729872099058819311,
- "size": 17,
- "commit_id": "abd39c6ded9db53aa44c2540092bdd5fb6590fa8",
- "message": "rsi: add fix for crash during assertions\n\nObserved crash in some scenarios when assertion has occurred,\nthis is because hw structure is freed and is tried to get\naccessed in some functions where null check is already\npresent. So, avoided the crash by making the hw to NULL after\nfreeing.\n\nSigned-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>\nSigned-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>\nSigned-off-by: Kalle Valo <kvalo@codeaurora.org>",
- "target": 0,
- "dataset": "other",
- "idx": 461652
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "ip_finish_output",
- "ip_finish_output_gso",
- "ip_finish_output2"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static int ip_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,\n\t\t unsigned int mtu,\n\t\t int (*output)(struct net *, struct sock *, struct sk_buff *))\n{\n\tstruct iphdr *iph = ip_hdr(skb);\n\n\tif ((iph->frag_off & htons(IP_DF)) == 0)\n\t\treturn ip_do_fragment(net, sk, skb, output);\n\n\tif (unlikely(!skb->ignore_df ||\n\t\t (IPCB(skb)->frag_max_size &&\n\t\t IPCB(skb)->frag_max_size > mtu))) {\n\t\tIP_INC_STATS(net, IPSTATS_MIB_FRAGFAILS);\n\t\ticmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,\n\t\t\t htonl(mtu));\n\t\tkfree_skb(skb);\n\t\treturn -EMSGSIZE;\n\t}\n\n\treturn ip_do_fragment(net, sk, skb, output);\n}",
- "project": "net",
- "hash": 154873400028567929086961473551016671506,
- "size": 21,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468966
- },
- {
- "func": "static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tstruct dst_entry *dst = skb_dst(skb);\n\tstruct rtable *rt = (struct rtable *)dst;\n\tstruct net_device *dev = dst->dev;\n\tunsigned int hh_len = LL_RESERVED_SPACE(dev);\n\tstruct neighbour *neigh;\n\tu32 nexthop;\n\n\tif (rt->rt_type == RTN_MULTICAST) {\n\t\tIP_UPD_PO_STATS(net, IPSTATS_MIB_OUTMCAST, skb->len);\n\t} else if (rt->rt_type == RTN_BROADCAST)\n\t\tIP_UPD_PO_STATS(net, IPSTATS_MIB_OUTBCAST, skb->len);\n\n\t/* Be paranoid, rather than too clever. */\n\tif (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) {\n\t\tstruct sk_buff *skb2;\n\n\t\tskb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));\n\t\tif (!skb2) {\n\t\t\tkfree_skb(skb);\n\t\t\treturn -ENOMEM;\n\t\t}\n\t\tif (skb->sk)\n\t\t\tskb_set_owner_w(skb2, skb->sk);\n\t\tconsume_skb(skb);\n\t\tskb = skb2;\n\t}\n\n\tif (lwtunnel_xmit_redirect(dst->lwtstate)) {\n\t\tint res = lwtunnel_xmit(skb);\n\n\t\tif (res < 0 || res == LWTUNNEL_XMIT_DONE)\n\t\t\treturn res;\n\t}\n\n\trcu_read_lock_bh();\n\tnexthop = (__force u32) rt_nexthop(rt, ip_hdr(skb)->daddr);\n\tneigh = __ipv4_neigh_lookup_noref(dev, nexthop);\n\tif (unlikely(!neigh))\n\t\tneigh = __neigh_create(&arp_tbl, &nexthop, dev, false);\n\tif (!IS_ERR(neigh)) {\n\t\tint res;\n\n\t\tsock_confirm_neigh(skb, neigh);\n\t\tres = neigh_output(neigh, skb);\n\n\t\trcu_read_unlock_bh();\n\t\treturn res;\n\t}\n\trcu_read_unlock_bh();\n\n\tnet_dbg_ratelimited(\"%s: No header cache and no neighbour!\\n\",\n\t\t\t __func__);\n\tkfree_skb(skb);\n\treturn -EINVAL;\n}",
- "project": "net",
- "hash": 279874634117793563501036273622582830759,
- "size": 57,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468958
- },
- {
- "func": "static int ip_finish_output_gso(struct net *net, struct sock *sk,\n\t\t\t\tstruct sk_buff *skb, unsigned int mtu)\n{\n\tnetdev_features_t features;\n\tstruct sk_buff *segs;\n\tint ret = 0;\n\n\t/* common case: seglen is <= mtu\n\t */\n\tif (skb_gso_validate_mtu(skb, mtu))\n\t\treturn ip_finish_output2(net, sk, skb);\n\n\t/* Slowpath - GSO segment length exceeds the egress MTU.\n\t *\n\t * This can happen in several cases:\n\t * - Forwarding of a TCP GRO skb, when DF flag is not set.\n\t * - Forwarding of an skb that arrived on a virtualization interface\n\t * (virtio-net/vhost/tap) with TSO/GSO size set by other network\n\t * stack.\n\t * - Local GSO skb transmitted on an NETIF_F_TSO tunnel stacked over an\n\t * interface with a smaller MTU.\n\t * - Arriving GRO skb (or GSO skb in a virtualized environment) that is\n\t * bridged to a NETIF_F_TSO tunnel stacked over an interface with an\n\t * insufficent MTU.\n\t */\n\tfeatures = netif_skb_features(skb);\n\tBUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_SGO_CB_OFFSET);\n\tsegs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);\n\tif (IS_ERR_OR_NULL(segs)) {\n\t\tkfree_skb(skb);\n\t\treturn -ENOMEM;\n\t}\n\n\tconsume_skb(skb);\n\n\tdo {\n\t\tstruct sk_buff *nskb = segs->next;\n\t\tint err;\n\n\t\tsegs->next = NULL;\n\t\terr = ip_fragment(net, sk, segs, mtu, ip_finish_output2);\n\n\t\tif (err && ret == 0)\n\t\t\tret = err;\n\t\tsegs = nskb;\n\t} while (segs);\n\n\treturn ret;\n}",
- "project": "net",
- "hash": 299472189074641285610112881268118105183,
- "size": 49,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 468959
- },
- {
- "func": "static int ip_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)\n{\n\tunsigned int mtu;\n\tint ret;\n\n\tret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);\n\tif (ret) {\n\t\tkfree_skb(skb);\n\t\treturn ret;\n\t}\n\n#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)\n\t/* Policy lookup after SNAT yielded a new policy */\n\tif (skb_dst(skb)->xfrm) {\n\t\tIPCB(skb)->flags |= IPSKB_REROUTED;\n\t\treturn dst_output(net, sk, skb);\n\t}\n#endif\n\tmtu = ip_skb_dst_mtu(sk, skb);\n\tif (skb_is_gso(skb))\n\t\treturn ip_finish_output_gso(net, sk, skb, mtu);\n\n\tif (skb->len > mtu || (IPCB(skb)->flags & IPSKB_FRAG_PMTU))\n\t\treturn ip_fragment(net, sk, skb, mtu, ip_finish_output2);\n\n\treturn ip_finish_output2(net, sk, skb);\n}",
- "project": "net",
- "hash": 191822427021009706653025673605283189168,
- "size": 27,
- "commit_id": "85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa",
- "message": "udp: consistently apply ufo or fragmentation\n\nWhen iteratively building a UDP datagram with MSG_MORE and that\ndatagram exceeds MTU, consistently choose UFO or fragmentation.\n\nOnce skb_is_gso, always apply ufo. Conversely, once a datagram is\nsplit across multiple skbs, do not consider ufo.\n\nSendpage already maintains the first invariant, only add the second.\nIPv6 does not have a sendpage implementation to modify.\n\nA gso skb must have a partial checksum, do not follow sk_no_check_tx\nin udp_send_skb.\n\nFound by syzkaller.\n\nFixes: e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\")\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nSigned-off-by: Willem de Bruijn <willemb@google.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>",
- "target": 0,
- "dataset": "other",
- "idx": 469014
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "mmdrop_async_fn",
- "__mmdrop",
- "check_mm"
- ],
- "group_size": 4,
- "functions": [
- {
- "func": "static void mmdrop_async_fn(struct work_struct *work)\n{\n\tstruct mm_struct *mm;\n\n\tmm = container_of(work, struct mm_struct, async_put_work);\n\t__mmdrop(mm);\n}",
- "project": "linux",
- "hash": 92149953274283011598925228937866465334,
- "size": 7,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293713
- },
- {
- "func": "void __mmdrop(struct mm_struct *mm)\n{\n\tBUG_ON(mm == &init_mm);\n\tWARN_ON_ONCE(mm == current->mm);\n\tWARN_ON_ONCE(mm == current->active_mm);\n\tmm_free_pgd(mm);\n\tdestroy_context(mm);\n\tmmu_notifier_subscriptions_destroy(mm);\n\tcheck_mm(mm);\n\tput_user_ns(mm->user_ns);\n\tfree_mm(mm);\n}",
- "project": "linux",
- "hash": 140936636376116300533502763524354099192,
- "size": 12,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293639
- },
- {
- "func": "static inline void mm_free_pgd(struct mm_struct *mm)\n{\n\tpgd_free(mm, mm->pgd);\n}",
- "project": "linux",
- "hash": 29738674307397040606404287122312356129,
- "size": 4,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293685
- },
- {
- "func": "static void check_mm(struct mm_struct *mm)\n{\n\tint i;\n\n\tBUILD_BUG_ON_MSG(ARRAY_SIZE(resident_page_types) != NR_MM_COUNTERS,\n\t\t\t \"Please make sure 'struct resident_page_types[]' is updated as well\");\n\n\tfor (i = 0; i < NR_MM_COUNTERS; i++) {\n\t\tlong x = atomic_long_read(&mm->rss_stat.count[i]);\n\n\t\tif (unlikely(x))\n\t\t\tpr_alert(\"BUG: Bad rss-counter state mm:%p type:%s val:%ld\\n\",\n\t\t\t\t mm, resident_page_types[i], x);\n\t}\n\n\tif (mm_pgtables_bytes(mm))\n\t\tpr_alert(\"BUG: non-zero pgtables_bytes on freeing mm: %ld\\n\",\n\t\t\t\tmm_pgtables_bytes(mm));\n\n#if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS\n\tVM_BUG_ON_MM(mm->pmd_huge_pte, mm);\n#endif\n}",
- "project": "linux",
- "hash": 190587792120355999114255332097185446222,
- "size": 23,
- "commit_id": "b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948",
- "message": "fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent\n\ncurrent->group_leader->exit_signal may change during copy_process() if\ncurrent->real_parent exits.\n\nMove the assignment inside tasklist_lock to avoid the race.\n\nSigned-off-by: Eddy Wu <eddy_wu@trendmicro.com>\nAcked-by: Oleg Nesterov <oleg@redhat.com>\nSigned-off-by: Linus Torvalds <torvalds@linux-foundation.org>",
- "target": 0,
- "dataset": "other",
- "idx": 293634
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "match_sums",
- "hash_search",
- "matched"
- ],
- "group_size": 5,
- "functions": [
- {
- "func": "void match_sums(int f, struct sum_struct *s, struct map_struct *buf, OFF_T len)\n{\n\tchar file_sum[MAX_DIGEST_LEN];\n\tint sum_len;\n\n\tlast_match = 0;\n\tfalse_alarms = 0;\n\thash_hits = 0;\n\tmatches = 0;\n\tdata_transfer = 0;\n\n\tsum_init(checksum_seed);\n\n\tif (append_mode > 0) {\n\t\tif (append_mode == 2) {\n\t\t\tOFF_T j = 0;\n\t\t\tfor (j = CHUNK_SIZE; j < s->flength; j += CHUNK_SIZE) {\n\t\t\t\tif (buf && do_progress)\n\t\t\t\t\tshow_progress(last_match, buf->file_size);\n\t\t\t\tsum_update(map_ptr(buf, last_match, CHUNK_SIZE),\n\t\t\t\t\t CHUNK_SIZE);\n\t\t\t\tlast_match = j;\n\t\t\t}\n\t\t\tif (last_match < s->flength) {\n\t\t\t\tint32 n = (int32)(s->flength - last_match);\n\t\t\t\tif (buf && do_progress)\n\t\t\t\t\tshow_progress(last_match, buf->file_size);\n\t\t\t\tsum_update(map_ptr(buf, last_match, n), n);\n\t\t\t}\n\t\t}\n\t\tlast_match = s->flength;\n\t\ts->count = 0;\n\t}\n\n\tif (len > 0 && s->count > 0) {\n\t\tbuild_hash_table(s);\n\n\t\tif (verbose > 2)\n\t\t\trprintf(FINFO,\"built hash table\\n\");\n\n\t\thash_search(f, s, buf, len);\n\n\t\tif (verbose > 2)\n\t\t\trprintf(FINFO,\"done hash search\\n\");\n\t} else {\n\t\tOFF_T j;\n\t\t/* by doing this in pieces we avoid too many seeks */\n\t\tfor (j = last_match + CHUNK_SIZE; j < len; j += CHUNK_SIZE)\n\t\t\tmatched(f, s, buf, j, -2);\n\t\tmatched(f, s, buf, len, -1);\n\t}\n\n\tsum_len = sum_end(file_sum);\n\t/* If we had a read error, send a bad checksum. */\n\tif (buf && buf->status != 0)\n\t\tfile_sum[0]++;\n\n\tif (verbose > 2)\n\t\trprintf(FINFO,\"sending file_sum\\n\");\n\twrite_buf(f, file_sum, sum_len);\n\n\tif (verbose > 2)\n\t\trprintf(FINFO, \"false_alarms=%d hash_hits=%d matches=%d\\n\",\n\t\t\tfalse_alarms, hash_hits, matches);\n\n\ttotal_hash_hits += hash_hits;\n\ttotal_false_alarms += false_alarms;\n\ttotal_matches += matches;\n\tstats.literal_data += data_transfer;\n}",
- "project": "rsync",
- "hash": 37923117477280821757970530343326723404,
- "size": 70,
- "commit_id": "c8255147b06b74dad940d32f9cef5fbe17595239",
- "message": "Optimize finding the sum that matches our --inplace position.",
- "target": 0,
- "dataset": "other",
- "idx": 248547
- },
- {
- "func": "static void matched(int f, struct sum_struct *s, struct map_struct *buf,\n\t\t OFF_T offset, int32 i)\n{\n\tint32 n = (int32)(offset - last_match); /* max value: block_size (int32) */\n\tint32 j;\n\n\tif (verbose > 2 && i >= 0) {\n\t\trprintf(FINFO,\n\t\t\t\"match at %.0f last_match=%.0f j=%d len=%ld n=%ld\\n\",\n\t\t\t(double)offset, (double)last_match, i,\n\t\t\t(long)s->sums[i].len, (long)n);\n\t}\n\n\tsend_token(f, i, buf, last_match, n, i < 0 ? 0 : s->sums[i].len);\n\tdata_transfer += n;\n\n\tif (i >= 0) {\n\t\tstats.matched_data += s->sums[i].len;\n\t\tn += s->sums[i].len;\n\t}\n\n\tfor (j = 0; j < n; j += CHUNK_SIZE) {\n\t\tint32 n1 = MIN(CHUNK_SIZE, n - j);\n\t\tsum_update(map_ptr(buf, last_match + j, n1), n1);\n\t}\n\n\tif (i >= 0)\n\t\tlast_match = offset + s->sums[i].len;\n\telse\n\t\tlast_match = offset;\n\n\tif (buf && do_progress)\n\t\tshow_progress(last_match, buf->file_size);\n}",
- "project": "rsync",
- "hash": 57643269069713905410840787588128113674,
- "size": 34,
- "commit_id": "c8255147b06b74dad940d32f9cef5fbe17595239",
- "message": "Optimize finding the sum that matches our --inplace position.",
- "target": 0,
- "dataset": "other",
- "idx": 248546
- },
- {
- "func": "static void hash_search(int f,struct sum_struct *s,\n\t\t\tstruct map_struct *buf, OFF_T len)\n{\n\tOFF_T offset, aligned_offset, end;\n\tint32 k, want_i, backup;\n\tchar sum2[SUM_LENGTH];\n\tuint32 s1, s2, sum;\n\tint more;\n\tschar *map;\n\n\t/* want_i is used to encourage adjacent matches, allowing the RLL\n\t * coding of the output to work more efficiently. */\n\twant_i = 0;\n\n\tif (verbose > 2) {\n\t\trprintf(FINFO, \"hash search b=%ld len=%.0f\\n\",\n\t\t\t(long)s->blength, (double)len);\n\t}\n\n\tk = (int32)MIN(len, (OFF_T)s->blength);\n\n\tmap = (schar *)map_ptr(buf, 0, k);\n\n\tsum = get_checksum1((char *)map, k);\n\ts1 = sum & 0xFFFF;\n\ts2 = sum >> 16;\n\tif (verbose > 3)\n\t\trprintf(FINFO, \"sum=%.8x k=%ld\\n\", sum, (long)k);\n\n\toffset = aligned_offset = 0;\n\n\tend = len + 1 - s->sums[s->count-1].len;\n\n\tif (verbose > 3) {\n\t\trprintf(FINFO, \"hash search s->blength=%ld len=%.0f count=%.0f\\n\",\n\t\t\t(long)s->blength, (double)len, (double)s->count);\n\t}\n\n\tdo {\n\t\tint done_csum2 = 0;\n\t\tint32 i;\n\n\t\tif (verbose > 4) {\n\t\t\trprintf(FINFO, \"offset=%.0f sum=%04x%04x\\n\",\n\t\t\t\t(double)offset, s2 & 0xFFFF, s1 & 0xFFFF);\n\t\t}\n\n\t\tif (tablesize == TRADITIONAL_TABLESIZE) {\n\t\t\tif ((i = hash_table[SUM2HASH2(s1,s2)]) < 0)\n\t\t\t\tgoto null_hash;\n\t\t\tsum = (s1 & 0xffff) | (s2 << 16);\n\t\t} else {\n\t\t\tsum = (s1 & 0xffff) | (s2 << 16);\n\t\t\tif ((i = hash_table[BIG_SUM2HASH(sum)]) < 0)\n\t\t\t\tgoto null_hash;\n\t\t}\n\n\t\thash_hits++;\n\t\tdo {\n\t\t\tint32 l;\n\n\t\t\tif (sum != s->sums[i].sum1)\n\t\t\t\tcontinue;\n\n\t\t\t/* also make sure the two blocks are the same length */\n\t\t\tl = (int32)MIN((OFF_T)s->blength, len-offset);\n\t\t\tif (l != s->sums[i].len)\n\t\t\t\tcontinue;\n\n\t\t\t/* in-place: ensure chunk's offset is either >= our\n\t\t\t * offset or that the data didn't move. 
*/\n\t\t\tif (updating_basis_file && s->sums[i].offset < offset\n\t\t\t && !(s->sums[i].flags & SUMFLG_SAME_OFFSET))\n\t\t\t\tcontinue;\n\n\t\t\tif (verbose > 3) {\n\t\t\t\trprintf(FINFO,\n\t\t\t\t\t\"potential match at %.0f i=%ld sum=%08x\\n\",\n\t\t\t\t\t(double)offset, (long)i, sum);\n\t\t\t}\n\n\t\t\tif (!done_csum2) {\n\t\t\t\tmap = (schar *)map_ptr(buf,offset,l);\n\t\t\t\tget_checksum2((char *)map,l,sum2);\n\t\t\t\tdone_csum2 = 1;\n\t\t\t}\n\n\t\t\tif (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) {\n\t\t\t\tfalse_alarms++;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\t/* When updating in-place, the best possible match is\n\t\t\t * one with an identical offset, so we prefer that over\n\t\t\t * the adjacent want_i optimization. */\n\t\t\tif (updating_basis_file) {\n\t\t\t\t/* All the generator's chunks start at blength boundaries. */\n\t\t\t\twhile (aligned_offset < offset)\n\t\t\t\t\taligned_offset += s->blength;\n\t\t\t\tif (offset == aligned_offset) {\n\t\t\t\t\tint32 i2;\n\t\t\t\t\tfor (i2 = i; i2 >= 0; i2 = s->sums[i2].chain) {\n\t\t\t\t\t\tif (s->sums[i2].offset != offset)\n\t\t\t\t\t\t\tcontinue;\n\t\t\t\t\t\tif (i2 != i) {\n\t\t\t\t\t\t\tif (sum != s->sums[i2].sum1\n\t\t\t\t\t\t\t || l != s->sums[i2].len\n\t\t\t\t\t\t\t || memcmp(sum2, s->sums[i2].sum2, s->s2length) != 0)\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\ti = i2;\n\t\t\t\t\t\t}\n\t\t\t\t\t\t/* This chunk remained in the same spot in the old and new file. */\n\t\t\t\t\t\ts->sums[i].flags |= SUMFLG_SAME_OFFSET;\n\t\t\t\t\t\twant_i = i;\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t/* we've found a match, but now check to see\n\t\t\t * if want_i can hint at a better match. 
*/\n\t\t\tif (i != want_i && want_i < s->count\n\t\t\t && (!updating_basis_file || s->sums[want_i].offset >= offset\n\t\t\t || s->sums[want_i].flags & SUMFLG_SAME_OFFSET)\n\t\t\t && sum == s->sums[want_i].sum1\n\t\t\t && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) {\n\t\t\t\t/* we've found an adjacent match - the RLL coder\n\t\t\t\t * will be happy */\n\t\t\t\ti = want_i;\n\t\t\t}\n\t\t\twant_i = i + 1;\n\n\t\t\tmatched(f,s,buf,offset,i);\n\t\t\toffset += s->sums[i].len - 1;\n\t\t\tk = (int32)MIN((OFF_T)s->blength, len-offset);\n\t\t\tmap = (schar *)map_ptr(buf, offset, k);\n\t\t\tsum = get_checksum1((char *)map, k);\n\t\t\ts1 = sum & 0xFFFF;\n\t\t\ts2 = sum >> 16;\n\t\t\tmatches++;\n\t\t\tbreak;\n\t\t} while ((i = s->sums[i].chain) >= 0);\n\n\t null_hash:\n\t\tbackup = (int32)(offset - last_match);\n\t\t/* We sometimes read 1 byte prior to last_match... */\n\t\tif (backup < 0)\n\t\t\tbackup = 0;\n\n\t\t/* Trim off the first byte from the checksum */\n\t\tmore = offset + k < len;\n\t\tmap = (schar *)map_ptr(buf, offset - backup, k + more + backup)\n\t\t + backup;\n\t\ts1 -= map[0] + CHAR_OFFSET;\n\t\ts2 -= k * (map[0]+CHAR_OFFSET);\n\n\t\t/* Add on the next byte (if there is one) to the checksum */\n\t\tif (more) {\n\t\t\ts1 += map[k] + CHAR_OFFSET;\n\t\t\ts2 += s1;\n\t\t} else\n\t\t\t--k;\n\n\t\t/* By matching early we avoid re-reading the\n\t\t data 3 times in the case where a token\n\t\t match comes a long way after last\n\t\t match. The 3 reads are caused by the\n\t\t running match, the checksum update and the\n\t\t literal send. */\n\t\tif (backup >= s->blength+CHUNK_SIZE && end-offset > CHUNK_SIZE)\n\t\t\tmatched(f, s, buf, offset - s->blength, -2);\n\t} while (++offset < end);\n\n\tmatched(f, s, buf, len, -1);\n\tmap_ptr(buf, len-1, 1);\n}",
- "project": "rsync",
- "hash": 13269351929661258568831239064102968322,
- "size": 176,
- "commit_id": "c8255147b06b74dad940d32f9cef5fbe17595239",
- "message": "Optimize finding the sum that matches our --inplace position.",
- "target": 1,
- "dataset": "other",
- "idx": 196927
- },
- {
- "func": "static void hash_search(int f,struct sum_struct *s,\n\t\t\tstruct map_struct *buf, OFF_T len)\n{\n\tOFF_T offset, aligned_offset, end;\n\tint32 k, want_i, aligned_i, backup;\n\tchar sum2[SUM_LENGTH];\n\tuint32 s1, s2, sum;\n\tint more;\n\tschar *map;\n\n\t/* want_i is used to encourage adjacent matches, allowing the RLL\n\t * coding of the output to work more efficiently. */\n\twant_i = 0;\n\n\tif (verbose > 2) {\n\t\trprintf(FINFO, \"hash search b=%ld len=%.0f\\n\",\n\t\t\t(long)s->blength, (double)len);\n\t}\n\n\tk = (int32)MIN(len, (OFF_T)s->blength);\n\n\tmap = (schar *)map_ptr(buf, 0, k);\n\n\tsum = get_checksum1((char *)map, k);\n\ts1 = sum & 0xFFFF;\n\ts2 = sum >> 16;\n\tif (verbose > 3)\n\t\trprintf(FINFO, \"sum=%.8x k=%ld\\n\", sum, (long)k);\n\n\toffset = aligned_offset = aligned_i = 0;\n\n\tend = len + 1 - s->sums[s->count-1].len;\n\n\tif (verbose > 3) {\n\t\trprintf(FINFO, \"hash search s->blength=%ld len=%.0f count=%.0f\\n\",\n\t\t\t(long)s->blength, (double)len, (double)s->count);\n\t}\n\n\tdo {\n\t\tint done_csum2 = 0;\n\t\tint32 i;\n\n\t\tif (verbose > 4) {\n\t\t\trprintf(FINFO, \"offset=%.0f sum=%04x%04x\\n\",\n\t\t\t\t(double)offset, s2 & 0xFFFF, s1 & 0xFFFF);\n\t\t}\n\n\t\tif (tablesize == TRADITIONAL_TABLESIZE) {\n\t\t\tif ((i = hash_table[SUM2HASH2(s1,s2)]) < 0)\n\t\t\t\tgoto null_hash;\n\t\t\tsum = (s1 & 0xffff) | (s2 << 16);\n\t\t} else {\n\t\t\tsum = (s1 & 0xffff) | (s2 << 16);\n\t\t\tif ((i = hash_table[BIG_SUM2HASH(sum)]) < 0)\n\t\t\t\tgoto null_hash;\n\t\t}\n\n\t\thash_hits++;\n\t\tdo {\n\t\t\tint32 l;\n\n\t\t\tif (sum != s->sums[i].sum1)\n\t\t\t\tcontinue;\n\n\t\t\t/* also make sure the two blocks are the same length */\n\t\t\tl = (int32)MIN((OFF_T)s->blength, len-offset);\n\t\t\tif (l != s->sums[i].len)\n\t\t\t\tcontinue;\n\n\t\t\t/* in-place: ensure chunk's offset is either >= our\n\t\t\t * offset or that the data didn't move. 
*/\n\t\t\tif (updating_basis_file && s->sums[i].offset < offset\n\t\t\t && !(s->sums[i].flags & SUMFLG_SAME_OFFSET))\n\t\t\t\tcontinue;\n\n\t\t\tif (verbose > 3) {\n\t\t\t\trprintf(FINFO,\n\t\t\t\t\t\"potential match at %.0f i=%ld sum=%08x\\n\",\n\t\t\t\t\t(double)offset, (long)i, sum);\n\t\t\t}\n\n\t\t\tif (!done_csum2) {\n\t\t\t\tmap = (schar *)map_ptr(buf,offset,l);\n\t\t\t\tget_checksum2((char *)map,l,sum2);\n\t\t\t\tdone_csum2 = 1;\n\t\t\t}\n\n\t\t\tif (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) {\n\t\t\t\tfalse_alarms++;\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\t/* When updating in-place, the best possible match is\n\t\t\t * one with an identical offset, so we prefer that over\n\t\t\t * the adjacent want_i optimization. */\n\t\t\tif (updating_basis_file) {\n\t\t\t\t/* All the generator's chunks start at blength boundaries. */\n\t\t\t\twhile (aligned_offset < offset) {\n\t\t\t\t\taligned_offset += s->blength;\n\t\t\t\t\taligned_i++;\n\t\t\t\t}\n\t\t\t\tif (offset == aligned_offset) {\n\t\t\t\t\tif (i != aligned_i) {\n\t\t\t\t\t\tif (sum != s->sums[aligned_i].sum1\n\t\t\t\t\t\t || l != s->sums[aligned_i].len\n\t\t\t\t\t\t || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0)\n\t\t\t\t\t\t\tgoto check_want_i;\n\t\t\t\t\t\ti = aligned_i;\n\t\t\t\t\t}\n\t\t\t\t\t/* This identical chunk is in the same spot in the old and new file. */\n\t\t\t\t\ts->sums[i].flags |= SUMFLG_SAME_OFFSET;\n\t\t\t\t\twant_i = i;\n\t\t\t\t}\n\t\t\t}\n\n\t\t check_want_i:\n\t\t\t/* we've found a match, but now check to see\n\t\t\t * if want_i can hint at a better match. 
*/\n\t\t\tif (i != want_i && want_i < s->count\n\t\t\t && (!updating_basis_file || s->sums[want_i].offset >= offset\n\t\t\t || s->sums[want_i].flags & SUMFLG_SAME_OFFSET)\n\t\t\t && sum == s->sums[want_i].sum1\n\t\t\t && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) {\n\t\t\t\t/* we've found an adjacent match - the RLL coder\n\t\t\t\t * will be happy */\n\t\t\t\ti = want_i;\n\t\t\t}\n\t\t\twant_i = i + 1;\n\n\t\t\tmatched(f,s,buf,offset,i);\n\t\t\toffset += s->sums[i].len - 1;\n\t\t\tk = (int32)MIN((OFF_T)s->blength, len-offset);\n\t\t\tmap = (schar *)map_ptr(buf, offset, k);\n\t\t\tsum = get_checksum1((char *)map, k);\n\t\t\ts1 = sum & 0xFFFF;\n\t\t\ts2 = sum >> 16;\n\t\t\tmatches++;\n\t\t\tbreak;\n\t\t} while ((i = s->sums[i].chain) >= 0);\n\n\t null_hash:\n\t\tbackup = (int32)(offset - last_match);\n\t\t/* We sometimes read 1 byte prior to last_match... */\n\t\tif (backup < 0)\n\t\t\tbackup = 0;\n\n\t\t/* Trim off the first byte from the checksum */\n\t\tmore = offset + k < len;\n\t\tmap = (schar *)map_ptr(buf, offset - backup, k + more + backup)\n\t\t + backup;\n\t\ts1 -= map[0] + CHAR_OFFSET;\n\t\ts2 -= k * (map[0]+CHAR_OFFSET);\n\n\t\t/* Add on the next byte (if there is one) to the checksum */\n\t\tif (more) {\n\t\t\ts1 += map[k] + CHAR_OFFSET;\n\t\t\ts2 += s1;\n\t\t} else\n\t\t\t--k;\n\n\t\t/* By matching early we avoid re-reading the\n\t\t data 3 times in the case where a token\n\t\t match comes a long way after last\n\t\t match. The 3 reads are caused by the\n\t\t running match, the checksum update and the\n\t\t literal send. */\n\t\tif (backup >= s->blength+CHUNK_SIZE && end-offset > CHUNK_SIZE)\n\t\t\tmatched(f, s, buf, offset - s->blength, -2);\n\t} while (++offset < end);\n\n\tmatched(f, s, buf, len, -1);\n\tmap_ptr(buf, len-1, 1);\n}",
- "project": "rsync",
- "hash": 282231606510893388476838486510622012833,
- "size": 173,
- "commit_id": "c8255147b06b74dad940d32f9cef5fbe17595239",
- "message": "Optimize finding the sum that matches our --inplace position.",
- "target": 0,
- "dataset": "other",
- "idx": 248548
- },
- {
- "func": "static void build_hash_table(struct sum_struct *s)\n{\n\tstatic uint32 alloc_size;\n\tint32 i;\n\n\t/* Dynamically calculate the hash table size so that the hash load\n\t * for big files is about 80%. A number greater than the traditional\n\t * size must be odd or s2 will not be able to span the entire set. */\n\ttablesize = (uint32)(s->count/8) * 10 + 11;\n\tif (tablesize < TRADITIONAL_TABLESIZE)\n\t\ttablesize = TRADITIONAL_TABLESIZE;\n\tif (tablesize > alloc_size || tablesize < alloc_size - 16*1024) {\n\t\tif (hash_table)\n\t\t\tfree(hash_table);\n\t\thash_table = new_array(int32, tablesize);\n\t\tif (!hash_table)\n\t\t\tout_of_memory(\"build_hash_table\");\n\t\talloc_size = tablesize;\n\t}\n\n\tmemset(hash_table, 0xFF, tablesize * sizeof hash_table[0]);\n\n\tif (tablesize == TRADITIONAL_TABLESIZE) {\n\t\tfor (i = 0; i < s->count; i++) {\n\t\t\tuint32 t = SUM2HASH(s->sums[i].sum1);\n\t\t\ts->sums[i].chain = hash_table[t];\n\t\t\thash_table[t] = i;\n\t\t}\n\t} else {\n\t\tfor (i = 0; i < s->count; i++) {\n\t\t\tuint32 t = BIG_SUM2HASH(s->sums[i].sum1);\n\t\t\ts->sums[i].chain = hash_table[t];\n\t\t\thash_table[t] = i;\n\t\t}\n\t}\n}",
- "project": "rsync",
- "hash": 61600810833803559858293273796463637691,
- "size": 36,
- "commit_id": "c8255147b06b74dad940d32f9cef5fbe17595239",
- "message": "Optimize finding the sum that matches our --inplace position.",
- "target": 0,
- "dataset": "other",
- "idx": 248549
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "EncodePyBytesArray",
- "PyBytesArrayMap",
- "PyObjectToString"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "Status PyBytesArrayMap(PyArrayObject* array, F f) {\n Safe_PyObjectPtr iter = tensorflow::make_safe(\n PyArray_IterNew(reinterpret_cast<PyObject*>(array)));\n while (PyArray_ITER_NOTDONE(iter.get())) {\n auto item = tensorflow::make_safe(PyArray_GETITEM(\n array, static_cast<char*>(PyArray_ITER_DATA(iter.get()))));\n if (!item) {\n return errors::Internal(\"Unable to get element from the feed - no item.\");\n }\n Py_ssize_t len;\n const char* ptr;\n PyObject* ptr_owner = nullptr;\n TF_RETURN_IF_ERROR(PyObjectToString(item.get(), &ptr, &len, &ptr_owner));\n f(ptr, len);\n Py_XDECREF(ptr_owner);\n PyArray_ITER_NEXT(iter.get());\n }\n return Status::OK();\n}",
- "project": "tensorflow",
- "hash": 31978297791717305580156936004676711223,
- "size": 19,
- "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489",
- "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8",
- "target": 0,
- "dataset": "other",
- "idx": 232667
- },
- {
- "func": "Status PyObjectToString(PyObject* obj, const char** ptr, Py_ssize_t* len,\n PyObject** ptr_owner) {\n *ptr_owner = nullptr;\n if (PyBytes_Check(obj)) {\n char* buf;\n if (PyBytes_AsStringAndSize(obj, &buf, len) != 0) {\n return errors::Internal(\"Unable to get element as bytes.\");\n }\n *ptr = buf;\n return Status::OK();\n } else if (PyUnicode_Check(obj)) {\n#if (PY_MAJOR_VERSION > 3 || (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION >= 3))\n *ptr = PyUnicode_AsUTF8AndSize(obj, len);\n if (*ptr != nullptr) return Status::OK();\n#else\n PyObject* utemp = PyUnicode_AsUTF8String(obj);\n char* buf;\n if (utemp != nullptr && PyBytes_AsStringAndSize(utemp, &buf, len) != -1) {\n *ptr = buf;\n *ptr_owner = utemp;\n return Status::OK();\n }\n Py_XDECREF(utemp);\n#endif\n return errors::Internal(\"Unable to convert element to UTF-8\");\n } else {\n return errors::Internal(\"Unsupported object type \", obj->ob_type->tp_name);\n }\n}",
- "project": "tensorflow",
- "hash": 121658595224769143400305589780284555962,
- "size": 29,
- "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489",
- "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8",
- "target": 0,
- "dataset": "other",
- "idx": 232664
- },
- {
- "func": "Status EncodePyBytesArray(PyArrayObject* array, tensorflow::int64 nelems,\n size_t* size, void** buffer) {\n // Encode all strings.\n *size = nelems * sizeof(tensorflow::tstring);\n std::unique_ptr<tensorflow::tstring[]> base_ptr(\n new tensorflow::tstring[nelems]);\n tensorflow::tstring* dst = base_ptr.get();\n\n TF_RETURN_IF_ERROR(\n PyBytesArrayMap(array, [&dst](const char* ptr, Py_ssize_t len) {\n dst->assign(ptr, len);\n dst++;\n }));\n *buffer = base_ptr.release();\n return Status::OK();\n}",
- "project": "tensorflow",
- "hash": 185399263651554758855895348056249803992,
- "size": 16,
- "commit_id": "030af767d357d1b4088c4a25c72cb3906abac489",
- "message": "Fix `tf.raw_ops.ResourceCountUpTo` null pointer dereference.\n\nPiperOrigin-RevId: 368294347\nChange-Id: I2c16fbfc9b4966c402c3d8e311f0d665a9c852d8",
- "target": 0,
- "dataset": "other",
- "idx": 232669
- }
- ]
- },
- {
- "call_depth": 3,
- "longest_call_chain": [
- "XML_SetUserData",
- "freeUserdata",
- "freeString"
- ],
- "group_size": 3,
- "functions": [
- {
- "func": "static void freeString(slist * stk)\n{\n slist *sp;\n\n while (stk) {\n\tsp = stk->next;\n\tfree(stk);\n\tstk = sp;\n }\n}",
- "target": 0,
- "cwe": [
- "CWE-476"
- ],
- "project": "graphviz",
- "commit_id": "839085f8026afd6f6920a0c31ad2a9d880d97932",
- "hash": 323766937958692114121772654913768533116,
- "size": 10,
- "message": "attempted fix for null pointer deference on malformed input",
- "dataset": "other",
- "idx": 505488
- },
- {
- "func": "static void freeUserdata(userdata_t * ud)\n{\n dtclose(ud->nameMap);\n agxbfree(&(ud->xml_attr_name));\n agxbfree(&(ud->xml_attr_value));\n agxbfree(&(ud->composite_buffer));\n freeString(ud->elements);\n free(ud);\n}",
- "target": 0,
- "cwe": [
- "CWE-476"
- ],
- "project": "graphviz",
- "commit_id": "839085f8026afd6f6920a0c31ad2a9d880d97932",
- "hash": 51490874138293443175062885090212690882,
- "size": 9,
- "message": "attempted fix for null pointer deference on malformed input",
- "dataset": "other",
- "idx": 505482
- },
- {
- "func": "Agraph_t *graphml_to_gv(char* gname, FILE * graphmlFile, int* rv)\n{\n char buf[BUFSIZE];\n int done;\n userdata_t *udata = genUserdata(gname);\n XML_Parser parser = XML_ParserCreate(NULL);\n\n *rv = 0;\n XML_SetUserData(parser, udata);\n XML_SetElementHandler(parser, startElementHandler, endElementHandler);\n XML_SetCharacterDataHandler(parser, characterDataHandler);\n\n Current_class = TAG_GRAPH;\n root = 0;\n do {\n\tsize_t len = fread(buf, 1, sizeof(buf), graphmlFile);\n\tif (len == 0)\n\t break;\n\tdone = len < sizeof(buf);\n\tif (XML_Parse(parser, buf, len, done) == XML_STATUS_ERROR) {\n\t fprintf(stderr,\n\t\t \"%s at line %lu\\n\",\n\t\t XML_ErrorString(XML_GetErrorCode(parser)),\n\t\t XML_GetCurrentLineNumber(parser));\n\t *rv = 1;\n\t break;\n\t}\n } while (!done);\n XML_ParserFree(parser);\n freeUserdata(udata);\n\n return root;\n}",
- "target": 0,
- "cwe": [
- "CWE-476"
- ],
- "project": "graphviz",
- "commit_id": "839085f8026afd6f6920a0c31ad2a9d880d97932",
- "hash": 179642333214400244061262734492515282421,
- "size": 33,
- "message": "attempted fix for null pointer deference on malformed input",
- "dataset": "other",
- "idx": 505496
- }
- ]
- }
- ]
- }
|