// Contributed by Alexandre Oliva <aoliva@redhat.com>
// From Red Hat case 106165.
// Record that crashIt() reads through the global `pb`.
// NOTE(review): crashIt() uses v2 as its data pointer only when v1 >= 8, so v1
// looks like a byte count for the buffer behind v2 -- confirm; nothing visible
// here ties the two fields together.
typedef struct s1
{
unsigned short v1;
unsigned char *v2;
} S1;
// Defined elsewhere; crashIt() calls it with the global `hdb` on its rejection path.
extern void bar(const struct s1 *const hdb);
// Defined elsewhere; crashIt() takes its data pointer from here when pb->v1 < 8.
// The empty parameter list means calls are not checked against a prototype, and
// the size of the buffer it returns is not visible from this file.
extern unsigned char* foo ();
// File-scope state read by crashIt(). No initialisers are given, so these start
// as zero / null pointers unless code outside this file assigns them.
unsigned int sn;
S1 *hdb;
S1 *pb;
unsigned short len;
// Checks the two leading 32-bit words of a buffer against the globals `sn` and `len`.
//
// Returns 1 when `sn` is non-zero, when `len` < 12, when no data pointer is
// available, or when the decoded fields fail the length / non-zero check (in
// that last case bar(hdb) is called first). Returns 0 otherwise.
//
// NOTE(review): presumably a compiler regression reproducer (the file header
// cites a Red Hat case and the function is named crashIt) -- if so, the exact
// expression shapes below are the test and should not be "tidied".
// The access pattern is not one to copy into production parsing code:
//  - `pb` is dereferenced with no null check;
//  - 8 bytes are read from `p`, but the only size-related guard is pb->v1 >= 8
//    on the pb->v2 path; nothing bounds the buffer returned by foo();
//  - `len` is compared against constants only, never against the buffer size;
//  - an unsigned char * is read through an unsigned int * cast, which depends
//    on the buffer being suitably aligned and bypasses the effective-type
//    (strict aliasing) rules.
unsigned int crashIt()
{
unsigned char *p;
unsigned int nsn;
unsigned short cnt;
if (sn != 0) return 1;
// Pick the data pointer: pb->v2 when pb->v1 >= 8, otherwise whatever foo() returns.
// A null pointer from either source is rejected here.
if ((len < 12) || ((p = (((pb->v1) >= 8) ? pb->v2 : foo() )) == 0))
return 1;
// First word, bytes reversed (assumes unsigned int is 32 bits wide -- TODO confirm).
nsn = (
(((*(unsigned int*)p) & 0x000000ff) << 24) |
(((*(unsigned int*)p) & 0x0000ff00) << 8) |
(((*(unsigned int*)p) & 0x00ff0000) >> 8) |
(((*(unsigned int*)p) & 0xff000000) >> 24) );
p += 4;
// Second word, bytes reversed, then truncated to its low 16 bits.
cnt = (unsigned short) ((
(((*(unsigned int*)p) & 0x000000ff) << 24) |
(((*(unsigned int*)p) & 0x0000ff00) << 8) |
(((*(unsigned int*)p) & 0x00ff0000) >> 8) |
(((*(unsigned int*)p) & 0xff000000) >> 24) ) &
0xffff);
// `len` must equal 12 plus 56 per counted item, and the first word must be non-zero.
// NOTE(review): 12 and 56 look like header and per-record sizes -- confirm.
if ((len != 12 + (cnt * 56)) || (nsn == 0))
{
bar(hdb);
return 1;
}
return 0;
}