├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01_bad.png
├── LICENSE
├── Project_Files
├── README.md
├── benchmarks_running.py
├── complex_program_running.py
├── run.py
├── samples
│ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_02.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_09.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_12.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_14.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_15.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_17.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_18.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_21.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_31.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_42.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_44.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67a.c
│ │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b.c
│ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_02.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_03.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_08.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_09.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_11.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_12.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_14.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_15.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_16.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_17.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_18.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_21.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_31.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_34.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_41.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_42.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_44.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_45.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67a.c
│ │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b.c
│ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_01.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_02.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_03.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_08.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_09.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_11.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_12.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_14.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_15.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_16.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_17.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_18.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_21.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_31.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_34.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_41.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_42.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_44.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_45.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67a.c
│ │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b.c
│ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_01.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_03.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_09.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_12.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_16.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_18.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_31.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_34.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_42.c
│ │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_45.c
│ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_01.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_03.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_09.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_12.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_16.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_18.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_31.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_34.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_42.c
│ │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_45.c
│ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_02.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_09.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_12.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_14.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_15.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_17.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_18.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_21.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_31.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_34.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_41.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_42.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_44.c
│ │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67a.c
│ │ └── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b.c
│ ├── executable.sh
│ ├── includes
│ │ ├── io.c
│ │ ├── std_testcase.h
│ │ ├── std_testcase_io.h
│ │ └── testcases.h
│ └── program.c
└── source
│ ├── MCSimulation.py
│ ├── NFACTOR_MC.cfg
│ ├── TypeUtils.py
│ ├── VulAnalyzer.py
│ ├── __init__.py
│ ├── analysis
│ ├── CFGPartAnalysis.py
│ ├── Units.py
│ └── __init__.py
│ ├── config.py
│ ├── constraintTree
│ ├── VNode.py
│ ├── VTree.py
│ └── __init__.py
│ ├── learning
│ ├── Cover.py
│ ├── Tar3.py
│ ├── Tar3Ranges.py
│ ├── __init__.py
│ └── tar3
│ │ ├── bin
│ │ ├── tar3.exe
│ │ └── xval.exe
│ │ ├── doc
│ │ ├── 02itar2.pdf
│ │ ├── 02metrics.pdf
│ │ ├── 02moreodc.pdf
│ │ ├── 02pairprog.pdf
│ │ ├── 02re02.pdf
│ │ ├── 02sereuse.pdf
│ │ ├── 02trust.pdf
│ │ ├── TAR2intro.pdf
│ │ ├── TAR3Manual.pdf
│ │ ├── ch4-TAR3.pdf
│ │ ├── itarv2.pdf
│ │ ├── kdd.pdf
│ │ ├── lazyagents.pdf
│ │ ├── mbtar.pdf
│ │ ├── ml4re.pdf
│ │ ├── soft.pdf
│ │ └── truisms.pdf
│ │ ├── sample
│ │ ├── data.cfg
│ │ ├── data.data
│ │ ├── data.names
│ │ ├── golf.cfg
│ │ ├── golf.data
│ │ ├── golf.names
│ │ ├── shadow.cfg
│ │ ├── shadow.data
│ │ ├── shadow.names
│ │ ├── tar3.bat
│ │ ├── xval.bat
│ │ └── xval_usage.txt
│ │ └── source
│ │ ├── tar3
│ │ ├── defns.h
│ │ ├── deltaf.c
│ │ ├── extern.h
│ │ ├── generate.c
│ │ ├── getdata.c
│ │ ├── getnames.c
│ │ ├── global.h
│ │ ├── main.c
│ │ ├── process.c
│ │ ├── random.c
│ │ ├── rawdata.c
│ │ ├── sort.c
│ │ ├── tar3
│ │ ├── test.c
│ │ ├── types.h
│ │ └── xvalsum.c
│ │ └── xval
│ │ ├── xval
│ │ ├── xval.c
│ │ └── xvalprep.c
│ └── simprocedure
│ ├── ExtractParams.py
│ ├── UnConstraintRetValue.py
│ ├── __init__.py
│ ├── vul_memcpy.py
│ ├── vul_memmove.py
│ ├── vul_memset.py
│ ├── vul_sprintf.py
│ ├── vul_strcat.py
│ ├── vul_strcpy.py
│ └── wcslen.py
├── README.md
└── requirements.txt
/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01_bad.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01_bad.png
--------------------------------------------------------------------------------
/Project_Files/README.md:
--------------------------------------------------------------------------------
1 | Our Evaluation
2 | ------------
3 | To reproduce the results of NIST SARD benchmarks, you can use the [`benchmarks_running.py`](https://github.com/SoftwareSecurityLab/Heap-Overflow-Detection/blob/main/Project_Files/benchmarks_running.py) file, and for testing the designed program, you can use the [`complex_program_running.py`](https://github.com/SoftwareSecurityLab/Heap-Overflow-Detection/blob/main/Project_Files/complex_program_running.py) file.
4 |
5 | ### Analyzing NIST SARD Programs
6 | Note that our implemented tool uses x64 binary code for analyzing C programs. Compile benchmark programs using the below command:
7 | ```
8 | cd samples; chmod +x executable.sh; ./executable.sh
9 | ```
10 | Run shellscript:
11 | ```
12 | cd .. ; chmod +x benchmarks_running.py; ./benchmarks_running.py
13 | ```
14 | ### Analyzing A Designed Program
15 | ```
16 | gcc ./samples/program.c -o program
17 | ```
18 | Run shellscript:
19 | ```
20 | chmod +x complex_program_running.py; ./complex_program_running.py
21 | ```
22 | Known Issues
23 | ------------
24 | You may get the error:
25 |
26 | PermissionError: [Errno 13] Permission denied: '~/Heap-Overflow-Detection/Project_Files/source/learning/./tar3/source/tar3/tar3'
27 |
28 | You can fix it by granting the execution permission to the [`tar3`](https://github.com/SoftwareSecurityLab/Heap-Overflow-Detection/blob/main/Project_Files/source/learning/tar3/source/tar3/tar3) file.
29 |
--------------------------------------------------------------------------------
/Project_Files/benchmarks_running.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import argparse
4 | import claripy,angr,monkeyhex
5 | from source.analysis import CFGPartAnalysis
6 | from source.constraintTree import _VTree
7 | from source.VulAnalyzer import VulAnalyzer
8 |
9 | import sys, os
10 | sys.setrecursionlimit(2000)
11 |
12 |
13 | for i in range(1, 91):
14 | print('===================')
15 | print("| Program No.: " + str(i))
16 | print('===================')
17 | proj=angr.Project('./samples/' + str(i),load_options={'auto_load_libs':False})
18 | angr.AnalysesHub.register_default('CFGPartAnalysis',CFGPartAnalysis)
19 | angr.AnalysesHub.register_default('VTree',_VTree)
20 | angr.AnalysesHub.register_default('VulAnalyzer',VulAnalyzer)
21 | cfg_an=proj.analyses.CFGPartAnalysis()
22 | an=proj.analyses.VulAnalyzer(cfg_an, False)
23 | u = an.propUnits()
24 |
25 | for unit in u:
26 | print("Test Unit : <{}>".format(unit))
27 | proj=angr.Project('./samples/' + str(i),load_options={'auto_load_libs':False})
28 | angr.AnalysesHub.register_default('CFGPartAnalysis',CFGPartAnalysis)
29 | angr.AnalysesHub.register_default('VTree',_VTree)
30 | angr.AnalysesHub.register_default('VulAnalyzer',VulAnalyzer)
31 | cfg_an=proj.analyses.CFGPartAnalysis()
32 | an=proj.analyses.VulAnalyzer(cfg_an, False)
33 | if i in [12, 14, 15, 31, 33, 35, 51, 53, 55, 87, 89, 90]:
34 | prototype = 'void ' + unit + '(char*, char*)'
35 | size = [0,100]
36 | else:
37 | prototype = 'void ' + unit + '(char*)'
38 | size = [100]
39 | an.analyze(prototype,args_index=[1],arg_sizes=size)
40 | print('\n\n')
41 |
42 |
43 |
--------------------------------------------------------------------------------
/Project_Files/complex_program_running.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import argparse
4 | import claripy,angr,monkeyhex
5 | from source.analysis import CFGPartAnalysis
6 | from source.constraintTree import _VTree
7 | from source.VulAnalyzer import VulAnalyzer
8 |
9 | import sys, os
10 | sys.setrecursionlimit(2000)
11 |
12 |
13 | proj=angr.Project('./program', load_options={'auto_load_libs':False})
14 | angr.AnalysesHub.register_default('CFGPartAnalysis',CFGPartAnalysis)
15 | angr.AnalysesHub.register_default('VTree',_VTree)
16 | angr.AnalysesHub.register_default('VulAnalyzer',VulAnalyzer)
17 | cfg_an=proj.analyses.CFGPartAnalysis()
18 | an=proj.analyses.VulAnalyzer(cfg_an, True)
19 | u = an.propUnits()
20 |
21 | for unit in u:
22 | print("Test Unit : <{}>".format(unit))
23 | proj=angr.Project('./program', load_options={'auto_load_libs':False})
24 | angr.AnalysesHub.register_default('CFGPartAnalysis',CFGPartAnalysis)
25 | angr.AnalysesHub.register_default('VTree',_VTree)
26 | angr.AnalysesHub.register_default('VulAnalyzer',VulAnalyzer)
27 | cfg_an=proj.analyses.CFGPartAnalysis()
28 | an=proj.analyses.VulAnalyzer(cfg_an, True)
29 | prototype = 'void ' + unit + '(char*, char*)'
30 | size = [100,100]
31 | if unit == 'check' or unit == 'authentication':
32 | index = [1,2]
33 | else:
34 | index = []
35 | an.analyze(prototype,args_index=index,arg_sizes=size)
36 | print('\n\n')
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Project_Files/run.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import argparse
4 | import claripy,angr,monkeyhex
5 | from source.analysis import CFGPartAnalysis
6 | from source.constraintTree import _VTree
7 | from source.VulAnalyzer import VulAnalyzer
8 |
9 | if __name__ == '__main__':
10 | parser = argparse.ArgumentParser()
11 | parser.add_argument("-b","--binary",help="The Name of Binary File You Want to Analyze",required=True)
12 | parser.add_argument("-p","--prototype",help="The Prototype of Test Unit You Want to Analyze",required=False)
13 | parser.add_argument("-a","--args",help="The Size of Test Unit Arguments",required=False)
14 | parser.add_argument("-s","--sizes",help="The Indexes of Argv Passed to The Test Unit As Function Arguments",required=False)
15 | parser.add_argument("-S","--solo", help="VTree solo mode", action='store_true', default=False, required=False)
16 | args = parser.parse_args()
17 |
18 | args_index=[]
19 | if args.args :
20 | args_index=list(map(int,args.args.split(',')))
21 |
22 | args_sizes=[]
23 | if args.sizes :
24 | args_sizes=list(map(int,args.sizes.split(',')))
25 |
26 | flag=True
27 | if args.prototype is None:
28 | flag=False
29 |
30 | proj=angr.Project(args.binary,load_options={'auto_load_libs':False})
31 | angr.AnalysesHub.register_default('CFGPartAnalysis',CFGPartAnalysis)
32 | angr.AnalysesHub.register_default('VTree',_VTree)
33 | angr.AnalysesHub.register_default('VulAnalyzer',VulAnalyzer)
34 | cfg_an=proj.analyses.CFGPartAnalysis()
35 | an=proj.analyses.VulAnalyzer(cfg_an, args.solo)
36 | if flag:
37 | an.analyze(args.prototype,args_index=args_index,arg_sizes=args_sizes)
38 | else:
39 | an.propUnits()
40 |
41 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-01.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sink: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 01 Baseline
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | struct fp
24 | {
25 | void (*fptr)(const char*);
26 | };
27 | /* MAINTENANCE NOTE: The length of this string should equal the 40 */
28 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
29 |
30 | #ifndef OMITBAD
31 |
32 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01_bad(char * activator)
33 | {
34 | char * data;
35 | struct fp * ptr;
36 | data = NULL;
37 | ptr = NULL;
38 | /* FLAW: Did not allocate space based on the source length */
39 | data = (char *)malloc(20*sizeof(char));
40 | if (data == NULL) {exit(-1);}
41 | ptr = (struct fp *)malloc(sizeof(struct fp));
42 | if (ptr == NULL) {exit(-1);}
43 | {
44 | ptr->fptr = printLine;
45 | /* POTENTIAL FLAW: data may not have enough space to hold source */
46 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
47 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
48 | {
49 | strcpy(data, activator);
50 | }
51 | ptr->fptr("That's OK!");
52 | printLine(data);
53 | free(data);
54 | free(ptr);
55 | }
56 | }
57 |
58 | #endif /* OMITBAD */
59 |
60 | #ifndef OMITGOOD
61 |
62 | /* goodG2B uses the GoodSource with the BadSink */
63 | static void goodG2B()
64 | {
65 | char * data;
66 | struct fp * ptr;
67 | data = NULL;
68 | ptr = NULL;
69 | /* FIX: Allocate space for a null terminator */
70 | data = (char *)malloc((40+1)*sizeof(char));
71 | if (data == NULL) {exit(-1);}
72 | ptr = (struct fp *)malloc(sizeof(struct fp));
73 | if (ptr == NULL) {exit(-1);}
74 | {
75 | char source[40+1] = SRC_STRING;
76 | ptr->fptr = printLine;
77 | /* POTENTIAL FLAW: data may not have enough space to hold source */
78 | strcpy(data, source);
79 | ptr->fptr("That's OK!");
80 | printLine(data);
81 | free(data);
82 | free(ptr);
83 | }
84 | }
85 |
86 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01_good()
87 | {
88 | goodG2B();
89 | }
90 |
91 | #endif /* OMITGOOD */
92 |
93 | /* Below is the main(). It is only used when building this testcase on
94 | * its own for testing or for building a binary to use in testing binary
95 | * analysis tools. It is not used when compiling all the testcases as one
96 | * application, which is how source code analysis tools are tested.
97 | */
98 |
99 |
100 | int main(int argc, char * argv[])
101 | {
102 | /* seed randomness */
103 | srand( (unsigned)time(NULL) );
104 | #ifndef OMITGOOD
105 | printLine("Calling good()...");
106 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01_good();
107 | printLine("Finished good()");
108 | #endif /* OMITGOOD */
109 | #ifndef OMITBAD
110 | printLine("Calling bad()...");
111 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01_bad(argv[1]);
112 | printLine("Finished bad()");
113 | #endif /* OMITBAD */
114 | return 0;
115 | }
116 |
117 |
118 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_17.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_17.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-17.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sink: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 17 Control flow: for loops
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | struct fp
24 | {
25 | void (*fptr)(const char*);
26 | };
27 | /* MAINTENANCE NOTE: The length of this string should equal the 40 */
28 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
29 |
30 | #ifndef OMITBAD
31 |
32 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_17_bad(char * activator)
33 | {
34 | int i;
35 | char * data;
36 | struct fp * ptr;
37 | data = NULL;
38 | ptr = NULL;
39 | for(i = 0; i < 1; i++)
40 | {
41 | /* FLAW: Did not allocate space based on the source length */
42 | data = (char *)malloc(20*sizeof(char));
43 | if (data == NULL) {exit(-1);}
44 | ptr = (struct fp *)malloc(sizeof(struct fp));
45 | if (ptr == NULL) {exit(-1);}
46 | }
47 | {
48 | ptr->fptr = printLine;
49 | /* POTENTIAL FLAW: data may not have enough space to hold source */
50 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
51 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
52 | {
53 | strcpy(data, activator);
54 | }
55 | ptr->fptr("That's OK!");
56 | printLine(data);
57 | free(data);
58 | free(ptr);
59 | }
60 | }
61 |
62 | #endif /* OMITBAD */
63 |
64 | #ifndef OMITGOOD
65 |
66 | /* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
67 | static void goodG2B()
68 | {
69 | int h;
70 | char * data;
71 | struct fp * ptr;
72 | data = NULL;
73 | ptr = NULL;
74 | for(h = 0; h < 1; h++)
75 | {
76 | /* FIX: Allocate space for a null terminator */
77 | data = (char *)malloc((40+1)*sizeof(char));
78 | if (data == NULL) {exit(-1);}
79 | ptr = (struct fp *)malloc(sizeof(struct fp));
80 | if (ptr == NULL) {exit(-1);}
81 | }
82 | {
83 | char source[40+1] = SRC_STRING;
84 | ptr->fptr = printLine;
85 | /* POTENTIAL FLAW: data may not have enough space to hold source */
86 | strcpy(data, source);
87 | ptr->fptr("That's OK!");
88 | printLine(data);
89 | free(data);
90 | free(ptr);
91 | }
92 | }
93 |
94 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_17_good()
95 | {
96 | goodG2B();
97 | }
98 |
99 | #endif /* OMITGOOD */
100 |
101 | /* Below is the main(). It is only used when building this testcase on
102 | * its own for testing or for building a binary to use in testing binary
103 | * analysis tools. It is not used when compiling all the testcases as one
104 | * application, which is how source code analysis tools are tested.
105 | */
106 |
107 |
108 | int main(int argc, char * argv[])
109 | {
110 | /* seed randomness */
111 | srand( (unsigned)time(NULL) );
112 | #ifndef OMITGOOD
113 | printLine("Calling good()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_17_good();
115 | printLine("Finished good()");
116 | #endif /* OMITGOOD */
117 | #ifndef OMITBAD
118 | printLine("Calling bad()...");
119 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_17_bad(argv[1]);
120 | printLine("Finished bad()");
121 | #endif /* OMITBAD */
122 | return 0;
123 | }
124 |
125 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_18.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_18.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-18.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sink: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 18 Control flow: goto statements
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | struct fp
24 | {
25 | void (*fptr)(const char*);
26 | };
27 | /* MAINTENANCE NOTE: The length of this string should equal the 40 */
28 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
29 |
30 | #ifndef OMITBAD
31 |
32 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_18_bad(char * activator)
33 | {
34 | char * data;
35 | struct fp * ptr;
36 | data = NULL;
37 | ptr = NULL;
38 | goto source;
39 | source:
40 | /* FLAW: Did not allocate space based on the source length */
41 | data = (char *)malloc(20*sizeof(char));
42 | if (data == NULL) {exit(-1);}
43 | ptr = (struct fp *)malloc(sizeof(struct fp));
44 | if (ptr == NULL) {exit(-1);}
45 | {
46 | ptr->fptr = printLine;
47 | /* POTENTIAL FLAW: data may not have enough space to hold source */
48 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
49 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
50 | {
51 | strcpy(data, activator);
52 | }
53 | ptr->fptr("That's OK!");
54 | printLine(data);
55 | free(data);
56 | free(ptr);
57 | }
58 | }
59 |
60 | #endif /* OMITBAD */
61 |
62 | #ifndef OMITGOOD
63 |
64 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
65 | static void goodG2B()
66 | {
67 | char * data;
68 | struct fp * ptr;
69 | data = NULL;
70 | ptr = NULL;
71 | goto source;
72 | source:
73 | /* FIX: Allocate space for a null terminator */
74 | data = (char *)malloc((40+1)*sizeof(char));
75 | if (data == NULL) {exit(-1);}
76 | ptr = (struct fp *)malloc(sizeof(struct fp));
77 | if (ptr == NULL) {exit(-1);}
78 | {
79 | char source[40+1] = SRC_STRING;
80 | ptr->fptr = printLine;
81 | /* POTENTIAL FLAW: data may not have enough space to hold source */
82 | strcpy(data, source);
83 | ptr->fptr("That's OK!");
84 | printLine(data);
85 | free(data);
86 | free(ptr);
87 | }
88 | }
89 |
90 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_18_good()
91 | {
92 | goodG2B();
93 | }
94 |
95 | #endif /* OMITGOOD */
96 |
97 | /* Below is the main(). It is only used when building this testcase on
98 | * its own for testing or for building a binary to use in testing binary
99 | * analysis tools. It is not used when compiling all the testcases as one
100 | * application, which is how source code analysis tools are tested.
101 | */
102 |
103 |
104 | int main(int argc, char * argv[])
105 | {
106 | /* seed randomness */
107 | srand( (unsigned)time(NULL) );
108 | #ifndef OMITGOOD
109 | printLine("Calling good()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_18_good();
111 | printLine("Finished good()");
112 | #endif /* OMITGOOD */
113 | #ifndef OMITBAD
114 | printLine("Calling bad()...");
115 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_18_bad(argv[1]);
116 | printLine("Finished bad()");
117 | #endif /* OMITBAD */
118 | return 0;
119 | }
120 |
121 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_31.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_31.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-31.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sinks: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 31 Data flow using a copy of data within the same function
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | struct fp
24 | {
25 | void (*fptr)(const char*);
26 | };
27 | /* MAINTENANCE NOTE: The length of this string should equal the 40 */
28 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
29 |
30 | #ifndef OMITBAD
31 |
32 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_31_bad(char * activator)
33 | {
34 | char * data;
35 | struct fp * ptr;
36 | data = NULL;
37 | ptr = NULL;
38 | /* FLAW: Did not allocate space based on the source length */
39 | data = (char *)malloc(20*sizeof(char));
40 | if (data == NULL) {exit(-1);}
41 | ptr = (struct fp *)malloc(sizeof(struct fp));
42 | if (ptr == NULL) {exit(-1);}
43 | {
44 | char * dataCopy = data;
45 | char * data = dataCopy;
46 | {
47 | ptr->fptr = printLine;
48 | /* POTENTIAL FLAW: data may not have enough space to hold source */
49 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
50 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
51 | {
52 | strcpy(data, activator);
53 | }
54 | ptr->fptr("That's OK!");
55 | printLine(data);
56 | free(data);
57 | free(ptr);
58 | }
59 | }
60 | }
61 |
62 | #endif /* OMITBAD */
63 |
64 | #ifndef OMITGOOD
65 |
66 | /* goodG2B() uses the GoodSource with the BadSink */
67 | static void goodG2B()
68 | {
69 | char * data;
70 | struct fp * ptr;
71 | data = NULL;
72 | ptr = NULL;
73 | /* FIX: Allocate space for a null terminator */
74 | data = (char *)malloc((40+1)*sizeof(char));
75 | if (data == NULL) {exit(-1);}
76 | ptr = (struct fp *)malloc(sizeof(struct fp));
77 | if (ptr == NULL) {exit(-1);}
78 | {
79 | char * dataCopy = data;
80 | char * data = dataCopy;
81 | {
82 | char source[40+1] = SRC_STRING;
83 | ptr->fptr = printLine;
84 | /* POTENTIAL FLAW: data may not have enough space to hold source */
85 | strcpy(data, source);
86 | ptr->fptr("That's OK!");
87 | printLine(data);
88 | free(data);
89 | free(ptr);
90 | }
91 | }
92 | }
93 |
94 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_31_good()
95 | {
96 | goodG2B();
97 | }
98 |
99 | #endif /* OMITGOOD */
100 |
101 | /* Below is the main(). It is only used when building this testcase on
102 | * its own for testing or for building a binary to use in testing binary
103 | * analysis tools. It is not used when compiling all the testcases as one
104 | * application, which is how source code analysis tools are tested.
105 | */
106 |
107 |
108 | int main(int argc, char * argv[])
109 | {
110 | /* seed randomness */
111 | srand( (unsigned)time(NULL) );
112 | #ifndef OMITGOOD
113 | printLine("Calling good()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_31_good();
115 | printLine("Finished good()");
116 | #endif /* OMITGOOD */
117 | #ifndef OMITBAD
118 | printLine("Calling bad()...");
119 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_31_bad(argv[1]);
120 | printLine("Finished bad()");
121 | #endif /* OMITBAD */
122 | return 0;
123 | }
124 |
125 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-41.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sink: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 41 Data flow: data passed as an argument from one function to another in the same source file
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | struct fp
24 | {
25 | void (*fptr)(const char*);
26 | };
27 | /* MAINTENANCE NOTE: The length of this string should equal the 40 */
28 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
29 |
30 | #ifndef OMITBAD
31 |
32 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41_badSink(char * data, char * activator)
33 | {
34 | {
35 | /* POTENTIAL FLAW: data may not have enough space to hold source */
36 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
37 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
38 | {
39 | strcpy(data, activator);
40 | }
41 | printLine(data);
42 | free(data);
43 | }
44 | }
45 |
46 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41_bad(char * activator)
47 | {
48 | char * data;
49 | struct fp * ptr;
50 | data = NULL;
51 | ptr = NULL;
52 | /* FLAW: Did not allocate space based on the source length */
53 | data = (char *)malloc(20*sizeof(char));
54 | if (data == NULL) {exit(-1);}
55 | ptr = (struct fp *)malloc(sizeof(struct fp));
56 | if (ptr == NULL) {exit(-1);}
57 | ptr->fptr = printLine;
58 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41_badSink(data, activator);
59 | ptr->fptr("That's OK!");
60 | free(ptr);
61 | }
62 |
63 | #endif /* OMITBAD */
64 |
65 | #ifndef OMITGOOD
66 |
67 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41_goodG2BSink(char * data)
68 | {
69 | {
70 | char source[40+1] = SRC_STRING;
71 | /* POTENTIAL FLAW: data may not have enough space to hold source */
72 | strcpy(data, source);
73 | printLine(data);
74 | free(data);
75 | }
76 | }
77 |
78 | /* goodG2B uses the GoodSource with the BadSink */
79 | static void goodG2B()
80 | {
81 | char * data;
82 | struct fp * ptr;
83 | data = NULL;
84 | ptr = NULL;
85 | /* FIX: Allocate space for a null terminator */
86 | data = (char *)malloc((40+1)*sizeof(char));
87 | if (data == NULL) {exit(-1);}
88 | ptr = (struct fp *)malloc(sizeof(struct fp));
89 | if (ptr == NULL) {exit(-1);}
90 | ptr->fptr = printLine;
91 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41_goodG2BSink(data);
92 | ptr->fptr("That's OK!");
93 | free(ptr);
94 | }
95 |
96 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41_good()
97 | {
98 | goodG2B();
99 | }
100 |
101 | #endif /* OMITGOOD */
102 |
103 | /* Below is the main(). It is only used when building this testcase on
104 | * its own for testing or for building a binary to use in testing binary
105 | * analysis tools. It is not used when compiling all the testcases as one
106 | * application, which is how source code analysis tools are tested.
107 | */
108 |
109 |
110 | int main(int argc, char * argv[])
111 | {
112 | /* seed randomness */
113 | srand( (unsigned)time(NULL) );
114 | #ifndef OMITGOOD
115 | printLine("Calling good()...");
116 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41_good();
117 | printLine("Finished good()");
118 | #endif /* OMITGOOD */
119 | #ifndef OMITBAD
120 | printLine("Calling bad()...");
121 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41_bad(argv[1]);
122 | printLine("Finished bad()");
123 | #endif /* OMITBAD */
124 | return 0;
125 | }
126 |
127 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_42.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_42.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-42.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sink: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | struct fp
24 | {
25 | void (*fptr)(const char*);
26 | };
27 | /* MAINTENANCE NOTE: The length of this string should equal the 40 */
28 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
29 |
30 | #ifndef OMITBAD
31 |
32 | static char * badSource(char * data)
33 | {
34 | /* FLAW: Did not allocate space based on the source length */
35 | data = (char *)malloc(20*sizeof(char));
36 | if (data == NULL) {exit(-1);}
37 | return data;
38 | }
39 |
40 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_42_bad(char * activator)
41 | {
42 | char * data;
43 | struct fp * ptr;
44 | data = NULL;
45 | ptr = NULL;
46 | data = badSource(data);
47 | ptr = (struct fp *)malloc(sizeof(struct fp));
48 | if (ptr == NULL) {exit(-1);}
49 | {
50 | ptr->fptr = printLine;
51 | /* POTENTIAL FLAW: data may not have enough space to hold source */
52 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
53 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
54 | {
55 | strcpy(data, activator);
56 | }
57 | ptr->fptr("That's OK!");
58 | printLine(data);
59 | free(data);
60 | free(ptr);
61 | }
62 | }
63 |
64 | #endif /* OMITBAD */
65 |
66 | #ifndef OMITGOOD
67 |
68 | static char * goodG2BSource(char * data)
69 | {
70 | /* FIX: Allocate space for a null terminator */
71 | data = (char *)malloc((40+1)*sizeof(char));
72 | if (data == NULL) {exit(-1);}
73 | return data;
74 | }
75 |
76 | /* goodG2B uses the GoodSource with the BadSink */
77 | static void goodG2B()
78 | {
79 | char * data;
80 | struct fp * ptr;
81 | data = NULL;
82 | ptr = NULL;
83 | data = goodG2BSource(data);
84 | ptr = (struct fp *)malloc(sizeof(struct fp));
85 | if (ptr == NULL) {exit(-1);}
86 | {
87 | char source[40+1] = SRC_STRING;
88 | ptr->fptr = printLine;
89 | /* POTENTIAL FLAW: data may not have enough space to hold source */
90 | strcpy(data, source);
91 | ptr->fptr("That's OK!");
92 | printLine(data);
93 | free(data);
94 | free(ptr);
95 | }
96 | }
97 |
98 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_42_good()
99 | {
100 | goodG2B();
101 | }
102 |
103 | #endif /* OMITGOOD */
104 |
105 | /* Below is the main(). It is only used when building this testcase on
106 | * its own for testing or for building a binary to use in testing binary
107 | * analysis tools. It is not used when compiling all the testcases as one
108 | * application, which is how source code analysis tools are tested.
109 | */
110 |
111 |
112 | int main(int argc, char * argv[])
113 | {
114 | /* seed randomness */
115 | srand( (unsigned)time(NULL) );
116 | #ifndef OMITGOOD
117 | printLine("Calling good()...");
118 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_42_good();
119 | printLine("Finished good()");
120 | #endif /* OMITGOOD */
121 | #ifndef OMITBAD
122 | printLine("Calling bad()...");
123 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_42_bad(argv[1]);
124 | printLine("Finished bad()");
125 | #endif /* OMITBAD */
126 | return 0;
127 | }
128 |
129 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_44.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_44.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-44.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sinks: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 44 Data/control flow: data passed as an argument from one function to a function in the same source file called via a function pointer
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | struct fp
24 | {
25 | void (*fptr)(const char*);
26 | };
27 | /* MAINTENANCE NOTE: The length of this string should equal the 40 */
28 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
29 |
30 | #ifndef OMITBAD
31 |
32 | static void badSink(char * data, char * activator)
33 | {
34 | {
35 | /* POTENTIAL FLAW: data may not have enough space to hold source */
36 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
37 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
38 | {
39 | strcpy(data, activator);
40 | }
41 | printLine(data);
42 | free(data);
43 | }
44 | }
45 |
46 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_44_bad(char * activator)
47 | {
48 | char * data;
49 | struct fp * ptr;
50 | /* define a function pointer */
51 | void (*funcPtr) (char *, char *) = badSink;
52 | data = NULL;
53 | ptr = NULL;
54 | /* FLAW: Did not allocate space based on the source length */
55 | data = (char *)malloc(20*sizeof(char));
56 | if (data == NULL) {exit(-1);}
57 | ptr = (struct fp *)malloc(sizeof(struct fp));
58 | if (ptr == NULL) {exit(-1);}
59 | ptr->fptr = printLine;
60 | /* use the function pointer */
61 | funcPtr(data, activator);
62 | ptr->fptr("That's OK!");
63 | free(ptr);
64 | }
65 |
66 | #endif /* OMITBAD */
67 |
68 | #ifndef OMITGOOD
69 |
70 | /* goodG2B() uses the GoodSource with the BadSink */
71 | static void goodG2BSink(char * data)
72 | {
73 | {
74 | char source[40+1] = SRC_STRING;
75 | /* POTENTIAL FLAW: data may not have enough space to hold source */
76 | strcpy(data, source);
77 | printLine(data);
78 | free(data);
79 | }
80 | }
81 |
82 | static void goodG2B()
83 | {
84 | char * data;
85 | struct fp * ptr;
86 | void (*funcPtr) (char *) = goodG2BSink;
87 | data = NULL;
88 | ptr = NULL;
89 | /* FIX: Allocate space for a null terminator */
90 | data = (char *)malloc((40+1)*sizeof(char));
91 | if (data == NULL) {exit(-1);}
92 | ptr = (struct fp *)malloc(sizeof(struct fp));
93 | if (ptr == NULL) {exit(-1);}
94 | ptr->fptr = printLine;
95 | /* use the function pointer */
96 | funcPtr(data);
97 | ptr->fptr("That's OK!");
98 | free(ptr);
99 | }
100 |
101 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_44_good()
102 | {
103 | goodG2B();
104 | }
105 |
106 | #endif /* OMITGOOD */
107 |
108 | /* Below is the main(). It is only used when building this testcase on
109 | * its own for testing or for building a binary to use in testing binary
110 | * analysis tools. It is not used when compiling all the testcases as one
111 | * application, which is how source code analysis tools are tested.
112 | */
113 |
114 |
115 | int main(int argc, char * argv[])
116 | {
117 | /* seed randomness */
118 | srand( (unsigned)time(NULL) );
119 | #ifndef OMITGOOD
120 | printLine("Calling good()...");
121 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_44_good();
122 | printLine("Finished good()");
123 | #endif /* OMITGOOD */
124 | #ifndef OMITBAD
125 | printLine("Calling bad()...");
126 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_44_bad(argv[1]);
127 | printLine("Finished bad()");
128 | #endif /* OMITBAD */
129 | return 0;
130 | }
131 |
132 |
133 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67a.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67a.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-67a.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sinks: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | struct fp
24 | {
25 | void (*fptr)(const char*);
26 | };
27 | /* MAINTENANCE NOTE: The length of this string should equal the 40 */
28 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
29 |
30 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType
31 | {
32 | char * structFirst;
33 | } CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType;
34 |
35 | #ifndef OMITBAD
36 |
37 | /* bad function declaration */
38 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType myStruct, char * activator);
39 |
40 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_bad(char * activator)
41 | {
42 | char * data;
43 | struct fp * ptr;
44 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType myStruct;
45 | data = NULL;
46 | ptr = NULL;
47 | /* FLAW: Did not allocate space based on the source length */
48 | data = (char *)malloc(20*sizeof(char));
49 | if (data == NULL) {exit(-1);}
50 | ptr = (struct fp *)malloc(sizeof(struct fp));
51 | if (ptr == NULL) {exit(-1);}
52 | ptr->fptr = printLine;
53 | myStruct.structFirst = data;
54 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b_badSink(myStruct, activator);
55 | ptr->fptr("That's OK!");
56 | free(ptr);
57 | }
58 |
59 | #endif /* OMITBAD */
60 |
61 | #ifndef OMITGOOD
62 |
63 | /* goodG2B uses the GoodSource with the BadSink */
64 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType myStruct);
65 |
66 | static void goodG2B()
67 | {
68 | char * data;
69 | struct fp * ptr;
70 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType myStruct;
71 | data = NULL;
72 | ptr = NULL;
73 | /* FIX: Allocate space for a null terminator */
74 | data = (char *)malloc((40+1)*sizeof(char));
75 | if (data == NULL) {exit(-1);}
76 | ptr = (struct fp *)malloc(sizeof(struct fp));
77 | if (ptr == NULL) {exit(-1);}
78 | ptr->fptr = printLine;
79 | myStruct.structFirst = data;
80 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b_goodG2BSink(myStruct);
81 | ptr->fptr("That's OK!");
82 | free(ptr);
83 | }
84 |
85 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_good()
86 | {
87 | goodG2B();
88 | }
89 |
90 | #endif /* OMITGOOD */
91 |
92 | /* Below is the main(). It is only used when building this testcase on
93 | * its own for testing or for building a binary to use in testing binary
94 | * analysis tools. It is not used when compiling all the testcases as one
95 | * application, which is how source code analysis tools are tested.
96 | */
97 |
98 |
99 | int main(int argc, char * argv[])
100 | {
101 | /* seed randomness */
102 | srand( (unsigned)time(NULL) );
103 | #ifndef OMITGOOD
104 | printLine("Calling good()...");
105 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_good();
106 | printLine("Finished good()");
107 | #endif /* OMITGOOD */
108 | #ifndef OMITBAD
109 | printLine("Calling bad()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_bad(argv[1]);
111 | printLine("Finished bad()");
112 | #endif /* OMITBAD */
113 | return 0;
114 | }
115 |
116 |
117 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4 | Template File: sources-sink-67b.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 | * GoodSource: Allocate enough memory for a string and the NULL terminator
11 | * Sinks: cpy
12 | * BadSink : Copy string to data using strcpy()
13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #ifndef _WIN32
20 | #include
21 | #endif
22 |
23 | /* MAINTENANCE NOTE: The length of this string should equal the 10 */
24 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
25 |
26 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType
27 | {
28 | char * structFirst;
29 | } CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType;
30 |
31 | #ifndef OMITBAD
32 |
33 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType myStruct, char * activator)
34 | {
35 | char * data = myStruct.structFirst;
36 | {
37 | /* POTENTIAL FLAW: data may not have enough space to hold source */
38 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
39 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
40 | {
41 | strcpy(data, activator);
42 | }
43 | printLine(data);
44 | free(data);
45 | }
46 | }
47 |
48 | #endif /* OMITBAD */
49 |
50 | #ifndef OMITGOOD
51 |
52 | /* goodG2B uses the GoodSource with the BadSink */
53 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType myStruct)
54 | {
55 | char * data = myStruct.structFirst;
56 | {
57 | char source[40+1] = SRC_STRING;
58 | /* POTENTIAL FLAW: data may not have enough space to hold source */
59 | strcpy(data, source);
60 | printLine(data);
61 | free(data);
62 | }
63 | }
64 |
65 | #endif /* OMITGOOD */
66 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-01.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy string to data using memcpy
13 | * Flow Variant: 01 Baseline
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (char *)malloc(20*sizeof(char));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | data[0] = '\0'; /* null terminate */
40 | {
41 | ptr->fptr = printLine;
42 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
43 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
44 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
45 | {
46 | memcpy(data, activator, strlen(activator)*sizeof(char));
47 | }
48 | ptr->fptr("That's OK!");
49 | free(data);
50 | free(ptr);
51 | }
52 | }
53 |
54 | #endif /* OMITBAD */
55 |
56 | #ifndef OMITGOOD
57 |
58 | /* goodG2B uses the GoodSource with the BadSink */
59 | static void goodG2B(char * source)
60 | {
61 | char * data;
62 | struct fp * ptr;
63 | data = NULL;
64 | ptr = NULL;
65 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
66 | data = (char *)malloc(100*sizeof(char));
67 | if (data == NULL) {exit(-1);}
68 | ptr = (struct fp *)malloc(sizeof(struct fp));
69 | if (ptr == NULL) {exit(-1);}
70 | data[0] = '\0'; /* null terminate */
71 | {
72 | ptr->fptr = printLine;
73 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
74 | memcpy(data, source, 100*sizeof(char));
75 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
76 | ptr->fptr("That's OK!");
77 | free(data);
78 | free(ptr);
79 | }
80 | }
81 |
82 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01_good(char * source)
83 | {
84 | goodG2B(source);
85 | }
86 |
87 | #endif /* OMITGOOD */
88 |
89 | /* Below is the main(). It is only used when building this testcase on
90 | * its own for testing or for building a binary to use in testing binary
91 | * analysis tools. It is not used when compiling all the testcases as one
92 | * application, which is how source code analysis tools are tested.
93 | */
94 |
95 |
96 | int main(int argc, char * argv[])
97 | {
98 | /* seed randomness */
99 | srand( (unsigned)time(NULL) );
100 | #ifndef OMITGOOD
101 | printLine("Calling good()...");
102 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01_good(argv[1]);
103 | printLine("Finished good()");
104 | #endif /* OMITGOOD */
105 | #ifndef OMITBAD
106 | printLine("Calling bad()...");
107 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01_bad(argv[1]);
108 | printLine("Finished bad()");
109 | #endif /* OMITBAD */
110 | return 0;
111 | }
112 |
113 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_16.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_16.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-16.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy string to data using memcpy
13 | * Flow Variant: 16 Control flow: while(1)
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_16_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | while(1)
35 | {
36 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
37 | data = (char *)malloc(20*sizeof(char));
38 | if (data == NULL) {exit(-1);}
39 | ptr = (struct fp *)malloc(sizeof(struct fp));
40 | if (ptr == NULL) {exit(-1);}
41 | data[0] = '\0'; /* null terminate */
42 | break;
43 | }
44 | {
45 | ptr->fptr = printLine;
46 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
47 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
48 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
49 | {
50 | memcpy(data, activator, strlen(activator)*sizeof(char));
51 | }
52 | ptr->fptr("That's OK!");
53 | free(data);
54 | free(ptr);
55 | }
56 | }
57 |
58 | #endif /* OMITBAD */
59 |
60 | #ifndef OMITGOOD
61 |
62 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
63 | static void goodG2B(char * source)
64 | {
65 | char * data;
66 | struct fp * ptr;
67 | data = NULL;
68 | ptr = NULL;
69 | while(1)
70 | {
71 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
72 | data = (char *)malloc(100*sizeof(char));
73 | if (data == NULL) {exit(-1);}
74 | ptr = (struct fp *)malloc(sizeof(struct fp));
75 | if (ptr == NULL) {exit(-1);}
76 | data[0] = '\0'; /* null terminate */
77 | break;
78 | }
79 | {
80 | ptr->fptr = printLine;
81 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
82 | memcpy(data, source, 100*sizeof(char));
83 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
84 | ptr->fptr("That's OK!");
85 | free(data);
86 | free(ptr);
87 | }
88 | }
89 |
90 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_16_good(char * source)
91 | {
92 | goodG2B(source);
93 | }
94 |
95 | #endif /* OMITGOOD */
96 |
97 | /* Below is the main(). It is only used when building this testcase on
98 | * its own for testing or for building a binary to use in testing binary
99 | * analysis tools. It is not used when compiling all the testcases as one
100 | * application, which is how source code analysis tools are tested.
101 | */
102 |
103 |
104 | int main(int argc, char * argv[])
105 | {
106 | /* seed randomness */
107 | srand( (unsigned)time(NULL) );
108 | #ifndef OMITGOOD
109 | printLine("Calling good()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_16_good(argv[1]);
111 | printLine("Finished good()");
112 | #endif /* OMITGOOD */
113 | #ifndef OMITBAD
114 | printLine("Calling bad()...");
115 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_16_bad(argv[1]);
116 | printLine("Finished bad()");
117 | #endif /* OMITBAD */
118 | return 0;
119 | }
120 |
121 |
122 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_17.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_17.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-17.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy string to data using memcpy
13 | * Flow Variant: 17 Control flow: for loops
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_17_bad(char * activator)
29 | {
30 | int i;
31 | char * data;
32 | struct fp * ptr;
33 | data = NULL;
34 | ptr = NULL;
35 | for(i = 0; i < 1; i++)
36 | {
37 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
38 | data = (char *)malloc(20*sizeof(char));
39 | if (data == NULL) {exit(-1);}
40 | ptr = (struct fp *)malloc(sizeof(struct fp));
41 | if (ptr == NULL) {exit(-1);}
42 | data[0] = '\0'; /* null terminate */
43 | }
44 | {
45 | ptr->fptr = printLine;
46 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
47 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
48 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
49 | {
50 | memcpy(data, activator, strlen(activator)*sizeof(char));
51 | }
52 | ptr->fptr("That's OK!");
53 | free(data);
54 | free(ptr);
55 | }
56 | }
57 |
58 | #endif /* OMITBAD */
59 |
60 | #ifndef OMITGOOD
61 |
62 | /* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
63 | static void goodG2B(char * source)
64 | {
65 | int h;
66 | char * data;
67 | struct fp * ptr;
68 | data = NULL;
69 | ptr = NULL;
70 | for(h = 0; h < 1; h++)
71 | {
72 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
73 | data = (char *)malloc(100*sizeof(char));
74 | if (data == NULL) {exit(-1);}
75 | ptr = (struct fp *)malloc(sizeof(struct fp));
76 | if (ptr == NULL) {exit(-1);}
77 | data[0] = '\0'; /* null terminate */
78 | }
79 | {
80 | ptr->fptr = printLine;
81 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
82 | memcpy(data, source, 100*sizeof(char));
83 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
84 | ptr->fptr("That's OK!");
85 | free(data);
86 | free(ptr);
87 | }
88 | }
89 |
90 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_17_good(char * source)
91 | {
92 | goodG2B(source);
93 | }
94 |
95 | #endif /* OMITGOOD */
96 |
97 | /* Below is the main(). It is only used when building this testcase on
98 | * its own for testing or for building a binary to use in testing binary
99 | * analysis tools. It is not used when compiling all the testcases as one
100 | * application, which is how source code analysis tools are tested.
101 | */
102 |
103 |
104 | int main(int argc, char * argv[])
105 | {
106 | /* seed randomness */
107 | srand( (unsigned)time(NULL) );
108 | #ifndef OMITGOOD
109 | printLine("Calling good()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_17_good(argv[1]);
111 | printLine("Finished good()");
112 | #endif /* OMITGOOD */
113 | #ifndef OMITBAD
114 | printLine("Calling bad()...");
115 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_17_bad(argv[1]);
116 | printLine("Finished bad()");
117 | #endif /* OMITBAD */
118 | return 0;
119 | }
120 |
121 |
122 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_18.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_18.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-18.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy string to data using memcpy
13 | * Flow Variant: 18 Control flow: goto statements
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_18_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | goto source;
35 | source:
36 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
37 | data = (char *)malloc(20*sizeof(char));
38 | if (data == NULL) {exit(-1);}
39 | ptr = (struct fp *)malloc(sizeof(struct fp));
40 | if (ptr == NULL) {exit(-1);}
41 | data[0] = '\0'; /* null terminate */
42 | {
43 | ptr->fptr = printLine;
44 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
45 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
46 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
47 | {
48 | memcpy(data, activator, strlen(activator)*sizeof(char));
49 | }
50 | ptr->fptr("That's OK!");
51 | free(data);
52 | free(ptr);
53 | }
54 | }
55 |
56 | #endif /* OMITBAD */
57 |
58 | #ifndef OMITGOOD
59 |
60 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
61 | static void goodG2B(char * source)
62 | {
63 | char * data;
64 | struct fp * ptr;
65 | data = NULL;
66 | ptr = NULL;
67 | goto source;
68 | source:
69 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 | data = (char *)malloc(100*sizeof(char));
71 | if (data == NULL) {exit(-1);}
72 | ptr = (struct fp *)malloc(sizeof(struct fp));
73 | if (ptr == NULL) {exit(-1);}
74 | data[0] = '\0'; /* null terminate */
75 | {
76 | ptr->fptr = printLine;
77 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
78 | memcpy(data, source, 100*sizeof(char));
79 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
80 | ptr->fptr("That's OK!");
81 | free(data);
82 | free(ptr);
83 | }
84 | }
85 |
86 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_18_good(char * source)
87 | {
88 | goodG2B(source);
89 | }
90 |
91 | #endif /* OMITGOOD */
92 |
93 | /* Below is the main(). It is only used when building this testcase on
94 | * its own for testing or for building a binary to use in testing binary
95 | * analysis tools. It is not used when compiling all the testcases as one
96 | * application, which is how source code analysis tools are tested.
97 | */
98 |
99 |
100 | int main(int argc, char * argv[])
101 | {
102 | /* seed randomness */
103 | srand( (unsigned)time(NULL) );
104 | #ifndef OMITGOOD
105 | printLine("Calling good()...");
106 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_18_good(argv[1]);
107 | printLine("Finished good()");
108 | #endif /* OMITGOOD */
109 | #ifndef OMITBAD
110 | printLine("Calling bad()...");
111 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_18_bad(argv[1]);
112 | printLine("Finished bad()");
113 | #endif /* OMITBAD */
114 | return 0;
115 | }
116 |
117 |
118 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_31.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_31.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-31.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: memcpy
12 | * BadSink : Copy string to data using memcpy
13 | * Flow Variant: 31 Data flow using a copy of data within the same function
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_31_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (char *)malloc(20*sizeof(char));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | data[0] = '\0'; /* null terminate */
40 | {
41 | char * dataCopy = data;
42 | char * data = dataCopy;
43 | {
44 | ptr->fptr = printLine;
45 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
46 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
47 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
48 | {
49 | memcpy(data, activator, strlen(activator)*sizeof(char));
50 | }
51 | ptr->fptr("That's OK!");
52 | free(data);
53 | free(ptr);
54 | }
55 | }
56 | }
57 |
58 | #endif /* OMITBAD */
59 |
60 | #ifndef OMITGOOD
61 |
62 | /* goodG2B() uses the GoodSource with the BadSink */
63 | static void goodG2B(char * source)
64 | {
65 | char * data;
66 | struct fp * ptr;
67 | data = NULL;
68 | ptr = NULL;
69 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 | data = (char *)malloc(100*sizeof(char));
71 | if (data == NULL) {exit(-1);}
72 | ptr = (struct fp *)malloc(sizeof(struct fp));
73 | if (ptr == NULL) {exit(-1);}
74 | data[0] = '\0'; /* null terminate */
75 | {
76 | char * dataCopy = data;
77 | char * data = dataCopy;
78 | {
79 | ptr->fptr = printLine;
80 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
81 | memcpy(data, source, 100*sizeof(char));
82 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
83 | ptr->fptr("That's OK!");
84 | free(data);
85 | free(ptr);
86 | }
87 | }
88 | }
89 |
90 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_31_good(char * source)
91 | {
92 | goodG2B(source);
93 | }
94 |
95 | #endif /* OMITGOOD */
96 |
97 | /* Below is the main(). It is only used when building this testcase on
98 | * its own for testing or for building a binary to use in testing binary
99 | * analysis tools. It is not used when compiling all the testcases as one
100 | * application, which is how source code analysis tools are tested.
101 | */
102 |
103 |
104 | int main(int argc, char * argv[])
105 | {
106 | /* seed randomness */
107 | srand( (unsigned)time(NULL) );
108 | #ifndef OMITGOOD
109 | printLine("Calling good()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_31_good(argv[1]);
111 | printLine("Finished good()");
112 | #endif /* OMITGOOD */
113 | #ifndef OMITBAD
114 | printLine("Calling bad()...");
115 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_31_bad(argv[1]);
116 | printLine("Finished bad()");
117 | #endif /* OMITBAD */
118 | return 0;
119 | }
120 |
121 |
122 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_42.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_42.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-42.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy string to data using memcpy
13 | * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | static char * badSource(char * data)
29 | {
30 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 | data = (char *)malloc(20*sizeof(char));
32 | if (data == NULL) {exit(-1);}
33 | data[0] = '\0'; /* null terminate */
34 | return data;
35 | }
36 |
37 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_42_bad(char * activator)
38 | {
39 | char * data;
40 | struct fp * ptr;
41 | data = NULL;
42 | ptr = NULL;
43 | data = badSource(data);
44 | ptr = (struct fp *)malloc(sizeof(struct fp));
45 | if (ptr == NULL) {exit(-1);}
46 | {
47 | ptr->fptr = printLine;
48 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
49 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
50 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
51 | {
52 | memcpy(data, activator, strlen(activator)*sizeof(char));
53 | }
54 | ptr->fptr("That's OK!");
55 | free(data);
56 | free(ptr);
57 | }
58 | }
59 |
60 | #endif /* OMITBAD */
61 |
62 | #ifndef OMITGOOD
63 |
64 | static char * goodG2BSource(char * data)
65 | {
66 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
67 | data = (char *)malloc(100*sizeof(char));
68 | if (data == NULL) {exit(-1);}
69 | data[0] = '\0'; /* null terminate */
70 | return data;
71 | }
72 |
73 | /* goodG2B uses the GoodSource with the BadSink */
74 | static void goodG2B(char * source)
75 | {
76 | char * data;
77 | struct fp * ptr;
78 | data = NULL;
79 | ptr = NULL;
80 | data = goodG2BSource(data);
81 | ptr = (struct fp *)malloc(sizeof(struct fp));
82 | if (ptr == NULL) {exit(-1);}
83 | {
84 | ptr->fptr = printLine;
85 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
86 | memcpy(data, source, 100*sizeof(char));
87 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
88 | ptr->fptr("That's OK!");
89 | free(data);
90 | free(ptr);
91 | }
92 | }
93 |
94 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_42_good(char * source)
95 | {
96 | goodG2B(source);
97 | }
98 |
99 | #endif /* OMITGOOD */
100 |
101 | /* Below is the main(). It is only used when building this testcase on
102 | * its own for testing or for building a binary to use in testing binary
103 | * analysis tools. It is not used when compiling all the testcases as one
104 | * application, which is how source code analysis tools are tested.
105 | */
106 |
107 |
108 | int main(int argc, char * argv[])
109 | {
110 | /* seed randomness */
111 | srand( (unsigned)time(NULL) );
112 | #ifndef OMITGOOD
113 | printLine("Calling good()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_42_good(argv[1]);
115 | printLine("Finished good()");
116 | #endif /* OMITGOOD */
117 | #ifndef OMITBAD
118 | printLine("Calling bad()...");
119 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_42_bad(argv[1]);
120 | printLine("Finished bad()");
121 | #endif /* OMITBAD */
122 | return 0;
123 | }
124 |
125 |
126 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67a.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67a.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-67a.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: memcpy
12 | * BadSink : Copy string to data using memcpy
13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType
27 | {
28 | char * structFirst;
29 | } CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType;
30 |
31 | #ifndef OMITBAD
32 |
33 | /* bad function declaration */
34 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType myStruct, char * activator);
35 |
36 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_bad(char * activator)
37 | {
38 | char * data;
39 | struct fp * ptr;
40 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType myStruct;
41 | data = NULL;
42 | ptr = NULL;
43 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
44 | data = (char *)malloc(20*sizeof(char));
45 | if (data == NULL) {exit(-1);}
46 | ptr = (struct fp *)malloc(sizeof(struct fp));
47 | if (ptr == NULL) {exit(-1);}
48 | data[0] = '\0'; /* null terminate */
49 | ptr->fptr = printLine;
50 | myStruct.structFirst = data;
51 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b_badSink(myStruct, activator);
52 | ptr->fptr("That's OK!");
53 | free(ptr);
54 | }
55 |
56 | #endif /* OMITBAD */
57 |
58 | #ifndef OMITGOOD
59 |
60 | /* goodG2B uses the GoodSource with the BadSink */
61 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType myStruct, char * source);
62 |
63 | static void goodG2B(char * source)
64 | {
65 | char * data;
66 | struct fp * ptr;
67 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType myStruct;
68 | data = NULL;
69 | ptr = NULL;
70 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
71 | data = (char *)malloc(100*sizeof(char));
72 | if (data == NULL) {exit(-1);}
73 | ptr = (struct fp *)malloc(sizeof(struct fp));
74 | if (ptr == NULL) {exit(-1);}
75 | data[0] = '\0'; /* null terminate */
76 | ptr->fptr = printLine;
77 | myStruct.structFirst = data;
78 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b_goodG2BSink(myStruct, source);
79 | ptr->fptr("That's OK!");
80 | free(ptr);
81 | }
82 |
83 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_good(char * source)
84 | {
85 | goodG2B(source);
86 | }
87 |
88 | #endif /* OMITGOOD */
89 |
90 | /* Below is the main(). It is only used when building this testcase on
91 | * its own for testing or for building a binary to use in testing binary
92 | * analysis tools. It is not used when compiling all the testcases as one
93 | * application, which is how source code analysis tools are tested.
94 | */
95 |
96 |
97 | int main(int argc, char * argv[])
98 | {
99 | /* seed randomness */
100 | srand( (unsigned)time(NULL) );
101 | #ifndef OMITGOOD
102 | printLine("Calling good()...");
103 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_good(argv[1]);
104 | printLine("Finished good()");
105 | #endif /* OMITGOOD */
106 | #ifndef OMITBAD
107 | printLine("Calling bad()...");
108 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_bad(argv[1]);
109 | printLine("Finished bad()");
110 | #endif /* OMITBAD */
111 | return 0;
112 | }
113 |
114 |
115 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-67b.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: memcpy
12 | * BadSink : Copy string to data using memcpy
13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType
22 | {
23 | char * structFirst;
24 | } CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType;
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType myStruct, char * activator)
29 | {
30 | char * data = myStruct.structFirst;
31 | {
32 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
33 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
34 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
35 | {
36 | memcpy(data, activator, strlen(activator)*sizeof(char));
37 | }
38 | free(data);
39 | }
40 | }
41 |
42 | #endif /* OMITBAD */
43 |
44 | #ifndef OMITGOOD
45 |
46 | /* goodG2B uses the GoodSource with the BadSink */
47 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType myStruct, char * source)
48 | {
49 | char * data = myStruct.structFirst;
50 | {
51 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
52 | memcpy(data, source, 100*sizeof(char));
53 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
54 | free(data);
55 | }
56 | }
57 |
58 | #endif /* OMITGOOD */
59 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_01.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_01.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-01.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy string to data using memmove
13 | * Flow Variant: 01 Baseline
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_01_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (char *)malloc(20*sizeof(char));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | data[0] = '\0'; /* null terminate */
40 | {
41 | ptr->fptr = printLine;
42 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
43 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
44 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
45 | {
46 | memmove(data, activator, strlen(activator)*sizeof(char));
47 | }
48 | ptr->fptr("That's OK!");
49 | free(data);
50 | free(ptr);
51 | }
52 | }
53 |
54 | #endif /* OMITBAD */
55 |
56 | #ifndef OMITGOOD
57 |
58 | /* goodG2B uses the GoodSource with the BadSink */
59 | static void goodG2B(char * source)
60 | {
61 | char * data;
62 | struct fp * ptr;
63 | data = NULL;
64 | ptr = NULL;
65 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
66 | data = (char *)malloc(100*sizeof(char));
67 | if (data == NULL) {exit(-1);}
68 | ptr = (struct fp *)malloc(sizeof(struct fp));
69 | if (ptr == NULL) {exit(-1);}
70 | data[0] = '\0'; /* null terminate */
71 | {
72 | ptr->fptr = printLine;
73 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
74 | memmove(data, source, 100*sizeof(char));
75 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
76 | ptr->fptr("That's OK!");
77 | free(data);
78 | free(ptr);
79 | }
80 | }
81 |
82 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_01_good(char * source)
83 | {
84 | goodG2B(source);
85 | }
86 |
87 | #endif /* OMITGOOD */
88 |
89 | /* Below is the main(). It is only used when building this testcase on
90 | * its own for testing or for building a binary to use in testing binary
91 | * analysis tools. It is not used when compiling all the testcases as one
92 | * application, which is how source code analysis tools are tested.
93 | */
94 |
95 |
96 | int main(int argc, char * argv[])
97 | {
98 | /* seed randomness */
99 | srand( (unsigned)time(NULL) );
100 | #ifndef OMITGOOD
101 | printLine("Calling good()...");
102 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_01_good(argv[1]);
103 | printLine("Finished good()");
104 | #endif /* OMITGOOD */
105 | #ifndef OMITBAD
106 | printLine("Calling bad()...");
107 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_01_bad(argv[1]);
108 | printLine("Finished bad()");
109 | #endif /* OMITBAD */
110 | return 0;
111 | }
112 |
113 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_16.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_16.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-16.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy string to data using memmove
13 | * Flow Variant: 16 Control flow: while(1)
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_16_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | while(1)
35 | {
36 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
37 | data = (char *)malloc(20*sizeof(char));
38 | if (data == NULL) {exit(-1);}
39 | ptr = (struct fp *)malloc(sizeof(struct fp));
40 | if (ptr == NULL) {exit(-1);}
41 | data[0] = '\0'; /* null terminate */
42 | break;
43 | }
44 | {
45 | ptr->fptr = printLine;
46 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
47 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
48 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
49 | {
50 | memmove(data, activator, strlen(activator)*sizeof(char));
51 | }
52 | ptr->fptr("That's OK!");
53 | free(data);
54 | free(ptr);
55 | }
56 | }
57 |
58 | #endif /* OMITBAD */
59 |
60 | #ifndef OMITGOOD
61 |
62 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
63 | static void goodG2B(char * source)
64 | {
65 | char * data;
66 | struct fp * ptr;
67 | data = NULL;
68 | ptr = NULL;
69 | while(1)
70 | {
71 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
72 | data = (char *)malloc(100*sizeof(char));
73 | if (data == NULL) {exit(-1);}
74 | ptr = (struct fp *)malloc(sizeof(struct fp));
75 | if (ptr == NULL) {exit(-1);}
76 | data[0] = '\0'; /* null terminate */
77 | break;
78 | }
79 | {
80 | ptr->fptr = printLine;
81 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
82 | memmove(data, source, 100*sizeof(char));
83 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
84 | ptr->fptr("That's OK!");
85 | free(data);
86 | free(ptr);
87 | }
88 | }
89 |
90 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_16_good(char * source)
91 | {
92 | goodG2B(source);
93 | }
94 |
95 | #endif /* OMITGOOD */
96 |
97 | /* Below is the main(). It is only used when building this testcase on
98 | * its own for testing or for building a binary to use in testing binary
99 | * analysis tools. It is not used when compiling all the testcases as one
100 | * application, which is how source code analysis tools are tested.
101 | */
102 |
103 |
104 | int main(int argc, char * argv[])
105 | {
106 | /* seed randomness */
107 | srand( (unsigned)time(NULL) );
108 | #ifndef OMITGOOD
109 | printLine("Calling good()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_16_good(argv[1]);
111 | printLine("Finished good()");
112 | #endif /* OMITGOOD */
113 | #ifndef OMITBAD
114 | printLine("Calling bad()...");
115 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_16_bad(argv[1]);
116 | printLine("Finished bad()");
117 | #endif /* OMITBAD */
118 | return 0;
119 | }
120 |
121 |
122 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_17.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_17.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-17.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy string to data using memmove
13 | * Flow Variant: 17 Control flow: for loops
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_17_bad(char * activator)
29 | {
30 | int i;
31 | char * data;
32 | struct fp * ptr;
33 | data = NULL;
34 | ptr = NULL;
35 | for(i = 0; i < 1; i++)
36 | {
37 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
38 | data = (char *)malloc(20*sizeof(char));
39 | if (data == NULL) {exit(-1);}
40 | ptr = (struct fp *)malloc(sizeof(struct fp));
41 | if (ptr == NULL) {exit(-1);}
42 | data[0] = '\0'; /* null terminate */
43 | }
44 | {
45 | ptr->fptr = printLine;
46 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
47 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
48 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
49 | {
50 | memmove(data, activator, strlen(activator)*sizeof(char));
51 | }
52 | ptr->fptr("That's OK!");
53 | free(data);
54 | free(ptr);
55 | }
56 | }
57 |
58 | #endif /* OMITBAD */
59 |
60 | #ifndef OMITGOOD
61 |
62 | /* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
63 | static void goodG2B(char * source)
64 | {
65 | int h;
66 | char * data;
67 | struct fp * ptr;
68 | data = NULL;
69 | ptr = NULL;
70 | for(h = 0; h < 1; h++)
71 | {
72 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
73 | data = (char *)malloc(100*sizeof(char));
74 | if (data == NULL) {exit(-1);}
75 | ptr = (struct fp *)malloc(sizeof(struct fp));
76 | if (ptr == NULL) {exit(-1);}
77 | data[0] = '\0'; /* null terminate */
78 | }
79 | {
80 | ptr->fptr = printLine;
81 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
82 | memmove(data, source, 100*sizeof(char));
83 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
84 | ptr->fptr("That's OK!");
85 | free(data);
86 | free(ptr);
87 | }
88 | }
89 |
90 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_17_good(char * source)
91 | {
92 | goodG2B(source);
93 | }
94 |
95 | #endif /* OMITGOOD */
96 |
97 | /* Below is the main(). It is only used when building this testcase on
98 | * its own for testing or for building a binary to use in testing binary
99 | * analysis tools. It is not used when compiling all the testcases as one
100 | * application, which is how source code analysis tools are tested.
101 | */
102 |
103 |
104 | int main(int argc, char * argv[])
105 | {
106 | /* seed randomness */
107 | srand( (unsigned)time(NULL) );
108 | #ifndef OMITGOOD
109 | printLine("Calling good()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_17_good(argv[1]);
111 | printLine("Finished good()");
112 | #endif /* OMITGOOD */
113 | #ifndef OMITBAD
114 | printLine("Calling bad()...");
115 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_17_bad(argv[1]);
116 | printLine("Finished bad()");
117 | #endif /* OMITBAD */
118 | return 0;
119 | }
120 |
121 |
122 |
123 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_18.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_18.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-18.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy string to data using memmove
13 | * Flow Variant: 18 Control flow: goto statements
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_18_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | goto source;
35 | source:
36 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
37 | data = (char *)malloc(20*sizeof(char));
38 | if (data == NULL) {exit(-1);}
39 | ptr = (struct fp *)malloc(sizeof(struct fp));
40 | if (ptr == NULL) {exit(-1);}
41 | data[0] = '\0'; /* null terminate */
42 | {
43 | ptr->fptr = printLine;
44 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
45 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
46 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
47 | {
48 | memmove(data, activator, strlen(activator)*sizeof(char));
49 | }
50 | ptr->fptr("That's OK!");
51 | free(data);
52 | free(ptr);
53 | }
54 | }
55 |
56 | #endif /* OMITBAD */
57 |
58 | #ifndef OMITGOOD
59 |
60 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
61 | static void goodG2B(char * source)
62 | {
63 | char * data;
64 | struct fp * ptr;
65 | data = NULL;
66 | ptr = NULL;
67 | goto source;
68 | source:
69 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 | data = (char *)malloc(100*sizeof(char));
71 | if (data == NULL) {exit(-1);}
72 | ptr = (struct fp *)malloc(sizeof(struct fp));
73 | if (ptr == NULL) {exit(-1);}
74 | data[0] = '\0'; /* null terminate */
75 | {
76 | ptr->fptr = printLine;
77 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
78 | memmove(data, source, 100*sizeof(char));
79 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
80 | ptr->fptr("That's OK!");
81 | free(data);
82 | free(ptr);
83 | }
84 | }
85 |
86 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_18_good(char * source)
87 | {
88 | goodG2B(source);
89 | }
90 |
91 | #endif /* OMITGOOD */
92 |
93 | /* Below is the main(). It is only used when building this testcase on
94 | * its own for testing or for building a binary to use in testing binary
95 | * analysis tools. It is not used when compiling all the testcases as one
96 | * application, which is how source code analysis tools are tested.
97 | */
98 |
99 |
100 | int main(int argc, char * argv[])
101 | {
102 | /* seed randomness */
103 | srand( (unsigned)time(NULL) );
104 | #ifndef OMITGOOD
105 | printLine("Calling good()...");
106 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_18_good(argv[1]);
107 | printLine("Finished good()");
108 | #endif /* OMITGOOD */
109 | #ifndef OMITBAD
110 | printLine("Calling bad()...");
111 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_18_bad(argv[1]);
112 | printLine("Finished bad()");
113 | #endif /* OMITBAD */
114 | return 0;
115 | }
116 |
117 |
118 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_31.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_31.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-31.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: memmove
12 | * BadSink : Copy string to data using memmove
13 | * Flow Variant: 31 Data flow using a copy of data within the same function
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_31_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (char *)malloc(20*sizeof(char));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | data[0] = '\0'; /* null terminate */
40 | {
41 | char * dataCopy = data;
42 | char * data = dataCopy;
43 | {
44 | ptr->fptr = printLine;
45 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
46 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
47 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
48 | {
49 | memmove(data, activator, strlen(activator)*sizeof(char));
50 | }
51 | ptr->fptr("That's OK!");
52 | free(data);
53 | free(ptr);
54 | }
55 | }
56 | }
57 |
58 | #endif /* OMITBAD */
59 |
60 | #ifndef OMITGOOD
61 |
62 | /* goodG2B() uses the GoodSource with the BadSink */
63 | static void goodG2B(char * source)
64 | {
65 | char * data;
66 | struct fp * ptr;
67 | data = NULL;
68 | ptr = NULL;
69 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 | data = (char *)malloc(100*sizeof(char));
71 | if (data == NULL) {exit(-1);}
72 | ptr = (struct fp *)malloc(sizeof(struct fp));
73 | if (ptr == NULL) {exit(-1);}
74 | data[0] = '\0'; /* null terminate */
75 | {
76 | char * dataCopy = data;
77 | char * data = dataCopy;
78 | {
79 | ptr->fptr = printLine;
80 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
81 | memmove(data, source, 100*sizeof(char));
82 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
83 | ptr->fptr("That's OK!");
84 | free(data);
85 | free(ptr);
86 | }
87 | }
88 | }
89 |
90 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_31_good(char * source)
91 | {
92 | goodG2B(source);
93 | }
94 |
95 | #endif /* OMITGOOD */
96 |
97 | /* Below is the main(). It is only used when building this testcase on
98 | * its own for testing or for building a binary to use in testing binary
99 | * analysis tools. It is not used when compiling all the testcases as one
100 | * application, which is how source code analysis tools are tested.
101 | */
102 |
103 |
104 | int main(int argc, char * argv[])
105 | {
106 | /* seed randomness */
107 | srand( (unsigned)time(NULL) );
108 | #ifndef OMITGOOD
109 | printLine("Calling good()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_31_good(argv[1]);
111 | printLine("Finished good()");
112 | #endif /* OMITGOOD */
113 | #ifndef OMITBAD
114 | printLine("Calling bad()...");
115 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_31_bad(argv[1]);
116 | printLine("Finished bad()");
117 | #endif /* OMITBAD */
118 | return 0;
119 | }
120 |
121 |
122 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_42.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_42.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-42.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy string to data using memmove
13 | * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | static char * badSource(char * data)
29 | {
30 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 | data = (char *)malloc(20*sizeof(char));
32 | if (data == NULL) {exit(-1);}
33 | data[0] = '\0'; /* null terminate */
34 | return data;
35 | }
36 |
37 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_42_bad(char * activator)
38 | {
39 | char * data;
40 | struct fp * ptr;
41 | data = NULL;
42 | ptr = NULL;
43 | data = badSource(data);
44 | ptr = (struct fp *)malloc(sizeof(struct fp));
45 | if (ptr == NULL) {exit(-1);}
46 | {
47 | ptr->fptr = printLine;
48 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
49 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
50 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
51 | {
52 | memmove(data, activator, strlen(activator)*sizeof(char));
53 | }
54 | ptr->fptr("That's OK!");
55 | free(data);
56 | free(ptr);
57 | }
58 | }
59 |
60 | #endif /* OMITBAD */
61 |
62 | #ifndef OMITGOOD
63 |
64 | static char * goodG2BSource(char * data)
65 | {
66 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
67 | data = (char *)malloc(100*sizeof(char));
68 | if (data == NULL) {exit(-1);}
69 | data[0] = '\0'; /* null terminate */
70 | return data;
71 | }
72 |
73 | /* goodG2B uses the GoodSource with the BadSink */
74 | static void goodG2B(char * source)
75 | {
76 | char * data;
77 | struct fp * ptr;
78 | data = NULL;
79 | ptr = NULL;
80 | data = goodG2BSource(data);
81 | ptr = (struct fp *)malloc(sizeof(struct fp));
82 | if (ptr == NULL) {exit(-1);}
83 | {
84 | ptr->fptr = printLine;
85 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
86 | memmove(data, source, 100*sizeof(char));
87 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
88 | ptr->fptr("That's OK!");
89 | free(data);
90 | free(ptr);
91 | }
92 | }
93 |
94 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_42_good(char * source)
95 | {
96 | goodG2B(source);
97 | }
98 |
99 | #endif /* OMITGOOD */
100 |
101 | /* Below is the main(). It is only used when building this testcase on
102 | * its own for testing or for building a binary to use in testing binary
103 | * analysis tools. It is not used when compiling all the testcases as one
104 | * application, which is how source code analysis tools are tested.
105 | */
106 |
107 |
108 | int main(int argc, char * argv[])
109 | {
110 | /* seed randomness */
111 | srand( (unsigned)time(NULL) );
112 | #ifndef OMITGOOD
113 | printLine("Calling good()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_42_good(argv[1]);
115 | printLine("Finished good()");
116 | #endif /* OMITGOOD */
117 | #ifndef OMITBAD
118 | printLine("Calling bad()...");
119 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_42_bad(argv[1]);
120 | printLine("Finished bad()");
121 | #endif /* OMITBAD */
122 | return 0;
123 | }
124 |
125 |
126 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4 | Template File: sources-sink-67b.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: memmove
12 | * BadSink : Copy string to data using memmove
13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67_structType
22 | {
23 | char * structFirst;
24 | } CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67_structType;
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67_structType myStruct, char * activator)
29 | {
30 | char * data = myStruct.structFirst;
31 | {
32 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
33 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
34 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
35 | {
36 | memmove(data, activator, strlen(activator)*sizeof(char));
37 | }
38 | free(data);
39 | }
40 | }
41 |
42 | #endif /* OMITBAD */
43 |
44 | #ifndef OMITGOOD
45 |
46 | /* goodG2B uses the GoodSource with the BadSink */
47 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67_structType myStruct, char * source)
48 | {
49 | char * data = myStruct.structFirst;
50 | {
51 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
52 | memmove(data, source, 100*sizeof(char));
53 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
54 | free(data);
55 | }
56 | }
57 |
58 | #endif /* OMITGOOD */
59 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_01.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_01.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-01.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy int array to data using memcpy
13 | * Flow Variant: 01 Baseline
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_01_bad(char * activator)
27 | {
28 | int * data;
29 | struct fp * ptr;
30 | data = NULL;
31 | ptr = NULL;
32 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 | data = (int *)malloc(5*sizeof(int));
34 | if (data == NULL) {exit(-1);}
35 | ptr = (struct fp *)malloc(sizeof(struct fp));
36 | if (ptr == NULL) {exit(-1);}
37 | {
38 | int source[100] = {0}; /* fill with 0's */
39 | ptr->fptr = printLine;
40 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
41 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
42 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
43 | {
44 | memcpy(data, source, 100*sizeof(int));
45 | }
46 | ptr->fptr("That's OK!");
47 | printIntLine(data[0]);
48 | free(data);
49 | free(ptr);
50 | }
51 | }
52 |
53 | #endif /* OMITBAD */
54 |
55 | #ifndef OMITGOOD
56 |
57 | /* goodG2B uses the GoodSource with the BadSink */
58 | static void goodG2B()
59 | {
60 | int * data;
61 | struct fp * ptr;
62 | data = NULL;
63 | ptr = NULL;
64 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
65 | data = (int *)malloc(100*sizeof(int));
66 | if (data == NULL) {exit(-1);}
67 | ptr = (struct fp *)malloc(sizeof(struct fp));
68 | if (ptr == NULL) {exit(-1);}
69 | {
70 | int source[100] = {0}; /* fill with 0's */
71 | ptr->fptr = printLine;
72 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
73 | memcpy(data, source, 100*sizeof(int));
74 | ptr->fptr("That's OK!");
75 | printIntLine(data[0]);
76 | free(data);
77 | free(ptr);
78 | }
79 | }
80 |
81 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_01_good()
82 | {
83 | goodG2B();
84 | }
85 |
86 | #endif /* OMITGOOD */
87 |
88 | /* Below is the main(). It is only used when building this testcase on
89 | * its own for testing or for building a binary to use in testing binary
90 | * analysis tools. It is not used when compiling all the testcases as one
91 | * application, which is how source code analysis tools are tested.
92 | */
93 |
94 |
95 | int main(int argc, char * argv[])
96 | {
97 | /* seed randomness */
98 | srand( (unsigned)time(NULL) );
99 | #ifndef OMITGOOD
100 | printLine("Calling good()...");
101 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_01_good();
102 | printLine("Finished good()");
103 | #endif /* OMITGOOD */
104 | #ifndef OMITBAD
105 | printLine("Calling bad()...");
106 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_01_bad(argv[1]);
107 | printLine("Finished bad()");
108 | #endif /* OMITBAD */
109 | return 0;
110 | }
111 |
112 |
113 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_16.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_16.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-16.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy int array to data using memcpy
13 | * Flow Variant: 16 Control flow: while(1)
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_16_bad(char * activator)
27 | {
28 | int * data;
29 | struct fp * ptr;
30 | data = NULL;
31 | ptr = NULL;
32 | while(1)
33 | {
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (int *)malloc(5*sizeof(int));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | break;
40 | }
41 | {
42 | int source[100] = {0}; /* fill with 0's */
43 | ptr->fptr = printLine;
44 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
45 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
46 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
47 | {
48 | memcpy(data, source, 100*sizeof(int));
49 | }
50 | ptr->fptr("That's OK!");
51 | printIntLine(data[0]);
52 | free(data);
53 | free(ptr);
54 | }
55 | }
56 |
57 | #endif /* OMITBAD */
58 |
59 | #ifndef OMITGOOD
60 |
61 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
62 | static void goodG2B()
63 | {
64 | int * data;
65 | struct fp * ptr;
66 | data = NULL;
67 | ptr = NULL;
68 | while(1)
69 | {
70 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
71 | data = (int *)malloc(100*sizeof(int));
72 | if (data == NULL) {exit(-1);}
73 | ptr = (struct fp *)malloc(sizeof(struct fp));
74 | if (ptr == NULL) {exit(-1);}
75 | break;
76 | }
77 | {
78 | int source[100] = {0}; /* fill with 0's */
79 | ptr->fptr = printLine;
80 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
81 | memcpy(data, source, 100*sizeof(int));
82 | ptr->fptr("That's OK!");
83 | printIntLine(data[0]);
84 | free(data);
85 | free(ptr);
86 | }
87 | }
88 |
89 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_16_good()
90 | {
91 | goodG2B();
92 | }
93 |
94 | #endif /* OMITGOOD */
95 |
96 | /* Below is the main(). It is only used when building this testcase on
97 | * its own for testing or for building a binary to use in testing binary
98 | * analysis tools. It is not used when compiling all the testcases as one
99 | * application, which is how source code analysis tools are tested.
100 | */
101 |
102 |
103 | int main(int argc, char * argv[])
104 | {
105 | /* seed randomness */
106 | srand( (unsigned)time(NULL) );
107 | #ifndef OMITGOOD
108 | printLine("Calling good()...");
109 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_16_good();
110 | printLine("Finished good()");
111 | #endif /* OMITGOOD */
112 | #ifndef OMITBAD
113 | printLine("Calling bad()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_16_bad(argv[1]);
115 | printLine("Finished bad()");
116 | #endif /* OMITBAD */
117 | return 0;
118 | }
119 |
120 |
121 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_18.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_18.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-18.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy int array to data using memcpy
13 | * Flow Variant: 18 Control flow: goto statements
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_18_bad(char * activator)
27 | {
28 | int * data;
29 | struct fp * ptr;
30 | data = NULL;
31 | ptr = NULL;
32 | goto source;
33 | source:
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (int *)malloc(5*sizeof(int));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | {
40 | int source[100] = {0}; /* fill with 0's */
41 | ptr->fptr = printLine;
42 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
43 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
44 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
45 | {
46 | memcpy(data, source, 100*sizeof(int));
47 | }
48 | ptr->fptr("That's OK!");
49 | printIntLine(data[0]);
50 | free(data);
51 | free(ptr);
52 | }
53 | }
54 |
55 | #endif /* OMITBAD */
56 |
57 | #ifndef OMITGOOD
58 |
59 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
60 | static void goodG2B()
61 | {
62 | int * data;
63 | struct fp * ptr;
64 | data = NULL;
65 | ptr = NULL;
66 | goto source;
67 | source:
68 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
69 | data = (int *)malloc(100*sizeof(int));
70 | if (data == NULL) {exit(-1);}
71 | ptr = (struct fp *)malloc(sizeof(struct fp));
72 | if (ptr == NULL) {exit(-1);}
73 | {
74 | int source[100] = {0}; /* fill with 0's */
75 | ptr->fptr = printLine;
76 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
77 | memcpy(data, source, 100*sizeof(int));
78 | ptr->fptr("That's OK!");
79 | printIntLine(data[0]);
80 | free(data);
81 | free(ptr);
82 | }
83 | }
84 |
85 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_18_good()
86 | {
87 | goodG2B();
88 | }
89 |
90 | #endif /* OMITGOOD */
91 |
92 | /* Below is the main(). It is only used when building this testcase on
93 | * its own for testing or for building a binary to use in testing binary
94 | * analysis tools. It is not used when compiling all the testcases as one
95 | * application, which is how source code analysis tools are tested.
96 | */
97 |
98 |
99 | int main(int argc, char * argv[])
100 | {
101 | /* seed randomness */
102 | srand( (unsigned)time(NULL) );
103 | #ifndef OMITGOOD
104 | printLine("Calling good()...");
105 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_18_good();
106 | printLine("Finished good()");
107 | #endif /* OMITGOOD */
108 | #ifndef OMITBAD
109 | printLine("Calling bad()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_18_bad(argv[1]);
111 | printLine("Finished bad()");
112 | #endif /* OMITBAD */
113 | return 0;
114 | }
115 |
116 |
117 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_31.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_31.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-31.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: memcpy
12 | * BadSink : Copy int array to data using memcpy
13 | * Flow Variant: 31 Data flow using a copy of data within the same function
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_31_bad(char * activator)
27 | {
28 | int * data;
29 | struct fp * ptr;
30 | data = NULL;
31 | ptr = NULL;
32 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 | data = (int *)malloc(5*sizeof(int));
34 | if (data == NULL) {exit(-1);}
35 | ptr = (struct fp *)malloc(sizeof(struct fp));
36 | if (ptr == NULL) {exit(-1);}
37 | {
38 | int * dataCopy = data;
39 | int * data = dataCopy;
40 | {
41 | int source[100] = {0}; /* fill with 0's */
42 | ptr->fptr = printLine;
43 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
44 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
45 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
46 | {
47 | memcpy(data, source, 100*sizeof(int));
48 | }
49 | ptr->fptr("That's OK!");
50 | printIntLine(data[0]);
51 | free(data);
52 | free(ptr);
53 | }
54 | }
55 | }
56 |
57 | #endif /* OMITBAD */
58 |
59 | #ifndef OMITGOOD
60 |
61 | /* goodG2B() uses the GoodSource with the BadSink */
62 | static void goodG2B()
63 | {
64 | int * data;
65 | struct fp * ptr;
66 | data = NULL;
67 | ptr = NULL;
68 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
69 | data = (int *)malloc(100*sizeof(int));
70 | if (data == NULL) {exit(-1);}
71 | ptr = (struct fp *)malloc(sizeof(struct fp));
72 | if (ptr == NULL) {exit(-1);}
73 | {
74 | int * dataCopy = data;
75 | int * data = dataCopy;
76 | {
77 | int source[100] = {0}; /* fill with 0's */
78 | ptr->fptr = printLine;
79 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
80 | memcpy(data, source, 100*sizeof(int));
81 | ptr->fptr("That's OK!");
82 | printIntLine(data[0]);
83 | free(data);
84 | free(ptr);
85 | }
86 | }
87 | }
88 |
89 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_31_good()
90 | {
91 | goodG2B();
92 | }
93 |
94 | #endif /* OMITGOOD */
95 |
96 | /* Below is the main(). It is only used when building this testcase on
97 | * its own for testing or for building a binary to use in testing binary
98 | * analysis tools. It is not used when compiling all the testcases as one
99 | * application, which is how source code analysis tools are tested.
100 | */
101 |
102 |
103 | int main(int argc, char * argv[])
104 | {
105 | /* seed randomness */
106 | srand( (unsigned)time(NULL) );
107 | #ifndef OMITGOOD
108 | printLine("Calling good()...");
109 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_31_good();
110 | printLine("Finished good()");
111 | #endif /* OMITGOOD */
112 | #ifndef OMITBAD
113 | printLine("Calling bad()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_31_bad(argv[1]);
115 | printLine("Finished bad()");
116 | #endif /* OMITBAD */
117 | return 0;
118 | }
119 |
120 |
121 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_42.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_42.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-42.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memcpy
12 | * BadSink : Copy int array to data using memcpy
13 | * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | static int * badSource(int * data)
27 | {
28 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
29 | data = (int *)malloc(5*sizeof(int));
30 | if (data == NULL) {exit(-1);}
31 | return data;
32 | }
33 |
34 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_42_bad(char * activator)
35 | {
36 | int * data;
37 | struct fp * ptr;
38 | data = NULL;
39 | ptr = NULL;
40 | data = badSource(data);
41 | ptr = (struct fp *)malloc(sizeof(struct fp));
42 | if (ptr == NULL) {exit(-1);}
43 | {
44 | int source[100] = {0}; /* fill with 0's */
45 | ptr->fptr = printLine;
46 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
47 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
48 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
49 | {
50 | memcpy(data, source, 100*sizeof(int));
51 | }
52 | ptr->fptr("That's OK!");
53 | printIntLine(data[0]);
54 | free(data);
55 | free(ptr);
56 | }
57 | }
58 |
59 | #endif /* OMITBAD */
60 |
61 | #ifndef OMITGOOD
62 |
63 | static int * goodG2BSource(int * data)
64 | {
65 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
66 | data = (int *)malloc(100*sizeof(int));
67 | if (data == NULL) {exit(-1);}
68 | return data;
69 | }
70 |
71 | /* goodG2B uses the GoodSource with the BadSink */
72 | static void goodG2B()
73 | {
74 | int * data;
75 | struct fp * ptr;
76 | data = NULL;
77 | ptr = NULL;
78 | data = goodG2BSource(data);
79 | ptr = (struct fp *)malloc(sizeof(struct fp));
80 | if (ptr == NULL) {exit(-1);}
81 | {
82 | int source[100] = {0}; /* fill with 0's */
83 | ptr->fptr = printLine;
84 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
85 | memcpy(data, source, 100*sizeof(int));
86 | ptr->fptr("That's OK!");
87 | printIntLine(data[0]);
88 | free(data);
89 | free(ptr);
90 | }
91 | }
92 |
93 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_42_good()
94 | {
95 | goodG2B();
96 | }
97 |
98 | #endif /* OMITGOOD */
99 |
100 | /* Below is the main(). It is only used when building this testcase on
101 | * its own for testing or for building a binary to use in testing binary
102 | * analysis tools. It is not used when compiling all the testcases as one
103 | * application, which is how source code analysis tools are tested.
104 | */
105 |
106 |
107 | int main(int argc, char * argv[])
108 | {
109 | /* seed randomness */
110 | srand( (unsigned)time(NULL) );
111 | #ifndef OMITGOOD
112 | printLine("Calling good()...");
113 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_42_good();
114 | printLine("Finished good()");
115 | #endif /* OMITGOOD */
116 | #ifndef OMITBAD
117 | printLine("Calling bad()...");
118 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_42_bad(argv[1]);
119 | printLine("Finished bad()");
120 | #endif /* OMITBAD */
121 | return 0;
122 | }
123 |
124 |
125 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_01.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_01.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-01.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy int array to data using memmove
13 | * Flow Variant: 01 Baseline
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_01_bad(char * activator)
27 | {
28 | int * data;
29 | struct fp * ptr;
30 | data = NULL;
31 | ptr = NULL;
32 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 | data = (int *)malloc(5*sizeof(int));
34 | if (data == NULL) {exit(-1);}
35 | ptr = (struct fp *)malloc(sizeof(struct fp));
36 | if (ptr == NULL) {exit(-1);}
37 | {
38 | int source[100] = {0}; /* fill with 0's */
39 | ptr->fptr = printLine;
40 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
41 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
42 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
43 | {
44 | memmove(data, source, 100*sizeof(int));
45 | }
46 | ptr->fptr("That's OK!");
47 | printIntLine(data[0]);
48 | free(data);
49 | free(ptr);
50 | }
51 | }
52 |
53 | #endif /* OMITBAD */
54 |
55 | #ifndef OMITGOOD
56 |
57 | /* goodG2B uses the GoodSource with the BadSink */
58 | static void goodG2B()
59 | {
60 | int * data;
61 | struct fp * ptr;
62 | data = NULL;
63 | ptr = NULL;
64 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
65 | data = (int *)malloc(100*sizeof(int));
66 | if (data == NULL) {exit(-1);}
67 | ptr = (struct fp *)malloc(sizeof(struct fp));
68 | if (ptr == NULL) {exit(-1);}
69 | {
70 | int source[100] = {0}; /* fill with 0's */
71 | ptr->fptr = printLine;
72 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
73 | memmove(data, source, 100*sizeof(int));
74 | ptr->fptr("That's OK!");
75 | printIntLine(data[0]);
76 | free(data);
77 | free(ptr);
78 | }
79 | }
80 |
81 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_01_good()
82 | {
83 | goodG2B();
84 | }
85 |
86 | #endif /* OMITGOOD */
87 |
88 | /* Below is the main(). It is only used when building this testcase on
89 | * its own for testing or for building a binary to use in testing binary
90 | * analysis tools. It is not used when compiling all the testcases as one
91 | * application, which is how source code analysis tools are tested.
92 | */
93 |
94 |
95 | int main(int argc, char * argv[])
96 | {
97 | /* seed randomness */
98 | srand( (unsigned)time(NULL) );
99 | #ifndef OMITGOOD
100 | printLine("Calling good()...");
101 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_01_good();
102 | printLine("Finished good()");
103 | #endif /* OMITGOOD */
104 | #ifndef OMITBAD
105 | printLine("Calling bad()...");
106 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_01_bad(argv[1]);
107 | printLine("Finished bad()");
108 | #endif /* OMITBAD */
109 | return 0;
110 | }
111 |
112 |
113 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_16.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_16.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-16.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy int array to data using memmove
13 | * Flow Variant: 16 Control flow: while(1)
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_16_bad(char * activator)
27 | {
28 | int * data;
29 | struct fp * ptr;
30 | data = NULL;
31 | ptr = NULL;
32 | while(1)
33 | {
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (int *)malloc(5*sizeof(int));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | break;
40 | }
41 | {
42 | int source[100] = {0}; /* fill with 0's */
43 | ptr->fptr = printLine;
44 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
45 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
46 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
47 | {
48 | memmove(data, source, 100*sizeof(int));
49 | }
50 | ptr->fptr("That's OK!");
51 | printIntLine(data[0]);
52 | free(data);
53 | free(ptr);
54 | }
55 | }
56 |
57 | #endif /* OMITBAD */
58 |
59 | #ifndef OMITGOOD
60 |
61 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
62 | static void goodG2B()
63 | {
64 | int * data;
65 | struct fp * ptr;
66 | data = NULL;
67 | ptr = NULL;
68 | while(1)
69 | {
70 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
71 | data = (int *)malloc(100*sizeof(int));
72 | if (data == NULL) {exit(-1);}
73 | ptr = (struct fp *)malloc(sizeof(struct fp));
74 | if (ptr == NULL) {exit(-1);}
75 | break;
76 | }
77 | {
78 | int source[100] = {0}; /* fill with 0's */
79 | ptr->fptr = printLine;
80 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
81 | memmove(data, source, 100*sizeof(int));
82 | ptr->fptr("That's OK!");
83 | printIntLine(data[0]);
84 | free(data);
85 | free(ptr);
86 | }
87 | }
88 |
89 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_16_good()
90 | {
91 | goodG2B();
92 | }
93 |
94 | #endif /* OMITGOOD */
95 |
96 | /* Below is the main(). It is only used when building this testcase on
97 | * its own for testing or for building a binary to use in testing binary
98 | * analysis tools. It is not used when compiling all the testcases as one
99 | * application, which is how source code analysis tools are tested.
100 | */
101 |
102 |
103 | int main(int argc, char * argv[])
104 | {
105 | /* seed randomness */
106 | srand( (unsigned)time(NULL) );
107 | #ifndef OMITGOOD
108 | printLine("Calling good()...");
109 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_16_good();
110 | printLine("Finished good()");
111 | #endif /* OMITGOOD */
112 | #ifndef OMITBAD
113 | printLine("Calling bad()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_16_bad(argv[1]);
115 | printLine("Finished bad()");
116 | #endif /* OMITBAD */
117 | return 0;
118 | }
119 |
120 |
121 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_18.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_18.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-18.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy int array to data using memmove
13 | * Flow Variant: 18 Control flow: goto statements
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_18_bad(char * activator)
27 | {
28 | int * data;
29 | struct fp * ptr;
30 | data = NULL;
31 | ptr = NULL;
32 | goto source;
33 | source:
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (int *)malloc(5*sizeof(int));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | {
40 | int source[100] = {0}; /* fill with 0's */
41 | ptr->fptr = printLine;
42 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
43 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
44 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
45 | {
46 | memmove(data, source, 100*sizeof(int));
47 | }
48 | ptr->fptr("That's OK!");
49 | printIntLine(data[0]);
50 | free(data);
51 | free(ptr);
52 | }
53 | }
54 |
55 | #endif /* OMITBAD */
56 |
57 | #ifndef OMITGOOD
58 |
59 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
60 | static void goodG2B()
61 | {
62 | int * data;
63 | struct fp * ptr;
64 | data = NULL;
65 | ptr = NULL;
66 | goto source;
67 | source:
68 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
69 | data = (int *)malloc(100*sizeof(int));
70 | if (data == NULL) {exit(-1);}
71 | ptr = (struct fp *)malloc(sizeof(struct fp));
72 | if (ptr == NULL) {exit(-1);}
73 | {
74 | int source[100] = {0}; /* fill with 0's */
75 | ptr->fptr = printLine;
76 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
77 | memmove(data, source, 100*sizeof(int));
78 | ptr->fptr("That's OK!");
79 | printIntLine(data[0]);
80 | free(data);
81 | free(ptr);
82 | }
83 | }
84 |
85 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_18_good()
86 | {
87 | goodG2B();
88 | }
89 |
90 | #endif /* OMITGOOD */
91 |
92 | /* Below is the main(). It is only used when building this testcase on
93 | * its own for testing or for building a binary to use in testing binary
94 | * analysis tools. It is not used when compiling all the testcases as one
95 | * application, which is how source code analysis tools are tested.
96 | */
97 |
98 |
99 | int main(int argc, char * argv[])
100 | {
101 | /* seed randomness */
102 | srand( (unsigned)time(NULL) );
103 | #ifndef OMITGOOD
104 | printLine("Calling good()...");
105 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_18_good();
106 | printLine("Finished good()");
107 | #endif /* OMITGOOD */
108 | #ifndef OMITBAD
109 | printLine("Calling bad()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_18_bad(argv[1]);
111 | printLine("Finished bad()");
112 | #endif /* OMITBAD */
113 | return 0;
114 | }
115 |
116 |
117 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_31.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_31.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-31.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: memmove
12 | * BadSink : Copy int array to data using memmove
13 | * Flow Variant: 31 Data flow using a copy of data within the same function
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_31_bad(char * activator)
27 | {
28 | int * data;
29 | struct fp * ptr;
30 | data = NULL;
31 | ptr = NULL;
32 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 | data = (int *)malloc(5*sizeof(int));
34 | if (data == NULL) {exit(-1);}
35 | ptr = (struct fp *)malloc(sizeof(struct fp));
36 | if (ptr == NULL) {exit(-1);}
37 | {
38 | int * dataCopy = data;
39 | int * data = dataCopy;
40 | {
41 | int source[100] = {0}; /* fill with 0's */
42 | ptr->fptr = printLine;
43 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
44 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
45 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
46 | {
47 | memmove(data, source, 100*sizeof(int));
48 | }
49 | ptr->fptr("That's OK!");
50 | printIntLine(data[0]);
51 | free(data);
52 | free(ptr);
53 | }
54 | }
55 | }
56 |
57 | #endif /* OMITBAD */
58 |
59 | #ifndef OMITGOOD
60 |
61 | /* goodG2B() uses the GoodSource with the BadSink */
62 | static void goodG2B()
63 | {
64 | int * data;
65 | struct fp * ptr;
66 | data = NULL;
67 | ptr = NULL;
68 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
69 | data = (int *)malloc(100*sizeof(int));
70 | if (data == NULL) {exit(-1);}
71 | ptr = (struct fp *)malloc(sizeof(struct fp));
72 | if (ptr == NULL) {exit(-1);}
73 | {
74 | int * dataCopy = data;
75 | int * data = dataCopy;
76 | {
77 | int source[100] = {0}; /* fill with 0's */
78 | ptr->fptr = printLine;
79 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
80 | memmove(data, source, 100*sizeof(int));
81 | ptr->fptr("That's OK!");
82 | printIntLine(data[0]);
83 | free(data);
84 | free(ptr);
85 | }
86 | }
87 | }
88 |
89 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_31_good()
90 | {
91 | goodG2B();
92 | }
93 |
94 | #endif /* OMITGOOD */
95 |
96 | /* Below is the main(). It is only used when building this testcase on
97 | * its own for testing or for building a binary to use in testing binary
98 | * analysis tools. It is not used when compiling all the testcases as one
99 | * application, which is how source code analysis tools are tested.
100 | */
101 |
102 |
103 | int main(int argc, char * argv[])
104 | {
105 | /* seed randomness */
106 | srand( (unsigned)time(NULL) );
107 | #ifndef OMITGOOD
108 | printLine("Calling good()...");
109 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_31_good();
110 | printLine("Finished good()");
111 | #endif /* OMITGOOD */
112 | #ifndef OMITBAD
113 | printLine("Calling bad()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_31_bad(argv[1]);
115 | printLine("Finished bad()");
116 | #endif /* OMITBAD */
117 | return 0;
118 | }
119 |
120 |
121 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_42.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_42.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4 | Template File: sources-sink-42.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: memmove
12 | * BadSink : Copy int array to data using memmove
13 | * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | struct fp
20 | {
21 | void (*fptr)(const char*);
22 | };
23 |
24 | #ifndef OMITBAD
25 |
26 | static int * badSource(int * data)
27 | {
28 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
29 | data = (int *)malloc(5*sizeof(int));
30 | if (data == NULL) {exit(-1);}
31 | return data;
32 | }
33 |
34 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_42_bad(char * activator)
35 | {
36 | int * data;
37 | struct fp * ptr;
38 | data = NULL;
39 | ptr = NULL;
40 | data = badSource(data);
41 | ptr = (struct fp *)malloc(sizeof(struct fp));
42 | if (ptr == NULL) {exit(-1);}
43 | {
44 | int source[100] = {0}; /* fill with 0's */
45 | ptr->fptr = printLine;
46 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
47 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
48 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
49 | {
50 | memmove(data, source, 100*sizeof(int));
51 | }
52 | ptr->fptr("That's OK!");
53 | printIntLine(data[0]);
54 | free(data);
55 | free(ptr);
56 | }
57 | }
58 |
59 | #endif /* OMITBAD */
60 |
61 | #ifndef OMITGOOD
62 |
63 | static int * goodG2BSource(int * data)
64 | {
65 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
66 | data = (int *)malloc(100*sizeof(int));
67 | if (data == NULL) {exit(-1);}
68 | return data;
69 | }
70 |
71 | /* goodG2B uses the GoodSource with the BadSink */
72 | static void goodG2B()
73 | {
74 | int * data;
75 | struct fp * ptr;
76 | data = NULL;
77 | ptr = NULL;
78 | data = goodG2BSource(data);
79 | ptr = (struct fp *)malloc(sizeof(struct fp));
80 | if (ptr == NULL) {exit(-1);}
81 | {
82 | int source[100] = {0}; /* fill with 0's */
83 | ptr->fptr = printLine;
84 | /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
85 | memmove(data, source, 100*sizeof(int));
86 | ptr->fptr("That's OK!");
87 | printIntLine(data[0]);
88 | free(data);
89 | free(ptr);
90 | }
91 | }
92 |
93 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_42_good()
94 | {
95 | goodG2B();
96 | }
97 |
98 | #endif /* OMITGOOD */
99 |
100 | /* Below is the main(). It is only used when building this testcase on
101 | * its own for testing or for building a binary to use in testing binary
102 | * analysis tools. It is not used when compiling all the testcases as one
103 | * application, which is how source code analysis tools are tested.
104 | */
105 |
106 |
107 | int main(int argc, char * argv[])
108 | {
109 | /* seed randomness */
110 | srand( (unsigned)time(NULL) );
111 | #ifndef OMITGOOD
112 | printLine("Calling good()...");
113 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_42_good();
114 | printLine("Finished good()");
115 | #endif /* OMITGOOD */
116 | #ifndef OMITBAD
117 | printLine("Calling bad()...");
118 | CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_42_bad(argv[1]);
119 | printLine("Finished bad()");
120 | #endif /* OMITBAD */
121 | return 0;
122 | }
123 |
124 |
125 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4 | Template File: sources-sink-01.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: cat
12 | * BadSink : Copy string to data using strcat
13 | * Flow Variant: 01 Baseline
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (char *)malloc(20*sizeof(char));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | data[0] = '\0'; /* null terminate */
40 | {
41 | ptr->fptr = printLine;
42 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
43 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
44 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
45 | {
46 | strcat(data, activator);
47 | }
48 | ptr->fptr("That's OK!");
49 | printLine(data);
50 | free(data);
51 | free(ptr);
52 | }
53 | }
54 |
55 | #endif /* OMITBAD */
56 |
57 | #ifndef OMITGOOD
58 |
59 | /* goodG2B uses the GoodSource with the BadSink */
60 | static void goodG2B()
61 | {
62 | char * data;
63 | struct fp * ptr;
64 | data = NULL;
65 | ptr = NULL;
66 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
67 | data = (char *)malloc(100*sizeof(char));
68 | if (data == NULL) {exit(-1);}
69 | ptr = (struct fp *)malloc(sizeof(struct fp));
70 | if (ptr == NULL) {exit(-1);}
71 | data[0] = '\0'; /* null terminate */
72 | {
73 | char source[100];
74 | memset(source, 'C', 100-1); /* fill with 'C's */
75 | source[100-1] = '\0'; /* null terminate */
76 | ptr->fptr = printLine;
77 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
78 | strcat(data, source);
79 | ptr->fptr("That's OK!");
80 | printLine(data);
81 | free(data);
82 | free(ptr);
83 | }
84 | }
85 |
86 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01_good()
87 | {
88 | goodG2B();
89 | }
90 |
91 | #endif /* OMITGOOD */
92 |
93 | /* Below is the main(). It is only used when building this testcase on
94 | * its own for testing or for building a binary to use in testing binary
95 | * analysis tools. It is not used when compiling all the testcases as one
96 | * application, which is how source code analysis tools are tested.
97 | */
98 |
99 |
100 | int main(int argc, char * argv[])
101 | {
102 | /* seed randomness */
103 | srand( (unsigned)time(NULL) );
104 | #ifndef OMITGOOD
105 | printLine("Calling good()...");
106 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01_good();
107 | printLine("Finished good()");
108 | #endif /* OMITGOOD */
109 | #ifndef OMITBAD
110 | printLine("Calling bad()...");
111 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01_bad(argv[1]);
112 | printLine("Finished bad()");
113 | #endif /* OMITBAD */
114 | return 0;
115 | }
116 |
117 |
118 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_17.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_17.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4 | Template File: sources-sink-17.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: cat
12 | * BadSink : Copy string to data using strcat
13 | * Flow Variant: 17 Control flow: for loops
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_17_bad(char * activator)
29 | {
30 | int i;
31 | char * data;
32 | struct fp * ptr;
33 | data = NULL;
34 | ptr = NULL;
35 | for(i = 0; i < 1; i++)
36 | {
37 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
38 | data = (char *)malloc(20*sizeof(char));
39 | if (data == NULL) {exit(-1);}
40 | ptr = (struct fp *)malloc(sizeof(struct fp));
41 | if (ptr == NULL) {exit(-1);}
42 | data[0] = '\0'; /* null terminate */
43 | }
44 | {
45 | ptr->fptr = printLine;
46 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
47 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
48 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
49 | {
50 | strcat(data, activator);
51 | }
52 | ptr->fptr("That's OK!");
53 | printLine(data);
54 | free(data);
55 | free(ptr);
56 | }
57 | }
58 |
59 | #endif /* OMITBAD */
60 |
61 | #ifndef OMITGOOD
62 |
63 | /* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
64 | static void goodG2B()
65 | {
66 | int h;
67 | char * data;
68 | struct fp * ptr;
69 | data = NULL;
70 | ptr = NULL;
71 | for(h = 0; h < 1; h++)
72 | {
73 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
74 | data = (char *)malloc(100*sizeof(char));
75 | if (data == NULL) {exit(-1);}
76 | ptr = (struct fp *)malloc(sizeof(struct fp));
77 | if (ptr == NULL) {exit(-1);}
78 | data[0] = '\0'; /* null terminate */
79 | }
80 | {
81 | char source[100];
82 | memset(source, 'C', 100-1); /* fill with 'C's */
83 | source[100-1] = '\0'; /* null terminate */
84 | ptr->fptr = printLine;
85 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
86 | strcat(data, source);
87 | ptr->fptr("That's OK!");
88 | printLine(data);
89 | free(data);
90 | free(ptr);
91 | }
92 | }
93 |
94 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_17_good()
95 | {
96 | goodG2B();
97 | }
98 |
99 | #endif /* OMITGOOD */
100 |
101 | /* Below is the main(). It is only used when building this testcase on
102 | * its own for testing or for building a binary to use in testing binary
103 | * analysis tools. It is not used when compiling all the testcases as one
104 | * application, which is how source code analysis tools are tested.
105 | */
106 |
107 |
108 | int main(int argc, char * argv[])
109 | {
110 | /* seed randomness */
111 | srand( (unsigned)time(NULL) );
112 | #ifndef OMITGOOD
113 | printLine("Calling good()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_17_good();
115 | printLine("Finished good()");
116 | #endif /* OMITGOOD */
117 | #ifndef OMITBAD
118 | printLine("Calling bad()...");
119 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_17_bad(argv[1]);
120 | printLine("Finished bad()");
121 | #endif /* OMITBAD */
122 | return 0;
123 | }
124 |
125 |
126 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_18.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_18.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4 | Template File: sources-sink-18.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: cat
12 | * BadSink : Copy string to data using strcat
13 | * Flow Variant: 18 Control flow: goto statements
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_18_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | goto source;
35 | source:
36 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
37 | data = (char *)malloc(20*sizeof(char));
38 | if (data == NULL) {exit(-1);}
39 | ptr = (struct fp *)malloc(sizeof(struct fp));
40 | if (ptr == NULL) {exit(-1);}
41 | data[0] = '\0'; /* null terminate */
42 | {
43 | ptr->fptr = printLine;
44 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
45 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
46 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
47 | {
48 | strcat(data, activator);
49 | }
50 | ptr->fptr("That's OK!");
51 | printLine(data);
52 | free(data);
53 | free(ptr);
54 | }
55 | }
56 |
57 | #endif /* OMITBAD */
58 |
59 | #ifndef OMITGOOD
60 |
61 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
62 | static void goodG2B()
63 | {
64 | char * data;
65 | struct fp * ptr;
66 | data = NULL;
67 | ptr = NULL;
68 | goto source;
69 | source:
70 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
71 | data = (char *)malloc(100*sizeof(char));
72 | if (data == NULL) {exit(-1);}
73 | ptr = (struct fp *)malloc(sizeof(struct fp));
74 | if (ptr == NULL) {exit(-1);}
75 | data[0] = '\0'; /* null terminate */
76 | {
77 | char source[100];
78 | memset(source, 'C', 100-1); /* fill with 'C's */
79 | source[100-1] = '\0'; /* null terminate */
80 | ptr->fptr = printLine;
81 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
82 | strcat(data, source);
83 | ptr->fptr("That's OK!");
84 | printLine(data);
85 | free(data);
86 | free(ptr);
87 | }
88 | }
89 |
90 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_18_good()
91 | {
92 | goodG2B();
93 | }
94 |
95 | #endif /* OMITGOOD */
96 |
97 | /* Below is the main(). It is only used when building this testcase on
98 | * its own for testing or for building a binary to use in testing binary
99 | * analysis tools. It is not used when compiling all the testcases as one
100 | * application, which is how source code analysis tools are tested.
101 | */
102 |
103 |
104 | int main(int argc, char * argv[])
105 | {
106 | /* seed randomness */
107 | srand( (unsigned)time(NULL) );
108 | #ifndef OMITGOOD
109 | printLine("Calling good()...");
110 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_18_good();
111 | printLine("Finished good()");
112 | #endif /* OMITGOOD */
113 | #ifndef OMITBAD
114 | printLine("Calling bad()...");
115 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_18_bad(argv[1]);
116 | printLine("Finished bad()");
117 | #endif /* OMITBAD */
118 | return 0;
119 | }
120 |
121 |
122 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_31.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_31.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4 | Template File: sources-sink-31.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: cat
12 | * BadSink : Copy string to data using strcat
13 | * Flow Variant: 31 Data flow using a copy of data within the same function
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_31_bad(char * activator)
29 | {
30 | char * data;
31 | struct fp * ptr;
32 | data = NULL;
33 | ptr = NULL;
34 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 | data = (char *)malloc(20*sizeof(char));
36 | if (data == NULL) {exit(-1);}
37 | ptr = (struct fp *)malloc(sizeof(struct fp));
38 | if (ptr == NULL) {exit(-1);}
39 | data[0] = '\0'; /* null terminate */
40 | {
41 | char * dataCopy = data;
42 | char * data = dataCopy;
43 | {
44 | ptr->fptr = printLine;
45 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
46 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
47 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
48 | {
49 | strcat(data, activator);
50 | }
51 | ptr->fptr("That's OK!");
52 | printLine(data);
53 | free(data);
54 | free(ptr);
55 | }
56 | }
57 | }
58 |
59 | #endif /* OMITBAD */
60 |
61 | #ifndef OMITGOOD
62 |
63 | /* goodG2B() uses the GoodSource with the BadSink */
64 | static void goodG2B()
65 | {
66 | char * data;
67 | struct fp * ptr;
68 | data = NULL;
69 | ptr = NULL;
70 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
71 | data = (char *)malloc(100*sizeof(char));
72 | if (data == NULL) {exit(-1);}
73 | ptr = (struct fp *)malloc(sizeof(struct fp));
74 | if (ptr == NULL) {exit(-1);}
75 | data[0] = '\0'; /* null terminate */
76 | {
77 | char * dataCopy = data;
78 | char * data = dataCopy;
79 | {
80 | char source[100];
81 | memset(source, 'C', 100-1); /* fill with 'C's */
82 | source[100-1] = '\0'; /* null terminate */
83 | ptr->fptr = printLine;
84 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
85 | strcat(data, source);
86 | ptr->fptr("That's OK!");
87 | printLine(data);
88 | free(data);
89 | free(ptr);
90 | }
91 | }
92 | }
93 |
94 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_31_good()
95 | {
96 | goodG2B();
97 | }
98 |
99 | #endif /* OMITGOOD */
100 |
101 | /* Below is the main(). It is only used when building this testcase on
102 | * its own for testing or for building a binary to use in testing binary
103 | * analysis tools. It is not used when compiling all the testcases as one
104 | * application, which is how source code analysis tools are tested.
105 | */
106 |
107 |
108 | int main(int argc, char * argv[])
109 | {
110 | /* seed randomness */
111 | srand( (unsigned)time(NULL) );
112 | #ifndef OMITGOOD
113 | printLine("Calling good()...");
114 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_31_good();
115 | printLine("Finished good()");
116 | #endif /* OMITGOOD */
117 | #ifndef OMITBAD
118 | printLine("Calling bad()...");
119 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_31_bad(argv[1]);
120 | printLine("Finished bad()");
121 | #endif /* OMITBAD */
122 | return 0;
123 | }
124 |
125 |
126 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_42.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_42.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4 | Template File: sources-sink-42.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sink: cat
12 | * BadSink : Copy string to data using strcat
13 | * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | #ifndef OMITBAD
27 |
28 | static char * badSource(char * data)
29 | {
30 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 | data = (char *)malloc(20*sizeof(char));
32 | if (data == NULL) {exit(-1);}
33 | data[0] = '\0'; /* null terminate */
34 | return data;
35 | }
36 |
37 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_42_bad(char * activator)
38 | {
39 | char * data;
40 | struct fp * ptr;
41 | data = NULL;
42 | ptr = NULL;
43 | data = badSource(data);
44 | ptr = (struct fp *)malloc(sizeof(struct fp));
45 | if (ptr == NULL) {exit(-1);}
46 | {
47 | ptr->fptr = printLine;
48 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
49 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
50 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
51 | {
52 | strcat(data, activator);
53 | }
54 | ptr->fptr("That's OK!");
55 | printLine(data);
56 | free(data);
57 | free(ptr);
58 | }
59 | }
60 |
61 | #endif /* OMITBAD */
62 |
63 | #ifndef OMITGOOD
64 |
65 | static char * goodG2BSource(char * data)
66 | {
67 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
68 | data = (char *)malloc(100*sizeof(char));
69 | if (data == NULL) {exit(-1);}
70 | data[0] = '\0'; /* null terminate */
71 | return data;
72 | }
73 |
74 | /* goodG2B uses the GoodSource with the BadSink */
75 | static void goodG2B()
76 | {
77 | char * data;
78 | struct fp * ptr;
79 | data = NULL;
80 | ptr = NULL;
81 | data = goodG2BSource(data);
82 | ptr = (struct fp *)malloc(sizeof(struct fp));
83 | if (ptr == NULL) {exit(-1);}
84 | {
85 | char source[100];
86 | memset(source, 'C', 100-1); /* fill with 'C's */
87 | source[100-1] = '\0'; /* null terminate */
88 | ptr->fptr = printLine;
89 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
90 | strcat(data, source);
91 | ptr->fptr("That's OK!");
92 | printLine(data);
93 | free(data);
94 | free(ptr);
95 | }
96 | }
97 |
98 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_42_good()
99 | {
100 | goodG2B();
101 | }
102 |
103 | #endif /* OMITGOOD */
104 |
105 | /* Below is the main(). It is only used when building this testcase on
106 | * its own for testing or for building a binary to use in testing binary
107 | * analysis tools. It is not used when compiling all the testcases as one
108 | * application, which is how source code analysis tools are tested.
109 | */
110 |
111 |
112 | int main(int argc, char * argv[])
113 | {
114 | /* seed randomness */
115 | srand( (unsigned)time(NULL) );
116 | #ifndef OMITGOOD
117 | printLine("Calling good()...");
118 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_42_good();
119 | printLine("Finished good()");
120 | #endif /* OMITGOOD */
121 | #ifndef OMITBAD
122 | printLine("Calling bad()...");
123 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_42_bad(argv[1]);
124 | printLine("Finished bad()");
125 | #endif /* OMITBAD */
126 | return 0;
127 | }
128 |
129 |
130 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67a.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67a.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4 | Template File: sources-sink-67a.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: cat
12 | * BadSink : Copy string to data using strcat
13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | struct fp
22 | {
23 | void (*fptr)(const char*);
24 | };
25 |
26 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType
27 | {
28 | char * structFirst;
29 | } CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType;
30 |
31 | #ifndef OMITBAD
32 |
33 | /* bad function declaration */
34 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType myStruct, char * activator);
35 |
36 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_bad(char * activator)
37 | {
38 | char * data;
39 | struct fp * ptr;
40 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType myStruct;
41 | data = NULL;
42 | ptr = NULL;
43 | /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
44 | data = (char *)malloc(20*sizeof(char));
45 | if (data == NULL) {exit(-1);}
46 | ptr = (struct fp *)malloc(sizeof(struct fp));
47 | if (ptr == NULL) {exit(-1);}
48 | ptr->fptr = printLine;
49 | myStruct.structFirst = data;
50 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b_badSink(myStruct, activator);
51 | ptr->fptr("That's OK!");
52 | free(ptr);
53 | }
54 |
55 | #endif /* OMITBAD */
56 |
57 | #ifndef OMITGOOD
58 |
59 | /* goodG2B uses the GoodSource with the BadSink */
60 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType myStruct);
61 |
62 | static void goodG2B()
63 | {
64 | char * data;
65 | struct fp * ptr;
66 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType myStruct;
67 | data = NULL;
68 | ptr = NULL;
69 | /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 | data = (char *)malloc(100*sizeof(char));
71 | if (data == NULL) {exit(-1);}
72 | ptr = (struct fp *)malloc(sizeof(struct fp));
73 | if (ptr == NULL) {exit(-1);}
74 | ptr->fptr = printLine;
75 | myStruct.structFirst = data;
76 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b_goodG2BSink(myStruct);
77 | ptr->fptr("That's OK!");
78 | free(ptr);
79 | }
80 |
81 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_good()
82 | {
83 | goodG2B();
84 | }
85 |
86 | #endif /* OMITGOOD */
87 |
88 | /* Below is the main(). It is only used when building this testcase on
89 | * its own for testing or for building a binary to use in testing binary
90 | * analysis tools. It is not used when compiling all the testcases as one
91 | * application, which is how source code analysis tools are tested.
92 | */
93 |
94 |
95 | int main(int argc, char * argv[])
96 | {
97 | /* seed randomness */
98 | srand( (unsigned)time(NULL) );
99 | #ifndef OMITGOOD
100 | printLine("Calling good()...");
101 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_good();
102 | printLine("Finished good()");
103 | #endif /* OMITGOOD */
104 | #ifndef OMITBAD
105 | printLine("Calling bad()...");
106 | CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_bad(argv[1]);
107 | printLine("Finished bad()");
108 | #endif /* OMITBAD */
109 | return 0;
110 | }
111 |
112 |
113 |
--------------------------------------------------------------------------------
/Project_Files/samples/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b.c:
--------------------------------------------------------------------------------
1 | /* TEMPLATE GENERATED TESTCASE FILE
2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b.c
3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4 | Template File: sources-sink-67b.tmpl.c
5 | */
6 | /*
7 | * @description
8 | * CWE: 122 Heap Based Buffer Overflow
9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 | * Sinks: cat
12 | * BadSink : Copy string to data using strcat
13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
14 | *
15 | * */
16 |
17 | #include "std_testcase.h"
18 |
19 | #include
20 |
21 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType
22 | {
23 | char * structFirst;
24 | } CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType;
25 |
26 | #ifndef OMITBAD
27 |
28 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType myStruct, char * activator)
29 | {
30 | char * data = myStruct.structFirst;
31 | data[0] = '\0'; /* null terminate */
32 | {
33 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
34 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4'
35 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a')
36 | {
37 | strcat(data, activator);
38 | }
39 | printLine(data);
40 | free(data);
41 | }
42 | }
43 |
44 | #endif /* OMITBAD */
45 |
46 | #ifndef OMITGOOD
47 |
48 | /* goodG2B uses the GoodSource with the BadSink */
49 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType myStruct)
50 | {
51 | char * data = myStruct.structFirst;
52 | data[0] = '\0'; /* null terminate */
53 | {
54 | char source[100];
55 | memset(source, 'C', 100-1); /* fill with 'C's */
56 | source[100-1] = '\0'; /* null terminate */
57 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
58 | strcat(data, source);
59 | printLine(data);
60 | free(data);
61 | }
62 | }
63 |
64 | #endif /* OMITGOOD */
65 |
--------------------------------------------------------------------------------
/Project_Files/samples/includes/std_testcase_io.h:
--------------------------------------------------------------------------------
1 | /* header file to define functions in io.c. Not named io.h
2 | because that name is already taken by a system header on
3 | Windows */
4 |
5 | #ifndef _STD_TESTCASE_IO_H
6 | #define _STD_TESTCASE_IO_H
7 |
8 | #include "std_testcase.h" /* needed for the twoint struct */
9 |
10 | #ifdef __cplusplus
11 | extern "C" {
12 | #endif
13 |
14 | void printLine(const char * line);
15 |
16 | void printWLine(const wchar_t * line);
17 |
18 | void printIntLine (int intNumber);
19 |
20 | void printShortLine (short shortNumber);
21 |
22 | void printFloatLine (float floatNumber);
23 |
24 | void printLongLine(long longNumber);
25 |
26 | void printLongLongLine(int64_t longLongIntNumber);
27 |
28 | void printSizeTLine(size_t sizeTNumber);
29 |
30 | void printHexCharLine(char charHex);
31 |
32 | void printWcharLine(wchar_t wideChar);
33 |
34 | void printUnsignedLine(unsigned unsignedNumber);
35 |
36 | void printHexUnsignedCharLine(unsigned char unsignedCharacter);
37 |
38 | void printDoubleLine(double doubleNumber);
39 |
40 | void printStructLine(const twoIntsStruct * structTwoIntsStruct);
41 |
42 | void printBytesLine(const unsigned char * bytes, size_t numBytes);
43 |
44 | size_t decodeHexChars(unsigned char * bytes, size_t numBytes, const char * hex);
45 |
46 | size_t decodeHexWChars(unsigned char * bytes, size_t numBytes, const wchar_t * hex);
47 |
48 | int globalReturnsTrue();
49 |
50 | int globalReturnsFalse();
51 |
52 | int globalReturnsTrueOrFalse();
53 |
54 | /* Define some global variables that will get argc and argv */
55 | extern int globalArgc;
56 | extern char** globalArgv;
57 |
58 | #ifdef __cplusplus
59 | }
60 | #endif
61 |
62 | #endif
63 |
--------------------------------------------------------------------------------
/Project_Files/source/NFACTOR_MC.cfg:
--------------------------------------------------------------------------------
1 | HOW_MANY
2 | 10
3 | #index begin from zero
4 | TYPES
5 | #int,char
6 | #int,char,int
7 | #nth param,array type , length
8 |
9 |
10 | ARRAYS
11 | 1,char *,100
12 | 2,char *,100
13 | #3,char *,50
14 | #4,char *,80
15 |
16 | #nth param,normal dist
17 | DISTROS
18 | #1,normal
19 | #2,normal,05,50
20 | #3,normal,0,100
21 | #4,random
22 | #4,normal,0,2
23 |
24 | NPAIRS
25 | 2
26 |
27 |
28 | GROUPS
29 | param_1:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }]
30 | param_2:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }]
31 | #param_1:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }],[start;end{ *;/ }],[start;end{ :;@ }],[start;end{ [;_ }],[start;end{ *;~ }]
32 | #param_2:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }],[start;end{ *;/ }],[start;end{ :;@ }],[start;end{ [;_ }],[start;end{ *;~ }]
33 | #param_1:[50;60),[19;20],[21;90),[1000;2000]
34 | #param_2:[john-jeason-jack-jona]
35 | #param_3:[a-c),[A-Z]
36 | #param_4:[10;20],[-50;5]
37 | #param_5:[1{ 1 }2,5{ a;c }-9{ a;z }8{ 6 }]
38 | #param_5:[1{ 1 }2;5{ a;c }-9{ a;z }8{ 6 }]
39 | #param_5:[start;5{ a;z }]
40 | #param_5:[start,end{ a;c }-9{ a;z }8{ 6 }]
41 | #param_5:[jeason-john]
42 | #param_1:[1{ a;c }-5{ A;C }],[start;end{ a;z }-9{ a;z }8{ 6 }] ,[start;5{ 1;9 }]
43 | #param_1:[ ]
44 | #param_1:[start;end{ a;z }]
45 | #param_2:[start;end{ a;z }]
46 | #param_1:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }],[start;end{ *;/ }],[start;end{ :;@ }],[start;end{ [;_ }],[start;end{ *;~ }]
47 | #param_2:[-100;0],[0;100],[100;200],[200;300],[300;400]
48 | #param_2:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }],[start;end{ *;/ }],[start;end{ :;@ }],[start;end{ [;_ }],[start;end{ *;~ }]
49 | #param_3:[-p]
50 | #param_3:[-100;0],[0;100],[100;200],[200;300],[300;400]
51 | #param_2:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }],[start;end{ ;/ }],[start;end{ :;@ }],[start;end{ [;` }],[start;end{ \{;~ }],[start;end{ A;z }],[start;end{ ;~ }],[start,end{ 0;z }]
52 | #param_4:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }],[start;end{ ;/ }],[start;end{ :;@ }],[start;end{ [;` }],[start;end{ \{;~ }],[start;end{ A;z }],[start;end{ ;~ }],[start,end{ 0;z }]
53 |
54 |
55 |
--------------------------------------------------------------------------------
/Project_Files/source/__init__.py:
--------------------------------------------------------------------------------
1 | import logging
2 |
3 |
4 |
5 | logging.disable(logging.CRITICAL)
6 |
7 |
--------------------------------------------------------------------------------
/Project_Files/source/analysis/__init__.py:
--------------------------------------------------------------------------------
1 | from .CFGPartAnalysis import CFGPartAnalysis
2 | from .Units import Units
3 |
--------------------------------------------------------------------------------
/Project_Files/source/config.py:
--------------------------------------------------------------------------------
1 | DEFAULT_BUF_SYMBOLIC_BYTES=100
2 | BUF_SYMBOLIC_BYTES=100
3 | MAX_STR_LEN=100
4 |
--------------------------------------------------------------------------------
/Project_Files/source/constraintTree/VNode.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 | """
4 | Created on Fri Sep 11 23:39:17 2020
5 |
6 | @author: ali
7 | """
8 |
9 |
10 |
11 | class _VNode:
12 | def __init__(self,inode=None,addr=None,block=None,constraints=None,parent_addr=None,satisfiable=False):
13 | if block is None:
14 | self.blocks=[]
15 | else:
16 | self.blocks=[block]
17 |
18 | if constraints is None:
19 | self.constraints=[]
20 | else:
21 | self.constraints=constraints
22 | self.addr=addr
23 | self.Term=[]
24 | self.V=[]
25 | self.v=[]
26 | self._called=[]
27 | self.inode=inode
28 | self._has_child=False
29 | self._parent_addr=parent_addr
30 | self._satisfiable=satisfiable
31 | self._vul_susp=False
32 | self._extra_vul_const=[]
33 | self._vulMsg=[]
34 | ##
35 | self._stack={}
36 |
37 | ##
38 | def _setUpStack(self,stack_values,parent={}):
39 | if len(parent) > 0:
40 | self._stack=parent.copy()
41 | for addr,value in stack_values:
42 | self._stack[addr]=value
43 |
44 |
45 | def _correctStack(self,new_stack):
46 | for addr,value in new_stack.items():
47 | self._stack[addr]=value
48 |
49 | def isEqual(self,other,isEntryLoop=False):
50 |
51 | if isEntryLoop:
52 | if self.addr == other.addr:
53 | return True
54 |
55 | if self._parent_addr != other._parent_addr:
56 | return False
57 |
58 |
59 | if self.addr != other.addr:
60 | return False
61 |
62 |
63 |
64 | return True
65 |
66 |
67 |
68 | def addVulMessage(self,mesg):
69 | self._vulMsg.append(mesg)
70 |
71 |
72 | def setSatisfaiablilyStatus(self,status):
73 | self._satisfiable=status
74 |
75 | def setVulSusp(self,value):
76 | self._vul_susp=value
77 |
78 | def addVulConstraint(self,constraint):
79 | self._extra_vul_const.append(constraint)
80 |
81 |
82 | def addSystemIn(self,V):
83 | self.V.append(V)
84 |
85 | def _addCallee(self,addr):
86 | self._called.append(addr)
87 |
88 | def addUnitIn(self,v):
89 | self.v.append(v)
90 |
91 | def checkISINParent(self,item_con,parent_cons):
92 | for item in parent_cons:
93 | if item_con is item:
94 | return True
95 | return False
96 |
97 | def addConstraints(self,consts,parent):
98 | self.constraints=consts
99 | for item in self.constraints:
100 | if self.checkISINParent(item,parent.constraints) == False:
101 | self.Term.append(item)
102 |
103 | for item in parent.constraints:
104 | if self.checkISINParent(item,self.constraints) == False:
105 | self.constraints.append(item)
106 |
107 |
108 |
109 | def addBlock(self,addr):
110 | self.blocks.append(addr)
111 |
112 | @classmethod
113 | def getNodeNumber(cls):
114 | return cls.inode
115 |
116 | def pp(self):
117 | content='Node-{0}\nConstraints: {1}\nUnitInputs: {2}\nSystemInputs: {3}\nBasicBlocks Addr: {4}\nCallees: {5}\n'.format(self.inode,self.constraints,self.v,self.V,self.blocks,self._called)
118 | print(content)
119 |
120 | def __str__(self):
121 | return 'Node-{0}'.format(self.inode)
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
--------------------------------------------------------------------------------
/Project_Files/source/constraintTree/__init__.py:
--------------------------------------------------------------------------------
1 | from .VNode import _VNode
2 | from .VTree import _VTree
3 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/Tar3Ranges.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 | """
4 |
5 | Created on Sun Nov 1 19:12:42 2020
6 |
7 | @authors: Ali Kamali
8 | Sara Baradaran
9 | Mahdi Heidari
10 |
11 | """
12 |
13 | from collections import Counter
14 |
15 | class Range:
16 |
17 | def __init__(self):
18 | self.var_names=[]
19 | self.bound={}
20 |
21 | def addRange(self,reng):
22 | for var_name,bnd in reng:
23 | self.var_names.append(var_name)
24 | self.bound[var_name]=bnd
25 |
26 | def correctBounds(self,reng):
27 | for var_name,bnd in reng:
28 | bound=self.bound[var_name]
29 | old_upper=float(bound[1])
30 | old_lower=float(bound[0])
31 | new_upper=float(bnd[1])
32 | new_lower=float(bnd[0])
33 |
34 | if new_upper > old_upper and new_lower >= old_upper:
35 | bound[1]=new_upper
36 | elif new_upper <= old_lower and new_lower < old_lower :
37 | bound[0]=new_lower
38 | else:
39 | if new_upper < old_upper :
40 | bound[1]=str(new_upper)
41 | if new_lower > old_lower :
42 | bound[0] = str(new_lower)
43 |
44 | def isMatch(self,var_names):
45 | return Counter(var_names) == Counter(self.var_names)
46 |
47 | def pp(self):
48 | content=''
49 | for name in self.var_names:
50 | if content == '':
51 | content='{0}:{1}'.format(name,self.bound.get(name))
52 | else:
53 | content=content+' And {0}:{1}'.format(name,self.bound.get(name))
54 | print(content)
55 |
56 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/__init__.py:
--------------------------------------------------------------------------------
1 | from .Tar3Ranges import Range
2 | from .Cover import Cover
3 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/bin/tar3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/bin/tar3.exe
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/bin/xval.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/bin/xval.exe
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/02itar2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/02itar2.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/02metrics.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/02metrics.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/02moreodc.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/02moreodc.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/02pairprog.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/02pairprog.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/02re02.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/02re02.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/02sereuse.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/02sereuse.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/02trust.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/02trust.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/TAR2intro.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/TAR2intro.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/TAR3Manual.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/TAR3Manual.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/ch4-TAR3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/ch4-TAR3.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/itarv2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/itarv2.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/kdd.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/kdd.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/lazyagents.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/lazyagents.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/mbtar.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/mbtar.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/ml4re.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/ml4re.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/soft.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/soft.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/doc/truisms.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/doc/truisms.pdf
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/data.cfg:
--------------------------------------------------------------------------------
1 | granularity: 4
2 | maxNumber: 10
3 | minSize: 1
4 | maxSize: 2
5 | randomTrials: 100
6 | futileTrials: 30
7 | bestClass : 62%
8 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/data.data:
--------------------------------------------------------------------------------
1 | 79,77,good
2 | 68,66,good
3 | 102,108,bad
4 | 55,49,bad
5 | 105,106,bad
6 | 49,55,bad
7 | 53,55,bad
8 | 105,107,bad
9 | 68,75,good
10 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/data.names:
--------------------------------------------------------------------------------
1 | |Class:
2 | bad,good
3 |
4 | |Attributes : 4
5 |
6 | NOW
7 |
8 | CHANGES
9 |
10 | SCORE
11 | 4,8
12 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/golf.cfg:
--------------------------------------------------------------------------------
1 | granularity: 4
2 | maxNumber: 10
3 | minSize: 1
4 | maxSize: 4
5 | randomTrials: 100
6 | futileTrials: 30
7 | bestClass : 42%
8 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/golf.data:
--------------------------------------------------------------------------------
1 | Sunny,85,86,False,None
2 | Sunny,80,90,True,None
3 | Sunny,72,95,False,None
4 | Rain,65,70,True,None
5 | Rain,65,70,True,None
6 | Rain,70,96,False,Some
7 | Rain,68,80,False,Some
8 | Rain,75,80,False,Some
9 | Sunny,69,70,False,Lots
10 | Sunny,75,70,True,Lots
11 | Overcast,83,88,False,Lots
12 | Overcast,64,65,True,Lots
13 | Overcast,72,90,True,Lots
14 | Overcast,81,75,False,Lots
15 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/golf.names:
--------------------------------------------------------------------------------
1 | |Class:
2 | None,Some,Lots
3 |
4 | |Attributes : 4
5 | Outlook:Sunny,Rain,Overcast
6 | Temp:continuous
7 | Humidity:continuous
8 | Windy:True,False
9 |
10 | NOW
11 | Outlook:true
12 | Temp:true
13 | Humidity:true
14 | Windy:true
15 |
16 | CHANGES
17 | Outlook:true
18 | Temp:true
19 | Humidity:true
20 | Windy:True
21 |
22 | SCORE
23 | 2,4,8
24 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/shadow.cfg:
--------------------------------------------------------------------------------
1 | granularity: 4
2 | maxNumber: 10
3 | minSize: 1
4 | maxSize: 4
5 | randomTrials: 100
6 | futileTrials: 30
7 | bestClass : 42%
8 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/shadow.data:
--------------------------------------------------------------------------------
1 | -72,118,6285986842816126458,082259467843261318,good
2 | -193,1,786864510225301167,53696684562121602270,bad
3 | 133,49,41168486242589526421,4112870881966486,bad
4 | -26,7,4220393476054403851,7026012411366343640,bad
5 | 101,-37,13489267505555475059,86991058312657543,bad
6 | -30,58,1866604664826342119,1222448726443874325,good
7 | -162,115,77681786442656674666,66515868466913177,bad
8 | 34,-22,25607426788273231931,65222977817613118728,bad
9 | 89,-83,23124732786685151760,186013874751315689,bad
10 | 6,-53,7489285160257428766,36601143883850794542,bad
11 | 29,8,20401077168048538049,2737323460184555815,good
12 | -9,4,52232514676559865760,7966395729776562362,bad
13 | -9,15,3750349147836726565,6447914459684835263,bad
14 | -45,-51,82819152545469282083,4115239462171911635,bad
15 | -81,-109,44478691377037291126,2133793083749892176,bad
16 | -95,-78,3313582679337113567,6672569119268250387,good
17 | -75,-59,21508137401131848839,105640856585802829,bad
18 | -29,-105,32289130365628375871,3518196921678794272,bad
19 | 55,15,44241612126538448423,77103068606792143334,bad
20 | 33,-41,63794469806667322540,2241315559181783362,bad
21 | 60,-67,29201444592479776441,114076836451675124,good
22 | 69,-50,5464326964129025371,286001690536847765,bad
23 | -76,-256,8824704271843706016,6885387594253428,bad
24 | 103,-62,17743273786149118034,915780411271173763,bad
25 | -55,63,7933661541332436917,15701185266638582216,bad
26 | 36,-26,5552756665437484418,6527491511186503639,good
27 | -91,-99,1458453906418548583,27141377444228531660,bad
28 | 57,228,3971642883583842875,316141371891165149,bad
29 | 5,-186,86196237642782863846,32501087535754709086,bad
30 | -1,102,886119121622402163,76446937525253854643,bad
31 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/shadow.names:
--------------------------------------------------------------------------------
1 | |Class:
2 | bad,good
3 |
4 | |Attributes : 4
5 | var_1:continuous
6 | var_2:continuous
7 | var_3:continuous
8 | var_4:continuous
9 |
10 | NOW
11 | var_1:true
12 | var_2:true
13 | var_3:true
14 | var_4:true
15 |
16 | CHANGES
17 | var_1:true
18 | var_2:true
19 | var_3:true
20 | var_4:true
21 |
22 | SCORE
23 | 4,8
24 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/tar3.bat:
--------------------------------------------------------------------------------
1 | ..\bin\tar3.exe iris > iris.out
2 |
3 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/xval.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 |
3 | ..\bin\xval.exe ..\bin\tar3.exe iris 10
4 |
5 | echo on
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/sample/xval_usage.txt:
--------------------------------------------------------------------------------
1 | xval usage:
2 |
3 | xval is now compatible with both tar2(v2.2) and tar3(tar2r version)
4 |
5 | Command line parameters:
6 | xval -p filestem N: perform datafile split on filestem.data
7 | xval tar2 filestem N: N-way validation with tar2 on filestem
8 | xval tar2r filestem N: N-way validation with tar2r on filestem
9 |
10 | Specify path for tar2/tar2r/filestem if they are in different folders.
11 |
12 | exp:
13 | c:\prog\xvalnew\debug\xval.exe c:\prog\tar2r\debug\tar2.exe iris 10
14 | (path for xval) (path for tar2) (filestem=iris) (N=10)
15 |
16 | A easy way to perform the xval trial is to copy tar2.exe and xval.exe and
17 | all the data files into the same the directory and issue the command:
18 | xval tar2 filestem N
19 |
20 | xval first splits the data file in to N .data file and N.test files, which results in:
21 | XDF[0..N-1].data
22 | XDF[0..N-1].test
23 | (Note: old xval results in XDF.data[0..N-1] and XDF.test[0..N-1]
24 |
25 | Then xval invokes tar2 or tar3 N times, generates N result files and one summary file.
26 |
27 | After done, it automatically delete XDF*.data and XDF*.test
28 |
29 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/tar3/defns.h:
--------------------------------------------------------------------------------
1 |
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 |
10 | #define false 0
11 | #define true 1
12 | #define Nil 0
13 | #define Unknown -999 /* must be int */
14 | #define Invalid -998 /* must be int */
15 |
16 | #define Max(a,b) ((a)>(b)? a:b)
17 | #define Min(a,b) ((a)<(b)? a:b)
18 | #define Round(x) ((int) (x+0.5))
19 |
20 | #define ForEach(v,f,l) for(v=f;v<=l;++v)
21 |
22 |
23 |
24 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/tar3/extern.h:
--------------------------------------------------------------------------------
1 | /*****************************************/
2 | /* Global data declaration */
3 | /* ----------------------- */
4 | /*****************************************/
5 |
6 | extern short MaxAtt, /* max att number */
7 | MaxClass, /* max class number */
8 | *MaxAttVal, /* number of values for each att */
9 | *MaxAttNow, /* number of values for each att in Now */
10 | *MaxAttChg; /* number of values for each att in Changes*/
11 |
12 | extern long MaxItem; /* max data item number */
13 |
14 | extern int MaxTreat, /* max treatment number */
15 | TreatSetSpace, /* space allocated to TreatSet*/
16 | MaxDistSet, /* max DistSet number */
17 | MaxFailedRx, /* max FailedTreatSet number */
18 | FailedRxSpace; /* space allocated to FailedRx */
19 |
20 |
21 | extern BandInfo *AttBand; /* band info for each attribute */
22 |
23 | extern Description *Item; /* data items */
24 |
25 | extern DistItem *DistSet; /* deltaf distribution set */
26 |
27 | extern TreatItem *TreatSet, /* treatment set */
28 | *FailedRx; /* failed treatment set */
29 |
30 | extern String *ClassName, /* class names */
31 | *AttName, /* att names */
32 | **AttValName, /* att value names */
33 | **AttValNow, /* att value names in Now */
34 | **AttValChg, /* att value names in Changes */
35 | FileName; /* family name of files */
36 |
37 | extern float Baseline, /* the baseline worth */
38 | MinWorth; /* the baseline worth */
39 |
40 | extern Boolean ReverseClass; /* flag of class order */
41 |
42 |
43 | /*****************************************/
44 | /* Global parameter declaration */
45 | /* ---------------------------- */
46 | /*****************************************/
47 |
48 | extern short Granularity; /* parameter indicate the percentile bands */
49 |
50 | extern float Step, /* step factor for the score function */
51 | Skew; /* option for skew/not skew the worth */
52 | extern int MaxTreatNum, /* maximum treatment number */
53 | MinTreatSize, /* minimum treatment size */
54 | MaxTreatSize, /* maximum treatment size */
55 | FutileTrials, /* maximum successive futile trials allowed */
56 | RandomTrials; /* number of random trials conducted */
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/tar3/global.h:
--------------------------------------------------------------------------------
1 | /*****************************************/
2 | /* Global data definition */
3 | /* ----------------------- */
4 | /*****************************************/
5 |
6 | short MaxAtt, /* max att number */
7 | MaxClass, /* max class number */
8 | *MaxAttVal, /* number of values for each att */
9 | *MaxAttNow, /* number of values for each att in Now */
10 | *MaxAttChg; /* number of values for each att in Changes */
11 |
12 | long MaxItem; /* max data item number */
13 | int MaxTreat, /* max treatment number */
14 | TreatSetSpace, /* space allocated to TreatSet*/
15 | MaxDistSet, /* max DistSet number */
16 | MaxFailedRx, /* max FailedTreatSet number */
17 | FailedRxSpace; /* space allocated to FailedRx */
18 |
19 | BandInfo *AttBand; /* band info for each attribute */
20 |
21 | Description *Item; /* data items */
22 |
23 | TreatItem *TreatSet, /* treatment set */
24 | *FailedRx; /* failed treatment set */
25 |
26 | DistItem *DistSet; /* deltaf distribution set */
27 |
28 | String *ClassName, /* class names */
29 | *AttName, /* att names */
30 | **AttValName, /* att value names */
31 | **AttValNow, /* att value names in Now */
32 | **AttValChg, /* att value names in Changes */
33 | FileName; /* family name of files */
34 |
35 | float Baseline, /* the baseline worth */
36 | MinWorth; /* the baseline worth */
37 |
38 | Boolean ReverseClass; /* flag of class order */
39 |
40 | /*****************************************/
41 | /* Global parameter definition */
42 | /* --------------------------- */
43 | /*****************************************/
44 |
45 | short Granularity; /* parameter indicate the percentile bands */
46 |
47 | float Step, /* step factor for the score function */
48 | Skew; /* option for skew/not skew the worth */
49 |
50 | int MaxTreatNum, /* maximum treatment number */
51 | MinTreatSize, /* minimum treatment size */
52 | MaxTreatSize, /* maximum treatment size */
53 | FutileTrials, /* maximum successive futile trials allowed */
54 | RandomTrials; /* number of random trials conducted */
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/tar3/sort.c:
--------------------------------------------------------------------------------
1 | #include "defns.h"
2 | #include "types.h"
3 | #include "extern.h"
4 |
5 | /* quicksort */
6 |
7 | typedef float T; /* type of item to be sorted */
8 | typedef long tblIndex; /* type of subscript */
9 |
10 | #define compGT(a,b) (a > b) /* for ascending order */
11 |
12 | /***********************************
13 | * insertion sort array a[lb..ub] *
14 | ************************************/
15 | void insertSort(T *a, tblIndex lb, tblIndex ub)
16 | {
17 | T t;
18 | tblIndex i, j;
19 |
20 | for (i = lb + 1; i <= ub; i++)
21 | {
22 | t = a[i];
23 |
24 | /* Shift elements down until insertion point found. */
25 | for (j = i-1; j >= lb && compGT(a[j], t); j--)
26 | a[j+1] = a[j];
27 |
28 | /* insert */
29 | a[j+1] = t;
30 | }
31 | }
32 |
33 | /*******************************
34 | * partition array a[lb..ub] *
35 | *******************************/
36 | tblIndex partition(T *a, tblIndex lb, tblIndex ub)
37 | {
38 | T t, pivot;
39 | tblIndex i, j, p;
40 |
41 | /* select pivot and exchange with 1st element */
42 | p = lb + ((ub - lb)>>1);
43 | pivot = a[p];
44 | a[p] = a[lb];
45 |
46 | /* sort lb+1..ub based on pivot */
47 | i = lb;
48 | j = ub + 1;
49 | while (1)
50 | {
51 | while (j > i && compGT(a[--j], pivot));
52 | while (i < j && compGT(pivot, a[++i]));
53 | if (i >= j) break;
54 |
55 | /* swap a[i], a[j] */
56 | t = a[i];
57 | a[i] = a[j];
58 | a[j] = t;
59 | }
60 |
61 | /* pivot belongs in a[j] */
62 | a[lb] = a[j];
63 | a[j] = pivot;
64 |
65 | return j;
66 | }
67 |
68 | /******************************
69 | * quicksort array a[lb..ub] *
70 | *******************************/
71 | void quickSort(T *a, tblIndex lb, tblIndex ub)
72 | {
73 | tblIndex m;
74 |
75 | while (lb < ub)
76 | {
77 |
78 | /* quickly sort short lists */
79 | if (ub - lb <= 12)
80 | {
81 | insertSort(a, lb, ub);
82 | return;
83 | }
84 |
85 | /* partition into two segments */
86 | m = partition (a, lb, ub);
87 |
88 | /* sort the smallest partition */
89 | /* to minimize stack requirements */
90 | if (m - lb <= ub - m)
91 | {
92 | quickSort(a, lb, m - 1);
93 | lb = m + 1;
94 | }
95 | else
96 | {
97 | quickSort(a, m + 1, ub);
98 | ub = m - 1;
99 | }
100 | }
101 | }
102 |
103 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/tar3/tar3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/source/tar3/tar3
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/tar3/types.h:
--------------------------------------------------------------------------------
1 | typedef char Boolean, *String;
2 |
3 | typedef union _attribute_value
4 | {
5 | short _discr_val;
6 | float _cont_val;
7 | }
8 | AttValue, *Description;
9 |
10 | #define CVal(Case,Attribute) Case[Attribute]._cont_val
11 | #define DVal(Case,Attribute) Case[Attribute]._discr_val
12 | #define Class(Case) Case[MaxAtt+1]._discr_val
13 |
14 | typedef struct _band
15 | {
16 | int _continuous;
17 | int _maxband;
18 | float* _min;
19 | float* _max;
20 | } BandInfo;
21 |
22 | typedef struct _candidate /* one candidate item = one attribute range */
23 | {
24 | int _att;
25 | int _val;
26 | } CandiItem;
27 |
28 | typedef struct _dist /* deltaf value for one candidate*/
29 | {
30 | struct _candidate _candiItem;
31 | int _weight;
32 | double _CDF;
33 | Boolean _flag;
34 | } DistItem;
35 |
36 | typedef struct _treatment /* one treatment item = one candidate set */
37 | {
38 | struct _candidate *_candiSet;
39 | int _num;
40 | float _worth_data;
41 | float _worth_test;
42 | } TreatItem;
43 |
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/tar3/xvalsum.c:
--------------------------------------------------------------------------------
1 | /************************************************/
2 | /* */
3 | /* Print out xval summary */
4 | /* -------------------------- */
5 | /* */
6 | /************************************************/
7 |
8 | #include "defns.h"
9 | #include "types.h"
10 | #include "extern.h"
11 |
12 |
13 | /************************************************/
14 | /* */
15 | /* Fn is supposed to be "XDFxx" */
16 | /* -------------------------- */
17 | /* */
18 | /************************************************/
19 |
20 | void Summary(char* Fn)
21 | {
22 | int i,j,TrialNo,Size,Att,Val;
23 | char Tmp[20];
24 | FILE *Nf;
25 |
26 | strcpy(Tmp, Fn+3);
27 | TrialNo = atoi(Tmp);
28 |
29 | if ( TrialNo == 0 )
30 | {
31 | Nf = fopen( "XDFsum.out", "w" );
32 | fprintf(Nf,"---------------------------------------------\n");
33 | fprintf(Nf,"Summary of N-way cross validation experiments\n");
34 | fprintf(Nf,"---------------------------------------------\n");
35 | fprintf(Nf,"\tData file: %d cases * %d attributes\n\n",MaxItem+1,MaxAtt+1);
36 | fprintf(Nf,"\tParameter: granularity=%d\n",Granularity);
37 | fprintf(Nf,"\t maxNumber=%d\n",MaxTreatNum);
38 | fprintf(Nf,"\t minSize=%d\n",MinTreatSize);
39 | fprintf(Nf,"\t maxSize=%d\n",MaxTreatSize);
40 | fprintf(Nf,"\t randomTrials=%d\n",RandomTrials);
41 | fprintf(Nf,"\t futileTrials=%d\n",FutileTrials);
42 | fprintf(Nf,"\t bestClass=%5.2f%%\n",Skew*100);
43 | fprintf(Nf,"\n");
44 | }
45 | else
46 | Nf = fopen( "XDFsum.out", "a" );
47 |
48 | fprintf(Nf,"\n----- Trial %d: Treatments=%d -----",TrialNo,MaxTreat+1);
49 | ForEach(i, 0, MaxTreat)
50 | {
51 | fprintf(Nf,"\nworthOnData=%4f worthOnTest=%4f ",TreatSet[i]._worth_data,TreatSet[i]._worth_test);
52 | Size = TreatSet[i]._num;
53 | ForEach(j, 0, Size)
54 | {
55 | Att = TreatSet[i]._candiSet[j]._att;
56 | Val = TreatSet[i]._candiSet[j]._val;
57 | fprintf(Nf,"[%s=%s] ",AttName[Att],AttValName[Att][Val]);
58 | }
59 | }
60 | fprintf(Nf,"\n");
61 |
62 | fclose(Nf);
63 | }
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/xval/xval:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SoftwareSecurityLab/Heap-Overflow-Detection/23c79173376eab65e931ed50795401d45b8e4665/Project_Files/source/learning/tar3/source/xval/xval
--------------------------------------------------------------------------------
/Project_Files/source/learning/tar3/source/xval/xval.c:
--------------------------------------------------------------------------------
1 | /*****************************************************************/
2 | /* */
3 | /* Program to perform the cross-validation trials */
4 | /* ------------------------------------------------- */
5 | /* invocation: xval filestem N */
6 | /*****************************************************************/
7 |
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #define ForEach(var,F,L) for(var=F; var<=L; ++var)
14 |
15 | void xvalPrep();
16 | void xval();
17 |
18 | void main(int argc, char *argv[])
19 | /* ---- */
20 | {
21 | char Fn[30],Prog[100];
22 | int Splits;
23 | time_t ltime,etime;
24 |
25 | /* usage info*/
26 | if (argc != 4 )
27 | {
28 | printf("\nUsage Examples:");
29 | printf("\n---------------------------------------------------------");
30 | printf("\n(1)Perform xval preparation (data split) only\n");
31 | printf("\n xval -p c:\\ying\\data\\iris 10\n");
32 | printf("\n(2)Perform xval with tar2 on iris.data\n");
33 | printf("\n xval c:\\ying\\bin\\tar2.exe c:\\ying\\data\\iris 10\n");
34 | printf("\n(3)Perform xval with tar2r on iris.data\n");
35 | printf("\n xval c:\\ying\\bin\\tar2r.exe c:\\ying\\data\\iris 10\n");
36 | printf("\n---------------------------------------------------------");
37 | printf("\n\n");
38 | exit(1);
39 | }
40 |
41 | sscanf(argv[argc-2], "%s", Fn);
42 | sscanf(argv[argc-1], "%d", &Splits);
43 |
44 | time(<ime);
45 |
46 | xvalPrep(Fn, Splits);
47 |
48 | /* if invoke tar2 or tar2r */
49 | if ( strcmp(argv[1], "-p") )
50 | {
51 | strcpy(Prog, argv[1]);
52 | printf("\nPerform %d-way cross validation with %s on %s...\n\n",Splits,Prog,Fn);
53 | xval(Fn, Prog, Splits);
54 | }
55 |
56 | time(&etime);
57 | printf("\nRun time: %ld sec\n",(etime-ltime));
58 | }
59 |
60 |
61 | /*****************************************************************
62 |
63 | invoke xvalPrep and program
64 |
65 | *****************************************************************/
66 |
67 | void xval(char *Fn, char* Program, int Splits)
68 | {
69 | char command[100],suffix[5],OldName[20],NewName[20];
70 | int Loop;
71 |
72 | /* perform the cross-validation trials */
73 |
74 | strcpy(OldName, Fn);
75 |
76 | ForEach(Loop, 0, Splits-1)
77 | {
78 | sprintf(suffix,"%d",Loop);
79 | strcpy(NewName, "XDF");
80 | strcat(NewName, suffix);
81 |
82 | /* rename filestem.cfg XDF.cfg */
83 | strcpy(command, "rename ");
84 | strcat(command, OldName);
85 | strcat(command, ".cfg ");
86 | strcat(command, NewName);
87 | strcat(command, ".cfg");
88 | system(command);
89 |
90 | /* rename filestem.names XDF.names */
91 | strcpy(command, "rename ");
92 | strcat(command, OldName);
93 | strcat(command, ".names ");
94 | strcat(command, NewName);
95 | strcat(command, ".names");
96 | system(command);
97 |
98 | /* invoke program: "program filestem > filestem.out " */
99 | strcpy(command, Program);
100 | strcat(command, " ");
101 | strcat(command, NewName);
102 | strcat(command, " > ");
103 | strcat(command, NewName);
104 | strcat(command, ".out");
105 | /*printf("%s\n",command);*/
106 | system(command);
107 |
108 | /* update OldName*/
109 | strcpy(OldName, NewName);
110 | }
111 |
112 | /* rename back */
113 | strcpy(command, "rename ");
114 | strcat(command, OldName);
115 | strcat(command, ".cfg ");
116 | strcat(command, Fn);
117 | strcat(command, ".cfg");
118 | system(command);
119 |
120 | strcpy(command, "rename ");
121 | strcat(command, OldName);
122 | strcat(command, ".names ");
123 | strcat(command, Fn);
124 | strcat(command, ".names");
125 | system(command);
126 |
127 | /* delete XDF files*/
128 | strcpy(command, "del XDF*.data ");
129 | system(command);
130 | strcpy(command, "del XDF*.test ");
131 | system(command);
132 |
133 | }
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/ExtractParams.py:
--------------------------------------------------------------------------------
1 |
2 |
3 | import angr ,claripy
4 | import numpy as np
5 |
6 | class SimExtractParams(angr.SimProcedure):
7 |
8 | def run(self, *args, pointers=None):
9 | self.state.globals['args']=[]
10 | for numb,typ in pointers.items():
11 | argRes=None
12 | if typ == 'intPointer':
13 | addr=args[numb-1].ast.args[0]
14 | argRes=int(np.int32(self.state.mem[addr].long.concrete))
15 | elif typ == 'charPointer':
16 | addr = args[numb - 1].to_claripy()
17 | value=self.state.mem[addr].string.concrete
18 | if isinstance(value,str):
19 | argRes=value
20 | else:
21 | argRes=value.decode('ascii','replace')
22 | argRes=argRes+'\x00'
23 | elif typ == 'floatPointer':
24 | addr=args[numb-1].ast.args[0]
25 | value=self.state.mem[addr].long.concrete
26 | tmp_val=claripy.BVV(value,32)
27 | argRes=tmp_val.raw_to_fp().args[0]
28 | elif typ == 'doublePointer':
29 | addr=args[numb-1].ast.args[0]
30 | value=self.state.mem[addr].long.concrete
31 | tmp_val=claripy.BVV(value,64)
32 | fp=tmp_val.raw_to_fp()
33 | argRes=tmp_val.raw_to_fp().args[0]
34 | elif typ in 'char':
35 | argRes=chr(args[numb-1].ast.args[0])
36 | elif typ in 'int':
37 | val=args[numb-1].ast
38 | argRes=int(np.int32(self.state.solver.eval(val)))
39 | elif typ in 'float':
40 | tmp_val=claripy.BVV(args[numb-1].args[0],32)
41 | argRes=tmp_val.raw_to_fp().args[0]
42 | elif typ == "double":
43 | tmp_val=claripy.BVV(args[numb-1].args[0],64)
44 | argRes=tmp_val.raw_to_fp().args[0]
45 | else:
46 | argRes=args[numb-1]
47 | self.state.globals['args'].append(argRes)
48 | self.exit(0)
49 | return 0
50 |
51 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/UnConstraintRetValue.py:
--------------------------------------------------------------------------------
1 | import angr,claripy
2 |
3 | class ExeFunc(angr.SimProcedure):
4 | def run(*argv):
5 | pass
6 | #return claripy.BVS('UNConstrainRetValue',8)
7 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/__init__.py:
--------------------------------------------------------------------------------
1 | from .ExtractParams import SimExtractParams
2 | from .UnConstraintRetValue import ExeFunc
3 | from .vul_memcpy import _memcpy_vul
4 | from .vul_memmove import _memmove_vul
5 | from .vul_memset import _memset_vul
6 | from .vul_sprintf import _sprintf_vul
7 | from .vul_strcat import _strcat_vul
8 | from .vul_strcpy import _strcpy_vul
9 | from .wcslen import wcslen
10 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/vul_memcpy.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 | """
4 |
5 | Created on Sat Feb 13 22:07:00 2021
6 |
7 | @authors: Ali Kamali
8 | Sara Baradaran
9 | Mahdi Heidari
10 |
11 | """
12 |
13 |
14 | import angr,claripy
15 |
16 |
17 | class _memcpy_vul(angr.SimProcedure):
18 | def run(self,dst_addr, src_addr ,limit):
19 | strlen = angr.SIM_PROCEDURES['libc']['strlen']
20 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy']
21 | hist_addr=self.state.history.bbl_addrs.hardcopy
22 | self.state.globals['block_addr']=hist_addr
23 |
24 | if self.state.solver.symbolic(limit) ==False:
25 | limit=self.state.solver.eval(limit.to_claripy())
26 | else:
27 | limit=limit.to_claripy()
28 |
29 | con_res=['memcpy',limit]
30 |
31 |
32 | self.state.globals['extra_const'].append(tuple(con_res))
33 |
34 | self.inline_call(memcpy, dst_addr, src_addr,limit)
35 |
36 | return dst_addr
37 |
38 |
39 |
40 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/vul_memmove.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 | """
4 |
5 | Created on Sat Feb 13 22:07:00 2021
6 |
7 | @authors: Ali Kamali
8 | Sara Baradaran
9 | Mahdi Heidari
10 |
11 | """
12 |
13 |
14 | import angr,claripy
15 |
16 | class _memmove_vul(angr.SimProcedure):
17 | def run(self,dst_addr, src_addr ,limit):
18 | strlen = angr.SIM_PROCEDURES['libc']['strlen']
19 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy']
20 |
21 | hist_addr=self.state.history.bbl_addrs.hardcopy
22 | self.state.globals['block_addr']=hist_addr
23 |
24 | if self.state.solver.symbolic(limit) ==False:
25 | limit=self.state.solver.eval(limit.to_claripy())
26 | else:
27 | limit=limit.to_claripy()
28 |
29 | con_res=['memmove',limit]
30 |
31 |
32 |
33 |
34 | self.state.globals['extra_const'].append(tuple(con_res))
35 |
36 | self.inline_call(memcpy, dst_addr, src_addr,limit)
37 |
38 | return dst_addr
39 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/vul_memset.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 | """
4 |
5 | Created on Sat Feb 13 22:07:00 2021
6 |
7 | @authors: Ali Kamali
8 | Sara Baradaran
9 | Mahdi Heidari
10 |
11 | """
12 |
13 | import angr,claripy
14 | class _memset_vul(angr.SimProcedure):
15 | def run(self, dst_addr, char, num):
16 | memset = angr.SIM_PROCEDURES['libc']['memset']
17 | hist_addr=self.state.history.bbl_addrs.hardcopy
18 | self.state.globals['block_addr']=hist_addr
19 |
20 |
21 | if self.state.solver.symbolic(num) ==False:
22 | self.state.globals['extra_const'].append(('memset',self.state.solver.eval(num.to_claripy())))
23 | else:
24 | self.state.globals['extra_const'].append(('memset',num.to_claripy()))
25 |
26 |
27 | self.inline_call(memset,dst_addr,char,num)
28 | return dst_addr
29 |
30 |
31 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/vul_sprintf.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 |
4 |
5 | from angr.procedures.stubs.format_parser import FormatParser
6 | import angr,claripy
7 |
8 |
9 | class _sprintf_vul(FormatParser):
10 |
11 |
12 | def run(self, dst_ptr):
13 | fmt_str = self._parse(1)
14 | out_str = fmt_str.replace(2, self.arg)
15 |
16 |
17 | hist_addr=self.state.history.bbl_addrs.hardcopy
18 | self.state.globals['block_addr']=hist_addr
19 | if self.state.solver.symbolic(out_str) ==False:
20 | value=self.state.solver.eval(out_str,cast_to=bytes).decode('ascii')
21 | self.state.globals['extra_const'].append(('sprintf',value))
22 |
23 |
24 |
25 | self.state.memory.store(dst_ptr, out_str)
26 |
27 | self.state.memory.store(dst_ptr + (out_str.size() // 8), self.state.solver.BVV(0, 8))
28 |
29 | return self.state.solver.BVV(out_str.size()//8, self.state.arch.bits)
30 |
31 |
32 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/vul_strcat.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 | """
4 |
5 | Created on Sat Feb 13 22:07:00 2021
6 |
7 | @authors: Ali Kamali
8 | Sara Baradaran
9 | Mahdi Heidari
10 |
11 | """
12 |
13 |
14 | import angr,claripy
15 | class _strcat_vul(angr.SimProcedure):
16 | def run(self,dst_addr, src_addr):
17 | strlen = angr.SIM_PROCEDURES['libc']['strlen']
18 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy']
19 |
20 | hist_addr=self.state.history.bbl_addrs.hardcopy
21 | self.state.globals['block_addr']=hist_addr
22 | src_len = self.inline_call(strlen, src_addr).ret_expr
23 | dst_len = self.inline_call(strlen, dst_addr).ret_expr
24 |
25 |
26 | mem_src=self.state.memory.load(src_addr,10)
27 |
28 | if self.state.solver.symbolic(mem_src) ==False:
29 | value=self.state.mem[src_addr.to_claripy()].string.concrete.decode('ascii')
30 | self.state.globals['extra_const'].append(('strcat',dst_len,len(value)))
31 | else:
32 | if isinstance(dst_len,angr.state_plugins.sim_action_object.SimActionObject):
33 | dst_len=dst_len.to_claripy()
34 | self.state.globals['extra_const'].append(('strcat',dst_len,src_len))
35 | self.inline_call(memcpy, dst_addr + dst_len, src_addr,src_len+1)
36 |
37 | return dst_addr
38 |
39 |
40 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/vul_strcpy.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 | """
4 |
5 | Created on Sat Feb 13 22:07:00 2021
6 |
7 | @authors: Ali Kamali
8 | Sara Baradaran
9 | Mahdi Heidari
10 |
11 | """
12 |
13 | import angr,claripy
14 |
15 | class _strcpy_vul(angr.SimProcedure):
16 | def run(self,dst_addr, src_addr):
17 | strlen = angr.SIM_PROCEDURES['libc']['strlen']
18 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy']
19 |
20 | hist_addr=self.state.history.bbl_addrs.hardcopy
21 | self.state.globals['block_addr']=hist_addr
22 |
23 | src_len = self.inline_call(strlen, src_addr).ret_expr
24 |
25 |
26 |
27 | mem_src=self.state.memory.load(src_addr,10)
28 | if self.state.solver.symbolic(mem_src) ==False:
29 | value=self.state.mem[src_addr.to_claripy()].string.concrete.decode('ascii','replace')
30 | self.state.globals['extra_const'].append(value)
31 | else:
32 | self.state.globals['extra_const'].append(src_len)
33 |
34 | self.inline_call(memcpy, dst_addr, src_addr,src_len+1)
35 |
36 | return dst_addr
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
--------------------------------------------------------------------------------
/Project_Files/source/simprocedure/wcslen.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 | """
4 |
5 | Created on Sat Feb 13 22:07:00 2021
6 |
7 | @authors: Ali Kamali
8 | Sara Baradaran
9 | Mahdi Heidari
10 |
11 | """
12 |
13 | import angr
14 |
15 | class wcslen(angr.SimProcedure):
16 | def run(self, s):
17 | print('in wcslen')
18 | f=angr.SIM_PROCEDURES['libc']['strlen']
19 | self.state.globals['iswchar']=True
20 | re = self.inline_call(f,s,wchar=True).ret_expr
21 | return re
22 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | ailment==9.0.9166
2 | angr==9.0.9166
3 | archinfo==9.0.9166
4 | bitstring==3.1.7
5 | cachetools==4.2.4
6 | capstone==4.0.2
7 | cffi==1.15.0
8 | claripy==9.0.9166
9 | cle==9.0.9166
10 | covertable==2.0.1
11 | CppHeaderParser==2.7.4
12 | decorator==4.4.2
13 | dpkt==1.9.7.2
14 | future==0.18.2
15 | gitdb==4.0.9
16 | GitPython==3.1.18
17 | itanium-demangler==1.0
18 | monkeyhex==1.7.4
19 | mpmath==1.2.1
20 | mulpyplexer==0.9
21 | nampa==0.1.1
22 | networkx==2.5.1
23 | numpy==1.19.5
24 | pandas==1.1.5
25 | pefile==2021.9.3
26 | plumbum==1.7.2
27 | ply==3.11
28 | progressbar2==3.55.0
29 | protobuf==3.19.3
30 | psutil==5.9.0
31 | pycparser==2.21
32 | pyelftools==0.27
33 | PySMT==0.9.1.dev139
34 | python-dateutil==2.8.2
35 | python-utils==3.1.0
36 | pytz==2021.3
37 | pyvex==9.0.9166
38 | rpyc==5.0.1
39 | scipy==1.5.4
40 | six==1.16.0
41 | smmap==5.0.0
42 | sortedcontainers==2.4.0
43 | sympy==1.9
44 | typing_extensions==4.0.1
45 | unicorn==1.0.2rc4
46 | z3-solver==4.8.14.0
47 |
--------------------------------------------------------------------------------