This test case allocates a buffer on the heap, copies the input string into it, and then capitalizes each letter in the buffer. It searches that buffer to see if it contains the letter 'E', using a while loop that increments the pointer to the buffer each time through the loop. When it finds a le...

This test case implements an improper array index validation that can cause a function pointer to get overwritten leading to a segfault. The test case takes untrusted user input and uses it to calculate array indexes which then get modified. If the untrusted input contains certain ASCII character...

This test case implements an incorrectly checked write into a heap allocated buffer. The buffer is malloc()'d with a fixed size and pointed to by a local variable. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character to the first. Th...

This test case implements an unchecked write into a buffer is contained within a heap-allocated struct. The struct contains a function pointer, a fixed-size buffer, and another function pointer. Untrusted input is not properly sanitized or restricted before being copied into the target buffer, re...

This test case takes a buffer as input and copies it into another buffer. It then converts the new buffer to uppercase and prints it out. If the provided input is larger than the buffer it is being copied into, then this will result in a buffer overwrite due to access with an incorrect length. Th...

This test case creates a struct on the stack that contains a function pointer and a char*. It examines the length of the taint source. If the length is not equal to 10, it sets the function pointer and char* within the struct to benign values. If the length is equal to 10, it does not set the fun...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size buffer as part of a struct on the heap. Untrusted input is not properly sanitized or restricted before being used as an index of the buffer to read. This allows inputs containing non-ascii characters...

This test case creates a buffer on the stack of 1024 bytes and a struct on the stack containing a 64-byte buffer and a pointer to the beginning of that buffer. It copies the taint source into the 1024-char buffer. It checks if the length of the taint source is less than the length of the 64-byte ...

This test case creates a struct that has a message_type field and a message_data field. The message_type field should be 1 if the message_data field contains a char*, and 0 if it contains an int. The message_data field is set to be the taint source, and the message_type field is set to 1. If the ...

This test case takes a buffer as input and copies it into another buffer. It then converts the new buffer to uppercase and prints it out. If the provided input is larger than the buffer it is being copied into, then this will result in a buffer overwrite due to access with an incorrect length. Th...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size buffer as part of a struct on the heap. Untrusted input is not properly sanitized or restricted before being used as an index of the buffer to read. This allows inputs containing non-ascii characters...

This test case creates a function pointer that takes 2 const char * as input and returns an int. If the length of the taint source is 0 mod 3, the test case sets the function pointer to be strcmp. If the length of the taint source is 1 mod 3, the test case sets the function pointer to strcoll. Ot...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size member of a struct that is allocated on the stack. Untrusted input is not properly sanitized or restricted before being used to determine the number of characters to read from the buffer. This allows...

This test case implements an improper array index validation that can cause a function pointer to get overwritten leading to a segfault. The test case takes untrusted user input and uses it to calculate array indexes which then get modified. If the untrusted input contains certain ASCII character...

This test case checks if the taint source is less than 20 characters, and if so, allocates a buffer on the heap with 20 characters. It sets the buffer to all 0's, then calls realpath on the taint source, with the destination being the 20-character heap buffer. If realpath evaluates to more than 2...

This test case implements an incorrectly checked write into a buffer that is contained within a heap allocated struct. The buffer is declared as a struct member with a fixed size. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character ...

This test case implements an unchecked write into a stack allocated buffer. The buffer is declared as a fixed size local variable within a function. Untrusted input is not properly sanitized or restricted before being copied into the target buffer, resulting in a buffer overflow. The overflow pot...

This test case implements an incorrectly checked write into a buffer that is contained within a stack allocated struct. The buffer is declared as a struct member with a fixed size. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character...

This test case implements an incorrectly checked write into a heap allocated buffer. The buffer is malloc()'d with a fixed size and pointed to by a local variable. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character to the first. Th...

This test case creates two buffers on the stack, one of 64 bytes and one of 1024 bytes. It copies the taint source into the larger buffer. It checks if the length of the taint source is less than the length of the shorter buffer. If it is, it uses strncpy to copy the taint source into the shorter...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size buffer on the stack. Untrusted input is not properly sanitized or restricted before being used as an index of the buffer to read. This allows inputs containing non-ascii characters to wrap around to ...

This test case implements an sprintf that uses untrusted user input without a format string. The test case takes untrusted user input and passes it to an sprintf that does not implement a format string. This allows the user to pass format strings to the test case causing it to leak sensitive data...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size buffer on the stack. Untrusted input is not properly sanitized or restricted before being used as an index of the buffer to read. This allows inputs containing non-ascii characters to wrap around to ...

This test case implements an unchecked read from a buffer. The buffer is allocated as a fixed size buffer on the heap. Untrusted input is not properly sanitized or restricted before being used to determine the number of characters to read from the buffer. This allows input greater than 63 charact...

This test case creates a buffer on the stack of 1024 bytes and a struct on the stack containing a 64-byte buffer and a pointer to the beginning of that buffer. It copies the taint source into the 1024-char buffer. It checks if the length of the taint source is less than the length of the 64-byte ...