Displaying test cases 5001 - 5025 of 5043 in total
-
Sprintf is used to copy a string to a stack buffer. The length is guarded with a length specifier in the format string but the wrong length is given.
-
sprintf allows a stack buffer to be overrun.
-
Snprintf is called with a bad bound but is protected with a length specifier in the format string.
-
Snprintf is called with an improper bound. A guard in the caller prevents an overflow condition from occurring.
-
Snprintf is called with an improper bound. A guard in the caller attempts to prevent an overflow condition but is done incorrectly.
-
A snprintf with an improper bound is protected with a guard that prevents an overflow condition from occurring.
-
A snprintf with incorrect bound is used to copy a string. An attempt to prevent an overflow condition is made but the guard is incorrect.
-
snprintf is used repeatedly while keeping track of the residual buffer length.
-
snprintf is used repeatedly while keeping track of the residual buffer length, however an accounting error allows a stack buffer to be overrun.
-
Snprintf with a bad bound is used to copy a string. The buffer is protected from overflowing by a length qualifier in the format.
-
Sprintf with a bad bound allows a stack buffer to be overrun. An attempt is made to limit the string length with a length qualifier in the format, but it is done incorrectly.
-
Snprintf is used to copy several static strings. Although an incorrect bound is given to snprintf, neither string is large enough to cause a buffer overflow.
-
Snprintf is used to copy a large static string. Since an incorrect bound is specified the stack buffer is overrun.
-
snprintf with correct bounds safely copies a string into a stack buffer.
-
snprintf with incorrect bounds allows a stack buffer to be overrun.
-
A strcpy does not overflow a stack buffer because a check is made to avoid an overflow condition.
-
A strcpy overflows a stack buffer. A check was made to avoid an overflow condition but the check is off by one.
-
A strcpy is used to copy a string into a stack buffer. The caller shortens the string to prevent a buffer overflow from occurring.
-
A strcpy is used to copy a string into a stack buffer. The caller shortens the string but an overflow condition is still allowed.
-
A strcpy is used to copy a string into a stack buffer. Because the string is shortened first no buffer overflow occurs.
-
A strcpy is used to copy a string into a stack buffer. The string is shortened first but a buffer overflow is still allowed.
-
A strncpy safely copies a string into a stack buffer.
-
A strncpy is used to copy a string, but the length is given incorrectly, leading to a stack buffer overflow.
-
A strcpy overflows a stack buffer.
-
Buffer overflow if the input is not validated. Every operation may write outside the bound of the statically allocated character array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 28, Figure 2-2