CWE: 690 Unchecked Return Value To NULL Pointer BadSource: malloc Allocate data using malloc() Sinks: GoodSink: Check to see if the data allocation failed and if not, use data BadSink : Dont check for NULL and use data Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_...

CWE: 690 Unchecked Return Value To NULL Pointer BadSource: realloc Allocate data using realloc() Sinks: GoodSink: Check to see if the data allocation failed and if not, use data BadSink : Dont check for NULL and use data Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONS...

CWE: 590 Free Memory Not on Heap BadSource: static Data buffer is declared static on the stack GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)

CWE: 563 Unused Variable BadSource: Initialize data Sinks: GoodSink: Use data BadSink : do nothing Flow Variant: 17 Control flow: for loops

CWE: 377 Insecure Temporary File Sinks: mktemp GoodSink: Create and open a temporary file, created with _wmktemp(), more securely BadSink : Create and open a temporary file, created with _wmktemp(), insecurely Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)

CWE: 272 Least Privilege Violation Sinks: RegCreateKeyEx GoodSink: Create a registry key using RegCreateKeyExA() and HKEY_CURRENT_USER BadSink : Create a registry key using RegCreateKeyExA() and HKEY_LOCAL_MACHINE Flow Variant: 15 Control flow: switch(6)

CWE: 259 Use of Hard-coded Password BadSource: Use a hardcoded password GoodSource: Read the password from the console Sinks: BadSink : Authenticate the user using LogonUserA() Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same sourc...

CWE: 197 Numeric Truncation Error BadSource: rand Set data to result of RAND32(), which could be negative GoodSource: Less than CHAR_MAX Sink: BadSink : Convert data to a char Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file ...

CWE: 197 Numeric Truncation Error BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Less than CHAR_MAX Sink: BadSink : Convert data to a char Flow Variant: 54 Data flow: data passed as an argument from one function through three others to a fifth; all five fu...

CWE: 197 Numeric Truncation Error BadSource: rand Set data to result of rand(), which may be zero GoodSource: Less than CHAR_MAX Sink: to_short BadSink : Convert data to a short Flow Variant: 51 Data flow: data passed as an argument from one function to another in different source files

CWE: 197 Numeric Truncation Error BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Less than CHAR_MAX Sinks: to_short BadSink : Convert data to a short Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files

CWE: 196 Unsigned To Signed Conversion Error Sinks: GoodSink: Dont allow very large values of intUnsigned BadSink : Convert a possibly large unsigned int (larger than INT_MAX) to an int Flow Variant: 17 Control flow: for loops

CWE: 191 Integer Underflow BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Set data to a small, non-zero number (negative two) Sinks: sub GoodSink: Ensure there will not be an underflow before subtracting 1 from data BadSink : Subtract 1 from data, which ca...

CWE: 190 Integer Overflow BadSource: max Set data to the max value for short GoodSource: Set data to a small, non-zero number (two) Sinks: multiply GoodSink: Ensure there will not be an overflow before multiplying data by 2 BadSink : If data is positive, multiply by 2, which can cause an ove...

CWE: 134 Uncontrolled Format String BadSource: file Read input from a file GoodSource: Copy a fixed string into data Sinks: fprintf GoodSink: fprintf with %s as the second argument and data as the third BadSink : fprintf with data as the second argument Flow Variant: 68 Data flow: data pass...

CWE: 134 Uncontrolled Format String BadSource: console Read input from the console GoodSource: Copy a fixed string into data Sinks: vprintf GoodSink: vprintf with a format string BadSink : vprintf without a format string Flow Variant: 18 Control flow: goto statements

CWE: 124 Buffer Underwrite BadSource: fgets Read data from the console using fgets() GoodSource: Non-negative but less than 10 Sinks: GoodSink: Ensure the array index is valid BadSink : Improperly check the array index by not checking the lower bound Flow Variant: 45 Data flow: data passed ...

CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: ncpy BadSink : Copy data to string using strncpy Flow Variant: 63 Data flow: pointer to data passed from one function to another in different source files

CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: ncpy BadSink : Copy data to string using strncpy Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)

CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sink: memmove BadSink : Copy int64_t array to data using memmove Flow Variant: 01 Baseline

CWE: 121 Stack Based Buffer Overflow BadSource: Point data to a buffer that does not have space for a NULL terminator GoodSource: Point data to a buffer that includes space for a NULL terminator Sink: loop BadSink : Copy array to data using a loop Flow Variant: 15 Control flow: switch(6)

CWE: 121 Stack Based Buffer Overflow BadSource: Point data to a buffer that does not have space for a NULL terminator GoodSource: Point data to a buffer that includes space for a NULL terminator Sinks: memcpy BadSink : Copy string to data using memcpy() Flow Variant: 31 Data flow using a co...

CWE: 114 Process Control BadSource: file Read input from a file GoodSource: Hard code the full pathname to the library Sink: BadSink : Load a dynamic link library Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)

A strcpy is used to copy a string into a stack buffer. The caller shortens the string but an overflow condition is still allowed.

Buffer Overflow. This code has been donated by MIT. This test case has the following characteristics : write/read = Write, Which bound = Upper, Data type = character, Memory location = stack, Scope = same, Container = no, Pointer = no, Index complexity = constant, Address complexity = arr...