CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Va...

CWE: 190 Integer Overflow BadSource: max Set data to the max value for int GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Variant: 07 C...

CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Variant: 66 Data ...

CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Va...

CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Variant: 18 Contr...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size member of a struct that is allocated on the heap. Untrusted input is not properly sanitized or restricted before being used to determine the number of characters to read from the buffer. This allows ...

This test case implements an unchecked read from a buffer. The buffer is allocated as a fixed size buffer on the heap. Untrusted input is not properly sanitized or restricted before being used to determine the number of characters to read from the buffer. This allows input greater than 63 charact...

This test case creates a buffer on the stack of 1024 bytes and a struct on the stack containing a 64-byte buffer and a pointer to the beginning of that buffer. It copies the taint source into the 1024-char buffer. It checks if the length of the taint source is less than the length of the 64-byte ...

This test case creates a function pointer that takes 2 const char * as input and returns an int. If the length of the taint source is 0 mod 3, the test case sets the function pointer to be strcmp. If the length of the taint source is 1 mod 3, the test case sets the function pointer to strcoll. Ot...

This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...

This test case checks if the taint source is less than 20 characters, and if so, allocates a buffer on the heap with 20 characters. It sets the buffer to all 0's, then calls realpath on the taint source, with the destination being the 20-character heap buffer. If realpath evaluates to more than 2...

Metadata - Base program: PostgreSQL - Source Taint: FILE_CONTENTS - Data Type: ARRAY - Data Flow: BASIC - Control Flow: INTERPROCEDURAL_1

Metadata - Base program: OpenSSL - Source Taint: ENVIRONMENT_VARIABLE - Data Type: TYPEDEF - Data Flow: BUFFER_ADDRESS_ARRAY_INDEX - Control Flow: CALLBACK

Metadata - Base program: PostgreSQL - Source Taint: SOCKET - Data Type: UNION - Data Flow: ADDRESS_ALIAS_50 - Control Flow: RECURSIVE

Metadata - Base program: PostgreSQL - Source Taint: ENVIRONMENT_VARIABLE - Data Type: UNION - Data Flow: INDEX_ALIAS_10 - Control Flow: SET_JUMP_LONG_JUMP

Metadata - Base program: Gimp - Source Taint: ENVIRONMENT_VARIABLE - Data Type: UNION - Data Flow: ADDRESS_AS_NONLINEAR_EXPRESSION - Control Flow: POINTER_TO_FUNCTION

Metadata - Base program: FFmpeg - Source Taint: SOCKET - Data Type: VOID_POINTER - Data Flow: BASIC - Control Flow: INDIRECTLY_RECURSIVE

Metadata - Base program: PostgreSQL - Source Taint: SHARED_MEMORY - Data Type: UNION - Data Flow: INDEX_ALIAS_1 - Control Flow: INFINITE_LOOP

Metadata - Base program: Subversion - Source Taint: SHARED_MEMORY - Data Type: UNION - Data Flow: ADDRESS_AS_CONSTANT - Control Flow: UNCONDITIONAL_JUMP

Metadata - Base program: Tree - Source Taint: SHARED_MEMORY - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: SEQUENCE

This weakness reads a number to be used as a loop counter. The loop counter is initially read as an unsigned long, then converted to an int. If the number read in is larger than MAX_UINT, it is silently converted to a negative number. This breaks the loop counter logic, resulting in an infinite l...

This test case converts a user string to a short, and then converts that short to an unsigned int. If the short is negative, this will result in unexpected sign extension. The unsigned int value is used to determine how much data to read from a file, resulting in massive buffer overwrite if the f...

This test case uses a counting semaphore initialized to one count of a shared resource to implement multiple unlocks of a critical resource for certain input. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files ...

This test case implements a time of check time of use vulnerability that allows arbitrary link following. The test case takes in a control file and an input file. The input file is checked to see if it is in the current working directory and not a symbolic link. If both of these conditions are tr...

This test case reads the taint source. If the length of the taint source is 63 bytes or less, it allocates a buffer to copy the taint source into. It then copies the taint source into the buffer, regardless of whether it actually allocated any memory or not. If it did not allocate memory, the buf...