Defect Type: Stack related defects Defect Sub-type: Cross thread stack access Description: Defect Free Code to identify false positives in cross thread access

This test case creates a struct on the stack that contains a function pointer and a char*. It examines the length of the taint source. If the length is not equal to 10, it sets the function pointer and char* within the struct to benign values. If the length is equal to 10, it does not set the fun...

This test case implements an improper array index validation that can cause a function pointer to get overwritten leading to a segfault. The test case takes untrusted user input and uses it to calculate array indexes which then get modified. If the untrusted input contains certain ASCII character...

This test case implements an unchecked read from a buffer. The buffer is allocated as a fixed size buffer on the heap. Untrusted input is not properly sanitized or restricted before being used to determine the number of characters to read from the buffer. This allows input greater than 63 charact...

This test case allocates a buffer on the heap, copies the input string into it, and then capitalizes each letter in the buffer. It searches that buffer to see if it contains the letter 'E', using a while loop that increments the pointer to the buffer each time through the loop. When it finds a le...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size buffer as part of a struct on the stack. Untrusted input is not properly sanitized or restricted before being used as an index of the buffer to read. This allows inputs containing non-ascii character...

This test case implements an improper array index validation that can cause a function pointer to get overwritten leading to a segfault. The test case takes untrusted user input and uses it to calculate array indexes which then get modified. If the untrusted input contains certain ASCII character...

Metadata - Base program: Gimp - Source Taint: SOCKET - Data Type: STRUCT - Data Flow: ADDRESS_ALIAS_1 - Control Flow: CALLBACK

Metadata - Base program: Gimp - Source Taint: ENVIRONMENT_VARIABLE - Data Type: VOID_POINTER - Data Flow: ADDRESS_AS_FUNCTION_RETURN_VALUE - Control Flow: CALLBACK

Metadata - Base program: Wireshark - Source Taint: SOCKET - Data Type: VOID_POINTER - Data Flow: INDEX_ALIAS_50 - Control Flow: INTERPROCEDURAL_50

Metadata - Base program: FFmpeg - Source Taint: FILE_CONTENTS - Data Type: HEAP_POINTER - Data Flow: BUFFER_ADDRESS_POINTER - Control Flow: INTERPROCEDURAL_2

Metadata - Base program: FFmpeg - Source Taint: FILE_CONTENTS - Data Type: VOID_POINTER - Data Flow: VAR_ARG_LIST - Control Flow: POINTER_TO_FUNCTION

Metadata - Base program: PostgreSQL - Source Taint: FILE_CONTENTS - Data Type: VOID_POINTER - Data Flow: ADDRESS_AS_LINEAR_EXPRESSION - Control Flow: INDIRECTLY_RECURSIVE

Metadata - Base program: Gimp - Source Taint: SOCKET - Data Type: SIMPLE - Data Flow: ADDRESS_AS_LINEAR_EXPRESSION - Control Flow: UNCONDITIONAL_JUMP

Metadata - Base program: Gimp - Source Taint: SHARED_MEMORY - Data Type: ARRAY - Data Flow: ADDRESS_ALIAS_2 - Control Flow: MACROS

This test case squares a positive number. If the number is large enough, the square will wrap around and become a negative number. The test case then uses the number as a decrementing counter in a while loop. If the number is negative when entering the loop, the loop will never terminate. Metadat...

This weakness reads a number to be used as a loop counter. The loop counter is initially read as an unsigned long, then converted to an int. If the number read in is larger than MAX_UINT, it is silently converted to a negative number. This breaks the loop counter logic, resulting in an infinite l...

This test case takes an unsigned long value and uses it in an initialization function for a struct. Within the initialization function, the long gets converted to an unsigned short when a struct uses the unsigned long as an initialization value for an unsigned short member. If the unsigned long n...

This test case uses a counting semaphore initialized to one count of a shared resource to implement multiple unlocks of a critical resource for certain input. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files ...

This test case implements a non-reentrant function that is called by a signal handler. The test case takes a control file and input string as input. The control file is used for timing and the input string is used as data for the test case to manipulate. The test case assigns a signal handler tha...

This test case implements two threads that each use a separate mutex lock object while accessing a shared resource. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files are used for timing within the test case to...

This test case implements two threads that do not use synchronization while accessing a shared resource. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files are used for timing within the test case to ensure tha...

This test case reads the taint source. If the length of the taint source is 63 bytes or less, it allocates a buffer to copy the taint source into. It then copies the taint source into the buffer, regardless of whether it actually allocated any memory or not. If it did not allocate memory, the buf...

This test case reads entries from a comma-separated-value file. It expects to read 3 strings from a file in the format: double quote, up to 79 characters, double quote, comma; double quote, up to 79 characters, double quote, comma; and double quote, up to 79 characters, double quote. The test cas...

This test case looks for the substring 'aba' within the taint source. If it finds the substring, it sets a pointer called stonesoup_second_buff to the beginning of the 'aba' substring, and the weakness continues without incident. If it does not find the substring, stonesoup_second_buff retains it...