This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size member of a struct that is allocated on the stack. Untrusted input is not properly sanitized or restricted before being used to determine the number of characters to read from the buffer. This allows...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size buffer as part of a struct on the heap. Untrusted input is not properly sanitized or restricted before being used as an index of the buffer to read. This allows inputs containing non-ascii characters...

This test case allocates a buffer on the stack, with a canary function pointer immediately after it. It checks if the taint source is less than 20 characters, and if so, it sets the canary function pointer to strlen and call realpath on the taint source, putting the result into the stack buffer. ...

This test case creates a buffer on the stack of 1024 bytes and a struct on the heap containing a 64-byte buffer and a pointer to the beginning of that buffer. It copies the taint source into the 1024-char buffer. It checks if the length of the taint source is less than the length of the 64-byte b...

Metadata - Base program: Tree - Source Taint: SOCKET - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: SEQUENCE

Metadata - Base program: Wireshark - Source Taint: ENVIRONMENT_VARIABLE - Data Type: UNION - Data Flow: BASIC - Control Flow: UNCONDITIONAL_JUMP

Metadata - Base program: PostgreSQL - Source Taint: ENVIRONMENT_VARIABLE - Data Type: SIMPLE - Data Flow: BUFFER_ADDRESS_ARRAY_INDEX - Control Flow: POINTER_TO_FUNCTION

Metadata - Base program: FFmpeg - Source Taint: SHARED_MEMORY - Data Type: SIMPLE - Data Flow: ADDRESS_AS_FUNCTION_RETURN_VALUE - Control Flow: RECURSIVE

Metadata - Base program: Gimp - Source Taint: SHARED_MEMORY - Data Type: VOID_POINTER - Data Flow: ADDRESS_AS_CONSTANT - Control Flow: SET_JUMP_LONG_JUMP

Metadata - Base program: FFmpeg - Source Taint: FILE_CONTENTS - Data Type: VOID_POINTER - Data Flow: BASIC - Control Flow: INDIRECTLY_RECURSIVE

Metadata - Base program: FFmpeg - Source Taint: FILE_CONTENTS - Data Type: UNION - Data Flow: ADDRESS_AS_FUNCTION_RETURN_VALUE - Control Flow: SEQUENCE

Metadata - Base program: PostgreSQL - Source Taint: SOCKET - Data Type: TYPEDEF - Data Flow: BUFFER_ADDRESS_POINTER - Control Flow: CALLBACK

Metadata - Base program: PostgreSQL - Source Taint: ENVIRONMENT_VARIABLE - Data Type: ARRAY - Data Flow: VAR_ARG_LIST - Control Flow: CALLBACK

This test case allocates a stack buffer of size 16. It takes the user input and performs a check to see if it is possible to copy the user input into a 16-byte buffer. If the user input is larger than 15 bytes, then the check method returns a -1. This value is converted to an unsigned type (size_...

This test case takes an integer and mods it by four. That resulting number is then used to divide the number 1024, and the result is then printed. If the source integer is directly divisible by 4, this will result in a divide by zero error. Metadata - Base program: OpenSSL - Source Taint: FILE...

Metadata - Base program: OpenSSL - Source Taint: ENVIRONMENT_VARIABLE - Data Type: HEAP_POINTER - Data Flow: VAR_ARG_LIST - Control Flow: MACROS

This weakness reads a number and attempts to modify the two high bytes of it, if it is greater than 65535. If the calculation to modify the two high bytes is performed, it will happen incorrectly due to the placement of the pointer modification and it instead changes the bytes on function pointer...

C programs have two main options for mutual exclusion of a shared resource in a concurrent setting: the mutex lock and the semaphore. Mutex locks exist in two states, locked and unlocked. However a semaphore, more specifically a counting semaphore, can be used to keep track of an arbitrary number...

This test case implements a single signal handler that is associated with two signals. The test case takes the names of two control files and an input string. The control files are used for timing within the test case to ensure that the test case follows an exploiting or benign execution path, an...

This test case looks for the substring 'aba' within the taint source. If it finds the substring, it sets a pointer called stonesoup_second_buff to the beginning of the 'aba' substring, and the weakness continues without incident. If it does not find the substring, stonesoup_second_buff retains it...

This test case reads the taint source. If the length of the taint source is 63 bytes or less, it allocates a buffer to copy the taint source into. It then copies the taint source into the buffer, regardless of whether it actually allocated any memory or not. If it did not allocate memory, the buf...

This test case reads a space-delimited string from the taint source. The first element in the string is the number of elements following it. The test cases reads in the following elements and outputs them. If there are fewer elements than expected, a segmentation fault occurs. Metadata - Base p...

This test case looks for the substring 'aba' within the taint source. If it finds the substring, it sets a pointer called stonesoup_second_buff to the beginning of the 'aba' substring, and the weakness continues without incident. If it does not find the substring, stonesoup_second_buff retains it...

This test case reads the taint source. If the length of the taint source is 63 bytes or less, it allocates a buffer to copy the taint source into. It then copies the taint source into the buffer, regardless of whether it actually allocated any memory or not. If it did not allocate memory, the buf...

CVE-2010-3133