Displaying test cases 44326 - 44350 of 45437 in total
-
CWE: 191 Integer Underflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Underflow Flow Varia...
-
CWE: 191 Integer Underflow BadSource: min Set data to the min value for unsigned int GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Underflo...
-
CWE: 190 Integer Overflow BadSource: max Set data to the max value for short GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Variant: 42...
-
CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Va...
-
CWE: 190 Integer Overflow BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an over...
-
CWE: 190 Integer Overflow BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an over...
-
CWE: 190 Integer Overflow BadSource: max Set data to the max value for int64_t GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Variant: ...
-
CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Va...
-
CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Variant: 52 Data ...
-
CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Va...
-
This test case implements an sprintf that uses untrusted user input without a format string. The test case takes untrusted user input and passes it to an sprintf that does not implement a format string. This allows the user to pass format strings to the test case causing it to leak sensitive data...
-
This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...
-
This test case implements an incorrectly checked write into a buffer that is contained within a heap allocated struct. The buffer is declared as a struct member with a fixed size. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character ...
-
This test case implements a file read of 16 characters which does not properly null-terminate the copied string if the original string is 16 characters in length or greater. The test case takes the name of a file, opens the file, and reads up to the first 16 characters into an internal buffer of...
-
Metadata - Base program: Subversion - Source Taint: SOCKET - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: RECURSIVE
-
Metadata - Base program: Gimp - Source Taint: ENVIRONMENT_VARIABLE - Data Type: STRUCT - Data Flow: ADDRESS_AS_FUNCTION_RETURN_VALUE - Control Flow: INTERPROCEDURAL_1
-
Metadata - Base program: Tree - Source Taint: SHARED_MEMORY - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: SEQUENCE
-
Metadata - Base program: OpenSSL - Source Taint: FILE_CONTENTS - Data Type: TYPEDEF - Data Flow: VAR_ARG_LIST - Control Flow: INTERPROCEDURAL_50
-
This test case squares a positive number. If the number is large enough, the square will wrap around and become a negative number. The test case then uses the number as a decrementing counter in a while loop. If the number is negative when entering the loop, the loop will never terminate. Metadat...
-
This test case converts a user string to a short, and then converts that short to an unsigned int. If the short is negative, this will result in unexpected sign extension. The unsigned int value is used to determine how much data to read from a file, resulting in massive buffer overwrite if the f...
-
This test case takes an integer and mods it by four. That resulting number is then used to divide the number 1024, and the result is then printed. If the source integer is directly divisible by 4, this will result in a divide by zero error. Metadata - Base program: Gimp - Source Taint: FILE_CO...
-
This test case implements a non-reentrant function that uses a static integer to iterate through a string setting each character to null. The test case takes a control integer and an input string. The control integer is used for timing within the test case to ensure that we hit either a good or b...
-
This test case implements two threads that both lock two shared mutex locks such that, if the timing works out, they will cause each other to deadlock. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files are used ...
-
This test case reads a space-delimited string from the taint source. The first element in the string is the number of elements following it. The test case reads in the following elements and outputs them. If there are fewer elements than expected, a segmentation fault occurs. Metadata - Base p...
-
This test case reads the taint source. If it contains a non-alphanumeric value, the source taint buffer is set to NULL. Subsequently, strcpy is called with the source taint buffer as the source. This causes a null pointer dereference. Metadata - Base program: FFmpeg - Source Taint: SHARED_MEMO...