This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...

This test case creates a struct on the stack that contains a function pointer and a char*. It examines the length of the taint source. If the length is not equal to 10, it sets the function pointer and char* within the struct to benign values. If the length is equal to 10, it does not set the fun...

This test case creates a buffer on the stack of 1024 bytes and a struct on the heap containing a 64-byte buffer and a pointer to the beginning of that buffer. It copies the taint source into the 1024-char buffer. It checks if the length of the taint source is less than the length of the 64-byte b...

This test case creates two buffers on the stack, one of 64 bytes and one of 1024 bytes. It copies the taint source into the larger buffer. It checks if the length of the taint source is less than the length of the shorter buffer. If it is, it uses strncpy to copy the taint source into the shorter...

This test case allocates a buffer on the heap, copies the input string into it, and then capitalizes each letter in the buffer. It searches that buffer to see if it contains the letter 'E', using a while loop that increments the pointer to the buffer each time through the loop. When it finds a le...

This test case creates a buffer on the stack of 1024 bytes and buffer on the heap of 64 bytes. It copies the taint source into the 1024-char buffer. It checks if the length of the taint source is less than the length of the 64-byte buffer. If it is, it uses strncpy to copy the taint source into t...

Metadata - Base program: Gimp - Source Taint: FILE_CONTENTS - Data Type: VOID_POINTER - Data Flow: BASIC - Control Flow: UNCONDITIONAL_JUMP

Metadata - Base program: Subversion - Source Taint: ENVIRONMENT_VARIABLE - Data Type: TYPEDEF - Data Flow: ADDRESS_AS_FUNCTION_RETURN_VALUE - Control Flow: SET_JUMP_LONG_JUMP

Metadata - Base program: OpenSSL - Source Taint: FILE_CONTENTS - Data Type: HEAP_POINTER - Data Flow: ADDRESS_AS_VARIABLE - Control Flow: UNCONDITIONAL_JUMP

Metadata - Base program: PostgreSQL - Source Taint: SOCKET - Data Type: STRUCT - Data Flow: ADDRESS_AS_CONSTANT - Control Flow: RECURSIVE

Metadata - Base program: PostgreSQL - Source Taint: SHARED_MEMORY - Data Type: ARRAY - Data Flow: ADDRESS_AS_NONLINEAR_EXPRESSION - Control Flow: UNCONDITIONAL_JUMP

Metadata - Base program: OpenSSL - Source Taint: ENVIRONMENT_VARIABLE - Data Type: SIMPLE - Data Flow: BUFFER_ADDRESS_POINTER - Control Flow: MACROS

Metadata - Base program: Wireshark - Source Taint: SHARED_MEMORY - Data Type: TYPEDEF - Data Flow: ADDRESS_AS_FUNCTION_RETURN_VALUE - Control Flow: MACROS

This test case takes an integer and checks for an upper limit. If the number is less than the upper limit, then, a buffer the size of the upper limit will be created and filled with 'a's. The buffer will then be filled with 'b's using the input integer. If the input is negative, this will result ...

This weakness reads a number and attempts to modify the two high bytes of it, if it is greater than 65535. If the calculation to modify the two high bytes is performed, it will happen incorrectly due to the placement of the pointer modification and it instead changes the bytes on function pointer...

This test case takes an unsigned long value and uses it in an initialization function for a struct. Within the initialization function, the long gets converted to an unsigned short when a struct uses the unsigned long as an initialization value for an unsigned short member. If the unsigned long n...

This test case implements two thread that both lock two shared mutex locks such that if the timing works out, they will cause each other to deadlock. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files are used ...

This test case takes the name of an externally accessible file as input, and treats the file as a global mutex lock. The test case will attempt to 'grab' the mutex lock by checking for the files existence, and creating it if it doesn't exist. The creation of the file is treated as grabbing the lo...

This test case implements a non-reentrant function that uses a static integer to iterate through a string setting each character to null. The test case takes a control integer and an input string. The control integer is used for timing within the test case to ensure that we hit either a good or b...

This test case implements an asynchronous unsafe signal handler that access a string without properly null checking the pointer. The test case takes the name of a control file and an input string. The control file is used for timing within the test case to ensure that the test case follows an exp...

This test case implements a non-reentrant function that uses a static integer to iterate through a string setting each character to null. The test case takes a control integer and an input string. The control integer is used for timing within the test case to ensure that we hit either a good or b...

This test case implements two thread that both lock two shared mutex locks such that if the timing works out, they will cause each other to deadlock. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files are used ...

This test case reads the taint source. If the length of the taint source is 63 bytes or less, it allocates a buffer to copy the taint source into. It then copies the taint source into the buffer, regardless of whether it actually allocated any memory or not. If it did not allocate memory, the buf...

CVE-2010-2995

CVE-2011-2597