CWE: 191 Integer Underflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Underflow Flow Varia...

CWE: 191 Integer Underflow BadSource: min Set data to the min value for short GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Underflow Flow...

CWE: 191 Integer Underflow BadSource: rand Set data to result of rand(), which may be zero GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Un...

CWE: 191 Integer Underflow BadSource: min Set data to the min value for int64_t GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Underflow Fl...

CWE: 191 Integer Underflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Underf...

CWE: 191 Integer Underflow BadSource: min Set data to the min value for int64_t GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Underflow Fl...

CWE: 191 Integer Underflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (negative two) Sinks: decrement GoodSink: Ensure there will not be an underflow before decrementing data BadSink : Decrement data, which can cause an Underf...

CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Variant: 01 Baseline

CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Va...

CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: increment GoodSink: Ensure there will not be an overflow before incrementing data BadSink : Increment data, which can cause an overflow Flow Va...

Defect Type: Concurrency defects Defect Sub-type: Unlock without lock Description: Defect Code to identify if a shared resource is unlocked without preceeding lock The test case contains coincidental weaknesses along with intended ones as follows for file unlock_without_lock.c: * line(s): 43,104,...

This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...

This test case creates a function pointer that takes 2 const char * as input and returns an int. If the length of the taint source is 0 mod 3, the test case sets the function pointer to be strcmp. If the length of the taint source is 1 mod 3, the test case sets the function pointer to strcoll. Ot...

This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...

This test case allocates a struct on the stack, with a 20-character buffer and a pointer following that buffer. It checks if the taint source is less than 20 characters. If so, it sets the 20-charcter buffer to all 0's then sets the pointer following the buffer to point to the beginning of the bu...

This test case implements an incorrectly checked write into a stack allocated buffer. The buffer is declared as a fixed size local variable within a function. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character to the first. This al...

Metadata - Base program: PostgreSQL - Source Taint: SOCKET - Data Type: UNION - Data Flow: INDEX_ALIAS_1 - Control Flow: CALLBACK

Metadata - Base program: Gimp - Source Taint: FILE_CONTENTS - Data Type: SIMPLE - Data Flow: BUFFER_ADDRESS_POINTER - Control Flow: SEQUENCE

Metadata - Base program: Subversion - Source Taint: SHARED_MEMORY - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: RECURSIVE

Metadata - Base program: Gimp - Source Taint: SHARED_MEMORY - Data Type: TYPEDEF - Data Flow: VAR_ARG_LIST - Control Flow: INTERPROCEDURAL_1

This weakness reads a number and attempts to modify the two high bytes of it, if it is greater than 65535. If the calculation to modify the two high bytes is performed, it will happen incorrectly due to the placement of the pointer modification and it instead changes the bytes on function pointer...

This test case takes an integer and checks for an upper limit. If the number is less than the upper limit, then, a buffer the size of the upper limit will be created and filled with 'a's. The buffer will then be filled with 'b's using the input integer. If the input is negative, this will result ...

This test case allocates a stack buffer of size 16. It takes the user input and performs a check to see if it is possible to copy the user input into a 16-byte buffer. If the user input is larger than 15 bytes, then the check method returns a -1. This value is converted to an unsigned type (size_...

This test case implements a singleton struct without synchronization that can lead to two threads receiving separate instances of the singleton struct resulting in a deadlocked state. It takes a control integer, the names of two control files, and another integer as input. The control integer and...

This test case reads the taint source, and converts it to an integer, then an unsigned int. It uses a wrapped malloc to allocate a buffer of the size specified by the taint source. If the size is greater than 512, the wrapped malloc returns NULL. The program attempts to use the buffer, and if the...