This test case implements an sprintf that uses untrusted user input without a format string. The test case takes untrusted user input and passes it to an sprintf that does not implement a format string. This allows the user to pass format strings to the test case causing it to leak sensitive data...

This test case checks if the taint source is less than 20 characters, and if so, allocates a buffer on the heap with 20 characters. It sets the buffer to all 0's, then calls realpath on the taint source, with the destination being the 20-character heap buffer. If realpath evaluates to more than 2...

This test case implements a buffer that is used after it has been free()'d and it's memory allocated to another task. The test case takes a string as input and copies this string into an internal buffer allocated on the heap. For certain inputs (any string starting with an ASCII character with va...

This test case implements a heap allocated buffer that erroneously gets double free()'d causing a segfault. The test case takes an input string and copies it into a heap allocated buffer. It then checks to see if the first character is an 'a' or greater and if so, calls a function that finishes b...

This test case implements an incorrectly checked write into a buffer that is contained within a heap allocated struct. The buffer is declared as a struct member with a fixed size. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character ...

Metadata - Base program: GNU Grep - Source Taint: SOCKET - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: SEQUENCE

Metadata - Base program: Tree - Source Taint: FILE_CONTENTS - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: SEQUENCE

Metadata - Base program: PostgreSQL - Source Taint: FILE_CONTENTS - Data Type: STRUCT - Data Flow: ADDRESS_AS_LINEAR_EXPRESSION - Control Flow: MACROS

Metadata - Base program: Subversion - Source Taint: ENVIRONMENT_VARIABLE - Data Type: UNION - Data Flow: BASIC - Control Flow: RECURSIVE

Metadata - Base program: Gimp - Source Taint: FILE_CONTENTS - Data Type: TYPEDEF - Data Flow: BASIC - Control Flow: SEQUENCE

Metadata - Base program: OpenSSL - Source Taint: SHARED_MEMORY - Data Type: TYPEDEF - Data Flow: VAR_ARG_LIST - Control Flow: MACROS

Metadata - Base program: OpenSSL - Source Taint: ENVIRONMENT_VARIABLE - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: RECURSIVE

This test case takes an integer and mods it by four. That resulting number is then used to divide the number 1024, and the result is then printed. If the source integer is directly divisible by 4, this will result in a divide by zero error. Metadata - Base program: OpenSSL - Source Taint: SHAR...

This test case squares a positive number. If the number is large enough, the square will wrap around and become a negative number. The test case then uses the number as a decrementing counter in a while loop. If the number is negative when entering the loop, the loop will never terminate. Metadat...

This weakness reads a number to be used as a loop counter. The loop counter is initially read as an unsigned long, then converted to an int. If the number read in is larger than MAX_UINT, it is silently converted to a negative number. This breaks the loop counter logic, resulting in an infinite l...

This test case squares a positive number. If the number is large enough, the square will wrap around and become a negative number. The test case then uses the number as a decrementing counter in a while loop. If the number is negative when entering the loop, the loop will never terminate. Metadat...

This test case converts a user string to a short, and then converts that short to an unsigned int. If the short is negative, this will result in unexpected sign extension. The unsigned int value is used to determine how much data to read from a file, resulting in massive buffer overwrite if the f...

This test case implements a single signal handler that is associated with two signals. The test case takes the names of two control files and an input string. The control files are used for timing within the test case to ensure that the test case follows an exploiting or benign execution path, an...

This test case implements two thread that both lock two shared mutex locks such that if the timing works out, they will cause each other to deadlock. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files are used ...

This test case implements a missing lock check that allows two threads to access a shared character array simultaneously, leading to a null pointer deference. It takes an integer, the names of two control files, and an input string as input. The integer and two control files are used for timing, ...

This test case implements a singleton struct without synchronization that can lead to two threads receiving separate instances of the singleton struct resulting in a deadlocked state. It takes a control integer, the names of two control files, and another integer as input. The control integer and...

This test case reads the taint source. If it contains a non-alphanumeric value, the source taint buffer is set to NULL. Subsequently, strcpy is called with the source taint buffer as this source. This causes a null pointer dereference. Metadata - Base program: Wireshark - Source Taint: FILE_CON...

This test case reads entries from a comma-separated-value file. It expects to read 3 strings from a file in the format: double quote, up to 79 characters, double quote, comma; double quote, up to 79 characters, double quote, comma; and double quote, up to 79 characters, double quote. The test cas...

This test case reads the taint source. If it contains a non-alphanumeric value, the source taint buffer is set to NULL. Subsequently, strcpy is called with the source taint buffer as this source. This causes a null pointer dereference. Metadata - Base program: Subversion - Source Taint: FILE_CO...

This test case reads the taint source. If the length of the taint source is 63 bytes or less, it allocates a buffer to copy the taint source into. It then copies the taint source into the buffer, regardless of whether it actually allocated any memory or not. If it did not allocate memory, the buf...