This test case implements an unchecked write into a buffer that is contained within stack-allocated struct. The struct contains a function pointer, a fixed-size buffer, and another function pointer. Untrusted input is not properly sanitized or restricted before being copied into the target buffer...

This test case implements an unchecked write into a heap allocated buffer. The buffer is malloc'ed with a fixed size. Untrusted input is not properly sanitized or restricted before being copied into the target buffer, resulting in a buffer overflow. The overflow potentially modifies other variabl...

This test case implements an file read of 128 characters which does not properly null terminate the copied string if the original string is 128 characters in length or greater. The test case takes the name of a file, opens the file, and reads up to the first 128 characters into an internal buffer...

This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...

This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...

This test case allocates a buffer on the stack, with a canary function pointer immediately after it. It checks if the taint source is less than 20 characters, and if so, it sets the canary function pointer to strlen and call realpath on the taint source, putting the result into the stack buffer. ...

This test case implements a heap allocated buffer that erroneously gets double free()'d causing a segfault. The test case takes an input string and copies it into a heap allocated buffer. It then checks to see if the first character is an 'a' or greater and if so, calls a function that finishes b...

This test case implements an unchecked write into a heap allocated buffer. The buffer is malloc'ed with a fixed size. Untrusted input is not properly sanitized or restricted before being copied into the target buffer, resulting in a buffer overflow. The overflow potentially modifies other variabl...

This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size buffer as part of a struct on the heap. Untrusted input is not properly sanitized or restricted before being used as an index of the buffer to read. This allows inputs containing non-ascii characters...

This test case implements an incorrectly checked write into a heap allocated buffer. The buffer is malloc()'d with a fixed size and pointed to by a local variable. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character to the first. Th...

This test case implements an improper array index validation that can cause a function pointer to get overwritten leading to a segfault. The test case takes untrusted user input and uses it to calculate array indexes which then get modified. If the untrusted input contains certain ASCII character...

This test case implements an improper array index validation that can cause a function pointer to get overwritten leading to a segfault. The test case takes untrusted user input and uses it to calculate array indexes which then get modified. If the untrusted input contains certain ASCII character...

This test case allocates a buffer on the stack, with a canary function pointer immediately after it. It checks if the taint source is less than 20 characters, and if so, it sets the canary function pointer to strlen and call realpath on the taint source, putting the result into the stack buffer. ...

This test case implements an incorrectly checked write into a buffer that is contained within a stack allocated struct. The buffer is declared as a struct member with a fixed size. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size member of a struct that is allocated on the heap. Untrusted input is not properly sanitized or restricted before being used to determine the number of characters to read from the buffer. This allows ...

This test case implements an unchecked read from a buffer. The buffer is declared as a fixed size buffer as part of a struct on the heap. Untrusted input is not properly sanitized or restricted before being used as an index of the buffer to read. This allows inputs containing non-ascii characters...

This test case implements an incorrectly checked write into a heap allocated buffer. The buffer is malloc()'d with a fixed size and pointed to by a local variable. Untrusted input is not properly sanitized or restricted before being copied into the buffer, from the last character to the first. Th...

This test case implements a buffer that is used after it has been free()'d and it's memory allocated to another task. The test case takes a string as input and copies this string into an internal buffer allocated on the heap. For certain inputs (any string starting with an ASCII character with va...

This test case implements an sprintf that uses untrusted user input without a format string. The test case takes untrusted user input and passes it to an sprintf that does not implement a format string. This allows the user to pass format strings to the test case causing it to leak sensitive data...

This test case creates a struct on the stack that contains a function pointer and a char*. It examines the length of the taint source. If the length is not equal to 10, it sets the function pointer and char* within the struct to benign values. If the length is equal to 10, it does not set the fun...

This test case implements an improper array index validation that can cause a function pointer to get overwritten leading to a segfault. The test case takes untrusted user input and uses it to calculate array indexes which then get modified. If the untrusted input contains certain ASCII character...

This test case creates a struct on the stack that contains a function pointer and a char*. It examines the length of the taint source. If the length is not equal to 10, it sets the function pointer and char* within the struct to benign values. If the length is equal to 10, it does not set the fun...

This test case implements an unchecked write into a buffer that is contained within stack-allocated struct. The struct contains a function pointer, a fixed-size buffer, and another function pointer. Untrusted input is not properly sanitized or restricted before being copied into the target buffer...

This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer, using strncpy, but the length is incorrectly capped at the leng...