Syslog is called with a programmer supplied format string.

An ad-hoc string copy with bounds check does not overflows a stack buffer.

An ad hoc gets with bounds check does not allow a stack buffer to be overrun.

A string decode function properly checks for termination and no buffer overflow occurs.

Syslog is called with a programmer supplied format string.

Printf is called with a programmer supplied format string.

Integer pointer is assigned a value within current buffer.

Printf is called with a format from a table. This is not a defect.

Tainted input allows arbitrary files to be read and written. (fixed version)

A chroot() is performed with a chdir().

The semantics of virtual functions. As most C++ compilers implement virtual functions using a Virtual Function Table (VTBL). The VTBL is an array of function pointers that is used at runtime for dispatching virtual function calls. It"s possible to overwrite function pointers in the VTBL or change...

Exploits of the .dtors section. An attacker can transfer control to arbitrary code by overwriting the address of the function pointer in the .dtors section. This .dtors section exists only in programs that have been compiled and linked with GCC. From "Secure Coding in C and C++" by Robert C. Seac...

Extracting object from cin to std::string object. This example is quite safe because if there is a buffer overflow, C++ will throw a out_of_range exception. From "Secure Coding in C and C++" by Robert C. Seacord. Page 61, Figure 2-33

Input validation. The size of the first argument must be lower than 99 even it will produces a buffer overflow when copied into the buff array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 52, Figure 2-29

Extracting characters using the field width member. Ensure that the operator>> will not extract more thant 12 characters. From "Secure Coding in C and C++" by Robert C. Seacord. Page 29, Figure 2-5

Dynamic allocation of the character array ensure that sufficient space is allocated to copy the input and the null character. From "Secure Coding in C and C++" by Robert C. Seacord. Page 28, Figure 2-3

Memory for a Struct object is freed and not referenced further.

Memory is freed, then the pointer variable (not the memory location) is assigned a value.

Variable used as index of array is correctly initialized before use.

Variable used in boolean expression is correctly initialized before use.

Memory pointer is returned in function return value, and therefore can be freed at another point in the program.

No memory leak because of proper use of the delete() function.

Memory allocated via new() constructor is deallocated via delete() call.

fixed threaded_strncpy_fix1

fixed threaded_strcpy_fix1