| Test Case ID | 153801 |
| Bad / Good / Mixed | Bad |
| Author | IARPA STONESOUP Test and Evaluation team |
| Associations | Test suite: 102 Application: 18 |
| Added by | Charles Oliveira |
| Language | C |
| Type of test case | Source Code |
| Input string | |
| Expected Output | |
| Instructions | See src/INSTALL file for instructions on how to install. |
| Submission date | 2015-10-06 |
| Description | This test case allocates a struct on the stack, with a 20-character buffer and a pointer following that buffer. It checks if the taint source is less than 20 characters. If so, it sets the 20-character buffer to all 0's, then sets the pointer following the buffer to point to the beginning of the buffer. It then calls realpath with the destination being the 20-character buffer inside the struct. If realpath evaluates to more than 20 characters, the buffer inside the struct will overflow into the pointer inside the struct. The test case then calls strlen on the pointer inside the struct. If an overflow has occurred, this pointer will be invalid, and a segmentation fault will occur. Metadata: Base program: Gimp; Source Taint: SOCKET; Data Type: SIMPLE; Data Flow: ADDRESS_AS_FUNCTION_RETURN_VALUE; Control Flow: UNCONDITIONAL_JUMP |
| File(s) |
|
| Flaw |
- tile-manager.c
- runFifos.py
- service_mon.sh
- C-C785D-GIMP-06-ST03-DT02-DF06-CF24-01.xml
- C-C785D-GIMP-06-ST03-DT02-DF06-CF24-01.yaml
File Contains:
CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer on line(s): 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936
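
The struct layout from the description above, with the length check moved from the input string to the resolved path (an added example, not code from tile-manager.c). `path_holder`, `resolve_checked` and the two demo functions are hypothetical names, and a writable `/tmp` is assumed.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Layout from the description: 20-byte buffer, then a pointer. Hypothetical name. */
struct path_holder { char buffer[20]; char *ptr; };

/* Resolve path into h->buffer only if the resolved form fits.
 * realpath(path, NULL) lets libc allocate the result (POSIX.1-2008), so the
 * length is known before anything is written next to h->ptr.
 * Returns 0 on success, -1 on resolution failure or oversize result. */
int resolve_checked(struct path_holder *h, const char *path)
{
    char *resolved = realpath(path, NULL);
    if (resolved == NULL) return -1;
    size_t len = strlen(resolved);
    int rc = -1;
    if (len < sizeof h->buffer) {
        memcpy(h->buffer, resolved, len + 1);
        rc = 0;
    }
    free(resolved);
    return rc;
}

/* "/" resolves to itself: accepted, pointer still aims at the buffer. */
int demo_short_ok(void)
{
    struct path_holder h = { {0}, NULL };
    h.ptr = h.buffer;
    return resolve_checked(&h, "/") == 0 && h.ptr == h.buffer && strcmp(h.ptr, "/") == 0;
}

/* Constructed case: a 1-character input (".") that resolves to more than 20. */
int demo_long_rejected(void)
{
    char dir[] = "/tmp/cwe785_added_example_XXXXXX", old[4096];
    struct path_holder h = { {0}, NULL };
    h.ptr = h.buffer;
    if (!getcwd(old, sizeof old) || !mkdtemp(dir)) return 0;
    int ok = chdir(dir) == 0 && resolve_checked(&h, ".") == -1
             && h.ptr == h.buffer && h.buffer[0] == '\0';
    if (chdir(old) != 0) ok = 0;
    rmdir(dir);
    return ok;
}

int main(void) { printf("%d %d\n", demo_short_ok(), demo_long_rejected()); return 0; }
```

The second demo shows why checking the input length is not enough: the input is one character long, yet its resolved form exceeds the 20-byte buffer and is rejected before any copy takes place.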

