Creating test case using base program. Added an environment variable read to the function definition. Completed injection. UNSPECIFIED UNSPECIFIED $SS_TC_ROOT/$SS_TC_INSTALL/bin/tree make install CC="$SS_CC" LD="$SS_LNK" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" LDFLAGS="$LDFLAGS" prefix="$SS_TC_ROOT/$SS_TC_INSTALL" LIBS="$LIBS" Has a fixed heap buffer of size 64. (malloc(64*sizeof(char))) When input has a larger size, the heap buffer will be over read NONE AAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 --charset ASCII --sort=name -n -q input/good-01 STDOUT-REPORT-01 AND STDOUT-CONTENT-LENGTH-01 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT 5 directories, 10 files SIMILAR DOES_NOT_RETURN CONTROLLED_EXIT Has a fixed heap buffer of size 64. (malloc(64*sizeof(char))) When input has a larger size, the heap buffer will be over read NONE Hello World! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 --charset ASCII --sort=name -n -q -L 2 input/good-02 STDOUT-REPORT-02 AND STDOUT-CONTENT-LENGTH-02 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT 5 directories, 4 files SIMILAR DOES_NOT_RETURN CONTROLLED_EXIT Has a fixed heap buffer of size 64. (malloc(64*sizeof(char))) When input has a larger size, the heap buffer will be over read NONE Short is good $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 --charset ASCII --sort=name -n -q -J input/good-03 STDOUT-REPORT-03 AND STDOUT-CONTENT-LENGTH-03 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT {"type":"report","directories":7,"files":367} SIMILAR DOES_NOT_RETURN CONTROLLED_EXIT Has a fixed heap buffer of size 64. (malloc(64*sizeof(char))) When input has a larger size, the heap buffer will be over read NONE AAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 --charset ASCII --sort=name -n -q -P "test*" -F input/good-03 STDOUT-REPORT-04 AND STDOUT-CONTENT-LENGTH-04 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT 7 directories, 62 files SIMILAR DOES_NOT_RETURN CONTROLLED_EXIT Has a fixed heap buffer of size 64. (malloc(64*sizeof(char))) When input has a larger size, the heap buffer will be over read NONE Hello World! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 --charset ASCII --sort=name -n -q -H "" input/good-01 STDOUT-REPORT-05 AND STDOUT-CONTENT-LENGTH-05 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT 5 directories, 10 files SIMILAR DOES_NOT_RETURN CONTROLLED_EXIT Has a fixed heap buffer of size 64. (malloc(64*sizeof(char))) When input has a larger size, the heap buffer will be over read READ_APPLICATION_DATA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 --charset ASCII --sort=name -n -q -H "" input/good-01 weakness_started_bV80MpejWleTussTJEy0 AND ((NOT PERFORMER AND (output_exceeds_63_bytes_QUukDHG4KD AND output_excess_non_null_RUu4EzESMk) AND NOT timeout_ciZXdEXr23) or (PERFORMER AND NOT ((output_exceeds_63_bytes_QUukDHG4KD AND output_excess_non_null_RUu4EzESMk) OR timeout_ciZXdEXr23))) (NOT PERFORMER AND (output_exceeds_63_bytes_QUukDHG4KD AND output_excess_non_null_RUu4EzESMk) AND NOT timeout_ciZXdEXr23) or (PERFORMER AND NOT ((output_exceeds_63_bytes_QUukDHG4KD AND output_excess_non_null_RUu4EzESMk) OR timeout_ciZXdEXr23)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION if (( $(wc -c "logfile.txt" | cut -d " " -f 1) > 126 )); then true; else false; fi; if (( $(head -c -126 "logfile.txt" | tr -d '0\n' | wc -c) > 0 )); then true; else false; fi; None stonesoup_trace:weakness_start Has a fixed heap buffer of size 64. (malloc(64*sizeof(char))) When input has a larger size, the heap buffer will be over read READ_APPLICATION_DATA This is probably going to overflow a buffer of some sort. Let's run it anyway and see what happens. I hope that everything turns out ok, because I would love to see what this looks like in all CAPS. Converting ASCII characters to upper case is easy, you can either call a system function, or just add the standard difference between the start of the two character sets. But, I am sure there is a reason that system functions exist for this sort of functionality. $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 --charset ASCII --sort=name -n -q input/good-01 weakness_started_D3kWCk4iT9SSZvjZzTas AND ((NOT PERFORMER AND (output_exceeds_63_bytes_nOtsrRDKl0 AND output_excess_non_null_bKrJ41D08S) AND NOT timeout_jTB5xsbb8n) or (PERFORMER AND NOT ((output_exceeds_63_bytes_nOtsrRDKl0 AND output_excess_non_null_bKrJ41D08S) OR timeout_jTB5xsbb8n))) (NOT PERFORMER AND (output_exceeds_63_bytes_nOtsrRDKl0 AND output_excess_non_null_bKrJ41D08S) AND NOT timeout_jTB5xsbb8n) or (PERFORMER AND NOT ((output_exceeds_63_bytes_nOtsrRDKl0 AND output_excess_non_null_bKrJ41D08S) OR timeout_jTB5xsbb8n)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION if (( $(wc -c "logfile.txt" | cut -d " " -f 1) > 126 )); then true; else false; fi; if (( $(head -c -126 "logfile.txt" | tr -d '0\n' | wc -c) > 0 )); then true; else false; fi; None stonesoup_trace:weakness_start