Creating test case using base program. Added an environment variable read to the function definition. Completed injection. UNSPECIFIED UNSPECIFIED $SS_TC_ROOT/$SS_TC_INSTALL/bin/ffmpeg env ./configure --prefix="$SS_TC_ROOT/$SS_TC_INSTALL" --enable-pic --disable-static --enable-shared --disable-yasm --disable-doc --enable-pthreads --disable-w32threads --disable-os2threads --enable-zlib --enable-openssl --disable-asm --extra-cflags="$SS_CFLAGS" --extra-ldflags="$SS_LDFLAGS" --extra-libs="$SS_LIBS" mv config.mak config.mak.bak awk -v compiler="$SS_CC" '/CC=gcc/{gsub(/gcc/, compiler)};{print}' config.mak.bak > config.mak && true make V=1 make install V=1 remove the audio from a video Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -an -i grsm_0001-shorter.mov good-01/grsm_0001_no_audio.mov (GOOD-01-CENTOS OR GOOD-01-UBUNTU OR GOOD-01-DEBIAN) AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-01/grsm_0001_no_audio.mov good-01/grsm_0001_no_audio-centos.mov good-01/grsm_0001_no_audio.mov good-01/grsm_0001_no_audio-ubuntu.mov good-01/grsm_0001_no_audio.mov good-01/grsm_0001_no_audio-debian.mov DOES_NOT_RETURN CONTROLLED_EXIT change the frame rate and aspect ration of a video Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE This is probably not going to overflow a buffer of some sort. Let's run it anyway and see what happens. AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -r 20 -aspect 16:9 -i elis_m0001-shorter.mov good-02/elis_m0001_rate_aspect.mov (GOOD-02-CENTOS OR GOOD-02-UBUNTU OR GOOD-02-DEBIAN) AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-02/elis_m0001_rate_aspect.mov good-02/elis_m0001_rate_aspect-centos.mov good-02/elis_m0001_rate_aspect.mov good-02/elis_m0001_rate_aspect-ubuntu.mov good-02/elis_m0001_rate_aspect.mov good-02/elis_m0001_rate_aspect-debian.mov DOES_NOT_RETURN CONTROLLED_EXIT remove the audio and change the video format from .mov to .mp4 using the mpeg4 codec Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE As long as this statement has more than 64 characters, then nothing bad should happen AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -an -i bost_people_0001-shorter.mov -vcodec mpeg4 -strict -2 good-03/bost_people_0001.mp4 (GOOD-03-CENTOS OR GOOD-03-UBUNTU OR GOOD-03-DEBIAN) AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-03/bost_people_0001.mp4 good-03/bost_people_0001-centos.mp4 good-03/bost_people_0001.mp4 good-03/bost_people_0001-ubuntu.mp4 good-03/bost_people_0001.mp4 good-03/bost_people_0001-debian.mp4 DOES_NOT_RETURN CONTROLLED_EXIT copy the audio file and convert the number of audio channels to 2. Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -i ApacheTomcat-SomewhereInMyMind.mp3 -acodec copy -ac 2 good-04/ApacheTomcat_dualchannelaudio.mp3 GOOD-04 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-04/ApacheTomcat_dualchannelaudio.mp3 good-04/ApacheTomcat_dualchannelaudio.mp3 DOES_NOT_RETURN CONTROLLED_EXIT remove original audio from a file and combine the audio from another file to create a new video and audio file Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE This is probably not going to overflow a buffer of some sort. Let's run it anyway and see what happens. AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -an -i grsm_0001-shorter.mov -i ApacheTomcat-SomewhereInMyMind.mp3 -acodec copy good-05/combined.mov (GOOD-05-CENTOS OR GOOD-05-UBUNTU OR GOOD-05-DEBIAN) AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-05/combined.mov good-05/combined-centos.mov good-05/combined.mov good-05/combined-ubuntu.mov good-05/combined.mov good-05/combined-debian.mov DOES_NOT_RETURN CONTROLLED_EXIT Convert the size of a video to vga (640x480) Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE As long as this statement has more than 64 characters, then nothing bad should happen AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -i good-06/combined.mov -strict -2 -s vga good-06/combined_vga_sized.mov (GOOD-06-CENTOS OR GOOD-06-UBUNTU OR GOOD-06-DEBIAN) AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-06/combined_vga_sized.mov good-06/combined_vga_sized-centos.mov good-06/combined_vga_sized.mov good-06/combined_vga_sized-ubuntu.mov good-06/combined_vga_sized.mov good-06/combined_vga_sized-debian.mov DOES_NOT_RETURN CONTROLLED_EXIT Covert a .wav file to .mp2 at 22050Hz Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -i good-07/Bow_To_My_firewall.wav -ar 22050 good-07/Bow_To_My_firewall.mp2 GOOD-07 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-07/Bow_To_My_firewall.mp2 good-07/Bow_To_My_firewall.mp2 DOES_NOT_RETURN CONTROLLED_EXIT Change the bitrate and do it in two passes Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE This is probably not going to overflow a buffer of some sort. Let's run it anyway and see what happens. AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -b 300 -pass 2 -i grsm_0001-shorter.mov good-08/grsm_0001_bitrate.mov (GOOD-08-CENTOS OR GOOD-08-UBUNTU OR GOOD-08-DEBIAN) AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-08/grsm_0001_bitrate.mov good-08/grsm_0001_bitrate-centos.mov good-08/grsm_0001_bitrate.mov good-08/grsm_0001_bitrate-ubuntu.mov good-08/grsm_0001_bitrate.mov good-08/grsm_0001_bitrate-debian.mov DOES_NOT_RETURN CONTROLLED_EXIT Convert images into a video Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE As long as this statement has more than 64 characters, then nothing bad should happen AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -f image2 -i good-09/%03d.jpg -r 12 -s vga good-09/images.avi (GOOD-09-CENTOS OR GOOD-09-UBUNTU OR GOOD-09-DEBIAN) AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-09/images.avi good-09/images-centos.avi good-09/images.avi good-09/images-ubuntu.avi good-09/images.avi good-09/images-debian.avi DOES_NOT_RETURN CONTROLLED_EXIT Extract every fifth frame and convert it to an image Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read NONE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -i elis_m0001-shorter.mov -r 5 -s vga good-10/elise-%04d.jpg ((GOOD-10-1-CENTOS AND GOOD-10-2-CENTOS) OR (GOOD-10-1-UBUNTU AND GOOD-10-2-UBUNTU) OR (GOOD-10-1-DEBIAN AND GOOD-10-2-DEBIAN)) AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-10/elise-0001.jpg good-10/elise-0001-centos.jpg good-10/elise-0028.jpg good-10/elise-0028-centos.jpg good-10/elise-0001.jpg good-10/elise-0001-ubuntu.jpg good-10/elise-0028.jpg good-10/elise-0028-ubuntu.jpg good-10/elise-0001.jpg good-10/elise-0001-debian.jpg good-10/elise-0028.jpg good-10/elise-0028-debian.jpg DOES_NOT_RETURN CONTROLLED_EXIT Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read READ_APPLICATION_DATA QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUGugIE= AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -i ApacheTomcat-SomewhereInMyMind.mp3 -acodec copy -ac 2 good-04/ApacheTomcat_dualchannelaudio.mp3 weakness_started_vVTBX8xvlcyJam9H9s0t AND ((NOT PERFORMER AND (output_excess_non_null_XDy8RHPGRk) AND NOT timeout_SRQ6XUc9hR) or (PERFORMER AND NOT ((output_excess_non_null_XDy8RHPGRk) OR timeout_SRQ6XUc9hR))) (NOT PERFORMER AND (output_excess_non_null_XDy8RHPGRk) AND NOT timeout_SRQ6XUc9hR) or (PERFORMER AND NOT ((output_excess_non_null_XDy8RHPGRk) OR timeout_SRQ6XUc9hR)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION if (( $(/bin/grep -P "value [\x80-\xFF] appears: 5555 times" "logfile.txt" | wc -l) > 0)); then true; else false; fi; None stonesoup_trace:weakness_start Has a heap buffer of size 128 within a struct. reads in an ascii string from an environmentvariable and increments the corresponding values in the heap buffer. Then reads in an input and prints out the count of the characters from the heap buff of those in the input. If input contains extended ascii characters, they will be wrapped around to negative values and the buffer will be under read READ_APPLICATION_DATA SGVsbKUgV6lybGSI AAAABVVCUYEOAISDHGUEHGU:WOJOQIUFGUYGBJdjsafihuegakdlfm9238946665232kmemiucyds78fy2 $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -an -i grsm_0001-shorter.mov -i ApacheTomcat-SomewhereInMyMind.mp3 -acodec copy good-05/combined.mov weakness_started_ZvZkflbe4ZFCm7z8FbGe AND ((NOT PERFORMER AND (output_excess_non_null_HYsZHX2z16) AND NOT timeout_OblQZrlLRa) or (PERFORMER AND NOT ((output_excess_non_null_HYsZHX2z16) OR timeout_OblQZrlLRa))) (NOT PERFORMER AND (output_excess_non_null_HYsZHX2z16) AND NOT timeout_OblQZrlLRa) or (PERFORMER AND NOT ((output_excess_non_null_HYsZHX2z16) OR timeout_OblQZrlLRa)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION if (( $(/bin/grep -P "value [\x80-\xFF] appears: 5555 times" "logfile.txt" | wc -l) > 0)); then true; else false; fi; None stonesoup_trace:weakness_start