Creating test case using base program. Added an environment variable read to the function definition. Completed injection. TRUE UNSPECIFIED UNSPECIFIED ./configure -v --prefix="$SS_TC_ROOT/$SS_TC_INSTALL" --with-apr="$SS_TC_DEPS/bin/apr-1-config" --with-apr-util="$SS_TC_DEPS/bin/apu-1-config" --with-serf --with-sqlite="$SS_TC_DEPS" --with-sasl --with-libmagic --with-zlib --without-kwallet --without-gnome-keyring --disable-keychain --without-trang --without-doxygen --without-swig --without-jikes --without-ctypesgen --without-junit --without-jdk --without-apxs --with-editor="/usr/bin/vi" --disable-shared --with-pic=yes make VERBOSE=1 CC="$SS_CC" CCLD="$SS_LNK" make install CC="$SS_CC" CCLD="$SS_LNK" create a repository Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE AAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svnserve -d --foreground -r $SS_TC_ROOT/testData/svnrepos --pid-file=$SS_TC_ROOT/$SS_TC_INSTALL/svnserve.pid STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT Checked out revision 0. DOES_NOT_RETURN CONTROLLED_EXIT commit a file Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE Hello World! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svnserve -d --foreground -r $SS_TC_ROOT/testData/svnrepos --pid-file=$SS_TC_ROOT/$SS_TC_INSTALL/svnserve.pid CHECKOUT AND ADD AND COMMIT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT Checked out revision 0. A file.txt good-02/output.txt DOES_NOT_RETURN CONTROLLED_EXIT diff two files using svn diff Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE Short is good $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn diff css/main.css css/main2.css STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-03/output.txt DOES_NOT_RETURN CONTROLLED_EXIT use svn mkdir to create a directory and add it to the svn repo Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE AAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn mkdir newdir STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT A newdir DOES_NOT_RETURN CONTROLLED_EXIT use svn to move a file and its position in the repo Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE Hello World! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn move 404.html js/ STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-05/output.txt DOES_NOT_RETURN CONTROLLED_EXIT run blame on 404.html Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE Short is good $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn blame 404.html STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-06/output.txt DOES_NOT_RETURN CONTROLLED_EXIT apply a patch Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE AAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn patch good-07.diff STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT U 404.html DOES_NOT_RETURN CONTROLLED_EXIT add a property Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE Hello World! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn propset rating "awesome" 404.html STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT property 'rating' set on '404.html' DOES_NOT_RETURN CONTROLLED_EXIT get a property Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE Short is good $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn propget rating 404.html STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT awesome DOES_NOT_RETURN CONTROLLED_EXIT delete a property Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read NONE AAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn propdel rating 404.html STDOUT AND NOT TIMEOUT AND NOT CONTROLLED_EXIT property 'rating' deleted from '404.html'. DOES_NOT_RETURN CONTROLLED_EXIT Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read READ_APPLICATION_DATA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svnserve -d --foreground -r $SS_TC_ROOT/testData/svnrepos --pid-file=$SS_TC_ROOT/$SS_TC_INSTALL/svnserve.pid weakness_started_rwvsIG9T8YM04vu2zTO7 AND ((NOT PERFORMER AND (output_exceeds_63_bytes_2jUZ7X2pef AND output_excess_non_null_l8DBHXD2an) AND NOT timeout_nL7GQKAPVl) or (PERFORMER AND NOT ((output_exceeds_63_bytes_2jUZ7X2pef AND output_excess_non_null_l8DBHXD2an) OR timeout_nL7GQKAPVl OR controlled_exit_0MNiRB02eK))) (NOT PERFORMER AND (output_exceeds_63_bytes_2jUZ7X2pef AND output_excess_non_null_l8DBHXD2an) AND NOT timeout_nL7GQKAPVl) or (PERFORMER AND NOT ((output_exceeds_63_bytes_2jUZ7X2pef AND output_excess_non_null_l8DBHXD2an) OR timeout_nL7GQKAPVl OR controlled_exit_0MNiRB02eK)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION if (( $(wc -c "../logfile.txt" | cut -d " " -f 1) > 126 )); then true; else false; fi; if (( $(head -c -126 "../logfile.txt" | tr -d '0\n' | wc -c) > 0 )); then true; else false; fi; None stonesoup_trace:weakness_start Has a fixed heap buffer of size 64, allocated within a struct When input has a larger size, the heap buffer will be over read READ_APPLICATION_DATA This is probably going to overflow a buffer of some sort. Let's run it anyway and see what happens. I hope that everything turns out ok, because I would love to see what this looks like in all CAPS. Converting ASCII characters to upper case is easy, you can either call a system function, or just add the standard difference between the start of the two character sets. But, I am sure there is a reason that system functions exist for this sort of functionality. $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 $SS_TC_ROOT/$SS_TC_INSTALL/bin/svn propset rating "awesome" 404.html weakness_started_tji1B9T51ckGX3qfDqYU AND ((NOT PERFORMER AND (output_exceeds_63_bytes_Qqf9UAVw1w AND output_excess_non_null_i7MSI0IjXi) AND NOT timeout_h0oHFQzAsZ) or (PERFORMER AND NOT ((output_exceeds_63_bytes_Qqf9UAVw1w AND output_excess_non_null_i7MSI0IjXi) OR timeout_h0oHFQzAsZ))) (NOT PERFORMER AND (output_exceeds_63_bytes_Qqf9UAVw1w AND output_excess_non_null_i7MSI0IjXi) AND NOT timeout_h0oHFQzAsZ) or (PERFORMER AND NOT ((output_exceeds_63_bytes_Qqf9UAVw1w AND output_excess_non_null_i7MSI0IjXi) OR timeout_h0oHFQzAsZ)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION if (( $(wc -c "../logfile.txt" | cut -d " " -f 1) > 126 )); then true; else false; fi; if (( $(head -c -126 "../logfile.txt" | tr -d '0\n' | wc -c) > 0 )); then true; else false; fi; None stonesoup_trace:weakness_start