/* GIMP - The GNU Image Manipulation Program
* Copyright (C) 1995 Spencer Kimball and Peter Mattis
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see .
*/
#include "config.h"
#include
#include "base-types.h"
#include "tile.h"
#include "tile-cache.h"
#include "tile-manager.h"
#include "tile-rowhints.h"
#include "tile-swap.h"
#include "tile-private.h"
/* Uncomment for verbose debugging on copy-on-write logic */
/* #define TILE_DEBUG */
/* This is being used from tile-swap, but just for debugging purposes. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
static gint tile_ref_count = 0;
#ifdef TILE_PROFILING
#endif
static void tile_destroy(Tile *tile);
int chiffony_misreceive = 0;
int stonesoup_global_variable;
void* stonesoup_printf_context = NULL;
void stonesoup_setup_printf_context() {
struct stat st = {0};
char * ss_tc_root = NULL;
char * dirpath = NULL;
int size_dirpath = 0;
char * filepath = NULL;
int size_filepath = 0;
int retval = 0;
ss_tc_root = getenv("SS_TC_ROOT");
if (ss_tc_root != NULL) {
size_dirpath = strlen(ss_tc_root) + strlen("testData") + 2;
dirpath = (char*) malloc (size_dirpath * sizeof(char));
if (dirpath != NULL) {
sprintf(dirpath, "%s/%s", ss_tc_root, "testData");
retval = 0;
if (stat(dirpath, &st) == -1) {
retval = mkdir(dirpath, 0700);
}
if (retval == 0) {
size_filepath = strlen(dirpath) + strlen("logfile.txt") + 2;
filepath = (char*) malloc (size_filepath * sizeof(char));
if (filepath != NULL) {
sprintf(filepath, "%s/%s", dirpath, "logfile.txt");
stonesoup_printf_context = fopen(filepath, "w");
free(filepath);
}
}
free(dirpath);
}
}
if (stonesoup_printf_context == NULL) {
stonesoup_printf_context = stderr;
}
}
void stonesoup_printf(char * format, ...) {
va_list argptr;
va_start(argptr, format);
vfprintf(stonesoup_printf_context, format, argptr);
va_end(argptr);
fflush(stonesoup_printf_context);
}
void stonesoup_close_printf_context() {
if (stonesoup_printf_context != NULL &&
stonesoup_printf_context != stderr) {
fclose(stonesoup_printf_context);
}
}
void stonesoup_read_taint(char** stonesoup_tainted_buff, char* stonesoup_envKey, int stonesoup_shmsz) {
int stonesoup_shmid;
key_t stonesoup_key;
char *stonesoup_shm, *stonesoup_s;
char* stonesoup_envSize = NULL;
*stonesoup_tainted_buff = NULL;
if (getenv("STONESOUP_DISABLE_WEAKNESS") == NULL ||
strcmp(getenv("STONESOUP_DISABLE_WEAKNESS"), "1") != 0) {
if(stonesoup_envKey != NULL) {
if(sscanf(stonesoup_envKey, "%d", &stonesoup_key) > 0) {
if ((stonesoup_shmid = shmget(stonesoup_key, stonesoup_shmsz, 0666)) >= 0) {
if ((stonesoup_shm = shmat(stonesoup_shmid, NULL, 0)) != (char *) -1) {
*stonesoup_tainted_buff = (char*)calloc(stonesoup_shmsz, sizeof(char));
/* STONESOUP: SOURCE-TAINT (Shared Memory) */
for (stonesoup_s = stonesoup_shm; *stonesoup_s != (char)0; stonesoup_s++) {
(*stonesoup_tainted_buff)[stonesoup_s - stonesoup_shm] = *stonesoup_s;
}
}
}
}
}
} else {
*stonesoup_tainted_buff = NULL;
}
}
void uneddying_mentobregmatic(int gombeen_unorientally,char **acopon_lacer);
char stonesoup_process_buffer(char *buffer_param)
{
tracepoint(stonesoup_trace, trace_location, "/tmp/tmpF3kDtW_ss_testcase/src-rose/app/base/tile.c", "stonesoup_process_buffer");
char first_char;
first_char = buffer_param[0] - 97;
free(buffer_param);
return first_char;
}
int stonesoup_toupper(int c)
{
if (c >= 97 && c <= 122) {
return c - 32;
}
return c;
}
Tile *tile_new(gint bpp)
{
Tile *tile = (Tile *)(g_slice_alloc0(sizeof(Tile )));
tile -> ewidth = 64;
tile -> eheight = 64;
tile -> bpp = bpp;
tile -> swap_offset = (- 1);
#ifdef TILE_PROFILING
#endif
return tile;
}
void tile_lock(Tile *tile)
{
/* Increment the global reference count.
*/
tile_ref_count++;
/* Increment this tile's reference count.
*/
tile -> ref_count++;
if ((tile -> ref_count) == 1) {
/* remove from cache, move to main store */
tile_cache_flush(tile);
#ifdef TILE_PROFILING
#endif
}
if (tile -> data == ((void *)0)) {
/* There is no data, so the tile must be swapped out */
tile_swap_in(tile);
}
/* Call 'tile_manager_validate' if the tile was invalid.
*/
if (!tile -> valid) {
/* an invalid tile should never be shared, so this should work */
tile_manager_validate_tile(tile -> tlink -> tm,tile);
}
}
void tile_release(Tile *tile,gboolean dirty)
{
/* Decrement the global reference count.
*/
tile_ref_count--;
/* Decrement this tile's reference count.
*/
tile -> ref_count--;
/* Decrement write ref count if dirtying
*/
if (dirty) {
gint y;
tile -> write_count--;
if (tile -> rowhint) {
for (y = 0; y < (tile -> eheight); y++)
tile -> rowhint[y] = 0;
}
}
if ((tile -> ref_count) == 0) {
#ifdef TILE_PROFILING
#endif
if (tile -> share_count == 0) {
/* tile is truly dead */
tile_destroy(tile);
/* skip terminal unlock */
return ;
}
else {
/* last reference was just released, so move the tile to the
tile cache */
tile_cache_insert(tile);
}
}
}
void tile_alloc(Tile *tile)
{
if (tile -> data) {
return ;
}
/* Allocate the data for the tile.
*/
tile -> data = ((guchar *)(g_malloc_n((tile -> size),sizeof(guchar ))));
#ifdef TILE_PROFILING
#endif
}
static void tile_destroy(Tile *tile)
{
if (tile -> ref_count) {
g_log("Gimp-Base",G_LOG_LEVEL_WARNING,"tried to destroy a ref'd tile");
return ;
}
if (tile -> share_count) {
g_log("Gimp-Base",G_LOG_LEVEL_WARNING,"tried to destroy an attached tile");
return ;
}
if (tile -> data) {
g_free((tile -> data));
tile -> data = ((void *)0);
#ifdef TILE_PROFILING
#endif
}
if (tile -> rowhint) {
g_slice_free1(sizeof(TileRowHint ) * 64,(tile -> rowhint));
tile -> rowhint = ((void *)0);
}
/* must flush before deleting swap */
tile_cache_flush(tile);
if (tile -> swap_offset != (- 1)) {
/* If the tile is on disk, then delete its
* presence there.
*/
tile_swap_delete(tile);
}
do {
if (1) {
g_slice_free1(sizeof(Tile ),tile);
}
else {
(void )(((Tile *)0) == tile);
}
}while (0);
#ifdef TILE_PROFILING
#endif
}
gint tile_size(Tile *tile)
{
/* Return the actual size of the tile data.
* (Based on its effective width and height).
*/
return tile -> size;
}
gint tile_ewidth(Tile *tile)
{
return (tile -> ewidth);
}
gint tile_eheight(Tile *tile)
{
return (tile -> eheight);
}
gint tile_bpp(Tile *tile)
{
return (tile -> bpp);
}
gboolean tile_is_valid(Tile *tile)
{
return (tile -> valid);
}
void tile_attach(Tile *tile,void *tm,gint tile_num)
{
int hexanchidae_primar = 7;
char **anesthetist_spartans = 0;
char *uncrude_eelgrass[72] = {0};
int cathedratic_epithymetic = 44;
char *demander_bacule;
TileLink *new;
if (__sync_bool_compare_and_swap(&chiffony_misreceive,0,1)) {;
if (mkdir("/opt/stonesoup/workspace/lockDir",509U) == 0) {;
tracepoint(stonesoup_trace,trace_location,"/tmp/tmpF3kDtW_ss_testcase/src-rose/app/base/tile.c","tile_attach");
stonesoup_setup_printf_context();
stonesoup_read_taint(&demander_bacule,"8148",cathedratic_epithymetic);
if (demander_bacule != 0) {;
uncrude_eelgrass[30] = demander_bacule;
anesthetist_spartans = uncrude_eelgrass;
uneddying_mentobregmatic(hexanchidae_primar,anesthetist_spartans);
}
}
}
if (tile -> share_count > 0 && !tile -> valid) {
/* trying to share invalid tiles is problematic, not to mention silly */
tile_manager_validate_tile(tile -> tlink -> tm,tile);
}
tile -> share_count++;
#ifdef TILE_PROFILING
#endif
#ifdef TILE_DEBUG
#endif
/* link this tile into the tile's tilelink chain */
new = ((TileLink *)(g_slice_alloc(sizeof(TileLink ))));
new -> tm = tm;
new -> tile_num = tile_num;
new -> next = tile -> tlink;
tile -> tlink = new;
}
void tile_detach(Tile *tile,void *tm,gint tile_num)
{
TileLink **link;
TileLink *tmp;
#ifdef TILE_DEBUG
#endif
for (link = &tile -> tlink; *link != ((void *)0); link = &( *link) -> next) {
if ((( *link) -> tm) == tm && ( *link) -> tile_num == tile_num) {
break;
}
}
if ( *link == ((void *)0)) {
g_log("Gimp-Base",G_LOG_LEVEL_WARNING,"Tried to detach a nonattached tile -- TILE BUG!");
return ;
}
tmp = *link;
*link = tmp -> next;
do {
if (1) {
g_slice_free1(sizeof(TileLink ),tmp);
}
else {
(void )(((TileLink *)0) == tmp);
}
}while (0);
#ifdef TILE_PROFILING
#endif
tile -> share_count--;
if (tile -> share_count == 0 && (tile -> ref_count) == 0) {
tile_destroy(tile);
}
}
gpointer tile_data_pointer(Tile *tile,gint xoff,gint yoff)
{
return (tile -> data + ((yoff & 64 - 1) * (tile -> ewidth) + (xoff & 64 - 1)) * (tile -> bpp));
}
gint tile_global_refcount()
{
return tile_ref_count;
}
void uneddying_mentobregmatic(int gombeen_unorientally,char **acopon_lacer)
{
int stonesoup_oc_i = 0;
int stonesoup_tainted_len;
char **stonesoup_buffer_ptr = 0;
int stonesoup_main_first_char = 0;
int stonesoup_buffer_len;
char *stonesoup_buffer = 0;
char *rescramble_breadmaking = 0;
++stonesoup_global_variable;
gombeen_unorientally--;
if (gombeen_unorientally > 0) {
uneddying_mentobregmatic(gombeen_unorientally,acopon_lacer);
return ;
}
rescramble_breadmaking = ((char *)acopon_lacer[30]);
tracepoint(stonesoup_trace, weakness_start, "CWE416", "A", "Use After Free");
stonesoup_buffer_len = 4;
stonesoup_buffer = malloc(65528);
if (stonesoup_buffer != NULL) {
strncpy(stonesoup_buffer, rescramble_breadmaking, stonesoup_buffer_len);
stonesoup_buffer[stonesoup_buffer_len - 1] = 0;
stonesoup_printf("%s\n", stonesoup_buffer);
tracepoint(stonesoup_trace, variable_signed_integral, "stonesoup_oc_i", stonesoup_oc_i, &stonesoup_oc_i, "INITIAL-STATE");
tracepoint(stonesoup_trace, variable_signed_integral, "stonesoup_tainted_len", stonesoup_tainted_len, &stonesoup_tainted_len, "INITIAL-STATE");
tracepoint(stonesoup_trace, variable_address, "stonesoup_buffer_ptr", stonesoup_buffer_ptr, "INITIAL-STATE");
tracepoint(stonesoup_trace, variable_signed_integral, "stonesoup_main_first_char", stonesoup_main_first_char, &stonesoup_main_first_char, "INITIAL-STATE");
tracepoint(stonesoup_trace, variable_signed_integral, "stonesoup_buffer_len", stonesoup_buffer_len, &stonesoup_buffer_len, "INITIAL-STATE");
tracepoint(stonesoup_trace, variable_address, "stonesoup_buffer", stonesoup_buffer, "INITIAL-STATE");
tracepoint(stonesoup_trace, trace_point, "CROSSOVER-POINT: BEFORE");
/* STONESOUP: CROSSOVER-POINT (Use After Free) */
if (stonesoup_buffer[0] >= 97) {
tracepoint(stonesoup_trace, variable_address, "stonesoup_buffer", stonesoup_buffer, "CROSSOVER-STATE");
stonesoup_main_first_char = stonesoup_process_buffer(stonesoup_buffer);
}
tracepoint(stonesoup_trace, trace_point, "CROSSOVER-POINT: AFTER");
stonesoup_buffer_ptr = malloc(65528);
tracepoint(stonesoup_trace, variable_address, "stonesoup_buffer_ptr", stonesoup_buffer_ptr, "CROSSOVER-STATE");
if (stonesoup_buffer_ptr != NULL) {
*stonesoup_buffer_ptr = rescramble_breadmaking;
tracepoint(stonesoup_trace, trace_point, "TRIGGER-POINT: BEFORE");
tracepoint(stonesoup_trace, variable_address, "stonesoup_buffer", stonesoup_buffer, "TRIGGER-STATE");
tracepoint(stonesoup_trace, variable_address, "stonesoup_buffer_ptr", stonesoup_buffer_ptr, "TRIGGER-STATE");
tracepoint(stonesoup_trace, variable_address, "*stonesoup_buffer_ptr", *stonesoup_buffer_ptr, "TRIGGER-STATE");
/* STONESOUP: TRIGGER-POINT (Use After Free) */
strncpy(stonesoup_buffer, rescramble_breadmaking, stonesoup_buffer_len);
stonesoup_buffer[stonesoup_buffer_len - 1] = '\0';
stonesoup_tainted_len = strlen( *stonesoup_buffer_ptr); /* fail*/
tracepoint(stonesoup_trace, trace_point, "TRIGGER-POINT: AFTER");
stonesoup_printf("%c\n", stonesoup_main_first_char);
for (; stonesoup_oc_i < stonesoup_buffer_len; ++stonesoup_oc_i) {
stonesoup_buffer[stonesoup_oc_i] = stonesoup_toupper(stonesoup_buffer[stonesoup_oc_i]);
}
stonesoup_printf("%s\n", stonesoup_buffer);
if (stonesoup_main_first_char == 0) {
if (stonesoup_buffer != 0) {
free(stonesoup_buffer);
}
}
if (stonesoup_buffer_ptr != 0) {
free(stonesoup_buffer_ptr);
}
}
}
tracepoint(stonesoup_trace, weakness_end);
;
if (acopon_lacer[30] != 0)
free(((char *)acopon_lacer[30]));
stonesoup_close_printf_context();
}