/* TEMPLATE GENERATED TESTCASE FILE Filename: CWE191_Integer_Underflow__short_rand_predec_75b.java Label Definition File: CWE191_Integer_Underflow.label.xml Template File: sources-sinks-75b.tmpl.java */ /* * @description * CWE: 191 Integer Underflow * BadSource: rand Set data to result of rand() * GoodSource: A hardcoded non-zero, non-min, non-max, even number * Sinks: decrement * GoodSink: Ensure there will not be an underflow before decrementing data * BadSink : Decrement data, which can cause an Underflow * Flow Variant: 75 Data flow: data passed in a serialized object from one method to another in different source files in the same package * * */ package testcases.CWE191_Integer_Underflow.s05; import testcasesupport.*; import java.io.ByteArrayInputStream; import java.io.ObjectInputStream; import java.io.IOException; import java.util.logging.Level; public class CWE191_Integer_Underflow__short_rand_predec_75b { public void badSink(byte[] dataSerialized ) throws Throwable { /* unserialize data */ ByteArrayInputStream streamByteArrayInput = null; ObjectInputStream streamObjectInput = null; try { streamByteArrayInput = new ByteArrayInputStream(dataSerialized); streamObjectInput = new ObjectInputStream(streamByteArrayInput); short data = (Short)streamObjectInput.readObject(); /* POTENTIAL FLAW: if data == Short.MIN_VALUE, this will overflow */ short result = (short)(--data); IO.writeLine("result: " + result); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "IOException in deserialization", exceptIO); } catch (ClassNotFoundException exceptClassNotFound) { IO.logger.log(Level.WARNING, "ClassNotFoundException in deserialization", exceptClassNotFound); } finally { /* clean up stream reading objects */ try { if (streamObjectInput != null) { streamObjectInput.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing ObjectInputStream", exceptIO); } try { if (streamByteArrayInput != null) { streamByteArrayInput.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing ByteArrayInputStream", exceptIO); } } } /* goodG2B() - use GoodSource and BadSink */ public void goodG2BSink(byte[] dataSerialized ) throws Throwable { /* unserialize data */ ByteArrayInputStream streamByteArrayInput = null; ObjectInputStream streamObjectInput = null; try { streamByteArrayInput = new ByteArrayInputStream(dataSerialized); streamObjectInput = new ObjectInputStream(streamByteArrayInput); short data = (Short)streamObjectInput.readObject(); /* POTENTIAL FLAW: if data == Short.MIN_VALUE, this will overflow */ short result = (short)(--data); IO.writeLine("result: " + result); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "IOException in deserialization", exceptIO); } catch (ClassNotFoundException exceptClassNotFound) { IO.logger.log(Level.WARNING, "ClassNotFoundException in deserialization", exceptClassNotFound); } finally { /* clean up stream reading objects */ try { if (streamObjectInput != null) { streamObjectInput.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing ObjectInputStream", exceptIO); } try { if (streamByteArrayInput != null) { streamByteArrayInput.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing ByteArrayInputStream", exceptIO); } } } /* goodB2G() - use BadSource and GoodSink */ public void goodB2GSink(byte[] dataSerialized ) throws Throwable { /* unserialize data */ ByteArrayInputStream streamByteArrayInput = null; ObjectInputStream streamObjectInput = null; try { streamByteArrayInput = new ByteArrayInputStream(dataSerialized); streamObjectInput = new ObjectInputStream(streamByteArrayInput); short data = (Short)streamObjectInput.readObject(); /* FIX: Add a check to prevent an underflow from occurring */ if (data > Short.MIN_VALUE) { short result = (short)(--data); IO.writeLine("result: " + result); } else { IO.writeLine("data value is too small to decrement."); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "IOException in deserialization", exceptIO); } catch (ClassNotFoundException exceptClassNotFound) { IO.logger.log(Level.WARNING, "ClassNotFoundException in deserialization", exceptClassNotFound); } finally { /* clean up stream reading objects */ try { if (streamObjectInput != null) { streamObjectInput.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing ObjectInputStream", exceptIO); } try { if (streamByteArrayInput != null) { streamByteArrayInput.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing ByteArrayInputStream", exceptIO); } } } }