National Institute of Standards and Technology
Package illustrating a test case

Test case 153333

Description

This test case allocates a struct on the stack containing a 20-character buffer immediately followed by a pointer. It checks that the taint source is shorter than 20 characters. If so, it zeroes the 20-character buffer and sets the pointer that follows it to point to the start of the buffer. It then calls realpath with the 20-character buffer inside the struct as the destination. The length check on the input is not sufficient: realpath writes the resolved absolute path, which can be far longer than the input (a short relative name resolves to the full path of the current working directory), and POSIX requires the destination buffer to hold at least PATH_MAX bytes. If the resolved path is 20 characters or longer (the terminating NUL needs a byte as well), the write overflows the buffer into the adjacent memory of the struct, including the pointer; on ABIs that align the pointer field, a few padding bytes are overwritten before the pointer itself. The test case then calls strlen on the pointer inside the struct. If an overflow has occurred, the pointer is no longer valid and a segmentation fault occurs.
Metadata
- Base program: FFmpeg
- Source Taint: SHARED_MEMORY
- Data Type: VOID_POINTER
- Data Flow: ADDRESS_AS_LINEAR_EXPRESSION
- Control Flow: POINTER_TO_FUNCTION

Flaws

Test Suites

Documentation

Have any comments on this test case? Please, send us an email.