NIST | The SAMATE Project | Department of Homeland Security
Test Case ID: 153801 (Candidate)
Bad / Good / Mixed: Bad (Bad test case)
Author: IARPA STONESOUP Test and Evaluation team
Associations:
- Test suite: 102
- Application: 18
Added by: Charles Oliveira
Language: C
Type of test case: Source Code
Input string
Expected Output
Instructions: See src/INSTALL file for instructions on how to install.
Submission date: 2015-10-06
Description: This test case allocates a struct on the stack, with a 20-character buffer and a pointer following that buffer. It checks if the taint source is less than 20 characters. If so, it sets the 20-character buffer to all 0's, then sets the pointer following the buffer to point to the beginning of the buffer. It then calls realpath with the destination being the 20-character buffer inside the struct. If realpath evaluates to more than 20 characters, the buffer inside the struct will overflow into the pointer inside the struct. The test case then calls strlen on the pointer inside the struct. If an overflow has occurred, this pointer will be invalid, and a segmentation fault will occur.
Metadata
- Base program: Gimp
- Source Taint: SOCKET
- Data Type: SIMPLE
- Data Flow: ADDRESS_AS_FUNCTION_RETURN_VALUE
- Control Flow: UNCONDITIONAL_JUMP
File(s)
Flaw

File Contains:
CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer on line(s): 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936
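The pattern in the Description, with a hardened counterpart, as an added example (not the test case's source code). The struct and function names are hypothetical, and the flawed form appears only as a comment so that it is never executed.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose realpath() under strict -std= modes */
#endif
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; layout follows the description: a 20-byte buffer
 * with a pointer placed directly after it. */
struct path_holder {
    char  buffer[20];
    char *buff_pointer;
};

/* Flawed pattern (CWE-785), kept as a comment so it is never executed:
 *
 *     if (strlen(tainted) < 20) {
 *         memset(h->buffer, 0, 20);
 *         h->buff_pointer = h->buffer;
 *         realpath(tainted, h->buffer);   // may write up to PATH_MAX bytes
 *         strlen(h->buff_pointer);        // pointer may be overwritten
 *     }
 *
 * The length check is on the input, but realpath() writes the resolved
 * path: "." is one character and expands to the full working directory. */

/* Hardened form: let realpath() allocate the result (POSIX.1-2008), then
 * check the resolved length before copying into the fixed buffer.
 * Returns the resolved length, or -1 if resolution fails or does not fit. */
long resolve_checked(const char *tainted, struct path_holder *h)
{
    memset(h->buffer, 0, sizeof h->buffer);
    h->buff_pointer = h->buffer;

    char *resolved = realpath(tainted, NULL);
    if (resolved == NULL)
        return -1;                      /* ENOENT, EACCES, ELOOP, ... */

    size_t len = strlen(resolved);
    long result = -1;
    if (len < sizeof h->buffer) {       /* leave room for the NUL byte */
        memcpy(h->buffer, resolved, len + 1);
        result = (long)strlen(h->buff_pointer);
    }
    free(resolved);
    return result;
}
```

Passing a caller-supplied buffer of at least PATH_MAX bytes to realpath is the other standard remedy for this CWE; the allocating form avoids depending on PATH_MAX being defined.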