/* goodG2B() uses the GoodSource with the BadSink */
static void goodG2B()
{
wchar_t * data;
wchar_t * &dataRef = data;
wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
wmemset(dataBuffer, L'A', 100-1);
dataBuffer[100-1] = L'\0';
/* FIX: Set data pointer to the allocated memory buffer */
data = dataBuffer;
{
wchar_t * data = dataRef;
{
wchar_t dest[100];
wmemset(dest, L'C', 100-1); /* fill with 'C's */
dest[100-1] = L'\0'; /* null terminate */
/* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
memmove(dest, data, 100*sizeof(wchar_t));
/* Ensure null termination */
dest[100-1] = L'\0';
printWLine(dest);
}
}
}
void bad()
{
long * data;
data = NULL; /* Initialize data */
if(globalReturnsTrue())
{
{
/* FLAW: data is allocated on the stack and deallocated in the BadSink */
long * dataBuffer = (long *)ALLOCA(100*sizeof(long));
{
size_t i;
for (i = 0; i < 100; i++)
{
dataBuffer[i] = 5L;
}
}
data = dataBuffer;
}
}
printLongLine(data[0]);
/* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */
delete [] data;
}
/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
static void goodG2B1()
{
wchar_t * data;
data = NULL;
if(STATIC_CONST_FIVE!=5)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Use memory allocated on the stack with ALLOCA */
data = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
/* Initialize and make use of data */
wcscpy(data, L"A String");
printWLine(data);
}
if(STATIC_CONST_FIVE==5)
{
/* POTENTIAL FLAW: No deallocation */
; /* empty statement needed for some flow variants */
}
}
/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_TRUE to STATIC_CONST_FALSE */
static void goodG2B1()
{
int64_t * data;
data = NULL;
if(STATIC_CONST_FALSE)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Use memory allocated on the stack with ALLOCA */
data = (int64_t *)ALLOCA(100*sizeof(int64_t));
/* Initialize and make use of data */
data[0] = 5LL;
printLongLongLine(data[0]);
}
if(STATIC_CONST_TRUE)
{
/* POTENTIAL FLAW: No deallocation */
; /* empty statement needed for some flow variants */
}
}
/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
static void goodG2B()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
while(1)
{
/* FIX: Set data pointer to the allocated memory buffer */
data = dataBuffer;
break;
}
{
char dest[100];
memset(dest, 'C', 100-1); /* fill with 'C's */
dest[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
memmove(dest, data, 100*sizeof(char));
/* Ensure null termination */
dest[100-1] = '\0';
printLine(dest);
}
}
void CWE590_Free_Memory_Not_on_Heap__free_long_alloca_11_bad()
{
long * data;
data = NULL; /* Initialize data */
if(globalReturnsTrue())
{
{
/* FLAW: data is allocated on the stack and deallocated in the BadSink */
long * dataBuffer = (long *)ALLOCA(100*sizeof(long));
{
size_t i;
for (i = 0; i < 100; i++)
{
dataBuffer[i] = 5L;
}
}
data = dataBuffer;
}
}
printLongLine(data[0]);
/* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */
free(data);
}
void bad()
{
int * data;
data = NULL; /* Initialize data */
if(staticTrue)
{
{
/* FLAW: data is allocated on the stack and deallocated in the BadSink */
int * dataBuffer = (int *)ALLOCA(100*sizeof(int));
{
size_t i;
for (i = 0; i < 100; i++)
{
dataBuffer[i] = 5;
}
}
data = dataBuffer;
}
}
printIntLine(data[0]);
/* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */
delete [] data;
}
/* good1() uses if(globalReturnsFalse()) instead of if(globalReturnsTrue()) */
static void good1()
{
if(globalReturnsFalse())
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
{
twoIntsStruct data;
twoIntsStruct * pointer = (twoIntsStruct *)ALLOCA(sizeof(twoIntsStruct));
data.intOne = 1;
data.intTwo = 2;
*pointer = data; /* FIX: Assign a value to the thing pointed to by pointer */
{
twoIntsStruct data = *pointer;
printIntLine(data.intOne);
printIntLine(data.intTwo);
}
}
}
}
/* goodG2B() uses the GoodSource with the BadSink */
static void goodG2B()
{
wchar_t * data;
wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
wmemset(dataBuffer, L'A', 100-1);
dataBuffer[100-1] = L'\0';
/* FIX: Set data pointer to the allocated memory buffer */
data = dataBuffer;
{
wchar_t * dataCopy = data;
wchar_t * data = dataCopy;
{
wchar_t source[100];
wmemset(source, L'C', 100-1); /* fill with 'C's */
source[100-1] = L'\0'; /* null terminate */
/* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
wcsncpy(data, source, 100-1);
/* Ensure the destination buffer is null terminated */
data[100-1] = L'\0';
printWLine(data);
}
}
}
/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */
static void goodG2B1()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
data = dataBuffer;
if(staticReturnsFalse())
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
memset(data, 'A', 50-1); /* fill with 'A's */
data[50-1] = '\0'; /* null terminate */
}
{
char dest[50] = "";
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
strcat(dest, data);
printLine(data);
}
}
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
static void goodG2B2()
{
TwoIntsClass * data;
data = reinterpret_cast<TwoIntsClass *>(ALLOCA(10*sizeof(TwoIntsClass)));
if(1)
{
/* FIX: Completely initialize data */
for(int i=0; i<10; i++)
{
data[i].intOne = i;
data[i].intTwo = i;
}
}
if(1)
{
/* POTENTIAL FLAW: Use data without initializing it */
for(int i=0; i<10; i++)
{
printIntLine(data[i].intOne);
printIntLine(data[i].intTwo);
}
}
}
/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
static void goodG2B()
{
wchar_t * data;
wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
data = dataBuffer;
goto source;
source:
/* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
wmemset(data, L'A', 50-1); /* fill with L'A's */
data[50-1] = L'\0'; /* null terminate */
{
wchar_t dest[50] = L"";
size_t i, dataLen;
dataLen = wcslen(data);
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
for (i = 0; i < dataLen; i++)
{
dest[i] = data[i];
}
dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
printWLine(data);
}
}
void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_loop_18_bad()
{
wchar_t * data;
wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
data = dataBuffer;
goto source;
source:
/* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
wmemset(data, L'A', 100-1); /* fill with L'A's */
data[100-1] = L'\0'; /* null terminate */
{
wchar_t dest[50] = L"";
size_t i, dataLen;
dataLen = wcslen(data);
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
for (i = 0; i < dataLen; i++)
{
dest[i] = data[i];
}
dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
printWLine(data);
}
}
void CWE127_Buffer_Underread__char_alloca_ncpy_17_bad()
{
int i;
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
for(i = 0; i < 1; i++)
{
/* FLAW: Set data pointer to before the allocated memory buffer */
data = dataBuffer - 8;
}
{
char dest[100];
memset(dest, 'C', 100-1); /* fill with 'C's */
dest[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
strncpy(dest, data, strlen(dest));
/* Ensure null termination */
dest[100-1] = '\0';
printLine(dest);
}
}
void bad()
{
int64_t * data;
list<int64_t *> dataList;
data = NULL; /* Initialize data */
{
/* FLAW: data is allocated on the stack and deallocated in the BadSink */
int64_t * dataBuffer = (int64_t *)ALLOCA(100*sizeof(int64_t));
{
size_t i;
for (i = 0; i < 100; i++)
{
dataBuffer[i] = 5LL;
}
}
data = dataBuffer;
}
/* Put data in a list */
dataList.push_back(data);
dataList.push_back(data);
dataList.push_back(data);
badSink(dataList);
}
void bad()
{
TwoIntsClass * data;
data = reinterpret_cast<TwoIntsClass *>(ALLOCA(10*sizeof(TwoIntsClass)));
if(STATIC_CONST_FIVE==5)
{
/* POTENTIAL FLAW: Partially initialize data */
for(int i=0; i<(10/2); i++)
{
data[i].intOne = i;
data[i].intTwo = i;
}
}
if(STATIC_CONST_FIVE==5)
{
/* POTENTIAL FLAW: Use data without initializing it */
for(int i=0; i<10; i++)
{
printIntLine(data[i].intOne);
printIntLine(data[i].intTwo);
}
}
}
void bad()
{
int64_t * data;
vector<int64_t *> dataVector;
data = NULL; /* Initialize data */
{
/* FLAW: data is allocated on the stack and deallocated in the BadSink */
int64_t * dataBuffer = (int64_t *)ALLOCA(100*sizeof(int64_t));
{
size_t i;
for (i = 0; i < 100; i++)
{
dataBuffer[i] = 5LL;
}
}
data = dataBuffer;
}
/* Put data in a vector */
dataVector.insert(dataVector.end(), 1, data);
dataVector.insert(dataVector.end(), 1, data);
dataVector.insert(dataVector.end(), 1, data);
badSink(dataVector);
}
void CWE124_Buffer_Underwrite__char_alloca_memmove_31_bad()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
/* FLAW: Set data pointer to before the allocated memory buffer */
data = dataBuffer - 8;
{
char * dataCopy = data;
char * data = dataCopy;
{
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
memmove(data, source, 100*sizeof(char));
/* Ensure the destination buffer is null terminated */
data[100-1] = '\0';
printLine(data);
}
}
}
/* goodG2B1() - use goodsource and badsink by changing the first GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
static void goodG2B1()
{
char * data;
data = NULL;
if(GLOBAL_CONST_FALSE)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Use memory allocated on the stack with ALLOCA */
data = (char *)ALLOCA(100*sizeof(char));
/* Initialize and make use of data */
strcpy(data, "A String");
printLine(data);
}
if(GLOBAL_CONST_TRUE)
{
/* POTENTIAL FLAW: No deallocation */
; /* empty statement needed for some flow variants */
}
}
/* goodG2B() uses the GoodSource with the BadSink */
static void goodG2B()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
/* FIX: Set data pointer to the allocated memory buffer */
data = dataBuffer;
{
char * dataCopy = data;
char * data = dataCopy;
{
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
memmove(data, source, 100*sizeof(char));
/* Ensure the destination buffer is null terminated */
data[100-1] = '\0';
printLine(data);
}
}
}
/* good1() uses if(staticFalse) instead of if(staticTrue) */
static void good1()
{
if(staticFalse)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
{
int * data;
int * * pointer = (int * *)ALLOCA(sizeof(int *));
/* initialize both the pointer and the data pointed to */
data = (int *)malloc(sizeof(int));
*data = 5;
*pointer = data; /* FIX: Assign a value to the thing pointed to by pointer */
{
int * data = *pointer;
printIntLine(*data);
}
}
}
}
/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
static void goodG2B1()
{
wchar_t * data;
wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
data = dataBuffer;
if(globalReturnsFalse())
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
wmemset(data, L'A', 50-1); /* fill with L'A's */
data[50-1] = L'\0'; /* null terminate */
}
{
wchar_t dest[50] = L"";
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
wcscpy(dest, data);
printWLine(data);
}
}
void bad()
{
char * data;
data = NULL; /* Initialize data */
switch(6)
{
case 6:
{
/* FLAW: data is allocated on the stack and deallocated in the BadSink */
char * dataBuffer = (char *)ALLOCA(sizeof(char));
*dataBuffer = 'A';
data = dataBuffer;
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
break;
}
printHexCharLine(*data);
/* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */
delete data;
}
int _dFactorCholesky (dReal *A, int n, void *tmpbuf/*[n]*/)
{
dAASSERT (n > 0 && A);
bool failure = false;
const int nskip = dPAD (n);
dReal *recip = tmpbuf ? (dReal *)tmpbuf : (dReal*) ALLOCA (n * sizeof(dReal));
dReal *aa = A;
for (int i=0; i<n; aa+=nskip, ++i) {
dReal *cc = aa;
{
const dReal *bb = A;
for (int j=0; j<i; bb+=nskip, ++cc, ++j) {
dReal sum = *cc;
const dReal *a = aa, *b = bb, *bend = bb + j;
for (; b != bend; ++a, ++b) {
sum -= (*a)*(*b);
}
*cc = sum * recip[j];
}
}
{
dReal sum = *cc;
dReal *a = aa, *aend = aa + i;
for (; a != aend; ++a) {
sum -= (*a)*(*a);
}
if (sum <= REAL(0.0)) {
failure = true;
break;
}
dReal sumsqrt = dSqrt(sum);
*cc = sumsqrt;
recip[i] = dRecip (sumsqrt);
}
}
return failure ? 0 : 1;
}
/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
static void goodG2B1()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
data = dataBuffer;
if(GLOBAL_CONST_FALSE)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
memset(data, 'A', 50-1); /* fill with 'A's */
data[50-1] = '\0'; /* null terminate */
}
{
char dest[50] = "";
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
strncpy(dest, data, strlen(data));
dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
printLine(data);
}
}
void bad()
{
twoIntsStruct * data;
data = NULL; /* Initialize data */
if(globalFive==5)
{
{
/* FLAW: data is allocated on the stack and deallocated in the BadSink */
twoIntsStruct * dataBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
{
size_t i;
for (i = 0; i < 100; i++)
{
dataBuffer[i].intOne = 1;
dataBuffer[i].intTwo = 1;
}
}
data = dataBuffer;
}
}
printStructLine(&data[0]);
/* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */
delete [] data;
}
int altlog_write_w3c_header(void)
{
time_t now;
struct tm *tm;
struct tm gmt;
char *alloca_line;
size_t line_size;
if ((now = time(NULL)) == (time_t) -1 ||
(tm = localtime(&now)) == NULL ||
tm->tm_mon > 11 || tm->tm_mon < 0) {
return -1;
}
gmt = *gmtime(&now);
line_size = sizeof "#Date: 001975-04-13 12:34:56\n"; /* be year-999999 compliant :) */
if ((alloca_line = ALLOCA(line_size)) == NULL) {
return -1;
}
altlog_write("#Software: Pure-FTPd " VERSION "\n");
altlog_write("#Version: 1.0\n");
if (!SNCHECK(snprintf(alloca_line, line_size,
"#Date: %04d-%02d-%02d %02d:%02d:%02d\n",
gmt.tm_year + 1900, gmt.tm_mon + 1, gmt.tm_mday,
gmt.tm_hour, gmt.tm_min, gmt.tm_sec),
line_size)) {
altlog_write(alloca_line);
}
altlog_write("#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-username sc-bytes\n");
ALLOCA_FREE(alloca_line);
return 0;
}
void bad()
{
TwoIntsClass * data;
data = NULL; /* Initialize data */
if(staticTrue)
{
{
/* FLAW: data is allocated on the stack and deallocated in the BadSink */
TwoIntsClass * dataBuffer = (TwoIntsClass *)ALLOCA(100*sizeof(TwoIntsClass));
{
size_t i;
for (i = 0; i < 100; i++)
{
dataBuffer[i].intOne = 1;
dataBuffer[i].intTwo = 1;
}
}
data = dataBuffer;
}
}
printIntLine(data[0].intOne);
/* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */
delete [] data;
}
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
static void goodG2B2()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
data = dataBuffer;
if(1)
{
/* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
memset(data, 'A', 50-1); /* fill with 'A's */
data[50-1] = '\0'; /* null terminate */
}
{
char dest[50] = "";
size_t i, dataLen;
dataLen = strlen(data);
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
for (i = 0; i < dataLen; i++)
{
dest[i] = data[i];
}
dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
printLine(data);
}
}
void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_loop_02_bad()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
data = dataBuffer;
if(1)
{
/* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
memset(data, 'A', 100-1); /* fill with 'A's */
data[100-1] = '\0'; /* null terminate */
}
{
char dest[50] = "";
size_t i, dataLen;
dataLen = strlen(data);
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
for (i = 0; i < dataLen; i++)
{
dest[i] = data[i];
}
dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
printLine(data);
}
}
