/* good2() reverses the bodies in the if statement */ static void good2() { if(staticFive==5) { { wchar_t * password = (wchar_t *)malloc(100*sizeof(wchar_t)); size_t passwordLen = 0; HANDLE hUser; wchar_t * username = L"User"; wchar_t * domain = L"Domain"; /* Initialize password */ password[0] = L'\0'; if (fgetws(password, 100, stdin) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ password[0] = L'\0'; } /* Remove the carriage return from the string that is inserted by fgetws() */ passwordLen = wcslen(password); if (passwordLen > 0) { password[passwordLen-1] = L'\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserW( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } passwordLen = wcslen(password); /* FIX: Clear password prior to freeing */ SecureZeroMemory(password, passwordLen * sizeof(wchar_t)); free(password); } } }
void Trace::process(bool doBasicBlocks) { // Decide what kind of trace file it is FILE *fin = fopen(this->tracefile, "r"); if (fin == 0) { throw wxString(wxT("Could not open trace file")); } wchar_t linew[LINELEN] = {0}; char line[LINELEN] = {0}; fgetws(linew, sizeof(linew), fin); fseek(fin, 0, 0); fgets(line, sizeof(line), fin); fclose(fin); // The first line of the file determines the type of trace // Validate it before proceeding if ( (wcsstr(linew, L"vera_trace_version=0.1") == linew) ) processVeraPin(doBasicBlocks); else if ( wcsstr(linew, L"After init") == linew ) processEther(doBasicBlocks); else { // Check to make sure it isn't an Ether trace file without the header. char *colPos = strchr(line, ':'); size_t colLen = ((size_t) colPos) - ((size_t) line); if (colPos && colLen > 0 && isHexString(line, colLen) ) { processEther(doBasicBlocks); } else { throw wxString(wxT("Unrecognized trace file %s (unrecognized format)")); } } if (bblMap.size() <= 1 || edgeMap.size() <= 1) // Error { throw wxString(wxT("Could not parse trace file (bad format)")); } }
/* goodB2G2() - use badsource and goodsink by reversing statements in if */ static void goodB2G2() { wchar_t * data; data = (wchar_t *)malloc(100*sizeof(wchar_t)); data[0] = L'\0'; { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } if(STATIC_CONST_FIVE==5) { { size_t i; /* FIX: Use a loop variable to traverse through the string pointed to by data */ for (i=0; i < wcslen(data); i++) { if (data[i] == SEARCH_CHAR) { printLine("We have a match!"); break; } } free(data); } } }
void bad() { wchar_t * data; wchar_t dataBuffer[FILENAME_MAX] = BASEPATH; data = dataBuffer; { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (FILENAME_MAX-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } { HANDLE hFile; /* POTENTIAL FLAW: Possibly creating and opening a file without validating the file name or path */ hFile = CreateFileW(data, (GENERIC_WRITE|GENERIC_READ), 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile != INVALID_HANDLE_VALUE) { CloseHandle(hFile); } } }
void CWE244_Heap_Inspection__w32_wchar_t_free_13_bad() { if(GLOBAL_CONST_FIVE==5) { { wchar_t * password = (wchar_t *)malloc(100*sizeof(wchar_t)); if (password == NULL) {exit(-1);} size_t passwordLen = 0; HANDLE hUser; wchar_t * username = L"User"; wchar_t * domain = L"Domain"; /* Initialize password */ password[0] = L'\0'; if (fgetws(password, 100, stdin) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ password[0] = L'\0'; } /* Remove the carriage return from the string that is inserted by fgetws() */ passwordLen = wcslen(password); if (passwordLen > 0) { password[passwordLen-1] = L'\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserW( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } /* FLAW: free() password without clearing the password buffer */ free(password); } } }
void CWE114_Process_Control__w32_wchar_t_file_16_bad() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; while(1) { { /* Read input from a file */ size_t dataLen = wcslen(data); FILE * pFile; /* if there is room in data, attempt to read the input from a file */ if (100-dataLen > 1) { pFile = fopen(FILENAME, "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read data from a file */ if (fgetws(data+dataLen, (int)(100-dataLen), pFile) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } fclose(pFile); } } } break; } { HMODULE hModule; /* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to * replace his own file with the intended library */ hModule = LoadLibraryW(data); if (hModule != NULL) { FreeLibrary(hModule); printLine("Library loaded and freed successfully"); } else { printLine("Unable to load library"); } } }
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */ static void goodG2B2() { wchar_t * password; wchar_t passwordBuffer[100] = L""; password = passwordBuffer; if(STATIC_CONST_TRUE) { { size_t passwordLen = 0; /* FIX: Read the password from the console */ if (fgetws(password, 100, stdin) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ password[0] = L'\0'; } /* Remove the carriage return from the string that is inserted by fgetws() */ passwordLen = wcslen(password); if (passwordLen > 0) { password[passwordLen-1] = L'\0'; } } } { HANDLE pHandle; wchar_t * username = L"User"; wchar_t * domain = L"Domain"; /* POTENTIAL FLAW: Attempt to login user with password from the source (which may be hardcoded) */ if (LogonUserW( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } } }
void CWE134_Uncontrolled_Format_String__wchar_t_file_w32_vsnprintf_15_bad() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; switch(6) { case 6: { /* Read input from a file */ size_t dataLen = wcslen(data); FILE * pFile; /* if there is room in data, attempt to read the input from a file */ if (100-dataLen > 1) { pFile = fopen(FILENAME, "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read data from a file */ if (fgetws(data+dataLen, (int)(100-dataLen), pFile) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } fclose(pFile); } } } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } switch(7) { case 7: badVaSinkB(data, data); break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } }
int SimpleLoader::Load(const wchar_t *filename, ifc_playlistloadercallback *playlist) { FILE *simpleFile = _wfopen(filename, L"rt"); if (simpleFile) { wchar_t nextFile[1024]; while (!feof(simpleFile)) { if (fgetws(nextFile, 1024, simpleFile)) playlist->OnFile(nextFile, 0, -1, 0); } return IFC_PLAYLISTLOADER_SUCCESS; } return IFC_PLAYLISTLOADER_FAILED; }
void CWE78_OS_Command_Injection__wchar_t_console_w32_execv_32_bad() { wchar_t * data; wchar_t * *dataPtr1 = &data; wchar_t * *dataPtr2 = &data; wchar_t dataBuffer[100] = L""; data = dataBuffer; { wchar_t * data = *dataPtr1; { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } *dataPtr1 = data; } { wchar_t * data = *dataPtr2; { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wexecv - specify the path where the command is located */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECV(COMMAND_INT_PATH, args); } } }
void bad() { int i; wchar_t * data; wchar_t dataBuffer[FILENAME_MAX] = L""; data = dataBuffer; for(i = 0; i < 1; i++) { { /* Read input from a file */ size_t dataLen = wcslen(data); FILE * pFile; /* if there is room in data, attempt to read the input from a file */ if (FILENAME_MAX-dataLen > 1) { pFile = fopen(FILENAME, "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read data from a file */ if (fgetws(data+dataLen, (int)(FILENAME_MAX-dataLen), pFile) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } fclose(pFile); } } } } { HANDLE hFile; /* POTENTIAL FLAW: Possibly creating and opening a file without validating the file name or path */ hFile = CreateFileW(data, (GENERIC_WRITE|GENERIC_READ), 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile != INVALID_HANDLE_VALUE) { CloseHandle(hFile); } } }
void bad() { wchar_t * data; wchar_t dataBuffer[FILENAME_MAX] = BASEPATH; data = dataBuffer; if(globalReturnsTrueOrFalse()) { { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (FILENAME_MAX-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } } else { /* FIX: Use a fixed file name */ wcscat(data, L"file.txt"); } { ifstream inputFile; /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */ inputFile.open((char *)data); inputFile.close(); } }
void CWE226_Sensitive_Information_Uncleared_Before_Release__w32_wchar_t_alloca_16_bad() { while(1) { { wchar_t * password = (wchar_t *)ALLOCA(100*sizeof(wchar_t)); size_t passwordLen = 0; HANDLE hUser; wchar_t * username = L"User"; wchar_t * domain = L"Domain"; /* Initialize password */ password[0] = L'\0'; if (fgetws(password, 100, stdin) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ password[0] = L'\0'; } /* Remove the carriage return from the string that is inserted by fgetws() */ passwordLen = wcslen(password); if (passwordLen > 0) { password[passwordLen-1] = L'\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserW( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hUser) != 0) { printLine("User logged in successfully."); CloseHandle(hUser); } else { printLine("Unable to login."); } /* FLAW: Release password from the stack without first clearing the buffer */ } break; } }
void CWE761_Free_Pointer_Not_at_Start_of_Buffer__wchar_t_console_06_bad() { wchar_t * data; data = (wchar_t *)malloc(100*sizeof(wchar_t)); data[0] = L'\0'; { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } if(STATIC_CONST_FIVE==5) { /* FLAW: We are incrementing the pointer in the loop - this will cause us to free the * memory block not at the start of the buffer */ for (; *data != L'\0'; data++) { if (*data == SEARCH_CHAR) { printLine("We have a match!"); break; } } free(data); } }
void CWE78_OS_Command_Injection__wchar_t_file_popen_15_bad() { wchar_t * data; wchar_t data_buf[100] = FULL_COMMAND; data = data_buf; switch(6) { case 6: { /* Read input from a file */ size_t dataLen = wcslen(data); FILE * pFile; /* if there is room in data, attempt to read the input from a file */ if (100-dataLen > 1) { pFile = fopen(FILENAME, "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read data from a file */ if (fgetws(data+dataLen, (int)(100-dataLen), pFile) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } fclose(pFile); } } } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } { FILE *pipe; /* POTENTIAL FLAW: Execute command in data possibly leading to command injection */ pipe = POPEN(data, L"wb"); if (pipe != NULL) { PCLOSE(pipe); } } }
//search for all words given in file_name and save results to output_file_name void search_words(TREE_NODE *root, char * file_name, char * output_file_name){ FILE *file, *output_file; file = fopen(file_name,"r"); output_file = fopen(output_file_name,"w"); if(!file){ printf("arquivo de entrada invalido\n"); return; } if(!output_file){ printf("arquivo de saida invalido\n"); return; } wchar_t line [ 10000 ]; wchar_t *result = malloc(sizeof(wchar_t) * 10000); //start benchmark double start_time, end_time, time_elapsed; start_time = (double)clock(); while ( fgetws ( line, sizeof line, file ) != NULL ){//read line by line if(line[wcslen(line) -1] == '\n') line[wcslen(line) -1] = '\0';//remove new line char if(line[wcslen(line) -1] == ' ') line[wcslen(line) -1] = '\0'; W_TOKEN *token = malloc(sizeof(W_TOKEN)); str_to_lower(line); token->word = line; search_word(root, token, result); fwprintf(output_file, L"%ls",result); fputws ( result, stdout ); } end_time = (double)clock(); time_elapsed = ( end_time - start_time )/CLOCKS_PER_SEC; //end benchmark fwprintf(output_file, L"%s","\n"); fwprintf(output_file, L"O tempo gasto na busca foi de %fms.\n", time_elapsed*1000); printf("\n"); printf("O tempo gasto na busca foi de %fms.\n", time_elapsed*1000); fclose(file); fclose(output_file); }
void bad() { wchar_t * data; wchar_t * *dataPtr1 = &data; wchar_t * *dataPtr2 = &data; wchar_t dataBuffer[FILENAME_MAX] = L""; data = dataBuffer; { wchar_t * data = *dataPtr1; { /* Read input from a file */ size_t dataLen = wcslen(data); FILE * pFile; /* if there is room in data, attempt to read the input from a file */ if (FILENAME_MAX-dataLen > 1) { pFile = fopen(FILENAME, "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read data from a file */ if (fgetws(data+dataLen, (int)(FILENAME_MAX-dataLen), pFile) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } fclose(pFile); } } } *dataPtr1 = data; } { wchar_t * data = *dataPtr2; { FILE *pFile = NULL; /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */ pFile = FOPEN(data, L"wb+"); if (pFile != NULL) { fclose(pFile); } } } }
int main ( int argc, char * * argv ) { wchar_t sz[100]; char * psz = "No Name"; setlocale(LC_ALL, ""); if (argc >= 2) { psz = argv[1]; } fprintf(stderr, "[%s] Standard In Begin\n", psz); while (fgetws(sz, sizeof (sz) / sizeof (wchar_t), stdin)) { fprintf(stderr, "[%s] %ls", psz, sz); } fprintf(stderr, "[%s] Standard In End\n", psz); fprintf(stderr, "[%s] Standard Error\n", psz); return (0); }
void CWE390_Error_Without_Action__fgets_wchar_t_18_bad() { goto sink; sink: { /* By initializing dataBuffer, we ensure this will not be the * CWE 690 (Unchecked Return Value To NULL Pointer) flaw for fgetws() */ wchar_t dataBuffer[100] = L""; wchar_t * data = dataBuffer; printWLine(L"Please enter a string: "); /* FLAW: check the return value, but do nothing if there is an error */ if (fgetws(data, 100, stdin) == NULL) { /* do nothing */ } printWLine(data); } }
void CWE78_OS_Command_Injection__wchar_t_console_popen_16_bad() { wchar_t * data; wchar_t data_buf[100] = FULL_COMMAND; data = data_buf; while(1) { { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } break; } { FILE *pipe; /* POTENTIAL FLAW: Execute command in data possibly leading to command injection */ pipe = POPEN(data, L"wb"); if (pipe != NULL) { PCLOSE(pipe); } } }
/* good1() uses the GoodSinkBody in the for statements */ static void good1() { int k; for(k = 0; k < 1; k++) { { wchar_t password[100] = L""; size_t passwordLen = 0; HANDLE pHandle; wchar_t * username = L"User"; wchar_t * domain = L"Domain"; if (fgetws(password, 100, stdin) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ password[0] = L'\0'; } /* Remove the carriage return from the string that is inserted by fgetws() */ passwordLen = wcslen(password); if (passwordLen > 0) { password[passwordLen-1] = L'\0'; } /* Use the password in LogonUser() to establish that it is "sensitive" */ if (LogonUserW( username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) { printLine("User logged in successfully."); CloseHandle(pHandle); } else { printLine("Unable to login."); } /* FIX: Do not write sensitive data to stderr */ fwprintf(stderr, L"User attempted access\n"); } } }
void bad() { int i; wchar_t * data; wchar_t dataBuffer[FILENAME_MAX] = L""; data = dataBuffer; for(i = 0; i < 1; i++) { { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (FILENAME_MAX-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } } { int fileDesc; /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */ fileDesc = OPEN(data, O_RDWR|O_CREAT, S_IREAD|S_IWRITE); if (fileDesc != -1) { CLOSE(fileDesc); } } }
void CWE78_OS_Command_Injection__wchar_t_console_execlp_15_bad() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; switch(6) { case 6: { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } /* wexeclp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECLP(COMMAND_INT, COMMAND_INT, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL); }
/* goodB2G1() - use badsource and goodsink by changing the second GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */ static void goodB2G1() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(GLOBAL_CONST_TRUE) { { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } } if(GLOBAL_CONST_FALSE) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Specify the format disallowing a format string vulnerability */ wprintf(L"%s\n", data); } }
/* goodB2G1() - use badsource and goodsink by changing the second globalTrue to globalFalse */ static void goodB2G1() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(globalTrue) { { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } } if(globalFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { goodB2G1VaSinkG(data, data); } }
void CWE134_Uncontrolled_Format_String__wchar_t_console_snprintf_05_bad() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(staticTrue) { { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } } if(staticTrue) { { wchar_t dest[100] = L""; /* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */ SNPRINTF(dest, 100-1, data); printWLine(dest); } } }
/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */ static void goodB2G2() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(GLOBAL_CONST_FIVE==5) { { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } } if(GLOBAL_CONST_FIVE==5) { { wchar_t dest[100] = L""; /* FIX: Specify the format disallowing a format string vulnerability */ SNPRINTF(dest, 100-1, L"%s", data); printWLine(dest); } } }
void scorelist_load() { int i, j; wchar_t chunk[1024]; wchar_t delim[2] = L" "; wchar_t *ptr; wchar_t *token; FILE *fp = fopen(scorelist_file, "r, ccs=UTF-8"); if (fp != NULL) { i = 0; while (fgetws(chunk, 1024, fp) != NULL) { chunk[wcslen(chunk) - 1] = L'\0'; if (wcslen(chunk) > 0) { j = 0; token = wcstok(chunk, delim, &ptr); while (token != NULL) { switch (j) { case 0: wcsncpy(scorelist[i].name, token, 255); break; case 1: scorelist[i].points = (unsigned int)wcstoul(token, NULL, 0); break; case 2: scorelist[i].chars = (unsigned int)wcstoul(token, NULL, 0); break; case 3: scorelist[i].seconds = (unsigned int)wcstoul(token, NULL, 0); break; } token = wcstok(ptr, delim, &ptr); j++; } i++; } } fclose(fp); scorelist_length = i; } free(ptr); free(token); }
/* goodB2G2() - use badsource and goodsink by reversing statements in if */ static void goodB2G2() { wchar_t * data; data = (wchar_t *)malloc(100*sizeof(wchar_t)); data[0] = L'\0'; { /* Read input from a file */ size_t dataLen = wcslen(data); FILE * pFile; /* if there is room in data, attempt to read the input from a file */ if (100-dataLen > 1) { pFile = fopen(FILENAME, "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read data from a file */ if (fgetws(data+dataLen, (int)(100-dataLen), pFile) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } fclose(pFile); } } } if(5==5) { { size_t i; /* FIX: Use a loop variable to traverse through the string pointed to by data */ for (i=0; i < wcslen(data); i++) { if (data[i] == SEARCH_CHAR) { printLine("We have a match!"); break; } } free(data); } } }
void bad() { wchar_t * data; wchar_t dataBuffer[FILENAME_MAX] = L""; data = dataBuffer; if(staticReturnsTrue()) { { /* Read input from the console */ size_t dataLen = wcslen(data); /* if there is room in data, read into it from the console */ if (FILENAME_MAX-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgetws(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgetws() */ dataLen = wcslen(data); if (dataLen > 0 && data[dataLen-1] == L'\n') { data[dataLen-1] = L'\0'; } } else { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } } } } { FILE *pFile = NULL; /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */ pFile = FOPEN(data, L"wb+"); if (pFile != NULL) { fclose(pFile); } } }