1

Makefile

@@ -0,0 +1,30 @@
+CC=clang
+BUILD_PATH=build
+
+default:
+	if [ ! -d $(BUILD_PATH) ]; then \
+		mkdir build; \
+	fi
+	make all
+
+double_free: simple/basic_double_free.c
+	$(CC) -o $(BUILD_PATH)/$@ $^
+
+double_free_interprocedure: simple/double_free_interprocedure.c
+	$(CC) -o $(BUILD_PATH)/$@ $^
+
+simple_mem_leak : simple/simple_mem_leak.c
+	$(CC) -o $(BUILD_PATH)/$@ $^
+
+simple_buffer_overflow : simple/simple_buffer_overflow.c
+	$(CC) -o $(BUILD_PATH)/$@ $^
+	
+pointer_overflow : simple/bof.ptrarith.limit.c
+	$(CC) -o $(BUILD_PATH)/$@ $^
+	
+
+all: double_free double_free_interprocedure simple_mem_leak simple_buffer_overflow pointer_overflow
+
+clean:
+	cd $(BUILD_PATH)
+	rm double_free simple_pointer

simple/basic_double_free.c

@@ -0,0 +1,13 @@
+#include <memory.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int main(void) {
+  int* i_ptr = malloc(sizeof(int));
+  if (i_ptr) {
+    (void)printf("malloc() success...\n");
+    // Double free
+    free(i_ptr);
+    free(i_ptr);
+  }
+}

simple/bof.inter.loop.c

@@ -0,0 +1,40 @@
+const unsigned G_MAX = 32;
+
+int getargs(s, arps, count)
+register char *s, *arps[];
+register int count;
+{
+    register int i;
+
+    for (i = 0; i < count; i++) {
+        while (*s == ' ' || *s == '\t')
+            *s++ = '\0';
+        if (*s == '\n')
+            *s = '\0';
+        if (*s == '\0')
+            break;
+        arps[i] = s++;
+        while (*s != '\0' && *s != ' '
+            && *s != '\t' && *s != '\n')
+                s++;
+    }
+    arps[i] = 0; //#1bug-4# 
+    return(i);
+}
+
+static int testf1(char *line) {
+    char *carray[G_MAX];
+
+    (void) getargs(line, carray, G_MAX); 
+
+    return 0;
+}
+
+int main(int argc, char **argv) {
+    testf1("12345678901234567890"); // 20 chars
+    testf1("123456789012345678901234567890"); // 30 chars
+    testf1("12345678901234567890123456789012345678901234567890"); // 50 chars
+
+    return 0;
+}
+

simple/bof.ptrarith.limit.c

@@ -0,0 +1,24 @@
+
+void f() {
+    int buf[10];
+    int *limit = buf + 10;
+    int *p = buf;
+    while (p < limit)
+        *p++ = 0;
+}
+
+void f2() {
+    int buf[10];
+    int *limit = buf + 11;
+    int *p = buf;
+    while (p < limit)
+        *p++ = 0; //#1bug-5# 
+}
+
+void f3() {
+    int buf[10];
+    int *limit = buf;
+    int *p = buf + 9;
+    while (p >= limit)
+        *p-- = 0;
+}

simple/bofsa.for-loop.c

@@ -0,0 +1,28 @@
+int a[32];
+int bar()
+{
+   int label;
+   int i;
+
+   for(i=0;a[i]!=0 && i<32; i++); //#1bug-5# 
+
+   return a[i]; //#1bug-5# 
+}
+
+char arr[64];
+int foo( unsigned int inlen ) {
+
+    unsigned char loop, offset;
+
+    /* Test handling of casts around add-rec */
+    while( inlen-- ) {
+        for( loop=0, offset=0; loop < 16; loop++, offset += 4 ) {
+            arr[offset] = 0;
+            arr[offset+1] = 1;
+            arr[offset+2] = 2;
+            arr[offset+3] = 3;
+        }
+        arr[offset] = 0; //#1bug-5# 
+    }
+    return 0;
+}

simple/double_free_interprocedure.c

@@ -0,0 +1,22 @@
+/**
+ * This file is a simple pointer double free case
+ */
+
+
+#include <memory.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+void subroutine(int* i_ptr) {
+  free(i_ptr);
+}
+
+int main(void) {
+  int* i_ptr = malloc(sizeof(int));
+  if (i_ptr) {
+    printf("malloc() success...\n");
+    subroutine(i_ptr);
+    // Use after free
+    free(i_ptr);
+  }
+}

simple/simple_buffer_overflow.c

@@ -0,0 +1,10 @@
+#include <memory.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int main(void) {
+  int buffer[16];
+  for (int i = 0; i < 32; i++) {
+    buffer[i] = i;
+  }
+}

simple/simple_mem_leak.c

@@ -0,0 +1,39 @@
+#include <memory.h>
+#include <stdlib.h>
+#include <stdio.h>
+int uadd_ok(unsigned short x, unsigned short y);
+int main(void) {
+  int* i_ptr = malloc(sizeof(int));
+  if (i_ptr) {
+    (void)printf("malloc() success...\n");
+    // mem leak
+  }
+  unsigned short x1 =65530;
+  int re  = uadd_ok(x1,200);
+ 
+
+  return re;
+}
+
+int func(void) {
+  int* i_ptr = malloc(sizeof(int));
+  if (i_ptr) {
+    (void)printf("malloc() success...\n");
+    // mem leak
+  }
+}
+int uadd_ok(unsigned short x, unsigned short y){
+    unsigned short sum =x+y;
+    char c1;
+    char c2 = -128;
+   
+    c1=~c2;    //error
+
+
+    if(sum >=x) {
+      return 1;
+    }
+
+    if (c1 > 0) return 0;
+
+}