From ab31e77d30f734401441e6eae2e0ad49b9d06f61 Mon Sep 17 00:00:00 2001 From: weishao Date: Fri, 10 Mar 2023 16:17:15 +0800 Subject: [PATCH] 1 --- .DS_Store | Bin 0 -> 6148 bytes Makefile | 30 +++++++++++++++++++++ simple/basic_double_free.c | 13 +++++++++ simple/bof.inter.loop.c | 40 ++++++++++++++++++++++++++++ simple/bof.ptrarith.limit.c | 24 +++++++++++++++++ simple/bofsa.for-loop.c | 28 +++++++++++++++++++ simple/double_free_interprocedure.c | 22 +++++++++++++++ simple/simple_buffer_overflow.c | 10 +++++++ simple/simple_mem_leak.c | 39 +++++++++++++++++++++++++++ 9 files changed, 206 insertions(+) create mode 100644 .DS_Store create mode 100644 Makefile create mode 100644 simple/basic_double_free.c create mode 100644 simple/bof.inter.loop.c create mode 100644 simple/bof.ptrarith.limit.c create mode 100644 simple/bofsa.for-loop.c create mode 100644 simple/double_free_interprocedure.c create mode 100644 simple/simple_buffer_overflow.c create mode 100644 simple/simple_mem_leak.c diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..3e4978ad5dd709ed4874cfb46a5606402ae4854c GIT binary patch literal 6148 zcmeHKI|>3p3{6x-u(7n9D|mxJ^aNf&{1n29g4l26xjdRL9|T!#1RHsQux485s?wxP;M5wX6NP|>t#lPaNN6^^foV{ILDd{FH0a2etgDG_V9-T#_|SZ^=7ggDblhLOT(kx7cy|wdl)@uuV4Y!&*+ze}{Ab2|ldOOC(+VRwjqORB) X=QXhnbUN}*2l8jYbfHm!Un}qcf~OUe literal 0 HcmV?d00001 diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..d5c7c09 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,30 @@
+CC=clang
+BUILD_PATH=build
+
+default:
+ if [ ! -d $(BUILD_PATH) ]; then \
+ mkdir build; \
+ fi
+ make all
+
+double_free: simple/basic_double_free.c
+ $(CC) -o $(BUILD_PATH)/$@ $^
+
+double_free_interprocedure: simple/double_free_interprocedure.c
+ $(CC) -o $(BUILD_PATH)/$@ $^
+
+simple_mem_leak : simple/simple_mem_leak.c
+ $(CC) -o $(BUILD_PATH)/$@ $^
+
+simple_buffer_overflow : simple/simple_buffer_overflow.c
+ $(CC) -o $(BUILD_PATH)/$@ $^
+
+pointer_overflow : simple/bof.ptrarith.limit.c
+ $(CC) -o $(BUILD_PATH)/$@ $^
+
+
+all: double_free double_free_interprocedure simple_mem_leak simple_buffer_overflow pointer_overflow
+
+clean:
+ cd $(BUILD_PATH)
+ rm double_free simple_pointer
diff --git a/simple/basic_double_free.c b/simple/basic_double_free.c
new file mode 100644
index 0000000..b019119
--- /dev/null
+++ b/simple/basic_double_free.c
@@ -0,0 +1,13 @@
+#include
+#include
+#include
+
+int main(void) {
+ int* i_ptr = malloc(sizeof(int));
+ if (i_ptr) {
+ (void)printf("malloc() success...\n");
+ // Double free
+ free(i_ptr);
+ free(i_ptr);
+ }
+}
diff --git a/simple/bof.inter.loop.c b/simple/bof.inter.loop.c
new file mode 100644
index 0000000..eb8cb80
--- /dev/null
+++ b/simple/bof.inter.loop.c
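Review bot: The clean recipe removes nothing from the build directory, because `cd $(BUILD_PATH)` and `rm double_free simple_pointer` run in separate shells, so the rm targets the repository root, and `simple_pointer` is not produced by any rule while the other four outputs are never cleaned; replace the two lines with `rm -f $(addprefix $(BUILD_PATH)/,double_free double_free_interprocedure simple_mem_leak simple_buffer_overflow pointer_overflow)`. The default recipe hardcodes `mkdir build` where `mkdir $(BUILD_PATH)` would follow the variable. `all` omits simple/bof.inter.loop.c and simple/bofsa.for-loop.c, so two of the seven cases are never built. Recipe lines appear space-indented in this rendering, and make requires a leading tab, so confirm the committed file uses tabs.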
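Review bot: The three `#include` directives at the top of simple/basic_double_free.c carry no header name, which will not compile if that is what is committed; `malloc`/`free` need `<stdlib.h>` and `printf` needs `<stdio.h>`. If the names were lost by whatever rendered this patch (angle brackets are a common casualty), disregard this. The include lines of simple/double_free_interprocedure.c, simple/simple_buffer_overflow.c and simple/simple_mem_leak.c show the same. The `// Double free` marker is the only statement of what this case expects; a header such as `/* Expected finding: the second free(i_ptr) in main is a double free (CWE-415). */` would let a harness key on it.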
@@ -0,0 +1,40 @@
+const unsigned G_MAX = 32;
+
+int getargs(s, arps, count)
+register char *s, *arps[];
+register int count;
+{
+ register int i;
+
+ for (i = 0; i < count; i++) {
+ while (*s == ' ' || *s == '\t')
+ *s++ = '\0';
+ if (*s == '\n')
+ *s = '\0';
+ if (*s == '\0')
+ break;
+ arps[i] = s++;
+ while (*s != '\0' && *s != ' '
+ && *s != '\t' && *s != '\n')
+ s++;
+ }
+ arps[i] = 0; //#1bug-4#
+ return(i);
+}
+
+static int testf1(char *line) {
+ char *carray[G_MAX];
+
+ (void) getargs(line, carray, G_MAX);
+
+ return 0;
+}
+
+int main(int argc, char **argv) {
+ testf1("12345678901234567890"); // 20 chars
+ testf1("123456789012345678901234567890"); // 30 chars
+ testf1("12345678901234567890123456789012345678901234567890"); // 50 chars
+
+ return 0;
+}
+
diff --git a/simple/bof.ptrarith.limit.c b/simple/bof.ptrarith.limit.c
new file mode 100644
index 0000000..a67423c
--- /dev/null
+++ b/simple/bof.ptrarith.limit.c
@@ -0,0 +1,24 @@
+
+void f() {
+ int buf[10];
+ int *limit = buf + 10;
+ int *p = buf;
+ while (p < limit)
+ *p++ = 0;
+}
+
+void f2() {
+ int buf[10];
+ int *limit = buf + 11;
+ int *p = buf;
+ while (p < limit)
+ *p++ = 0; //#1bug-5#
+}
+
+void f3() {
+ int buf[10];
+ int *limit = buf;
+ int *p = buf + 9;
+ while (p >= limit)
+ *p-- = 0;
+}
diff --git a/simple/bofsa.for-loop.c b/simple/bofsa.for-loop.c
new file mode 100644
index 0000000..f3be790
--- /dev/null
+++ b/simple/bofsa.for-loop.c
@@ -0,0 +1,28 @@
+int a[32];
+int bar()
+{
+ int label;
+ int i;
+
+ for(i=0;a[i]!=0 && i<32; i++); //#1bug-5#
+
+ return a[i]; //#1bug-5#
+}
+
+char arr[64];
+int foo( unsigned int inlen ) {
+
+ unsigned char loop, offset;
+
+ /* Test handling of casts around add-rec */
+ while( inlen-- ) {
+ for( loop=0, offset=0; loop < 16; loop++, offset += 4 ) {
+ arr[offset] = 0;
+ arr[offset+1] = 1;
+ arr[offset+2] = 2;
+ arr[offset+3] = 3;
+ }
+ arr[offset] = 0; //#1bug-5#
+ }
+ return 0;
+}
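Review bot: None of the three testf1 calls in main of simple/bof.inter.loop.c reaches the store that `//#1bug-4#` marks: each literal is a single whitespace-free token, so getargs records one pointer, breaks on the terminator with i == 1 and writes arps[1], well inside carray[G_MAX]. The out-of-bounds store arps[count] happens only when all count slots are filled, i.e. an input with at least G_MAX whitespace-separated tokens. That input must also live in a writable buffer, because getargs overwrites separators with '\0' and string literals are read-only; today that is harmless only because no separator occurs. As written the case is useful to a static analyser but a runtime check such as ASan reports nothing, and a comment next to main saying so would spare the next reader the trace.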
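Review bot: simple/bof.ptrarith.limit.c defines no main and nothing calls f, f2 or f3, yet the Makefile's pointer_overflow target links it with `$(CC) -o`, which fails with an undefined reference to main; either add a driver that calls f2, or compile with -c and take it out of `all`. simple/bofsa.for-loop.c has the same shape (no caller for bar or foo). f3 reads as the correct control case, but after its last iteration `p--` yields buf - 1, and forming a pointer before the start of an array is undefined behaviour in C even if never dereferenced; `for (int *p = buf + 10; p > buf; ) *--p = 0;` zeroes the same elements without it. In f2 the expression `buf + 11` is likewise already undefined before the store at `//#1bug-5#`, which is worth stating in the marker so a tool that reports the pointer formation rather than the write is not counted as a false positive.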
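Review bot: bar's marked read `return a[i]` in simple/bofsa.for-loop.c cannot trigger at run time as committed: `a` has static storage and is zero-initialised, nothing ever stores into it, so the loop condition fails at i == 0; a comment stating that the case targets static analysis only would prevent it being judged a false negative in a dynamic run. `int label;` in bar is unused. The empty for-loop body written as a trailing `;` is exactly what `-Wempty-body` complains about; `for(i=0;a[i]!=0 && i<32; i++) { } //#1bug-5#` keeps the deliberately mis-ordered condition while making the empty body explicit.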
diff --git a/simple/double_free_interprocedure.c b/simple/double_free_interprocedure.c
new file mode 100644
index 0000000..ddbefdd
--- /dev/null
+++ b/simple/double_free_interprocedure.c
@@ -0,0 +1,22 @@
+/**
+ * This file is a simple pointer double free case
+ */
+
+
+#include
+#include
+#include
+
+void subroutine(int* i_ptr) {
+ free(i_ptr);
+}
+
+int main(void) {
+ int* i_ptr = malloc(sizeof(int));
+ if (i_ptr) {
+ printf("malloc() success...\n");
+ subroutine(i_ptr);
+ // Use after free
+ free(i_ptr);
+ }
+}
diff --git a/simple/simple_buffer_overflow.c b/simple/simple_buffer_overflow.c
new file mode 100644
index 0000000..17438b9
--- /dev/null
+++ b/simple/simple_buffer_overflow.c
@@ -0,0 +1,10 @@
+#include
+#include
+#include
+
+int main(void) {
+ int buffer[16];
+ for (int i = 0; i < 32; i++) {
+ buffer[i] = i;
+ }
+}
diff --git a/simple/simple_mem_leak.c b/simple/simple_mem_leak.c
new file mode 100644
index 0000000..bd853fb
--- /dev/null
+++ b/simple/simple_mem_leak.c
@@ -0,0 +1,39 @@
+#include
+#include
+#include
+int uadd_ok(unsigned short x, unsigned short y);
+int main(void) {
+ int* i_ptr = malloc(sizeof(int));
+ if (i_ptr) {
+ (void)printf("malloc() success...\n");
+ // mem leak
+ }
+ unsigned short x1 =65530;
+ int re = uadd_ok(x1,200);
+
+
+ return re;
+}
+
+int func(void) {
+ int* i_ptr = malloc(sizeof(int));
+ if (i_ptr) {
+ (void)printf("malloc() success...\n");
+ // mem leak
+ }
+}
+int uadd_ok(unsigned short x, unsigned short y){
+ unsigned short sum =x+y;
+ char c1;
+ char c2 = -128;
+
+ c1=~c2; //error
+
+
+ if(sum >=x) {
+ return 1;
+ }
+
+ if (c1 > 0) return 0;
+
+}
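Review bot: The comment `// Use after free` before the final free(i_ptr) in main of simple/double_free_interprocedure.c mislabels the defect: subroutine() has already released the block, so the second call is a double free, as the file header says. Change it to `// Double free: subroutine() already released i_ptr` so a harness keyed on the label does not look for a read of freed memory. Because the release happens in a callee, a one-line comment on subroutine stating that it takes ownership of i_ptr and frees it would document why the caller must not free again.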
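Review bot: The stores through `buffer[i]` in simple/simple_buffer_overflow.c are never read, so at any optimisation level above -O0 the compiler may drop the loop and the built binary would show no overflow; the Makefile passes no -O flag today, so this only holds as long as that stays true. Declaring the array as `volatile int buffer[16];` keeps the stores regardless of flags. Unlike the sibling cases there is no marker comment; add `// Buffer overflow: buffer has 16 elements, the loop writes 32 (CWE-787)` above the loop.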
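Review bot: Both func and uadd_ok in simple/simple_mem_leak.c can reach their closing brace without returning a value: func has no return statement at all, and uadd_ok falls off the end when `sum >= x` is false and `c1 > 0` is false. Using such a return is undefined behaviour and -Wreturn-type flags both; if they are meant as additional findings, mark them the way the leaks are marked, otherwise add `return 0;` at the end of each. The `//error` on `c1=~c2;` does not say what is wrong — with c2 == -128, ~c2 is 127, which fits in a char — so the marker should name the intended finding or be removed. func is also never called, so its leak is only reachable by a static tool; a note to that effect next to it matches the other cases.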