weishao
3 years ago
commit
ab31e77d30
9 changed files with 206 additions and 0 deletions
Unified View
Diff Options
-
BIN.DS_Store
-
+30 -0Makefile
-
+13 -0simple/basic_double_free.c
-
+40 -0simple/bof.inter.loop.c
-
+24 -0simple/bof.ptrarith.limit.c
-
+28 -0simple/bofsa.for-loop.c
-
+22 -0simple/double_free_interprocedure.c
-
+10 -0simple/simple_buffer_overflow.c
-
+39 -0simple/simple_mem_leak.c
BIN
.DS_Store
View File
+ 30
- 0
Makefile
View File
| @@ -0,0 +1,30 @@ | |||||
| CC=clang | |||||
| BUILD_PATH=build | |||||
| default: | |||||
| if [ ! -d $(BUILD_PATH) ]; then \ | |||||
| mkdir build; \ | |||||
| fi | |||||
| make all | |||||
| double_free: simple/basic_double_free.c | |||||
| $(CC) -o $(BUILD_PATH)/$@ $^ | |||||
| double_free_interprocedure: simple/double_free_interprocedure.c | |||||
| $(CC) -o $(BUILD_PATH)/$@ $^ | |||||
| simple_mem_leak : simple/simple_mem_leak.c | |||||
| $(CC) -o $(BUILD_PATH)/$@ $^ | |||||
| simple_buffer_overflow : simple/simple_buffer_overflow.c | |||||
| $(CC) -o $(BUILD_PATH)/$@ $^ | |||||
| pointer_overflow : simple/bof.ptrarith.limit.c | |||||
| $(CC) -o $(BUILD_PATH)/$@ $^ | |||||
| all: double_free double_free_interprocedure simple_mem_leak simple_buffer_overflow pointer_overflow | |||||
| clean: | |||||
| cd $(BUILD_PATH) | |||||
| rm double_free simple_pointer | |||||
+ 13
- 0
simple/basic_double_free.c
View File
| @@ -0,0 +1,13 @@ | |||||
| #include <memory.h> | |||||
| #include <stdlib.h> | |||||
| #include <stdio.h> | |||||
| int main(void) { | |||||
| int* i_ptr = malloc(sizeof(int)); | |||||
| if (i_ptr) { | |||||
| (void)printf("malloc() success...\n"); | |||||
| // Double free | |||||
| free(i_ptr); | |||||
| free(i_ptr); | |||||
| } | |||||
| } | |||||
+ 40
- 0
simple/bof.inter.loop.c
View File
| @@ -0,0 +1,40 @@ | |||||
| const unsigned G_MAX = 32; | |||||
| int getargs(s, arps, count) | |||||
| register char *s, *arps[]; | |||||
| register int count; | |||||
| { | |||||
| register int i; | |||||
| for (i = 0; i < count; i++) { | |||||
| while (*s == ' ' || *s == '\t') | |||||
| *s++ = '\0'; | |||||
| if (*s == '\n') | |||||
| *s = '\0'; | |||||
| if (*s == '\0') | |||||
| break; | |||||
| arps[i] = s++; | |||||
| while (*s != '\0' && *s != ' ' | |||||
| && *s != '\t' && *s != '\n') | |||||
| s++; | |||||
| } | |||||
| arps[i] = 0; //#1bug-4# | |||||
| return(i); | |||||
| } | |||||
| static int testf1(char *line) { | |||||
| char *carray[G_MAX]; | |||||
| (void) getargs(line, carray, G_MAX); | |||||
| return 0; | |||||
| } | |||||
| int main(int argc, char **argv) { | |||||
| testf1("12345678901234567890"); // 20 chars | |||||
| testf1("123456789012345678901234567890"); // 30 chars | |||||
| testf1("12345678901234567890123456789012345678901234567890"); // 50 chars | |||||
| return 0; | |||||
| } | |||||
+ 24
- 0
simple/bof.ptrarith.limit.c
View File
| @@ -0,0 +1,24 @@ | |||||
| void f() { | |||||
| int buf[10]; | |||||
| int *limit = buf + 10; | |||||
| int *p = buf; | |||||
| while (p < limit) | |||||
| *p++ = 0; | |||||
| } | |||||
| void f2() { | |||||
| int buf[10]; | |||||
| int *limit = buf + 11; | |||||
| int *p = buf; | |||||
| while (p < limit) | |||||
| *p++ = 0; //#1bug-5# | |||||
| } | |||||
| void f3() { | |||||
| int buf[10]; | |||||
| int *limit = buf; | |||||
| int *p = buf + 9; | |||||
| while (p >= limit) | |||||
| *p-- = 0; | |||||
| } | |||||
+ 28
- 0
simple/bofsa.for-loop.c
View File
| @@ -0,0 +1,28 @@ | |||||
| int a[32]; | |||||
| int bar() | |||||
| { | |||||
| int label; | |||||
| int i; | |||||
| for(i=0;a[i]!=0 && i<32; i++); //#1bug-5# | |||||
| return a[i]; //#1bug-5# | |||||
| } | |||||
| char arr[64]; | |||||
| int foo( unsigned int inlen ) { | |||||
| unsigned char loop, offset; | |||||
| /* Test handling of casts around add-rec */ | |||||
| while( inlen-- ) { | |||||
| for( loop=0, offset=0; loop < 16; loop++, offset += 4 ) { | |||||
| arr[offset] = 0; | |||||
| arr[offset+1] = 1; | |||||
| arr[offset+2] = 2; | |||||
| arr[offset+3] = 3; | |||||
| } | |||||
| arr[offset] = 0; //#1bug-5# | |||||
| } | |||||
| return 0; | |||||
| } | |||||
+ 22
- 0
simple/double_free_interprocedure.c
View File
| @@ -0,0 +1,22 @@ | |||||
| /** | |||||
| * This file is a simple pointer double free case | |||||
| */ | |||||
| #include <memory.h> | |||||
| #include <stdlib.h> | |||||
| #include <stdio.h> | |||||
| void subroutine(int* i_ptr) { | |||||
| free(i_ptr); | |||||
| } | |||||
| int main(void) { | |||||
| int* i_ptr = malloc(sizeof(int)); | |||||
| if (i_ptr) { | |||||
| printf("malloc() success...\n"); | |||||
| subroutine(i_ptr); | |||||
| // Use after free | |||||
| free(i_ptr); | |||||
| } | |||||
| } | |||||
+ 10
- 0
simple/simple_buffer_overflow.c
View File
| @@ -0,0 +1,10 @@ | |||||
| #include <memory.h> | |||||
| #include <stdlib.h> | |||||
| #include <stdio.h> | |||||
| int main(void) { | |||||
| int buffer[16]; | |||||
| for (int i = 0; i < 32; i++) { | |||||
| buffer[i] = i; | |||||
| } | |||||
| } | |||||
+ 39
- 0
simple/simple_mem_leak.c
View File
| @@ -0,0 +1,39 @@ | |||||
| #include <memory.h> | |||||
| #include <stdlib.h> | |||||
| #include <stdio.h> | |||||
| int uadd_ok(unsigned short x, unsigned short y); | |||||
| int main(void) { | |||||
| int* i_ptr = malloc(sizeof(int)); | |||||
| if (i_ptr) { | |||||
| (void)printf("malloc() success...\n"); | |||||
| // mem leak | |||||
| } | |||||
| unsigned short x1 =65530; | |||||
| int re = uadd_ok(x1,200); | |||||
| return re; | |||||
| } | |||||
| int func(void) { | |||||
| int* i_ptr = malloc(sizeof(int)); | |||||
| if (i_ptr) { | |||||
| (void)printf("malloc() success...\n"); | |||||
| // mem leak | |||||
| } | |||||
| } | |||||
| int uadd_ok(unsigned short x, unsigned short y){ | |||||
| unsigned short sum =x+y; | |||||
| char c1; | |||||
| char c2 = -128; | |||||
| c1=~c2; //error | |||||
| if(sum >=x) { | |||||
| return 1; | |||||
| } | |||||
| if (c1 > 0) return 0; | |||||
| } | |||||