1  /* Examples adapted from https://cwe.mitre.org/data/definitions/131.html
       2     which states "Copyright © 2006–2022, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation."
       3     and which has this on:
       4       https://cwe.mitre.org/about/termsofuse.html
       5  
       6     Terms of Use
       7  
       8     CWE™ is free to use by any organization or individual for any research, development, and/or commercial purposes, per these CWE Terms of Use. The MITRE Corporation ("MITRE") has copyrighted the CWE List, Top 25, CWSS, and CWRAF for the benefit of the community in order to ensure each remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. CWE is a trademark of MITRE. Please contact cwe@mitre.org if you require further clarification on this issue.
       9  
      10     LICENSE
      11  
      12     CWE Submissions: By submitting materials to The MITRE Corporation’s ("MITRE") Common Weakness Enumeration Program (CWE™), you hereby grant to MITRE a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to use, reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute your submitted materials and derivative works. Unless otherwise required by applicable law or agreed to in writing, it is understood that you are providing such materials on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
      13  
      14     CWE Usage: MITRE hereby grants you a non-exclusive, royalty-free license to use CWE for research, development, and commercial purposes. Any copy you make for such purposes is authorized on the condition that you reproduce MITRE’s copyright designation and this license in any such copy.
      15  
      16     DISCLAIMERS
      17  
      18     ALL DOCUMENTS AND THE INFORMATION CONTAINED IN THE CWE ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
      19  
      20     IN NO EVENT SHALL THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE INFORMATION OR THE USE OR OTHER DEALINGS IN THE CWE.  */
      21  
      22  #include <stdio.h>
      23  #include <stdlib.h>
      24  #include <string.h>
      25  
      26  /* Support decls for example 1.  */
      27  
/* Source of the element count for example_1.  Its name marks the value as
   untrusted; the examples below treat it as attacker-controlled input.
   Declared without a prototype, exactly as in the CWE text.  */
extern unsigned int GetUntrustedSizeValue();
/* Reports a fatal error and never returns (noreturn lets the analyzer
   know the checks that call it are terminal).  */
extern void ExitError(const char *) __attribute__((noreturn));

/* Empty struct (a GNU C extension) standing in for the real widget type;
   only pointers to it are ever stored.  */
typedef struct Widget
{
} Widget;

/* Upper bound enforced by example_1's range check on numWidgets.  */
#define MAX_NUM_WIDGETS 100

extern Widget *InitializeWidget();
extern void showWidgets(Widget **);
      39  
/* CWE-131 example 1: the range check on numWidgets is sound, but the
   allocation holds exactly numWidgets pointers, so the NULL-sentinel store
   at index numWidgets lands one element past the end of the buffer
   (off-by-one heap overflow).  The malloc result is never checked, so the
   stores may also dereference NULL.  The dg-warning markers record what
   -fanalyzer is expected to report on each line.  */
void example_1 (void)
{
  int i;
  unsigned int numWidgets;
  Widget **WidgetList;

  numWidgets = GetUntrustedSizeValue();
  if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {
    ExitError("Incorrect number of widgets requested!");
  }
  /* A terminating NULL entry would need numWidgets + 1 elements here.  */
  WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));
  printf("WidgetList ptr=%p\n", WidgetList);
  /* Signed i vs. unsigned numWidgets: harmless here because numWidgets is
     bounded by MAX_NUM_WIDGETS above, but a -Wsign-compare hazard.  */
  for(i=0; i<numWidgets; i++) {
    WidgetList[i] = InitializeWidget(); /* { dg-warning "dereference of possibly-NULL 'WidgetList'" } */
  }
  WidgetList[numWidgets] = NULL; /* { dg-warning "heap-based buffer overflow" } */
  showWidgets(WidgetList);
}
      58  
      59  /* Support decls for example 2.  */
      60  
/* Stand-in for the image record of example 2; 1024 bytes so that the
   size multiplication in example_2 has a non-trivial element size.  */
typedef struct img_t
{
  char placeholder[1024];
} img_t;

/* Returns the element count used by example_2; a plain (signed) int,
   which is the root of the weakness demonstrated there.  */
extern int get_num_imgs();
      67  
/* CWE-131 example 2: num_imgs is a signed int taken from get_num_imgs()
   without any range check.  In sizeof(img_t)*num_imgs it is converted to
   size_t, so a negative count becomes a huge request and a large positive
   count can wrap the product; either way the buffer does not match what
   callers expect.  Returns the raw malloc result (possibly NULL, never
   checked); the caller owns and must free it.  */
img_t *example_2 (void)
{
  img_t *table_ptr; /*struct containing img data, 10kB each*/
  int num_imgs;
  /* ... */
  num_imgs = get_num_imgs();
  /* No check that num_imgs > 0 or that the product fits in size_t.  */
  table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs); /* TODO: ideally we'd warn about possible overflow here.  */
  /* ... */
  return table_ptr;
}
      78  
      79  /* Support decls for example 3.  */
      80  
/* Maximum input length accepted by example_3; its output buffer is sized
   as 4 * MAX_SIZE bytes.  */
#define MAX_SIZE 100
/* Aborts with a message and never returns.  */
extern void die(const char *) __attribute__((noreturn));
      83  
/* CWE-131 example 3: HTML-escapes user_supplied_string into a heap buffer
   whose size was derived from the wrong expansion factor.  The buffer is
   4 * MAX_SIZE bytes, the input is limited to fewer than MAX_SIZE
   characters, but every '&' expands to the five bytes "&amp;", so an input
   made mostly of '&' overruns the buffer.  Further defects visible here:
   the malloc result is unchecked, the output is never NUL-terminated
   (only dst_index bytes are written), '<' is silently dropped rather than
   encoded, and strlen() is re-evaluated on every loop iteration.
   Returns the heap buffer; the caller owns it.  */
char * example_3 (char *user_supplied_string)
{
  int i, dst_index;
  /* 4 bytes per input char is not enough for "&amp;" (5 bytes).  */
  char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);
  if ( MAX_SIZE <= strlen(user_supplied_string) ){
    die("user string too long, die evil hacker!");
  }
  dst_index = 0;
  for ( i = 0; i < strlen(user_supplied_string); i++ ){
    if( '&' == user_supplied_string[i] ){
      dst_buf[dst_index++] = '&'; /* { dg-warning "dereference of possibly-NULL 'dst_buf'" } */
      dst_buf[dst_index++] = 'a';
      dst_buf[dst_index++] = 'm';
      dst_buf[dst_index++] = 'p';
      dst_buf[dst_index++] = ';'; /* TODO: ideally we'd warn about possible out-of-bounds write here.  */
    }
    else if ('<' == user_supplied_string[i] ){
      /* Would encode '<' as "&lt;"; left unimplemented in the example, so
         the character is dropped from the output.  */
    }
    else dst_buf[dst_index++] = user_supplied_string[i]; /* { dg-warning "dereference of possibly-NULL 'dst_buf'" } */
  }
  /* No terminating '\0' is written before returning.  */
  return dst_buf;
}
     107  
     108  /* Support decls for example 4.  */
     109  
/* Packet as read from the socket; `headers' is the header count the peer
   supplies and is therefore untrusted.  */
typedef struct DataPacket { int headers; } DataPacket;
/* Empty struct (GNU C extension) standing in for a parsed header.  */
typedef struct PacketHeader {} PacketHeader;
extern int AcceptSocketConnection();
extern void ReadPacket(DataPacket *, int);
extern void ParsePacketHeaders(DataPacket *, PacketHeader *);
     115  
/* CWE-131 example 4: numHeaders comes from the packet (network input) and
   only its upper bound is checked.  A negative value passes the check and,
   once converted to size_t in the multiplication, turns into an enormous
   allocation request; zero passes too and yields a zero-byte buffer.  The
   malloc result is handed to ParsePacketHeaders without a NULL check.
   `packet' is filled in by ReadPacket before `headers' is read.  */
void example_4 (DataPacket *packet)
{
  int sock;

  int numHeaders;
  PacketHeader *headers;

  sock=AcceptSocketConnection();
  ReadPacket(packet, sock);
  numHeaders =packet->headers;

  /* Missing the lower bound: numHeaders <= 0 should be rejected here.  */
  if (numHeaders > 100) {
    ExitError("too many headers!");
  }
  headers = malloc(numHeaders * sizeof(PacketHeader)); /* TODO: ideally we'd warn about possible overflow here with negative numHeaders.  */
  ParsePacketHeaders(packet, headers);
}
     133  
/* CWE-131 example 5: the element count is passed to malloc as if it were a
   byte count.  malloc(3) yields three bytes, not three ints, so every
   store below writes past the end of the buffer.  The buffer is also never
   freed, hence the leak warning on the closing brace.  */
void example_5 (void)
{
  int *id_sequence;

  /* Allocate space for an array of three ids. */
  /* Should be malloc(3 * sizeof *id_sequence).  */
  id_sequence = (int*) malloc(3); /* { dg-warning "allocated buffer size is not a multiple of the pointee's size" } */
  if (id_sequence == NULL) exit(1);

  /* Populate the id array. */
  id_sequence[0] = 13579; /* { dg-warning "heap-based buffer overflow" } */
  id_sequence[1] = 24680; /* { dg-warning "heap-based buffer overflow" } */
  id_sequence[2] = 97531; /* { dg-warning "heap-based buffer overflow" } */
} /* { dg-warning "leak of 'id_sequence'" } */