Added counter examples

CWE-119/src/SCE_1_test1.c

@@ -0,0 +1,19 @@
+#include <stdio.h>
+
+/*This function attempts to extract a pair of numbers from a user-supplied string.*/
+void parse_data(char *untrusted_input){
+    int m = 0, n = 0, error; // Initialize m and n to 0
+    error = sscanf(untrusted_input, "%d:%d", &m, &n);
+
+    if (error != 2){ // Check if two values were parsed
+        printf("Did not specify two integer values. Die evil hacker!\n");
+        return; // Exit the function
+    }
+
+    printf("m is %d and n is %d", m, n);
+}
+
+int main(){
+    parse_data("123:");
+    return 0;
+}

CWE-119/src/SCE_2_test2.c

@@ -0,0 +1,56 @@
+#define MAX_SIZE 16
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+
+char * copy_input(char *user_supplied_string){
+    int i, dst_index;
+    size_t potential_length = strlen(user_supplied_string) * 5; // Maximum expansion factor is 5
+
+    if (potential_length > 4 * MAX_SIZE) {
+        printf("Encoded string might be too long, die evil hacker!\n");
+        exit(0);
+    }
+
+    char *dst_buf = (char*) malloc(potential_length + 1); // +1 for null terminator
+    if (!dst_buf) {
+        printf("Memory allocation failed!\n");
+        exit(0);
+    }
+
+    dst_index = 0;
+    for (i = 0; i < strlen(user_supplied_string); i++) {
+        if ('&' == user_supplied_string[i]) {
+            dst_buf[dst_index++] = '&';
+            dst_buf[dst_index++] = 'a';
+            dst_buf[dst_index++] = 'm';
+            dst_buf[dst_index++] = 'p';
+            dst_buf[dst_index++] = ';';
+        }
+        else if ('<' == user_supplied_string[i]) {
+            // encode to &lt;
+        }
+        else {
+            dst_buf[dst_index++] = user_supplied_string[i];
+        }
+    }
+    dst_buf[dst_index] = '\0'; // Null-terminate the string
+    return dst_buf;
+}
+
+int main(){
+    char uss[MAX_SIZE + 1]; // +1 for null terminator
+    ssize_t bytes_read = read(0, uss, MAX_SIZE);
+    if (bytes_read <= 0) {
+        printf("Failed to read input or input is empty.\n");
+        return 1;
+    }
+    uss[bytes_read] = '\0'; // Null-terminate the string
+
+    char *dst_buff = copy_input(uss);
+    printf("%s", dst_buff); // Use %s format specifier for strings
+
+    free(dst_buff); // Free the allocated memory
+    return 0;
+}

CWE-119/src/SCE_3_test3.c

@@ -0,0 +1,23 @@
+#include <stdio.h>
+
+/*The following example asks a user for an offset into an array to select an item.*/
+int GetUntrustedOffset(){
+    int x = -1;
+    return x;
+}
+
+int main (int argc, char **argv) {
+    char *items[] = {"boat", "car", "truck", "train"};
+    int num_items = sizeof(items) / sizeof(items[0]); // Calculate the number of items in the array
+
+    int index = GetUntrustedOffset();
+
+    // Validate the index to ensure it's within the valid range
+    if (index <= 0 || index > num_items) {
+        printf("Invalid selection.\n");
+        return 1;
+    }
+
+    printf("You selected %s\n", items[index-1]);
+    return 0;
+}

CWE-119/src/SCE_4_test4.c

@@ -0,0 +1,45 @@
+#define MAX_SIZE 16
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]){
+    int i, j = 0;
+    char a[MAX_SIZE + 1]; // +1 for null terminator
+
+    /*checks if the user provided an input*/
+    if (argc < 2) return 0;
+
+    /* Calculate the potential length of the encoded string */
+    int potential_length = 0;
+    for (i = 0; i < strlen(argv[1]); i++) {
+        if ('&' == argv[1][i]) {
+            potential_length += 5; // For &amp;
+        } else {
+            potential_length += 1;
+        }
+    }
+
+    /*checks if the potential encoded length fits in the array a*/
+    if (potential_length >= MAX_SIZE) {
+        printf("Encoded string might be too long\n");
+        return 0;
+    }
+
+    /*performs the encoding*/
+    for (i = 0; i < strlen(argv[1]) && j < MAX_SIZE; i++) {
+        if ('&' == argv[1][i]) {
+            a[j++] = '&';
+            a[j++] = 'a';
+            a[j++] = 'm';
+            a[j++] = 'p';
+            a[j++] = ';';
+        } else {
+            a[j++] = argv[1][i];
+        }
+    }
+    a[j] = '\0'; // Null-terminate the string
+    printf("The encoded string is %s \n", a);
+    return 0;
+}

CWE-120/src/SCE_1_test1.c

@@ -0,0 +1,8 @@
+#include <stdio.h>
+
+int main(){
+    char last_name[20];
+    printf("Enter your last name: ");
+    scanf("%19s", last_name); // Limit input to 19 characters
+    return 0;
+}

CWE-125/src/SCE_1.c

@@ -0,0 +1,7 @@
+int main()
+{
+    int a[10];
+    int last_index = sizeof(a) / sizeof(a[0]) - 1;  // Calculate the last index of the array
+    a[last_index] = 0;  // Set the last element of the array to 0
+    return 0;
+}

CWE-125/src/SCE_2.c

@@ -0,0 +1,18 @@
+int main()
+{
+    int x;
+    int y = 10;
+    int a[10];
+
+    int array_size = sizeof(a) / sizeof(a[0]);
+
+    if (y >= 0 && y < array_size) {
+        x = a[y];
+    } else {
+        // Handle out-of-bounds access, e.g., set x to a default value or print an error message
+        x = 0;  // Default value
+        printf("Index out of bounds!\n");
+    }
+
+    return 0;
+}

CWE-125/src/SCE_3.c

@@ -0,0 +1,18 @@
+int main()
+{
+    int x;
+    int y = 10;
+    int a[10];
+
+    int array_size = sizeof(a) / sizeof(a[0]);
+
+    if (y+2 >= 0 && y+2 < array_size) {
+        x = a[y+2];
+    } else {
+        // Handle out-of-bounds access, e.g., set x to a default value or print an error message
+        x = 0;  // Default value
+        printf("Index out of bounds!\n");
+    }
+
+    return 0;
+}

CWE-125/src/SCE_4.c

@@ -0,0 +1,13 @@
+int main()
+{
+    int a[10];
+    int array_size = sizeof(a) / sizeof(a[0]);
+    int y = array_size - 1;  // Start with the last valid index of the array
+
+    while (y >= 0) 
+    {   
+        a[y] = y;
+        y = y - 1;
+    }
+    return 0;
+}

CWE-134/src/SCE_1.c

@@ -0,0 +1,20 @@
+#include <stdio.h>
+#include <string.h>
+
+void printWrapper(char *string) {
+    printf("%s", string);  // Use a fixed format string
+}
+
+int main(int argc, char **argv) {
+    if (argc < 2) {
+        printf("Usage: %s <string>\n", argv[0]);
+        return 1;
+    }
+
+    char buf[5012];
+    strncpy(buf, argv[1], sizeof(buf) - 1);  // Use strncpy to prevent buffer overflow
+    buf[sizeof(buf) - 1] = '\0';  // Ensure null termination
+
+    printWrapper(buf);
+    return 0;
+}

CWE-134/src/SCE_2.c

@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+int main(int argc, char **argv)
+{
+    if (argc < 2) {
+        printf("Usage: %s <string>\n", argv[0]);
+        return 1;
+    }
+
+    char buf[100];
+    int x = 1;
+
+    // Use a fixed format string with snprintf
+    snprintf(buf, sizeof(buf), "%s", argv[1]);
+    buf[sizeof(buf) - 1] = 0;
+
+    printf("Buffer size is: (%d) \n Data input: %s \n", strlen(buf), buf);
+    printf("X equals: %d in hex: %#x\n Memory address for x: (%p) \n", x, x, &x);
+    return 0;
+}

CWE-170/SCE_1.c

@@ -0,0 +1,23 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#define MAXLEN 1024
+
+int main() {
+    char inputbuf[MAXLEN];
+    char pathbuf[MAXLEN];
+
+    // Read data and ensure it's null-terminated
+    ssize_t bytes_read = read(0, inputbuf, MAXLEN - 1); // Leave space for null terminator
+    if (bytes_read <= 0) {
+        perror("Failed to read data");
+        return 1;
+    }
+    inputbuf[bytes_read] = '\0'; // Null-terminate the string
+
+    // Safely copy the string
+    strncpy(pathbuf, inputbuf, MAXLEN - 1);
+    pathbuf[MAXLEN - 1] = '\0'; // Ensure pathbuf is null-terminated
+
+    return 0;
+}

CWE-190/SCE_1.c

@@ -0,0 +1,30 @@
+#include <unistd.h>
+#include <stdlib.h>
+
+int main()
+{
+    char *buf;
+    int len;
+
+    // Read the length
+    read(0, &len, sizeof(len));
+
+    // Check for negative values and a safe upper limit
+    if (len <= 0 || len > 8000) {
+        return 0;
+    }
+
+    // Allocate memory
+    buf = malloc(len);
+    if (!buf) {
+        perror("Memory allocation failed");
+        return 1;
+    }
+
+    // Read data into the buffer
+    read(0, buf, len);
+
+    // Clean up
+    free(buf);
+    return 0;
+}

CWE-193/src/SCE_1.c

@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <string.h>
+
+int main() {
+    char firstname[20];
+    char lastname[20];
+    char fullname[40];
+
+    // Assuming you want to initialize both firstname and lastname to empty strings
+    firstname[0] = '\0';
+    lastname[0] = '\0';
+
+    strncat(fullname, firstname, 20); // Appends up to 20 characters plus a null terminator
+    strncat(fullname, lastname, 19);  // Appends up to 19 characters to leave space for the null terminator
+
+    return 0;
+}

CWE-195/src/SCE_1.c

@@ -0,0 +1,16 @@
+#include <stdio.h>
+
+unsigned int amount(int y) {
+    if (y < 0) {
+        printf("Error: Negative value provided.\n");
+        return 0; // or handle the error as appropriate
+    }
+    return (unsigned int)y;
+}
+
+int main() {
+    int amoun;
+    int value = -300;
+    amoun = amount(value);
+    return 0;
+}

CWE-197/src/SCE_1.c

@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <limits.h>
+
+int main() {
+    int intPrimitive;
+    short shortPrimitive;
+
+    intPrimitive = (int)(~((int)0) ^ (1 << (sizeof(int)*8-1)));
+
+    // Check if intPrimitive exceeds the range of short
+    if (intPrimitive > SHRT_MAX || intPrimitive < SHRT_MIN) {
+        printf("Error: Value exceeds the range of short.\n");
+        return 1;
+    }
+
+    shortPrimitive = (short)intPrimitive;
+
+    // Use appropriate format specifiers
+    printf("Int MAXINT: %d\nShort MAXINT: %hd\n", intPrimitive, shortPrimitive);
+
+    return 0;
+}