From b80c9b589c3956c5a9e1e63d4b8dc49d7da79d44 Mon Sep 17 00:00:00 2001
From: Huyou <huyou36@126.com>
Date: Thu, 22 Oct 2020 13:43:24 +0800
Subject: [PATCH] 5 vulns

---
 poc/vuln-1.poc  |  2 ++
 poc/vuln-2.poc  |  3 +++
 poc/vuln-3.poc  |  4 ++++
 poc/vuln-4.poc  |  3 +++
 poc/vuln-5.poc  |  4 ++++
 src/vuln-1/dc.c | 10 ++++++----
 src/vuln-2/dc.c |  7 ++-----
 src/vuln-3/dc.c | 10 +++++++---
 src/vuln-4/dc.c |  5 +++--
 src/vuln-5/dc.c | 10 +++++++---
 10 files changed, 41 insertions(+), 17 deletions(-)

diff --git a/poc/vuln-1.poc b/poc/vuln-1.poc
index e69de29..eba4958 100644
--- a/poc/vuln-1.poc
+++ b/poc/vuln-1.poc
@@ -0,0 +1,2 @@
+push 5
+store aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
\ No newline at end of file
diff --git a/poc/vuln-2.poc b/poc/vuln-2.poc
index e69de29..0724af2 100644
--- a/poc/vuln-2.poc
+++ b/poc/vuln-2.poc
@@ -0,0 +1,3 @@
+push 5
++
+print
\ No newline at end of file
diff --git a/poc/vuln-3.poc b/poc/vuln-3.poc
index e69de29..9898eb7 100644
--- a/poc/vuln-3.poc
+++ b/poc/vuln-3.poc
@@ -0,0 +1,4 @@
+push 5
+store a
+load a
+print
\ No newline at end of file
diff --git a/poc/vuln-4.poc b/poc/vuln-4.poc
index e69de29..51b30b9 100644
--- a/poc/vuln-4.poc
+++ b/poc/vuln-4.poc
@@ -0,0 +1,3 @@
+push 5
+-
+print
\ No newline at end of file
diff --git a/poc/vuln-5.poc b/poc/vuln-5.poc
index e69de29..5bd0e4a 100644
--- a/poc/vuln-5.poc
+++ b/poc/vuln-5.poc
@@ -0,0 +1,4 @@
+push 5
+store a
+remove a
+list
\ No newline at end of file
diff --git a/src/vuln-1/dc.c b/src/vuln-1/dc.c
index 63fb7f4..9aecf11 100644
--- a/src/vuln-1/dc.c
+++ b/src/vuln-1/dc.c
@@ -72,7 +72,10 @@ static void node_print(const node_t *p){
 static node_t *node_new(const char *varname, const value_t value){
   node_t *new = malloc(sizeof(node_t));
   assert(new != NULL && "new: malloc failed");
-  new->varname = strdup(varname);
+  //new->varname = strdup(varname);
+  //vuln-1
+  new->varname = (char *)malloc(1015 * sizeof(char));
+  strcpy(new->varname, varname);
   assert(new->varname != NULL && "new: strdup varname failed");
   new->value = value;
   new->left = NULL;
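Review bot: `strcpy(new->varname, varname)` copies an unbounded caller-supplied string into a fixed 1015-byte allocation, so any varname of 1015 or more characters writes past the end of the heap block. The assertion on the following line also runs only after the copy, so a failed malloc would be written through before it is checked, and its message still refers to strdup. If a fixed buffer is really wanted, check the allocation first and bound the copy: `new->varname = malloc(1015);` / `assert(new->varname != NULL && "new: malloc varname failed");` / `snprintf(new->varname, 1015, "%s", varname);` — or simply keep the `strdup` line the commit comments out. node_new continues past the end of this hunk.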
@@ -109,7 +112,7 @@ static node_t * node_insert(node_t *p, node_t *q){
   node_t ** new = NULL;
   node_t * const start = p;
   while (new == NULL) {
-    int ret = strcmp(q->varname,p->varname);
+    int ret = strcmp(q->varname,p->varname);//exchange p and q
     if (ret == 0){
       assert (q->left == NULL && q->right == NULL && "illegal insertion");
       /* edit the node in place */
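Review bot: The comment `//exchange p and q` appended to the strcmp line in node_insert describes a change the line does not make: the call is `strcmp(q->varname,p->varname)` on both the old and the new side, so nothing was exchanged. A comment that claims a swap the code did not perform will send the next reader looking for a bug that is not there. Either drop it, leaving `int ret = strcmp(q->varname,p->varname);`, or state what it is actually marking. node_insert begins and ends outside this hunk.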
@@ -146,8 +149,7 @@ static void destroy(node_t *p){
     node_t * left = p->left;
     node_t * const right = p->right;
     left = node_insert(left,right);
-    //node_free(p);
-    free(p);
+    node_free(p);
     p = left;
   }
 }
diff --git a/src/vuln-2/dc.c b/src/vuln-2/dc.c
index ed843fe..bc2abf1 100644
--- a/src/vuln-2/dc.c
+++ b/src/vuln-2/dc.c
@@ -74,10 +74,6 @@ static node_t *node_new(const char *varname, const value_t value){
   assert(new != NULL && "new: malloc failed");
   new->varname = strdup(varname);
   assert(new->varname != NULL && "new: strdup varname failed");
-  /***********/
-  new->varname = (char *)malloc (1002*sizeof(char));
-  strcpy(new->varname, varname);
- /*********/
   new->value = value;
   new->left = NULL;
   new->right = NULL;
@@ -477,7 +473,8 @@ static int execute(void){
       return -1;
     }
     
-    if (stack_size() < 2){
+	//vuln-2
+    if (stack_size() < 1){
       debug_printf("Add from insufficient stack\n");
       return -1;
     }
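Review bot: The changed guard `if (stack_size() < 1)` lets the Add instruction run with a single value on the stack, yet an addition consumes two operands, so the second pop (not in this hunk, but implied by the two-operand operation) would read from an empty stack. The check should remain `if (stack_size() < 2){`. The same weakening appears in src/vuln-4/dc.c, where the Sub guard became `if (stack_size() == 0)` and should likewise read `if (stack_size() < 2){`. The added marker comment `//vuln-2` is tab-indented while the surrounding code uses spaces. execute begins and ends outside this hunk.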
diff --git a/src/vuln-3/dc.c b/src/vuln-3/dc.c
index 1a47cd0..0d9795a 100644
--- a/src/vuln-3/dc.c
+++ b/src/vuln-3/dc.c
@@ -429,8 +429,10 @@ int save_levelorder(const node_t *p,
 
 /* returns 0 on successful execution of the instruction in inst */
 static int execute(void){
-  char * toks[4]; /* these are pointers to start of different tokens */
-  const unsigned int numToks = tokenise(inst,toks,4);
+
+	/*---- vuln3 ----*/
+  char * toks[2]; /* these are pointers to start of different tokens */
+  const unsigned int numToks = tokenise(inst,toks,2);
     
   if (numToks == 0){
     /* blank line */
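Review bot: Shrinking `toks` to two entries and passing 2 to tokenise leaves valid indices 0 and 1 only, while later in this same file the load path reads `toks[2]` (visible further down in this diff); that read is past the end of the array. The capacity was 4 before, and unless every instruction is known to take at most two tokens, the smaller limit presumably makes tokenise drop a third token silently rather than the instruction failing its token-count check. Restore `char * toks[4];` and `tokenise(inst,toks,4)`, or at minimum keep every `toks[i]` used below within the new bound. src/vuln-5/dc.c makes the identical change at the top of its execute. execute continues past the end of this hunk.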
@@ -443,7 +445,9 @@ static int execute(void){
       return -1;
     }
     debug_printf("Looking up: %s\n",toks[1]);
-    const node_t *p = lookup(map,toks[1]);
+
+	/*---- vuln3 ----*/
+    const node_t *p = lookup(map,toks[2]);
     if (p != NULL){
       if (stack_full()){
         debug_printf("Trying to load onto full stack\n");
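Review bot: `lookup(map,toks[2])` indexes the third token, but the debug line directly above prints `toks[1]` as the name being looked up, and with toks declared with two entries at the top of execute, `toks[2]` is an out-of-bounds read that hands lookup an indeterminate pointer. The operand of a two-token `load a` instruction is `toks[1]`, so the line should be `const node_t *p = lookup(map,toks[1]);`. The remove path in src/vuln-5/dc.c has the same `rem(map,toks[2])` after a `Removing: toks[1]` debug line and should use `toks[1]` there too. execute begins and ends outside this hunk.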
diff --git a/src/vuln-4/dc.c b/src/vuln-4/dc.c
index 1a47cd0..a7421ab 100644
--- a/src/vuln-4/dc.c
+++ b/src/vuln-4/dc.c
@@ -182,7 +182,7 @@ static node_t * rem(node_t *p, const char *varname){
   return start; // not found
 }
 
-const char WHITESPACE[] = " \t\r\n";
+const char WHITESPACE[] = " \r\n";
 
 
 /* tokenise a string, splitting on characters in WHITESPACE, up to
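Review bot: Dropping `\t` from WHITESPACE changes what tokenise treats as a separator, so a tab between an instruction and its operand now stays inside the first token and, presumably, no instruction name matches it any more. Nothing in the hunk says why the set was narrowed; if tabs are meant to be rejected, the tokenise comment that begins at the end of this hunk should state that separators are space, CR and LF only, otherwise restore `const char WHITESPACE[] = " \t\r\n";`. If WHITESPACE is not referenced from another translation unit, `static const char WHITESPACE[]` would also keep it out of the global namespace.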
@@ -488,7 +488,8 @@ static int execute(void){
       return -1;
     }
     
-    if (stack_size() < 2){
+	/*---- vuln4 ----*/
+    if (stack_size() == 0){
       debug_printf("Sub from insufficient stack\n");
       return -1;
     }
diff --git a/src/vuln-5/dc.c b/src/vuln-5/dc.c
index 1a47cd0..de84ea6 100644
--- a/src/vuln-5/dc.c
+++ b/src/vuln-5/dc.c
@@ -429,8 +429,10 @@ int save_levelorder(const node_t *p,
 
 /* returns 0 on successful execution of the instruction in inst */
 static int execute(void){
-  char * toks[4]; /* these are pointers to start of different tokens */
-  const unsigned int numToks = tokenise(inst,toks,4);
+
+	/*---- vuln5 ----*/
+  char * toks[2]; /* these are pointers to start of different tokens */
+  const unsigned int numToks = tokenise(inst,toks,2);
     
   if (numToks == 0){
     /* blank line */
@@ -566,7 +568,9 @@ static int execute(void){
       return -1;
     }
     debug_printf("Removing: %s\n",toks[1]);
-    map = rem(map,toks[1]);
+
+	/*---- vuln5 ----*/
+    map = rem(map,toks[2]);
     
   } else if (strcmp(toks[0],INSTRUCTION_SAVE) == 0){
     if (numToks != 2){
-- 
GitLab