up

bench/reachability-benchmark/benchmark/truth/c-memcpy-overflow.json

@@ -0,0 +1,33 @@
+{
+  "version": "1.0.0",
+  "cases": [
+    {
+      "case_id": "c-memcpy-overflow:001",
+      "case_version": "1.0.0",
+      "notes": "Attacker-controlled length passed to memcpy without bounds.",
+      "sinks": [
+        {
+          "sink_id": "Overflow::process",
+          "label": "reachable",
+          "confidence": "medium",
+          "static_evidence": {
+            "call_path": [
+              "process_buffer(len)",
+              "memcpy(dst, src, len)"
+            ]
+          },
+          "dynamic_evidence": {
+            "covered_by_tests": [
+              "tests/run-tests.sh"
+            ],
+            "coverage_files": [
+              "outputs/coverage.json"
+            ]
+          },
+          "config_conditions": [],
+          "notes": "len parameter flows directly to memcpy; overflow possible when len > sizeof(dst)."
+        }
+      ]
+    }
+  ]
+}