{
  "version": "1.0.0",
  "cases": [
    {
      "case_id": "c-memcpy-overflow:001",
      "case_version": "1.0.0",
      "notes": "Attacker-controlled length passed to memcpy without bounds.",
      "sinks": [
        {
          "sink_id": "Overflow::process",
          "label": "reachable",
          "confidence": "medium",
          "static_evidence": {
            "call_path": [
              "process_buffer(len)",
              "memcpy(dst, src, len)"
            ]
          },
          "dynamic_evidence": {
            "covered_by_tests": [
              "tests/run-tests.sh"
            ],
            "coverage_files": [
              "outputs/coverage.json"
            ]
          },
          "config_conditions": [],
          "notes": "len parameter flows directly to memcpy; overflow possible when len > sizeof(dst)."
        }
      ]
    }
  ]
}