Note: For a few days, I've been trying to detect runtime issues such as buffer
      overflows (wether they are stack based or heap based) or use-after-frees. 
      I tried to do that without changing the execution flow nor using any
      intermediate representationa - Only via  the behavior analysis.
      Detecting buffer overflows or user-after-frees isn't really difficult. 
      The most difficult part was to detect the stack overflows but that was also 
      the most interesting part. Below, there is an example execution of my analyzer 
      so that you can have a better idea of what it catches. I'm going to write a 
      blog post about that very soon. 


---------- Simple code with several tests ----------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFF_MAX 32

void test4_heap_overflow(char *buff1)
{
  /* 5 bytes overwritten outside the area "42 42 42 42 00" */
  strcpy(buff1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB");
}

void test5_stack_overflow(void)
{
  int a, b, i;

  a = 0x90909090;
  b = 0x91919191;

  for (i = 0; i <= sizeof(b); i++)
    *(((unsigned char *)(&b))+i) = 'E';

}

int main(int ac, const char *av[])
{
  char *buff1 = NULL, *buff2 = NULL;
  int i = 0;  

  buff1 = malloc(BUFF_MAX);
  buff2 = malloc(BUFF_MAX);
  if (!buff1 || !buff2)
    return -1;

  /* Test 1 - heap overflow (off-by-one) */
  for (i = 0; i <= BUFF_MAX; i++)
    buff1[i] = 'A';
  
  /* Test 2 - heap overflow (off-by-one) - Via linear buffer buff1->buff2 */
  for (i = 0; i <= BUFF_MAX; i++)
    buff2[i] = 'B';

  /* Test 3 - Use after free */
  free(buff1);
  buff1[16] = 'C';          /* Will match */
  buff1 = malloc(BUFF_MAX);
  buff1[16] = 'C';          /* Will not match */
 
  /* Test 4 - Classical Heap overflow */
  test4_heap_overflow(buff1);

  /* Test 5 - Stack overclow */
  test5_stack_overflow();

  return 0;
}

---------------------------------------------------

Run my Pin tool on the above code.

$ gcc -o test test.c
$ ../../../pin -t ./obj-intel64/OverflowDetection.so -- ./test
400694: mov byte ptr [rax], 0x41 -- Heap overflow in f31030
4006b7: mov byte ptr [rax], 0x42 -- Heap overflow in f31060
4006d8: mov byte ptr [rax], 0x43 -- Use after free in f31020
4005df: mov dword ptr [rax+0x20], 0x42424242 -- Heap overflow in f31030
4005e6: mov byte ptr [rax+0x24], 0x0 -- Heap overflow in f31034
400613: mov byte ptr [rax], 0x45 -- Stack overflow in 7fff531e7688
$