Description
The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
Modes of Introduction:
Likelihood of Exploit:
Related Weaknesses
CWE-119
CWE-125
CWE-787
Consequences
Confidentiality: Read Memory
If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
Availability: DoS: Crash, Exit, or Restart
If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory
If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
Potential Mitigations
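The description and consequences above are illustrated by the following added C example (not part of the CWE entry itself). It assumes a constructed record format, a 4-byte little-endian offset followed by a payload, and shows the unchecked pointer arithmetic next to a form that validates the offset against the remaining length before forming the pointer.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed record format for this example (not a real file format): a
 * 4-byte little-endian offset, then a payload; the offset selects one byte. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable form (CWE-823): the untrusted offset is added to a valid base
 * pointer with no range check, so the result can point anywhere. With
 * 0xffffffff it lands about 4 GiB past the buffer; if the field were read as
 * a signed int, -1 would point before the payload (the signed-offset cases
 * in the CVE list below). Only called on well-formed input here. */
static const uint8_t *field_ptr_unchecked(const uint8_t *buf, size_t len)
{
    if (len < 4) return NULL;
    return buf + 4 + le32(buf);        /* offset never compared to len */
}

/* Hardened form: check the offset against the remaining payload length
 * before forming the pointer. Comparing sizes rather than pointers means a
 * huge offset cannot wrap the test, and an unsigned field turns a "negative"
 * offset into a huge one that fails the same check. */
static int read_field_checked(const uint8_t *buf, size_t len, uint8_t *out)
{
    if (len < 4) return -1;            /* header missing */
    uint32_t off = le32(buf);
    size_t payload_len = len - 4;
    if (off >= payload_len) return -1; /* also rejects off == payload_len */
    *out = buf[4 + (size_t)off];
    return 0;
}

/* Returns the selected byte (0..255), or -1 when the record is rejected. */
static int checked_value(const uint8_t *buf, size_t len)
{
    uint8_t v;
    return read_field_checked(buf, len, &v) == 0 ? (int)v : -1;
}

/* Constructed sample records. */
static const uint8_t SAMPLE_GOOD[]  = { 2, 0, 0, 0, 'a', 'b', 'c', 'd' };   /* off 2 -> 'c' */
static const uint8_t SAMPLE_HUGE[]  = { 0xff, 0xff, 0xff, 0xff, 'a', 'b' }; /* off 0xffffffff */
static const uint8_t SAMPLE_EDGE[]  = { 2, 0, 0, 0, 'a', 'b' };             /* off == payload_len */
static const uint8_t SAMPLE_SHORT[] = { 1, 0 };                             /* truncated header */
```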
CVE References
- CVE-2010-2160: Invalid offset in undocumented opcode leads to memory corruption.
- CVE-2010-1281: Multimedia player uses untrusted value from a file when using file-pointer calculations.
- CVE-2009-3129: Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
- CVE-2009-2694: Instant messaging library does not validate an offset value specified in a packet.
- CVE-2009-2687: Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
- CVE-2009-0690: Negative offset leads to out-of-bounds read.
- CVE-2008-4114: Untrusted offset in kernel.
- CVE-2010-2873: “Blind trust” of an offset value while writing heap memory allows corruption of function pointer, leading to code execution.
- CVE-2010-2866: Negative value (signed) causes pointer miscalculation.
- CVE-2010-2872: Signed values cause incorrect pointer calculation.
- CVE-2007-5657: Values used as pointer offsets.
- CVE-2010-2867: A return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic.
- CVE-2009-1097: Portions of a GIF image used as offsets, causing corruption of an object pointer.
- CVE-2008-1807: Invalid numeric field leads to a free of arbitrary memory locations, then code execution.
- CVE-2007-2500: Large number of elements leads to a free of an arbitrary address.
- CVE-2008-1686: Array index issue (CWE-129) with negative offset, used to dereference a function pointer.
- CVE-2010-2878: “Buffer seek” value – basically an offset?