Description
The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
Modes of Introduction:
Likelihood of Exploit:
Related Weaknesses
CWE-119
CWE-125
CWE-787
Consequences
Confidentiality: Read Memory
If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
Availability: DoS: Crash, Exit, or Restart
If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory
If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
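Added example, not part of the CWE entry: a small C parser for a constructed, hypothetical record format in which a file-supplied offset is added to a valid pointer. It places the unchecked CWE-823 pattern next to a hardened version that range-checks the offset before any pointer arithmetic, treats a "negative" (signed) offset as out of range, and rejects an offset plus length that would run past the record. The record layout, `rd_le32`, `field_ptr_unchecked` and `read_field_checked` are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical): bytes 0-3 little-endian
 * field offset from the file, byte 4 field length, bytes 5.. payload. */
#define HDR_LEN 5
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* CWE-823 pattern: valid pointer plus untrusted offset, no range check.
 * A signed offset can even move the pointer before rec. Not called below. */
const uint8_t *field_ptr_unchecked(const uint8_t *rec)
{
    int32_t off = (int32_t)rd_le32(rec);
    return rec + HDR_LEN + off;
}

/* Hardened: validate offset and length against the record bounds before
 * any pointer arithmetic. Returns bytes copied, or -1 if out of range. */
static int read_field_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_len)
{
    if (rec_len < HDR_LEN)
        return -1;
    uint32_t off = rd_le32(rec);           /* stays unsigned on purpose */
    size_t len = rec[4];
    size_t payload_len = rec_len - HDR_LEN;
    /* A "negative" offset is a huge unsigned value and fails the first
     * test; checking off before len keeps off + len from wrapping. */
    if (off > payload_len || len > payload_len - off || len > out_len)
        return -1;
    memcpy(out, rec + HDR_LEN + off, len); /* pointer is provably in range */
    return (int)len;
}

int main(void)
{   /* constructed records: valid, offset past payload, "negative" offset */
    const uint8_t good[] = {2, 0, 0, 0, 3, 'A', 'B', 'C', 'D', 'E', 'F'};
    const uint8_t past[] = {7, 0, 0, 0, 3, 'A', 'B', 'C', 'D', 'E', 'F'};
    const uint8_t neg[]  = {0xFF, 0xFF, 0xFF, 0xFF, 3, 'A', 'B', 'C'};
    uint8_t out[8] = {0};
    printf("good: %d (%.3s)\n", read_field_checked(good, sizeof good, out, sizeof out), out);
    printf("past: %d neg: %d\n", read_field_checked(past, sizeof past, out, sizeof out),
           read_field_checked(neg, sizeof neg, out, sizeof out));
    return 0;
}
```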
Potential Mitigations
CVE References
- CVE-2010-2160: Invalid offset in undocumented opcode leads to memory corruption.
- CVE-2010-1281: Multimedia player uses untrusted value from a file when using file-pointer calculations.
- CVE-2009-3129: Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
- CVE-2009-2694: Instant messaging library does not validate an offset value specified in a packet.
- CVE-2009-2687: Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
- CVE-2009-0690: Negative offset leads to out-of-bounds read.
- CVE-2008-4114: Untrusted offset in kernel.
- CVE-2010-2873: “Blind trust” of an offset value while writing heap memory allows corruption of function pointer, leading to code execution.
- CVE-2010-2866: Negative value (signed) causes pointer miscalculation.
- CVE-2010-2872: Signed values cause incorrect pointer calculation.
- CVE-2007-5657: Values used as pointer offsets.
- CVE-2010-2867: A return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic.
- CVE-2009-1097: Portions of a GIF image used as offsets, causing corruption of an object pointer.
- CVE-2008-1807: Invalid numeric field leads to a free of arbitrary memory locations, then code execution.
- CVE-2007-2500: Large number of elements leads to a free of an arbitrary address.
- CVE-2008-1686: Array index issue (CWE-129) with negative offset, used to dereference a function pointer.
- CVE-2010-2878: “Buffer seek” value (essentially an offset).