Description

The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-125
CWE-787

Consequences

Confidentiality: Read Memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Availability: DoS: Crash, Exit, or Restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is “malformed” or larger than expected by a read or write operation, the application may terminate unexpectedly.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

Potential Mitigations

CVE References

• CVE-2010-2160
  • Invalid offset in undocumented opcode leads to memory corruption.

• CVE-2010-1281
  • Multimedia player uses untrusted value from a file when using file-pointer calculations.

• CVE-2009-3129
  • Spreadsheet program processes a record with an invalid size field, which is later used as an offset.

• CVE-2009-2694
  • Instant messaging library does not validate an offset value specified in a packet.

• CVE-2009-2687
  • Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.

• CVE-2009-0690
  • negative offset leads to out-of-bounds read

• CVE-2008-4114
  • untrusted offset in kernel

• CVE-2010-2873
  • “blind trust” of an offset value while writing heap memory allows corruption of function pointer,leading to code execution

• CVE-2010-2866
  • negative value (signed) causes pointer miscalculation

• CVE-2010-2872
  • signed values cause incorrect pointer calculation

• CVE-2007-5657
  • values used as pointer offsets

• CVE-2010-2867
  • a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic

• CVE-2009-1097
  • portions of a GIF image used as offsets, causing corruption of an object pointer.

• CVE-2008-1807
  • invalid numeric field leads to a free of arbitrary memory locations, then code execution.

• CVE-2007-2500
  • large number of elements leads to a free of an arbitrary address

• CVE-2008-1686
  • array index issue (CWE-129) with negative offset, used to dereference a function pointer

• CVE-2010-2878
  • “buffer seek” value – basically an offset?