CWE-823 – Use of Out-of-range Pointer Offset

Description

The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
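As an added illustration (not code from CWE or from any product named in the CVE list below), the C program here shows the weakness and its fix side by side. It assumes a constructed record format: an 8-byte header holding a little-endian payload offset and payload length, followed by the record body. `payload_unchecked` applies the file-supplied offset to a valid pointer with no range check, which is the CWE-823 pattern; `signed_offset_delta` shows the sign-extension variant that several of the CVE entries describe, where a 32-bit field read as a signed integer moves the pointer to before the buffer; `payload_checked` validates offset and length as unsigned integers against the known record size before forming the pointer. All function and field names are hypothetical.

```c
/* CWE-823 worked example (added illustration, not CWE's own code). The
 * record format is constructed for this page: an 8-byte header carrying a
 * little-endian payload offset and length, followed by the record body. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_LEN 8u

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_u32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Builds a sample record in buf: header {off, len}, then a body in which
 * byte i holds the value i, so a caller can tell exactly which bytes a
 * payload pointer covers. Returns the total record length (all of cap). */
size_t make_record(uint8_t *buf, size_t cap, uint32_t off, uint32_t len) {
    wr_u32le(buf, off);
    wr_u32le(buf + 4, len);
    for (size_t i = HDR_LEN; i < cap; i++) buf[i] = (uint8_t)i;
    return cap;
}

/* Vulnerable form (CWE-823): the offset is read from the record and added to
 * a valid pointer with no check that the result stays in [rec, rec+rec_len).
 * A large offset yields an out-of-bounds read (CWE-125); if the result is
 * later written through, an out-of-bounds write (CWE-787). */
const uint8_t *payload_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HDR_LEN) return NULL;
    return rec + rd_u32le(rec);            /* rec + attacker-chosen offset */
}

/* The same bug with a signed offset: reading the 32-bit field as int32_t
 * turns 0xFFFFFFF0 into -16, so the pointer would move *before* the buffer.
 * This helper only reports the displacement; it never forms the pointer. */
ptrdiff_t signed_offset_delta(const uint8_t *rec) {
    int32_t soff = (int32_t)rd_u32le(rec); /* sign-extended into ptrdiff_t */
    return (ptrdiff_t)soff;
}

/* Hardened form: validate offset and length as unsigned integers against
 * the known record size *before* any pointer arithmetic. The checks are
 * ordered so the subtraction cannot underflow and off+len is never computed. */
int payload_checked(const uint8_t *rec, size_t rec_len,
                    const uint8_t **out, size_t *out_len) {
    if (rec == NULL || rec_len < HDR_LEN) return -1;
    uint32_t off = rd_u32le(rec);
    uint32_t len = rd_u32le(rec + 4);
    if (off < HDR_LEN || off > rec_len)    /* payload must start in the body */
        return -1;
    if (len > rec_len - off)               /* and must end inside the record */
        return -1;
    *out = rec + off;                      /* now provably in range */
    *out_len = len;
    return 0;
}

int main(void) {
    uint8_t rec[32];
    const uint8_t *p; size_t n;

    size_t rl = make_record(rec, sizeof rec, 8, 4);
    if (payload_checked(rec, rl, &p, &n) == 0)
        printf("valid record: payload at offset %td, %zu bytes\n", p - rec, n);

    make_record(rec, sizeof rec, 0xFFFFFFF0u, 4);      /* "negative" offset */
    printf("checked: %s; signed interpretation would displace by %td\n",
           payload_checked(rec, rl, &p, &n) ? "rejected" : "accepted",
           signed_offset_delta(rec));
    return 0;
}
```

Note the ordering in `payload_checked`: `off > rec_len` is tested first so that `rec_len - off` cannot underflow, and the length is compared against that remainder rather than against a computed `off + len`, which could wrap on 32-bit values. The program only ever dereferences the checked pointer, so it can be built with `-fsanitize=address,undefined` while experimenting with other offsets.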

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-119
CWE-125
CWE-787

Consequences

Confidentiality: Read Memory

If the pointer computed from the untrusted offset is dereferenced in a read operation, an attacker may be able to read sensitive memory outside the intended buffer (an out-of-bounds read, CWE-125).

Availability: DoS: Crash, Exit, or Restart

If the computed pointer references memory that is not mapped or not accessible to the program, or points to data that is "malformed" or of a different size than the read or write operation expects, the application may terminate unexpectedly.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory

If the computed pointer is used as a call target, or is written through so that the write lands on unexpected data (an out-of-bounds write, CWE-787), code execution may be possible.

Potential Mitigations

CVE References

  • CVE-2010-2160
    • Invalid offset in undocumented opcode leads to memory corruption.
  • CVE-2010-1281
    • Multimedia player uses untrusted value from a file when using file-pointer calculations.
  • CVE-2009-3129
    • Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
  • CVE-2009-2694
    • Instant messaging library does not validate an offset value specified in a packet.
  • CVE-2009-2687
    • Language interpreter does not properly handle invalid offsets in a JPEG image, leading to out-of-bounds memory access and a crash.
  • CVE-2010-2873
    • "Blind trust" of an offset value while writing heap memory allows corruption of a function pointer, leading to code execution.
  • CVE-2010-2866
    • Negative (signed) value causes pointer miscalculation.
  • CVE-2010-2872
    • Signed values cause incorrect pointer calculation.
  • CVE-2010-2867
    • A return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic.
  • CVE-2009-1097
    • Portions of a GIF image used as offsets, causing corruption of an object pointer.
  • CVE-2008-1807
    • Invalid numeric field leads to a free of arbitrary memory locations, then code execution.
  • CVE-2007-2500
    • Large number of elements leads to a free of an arbitrary address.
  • CVE-2008-1686
    • Array index issue (CWE-129) with negative offset, used to dereference a function pointer.