CWE-823

BaseIncomplete

Use of Out-of-range Pointer Offset

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

83 linked vulnerabilities

5 related weaknesses

Extended Description

While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array.

Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error.

If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the product. As a result, the attack might change the state of the product as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution.

ConfidentialityRead Memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

AvailabilityDoS: Crash, Exit, or Restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.

IntegrityConfidentialityAvailabilityExecute Unauthorized Code or CommandsModify Memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

Automated Static AnalysisEffectiveness: High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Automated Dynamic AnalysisEffectiveness: Moderate

Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].

Modes of Introduction

Implementation

Related Weaknesses

CWE-119ChildOf CWE-119ChildOf CWE-119ChildOf CWE-125CanPrecede CWE-787CanPrecede

Example CVEs (17)

CVE-2010-2160

Invalid offset in undocumented opcode leads to memory corruption.

CVE-2010-1281

Multimedia player uses untrusted value from a file when using file-pointer calculations.

CVE-2009-3129

Spreadsheet program processes a record with an invalid size field, which is later used as an offset.

CVE-2009-2694

Instant messaging library does not validate an offset value specified in a packet.

CVE-2009-2687

Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.

External Links

MITRE CWE Database