When performing pointer arithmetic, the value added to a pointer is automatically scaled by the size of the pointed-to type. For instance, when adding a value to the byte address of a 4-byte integer, the value is multiplied by 4 before it is added to the pointer. Failing to understand how pointer arithmetic works can lead to miscalculations that result in serious errors, such as buffer overflows.
...
An arguably better solution is to use the address of the nonexistent element following the end of the array as follows:
...
The following example is based on a flaw in the OpenBSD operating system. An integer, skip, is added as an offset to a pointer to struct big. The adjusted pointer is then used as the destination address in a call to memset(). However, when skip is added to the struct big pointer, it is automatically scaled by the size of struct big, which is 32 bytes (assuming 4-byte integers, 8-byte long long integers, and no structure padding), rather than by 1 as the author intended. As a result, the call to memset() writes to unintended memory.
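The following program, added here as an illustration and not part of the original page or of OpenBSD, makes the scaling described above measurable. It declares a struct big with the layout the text assumes (three 8-byte members followed by two 4-byte members), computes how many bytes the flawed expression s + skip moves the pointer compared with the unscaled (char *)s + skip, and shows the corrected memset() that clears everything after the first member. The arena array, its size NBIG, and the function names are assumptions introduced for this example; the pointers formed stay within the array so the measurement itself is well defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the OpenBSD-derived example: three 8-byte members followed by
 * two 4-byte members, 32 bytes on common ABIs with no structure padding. */
struct big {
    unsigned long long ull_1;
    unsigned long long ull_2;
    unsigned long long ull_3;
    int si_4;
    int si_5;
};

/* Constructed arena: large enough that s + skip stays inside the array, so
 * forming the pointer below is well defined and we can measure it safely. */
#define NBIG 64
static struct big arena[NBIG];

/* Byte distance moved by the flawed expression `s + skip`.  The compiler
 * scales skip by sizeof(struct big), i.e. it treats skip as an element index. */
size_t scaled_offset(size_t skip)
{
    const struct big *s = arena;
    const struct big *p = s + skip;
    return (size_t)((const char *)p - (const char *)s);
}

/* Byte distance moved by the corrected expression `(char *)s + skip`.
 * Arithmetic on a char pointer is scaled by sizeof(char) == 1. */
size_t byte_offset(size_t skip)
{
    const char *s = (const char *)arena;
    const char *p = s + skip;
    return (size_t)(p - s);
}

/* Corrected memset(): clear every byte after ull_1 and nothing else.
 * Returns 1 if ull_1 survived and all later members are zero. */
int fixed_memset_preserves_first_member(void)
{
    struct big s;
    size_t skip = offsetof(struct big, ull_2);

    memset(&s, 0xff, sizeof s);                 /* mark every byte */
    memset((char *)&s + skip, 0, sizeof s - skip); /* byte-granular offset */

    return s.ull_1 == ~0ULL && s.ull_2 == 0 && s.ull_3 == 0 &&
           s.si_4 == 0 && s.si_5 == 0;
}

int main(void)
{
    size_t skip = offsetof(struct big, ull_2);

    printf("sizeof(struct big) = %zu bytes, skip = %zu\n",
           sizeof(struct big), skip);
    printf("s + skip          moves %zu bytes\n", scaled_offset(skip));
    printf("(char *)s + skip  moves %zu bytes\n", byte_offset(skip));
    printf("corrected memset preserves ull_1: %d\n",
           fixed_memset_preserves_first_member());
    return 0;
}
```

With the assumed layout, skip is 8, so s + skip advances the pointer by 8 * sizeof(struct big) bytes and points at the ninth structure in memory, whereas (char *)s + skip advances by exactly 8 bytes to ull_2. A memset() of sizeof(struct big) - skip bytes at the scaled address therefore lands entirely outside the intended object, which is the overwrite the text describes.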
...
[Dowd 06] Chapter 6, "C Language Issues" (Vulnerabilities)
[ISO/IEC PDTR 24772] "HFC Pointer casting and pointer type changes" and "RVG Pointer Arithmetic"
[MISRA 04] Rules 17.1-17.4
[Murenin 07]
...