...
This noncompliant code example is similar to an Adobe Flash Player vulnerability that was first exploited in 2008. This code allocates a block of memory, and initializes it with some data. The data does not belong at the beginning of the block, which is left uninitialized. Instead, it is placed offset bytes within the block. The function ensures that the data fits within the allocated block.
...
An attacker who can supply the arguments to this function can exploit it to execute arbitrary code. This can be accomplished by providing an overly large value for block_size, which causes malloc() to fail and return a null pointer. The offset argument will then serve as the destination address to the call to memcpy(). The attacker can specify the data and data_size arguments to provide the address and length of the address, respectively, that the attacker wishes to write into the memory referenced by offset. The overall result is that the call to memcpy() can be exploited by an attacker to overwrite an arbitrary memory location with an attacker-supplied address, typically resulting in arbitrary code execution.
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| LANG.MEM.BO LANG.MEM.TO LANG.STRUCT.PBB BADFUNC.BO.* | Buffer overrun Type overrun Pointer before beginning of object A collection of warning classes that report uses of library functions prone to internal buffer overflows. | ||||||
Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern: for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax | |||||||||
| ARRAY_VS_SINGLETON NEGATIVE_RETURNS OVERRUN_STATIC | Can detect the access of memory past the end of a memory buffer/array Can detect when the loop bound may become negative Can detect the out-of-bound read/write to array allocated statically or dynamically | |||||||
| ABV.ITERATOR SV.TAINTED.LOOP_BOUND | ||||||||
| LDRA tool suite |
| 45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X | Partially implemented | ||||||
| PRQA QA-C |
| 2840, 2841, 2842, 2843, 2844, 2930, 2931, 2932, 2933, 2934, 2950, 2951, 2952, 2953 | Partially implemented | ||||||
| Cppcheck |
| arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead. Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds. |
...
| ISO/IEC TR 24772:2013 | Arithmetic Wrap-around Error [FIF] Unchecked Array Indexing [XYZ] |
| ISO/IEC TS 17961 | Forming or using out-of-bounds pointers or array subscripts [invptr] |
| MITRE CWE | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer |
| MISRA C:2012 | Rule 18.1 (required) |
...