logo

Use of Out-of-range Pointer Offset

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a program calculates a new memory address using a valid pointer and an offset, but the resulting address points outside the intended, safe memory region, such as beyond the bounds of an array or structure.

Extended Description

Pointers are designed to reference memory, but software logic typically expects them to operate within specific boundaries, like an array's allocated space. When an offset—often from user input, a miscalculation, or corrupted data—pushes the pointer beyond these boundaries, it can read or write to arbitrary, unintended memory locations. An attacker who controls this offset can exploit this to leak sensitive data, corrupt critical program variables, crash the application, or potentially execute malicious code. The core issue is a failure to properly validate that the pointer arithmetic result remains within the legitimate range of the target data structure before it is used.
Common Consequences 3
Scope: Confidentiality

Impact: Read Memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Scope: Availability

Impact: DoS: Crash, Exit, or Restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.

Scope: IntegrityConfidentialityAvailability

Impact: Execute Unauthorized Code or CommandsModify Memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Observed Examples 17
CVE-2010-2160Invalid offset in undocumented opcode leads to memory corruption.
CVE-2010-1281Multimedia player uses untrusted value from a file when using file-pointer calculations.
CVE-2009-3129Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
CVE-2009-2694Instant messaging library does not validate an offset value specified in a packet.
CVE-2009-2687Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
CVE-2009-0690negative offset leads to out-of-bounds read
CVE-2008-4114untrusted offset in kernel
CVE-2010-2873"blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution
CVE-2010-2866negative value (signed) causes pointer miscalculation
CVE-2010-2872signed values cause incorrect pointer calculation
CVE-2007-5657values used as pointer offsets
CVE-2010-2867a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic
CVE-2009-1097portions of a GIF image used as offsets, causing corruption of an object pointer.
CVE-2008-1807invalid numeric field leads to a free of arbitrary memory locations, then code execution.
CVE-2007-2500large number of elements leads to a free of an arbitrary address
CVE-2008-1686array index issue (Improper Validation of Array Index) with negative offset, used to dereference a function pointer
CVE-2010-2878"buffer seek" value - basically an offset?
References 1
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Related Attack Patterns
Alternate Terms

Untrusted pointer offset

This term is narrower than the concept of "out-of-range" offset, since the offset might be the result of a calculation or other error that does not depend on any externally-supplied values.
Functional Areas
  1. Memory Management
Affected Resources
  1. Memory
Related Weaknesses
ChildOf: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
ChildOf: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
ChildOf: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
CanPrecede: Out-of-bounds Read (CWE-125)
CanPrecede: Out-of-bounds Write (CWE-787)
Notes
MaintenanceThere are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.
TerminologyMany weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants.