Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
CWE-122 Variante Brouillon
Heap-based Buffer Overflow
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers…
Définition
What is CWE-122?
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers created with functions like malloc(), calloc(), or realloc().
This vulnerability happens when your code fails to properly validate the size of data being copied into a dynamically allocated buffer. When you write past the buffer's boundary, you overwrite critical heap management data—like metadata that tracks free and allocated blocks. This corruption can crash the program, lead to unpredictable behavior, or be exploited to execute arbitrary code by an attacker who carefully crafts the overflow data to control program execution.
Preventing heap overflows requires rigorous bounds checking, using safe functions (like strncpy instead of strcpy), and tools to detect memory mismanagement. While SAST tools can catch the dangerous pattern, Plexicus uses AI to analyze the context and suggest the precise code fix—such as inserting the correct size check—saving hours of manual review and helping you remediate these flaws across your entire application stack.
Impact réel
Real-world CVEs caused by CWE-122
-
Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
-
Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
-
Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).
-
Chain: machine-learning product can have a heap-based buffer overflow (CWE-122) when some integer-oriented bounds are calculated by using ceiling() and floor() on floating point values (CWE-1339)
-
Chain: integer overflow (CWE-190) causes a negative signed value, which later bypasses a maximum-only check (CWE-839), leading to heap-based buffer overflow (CWE-122).
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:
- 2
The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.
- 3
This example applies an encoding procedure to an input string and stores it into a buffer.
- 4
The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.
Exemple de code vulnérable
Vulnerable C
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:
#define BUFSIZE 256
int main(int argc, char **argv) {
char *buf;
buf = (char *)malloc(sizeof(char)*BUFSIZE);
strcpy(buf, argv[1]);
} Exemple de code sécurisé
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-122
- Pre-design: Use a language or compiler that performs automatic bounds checking.
- Architecture and Design Use an abstraction library to abstract away risky APIs. Not a complete solution.
- Operation / Build and Compilation Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
- Operation / Build and Compilation Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
- Implementation Implement and perform bounds checking on input.
- Implementation Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
- Operation Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
Signaux de détection
How to detect CWE-122
Plexicus détecte automatiquement CWE-122 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-122 ?
Quelle est la gravité de CWE-122 ?
Quels langages ou plateformes sont affectés par CWE-122 ?
Comment puis-je prévenir CWE-122 ?
Comment Plexicus détecte et corrige CWE-122 ?
Où puis-je en savoir plus sur CWE-122 ?
Frequently asked questions
Qu'est-ce que CWE-122 ?
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers created with functions like malloc(), calloc(), or realloc().
Quelle est la gravité de CWE-122 ?
MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.
Quels langages ou plateformes sont affectés par CWE-122 ?
MITRE lists the following affected platforms: C, C++.
Comment puis-je prévenir CWE-122 ?
Pre-design: Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution.
Comment Plexicus détecte et corrige CWE-122 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-122 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-122 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/122.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-122
CWE-788 Parent
Access of Memory Location After End of Buffer
This vulnerability occurs when software attempts to read from or write to a memory buffer using an index or pointer that points past the…
CWE-121 Frère
Stack-based Buffer Overflow
A stack-based buffer overflow occurs when a program writes more data to a buffer located on the call stack than it can hold, corrupting…
CWE-126 Frère
Buffer Over-read
This vulnerability occurs when a program reads data from a memory buffer using an index or pointer that points beyond the buffer's…
Ressources
Further reading
- MITRE — CWE-122 officiel https://cwe.mitre.org/data/definitions/122.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Address Space Layout Randomization in Windows Vista https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista
- PaX https://en.wikipedia.org/wiki/Executable_space_protection#PaX
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.