CWE-128 超界折返处理错误

Wrap-around Error

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: Medium


Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.


  • cwe_Nature: ChildOf cwe_CWE_ID: 682 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 682 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 119 cwe_View_ID: 1000

  • cwe_Nature: PeerOf cwe_CWE_ID: 190 cwe_View_ID: 1000


Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Often'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Often'}]


范围 影响 注释
Availability ['DoS: Crash, Exit, or Restart', 'DoS: Resource Consumption (CPU)', 'DoS: Resource Consumption (Memory)', 'DoS: Instability'] This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
Integrity Modify Memory If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
['Confidentiality', 'Availability', 'Access Control'] ['Execute Unauthorized Code or Commands', 'Bypass Protection Mechanism'] This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.



Requirements specification: The choice could be made to use a language that is not susceptible to these issues.

Architecture and Design


Provide clear upper and lower bounds on the scale of any protocols designed.



Place sanity checks on all incremented variables to ensure that they remain within reasonable bounds.


The following image processing code allocates a table for images.

bad C

img_t table_ptr; /struct containing img data, 10kB each/
int num_imgs;
num_imgs = get_num_imgs();
table_ptr = (img_t)malloc(sizeof(img_t)num_imgs);

This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119).



映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Wrap-around error
CERT C Secure Coding MEM07-C Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t
Software Fault Patterns SFP1 Glitch in computation


  • CAPEC-92