CWE-823: Use of Out-of-range Pointer Offset
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
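The defence this entry implies is to validate the offset as an integer, before any pointer arithmetic, against the bounds of the buffer the pointer belongs to. The following added example (not code from the CWE entry) does that for a constructed record format in which an untrusted 4-byte signed offset says where a field lives inside the same record; the record layout, the function names and the sample records are all assumptions for this illustration, and the signed offset is kept deliberately so the negative and sign-extended cases in the observed examples below are covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record format for this example: a 4-byte little-endian signed
 * offset, then payload. The offset is untrusted input and says where a
 * 4-byte field lives inside the same record. */
/* Return buf+off if `need` bytes at that offset lie inside [buf, buf+len),
 * else NULL. All checks are on integers before any pointer arithmetic, so a
 * negative, sign-extended or huge offset can never form an out-of-range
 * pointer (CWE-823) or trip an unsigned wraparound. */
static const uint8_t *checked_ptr(const uint8_t *buf, size_t len,
                                  int64_t off, size_t need)
{
    if (buf == NULL || need > len)      /* field cannot fit in buffer at all */
        return NULL;
    if (off < 0)                        /* negative offset: reject, never wrap */
        return NULL;
    if ((uint64_t)off > len - need)     /* len - need cannot underflow here */
        return NULL;
    return buf + (size_t)off;           /* arithmetic only after validation */
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the field the record's offset points at. Returns the field value
 * (0..0xFFFFFFFF) or -1 if the offset is out of range. */
int64_t try_field(const uint8_t *rec, size_t len)
{
    if (len < 4) return -1;
    int64_t off = (int32_t)le32(rec);   /* deliberately signed: a negative value must be rejected */
    const uint8_t *p = checked_ptr(rec, len, off, 4);
    return p ? (int64_t)le32(p) : -1;
}

/* Constructed sample records: valid offset 4, negative offset -4, offset 5 (field would run past the end). */
const uint8_t REC_OK[8]  = {4, 0, 0, 0, 0x11, 0x22, 0x33, 0x44};
const uint8_t REC_NEG[8] = {0xFC, 0xFF, 0xFF, 0xFF, 0x11, 0x22, 0x33, 0x44};
const uint8_t REC_FAR[8] = {5, 0, 0, 0, 0x11, 0x22, 0x33, 0x44};
int main(void)
{
    printf("ok=%lld neg=%lld far=%lld\n", (long long)try_field(REC_OK, 8),
           (long long)try_field(REC_NEG, 8), (long long)try_field(REC_FAR, 8));
    return 0;
}
```

The same check applies when the offset is sign-extended from a narrower type or comes from a function return value: convert to a wide signed integer first, then compare against the buffer length, and only then form the pointer.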
Common Consequences
Scope: Confidentiality
Technical Impact: Read Memory
Note: If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
Scope: Availability
Technical Impact: DoS: Crash, Exit, or Restart
Note: If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.
Scope: Integrity, Confidentiality, Availability
Technical Impact: Execute Unauthorized Code or Commands; Modify Memory
Note: If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
Observed Examples
Reference: CVE-2010-2160
Invalid offset in undocumented opcode leads to memory corruption.
Reference: CVE-2010-1281
Multimedia player uses untrusted value from a file when using file-pointer calculations.
Reference: CVE-2009-3129
Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
Reference: CVE-2009-2694
Instant messaging library does not validate an offset value specified in a packet.
Reference: CVE-2009-2687
Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
Reference: CVE-2009-0690
Negative offset leads to out-of-bounds read.
Reference: CVE-2008-4114
Untrusted offset in kernel.
Reference: CVE-2010-2873
"Blind trust" of an offset value while writing heap memory allows corruption of a function pointer, leading to code execution.
Reference: CVE-2010-2866
Negative value (signed) causes pointer miscalculation.
Reference: CVE-2010-2872
Signed values cause incorrect pointer calculation.
Reference: CVE-2007-5657
Values used as pointer offsets.
Reference: CVE-2010-2867
A return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic.
Reference: CVE-2009-1097
Portions of a GIF image used as offsets, causing corruption of an object pointer.
Reference: CVE-2008-1807
Invalid numeric field leads to a free of arbitrary memory locations, then code execution.
Reference: CVE-2007-2500
Large number of elements leads to a free of an arbitrary address.
Reference: CVE-2008-1686
Array index issue (CWE-129) with negative offset, used to dereference a function pointer.
Reference: CVE-2010-2878
"Buffer seek" value (basically an offset?).