CWE -- Out-of-bounds Write 例子

原文地址：

https://cwe.mitre.org/data/definitions/787.html

1. 什么是 out-of-bound write  

Description Summary

The software writes data past the end, or before the beginning, of the intended buffer.

Extended Description

This typically occurs when the pointer or its index is incremented or decremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in corruption of sensitive information, a crash, or code execution among other things.

Example 1

The following code attempts to save four different identification numbers into an array.

(Bad Code)

Example Language: C 

int id_sequence[3];

/* Populate the id array. */

id_sequence[0] = 123;

id_sequence[1] = 234;

id_sequence[2] = 345;

id_sequence[3] = 456;

Example 2

In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed:

(Bad Code)

Example Language: C 

int returnChunkSize(void *) {

/* if chunk info is valid, return the size of usable memory,

* else, return -1 to indicate an error

*/

...

}

int main() {

...

memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));

...

}

If returnChunkSize() happens to encounter an error it will return -1. Notice that the return value is not checked before the memcpy operation (CWE-252), so -1 can be passed as the size argument to memcpy() (CWE-805). Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788).

重点： returnChunkSize() 需要被check