Buffer overflow through pointer

A memory write through a pointer creates a buffer overflow.

This is another variant of the buffer overflow error; in this case, the buffer was accessed through a pointer. The pointer is pointing somewhere into an array, but applying the given index takes the pointer outside the bounds of the array. For example, a pointer that is pointing to the third element of an array of four elements can only be indexed only by values between -2 and +1.

When this error occurs on dynamically allocated storage, it is usually possible to provide an additional observation that indicates where the storage was allocated.

Sometimes the value of the index, offset, and size expressions cannot be established exactly. In this case, the buffer overflow is described as "possible." For example, a message may indicate that analysis has concluded that the offset could be as large as 10 and the index could be as large as 20, and the size could be as small as 25. If all these conditions happened at the same time, then a buffer overflow would occur. However, even if any one or all of these conditions cannot really happen, it may still be possible for a buffer overflow error to occur (for example, if the offset were only 9 and the index were only 19 and the size as big as 26).

Care must be taken to ensure that a buffer overflow cannot occur even if the particular conditions identified by analysis turn out to be impossible.

ID

Observation

Description

1

Buffer overflow

The location of the bounds error

Examples


#include <stdio.h>

int main(int argc, char **argv)
{
    int a[4] = {1,2,3,4};
    int * ptr;

    ptr = &a[2];
    printf("%d\n", ptr[2]); // bad - indexes off end of array using pointer
    return 0;
}
        

Copyright © 2010, Intel Corporation. All rights reserved.