1. Home
  2. CWE Database
  3. CWE-131
Base · Medium

CWE-131: Incorrect Calculation of Buffer Size

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

CWE-131 · Base Level ·17 CVEs ·16 Mitigations

Description

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Potential Impact

Integrity, Availability, Confidentiality

DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Memory, Modify Memory

Demonstrative Examples

The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.
Bad
int i;unsigned int numWidgets;Widget **WidgetList;
                     numWidgets = GetUntrustedSizeValue();if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {ExitError("Incorrect number of widgets requested!");}WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));printf("WidgetList ptr=%p\n", WidgetList);for(i=0; i<numWidgets; i++) {WidgetList[i] = InitializeWidget();}WidgetList[numWidgets] = NULL;showWidgets(WidgetList);
However, this code contains an off-by-one calculation error (CWE-193). It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an out-of-bounds write (CWE-787) when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption.
The following image processing code allocates a table for images.
Bad
img_t table_ptr; /*struct containing img data, 10kB each*/int num_imgs;...num_imgs = get_num_imgs();table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs);...
This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119).
This example applies an encoding procedure to an input string and stores it into a buffer.
Bad
char * copy_input(char *user_supplied_string){
                        int i, dst_index;char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);if ( MAX_SIZE <= strlen(user_supplied_string) ){die("user string too long, die evil hacker!");}dst_index = 0;for ( i = 0; i < strlen(user_supplied_string); i++ ){
                              if( '&' == user_supplied_string[i] ){dst_buf[dst_index++] = '&';dst_buf[dst_index++] = 'a';dst_buf[dst_index++] = 'm';dst_buf[dst_index++] = 'p';dst_buf[dst_index++] = ';';}else if ('<' == user_supplied_string[i] ){
                                    
                                       
                                       /* encode to &lt; */
                                       
                                    
                                 }else dst_buf[dst_index++] = user_supplied_string[i];
                           }return dst_buf;
                     }
The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.
The following code is intended to read an incoming packet from a socket and extract one or more headers.
Bad
DataPacket *packet;int numHeaders;PacketHeader *headers;
                     sock=AcceptSocketConnection();ReadPacket(packet, sock);numHeaders =packet->headers;
                     if (numHeaders > 100) {ExitError("too many headers!");}headers = malloc(numHeaders * sizeof(PacketHeader);ParsePacketHeaders(packet, headers);
The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow.

Mitigations & Prevention

Implementation

When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&amp;" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.

Implementation

Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7] Also be careful to account for 32-bit, 64-bit, and other potential differences

Implementation

Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.

Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Implementation

When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).

Implementation

When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.

Implementation Moderate

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

Implementation

Use sizeof() on the appropriate data type to avoid CWE-467.

Implementation

Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting.

Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Use libraries or frameworks that make it easier to handle numbers without unexpected consequences, or buffer allocation routines that automatically track buffer size. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]

Detection Methods

  • Automated Static Analysis High — This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when
  • Automated Dynamic Analysis Moderate — This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash
  • Automated Dynamic Analysis Moderate — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
  • Manual Analysis — Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.
  • Manual Analysis High — This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for eval
  • Automated Static Analysis - Binary or Bytecode High — According to SOAR [REF-1479], the following detection techniques may be useful:

Real-World CVE Examples

CVE IDDescription
CVE-2025-46687Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expected (CWE-131) resulting in a heap-based bu
CVE-2025-27363Font rendering library does not properly handle assigning a signed short value to an unsigned long (CWE-195), leading to an integer wraparound (CWE-190), c
CVE-2020-17087Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild per CISA KEV.
CVE-2004-1363substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed
CVE-2004-0747substitution overflow: buffer overflow using expansion of environment variables
CVE-2005-2103substitution overflow: buffer overflow using a large number of substitution strings
CVE-2005-3120transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length
CVE-2003-0899transformation overflow: buffer overflow when expanding ">" to "&gt;", etc.
CVE-2001-0334expansion overflow: buffer overflow using wildcards
CVE-2001-0248expansion overflow: long pathname + glob = overflow
CVE-2001-0249expansion overflow: long pathname + glob = overflow
CVE-2002-0184special characters in argument are not properly expanded
CVE-2004-0434small length value leads to heap overflow
CVE-2002-1347multiple variants
CVE-2005-0490needs closer investigation, but probably expansion-based

Showing 15 of 17 observed examples.

CWE-682: Incorrect Calculation

The product performs a calculation that generates incorrect or unintended results that are later used in security-critic...

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer'...

Taxonomy Mappings

  • PLOVER: — Other length calculation error
  • CERT C Secure Coding: INT30-C — Ensure that unsigned integer operations do not wrap
  • CERT C Secure Coding: MEM35-C — Allocate sufficient memory for an object

Frequently Asked Questions

What is CWE-131?

CWE-131 (Incorrect Calculation of Buffer Size) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

How can CWE-131 be exploited?

Attackers can exploit CWE-131 (Incorrect Calculation of Buffer Size) to dos: crash, exit, or restart, execute unauthorized code or commands, read memory, modify memory. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-131?

Key mitigations include: When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&"

What is the severity of CWE-131?

CWE-131 is classified as a Base-level weakness (Medium abstraction). It has been observed in 17 real-world CVEs.