CWE-823: Use of Out-of-range Pointer Offset

Description

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array. Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error. If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the product. As a result, the attack might change the state of the product as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution.

Potential Impact

Detection Methods

• Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
• Automated Dynamic Analysis Moderate — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].

Real-World CVE Examples

CVE ID	Description
CVE-2010-2160	Invalid offset in undocumented opcode leads to memory corruption.
CVE-2010-1281	Multimedia player uses untrusted value from a file when using file-pointer calculations.
CVE-2009-3129	Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
CVE-2009-2694	Instant messaging library does not validate an offset value specified in a packet.
CVE-2009-2687	Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
CVE-2009-0690	negative offset leads to out-of-bounds read
CVE-2008-4114	untrusted offset in kernel
CVE-2010-2873	"blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution
CVE-2010-2866	negative value (signed) causes pointer miscalculation
CVE-2010-2872	signed values cause incorrect pointer calculation
CVE-2007-5657	values used as pointer offsets
CVE-2010-2867	a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic
CVE-2009-1097	portions of a GIF image used as offsets, causing corruption of an object pointer.
CVE-2008-1807	invalid numeric field leads to a free of arbitrary memory locations, then code execution.
CVE-2007-2500	large number of elements leads to a free of an arbitrary address

Showing 15 of 17 observed examples.

Related Weaknesses

Frequently Asked Questions

What is CWE-823?

CWE-823 (Use of Out-of-range Pointer Offset) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

How can CWE-823 be exploited?

Attackers can exploit CWE-823 (Use of Out-of-range Pointer Offset) to read memory. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-823?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-823?

CWE-823 is classified as a Base-level weakness (Medium abstraction). It has been observed in 17 real-world CVEs.