CWE-823: Use of Out-of-range Pointer Offset
The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
Extended Description
While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array. Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error. If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the product. As a result, the attack might change the state of the product as accessed through program variables, cause a crash or unstable behavior, and possibly lead to code execution.
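The pattern in the description, shown as an added C example that is not part of the CWE entry: a record parser takes an offset field from untrusted input and adds it to a base pointer. The record layout, the function names and the sample records are assumptions constructed for this example; the hardened variant validates the offset and length as integers against the record length before any pointer is formed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record layout (an assumption for this example, not a format from
 * the CWE entry): bytes 0-1 = little-endian offset of the payload inside the
 * record, bytes 2-3 = little-endian payload length, then the record body. */
#define HDR_LEN 4

static size_t rd16(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* Weak form (CWE-823): the offset comes straight from the untrusted record and is
 * added to the base pointer without being compared against the record length,
 * so the result can point anywhere within 64 KiB beyond the buffer. */
const uint8_t *payload_unchecked(const uint8_t *rec) {
    return rec + rd16(rec);
}

/* Range check done on integers, before any pointer is formed: forming an
 * out-of-range pointer is already undefined behaviour in C, so the check must
 * not be "compute the pointer, then see whether it looks too large". */
int offset_in_range(size_t reclen, size_t off, size_t len) {
    return off >= HDR_LEN && off <= reclen && len <= reclen - off;
}

/* Hardened form: returns NULL instead of a pointer for any out-of-range field. */
const uint8_t *payload_checked(const uint8_t *rec, size_t reclen, size_t *outlen) {
    if (reclen < HDR_LEN) return NULL;
    size_t off = rd16(rec), len = rd16(rec + 2);
    if (!offset_in_range(reclen, off, len)) return NULL;
    *outlen = len;
    return rec + off;
}

int main(void) {
    /* Constructed records: a well-formed one, and one whose offset field is
     * 0x4000 although the record is only 12 bytes long. */
    uint8_t good[12] = {6, 0, 4, 0, 'x', 'x', 'D', 'A', 'T', 'A', 0, 0};
    uint8_t bad[12]  = {0x00, 0x40, 4, 0, 'x', 'x', 'D', 'A', 'T', 'A', 0, 0};
    size_t n = 0;
    const uint8_t *p = payload_checked(good, sizeof good, &n);
    printf("good: payload at offset %zu, length %zu\n", (size_t)(p - good), n);
    printf("bad: %s\n", payload_checked(bad, sizeof bad, &n) ? "accepted" : "rejected");
    return 0;
}
```

If the offset field were read as a signed 16-bit value instead, sign extension would turn values above 0x7FFF into negative offsets that move the pointer before the buffer, so the same integer check must also reject negative values.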
Technical Details
Structure: Simple
Applicable To
Security Consequences
Scope: Confidentiality
Impact: Read Memory. If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
Scope: Availability
Impact: DoS: Crash, Exit, or Restart. If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.
Scope: Integrity, Confidentiality, Availability
Impact: Execute Unauthorized Code or Commands; Modify Memory. If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Observed CVE Examples (17)
- Multimedia player uses an untrusted value from a file when performing file-pointer calculations.
- Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
- Instant messaging library does not validate an offset value specified in a packet.
- Language interpreter does not properly handle invalid offsets in a JPEG image, leading to out-of-bounds memory access and a crash.
- "Blind trust" of an offset value while writing heap memory allows corruption of a function pointer, leading to code execution.
- A return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic.
- Portions of a GIF image are used as offsets, causing corruption of an object pointer.
- Invalid numeric field leads to a free of arbitrary memory locations, then code execution.
- Array index issue (CWE-129) with a negative offset, used to dereference a function pointer.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-823: Use of Out-of-range Pointer Offset?
CWE-823: Use of Out-of-range Pointer Offset is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error; if an attacker can control or influence it, the resulting read or write can change program state, cause a crash or unstable behavior, and possibly lead to code execution.
What are the security consequences of Use of Out-of-range Pointer Offset?
If exploited, CWE-823 (Use of Out-of-range Pointer Offset) can compromise Confidentiality, Availability and Integrity, leading to outcomes such as Read Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands; and Modify Memory.
What are real-world examples of Use of Out-of-range Pointer Offset?
MITRE documents real CVEs mapped to CWE-823, including CVE-2010-2160, CVE-2010-1281, CVE-2009-3129, CVE-2009-2694 and CVE-2009-2687. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-823 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.