The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
N/A
Threat Mapped score: 1.5
Industry: Finiancial
Threat priority: P4 - Informational (Low)
CVE: CVE-2021-43537
Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
CVE: CVE-2017-1000121
chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).
N/A
| Phase | Note |
|---|---|
| None listed. | |
Intro: The following image processing code allocates a table for images.
Body: This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119).
img_t table_ptr; /*struct containing img data, 10kB each*/ int num_imgs; ... num_imgs = get_num_imgs(); table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs); ...