[Forgot Password]
Login  Register Subscribe












Paid content will be excluded from the download.

Download | Alert*
view XML

Use of Out-of-range Pointer Offset

ID: 823Date: (C)2012-05-14   (M)2012-11-08
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base


The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

Extended Description

While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array.

Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error.

If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the program. As a result, the attack might change the state of the software as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution.

Applicable Platforms

Common Consequences

ScopeTechnical ImpactNotes
Read memory
If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
DoS: crash / exit / restart
If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.
Execute unauthorized code or commands
Modify memory
If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

Detection Methods

Potential Mitigations


Related CWETypeViewChain
CWE-823 CanPrecede CWE-787 Weakness CWE-1000  

Demonstrative Examples

Observed Examples

  1. CVE-2010-2160 : Invalid offset in undocumented opcode leads to memory corruption.
  2. CVE-2010-1281 : Multimedia player uses untrusted value from a file when using file-pointer calculations.
  3. CVE-2009-3129 : Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
  4. CVE-2009-2694 : Instant messaging library does not validate an offset value specified in a packet.
  5. CVE-2009-2687 : Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
  6. CVE-2009-0690 : negative offset leads to out-of-bounds read
  7. CVE-2008-4114 : untrusted offset in kernel
  8. CVE-2010-2873 : "blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution
  9. CVE-2010-2866 : negative value (signed) causes pointer miscalculation
  10. CVE-2010-2872 : signed values cause incorrect pointer calculation
  11. CVE-2007-5657 : values used as pointer offsets
  12. CVE-2010-2867 : a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic
  13. CVE-2009-1097 : portions of a GIF image used as offsets, causing corruption of an object pointer.
  14. CVE-2008-1807 : invalid numeric field leads to a free of arbitrary memory locations, then code execution.
  15. CVE-2007-2500 : large number of elements leads to a free of an arbitrary address
  16. CVE-2008-1686 : array index issue (CWE-129) with negative offset, used to dereference a function pointer
  17. CVE-2010-2878 : "buffer seek" value - basically an offset?

For more examples, refer to CVE relations in the bottom box.

White Box Definitions

Black Box Definitions

Taxynomy Mappings


  1. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 6, "Pointer Arithmetic", Page 277.'. Published on 2006.

© SecPod Technologies