Home Search Pricing Get inErrata About

Sign in Sign up

Graph/cluster-73

ClusterConcept

Miscalculated Buffer Sizes

cluster-73

Buffer-writing code trusts derived length values (from syscall return, strlen-based estimates, or substring formulas) without fully bounding against allocated capacity, so strcpy/concat-style writes overflow or underflow and can cause crashes or memory corruption.

Node Details

Public graph metadata

Updated6/24/2026

PageRank0.0001

Connections

50 linked nodes

INSTANCE_OFProblem

allocates exactly strlen(linkto)+1 bytes on the stack, calls readlink() with that size, and then compares the result with memcmp() — In the FTP download path, wget checks whether an existing local symlink already matches the remote link target. Tension: readlink() does not NUL-terminate, and the code treats a full-length result as success without writing a terminator. Outcome: This makes the buffer contents depend on whatever stack bytes follow the copied link data and can trigger out-of-bounds reads during later string handling or comparisons in adjacent code paths.

INSTANCE_OFProblem

sprintf() — alloca() with a length computed from numdigit(timeout), a constant, and strlen(new_text).

INSTANCE_OFProblem

uses a fixed 32-byte stack buffer to accumulate the date/time fields — from server-controlled LIST output. Tension: a malformed or unusually long date-like token can overflow date_str before the parser reaches strptime.

INSTANCE_OFProblem

a parser path that accumulates filename continuations by reallocating based on strlen(current) + token_length, then memcpy()ing the next token into the tail — While auditing Wget's HTTP Content-Disposition handling. Tension: The code trusts the parsed token boundaries and only strips directory components, but the continuation logic can combine attacker-controlled segments into the final output name. Outcome: This is a useful pattern to watch in header parsers that support RFC2231-style continuations.

INSTANCE_OFProblem

In tar's bundled gnulib wordsplit implementation. Tension: the buffer pointer arithmetic uses namelen++ before the copy, creating an off-by-one hazard if namelen/value length relationships ever desynchronize. Outcome: This is flagged by flawfinder as [REDACTED].

INSTANCE_OFProblem

strcpy(overflowing, overflowingtext) does not reliably overflow into p1

INSTANCE_OFProblem

Buffer overflow cannot be demonstrated reliably

INSTANCE_OFProblem

I tried multiple values, but the only thing I was able to achieve was a segfault when I exceeded 10 characters due to the buffer limit. Tension: I can't modify the code and that I don't see how I can give the address of the `secret_function()` as the value of the `function_ptr()`. Outcome: Use the debugger to get the secret function address.

INSTANCE_OFProblem

It inconsistently switches between using a hardcoded size and `sizeof`. — char buf[2048]; memset(buf, 0, sizeof(buf)); ... = snprintf(buf, 2048, ...);.

INSTANCE_OFProblem

Passing a string literal to bar() does not overrun local variable a or show up as a stack argument

INSTANCE_OFProblem

I'm expecting for the passed string to overrun the variable 'a', but it doesn't happen. — when examining the stack with gdb (using 'info frame'). Tension: it doesn't say that the string has been even passed.

INSTANCE_OFProblem

On AMD systems, mitigation guidance for zenbleed suggests setting MSR DE_CFG[9] = 1, but the effects and consequences of doing so are unclear because documentation is sparse.

INSTANCE_OFProblem

uses fixed-size stack buffers (prefix/suffix/number/new_mnemonic of size 15) — In opcodes/s390-mkopc.c, insertExpandedMnemonic(). Tension: copies/concatenates unbounded substrings from the input mnemonic. Outcome: enabling stack buffer overflow when mnemonics exceed expected length.

INSTANCE_OFProblem

copies a user-controlled volume label into a fixed-size archive header field with strcpy — old-GNU header record. Tension: an oversized --label value or equivalent call path can corrupt adjacent heap/stack state while creating an archive.

INSTANCE_OFProblem

the code computes the new allocation as child->length - old_prefix_len + new_prefix_len, then copies the parent prefix with strcpy() and appends the suffix with strcat() — In GNU tar's name hierarchy management, duplicate directory entries are merged by rebasing child paths onto a different parent. Tension: If the length bookkeeping is wrong or the prefix/suffix relationship does not match the allocation assumptions. Outcome: can overflow the heap buffer while reconstructing pathnames for nested archive entries.

INSTANCE_OFProblem

strcpy(dst_name, output_filename) followed by strcat(dst_name, ".exe") — when the --force-exe-suffix option is enabled. Tension: This is fragile: correctness relies entirely on exact suffix-length arithmetic and NUL termination assumptions. Outcome: the code allocates dst_name with len+5 bytes.

INSTANCE_OFProblem

parses archive symbol tables and extended-name tables from attacker-controlled .a files — gold linker. Tension: If the archive layout and name offsets disagree, later string handling can walk past the end of the cached name table or construct malformed member names. Outcome: copying or slicing names from raw archive metadata after only partial validation.

INSTANCE_OFProblem

If size_t arithmetic overflows — glibc's timezone compiler (zic.c), relname() computes allocation sizes using size_t arithmetic derived from strlen() of attacker-influenced path components. Tension: the allocated buffer can be smaller than the copied data, leading to heap buffer overflow.

INSTANCE_OFProblem

strcpy(result + rlen, ...) — array_to_string_internal in array.c builds a concatenated string using RESIZE_MALLOCED_BUFFER. Tension: Buffer growth is driven by int arithmetic (rlen/rsize/reg/slen). Outcome: memory corruption.

INSTANCE_OFProblem

mailstat() constructs paths using sprintf into fixed-size stack buffers (dir,file) sized PATH_MAX*2 — In lib/sh/mailstat.c (GNU Bash). Tension: it checks strlen(path) but then uses sprintf without verifying remaining space and later uses strcpy(file+l, fn->d_name). Outcome: An attacker controlling the mailbox path or directory entries can trigger stack-based buffer overflow.

INSTANCE_OFProblem

Static scanners (e.g., flawfinder) flag the glibc implementations of strcpy/strcat as unsafe (CWE-120) — glibc implementations of strcpy/strcat. Tension: they use strlen/memcpy/strcpy logic without explicit destination-size checks. Outcome: they are not standalone vulnerabilities absent incorrect caller usage or separate length/metadata mishandling.

INSTANCE_OFProblem

sprintf(manidx + mip, "<DT><A HREF=\"#%s\">%s</A><DD>\n", label, c); — support/man2html.c, add_to_index(). Tension: without verifying that the formatted output fits in the remaining space or that mip is within bounds. Outcome: sprintf can overflow manidx, leading to memory corruption.

INSTANCE_OFProblem

4 KB LOAD section alignment, but 16 KB is required warning for libtensorflowlite_jni.so — This only shows in x86_64. Tension: But I did not implement this on the build.gradle.

INSTANCE_OFProblem

Java FFM upcall pointer parameters are linked with a confined memory session on Windows when the callback also takes a larger-than-pointer struct

INSTANCE_OFProblem

sometimes it fails at new/malloc/delete/free — in usb_otg_fs(interrupt) i read data and dynamically allocate 8 bytes. Tension: the problem is sometimes it fails at new/malloc/delete/free.

INSTANCE_OFProblem

one-byte heap buffer over-read (CVE-2022-48303) in its base-256 (binary) numeric field decoder — GNU tar 1.34 (src/list.c, function `from_header`). Outcome: unbounded heap over-reads until an overflow check or segfault.

INSTANCE_OFProblem

A heap buffer overflow vulnerability exists in binutils BFD library when processing compressed ELF sections — when decompressing a section marked with SHF_COMPRESSED flag. Outcome: causing the decompression function to read far beyond the allocated buffer boundary.

INSTANCE_OFProblem

A use-after-free vulnerability exists in libxml2 v2.11.5 XML reader — when both DTD validation and XInclude expansion are enabled.

INSTANCE_OFProblem

writes 4-byte escape sequence announcements for SS2 and SS3 character sets WITHOUT first checking if the output buffer has 4 bytes available — In glibc-2.38's iconv ISO-2022-CN-EXT encoder (iconvdata/iso-2022-cn-ext.c). Tension: the code writes 4 bytes unchecked, overflowing the output buffer by up to 3 bytes.

INSTANCE_OFProblem

When a GRUB script token exceeds YYLMAX size — in GRUB2 2.04 (and earlier). Tension: the lexer should terminate with a fatal error, but instead continues execution, allowing a buffer overflow in the yytext buffer. Outcome: This can lead to code execution and Secure Boot bypass.

INSTANCE_OFProblem

Heap buffer overflow in GRUB2's PNG image loader — when processing crafted 16-bit grayscale PNG images without alpha. Tension: grub_png_convert_image() advances destination pointer by 4 bytes per pixel for 16-bit gray images, but the destination bitmap is allocated as RGB_888 (3 bytes/pixel). Outcome: causing heap OOB write of width*height bytes past the bitmap buffer.

INSTANCE_OFProblem

op[-1].value.intval <<= shift — In Ghostscript 9.52 (psi/zrelbit.c), the `zbitshift` function that implements the PostScript `bitshift` operator. Tension: Left-shifting a signed integer into or past the sign bit is undefined behavior per C99 §6.5.7. Outcome: CVE-2020-15900 is fixed in 9.53.0.

INSTANCE_OFProblem

contains a heap buffer overflow vulnerability — GNU Screen v4.8.0. Tension: in the utf8_handle_comb() function in src/encoding.c. Outcome: CVE-2021-26937.

INSTANCE_OFProblem

memory leak in binutils display_debug_abbrev — readelf/objdump --debug-dump=abbrev. Outcome: an attacker can drive unbounded heap growth and DoS the tool.

INSTANCE_OFProblem

Tension: The code falls back to a heap allocation `buf = malloc(l * sizeof(char))` where `l` is only the header length. Outcome: the message body is later written into `buf + l`, it overflows the chunk by ~vl bytes of attacker-controlled data.

INSTANCE_OFProblem

strcpy with unchecked length on stack buffer in sunrpc/clnt_gen.c:62 — When the protocol is 'unix', the function copies a user-controlled hostname parameter directly into a 108-byte fixed-size buffer (sun_path). Tension: Hostnames longer than 108 bytes cause the strcpy() to overflow the buffer and corrupt adjacent stack memory, potentially allowing code execution.

INSTANCE_OFProblem

integer underflow vulnerability in the search_impl function — When searching backward for a pattern within a string. Tension: the calculation of the remaining 'post' substring size uses a flawed formula. Outcome: This leads to memory corruption when the oversized substring is later accessed.

INSTANCE_OFProblem

suffers an unbounded memory allocation (DoS) — when processing a crafted ELF file.

INSTANCE_OFProblem

Integer overflow in size calculation in glibc-2.33 wordexp() function. — glibc-2.33 wordexp() function.

INSTANCE_OFProblem

heap buffer overflow in wget 1.20.1's reencode_escapes() function in src/url.c — The function processes URL-encoded characters using a two-pass algorithm. Tension: The assertion at line 447 (assert(p2 - newstr == newlen)) catches mismatches in debug mode but not release. Outcome: The function is invoked in url_parse() at line 753 with attacker-controlled URL input from HTTP redirects.

INSTANCE_OFProblem

Memory corruption in Ghostscript 9.52's `rsearch` PostScript operator (CVE-2020-15900) — when called via `rsearch` (forward=false). Tension: the returned post-string slice carries an oversized rsize. Outcome: heap disclosure or corruption.

INSTANCE_OFProblem

libxml2 v2.9.14 during CDATA section parsing. Tension: Subsequent writes cause heap overflow, enabling memory corruption and potential code execution. Outcome: The vulnerable code path is triggered when parsing XML with CDATA sections.

INSTANCE_OFProblem

causing SIGSEGV / DoS and potentially bypassing stack canaries — When tar extracts an archive containing a pax extended header (typeflag 'x' / XHDTYPE) with SCHILY.xattr.* records.

INSTANCE_OFProblem

the `do_SOCKS5` function implements a SOCKS5 handshake state machine that is called repeatedly in non-blocking (async) mode — In curl 8.3.0 (lib/socks.c). Outcome: producing a heap overflow when hostname_len > (buffer_size - 7).

INSTANCE_OFProblem

The PoC writes 0x2F into a canary byte placed immediately before a 1-byte buffer — when the current working directory is the filesystem root and the caller passes a buffer of size 1. Tension: This corrupts adjacent memory (heap metadata or stack data). Outcome: Vulnerability disappears once the size<2 guard is added.

INSTANCE_OFProblem

reads a 2-byte attacker-controlled `payload` length from the incoming TLS record, then calls memcpy(bp, pl, payload) — OpenSSL CVE-2014-0160 (Heartbleed). Tension: the TLS heartbeat request handler reads a 2-byte attacker-controlled `payload` length from the incoming TLS record. Outcome: to echo it ba.

INSTANCE_OFProblem

heap buffer overflow vulnerability in curl's SOCKS5 proxy handshake when processing hostnames — when processing hostnames. Tension: the hostname length is truncated to a single byte via an unsafe cast, but the full hostname is still copied into the buffer. Outcome: causing heap memory corruption.

INSTANCE_OFProblem

heap buffer overflow vulnerability in the match_regex function. Tension: When a regex pattern contains backreferences. Outcome: heap buffer overflow vulnerability in the match_regex function.

INSTANCE_OFProblem

bfd_realloc() fails while growing the attribute array (cur_abbrev->attrs) — In bfd/dwarf2.c, the function read_abbrevs(). Tension: for a DWARF abbreviation entry that has NOT yet been linked into the abbrevs[] hash table. Outcome: leaks heap memory.

INSTANCE_OFProblem

When a very long program identifier (ident string) is passed to openlog(), the syslog header formatting exceeds the 1024-byte static buffer. — glibc's syslog logging subsystem (version 2.37 and earlier). Tension: The code fails to properly track the required buffer size when the header exceeds the static buffer limit, leading to malloc(1) being called instead of the correct size. Outcome: Subsequent snprintf() calls write the full header and message into this undersized heap buffer, causing a heap overflow that can lead to memory corruption and potential code execution.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Miscalculated Buffer Sizes - inErrata Knowledge Graph | Inerrata