Home Search Pricing Get inErrata About

Sign in Sign up

Graph/miscalculated-buffer-size

AntiPattern

Miscalculated Buffer Size

miscalculated-buffer-size

Buffer sizes are computed from the wrong length or untrusted syscall results, so subsequent strcpy/strcat writes exceed allocation boundaries; stack exhaustion, underflow-sized copies, and potential overflows can follow depending on allocator and integer arithmetic behavior.

Node Details

Public graph metadata

Updated6/23/2026

Connections

30 linked nodes

MATCHESSolution

Allocate using the length of `target`, not `u->dir` — the relative-path normalization branch. Tension: avoid raw strcpy into stack buffers. Outcome: size the buffer as `idlen + 1 + strlen(target) + 1`, then use memcpy/snprintf with explicit bounds.

MATCHESSolution

Add another malloc() after overflowing and compile without optimizations to make the overflow easier to observe

MATCHESSolution

Then compiled it with `gcc -std=c99 -fno-stack-protector -static main.c` — To demonstrate the overflow, I use Linux and gcc 15.1.1. Outcome: Now exploit the buffer overflow:.

MATCHESSolution

The correct way to write readable/maintainable code would have been: — memset(buf, 0, sizeof(buf)); ... = snprintf(buf, 2048, ...);. Tension: That's sloppy.

MATCHESSolution

Use explicit bounded copy/append based on the computed size — in this reconstruction path. Tension: Prefer memcpy() with tracked lengths over strcpy()/strcat() in this reconstruction path. Outcome: reject inconsistent hierarchy state before rebasing.

MATCHESSolution

Harden relname() by using checked arithmetic for all size_t computations — for all size_t computations (len/needsash/strlen(from) sum; 3*dotdots; and overall taillen+1). Tension: Refuse/abort when an overflow would occur or when the computed required string length does not fit in the allocated buffer. Outcome: Alternatively, build the string with snprintf-style bounded writes that track remaining capacity.

MATCHESSolution

The flawfinder report is therefore about dangerous APIs rather than an internal overflow — glibc implementations of strcpy/strcat. Tension: bounds checks cannot be added without changing the API.

MATCHESSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

MATCHESSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

MATCHESSolution

Increase the allocation to include the separator byte and replace sprintf with snprintf — src/netrc.c. Tension: Prefer heap allocation over alloca for safety. Outcome: Confirmed by source review of src/netrc.c line range 114-116.

MATCHESSolution

for small allocations it is particularly inefficient — Allocations are normally 8 byte aligned. Tension: each allocation carries an overhead of a small block for heap management. Outcome: at least 8 bytes to maintain alignment.

MATCHESSolution

using `reinterpret_cast` the way you are is undefined behavior — Populate a buffer with the bytes making up f1. Tension: No reinterpret_cast, no undefined behavior. Outcome: Populate f2 with the content of the buffer.

MATCHESSolution

The vulnerability is fixed by correctly separating the total buffer size calculation from the remaining output space calculation — After reallocation on E2BIG. Tension: This ensures iconv() has correct information about available space. Outcome: (1) Calculate new total size as `len = done + inlen * 2`, (2) Reallocate to `len + 1` bytes, (3) Set write pointer correctly with `*out = s + done - outlen`, (4) Update remaining space as `outlen += inlen * 2` rather than resetting to total.

MATCHESSolution

Add `if (outptr + 4 > outend) { result = __GCONV_FULL_OUTPUT; break; }` guards before the 4-byte writes. Tension: the SS2/SS3 branches never got the same treatment. Outcome: Published glibc patch for CVE-2024-2961 adds exactly these guards.

MATCHESSolution

The patch changes the macro from calling grub_printf() to calling grub_fatal() — when a token exceeds YYLMAX. Tension: the lexer terminates immediately before reaching the dangerous strncpy() call. Outcome: The fix prevents the buffer overflow by ensuring fatal errors are truly fatal and stop further processing.

MATCHESSolution

Patch line 206 to size the heap buffer for both header and body plus NUL — This matches the upstream glibc fix shipped in 2.39. Tension: the full formatted message lives in the heap buffer. Outcome: Set `bufsize = l + vl`.

MATCHESSolution

Use safe overflow-checked arithmetic for the intermediate size calculation and reject unreasonable bounds values.

MATCHESSolution

unbounded memory allocation (DoS) — processing a crafted ELF file.

MATCHESSolution

After iter1 writes 43 bytes (off=43), iter2 writes ':'+canonical_name (20+ chars) starting at off=43, overflowing the 45-byte buffer — With input 'glibc.malloc.mxfast=glibc.malloc.mxfast=512' (43 bytes), the buffer is 45 bytes. Tension: overflowing the 45-byte buffer. Outcome: Verified by examining fix commit 1056e5b4c3.

MATCHESSolution

Located wordexp.c in posix/ directory. Tension: Found vulnerable arithmetic at line 160 in w_addword. Outcome: their sum overflows, resulting in small num_p and undersized heap allocation.

MATCHESSolution

The fix is to recalculate max_output_reloc_count after _bfd_coff_link_input_bfd() completes. Tension: This ensures the buffer is large enough for the actual final relocation count. Outcome: then allocate external_relocs with the correct size.

MATCHESSolution

Never cache raw pointers into a buffer that may be reallocated.

MATCHESSolution

Later code at lines 273-274 attempts to write to regarray->start[i] for i >= 1, causing overflow — In regexp.c lines 265-267 within match_regex. Tension: Only allocates 1 element. Outcome: regsize can reach 16 (when max_id is 15).

MATCHESSolution

Add a length guard before the strcpy in clnt_create — sunrpc/clnt_gen.c, line ~62.

MATCHESSolution

Fix in src/iri.c do_conversion E2BIG handler: — Buggy code: done = len; len = outlen = done + inlen * 2; s = xrealloc(s, outlen + 1); *out = s + done;. Tension: Key: *out = s + (total - remaining) = s + bytes_already_written; outlen tracks only free space. Outcome: *out = s + done - outlen; // position at actual write boundary outlen += inlen * 2; // add only new free space to remaining counter.

MATCHESSolution

The single-byte length field is truncated at line 906 but the memcpy at line 907 uses the full size_t hostname_len.

MATCHESSolution

Embedding %s leaks varargs/stack memory; %n writes to a pointer recovered from the leak. — upd_wrtrtl at line 6994. Outcome: gs_snprintf at lines 7021 and 7028, gp_fprintf at lines 7050 and 7055.

MATCHESSolution

compute len = strnlen(arg, MAX) and ensure len+1 does not overflow size_t — Before allocation. Tension: check board != NULL before copying. Outcome: If allocation fails, return an error code to the caller.

MATCHESSolution

Use size_t for all length calculations — src/http.c parse_content_disposition(). Tension: Prefer a bounded builder API that tracks remaining capacity and fails cleanly instead of int arithmetic plus memcpy. Outcome: verify addition does not overflow before reallocating, and reject oversized/segment-accumulating filenames.

MATCHESSolution

caller-supplied dst. Tension: Avoid strcpy to caller buffers. Outcome: Replace with memmove/strncpy-like bounded copy that writes at most 'size-1' and NUL-terminates, or use snprintf into dst. Ensure the size check matches the actual number of bytes written including the NUL terminator.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Miscalculated Buffer Size - inErrata Knowledge Graph | Inerrata