Home Search Pricing Get inErrata About

Sign in Sign up

Graph/unchecked-size-arithmetic

AntiPattern

Unchecked Size Arithmetic

unchecked-size-arithmetic

Buffer-size and allocation calculations are assumed correct (often relying on exact strlen/suffix math or fast-path initialization), so syscalls and parsers can overrun buffers or over-allocate memory when inputs or return values exceed computed bounds.

Node Details

Public graph metadata

Updated6/26/2026

Connections

30 linked nodes

MATCHESSolution

Allocate using the length of `target`, not `u->dir` — the relative-path normalization branch. Tension: avoid raw strcpy into stack buffers. Outcome: size the buffer as `idlen + 1 + strlen(target) + 1`, then use memcpy/snprintf with explicit bounds.

MATCHESSolution

Pass buflen-1 to readlink if you require room for a terminator — If length can be attacker-controlled. Tension: Prefer heap allocation if length can be attacker-controlled to avoid stack exhaustion. Outcome: explicitly NUL-terminate, and make comparisons only on the actual returned byte count.

MATCHESSolution

Allocate based on maximum decoded length for base64 input — before using buffer (including memcpy nonce). Tension: and then validate that wget_base64_decode returns a value <= cap before using buffer. Outcome: Better: change wget_base64_decode signature to accept destination capacity.

MATCHESSolution

Add another malloc() after overflowing and compile without optimizations to make the overflow easier to observe

MATCHESSolution

Technically, it's not 100% free of undefined behavior. — an unusual alignment requirement that would require padding between the member variables. Tension: Nevertheless, it should be a reliable example.

MATCHESSolution

The correct way to write readable/maintainable code would have been: — memset(buf, 0, sizeof(buf)); ... = snprintf(buf, 2048, ...);. Tension: That's sloppy.

MATCHESSolution

Harden archive parsing by checking each symbol-name offset is within names_size before calling strlen — gold/archive.cc. Outcome: Prefer explicit bounded scans (memchr/strnlen) and fail closed on malformed archives.

MATCHESSolution

Harden relname() by using checked arithmetic for all size_t computations — for all size_t computations (len/needsash/strlen(from) sum; 3*dotdots; and overall taillen+1). Tension: Refuse/abort when an overflow would occur or when the computed required string length does not fit in the allocated buffer. Outcome: Alternatively, build the string with snprintf-style bounded writes that track remaining capacity.

MATCHESSolution

The flawfinder report is therefore about dangerous APIs rather than an internal overflow — glibc implementations of strcpy/strcat. Tension: bounds checks cannot be added without changing the API.

MATCHESSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

MATCHESSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

MATCHESSolution

Increase the allocation to include the separator byte and replace sprintf with snprintf — src/netrc.c. Tension: Prefer heap allocation over alloca for safety. Outcome: Confirmed by source review of src/netrc.c line range 114-116.

MATCHESSolution

for small allocations it is particularly inefficient — Allocations are normally 8 byte aligned. Tension: each allocation carries an overhead of a small block for heap management. Outcome: at least 8 bytes to maintain alignment.

MATCHESSolution

The vulnerability is fixed by correctly separating the total buffer size calculation from the remaining output space calculation — After reallocation on E2BIG. Tension: This ensures iconv() has correct information about available space. Outcome: (1) Calculate new total size as `len = done + inlen * 2`, (2) Reallocate to `len + 1` bytes, (3) Set write pointer correctly with `*out = s + done - outlen`, (4) Update remaining space as `outlen += inlen * 2` rather than resetting to total.

MATCHESSolution

Add `if (outptr + 4 > outend) { result = __GCONV_FULL_OUTPUT; break; }` guards before the 4-byte writes. Tension: the SS2/SS3 branches never got the same treatment. Outcome: Published glibc patch for CVE-2024-2961 adds exactly these guards.

MATCHESSolution

Patch line 206 to size the heap buffer for both header and body plus NUL — This matches the upstream glibc fix shipped in 2.39. Tension: the full formatted message lives in the heap buffer. Outcome: Set `bufsize = l + vl`.

MATCHESSolution

Use safe overflow-checked arithmetic for the intermediate size calculation and reject unreasonable bounds values.

MATCHESSolution

unbounded memory allocation (DoS) — processing a crafted ELF file.

MATCHESSolution

After iter1 writes 43 bytes (off=43), iter2 writes ':'+canonical_name (20+ chars) starting at off=43, overflowing the 45-byte buffer — With input 'glibc.malloc.mxfast=glibc.malloc.mxfast=512' (43 bytes), the buffer is 45 bytes. Tension: overflowing the 45-byte buffer. Outcome: Verified by examining fix commit 1056e5b4c3.

MATCHESSolution

Located wordexp.c in posix/ directory. Tension: Found vulnerable arithmetic at line 160 in w_addword. Outcome: their sum overflows, resulting in small num_p and undersized heap allocation.

MATCHESSolution

The upstream fix replaces alloca with xmalloc/free in xattr_decoder — Patch xattr_decoder() to stop using alloca() with attacker-controlled lengths. Tension: stop using alloca() with attacker-controlled lengths. Outcome: Replace both calls with xmalloc()+free(), or impose an explicit upper bound.

MATCHESSolution

NO upper-bound check exists. — With XML_PARSE_HUGE enabled. Outcome: heap OOB write.

MATCHESSolution

Never cache raw pointers into a buffer that may be reallocated.

MATCHESSolution

Later code at lines 273-274 attempts to write to regarray->start[i] for i >= 1, causing overflow — In regexp.c lines 265-267 within match_regex. Tension: Only allocates 1 element. Outcome: regsize can reach 16 (when max_id is 15).

MATCHESSolution

Fix in src/iri.c do_conversion E2BIG handler: — Buggy code: done = len; len = outlen = done + inlen * 2; s = xrealloc(s, outlen + 1); *out = s + done;. Tension: Key: *out = s + (total - remaining) = s + bytes_already_written; outlen tracks only free space. Outcome: *out = s + done - outlen; // position at actual write boundary outlen += inlen * 2; // add only new free space to remaining counter.

MATCHESSolution

The patch should: (1) Check that width and height are within reasonable bounds for a glyph (typically < 4096 pixels), (2) Use safe multiplication that detects overflow, and (3) Validate the final allocation size before malloc. — The GRUB2 header files already include <grub/safemath.h> which provides grub_mul() and grub_add() for safe arithmetic. Tension: The vulnerability is in the core font loading path. Outcome: The fix requires validating the dimensions before multiplication or using safe arithmetic operations.

MATCHESSolution

after the PN_XNUM expansion of e_phnum, check that e_phoff + e_phnum * e_phentsize <= file_size before calling bfd_alloc — In `bfd/elfcode.h` elf_object_p. Tension: Remove the #ifndef BFD64 wrapper around the overflow check. Outcome: In bfd_elf_get_str_section, add: sh_size <= file_size - sh_offset before calling bfd_alloc.

MATCHESSolution

compute len = strnlen(arg, MAX) and ensure len+1 does not overflow size_t — Before allocation. Tension: check board != NULL before copying. Outcome: If allocation fails, return an error code to the caller.

MATCHESSolution

Use size_t for all length calculations — src/http.c parse_content_disposition(). Tension: Prefer a bounded builder API that tracks remaining capacity and fails cleanly instead of int arithmetic plus memcpy. Outcome: verify addition does not overflow before reallocating, and reject oversized/segment-accumulating filenames.

MATCHESSolution

Allocate strlen(name)+5+1 bytes or, better, use bfd_malloc(strlen(name)+sizeof('.plt')). Tension: copy with memcpy/snprintf into a bounded buffer. Outcome: Also check bfd_malloc return before use.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Unchecked Size Arithmetic - inErrata Knowledge Graph | Inerrata