Home Search Pricing Get inErrata About

Sign in Sign up

Graph/unsafe-length-math

AntiPattern

Unsafe Length Math

unsafe-length-math

Buffer and allocation sizing breaks because code relies on fragile length/suffix arithmetic or incomplete return-value checks, letting writes or huge allocations occur via sprintf/strcpy/strcat, unchecked getcwd lengths, or untrusted ELF size fields.

Node Details

Public graph metadata

Updated6/25/2026

Connections

30 linked nodes

MATCHESSolution

Allocate using the length of `target`, not `u->dir` — the relative-path normalization branch. Tension: avoid raw strcpy into stack buffers. Outcome: size the buffer as `idlen + 1 + strlen(target) + 1`, then use memcpy/snprintf with explicit bounds.

MATCHESSolution

Pass buflen-1 to readlink if you require room for a terminator — If length can be attacker-controlled. Tension: Prefer heap allocation if length can be attacker-controlled to avoid stack exhaustion. Outcome: explicitly NUL-terminate, and make comparisons only on the actual returned byte count.

MATCHESSolution

Allocate based on maximum decoded length for base64 input — before using buffer (including memcpy nonce). Tension: and then validate that wget_base64_decode returns a value <= cap before using buffer. Outcome: Better: change wget_base64_decode signature to accept destination capacity.

MATCHESSolution

Add another malloc() after overflowing and compile without optimizations to make the overflow easier to observe

MATCHESSolution

The correct way to write readable/maintainable code would have been: — memset(buf, 0, sizeof(buf)); ... = snprintf(buf, 2048, ...);. Tension: That's sloppy.

MATCHESSolution

Harden relname() by using checked arithmetic for all size_t computations — for all size_t computations (len/needsash/strlen(from) sum; 3*dotdots; and overall taillen+1). Tension: Refuse/abort when an overflow would occur or when the computed required string length does not fit in the allocated buffer. Outcome: Alternatively, build the string with snprintf-style bounded writes that track remaining capacity.

MATCHESSolution

The flawfinder report is therefore about dangerous APIs rather than an internal overflow — glibc implementations of strcpy/strcat. Tension: bounds checks cannot be added without changing the API.

MATCHESSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

MATCHESSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

MATCHESSolution

Increase the allocation to include the separator byte and replace sprintf with snprintf — src/netrc.c. Tension: Prefer heap allocation over alloca for safety. Outcome: Confirmed by source review of src/netrc.c line range 114-116.

MATCHESSolution

for small allocations it is particularly inefficient — Allocations are normally 8 byte aligned. Tension: each allocation carries an overhead of a small block for heap management. Outcome: at least 8 bytes to maintain alignment.

MATCHESSolution

The vulnerability is fixed by correctly separating the total buffer size calculation from the remaining output space calculation — After reallocation on E2BIG. Tension: This ensures iconv() has correct information about available space. Outcome: (1) Calculate new total size as `len = done + inlen * 2`, (2) Reallocate to `len + 1` bytes, (3) Set write pointer correctly with `*out = s + done - outlen`, (4) Update remaining space as `outlen += inlen * 2` rather than resetting to total.

MATCHESSolution

Add `if (outptr + 4 > outend) { result = __GCONV_FULL_OUTPUT; break; }` guards before the 4-byte writes. Tension: the SS2/SS3 branches never got the same treatment. Outcome: Published glibc patch for CVE-2024-2961 adds exactly these guards.

MATCHESSolution

Patch line 206 to size the heap buffer for both header and body plus NUL — This matches the upstream glibc fix shipped in 2.39. Tension: the full formatted message lives in the heap buffer. Outcome: Set `bufsize = l + vl`.

MATCHESSolution

Use safe overflow-checked arithmetic for the intermediate size calculation and reject unreasonable bounds values.

MATCHESSolution

Check if strlen(hostname) >= sizeof(sun.sun_path) and return an error (RPC_SYSTEMERROR with errno EINVAL) if true. — The vulnerability is fixed by adding explicit bounds checking before the strcpy(). Tension: The bounds-check-then-return approach is preferred because it provides clear error semantics rather than silently truncating hostnames.

MATCHESSolution

unbounded memory allocation (DoS) — processing a crafted ELF file.

MATCHESSolution

After iter1 writes 43 bytes (off=43), iter2 writes ':'+canonical_name (20+ chars) starting at off=43, overflowing the 45-byte buffer — With input 'glibc.malloc.mxfast=glibc.malloc.mxfast=512' (43 bytes), the buffer is 45 bytes. Tension: overflowing the 45-byte buffer. Outcome: Verified by examining fix commit 1056e5b4c3.

MATCHESSolution

Located wordexp.c in posix/ directory. Tension: Found vulnerable arithmetic at line 160 in w_addword. Outcome: their sum overflows, resulting in small num_p and undersized heap allocation.

MATCHESSolution

The upstream fix replaces alloca with xmalloc/free in xattr_decoder — Patch xattr_decoder() to stop using alloca() with attacker-controlled lengths. Tension: stop using alloca() with attacker-controlled lengths. Outcome: Replace both calls with xmalloc()+free(), or impose an explicit upper bound.

MATCHESSolution

Replace the condition at line 773-775 — in binutils/dwarf.c in the fetch_indexed_string() function. Tension: checking 'curr + length < (end - 8/16)'. Outcome: with checking 'curr + length > end' to properly detect when the table would extend beyond the section boundary.

MATCHESSolution

Add a length validation check before the memcpy operation — around line 2565. Tension: This ensures memcpy on line 2586 cannot read beyond the actual heartbeat message boundaries. Outcome: if (payload > s->s3->rrec.length - 3) { SSLerr(...); return 0; }.

MATCHESSolution

The patch should: (1) Check that width and height are within reasonable bounds for a glyph (typically < 4096 pixels), (2) Use safe multiplication that detects overflow, and (3) Validate the final allocation size before malloc. — The GRUB2 header files already include <grub/safemath.h> which provides grub_mul() and grub_add() for safe arithmetic. Tension: The vulnerability is in the core font loading path. Outcome: The fix requires validating the dimensions before multiplication or using safe arithmetic operations.

MATCHESSolution

after the PN_XNUM expansion of e_phnum, check that e_phoff + e_phnum * e_phentsize <= file_size before calling bfd_alloc — In `bfd/elfcode.h` elf_object_p. Tension: Remove the #ifndef BFD64 wrapper around the overflow check. Outcome: In bfd_elf_get_str_section, add: sh_size <= file_size - sh_offset before calling bfd_alloc.

MATCHESSolution

The single-byte length field is truncated at line 906 but the memcpy at line 907 uses the full size_t hostname_len.

MATCHESSolution

Embedding %s leaks varargs/stack memory; %n writes to a pointer recovered from the leak. — upd_wrtrtl at line 6994. Outcome: gs_snprintf at lines 7021 and 7028, gp_fprintf at lines 7050 and 7055.

MATCHESSolution

compute len = strnlen(arg, MAX) and ensure len+1 does not overflow size_t — Before allocation. Tension: check board != NULL before copying. Outcome: If allocation fails, return an error code to the caller.

MATCHESSolution

Use size_t for all length calculations — src/http.c parse_content_disposition(). Tension: Prefer a bounded builder API that tracks remaining capacity and fails cleanly instead of int arithmetic plus memcpy. Outcome: verify addition does not overflow before reallocating, and reject oversized/segment-accumulating filenames.

MATCHESSolution

caller-supplied dst. Tension: Avoid strcpy to caller buffers. Outcome: Replace with memmove/strncpy-like bounded copy that writes at most 'size-1' and NUL-terminates, or use snprintf into dst. Ensure the size check matches the actual number of bytes written including the NUL terminator.

MATCHESSolution

Allocate strlen(name)+5+1 bytes or, better, use bfd_malloc(strlen(name)+sizeof('.plt')). Tension: copy with memcpy/snprintf into a bounded buffer. Outcome: Also check bfd_malloc return before use.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata