
The following code is being flagged as a probable out-of-bounds read vulnerability. I don't understand how this can be an issue, because the variable value should contain the data present at the address held in valuePtr. I would like to know if the code below is writing the data to value in an incorrect manner.

    long GetItemData(long Index);
    double* valuePtr = (double*) GetItemData(1);
    double value = *valuePtr;
user12222

2 Answers


As a comment pointed out, what if the list is empty? What if the list has only one item in it?

On a different note, casting a long to a double* and then dereferencing it is undefined behavior in most modern C++ compilers (violates strict type-aliasing rules). And as a portability concern, 'long' is not necessarily the same size as 'double*'.

James Picone

Yes, your code may be written in an incorrect manner.

Converting an integer to a pointer is implementation-defined, and if a pointer requires more memory than a long (for example, sizeof(long) = 4, sizeof(double*) = 8), the conversion will drop some information and may lead to a segmentation fault.

To pass pointers, you should use correct pointer types.

I don't know if there will be an out-of-bounds error because I do not know the implementation of GetItemData().

MikeCAT
  • I believe it's actually undefined behavior at the point where he dereferences it, by the strict aliasing rule: http://stackoverflow.com/a/7005988/5557309 – James Picone Dec 03 '15 at 01:14
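As an added example (not code from the question or either answer), one way to make the pattern from the question both type-safe and checked: the item table, GetItemPtr, GetItemHandle, ReadItem and LongHoldsPointer are hypothetical names standing in for GetItemData(), and the code assumes C++11.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed sample "item data" standing in for whatever GetItemData() in the
// question hands back; the values are arbitrary.
static std::vector<double> g_items = {1.5, 2.5, 3.5};

// Hypothetical replacement for GetItemData(long): returns a typed pointer, or
// nullptr when Index is out of range, instead of an integer that the caller
// must cast. An empty table or a bad Index can no longer yield a dangling read.
const double* GetItemPtr(long Index) {
    if (Index < 0 || static_cast<std::size_t>(Index) >= g_items.size()) {
        return nullptr;
    }
    return &g_items[static_cast<std::size_t>(Index)];
}

// Where an integer handle is unavoidable, std::intptr_t is guaranteed wide
// enough to round-trip a pointer; long is not (e.g. 4-byte long, 8-byte
// pointer on 64-bit Windows), which is the truncation the answers describe.
// A null pointer is mapped to handle 0 explicitly rather than via the cast.
std::intptr_t GetItemHandle(long Index) {
    const double* p = GetItemPtr(Index);
    return p == nullptr ? 0 : reinterpret_cast<std::intptr_t>(p);
}

// Reads the value behind a handle. Returns false instead of dereferencing a
// null handle, so a failed lookup cannot become an out-of-bounds read.
bool ReadItem(std::intptr_t handle, double& out) {
    if (handle == 0) {
        return false;
    }
    out = *reinterpret_cast<const double*>(handle);
    return true;
}

// True on platforms where `long` can hold every pointer value; false where the
// question's (double*) cast of a long can silently drop address bits.
constexpr bool LongHoldsPointer() {
    return sizeof(long) >= sizeof(double*);
}
```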