CWE-131 (Incorrect Calculation of Buffer Size) — Vulnerability Class 82

82 vulnerabilities classified as CWE-131 (Incorrect Calculation of Buffer Size). AI Chinese analysis included.

CWE-131 represents a critical logic error where software fails to accurately determine the necessary memory allocation size for a buffer. This miscalculation typically stems from using incorrect data types, ignoring header overhead, or neglecting null terminators during size computations. Attackers exploit this vulnerability by crafting inputs that exceed the allocated memory space, triggering a buffer overflow. This overflow allows malicious actors to overwrite adjacent memory, potentially executing arbitrary code, crashing the application, or gaining unauthorized system access. To prevent such exploits, developers must rigorously validate input lengths and employ safe, bounds-checking functions like strncpy or snprintf instead of unsafe alternatives. Additionally, utilizing static analysis tools and conducting thorough code reviews can help identify arithmetic errors in memory allocation logic before deployment, ensuring that buffer sizes accurately reflect the actual data requirements.

MITRE CWE Description
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Common Consequences (1)
Integrity, Availability, Confidentiality · DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands; Read Memory; Modify Memory
If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing a…
Mitigations (5)
Implementation · When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&amp;" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.
Implementation · Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]…
Implementation · Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
Architecture and Design · For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Implementation · When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).
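The first mitigation (size the output for the largest possible encoding) as an added example, not code from MITRE or from this page. The function names, the `MAX_EXPANSION` constant and the handling of `<` and `>` alongside `&` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Longest replacement emitted for one input byte: "&amp;" is 5 bytes.
 * Adding a longer entity (e.g. "&quot;", 6 bytes) requires raising this. */
#define MAX_EXPANSION 5

/* Return the entity for c, or NULL if c is copied through unchanged. */
static const char *entity_for(char c)
{
    switch (c) {
    case '&': return "&amp;";
    case '<': return "&lt;";
    case '>': return "&gt;";
    default:  return NULL;
    }
}

/* Entity-encode in[0..in_len) into a newly allocated NUL-terminated string.
 * Returns NULL if the worst-case size cannot be represented or malloc fails. */
char *html_encode(const char *in, size_t in_len, size_t *out_len)
{
    /* Worst case: every byte expands to MAX_EXPANSION bytes, plus the NUL.
     * Check before multiplying so the size calculation cannot wrap. */
    if (in_len > (SIZE_MAX - 1) / MAX_EXPANSION)
        return NULL;
    size_t cap = in_len * MAX_EXPANSION + 1;

    char *out = malloc(cap);
    if (out == NULL)
        return NULL;

    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        const char *rep = entity_for(in[i]);
        if (rep != NULL) {
            size_t n = strlen(rep);      /* never more than MAX_EXPANSION */
            memcpy(out + o, rep, n);
            o += n;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';                       /* o <= cap - 1 by construction */
    *out_len = o;
    return out;
}
```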
Examples (2)
The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.
```c
int i;
unsigned int numWidgets;
Widget **WidgetList;

numWidgets = GetUntrustedSizeValue();
if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {
    ExitError("Incorrect number of widgets requested!");
}
/* Space for exactly numWidgets pointers: valid indices are 0..numWidgets-1. */
WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));
printf("WidgetList ptr=%p\n", WidgetList);
for (i = 0; i < numWidgets; i++) {
    WidgetList[i] = InitializeWidget();
}
/* Terminator is stored at index numWidgets, one element past the allocation. */
WidgetList[numWidgets] = NULL;
showWidgets(WidgetList);
```
Bad · C
The following image processing code allocates a table for images.
```c
img_t *table_ptr; /* struct containing img data, 10kB each */
int num_imgs;
...
num_imgs = get_num_imgs();
/* sizeof(img_t) * num_imgs is unchecked: a large num_imgs wraps the product. */
table_ptr = (img_t *)malloc(sizeof(img_t) * num_imgs);
...
```
Bad · C
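Corrected size calculations for both examples above, as an added illustration that is not MITRE's or this page's code. The `Widget` and `img_t` definitions, the value of `MAX_NUM_WIDGETS`, the `max_imgs` parameter and all function names are stand-ins assumed here.

```c
#include <stdint.h>
#include <stdlib.h>

#define MAX_NUM_WIDGETS 1024   /* assumed limit; the page gives no value */

typedef struct { int id; } Widget;                        /* stand-in type */
typedef struct { unsigned char data[10 * 1024]; } img_t;  /* 10kB each */

/* Allocate zeroed room for (count + extra) elements of elem_size bytes.
 * Returns NULL when the element count or the byte total would wrap. */
void *alloc_array(size_t count, size_t extra, size_t elem_size)
{
    if (elem_size == 0 || count > SIZE_MAX - extra)
        return NULL;
    size_t total = count + extra;
    if (total == 0 || total > SIZE_MAX / elem_size)
        return NULL;
    return calloc(total, elem_size);
}

/* Widget example: numWidgets pointers plus one slot for the NULL terminator. */
Widget **alloc_widget_list(unsigned int numWidgets)
{
    if (numWidgets == 0 || numWidgets > MAX_NUM_WIDGETS)
        return NULL;
    Widget **list = alloc_array(numWidgets, 1, sizeof(Widget *));
    if (list != NULL)
        list[numWidgets] = NULL;   /* index numWidgets is now in bounds */
    return list;
}

/* Image table example: bound the count on both sides before it reaches
 * the multiplication, then let alloc_array reject any wrapped product. */
img_t *alloc_img_table(int num_imgs, int max_imgs)
{
    if (num_imgs <= 0 || num_imgs > max_imgs)
        return NULL;
    return alloc_array((size_t)num_imgs, 0, sizeof(img_t));
}
```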
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2024-5000 | CODESYS: Incorrect calculation of buffer size can cause DoS on CODESYS OPC UA products — CODESYS Control for BeagleBone SL | 7.5 | High | 2024-06-04 |
| CVE-2024-30405 | Junos OS: SRX 5000 Series with SPC2: Processing of specific crafted packets when ALG is enabled causes a transit traffic Denial of Service — Junos OS | 7.5 | High | 2024-04-12 |
| CVE-2023-52558 | OpenBSD 7.4 and 7.3 m_split() network buffer kernel crash — OpenBSD | 7.5 | - | 2024-03-01 |
| CVE-2023-52557 | OpenBSD 7.3 invalid l2tp message npppd crash — OpenBSD | 7.5 | - | 2024-03-01 |
| CVE-2023-50736 | A vulnerability has been identified in the PostScript interpreter in various Lexmark devices. — various | 9.0 | Critical | 2024-02-28 |
| CVE-2024-23606 | Biosig Project libbiosig security vulnerability — libbiosig | 9.8 | Critical | 2024-02-20 |
| CVE-2024-23805 | F5 Application Visibility and Reporting module and BIG-IP Advanced WAF/ASM vulnerability — BIG-IP | 7.5 | High | 2024-02-14 |
| CVE-2023-6780 | Glibc: integer overflow in __vsyslog_internal() — glibc | 5.3 | Medium | 2024-01-31 |
| CVE-2024-23622 | IBM Merge Healthcare eFilm Workstation License Server CopySLS_Request3 Buffer Overflow — eFilm Workstation | 10.0 | Critical | 2024-01-25 |
| CVE-2024-23621 | IBM Merge Healthcare eFilm Workstation License Server Buffer Overflow — eFilm Workstation | 10.0 | Critical | 2024-01-25 |
| CVE-2023-30575 | Apache Guacamole: Incorrect calculation of Guacamole protocol element lengths — Apache Guacamole | 6.5 | Medium | 2023-06-07 |
| CVE-2023-24819 | RIOT-OS vulnerable to Buffer Overflow during IPHC receive — RIOT | 9.8 | Critical | 2023-04-24 |
| CVE-2022-25731 | Incorrect Calculation of Buffer Size in MODEM — Snapdragon | 7.5 | High | 2023-04-04 |
| CVE-2023-1175 | Incorrect Calculation of Buffer Size in vim/vim — vim/vim | 6.6 | - | 2023-03-04 |
| CVE-2023-0568 | Array overrun in common path resolve code — PHP | 7.5 | High | 2023-02-16 |
| CVE-2022-4378 | Linux kernel buffer error vulnerability — kernel | 7.8 | - | 2023-01-05 |
| CVE-2022-41907 | Overflow in `ResizeNearestNeighborGrad` in Tensorflow — tensorflow | 4.8 | Medium | 2022-11-18 |
| CVE-2022-41887 | Overflow in `tf.keras.losses.poisson` in Tensorflow — tensorflow | 4.8 | Medium | 2022-11-18 |
| CVE-2022-41886 | Overflow in `ImageProjectiveTransformV2` in Tensorflow — tensorflow | 4.8 | Medium | 2022-11-18 |
| CVE-2022-41885 | Overflow in `FusedResizeAndPadConv2D` in Tensorflow — tensorflow | 4.8 | Medium | 2022-11-18 |
| CVE-2022-31630 | OOB read due to insufficient input validation in imageloadfont() — PHP | 6.5 | Medium | 2022-11-14 |
| CVE-2022-39377 | sysstat Incorrect Buffer Size calculation on 32-bit systems results in RCE via buffer overflow — sysstat | 7.0 | High | 2022-11-08 |
| CVE-2022-43945 | Linux kernel security vulnerability — linux_kernel | 7.5 | - | 2022-11-04 |
| CVE-2022-2520 | LibTIFF security vulnerability — libtiff | 6.5 | - | 2022-08-31 |
| CVE-2021-4155 | Red Hat Enterprise Linux permissions and access control vulnerability — kernel | 5.5 | - | 2022-08-24 |
| CVE-2022-2873 | Linux kernel security vulnerability — Kernel | 5.5 | - | 2022-08-22 |
| CVE-2021-38435 | RTI Connext DDS Professional and Connext DDS Secure Incorrect Calculation of Buffer Size — Connext DDS Professional | 6.6 | Medium | 2022-05-05 |
| CVE-2021-38423 | GurumDDS Heap-based Incorrect Calculation of Buffer Size — GurumDDS | 6.6 | Medium | 2022-05-05 |
| CVE-2022-22137 | Accusoft ImageGear security vulnerability — ImageGear | 8.1 | - | 2022-05-03 |
| CVE-2021-21793 | Accusoft ImageGear buffer error vulnerability — Accusoft | 8.8 | - | 2021-07-08 |

Vulnerabilities classified as CWE-131 (Incorrect Calculation of Buffer Size) represent 82 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.