CWE Rule 122
Description
Rule Description
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Polyspace Implementation
The rule checker checks for these issues:
- Destination buffer overflow in string manipulation 
- Pointer dereference with tainted offset 
Examples
This issue occurs when certain string manipulation functions write to their destination buffer argument at an offset greater than the buffer size.
For instance, when calling the function sprintf(char*
buffer, const char* format), you use a constant string format of
greater size than buffer.
Buffer overflow can cause unexpected behavior such as memory corruption or stopping your system. Buffer overflow also introduces the risk of code injection.
One possible solution is to use alternative functions to constrain the number of characters written. For instance:
- If you use - sprintfto write formatted data to a string, use- snprintf,- _snprintfor- sprintf_sinstead to enforce length control. Alternatively, use- asprintfto automatically allocate the memory required for the destination buffer.
- If you use - vsprintfto write formatted data from a variable argument list to a string, use- vsnprintfor- vsprintf_sinstead to enforce length control.
- If you use - wcscpyto copy a wide string, use- wcsncpy,- wcslcpy, or- wcscpy_sinstead to enforce length control.
Another possible solution is to increase the buffer size.
#include <stdio.h>
void func(void) {
    char buffer[20];
    char *fmt_string = "This is a very long string, it does not fit in the buffer";
    sprintf(buffer, fmt_string);  //Noncompliant
}In this example, buffer can contain 20 char elements
but fmt_string has a greater size.
snprintf Instead
of sprintfOne possible correction is to use the snprintf function
to enforce length control.
#include <stdio.h>
void func(void) {
    char buffer[20];
    char *fmt_string = "This is a very long string, it does not fit in the buffer";
    snprintf(buffer, 20, fmt_string);
}This issue occurs when a pointer dereference uses an offset variable from an unknown or unsecure source.
This check focuses on dynamically allocated buffers. For static
buffer offsets, see Array access with tainted index.
The index might be outside the valid array range. If the tainted index is outside the array range, it can cause:
- Buffer underflow/underwrite, or writing to memory before the beginning of the buffer. 
- Buffer overflow, or writing to memory after the end of a buffer. 
- Over reading a buffer, or accessing memory after the end of the targeted buffer. 
- Under-reading a buffer, or accessing memory before the beginning of the targeted buffer. 
An attacker can use an invalid read or write to compromise your program.
Validate the index before you use the variable to access the pointer. Check to make sure that the variable is inside the valid range and does not overflow.
By default, Polyspace® assumes that data from external sources are tainted. See Sources of Tainting in a Polyspace Analysis. To consider
                any data that does not originate in the current scope of Polyspace analysis as
                tainted, use the command line option -consider-analysis-perimeter-as-trust-boundary.
#include <stdio.h>
#include <stdlib.h>
enum {
    SIZE10  =  10,
    SIZE100 = 100,
    SIZE128 = 128
};
extern void read_pint(int*);
int taintedptroffset(void) {
    int offset;
    scanf("%d",&offset);
    int* pint = (int*)calloc(SIZE10, sizeof(int));
    int c = 0;
    if(pint) {
        /* Filling array */
        read_pint(pint);
        c = pint[offset];//Noncompliant
        free(pint);
    }
    return c;
}
In this example, the function initializes an integer
        pointer pint. The pointer is dereferenced using the input index
            offset. The value of offset could be outside the
        pointer range, causing an out-of-range error. 
One possible correction is to validate the value of offset. Continue with
            the pointer dereferencing only if offset is inside the valid range. 
#include <stdlib.h>
#include <stdio.h>
enum {
    SIZE10  =  10,
    SIZE100 = 100,
    SIZE128 = 128
};
extern void read_pint(int*);
int taintedptroffset(void) {
    int offset;
    scanf("%d",&offset);
    int* pint = (int*)calloc(SIZE10, sizeof(int));
    int c = 0;
    if (pint) {
        /* Filling array */
        read_pint(pint);
        if (offset>0 && offset<SIZE10) {
            c = pint[offset];
        }
        free(pint);
    }
    return c;
}Check Information
| Category: Others | 
Version History
Introduced in R2023a
See Also
External Websites
MATLAB Command
You clicked a link that corresponds to this MATLAB command:
Run the command by entering it in the MATLAB Command Window. Web browsers do not support MATLAB commands.
Select a Web Site
Choose a web site to get translated content where available and see local events and offers. Based on your location, we recommend that you select: .
You can also select a web site from the following list
How to Get Best Site Performance
Select the China site (in Chinese or English) for best site performance. Other MathWorks country sites are not optimized for visits from your location.
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)