Data Type Bugs Examples

CVE-2021-21834 - Bad Allocation Chain

BF Taxonomy

DVR (Verify)

Cause: Improper Operation - Missing

Attributes:
Mechanism: Range
Source Code: Third Party (Library box_code_base.c)
Execution Space: Local
Data State: Stored(“number of entries” read from file)

Consequence: Improper Data Value - Inconsistent Value ( > max 64-bit int )

TCM (Calculate)

Cause: Improper Data Value - Wrong Argument Value

Attributes:
Mechanism: Operator(Arithmetic: ‘*’)
Source Code: Third Party (Library box_code_base.c)
Data Value Kind: Numeric
Data Type Kind: Structured

Consequence: Improper Data Value - Wrap Around

MAL (Allocate)

Cause: Improper Data Value - Wrong Size Used (size of memory to allocate

Attributes:
Mechanism: Explicit
Source Code: Third Party (Library box_code_base.c)
Execution Space: Userland
Ownership: Single
Location: Heap

Consequence: Improper Object Size - Not Enough Memory Allocated

MAD (Reposition)

Cause: Improper Object Size - Not Enough Memory Allocated

Attributes:
Mechanism: Sequential
Source Code: Third Party (Library box_code_base.c)
Execution Space: Userland
Location: Heap

Consequence: Improper Data Value - Over Bounds Pointer

MUS (Write)

Cause: Improper Data Value - Over Bounds Pointer

Attributes:
Mechanism: Sequential
Source Code: Third Party (Library box_code_base.c)
Execution Space: Userland
Span: Huge
Location: Heap

Consequence: Memory Overflow - Buffer Overflow

BF Description:

The GPAC Project on Advanced Content is a C language implementation of the MPEG- 4 audio/video compression standard. In version 1.0.1, the library is vulnerable to decoding a specially crafted MPEG-4 input file.

CVE Description

Analysis

The library code reads the “number of entries” value from a file into a 32-bit integer object (ptr−→nb_entries) and checks if it is not larger than the 64- bits input size (ptr−→size/8). Then, the size of memory that should be allocated is calculated by multiplying the “number of entries” by the size of a u64 object (sizeof(u64)), which can result in an integer overflow on a 32-bit platform. When such an overflowed integer is used, the allocation routine will create an undersized buffer, which will be populated based on its larger actual size, leading to a buffer overflow. Fig.10 presents the BF taxonomy for this vulnerability.

The Fix

To fix the bug, the GPAC team checked the maximum integer size ((u64)ptr−→nb_entries > (u64)SIZE_MAX/sizeof(u64)), fixing the DVR bug and resolving the entire vulnerability.

CWE-468 - Incorrect Pointer Scaling

BF Taxonomy

TCV (Cast)

Cause: Improper Operation - Wrong

Attributes:
Mechanism: Pass In
Source Code: Codebase
Data Value Kind: Pointer
Data Type Kind: Primitive

Consequence: Improper Data Type - Wrong Type ( int instead of char )

NRS (Call)

Cause: Improper Data Type - Wrong Argument Type

Attributes:
Mechanism: Ad-hoc Bind
Source Code: Codebase
Entity: Functino
Data Type Kind: Primitive

Consequence: Improper Func�on - Wrong Overloaded Func�on Bound ( +(int*,int) instead of +(char*,int) )

TCM (Calculate)

Cause: Improper Function - Wrong Overloaded Func�on

Attributes:
Mechanism: Operator
Source Code: Codebase
Data Value Kind: Pointer
Data Type Kind: Primitive

Consequence: Improper Data Value - Wrong Result ( Pointer position )

MAD (Reposition)

Cause: Improper Data Value - Wrong Index

Attributes:
Mechanism: Direct
Source Code: Codebase
Execution Space: Userland
Location: Stack

Consequence: Improper Object Address - Over Bounds Pointer

MUS (Read)

Cause: Improper Object Address - Over Bounds Pointer

Attributes:
Mechanism: Direct
Source Code: Codebase
Execution Space: Userland
Span: Little
Location: Stack

Consequence: Memory Overflow - Buffer Overflow

BF Description:

CVE Description

Analysis

The chain starts with an improper casting of the pointer p to char * that leads to invocation of a wrong addition operator *int + 16 instead of *char + 1. Therefore, the pointer moves 4 bytes instead of 1 byte (3 bytes off), reading the wrong value, outside the object x (buffer overflow). Fig.11 presents the BF taxonomy for this weakness.

The Fix

To fix the bug, the programmer should first cast and then add: int *p = x; char * second_char = (char *)p + 1;

CVE-2021-23440 - Type Mismatch bypassing Input Validation

BF Taxonomy

TCM (Evaluate)

Cause: Improper Operation - Wrong

Attributes:
Mechanism: Operator
Source Code: Codebase
Data Value Kind: Boolean
Data Type Kind: Structured

Consequence: Improper Data Value - Wrong Result

TCV (Cast)

Cause: Improper Operation - Missing

Attributes:
Mechanism: Pass In
Source Code: Codebase
Data Value Kind: Text
Data Type Kind: Structured

Consequence: Improper DataType - Wrong Type ( nested list with [‘_proto_’’] instead of string value

DVL (Validate)

Cause: Improper Data - Tampered Data ( nested list with[‘_proto_’’] )

Attributes:
Mechanism: Safelist
Source Code: Codebase
Execution Space: Local/attribute>
Data State: Entered

Consequence: Injec�on Error - Command Injec�on

BF Description:

The package set-value for JavaScript is vulnerable to prototype pollution in versions <2.0.1, >=3.0.0, <4.0.1. It happens due to a type mismatch in the prototype pollution verification.

CVE Description

Analysis

This vulnerability has two possible BF chains. The first chain is: the loose comparison operator is misused. The second chain is: a type conversion is missing before using the loose comparison, leading to improper input validation and prototype pollution, a kind of command injection in JavaScript.

The Fix

There are two ways of fixing this vulnerability: the developers could use strict comparison, solving the TCM bug, or they could do a type conversion before the loose comparison. They chose the latter.