National Institute of Standards and Technology
Package illustrating a test case

Test case 1510

Description

Exploit of a buffer overflow in dynamic memory (the heap) on Windows. This exploit requires that the overwritten memory address is executable.
The HeapFree() on line 38 creates a gap in the contiguously allocated memory. The memcpy() on line 39 is the exploiting write: the first 16 bytes of malArg overwrite the user data area, the next 8 bytes overwrite the boundary tag of the free chunk, and the next 8 bytes of malArg overwrite the pointers to the next and previous chunk.
From "Secure Coding in C and C++" by Robert C. Seacord.
Page 128, Figure 4-29

Flaws
