Displaying test cases 25776 - 25795 of 25795 in total
-
This example of printing usage information with formatted output shows a flaw that can be exploited to run arbitrary code. By controlling the content of the format string, a user can, in effect, control execution of the formatted output function. From "Secure Coding in C and C++" by Robert C. Seaco...
-
Exploit of a buffer overflow in dynamic memory on Windows. This exploit requires that the overwritten memory address is executable. The HeapFree() on line 38 creates a gap in the contiguous allocated memory. The memcpy() on line 39 is an example of the exploit. The first 16 bytes of malArg overwrite the ...
-
The semantics of virtual functions. Most C++ compilers implement virtual functions using a Virtual Function Table (VTBL). The VTBL is an array of function pointers that is used at runtime for dispatching virtual function calls. It's possible to overwrite function pointers in the VTBL or change...
-
Modifying the instruction pointer. The invocation through the function pointer funcPtr uses an indirect reference, and the address in the referenced location can be overwritten. As the function pointer address cannot be resolved at compile time, it can be exploited to transfer control to arbitrar...
-
Extracting an object from cin to a std::string object. This example is quite safe because if there is a buffer overflow, C++ will throw an out_of_range exception. From "Secure Coding in C and C++" by Robert C. Seacord. Page 61, Figure 2-33
-
Input validation. The size of the first argument must be lower than 99; otherwise it will produce a buffer overflow when copied into the buff array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 52, Figure 2-29
-
Program vulnerable to an arc injection exploit. The buffer overflow occurs on line 25 when memcpy() copies the first argument into the 3-character array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 49, Figure 2-27
-
Get password program. The security flaw is due to the gets() on line 25. If the input contains more than 11 characters (remember the null terminating character), the gets() function overflows the buffer. From "Secure Coding in C and C++" by Robert C. Seacord. Page 33, Figure 2-9
-
Defective string manipulation code. If the first argument exceeds 128 characters (including the null terminator), the program will write outside the bounds of the fixed-size array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 32, Figure 2-8
-
Null-termination defect. No space is allocated for the null terminating character. As a result, the strcpy() writes beyond the character array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 31, Figure 2-7
-
Common off-by-one defect. The strcpy() copies 11 characters in the source buffer including the terminating null character. Due to the index value, the assignment on line 31 causes an out-of-bounds write. From "Secure Coding in C and C++" by Robert C. Seacord. Page 30, Figure 2-6
-
Extracting characters using the field width member. Ensures that operator>> will not extract more than 12 characters. From "Secure Coding in C and C++" by Robert C. Seacord. Page 29, Figure 2-5
-
Extracting characters from cin into a character array. The operator>> will copy outside the bounds of the statically allocated array if the length of the input is more than 11 characters. From "Secure Coding in C and C++" by Robert C. Seacord. Page 29, Figure 2-4
-
Dynamic allocation of the character array ensures that sufficient space is allocated to copy the input and the null character. From "Secure Coding in C and C++" by Robert C. Seacord. Page 28, Figure 2-3
-
Buffer overflow if the input is not validated. Every operation may write outside the bounds of the statically allocated character array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 28, Figure 2-2
-
Buffer overflow by gets() if input is more than 80 characters. From "Secure Coding in C and C++" by Robert C. Seacord. Page 27, Figure 2-1
-
No memory leak because of proper use of the delete() function.
-
Memory allocated via new() constructor is deallocated via delete() call.
-
When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or event is worth a change in execution. (from TCCLASP-5_6_18_10)
-
A buffer underwrite condition occurs when a buffer is indexed with a negative number, or pointer arithmetic with a negative value results in a position before the beginning of the valid memory location. (from TCCLASP-5_2_5_9)