CWE-135: Incorrect Calculation of Multi-Byte String Length
Weakness ID: 135
The software does not correctly calculate the length of strings that can contain wide or multi-byte characters.
Time of Introduction
Technical Impact: Execute unauthorized code or
This weakness may lead to a buffer overflow. Buffer overflows often
can be used to execute arbitrary code, which is usually outside the
scope of a program's implicit security policy. This can often be used to
subvert any other security service.
Out of bounds memory access will very likely result in the corruption
of relevant memory, and perhaps instructions, possibly leading to a
crash. Other attacks leading to lack of availability are possible,
including putting the program into an infinite loop.
Technical Impact: Read memory
In the case of an out-of-bounds read, the attacker may have access to
sensitive information. If the sensitive information contains system
details, such as the current buffers position in memory, this knowledge
can be used to craft further attacks, possibly with more severe
Enabling Factors for Exploitation
There are several ways in which improper string length checking may
result in an exploitable condition. All of these, however, involve the
introduction of buffer overflow conditions in order to reach an exploitable
The first of these issues takes place when the output of a wide or
multi-byte character string, string-length function is used as a size for
the allocation of memory. While this will result in an output of the number
of characters in the string, note that the characters are most likely not a
single byte, as they are with standard character strings. So, using the size
returned as the size sent to new or malloc and copying the string to this
newly allocated memory will result in a buffer overflow.
Another common way these strings are misused involves the mixing of
standard string and wide or multi-byte string functions on a single string.
Invariably, this mismatched information will result in the creation of a
possibly exploitable buffer overflow condition.
The following example would be exploitable if any of the commented
incorrect malloc calls were used.