In C and C++, one can easily end up referring to the wrong memory because arithmetic on a pointer is implicitly scaled by the size of the type it points to.
Time of Introduction
Modes of Introduction
Programmers may try to index from a pointer by adding a number of bytes. This is incorrect because C and C++ implicitly scale the operand by the size of the data type.
Technical Impact: Read memory; Modify memory
Incorrect pointer scaling will often result in buffer overflow conditions. Confidentiality can be compromised if the weakness is in the context of a buffer over-read or under-read.
Likelihood of Exploit
This example attempts to calculate the position of the second byte of the object a pointer points to.
int *p = x;                                /* x is an int array or int pointer defined elsewhere */
char *second_char = (char *)(p + 1);       /* incorrect: the + 1 is scaled by sizeof(int) before the cast */
In this example, second_char is intended to point to the second byte of the int that p points to. But adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-critical write to unauthorized memory, whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little endian
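The following C program is an added example and is not code from the CWE entry. It puts the incorrect computation from the text next to the corrected one, measures how many bytes each actually moves, shows that the incorrect form applied to a lone int already points past the end of that int (an over-read if dereferenced), and reads the second byte in memory order through an unsigned char view. The buffer contents and the byte pattern are constructed sample data; the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Byte distance moved by the pattern from the text, (char *)(p + 1) with an
   int *p. The addition is applied to an int pointer, so the compiler scales
   it by sizeof(int) before the cast takes effect. */
size_t scaled_offset_bytes(void)
{
    int buf[4] = {0, 0, 0, 0};            /* constructed sample object */
    int *p = buf;
    char *second_char = (char *)(p + 1);  /* the incorrect computation */
    return (size_t)(second_char - (char *)p);
}

/* Byte distance when the cast happens first: (char *)p + 1 is byte
   arithmetic, so the result really is the second byte of *p. */
size_t byte_offset_bytes(void)
{
    int buf[4] = {0, 0, 0, 0};
    int *p = buf;
    char *second_char = (char *)p + 1;    /* the corrected computation */
    return (size_t)(second_char - (char *)p);
}

/* Returns nonzero when the incorrect computation, applied to a pointer to a
   lone int, lands outside that int. The offset equals the object size, so a
   read there would be an over-read. Only addresses are compared here;
   nothing is dereferenced. */
int wrong_pattern_exceeds_single_int(void)
{
    int one = 0;
    int *p = &one;
    size_t offset = (size_t)((char *)(p + 1) - (char *)p);
    return offset >= sizeof(one);
}

/* Correct way to read the second byte of an int in memory order, via an
   unsigned char view. Endianness decides which value lives there, which is
   why the text flags little-endian hosts as a separate concern. */
unsigned char second_byte_of(const int *p)
{
    const unsigned char *bytes = (const unsigned char *)p;
    return bytes[1];
}

/* Builds an int from a constructed byte pattern so the memory order is known
   regardless of host endianness, then reads byte 1 through second_byte_of. */
unsigned char second_byte_of_constructed_int(void)
{
    unsigned char raw[sizeof(int)];
    int v;
    size_t i;
    for (i = 0; i < sizeof raw; i++)
        raw[i] = (unsigned char)(0xA0 + i);   /* A0 A1 A2 ... in memory order */
    memcpy(&v, raw, sizeof v);
    return second_byte_of(&v);               /* 0xA1 on any host */
}

int main(void)
{
    printf("(char *)(p + 1) moves %zu byte(s); (char *)p + 1 moves %zu byte(s)\n",
           scaled_offset_bytes(), byte_offset_bytes());
    printf("wrong pattern on a single int is out of bounds: %s\n",
           wrong_pattern_exceeds_single_int() ? "yes" : "no");
    printf("second byte of constructed int: 0x%02X\n",
           second_byte_of_constructed_int());
    return 0;
}
```

The general rule the example illustrates: convert to a byte pointer (unsigned char * or char *) before adding a byte count, or index a byte array, and never add a byte count to a pointer of a wider type and cast afterwards.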
Phase: Architecture and Design
Use a platform with high-level memory abstractions.
Always use array indexing instead of direct pointer
A weakness where a code path has a statement that performs a pointer arithmetic operation on a pointer to datatype1 and casts the result of the operation to a pointer type to datatype2, where datatype2 has a different length than datatype1 and datatype1 has a different length than a
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 6, "Pointer Arithmetic", Page 277. 1st Edition. Addison Wesley. 2006.