ABV.UNICODE.FAILED_MAP
Buffer overflow-array index out of bounds in failed mapping function
ABV.UNICODE.FAILED_MAP checks for buffer overrun conditions caused in failed MultiByteToWideChar and WideCharToMultiByte mapping functions. Typically, the checker detects a condition when the source and destination pointers are the same, or the pointer to a buffer that receives the converted string is NULL, but the next parameter (buffer size, in characters) is not set to 0.
For more information on the MultiByteToWideChar and WideCharToMultiByte mapping functions, see the MSDN website.
Vulnerability and risk
Using these mapping functions incorrectly can compromise the security of an application by causing a buffer overflow. To avoid this potential condition, it's important to specify a buffer size that is appropriate for the data type the buffer receives.
Vulnerable code example 1
int
foo1 (void *src, int size) {
int res;
res = WideCharToMultiByte(CP_ACP, 0, src, -1, 0, 3, 0, 0);
if (res) return res;
res = WideCharToMultiByte(CP_ACP, 0, src, -1, NULL, size, 0, 0);
if (res) return res;
return WideCharToMultiByte(CP_ACP, 0, src, -1, 0, 0, 0, 0);
Klocwork reports an invalid parameter because the pointer to the buffer that receives the converted string is NULL, but the size in bytes is set to 3 instead of 0 in line 4. In this case, the buffer size parameter doesn't correspond to the converted-string buffer pointer.
Related checkers
External guidance
- CERT ARR00-C: Understand how arrays work
- CERT ARR30-C: Do not form or use out-of-bounds pointers or array subscripts
- CERT ENV01-C: Do not make assumptions about the size of an environment variable
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-124: Buffer Underwrite ('Buffer Underflow')
- CWE-125: Out-of-bounds Read
- CWE-176: Improper Handling of Unicode Encoding
- CWE-787: Out-of-bounds Write
- CWE-806: Buffer Access Using Size of Source Buffer
- STIG-ID:APP3590.1 Application is vulnerable to buffer overflows
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.