ABV.UNICODE.BOUND_MAP

Buffer overflow-array index out of bounds in mapping function

ABV.UNICODE.BOUND_MAP checks for buffer overrun conditions caused in MultiByteToWideChar and WideCharToMultiByte mapping functions. Typically, the checker detects a condition when WideCharToMultiByte checks buffer boundaries incorrectly and the buffer overflows.

For more information on the operation of the MultiByteToWideChar and WideCharToMultiByte mapping functions, see the MSDN website.

Vulnerability and risk

Using these mapping functions incorrectly can compromise the security of an application by causing a buffer overflow. It's particularly easy to cause a buffer overflow with MultiByteToWideChar because the size of the input buffer is the number of bytes in the string, and the size of the output buffer is the number of characters. (The opposite is true in the WideCharToMultiByte function.) To avoid this potential condition, it's important to specify a buffer size that is appropriate for the data type the buffer receives.

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
12
  #include "stdafx.h"
  #include <string.h>
  #include <iostream>
  
  using namespace std;
  
  void convert(WCHAR *wcsPath)
  {
      char cpszPath[5] ="";
      WideCharToMultiByte(CP_ACP, 0, wcsPath, -1, cpszPath, 260, 0, 0);
      cout << cpszPath << endl;
  }

Klocwork produces a buffer overflow report for line 10, indicating that function WideCharToMultiByte may incorrectly check buffer boundaries and overflow buffer 'cpszPath' with size (260). In this case, the function WideCharToMultiByte causes a buffer overflow through a lack of validation of the input buffer size.

Fixed code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
  #include "stdafx.h"
  #include <string.h>
  #include <iostream>
  
  using namespace std;
  
  
  void convert(WCHAR sText[100]) {
      char szTemp[20];
      int nSize = WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK, sText, -1, szTemp, 0, 0, 0);
      if (nSize > sizeof(szTemp)) 
      {
          return;
      }else
      { 
          WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK, sText, -1, szTemp, nSize , 0, 0); 
      }
      cout << szTemp << endl;
  }

When the size of the target buffer is zero in the fixed example, the function returns the number of bytes needed for the conversion. The input character size is compared to the size of the buffer before the conversion.

Related checkers

• ABV.GENERAL
• ABV.TAINTED
• ABV.UNICODE.BOUND_MAP
• ABV.UNICODE.FAILED_MAP
• ABV.UNICODE.NNTS_MAP
• ABV.UNICODE.SELF_MAP
• NNTS.MIGHT
• NNTS.MUST
• NNTS.TAINTED
• SV.STRBO.BOUND_COPY.OVERFLOW
• SV.STRBO.BOUND_COPY.UNTERM
• SV.STRBO.BOUND_SPRINTF
• SV.STRBO.UNBOUND_COPY
• SV.STRBO.UNBOUND_SPRINTF

External guidance

• CERT ARR00-C: Understand how arrays work
• CERT ARR30-C: Do not form or use out-of-bounds pointers or array subscripts
• CERT ENV01-C: Do not make assumptions about the size of an environment variable
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-124: Buffer Underwrite ('Buffer Underflow')
• CWE-125: Out-of-bounds Read
• CWE-176: Improper Handling of Unicode Encoding
• CWE-787: Out-of-bounds Write
• CWE-806: Buffer Access Using Size of Source Buffer
• STIG-ID:APP3590.1 Application is vulnerable to buffer overflows

Security training

Application security training materials provided by Secure Code Warrior.

• Buffer Overflow Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.