Comprehensive Categorization: Memory Safety

The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

The product accesses or uses a pointer that has not been initialized.

The product sets a pointer to a specific address other than NULL or 0.

The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of...

The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds ...

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buf...

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().

The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer ...

Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index ref...

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, l...

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of mem...

The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to al...

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

The product reads data past the end, or before the beginning, of the intended buffer.

The product writes data past the end, or before the beginning, of the intended buffer.

The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.

The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter ...

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer der...

The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing...

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the result...

Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...