BF Specification of CVE-2014-0160

Missing verification of 'payload' length towards a upper limit leads to use of an inconsistent size for an object, allowing a pointer reposition over its bounds, which, when used in 'memcpy()' leads to a heap buffer over-read. If exploited, this can lead to exposure of sensitive information – confidentiality loss.



Bug ReportCode with BugCode with FixNVD Entry
DVRData are verified (semantics check) or corrected (assign, remove) improperly.
MADThe pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MUSAn object is initialized, read, written, or cleared improperly.
VerifyCheck data semantics (proper value/meaning) in order to accept (and possibly correct) or reject it.
RepositionChange the pointer to another position inside its object.
ReadUse the value of an object data.
Code Defect BugThe operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Missing CodeThe entire operation implementation or a part of its specification is absent.
Data Error/FaultThe object data has harmed semantics or inconsistent or wrong value
   Inconsistent ValueData value does not correspond to the value of a related data (e.g., inconstancy between the value of a size variable and the actual buffer size).
   Wrong SizeThe value used as size does not match the actual size of the object.
Address Error/FaultThe object address in use is wrong.
   Over Bounds PointerPoints above the upper boundary of its object.
Memory Corruption/Disclosure Final ErrorAn exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer Over-ReadReads above the upper bound of an object.
Operation AttributeDefinition
MechanismShows how the buggy/faulty operation code is performed.
   RangeChecking data are within a (min, max) interval.
   SequentialThe operation is performed after iterating over the object elements.
Source CodeShows where the buggy/faulty operation code is in the program -- in what kind of software.
   Third-PartyThe operation is in a third-party software.
Execution SpaceShows where the buggy/faulty operation code is running or with what privilege level).
   LocalThe bugged code runs in an environment with access control policy with limited (local user) permission.
   UserlandThe bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
Operand AttributeDefinition
Data StateShows where the data come from.
   TransferredThe data are from another device via a network (e.g., connecting analog device or another computer).
Address StateShows where the address is in the memory layout.
   HeapThe object is a dynamically allocated data structure (e.g., via malloc() and new).
Size KindShows what the limit for traversal of the object is.
   UsedA supplied size for an object.