BF Specification of CVE-2015-0235

Missing factor (the size of the '*h_alias_ptr') while calculating the 'size_needed' size of a buffer leads to reallocation of not enough memory, allowing a pointer reposition over its bounds, which, when used in 'strcpy()' leads to a heap buffer overflow. If exploited, this can lead to arbitrary code execution.



Bug ReportCode with BugCode with FixNVD Entry
TCMAn arithmetic expression (over numbers, strings, or pointers) is calculated improperly, or a boolean condition is evaluated improperly.
MMNAn object is allocated, deallocated, or resized improperly.
MADThe pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MUSAn object is initialized, read, written, or cleared improperly.
CalculateFind the result of a numeric, pointer, or string operation.
Reallocate-ReduceReserve a new smaller space in memory for an object at a new address, copy part of the object content there, reassign the pointer, and deallocate the previous piece of memory.
RepositionChange the pointer to another position inside its object.
WriteChange the data value of an object to another meaningful value.
Code Defect BugThe operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Erroneous CodeThe operation implementation has a bug.
Data Error/FaultThe object data has harmed semantics or inconsistent or wrong value
   Wrong ResultIncorrect value from type conversion or computation.
   Wrong SizeThe value used as size does not match the actual size of the object.
Size Error/FaultThe object size in use is wrong.
   Not Enough MemoryThe allocated memory is too little for the data it should store.
Address Error/FaultThe object address in use is wrong.
   Over Bounds PointerPoints above the upper boundary of its object.
Memory Corruption/Disclosure Final ErrorAn exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer OverflowWrites above the upper bound of an object -- aka Buffer Over-Write.
Operation AttributeDefinition
MechanismShows how the buggy/faulty operation code is performed.
   OperatorA function with a symbolic name that implements a mathematical, relational or logical operation.
   ExplicitThe operation is performed by a function/method call.
   SequentialThe operation is performed after iterating over the object elements.
Source CodeShows where the buggy/faulty operation code is in the program -- in what kind of software.
   Standard LibraryThe operation is in the standard library for a particular programming language.
Execution SpaceShows where the buggy/faulty operation code is running or with what privilege level).
   LocalThe bugged code runs in an environment with access control policy with limited (local user) permission.
   UserlandThe bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
Operand AttributeDefinition
Name StateShows at what stage the entity name is.
   BoundThe name is linked to a declared (or inferred) data type, a defined object's data, or a called function implementation.
Data KindShows what the data value is.
   NumericA number -- a sequence of digits.
Type KindShows what the data type composition is.
   PrimitiveA scalar data type that mimics the hardware units - e.g., int (long, short, signed), float, double, string, Boolean. A primitive data type is only language defined and is not built from other data types.
Address StateShows where the address is in the memory layout.
   HeapThe object is a dynamically allocated data structure (e.g., via malloc() and new).
Size KindShows what the limit for traversal of the object is.
   UsedA supplied size for an object.