mutated × unstructured — blows up live on input you didn't expect
Integer Overflow Sizes a Buffer Too Small
A size computed by multiplying or incrementing wraps past the integer max to a tiny value; the allocation looks fine, then an in-range-looking index writes off the end.
01 the recipe
In the wild
compound of ++ / -- & Integer Overflow
CWE-190 Integer Overflow
Index Out of Bounds & Missing Keys (CWE-129)
compound
CWE-680 Integer to Buffer Overflow
CWE-787 OOB Write
example.c
#include <stdint.h> // SIZE_MAX
#include <stdlib.h> // malloc
#include <string.h> // memcpy
// SMELL: the size multiply wraps, so the buffer is far too small.
// (increment/decrement operators x index out of bounds)
size_t n = count * width; // count*width overflows size_t -> tiny n
char *buf = malloc(n); // allocates the wrapped (small) size
for (size_t i = 0; i < count; i++) // walks all count records of width bytes
    memcpy(buf + i * width, src + i * width, width); // runs to the true length -> OOB write
// RIGHT: detect the overflow before allocating.
if (width != 0 && count > SIZE_MAX / width)
    return -1; // refuse the impossible size
char *buf = malloc(count * width); // cannot wrap after the check

Multiplying two attacker-influenced sizes overflows the integer and wraps to a small value (CWE-190); malloc honors the small size, but the copy loop runs to the true count*width and writes past the buffer. That is the named chain CWE-680 'Integer Overflow to Buffer Overflow', ending in an out-of-bounds write (CWE-787). Check count > SIZE_MAX/width (or use a checked multiply) before allocating.
// observed
overflow: malloc(small) then a full-length copy -> heap corruption
right: oversized request rejected; no wrap, no overflow
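The SIZE_MAX / width check from the recipe wrapped in a reusable helper, next to the unchecked multiply it replaces and a copy routine that only allocates what it checked. This is an added example, not the page's own code; the function names and the record/width inputs are assumptions, and the test values are constructed so the product wraps to 0 on both 32- and 64-bit targets.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns 0 and stores count*width in *out, or -1 when the product would
 * not fit in size_t. Same test as the recipe: count > SIZE_MAX / width. */
static int checked_mul_size(size_t count, size_t width, size_t *out)
{
    if (width != 0 && count > SIZE_MAX / width)
        return -1;              /* would wrap: refuse before any allocation */
    *out = count * width;       /* guaranteed not to wrap here */
    return 0;
}

/* What the unchecked multiply actually yields: modular arithmetic, silently.
 * For count = SIZE_MAX/2 + 1 and width = 4 this is 0. */
static size_t wrapped_size(size_t count, size_t width)
{
    return count * width;
}

/* Copies `count` records of `width` bytes from src into a fresh buffer.
 * Returns NULL (without touching src) if the size overflows or malloc
 * fails; otherwise the caller owns the returned buffer. The loop bound is
 * the same checked `count` the allocation was sized from, so every write
 * lands inside buf. */
static unsigned char *copy_records(const unsigned char *src,
                                   size_t count, size_t width)
{
    size_t n;
    if (checked_mul_size(count, width, &n) != 0)
        return NULL;            /* impossible size: stop before malloc */
    unsigned char *buf = malloc(n ? n : 1); /* avoid ambiguous malloc(0) */
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++)
        memcpy(buf + i * width, src + i * width, width);
    return buf;
}
```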
02 weakness catalog
Mapped weaknesses (CWE)
On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.