
SQ14113

Detected Windows executable files that do not implement protection from integer-based memory allocation overflow attacks.

priority | CI/CD status | severity | effort | RL level | RL assessment
         | pass         | medium   | high   | None     | hardening: warning
Reason: outdated toolchain issues

About the issue

Protection from integer-based memory allocation overflow attacks is a vulnerability mitigation inserted by the compiler. It validates the size of every array allocation at run time. The compiler instruments each array allocation made through the programming language keyword 'new' (the new[] form) and checks its parameters: the requested element count is multiplied by the element size, and if that product would exceed the largest value the size type can hold, the allocation is not attempted with the wrapped-around value. Instead the request fails (std::bad_alloc or std::bad_array_new_length for the throwing form, a null pointer for the nothrow form), which terminates execution unless the application handles the failure. Without this check, an attacker who controls the element count can make the multiplication wrap to a small number, so the program receives a buffer far smaller than it believes it has and then overflows it on the heap when it writes the elements. The mitigation therefore turns a silent heap buffer overflow into an allocation failure. It only covers sizes computed by new[] itself: sizes the application computes by hand and passes to malloc, HeapAlloc or similar are not checked, and the application still has to handle allocation failures correctly.
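The check described above, written out by hand as an added example (this is not code from the page or from ReversingLabs): the unchecked size computation a hand-rolled allocator performs is shown beside the checked form that the compiler emits for new[], and the last function exercises the compiler-inserted check on new[] itself. The Record struct, the element count kWrappingCount and all function names are constructed for the illustration; how new[] fails on overflow depends on the toolchain, so that function is where an unmitigated build would differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <new>

// Fixed-size element used throughout; 16 bytes on every mainstream ABI.
struct Record {
    uint64_t id;
    uint64_t value;
};

// Element count constructed so that count * sizeof(Record) wraps to 16:
// SIZE_MAX / 16 + 2 is 2^60 + 1 on 64-bit (2^28 + 1 on 32-bit), and
// multiplying by 16 overflows to exactly 16 in both cases.
const size_t kWrappingCount = (SIZE_MAX / sizeof(Record)) + 2;

// Unchecked size computation: what hand-rolled allocation code does, and what
// new[] did before the mitigation existed. Wraps silently on overflow.
size_t unchecked_bytes(size_t count, size_t elem_size) {
    return count * elem_size;
}

// Checked size computation: the logic the compiler now emits for new T[count].
// Returns false instead of producing a wrapped size.
bool checked_bytes(size_t count, size_t elem_size, size_t* out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return false;  // count * elem_size would exceed SIZE_MAX
    }
    *out = count * elem_size;
    return true;
}

// Vulnerable pattern: the element count comes from untrusted input and the byte
// size is computed without a check. Returns the byte count that would be handed
// to malloc; a caller that then writes `count` Records into a buffer of that
// size overflows the heap, which is why the write itself is not performed here.
size_t vulnerable_request_bytes(size_t count) {
    return unchecked_bytes(count, sizeof(Record));
}

// Hardened pattern: the same allocation, refused when the size would wrap.
// Returns true if the allocation was performed (and released again).
bool hardened_alloc_ok(size_t count) {
    size_t bytes = 0;
    if (!checked_bytes(count, sizeof(Record), &bytes)) {
        return false;
    }
    Record* p = static_cast<Record*>(std::malloc(bytes));
    if (p == nullptr) {
        return false;
    }
    std::free(p);
    return true;
}

// The compiler-inserted check itself: new Record[count] with an overflowing
// count must fail (std::bad_array_new_length derives from std::bad_alloc)
// rather than hand back an undersized 16-byte buffer.
bool new_array_rejects_overflow(size_t count) {
    try {
        Record* p = new Record[count];
        delete[] p;
        return false;  // allocation succeeded: this toolchain has no check
    } catch (const std::bad_alloc&) {
        return true;
    }
}

int main() {
    std::printf("count=%zu sizeof(Record)=%zu\n", kWrappingCount, sizeof(Record));
    std::printf("unchecked bytes requested: %zu\n", vulnerable_request_bytes(kWrappingCount));
    std::printf("hardened allocation performed: %d\n", hardened_alloc_ok(kWrappingCount));
    std::printf("new[] rejected the overflow: %d\n", new_array_rejects_overflow(kWrappingCount));
    return 0;
}
```

The unchecked path asks malloc for 16 bytes, so the allocation succeeds and the bug only shows up later as a heap overflow; the checked path and new[] refuse the request up front, which is the behaviour this policy looks for in the compiled binary.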

How to resolve the issue

  • Microsoft Visual Studio users get this mitigation without any configuration by updating to a newer compiler version (the new[] size check has been part of Visual C++ since Visual Studio 2005). Updating the compiler also makes additional vulnerability mitigation options available.

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total number of packages analyzed:

  • RubyGems: 174K
  • NuGet: 189K
  • PyPI: 403K
  • NPM: 2.1M