Weakness reference
CWE-1284

Improper Validation of Specified Quantity in Input


01 Summary

This weakness occurs when software accepts a quantity value—such as a file size, array index, buffer length, or count—without properly checking whether it is safe to use. An attacker can supply an unexpectedly large, negative, or zero value to trigger memory corruption, denial of service, or logic errors. The flaw is common in code that trusts user-supplied dimensions without bounds checking.

02 How It Happens

Applications often receive numeric inputs that describe the scope or extent of an operation: how many bytes to read, which array element to access, how much memory to allocate, or how many records to process. If the code does not validate these quantities before using them—checking for negative values, zero, overflow conditions, or bounds relative to available resources—an attacker can supply malicious values. The software may then attempt an unsafe operation: allocating negative memory (wrapping to a huge positive value), reading past buffer boundaries, or entering infinite loops.

03 Real-World Impact

Improper quantity validation can lead to buffer overflows, heap corruption, denial of service, or information disclosure. For example, a negative size passed to a memory allocation function may wrap to an extremely large value, exhausting system memory. An out-of-bounds array index can read or write sensitive data. In web applications, accepting an unchecked "limit" parameter in a database query can cause resource exhaustion or timeout attacks.
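The unchecked "limit" case from the paragraph above, as an added example that is not part of this reference page. It uses an in-memory SQLite table with constructed rows, an assumed allowlist of page sizes (10, 25, 50) and an assumed maximum offset. Both query functions bind parameters, so SQL injection is ruled out on purpose: what remains is the quantity flaw itself. SQLite treats a negative LIMIT as "no limit", so a request with limit=-1 returns the whole table from the unchecked version; the checked version converts the string strictly and enforces the allowlist before the value reaches the query.

```python
import re
import sqlite3

# Allowlist of page sizes the API accepts (assumed policy, not from the page).
ALLOWED_PAGE_SIZES = (10, 25, 50)
# Upper bound on OFFSET so one request cannot force a scan of a huge table.
MAX_OFFSET = 100_000
ROW_COUNT = 200  # size of the constructed sample table


def build_sample_db():
    """Create an in-memory table with constructed rows (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [(f"item-{i}",) for i in range(ROW_COUNT)])
    return conn


def fetch_page_unchecked(conn, limit_param):
    """Vulnerable: the raw 'limit' query parameter goes straight into LIMIT.

    Parameter binding prevents injection but does nothing about the quantity:
    SQLite reads a negative LIMIT as 'no limit', and a huge value has the same
    effect, so a single request can pull every row.
    """
    return conn.execute(
        "SELECT id, name FROM items LIMIT ?", (int(limit_param),)
    ).fetchall()


def parse_unsigned_int(value, name, maximum):
    """Strictly convert a query-string value: ASCII digits only, then bounds-check.

    Query parameters arrive as strings, so '-1', '1e9', ' 25' and '' are all
    rejected here instead of being coerced by int().
    """
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,12}", value):
        raise ValueError(f"{name} must be an unsigned integer")
    number = int(value)
    if number > maximum:
        raise ValueError(f"{name} exceeds maximum {maximum}")
    return number


def fetch_page_checked(conn, limit_param, offset_param="0"):
    """Fixed: limit must be an allowlisted page size, offset a bounded non-negative int."""
    limit = parse_unsigned_int(limit_param, "limit", max(ALLOWED_PAGE_SIZES))
    if limit not in ALLOWED_PAGE_SIZES:
        raise ValueError(f"limit must be one of {ALLOWED_PAGE_SIZES}")
    offset = parse_unsigned_int(offset_param, "offset", MAX_OFFSET)
    return conn.execute(
        "SELECT id, name FROM items LIMIT ? OFFSET ?", (limit, offset)
    ).fetchall()


def accepts(conn, limit_param, offset_param="0"):
    """Boundary-test helper: True when the checked endpoint accepts the parameters."""
    try:
        fetch_page_checked(conn, limit_param, offset_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = build_sample_db()
    print("unchecked limit=-1 returned", len(fetch_page_unchecked(db, "-1")), "rows")
    print("checked limit=25 returned", len(fetch_page_checked(db, "25")), "rows")
    print("checked limit=-1 accepted:", accepts(db, "-1"))
```

The allowlist is the stronger control here: a numeric range would still let a client ask for 49 rows, while a fixed set of page sizes makes every legitimate request look the same and makes anything else an immediate error.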

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import io

def read_user_data(file_obj, size_from_input):
    # size_from_input comes from user input (e.g., query parameter)
    data = file_obj.read(size_from_input)
    return data

# Attacker supplies size_from_input = -1 or 999999999
# read() with -1 reads entire file; huge positive value exhausts memory

Why it's vulnerable:
The function does not validate that size_from_input is a reasonable, non-negative value before passing it to read(). Negative or extremely large values can cause unexpected behavior or resource exhaustion.

Fixed pattern
import io

def read_user_data(file_obj, size_from_input, max_size=1024*1024):
    # Validate quantity: must be an int (not bool, which is an int subclass),
    # positive, and within bounds
    if isinstance(size_from_input, bool) or not isinstance(size_from_input, int):
        raise ValueError("Size must be an integer")
    if size_from_input <= 0:
        raise ValueError("Size must be a positive integer")
    if size_from_input > max_size:
        raise ValueError(f"Size exceeds maximum allowed: {max_size}")

    data = file_obj.read(size_from_input)
    return data

Vulnerable pattern
<?php
function process_records($count_from_input) {
    // $count_from_input comes from $_GET or $_POST
    $records = array();
    for ($i = 0; $i < $count_from_input; $i++) {
        $records[] = fetch_record($i);
    }
    return $records;
}

// Attacker supplies count_from_input = -1 or 2147483647
// Loop may not execute, execute forever, or cause memory exhaustion
?>

Why it's vulnerable:
The loop counter is not validated. Negative values may cause unexpected loop behavior; extremely large values can exhaust memory or CPU.

Fixed pattern
<?php
function process_records($count_from_input, $max_count = 1000) {
    // Validate quantity: must be a positive integer within bounds.
    // FILTER_VALIDATE_INT rejects non-integer strings ("12abc", "1e3") instead
    // of silently coercing them the way intval() would.
    $count = filter_var($count_from_input, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => $max_count)));
    if ($count === false) {
        throw new Exception("Invalid count: must be between 1 and $max_count");
    }

    $records = array();
    for ($i = 0; $i < $count; $i++) {
        $records[] = fetch_record($i);
    }
    return $records;
}
?>

05 Prevention Checklist

Define acceptable ranges:
For every quantity input, specify the minimum, the maximum, and whether zero or negative values are allowed.
Validate before use:
Check type (integer, not string), sign (non-negative if required), and bounds (less than or equal to a safe maximum) before passing to memory allocation, loops, or array access.
Use allowlists for critical quantities:
If only specific values are valid (e.g., page sizes of 10, 25, or 50), reject anything else.
Test boundary conditions:
Verify behavior with zero, negative values, and values at or beyond the stated maximum.
Reject invalid input early:
Fail fast with a clear error rather than attempting to sanitize or coerce unexpected values.
Document assumptions:
Clearly comment the expected range and units for each quantity parameter in your code.

06 Signs You May Already Be Affected

Monitor application logs for repeated requests with unusually large or negative numeric parameters, or for crashes/timeouts correlated with specific input values. Check for unexpected memory usage spikes or CPU exhaustion during normal operation. If your application processes user-supplied counts, sizes, or indices without explicit validation, audit those code paths immediately.
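The log check described above, as an added example that is not part of this reference page. It scans constructed combined-format access-log lines (not real traffic) for an assumed set of quantity parameter names, flags values that are negative, non-numeric or above an assumed ceiling of 10,000, records whether the same request produced a 5xx response, and lists clients that triggered repeated findings.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/items?limit=25&offset=0 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/items?limit=-1 HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/export?size=999999999 HTTP/1.1" 504 0
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /api/items?limit=50&offset=2147483647 HTTP/1.1" 200 64
"""

# Parameter names that carry a quantity in this (assumed) API, and the largest
# value any legitimate client would send for them.
QUANTITY_PARAMS = {"limit", "offset", "size", "count", "length"}
MAX_REASONABLE = 10_000

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def classify_quantity(value):
    """Return why a quantity value looks abusive, or None if it is unremarkable."""
    if not re.fullmatch(r"-?[0-9]+", value):
        return "non-numeric"
    number = int(value)
    if number < 0:
        return "negative"
    if number > MAX_REASONABLE:
        return "oversized"
    return None


def suspicious_quantities(log_text):
    """Scan log lines for quantity parameters outside the expected range.

    Each finding records the client, the parameter, the reason, and whether
    the request also produced a 5xx, which is the crash/timeout correlation
    worth watching for.
    """
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        query = parse_qs(urlsplit(match["target"]).query, keep_blank_values=True)
        for param, values in query.items():
            if param not in QUANTITY_PARAMS:
                continue
            for value in values:
                reason = classify_quantity(value)
                if reason:
                    findings.append({
                        "ip": match["ip"],
                        "timestamp": match["ts"],
                        "param": param,
                        "value": value,
                        "reason": reason,
                        "server_error": match["status"].startswith("5"),
                    })
    return findings


def repeat_offenders(findings, threshold=2):
    """Clients with at least `threshold` flagged requests, for triage."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = suspicious_quantities(SAMPLE_LOG)
    for hit in hits:
        print(hit["ip"], hit["param"], hit["value"], hit["reason"],
              "5xx" if hit["server_error"] else "")
    print("repeat offenders:", repeat_offenders(hits))
```

A flagged value paired with a 5xx on the same request is the strongest signal: it means the value reached code that did not handle it, so that endpoint's validation is the first thing to audit.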

07 Related Recent Vulnerabilities