01 Summary

An out-of-bounds write occurs when a program writes data to a memory location outside the boundaries of an allocated buffer. This can corrupt adjacent memory, crash the application, or in severe cases allow an attacker to execute arbitrary code. It is one of the most dangerous memory safety issues and commonly appears in C/C++ codebases that manage memory manually and have no runtime bounds checking.

02 How It Happens

Out-of-bounds writes typically result from missing or incorrect bounds checking before writing to a buffer. Common causes include:

- Fixed-size buffers without length validation: a function copies user input into a fixed-size array without verifying the input length first.
- Off-by-one errors: loop conditions or pointer arithmetic miscalculate the valid range, writing one byte (or one element) past the intended boundary.
- Integer overflow in size calculations: a calculation meant to determine the required buffer size wraps around, resulting in a smaller-than-expected allocation that the later copy overruns.
- Unsafe string functions: functions like strcpy() or sprintf() that do not enforce length limits.
- Pointer arithmetic mistakes: manual pointer manipulation that fails to account for buffer boundaries.

When data is written beyond the buffer's end, it overwrites adjacent memory—which may contain other variables, function pointers, return addresses, or heap metadata. This corruption can cause unpredictable behavior, denial of service, or controlled code execution.

03 Real-World Impact

Out-of-bounds writes are critical vulnerabilities. An attacker who can control the data written past a buffer boundary may overwrite function pointers or return addresses, redirecting program execution to malicious code. Even without code execution, memory corruption can leak sensitive data or crash services, resulting in denial of service. These bugs have been the root cause of major security incidents across operating systems, browsers, and widely deployed libraries.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
def process_user_data(user_input):
    buffer = [0] * 10
    for i in range(len(user_input)):
        buffer[i] = ord(user_input[i])
    return buffer

Why it's vulnerable:
The loop never checks len(user_input) against the size of buffer. Python lists are bounds-checked, so when user_input is longer than 10 characters the assignment at i == 10 raises IndexError rather than touching memory outside the list: the result is a crash (and possibly a traceback shown to the user), not memory corruption. The snippet illustrates the missing length check; the same loop over a raw buffer in C silently writes past the end of the buffer.

Fixed pattern
def process_user_data(user_input, max_length=10):
    buffer = [0] * max_length
    for i in range(min(len(user_input), max_length)):
        buffer[i] = ord(user_input[i])
    return buffer

Vulnerable pattern
function copy_to_buffer($user_input) {
    $buffer = array_fill(0, 10, 0);
    for ($i = 0; $i < strlen($user_input); $i++) {
        $buffer[$i] = ord($user_input[$i]);
    }
    return $buffer;
}

Why it's vulnerable:
The loop never checks strlen($user_input) against the 10 elements created by array_fill(). PHP arrays are ordered hash maps rather than fixed-size buffers, so when $user_input exceeds 10 characters the assignments at $i >= 10 do not corrupt memory: they append new keys and the array silently grows beyond the intended size, so callers that assume exactly 10 elements misbehave and very large input consumes unbounded memory. The pattern illustrates the missing length check; over a native buffer in C the same loop writes past the end.

Fixed pattern
function copy_to_buffer($user_input, $max_length = 10) {
    $buffer = array_fill(0, $max_length, 0);
    $input_length = min(strlen($user_input), $max_length);
    for ($i = 0; $i < $input_length; $i++) {
        $buffer[$i] = ord($user_input[$i]);
    }
    return $buffer;
}
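The causes listed under How It Happens and the vulnerable/fixed pair above are shown here in C, where a missing length check really does write past the buffer (the Python and PHP versions are bounds-checked or simply grow the array). This is an added example, not code from the original page: the functions copy_unchecked, copy_checked, copy_string_bounded, size_would_wrap and alloc_array_checked, and the 16-byte sample input, are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 10

/* Vulnerable pattern: the fixed-size buffer is filled with no length
 * validation. Once i reaches BUF_SIZE the write lands on whatever follows
 * the buffer (other locals, a saved return address, heap metadata). That is
 * undefined behaviour, so this function is only called with in-bounds
 * input below. */
size_t copy_unchecked(unsigned char buffer[BUF_SIZE],
                      const unsigned char *src, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        buffer[i] = src[i];          /* no check that i < BUF_SIZE */
    }
    return len;
}

/* Fixed pattern: validate the length before writing and reject input that
 * does not fit (rejecting is safer than silently truncating, which can
 * change the meaning of the data). Returns bytes copied, or -1 if rejected. */
int copy_checked(unsigned char buffer[BUF_SIZE],
                 const unsigned char *src, size_t len)
{
    if (len > BUF_SIZE) {
        return -1;
    }
    memcpy(buffer, src, len);
    return (int)len;
}

/* Unsafe string function / off-by-one: strncpy(dst, src, n) leaves dst
 * unterminated when strlen(src) >= n, so a later strlen() or printf("%s")
 * reads past the buffer. Copy at most dst_size - 1 bytes and always write
 * the terminator inside the buffer. Returns the number of bytes copied
 * (excluding the NUL); a result smaller than strlen(src) means truncation. */
size_t copy_string_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) {
        return 0;                    /* nowhere to put even the terminator */
    }
    size_t src_len = strlen(src);
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Integer overflow in size calculations: count * elem_size can wrap to a
 * small value, so malloc() returns a buffer smaller than the loop that fills
 * it expects. Returns true when the product would not fit in size_t. */
bool size_would_wrap(size_t count, size_t elem_size)
{
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Allocation that refuses a wrapping size instead of returning a short
 * buffer. Returns NULL on overflow or allocation failure. */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    if (size_would_wrap(count, elem_size)) {
        return NULL;
    }
    return malloc(count * elem_size);
}

int main(void)
{
    /* Constructed sample inputs (not taken from any real program). */
    const unsigned char oversized[] = "AAAAAAAAAAAAAAAA";   /* 16 bytes */
    const unsigned char small[] = "abcd";                     /* 4 bytes  */
    unsigned char buffer[BUF_SIZE] = {0};

    /* In-bounds input is fine even for the unchecked version. */
    printf("copy_unchecked(4 bytes) copied %zu\n",
           copy_unchecked(buffer, small, sizeof small - 1));

    /* The checked version refuses the 16-byte input instead of overflowing. */
    printf("copy_checked(16 bytes) -> %d (negative = rejected)\n",
           copy_checked(buffer, oversized, sizeof oversized - 1));

    char name[8];
    size_t n = copy_string_bounded(name, sizeof name, "longer-than-eight");
    printf("copy_string_bounded -> \"%s\" (%zu of %zu bytes)\n",
           name, n, strlen("longer-than-eight"));

    printf("size_would_wrap(SIZE_MAX/2+1, 4) = %d\n",
           size_would_wrap(SIZE_MAX / 2 + 1, 4));
    void *p = alloc_array_checked(1000, sizeof(uint32_t));
    printf("alloc_array_checked(1000, 4) %s\n", p ? "ok" : "failed");
    free(p);
    return 0;
}
```

Compiling with -fsanitize=address (gcc or clang) and calling copy_unchecked with the 16-byte input makes the bug visible immediately: AddressSanitizer aborts with a stack-buffer-overflow report at the first out-of-bounds store, which is the kind of runtime check the prevention checklist refers to.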

05 Prevention Checklist

- Always validate input length before copying or writing to a fixed-size buffer; reject or truncate oversized input, and make sure callers can tell which happened.
- Use safe string functions that enforce length limits (e.g., strncpy() instead of strcpy(), snprintf() instead of sprintf()). Note that strncpy() does not NUL-terminate the destination when the source is at least as long as the limit, so terminate explicitly, and that snprintf() returns the length it would have written, so check the return value for truncation.
- Prefer dynamic allocation or language-level collections (vectors, lists, arrays with bounds checking) over manual fixed-size buffers.
- Check for integer overflow in size calculations; ensure computed buffer sizes cannot wrap around to a smaller value before they reach malloc() or a copy loop.
- Enable compiler warnings and runtime checks (e.g., AddressSanitizer, stack canaries via -fstack-protector) during development and testing.
- Perform code review focusing on loops, pointer arithmetic, and any manual memory operations.

06 Signs You May Already Be Affected

Look for unexpected application crashes, segmentation faults, or memory access violations in logs. If you observe memory corruption errors, heap corruption warnings, or stack smashing detection alerts, an out-of-bounds write may be occurring. Unusual behavior in adjacent data structures or unexplained changes to function behavior can also indicate memory corruption.

07 Related Recent Vulnerabilities