Weakness reference
CWE-789

Memory Allocation with Excessive Size Value

This weakness occurs when a program allocates memory based on a size value that comes from untrusted input without proper validation. An attacker can supply an…

01Summary

This weakness occurs when a program allocates memory based on a size value that comes from untrusted input without proper validation. An attacker can supply an extremely large or maliciously crafted size value, causing the application to attempt allocating more memory than available, leading to denial of service, crashes, or in some cases, integer overflow vulnerabilities that enable further exploitation.

02How It Happens

The vulnerability arises when user-controlled input directly influences the amount of memory requested from the operating system. If the application does not validate that the requested size is reasonable—checking against available memory, system limits, or application-specific maximums—an attacker can trigger excessive allocation attempts. In languages like C and C++, integer overflow in size calculations (e.g., size * count) can also wrap around to a small value, causing a buffer to be allocated that is far smaller than the code expects, leading to buffer overflows. Even in managed languages, unbounded allocation requests can exhaust heap memory and crash the process.

03Real-World Impact

Successful exploitation typically results in denial of service: the application crashes or becomes unresponsive when it runs out of memory. In some cases, the system itself may become unstable if the allocation attempt consumes all available RAM. Integer overflow scenarios can be more severe, potentially allowing an attacker to bypass size checks and trigger heap corruption or code execution. Even without overflow, repeated large allocations can degrade performance across the entire system.

04Vulnerable & Fixed Patterns

Vulnerable pattern
import io

def process_file_upload(file_size_header):
    # file_size_header comes from untrusted HTTP header
    buffer_size = int(file_size_header)
    data_buffer = bytearray(buffer_size)
    return data_buffer

Why it's vulnerable:
The function directly converts untrusted input to an allocation size with no upper bound check. An attacker can send a header claiming a file size of several gigabytes, exhausting available memory.

Fixed pattern
import io

MAX_UPLOAD_SIZE = 100 * 1024 * 1024  # 100 MB limit

def process_file_upload(file_size_header):
    try:
        buffer_size = int(file_size_header)
    except ValueError:
        raise ValueError("Invalid file size")
    
    if buffer_size <= 0 or buffer_size > MAX_UPLOAD_SIZE:
        raise ValueError("File size exceeds maximum allowed")
    
    data_buffer = bytearray(buffer_size)
    return data_buffer
Vulnerable pattern
<?php
function allocate_buffer($user_count) {
    // $user_count comes from $_GET or $_POST
    $item_size = 1024;
    $total_size = $user_count * $item_size;
    $buffer = str_repeat("\x00", $total_size);
    return $buffer;
}
?>

Why it's vulnerable:
The multiplication $user_count * $item_size is not validated. An attacker can supply a very large $user_count, causing str_repeat() to attempt allocating gigabytes of memory, or triggering an integer overflow if the result exceeds PHP's limits.

Fixed pattern
<?php
define('MAX_ITEMS', 10000);
define('ITEM_SIZE', 1024);
define('MAX_BUFFER_SIZE', 10 * 1024 * 1024); // 10 MB

function allocate_buffer($user_count) {
    $user_count = intval($user_count);
    
    if ($user_count <= 0 || $user_count > MAX_ITEMS) {
        throw new Exception("Invalid item count");
    }
    
    $total_size = $user_count * ITEM_SIZE;
    if ($total_size > MAX_BUFFER_SIZE) {
        throw new Exception("Requested size exceeds limit");
    }
    
    $buffer = str_repeat("\x00", $total_size);
    return $buffer;
}
?>

05Prevention Checklist

Define and enforce a maximum allocation size appropriate to your application's use case (e.g., max file upload size, max array length).
Validate all size parameters before use: check that they are positive integers and do not exceed your limit.
Be aware of integer overflow in multiplication or addition of size values; use safe arithmetic or check for overflow before allocating.
Use language-level protections where available (e.g., PHP's memory_limit directive, Python's resource limits).
Log and alert on allocation requests that approach or exceed your limits, as they may indicate an attack.
Test your application with edge cases: zero, negative, and very large size values.

06Signs You May Already Be Affected

Monitor system logs and application error logs for out-of-memory (OOM) errors or crashes that correlate with specific user requests or input patterns. Unexpected spikes in memory usage following particular API calls or file uploads may indicate an attacker is probing for this vulnerability. If your application has recently experienced unexplained crashes or performance degradation tied to user input, investigate whether size validation is in place.

07Related Recent Vulnerabilities