CWE-125 Out-of-bounds Read
What this means
SiteShadow flagged code that may read before the start or past the end of a buffer or array, typically because an index, offset, or length is used without being checked against the object's actual size.
Why it matters
Out-of-bounds reads can leak data or crash processes. In memory-unsafe languages the read silently returns whatever is adjacent in memory; in managed languages it usually raises an exception that, if unhandled, takes the process down.
- Data leakage: adjacent memory can include secrets, keys, pointers, or other users' data, and an attacker who controls the length or offset can often choose how much of it to read.
- Crashes/DoS: the read hits unmapped memory (segmentation fault) or triggers an unhandled bounds exception.
Safer examples
1) Use bounds-checked access
Prefer APIs that check bounds for you (for example `at()` on C++ containers, or checked get/slice operations in managed languages), and validate every index and length against the object's real size before using it.
2) Validate parsing lengths and offsets
Reject malformed inputs before using their offsets or lengths to slice buffers: check that the claimed length fits within the bytes actually received, and write the comparison so it cannot wrap (compare the length against the remaining bytes rather than adding offset and length in a fixed-width integer and comparing the sum).
3) Use fuzzing/sanitizers for native code
Build native code with AddressSanitizer (`-fsanitize=address`) and drive it with a fuzzer; ASan turns a silent over-read into an immediate, reproducible crash report, so the bug is found before it reaches production.
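The following is an added example illustrating points 1 to 3 above; it is not SiteShadow's own code and not taken from any real project. It assumes a hypothetical wire format (one length byte followed by that many payload bytes) and shows a parser that trusts the embedded length beside a hardened version that validates it, plus a libFuzzer entry point so the hardened parser can be exercised under ASan.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format used only for this example: one length byte,
 * followed by that many payload bytes. */
#define MAX_PAYLOAD 255

/* Vulnerable parser: trusts the embedded length and reads `len` bytes from
 * `in` regardless of how many bytes (`in_len`) were actually received.
 * When len > in_len - 1 the memcpy reads past the end of `in` (CWE-125) and
 * copies whatever happens to sit after it in memory into `out`. */
size_t parse_record_unsafe(const uint8_t *in, size_t in_len, uint8_t *out)
{
    if (in_len < 1)
        return 0;
    size_t len = in[0];
    memcpy(out, in + 1, len);   /* no check that len <= in_len - 1 */
    return len;
}

/* Hardened parser: every length derived from the input is checked against
 * the bytes actually available, and against the destination capacity,
 * before it is used to slice the buffer. Malformed input yields 0 and
 * writes nothing. */
size_t parse_record_safe(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap)
{
    if (in == NULL || out == NULL || in_len < 1)
        return 0;
    size_t len = in[0];
    size_t remaining = in_len - 1;  /* bytes after the header; in_len >= 1, so no wrap */
    if (len > remaining)            /* claimed length exceeds the input: reject */
        return 0;
    if (len > out_cap)              /* would overflow the destination: reject */
        return 0;
    memcpy(out, in + 1, len);
    return len;
}

/* libFuzzer target for the hardened parser. Build with
 *   clang -g -O1 -fsanitize=address,fuzzer -DFUZZ this_file.c
 * libFuzzer hands each input over in a heap block of exactly `size` bytes,
 * so if you point this at parse_record_unsafe instead, ASan reports a
 * heap-buffer-overflow READ the first time the fuzzer produces a length
 * byte larger than the remaining input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t out[MAX_PAYLOAD];
    parse_record_safe(data, size, out, sizeof out);
    return 0;
}

#ifndef FUZZ
int main(void)
{
    /* Constructed inputs: a well-formed 3-byte record, and a record whose
     * length byte (12) claims more payload than the 3 bytes that follow. */
    const uint8_t good[] = { 3, 'a', 'b', 'c' };
    const uint8_t bad[]  = { 12, 'a', 'b', 'c' };
    uint8_t out[MAX_PAYLOAD];

    size_t n = parse_record_safe(good, sizeof good, out, sizeof out);
    printf("well-formed: %zu bytes (%.*s)\n", n, (int)n, (const char *)out);

    n = parse_record_safe(bad, sizeof bad, out, sizeof out);
    printf("oversized length: %s\n", n == 0 ? "rejected" : "accepted?!");

    /* parse_record_unsafe on `bad` would memcpy 12 bytes starting at
     * bad + 1, i.e. 9 bytes beyond the end of the array. Not executed here;
     * run it under ASan to see the report. */
    return 0;
}
#endif
```

The check is written as `len > remaining` rather than `1 + len > in_len` on purpose: with a single length byte the sum cannot wrap, but once lengths and offsets are 32- or 64-bit values taken from the input, the addition can overflow and the comparison silently passes, which is exactly the "overflowable arithmetic" pattern a scanner prioritizes.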
How SiteShadow detects it (high level)
- Flags suspicious indexing and slicing patterns and unchecked buffer reads (raw pointer arithmetic, memcpy/read calls whose length is not compared with the source size).
- Prioritizes cases where the index, offset, or length comes from untrusted input, or is computed with arithmetic that can overflow or wrap before it is compared against the buffer size.
References
- CWE-125: https://cwe.mitre.org/data/definitions/125.html
---