This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Improper pointer subtraction

Revision as of 15:20, 30 July 2016 by Johanna Curiel (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This page contains out-of-date content. Please help OWASP to FixME.
Last revision (yyyy-mm-dd): 2017-07-31
Comment: The page should be review updated.It requires better explanation


The subtraction of one pointer from another in order to determine size is dependant on the assumption that both pointers exist in the same memory chunk.


  • Authorization: There is the potential for arbitrary code execution with privileges of the vulnerable program.

Exposure period

  • Pre-design through Build: The use of tools to prevent these errors should be used.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.


  • Languages: C/C++/C#
  • Operating Platforms: Any

Required resources




Likelihood of exploit


Avoidance and mitigation

  • Pre-design through Build: Most static analysis programs should be able to catch these errors.
  • Implementation: Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Use this variable "walk" from one pointer to the other and calculate the difference. Always sanity check this number.

Related problems