In "Re: IE ActiveX 0day?" to Bugtraq on September 18, Alexander Sotirov asked:

> What is your definition of memory corruption? How can a buffer
> overflow not be a memory corruption error?

The term "buffer overflow" continues to be too general for the variety of issues out there. Array index/offset errors, buffer "underflows," out-of-bounds reads, frees of invalid pointers, length field inconsistencies, off-by-ones, insufficient memory allocation that is resultant from integer overflows, other kinds of incorrect size calculations, and other problems all involve memory access outside of expected boundaries, so they are called "buffer overflows." But they are different from the "classic" overflows that strcpy() is known for. And the term is interchangeably used for attacks, results/impacts, and programming bugs.

Terminology has not evolved to cope with all the variety, so "memory corruption" is acting as a placeholder in some cases.

I have some preliminary thoughts on how to do more precise classification, but they're not ready for prime time, so people can contact me privately if they're interested.

- Steve
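The following C is an added illustration, not code from Steve's post or from the Bugtraq thread. It puts four of the bug classes he lists next to each other so the difference from the classic strcpy() overflow is visible: a length field that is inconsistent with the buffer (an out-of-bounds read, with no write at all), an integer overflow in a size calculation that leads to an undersized allocation, an off-by-one in a copy loop, and an untrusted array index. Each unchecked form is paired with the check that rules it out. All inputs are constructed for the example; the TLV format, NAME_MAX_LEN and the function names are assumptions made here, not something from the original message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: bug classes beside the check that rules each one out.
 * TLV layout, NAME_MAX_LEN and the function names are assumptions. */

/* 1. Length-field inconsistency / out-of-bounds read.
 * A record is [type][len][len bytes of value]. */
typedef struct { uint8_t type; uint8_t len; const uint8_t *val; } tlv_t;

/* Unchecked: trusts the length byte, so val..val+len can run past buf. */
int tlv_parse_unchecked(const uint8_t *buf, size_t buflen, tlv_t *out) {
    if (buflen < 2) return -1;
    out->type = buf[0];
    out->len  = buf[1];
    out->val  = buf + 2;            /* no check that 2 + len <= buflen */
    return 0;
}

/* Checked: rejects a declared length larger than the bytes that remain. */
int tlv_parse(const uint8_t *buf, size_t buflen, tlv_t *out) {
    if (buflen < 2) return -1;
    if ((size_t)buf[1] > buflen - 2) return -2;  /* length field inconsistent */
    out->type = buf[0];
    out->len  = buf[1];
    out->val  = buf + 2;
    return 0;
}

/* 2. Integer overflow -> insufficient allocation.
 * count * elem wraps around, malloc() succeeds with a tiny block, and the
 * later element writes overflow it. */
int alloc_would_overflow(size_t count, size_t elem) {
    return elem != 0 && count > SIZE_MAX / elem;
}

void *alloc_array_unchecked(size_t count, size_t elem) {
    return malloc(count * elem);    /* product may have wrapped */
}

void *alloc_array(size_t count, size_t elem) {
    if (alloc_would_overflow(count, elem)) return NULL;
    return malloc(count * elem);
}

/* 3. Off-by-one: the bound allows n == NAME_MAX_LEN, so the terminating
 * NUL lands one byte past the end of dst. */
#define NAME_MAX_LEN 8

int copy_name_off_by_one(char dst[NAME_MAX_LEN], const char *src) {
    size_t n = strlen(src);
    if (n > NAME_MAX_LEN) return -1;   /* should be >= */
    memcpy(dst, src, n);
    dst[n] = '\0';                     /* writes dst[8] when n == 8 */
    return 0;
}

int copy_name(char dst[NAME_MAX_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_MAX_LEN) return -1;  /* leave room for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* 4. Array index error: a signed index from untrusted input can be
 * negative or past the end; both are rejected before the access. */
int table_get(const int *table, size_t nelem, long idx, int *out) {
    if (idx < 0 || (size_t)idx >= nelem) return -1;
    *out = table[idx];
    return 0;
}

int main(void) {
    /* Constructed record: type 1 claims 5 value bytes but only 2 follow. */
    const uint8_t bad[] = { 0x01, 0x05, 0xaa, 0xbb };
    tlv_t t;
    printf("tlv_parse(short record) = %d\n", tlv_parse(bad, sizeof bad, &t));
    printf("alloc_would_overflow(SIZE_MAX/2+1, 4) = %d\n",
           alloc_would_overflow(SIZE_MAX / 2 + 1, 4));
    char name[NAME_MAX_LEN];
    printf("copy_name(8 chars) = %d\n", copy_name(name, "abcdefgh"));
    const int table[3] = { 10, 20, 30 };
    int v;
    printf("table_get(idx -1) = %d\n", table_get(table, 3, -1, &v));
    return 0;
}
```

Nothing here is a heap or stack smash in the strcpy() sense: the first case never writes at all, the second is arithmetic that happens before any buffer exists, and the third writes exactly one byte too far. That is the point of the post: the same "out of bounds" outcome arises from bugs that look nothing alike in code, which is why one label for all of them does not help much when classifying.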