What is a buffer overrun?

78 Comments

• And actually, buffer overruns exploited by bad people is only one problem. Allowing a buffer overrun also means just plain bad code can cause buffer overruns as well. I discovered a nasty bug in a C++ Windows Service that could have likely been exposed as a security problem, but ended up appearing as a result of some non-hack related unexpected input. Buffer overruns are not only security issues, but code quality issues even for applicaitons inside the firewall.
  

• "The buffer (pBuff) starts to bleed into nCount and the method foo"
  
  
  
  Say what?! How'd foo() get itself on the stack?
  
  
  
  The example code above is in C. There are three points worth making here:
  
  
  
  First: Last I checked (just now, in the VC++ debugger), the stack grows downward on x86. This means that nCount's address will be LOWER than that of pBuff: Somebody writing "forward" (toward higher addresses) off the end of pBuff won't ever touch nCount. Instead, it'll corrupt memory "lower down" on the stack, in particular the return address for myMethod(). THAT is the vulnerability people get upset about.
  
  
  
  Second: foo() is not on the stack. It's code. If you put its code on the stack right after myMethod()'s locals... wait, where do those locals live on the stack anyway? Why, they live "above" some housekeeping stuff, "below" which live the locals for whoever called it. Where's THAT, you ask? You want an address? Could be anything. You won't know until runtime, because that's how the stack works. a() calls b(), b() calls c(), and maybe this time c() calls d(), or maybe it calls e() because bazfaz happens to be nonzero at the moment -- or whatever. Each one "rents" space on the stack when it's called, and hangs onto that space until it exits, and then that space is used by the next function called. The stack grows and shrinks, and everything on it is written in sand. Putting the code for foo() at some arbitrary point on the stack makes no sense at all. That's not what the stack is for.
  
  
  
  If foo() were calling myMethod(), then you'd have some kind of guaranteed relative relationship between their respective *locals* on the stack at runtime in SOME cases, but foo() itself, its code, would still be somewhere else. In cases where myMethod() was called by somebody other than foo(), of course, that possible occasional relationship between their two stack areas would again be meaningless.
  
  
  
  Proximity in the source code doesn't necessarily tell you anything at all about proximity in memory at runtime. It's usually a hint about the relative position of two things that are on the stack in the same (or nested) scope, but unless my memory has deserted me, the standard guarantees nothing about that. Variable names are an abstraction. That's why they were invented.
  
  
  
  Third: Scribbling on foo() wouldn't EXECUTE foo(), anyway. In fact, it'd pretty well guarantee that foo() will NOT be executed until somebody loads the image again.
  
  
  
  
  
  This buffer overrun, properly exploited, WOULD allow foo() to be executed by the exploit, but not by the mechanism that seems to be implied. It'd be done by writing foo()'s address into the "return address of this call" spot on the stack for the current call to myMethod(). You could just as easly write myMethod()'s own address there, or 0xdeadbeef, or anything you damn well please. foo() gains no special status here just by being close to myMethod() in the source file.
  
  
  
  

• To Yawnsssss - If you want to post a criticism of the info I linked to without the gratuitous abusiveness, I'll be happy to leave it, but I won't put up with people wasting space in my comments on insults, so I deleted your first attempt.
  
  

• How do you fix a buffer overrun? Please use plain english. I'm not a programmer, but I am receiving a message MS Visual C++ runtimelibrary - Buffer overrun detected....
  
  
  
  I can't use anything, IE, Outlook, Excel, etc. Is there a way to fix this?
  

• Marilyn,
  
  
  
  If what you're asking is how an end-user can fix a buffer overrun, the answer is that the only way is by applying the appropriate patch from the vendor of the software in which the buffer overrun is occurring.
  
  
  
  If you're asking about fixing a buffer overrun in code, there are lots of ways to prevent them, from avoiding the use of unsafe string functions, to migrating to managed code, among others.
  
  
  
  I'm not sure what to tell you about your problems with IE, Excel, etc., other than perhaps you might try giving MS support a call.
  
  
  
  

• Aimee,
  
  
  
  The best recommendation I can give is to pick up a copy of the book "Writing Secure Code, 2nd Edition" by Michael Howard (ISBN: 0-7356-1722-8). It's a terrific book, and has extensive coverage of buffer overruns. In fact, an entire chapter (Chapter 5) is devoted to this subject alone. I'm sure that a thorough read of that chapter should provide you with the description you require.
  
  

• Marilyn,
  
  
  
  Hopefully, it was fixed over a week ago, but if not, I had the problem today and traced it to NHUpdater.exe, which was in the NavExcel folder in the ProgramFiles. Navexcel nly contained a folder which only contained a folder which had a file with uninstall as part of the name. Ran that and it cleared things up.
  

• I've read and absorbed the response to Marilyn (and googled Groups) but remain confused. I'm getting Buffer Overun Detected error 100% of time when loading eudora pro 5.2, beginning yesterday after - but not necessarily caused by - installation of Norton AV (upgrade) and Internet Security (new). Had been running Eudora since 1.3.1 without incident, 5.2 since release. Re-installed Eudora: no change. Is the problem likely to be with the Eudora.exe code, with a necessary DLL, or something else? I.e., where can I look to fix it? Here's complete error message: Microsoft Visual C++ Runtime Library, Program c:\Program Files\Qualcomm\Eudora\Eudora.exe,
  
  A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
  
  
  
  Tim
  
  

• Tim,
  
  
  
  You'd have to talk with either Eudora or Norton tech support for assistance troubleshooting your problem, though if it cropped up only after installing/upgrading Norton AV and/or Internet Security, I'd check in with Norton first.
  
  
  
  

• Thanks. Norton blew me off, and Eudora wants me to upgrade before they'll give me any support. (I've been paying for Eudora since they started charging 10+ years ago, but my current version is more than a year old.) I'll give Norton another go. I appreciate the response.
  

• error "Microsoft visual C++ runtime library
  
  buffer overrun detected program c:/progra~1/plus!/micros~1/iexplore.exe
  
  a buffer overrun has been detected which has corrupted the programs internal state, the program cannot safely continue execution and must now be terminated."
  
  
  
  Can you offer any suggestions on how to rectify this. I am not a coder and this is doing my head in. Have read the rest of the inserts and I'm at a loss. sorry.
  
  
  
  Many thanks
  

• Tricia,
  
  
  
  I'd suggest a call to Microsoft Product Support. I really don't have the expertise to help you troubleshoot or diagnose your problem.
  
  

• I have a multithread MFC application. I enconter "chkesp" error when try to Pause one of the thread. Is it related to buffer overrun?
  

• Some ammendment to the previous post.
  
  
  
  When I run the multi-threaded application, after a certain period, this error code automatically pop-up by itself:
  
  
  
  Error!
  
  Program: ***
  
  Module:
  
  FIle:i386\chkesp.c
  
  Line: 42
  
  
  
  The value of ESP was not properly saved across a funciton call. This is
  
  usually a result of calling a function declared with one calling convention
  
  with a funciton pointer declared with a different calling convention.
  
  
  
  (a) Is it caused by buffer overflow?
  
  (b) How do I detect the source of the problem?
  
  (c) Any suggesstion to resolve it?
  
  
  
  Thank you
  

• Rain,
  
  
  
  It doesn't look like your problem has anything to do with a buffer overrun, but I'm not a C/C++ programmer, so I can't be sure of that. You might try Googling all or part of the error message, and see if perhaps others have run into similar issues.
  
  
  
  

• I'm havin a buffer overrun with Halo
  Here's the message
  
  Microsoft Visual C++ Runtime LIbrary
  
  Buffer overrun detected!
  
  Program: C:\Program Files\Microsoft GAmes\halo.exe
  
  A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
  
  Is it a patch I need or what because I have the latest update supposedly
  

• My buffer overrun affects explorer.exe. Can you help me fix itt
  

• hi evrytime i use my computer i get a message saying microsft visual C++ runtime library and when i quiet it my desktop disappers and so does my tool bar . can anyone help me im killing my self trying to fix it!!!!!!
  

• how do i fix this. i need step by step simple instructions as i am not a cpu tech.
  
  
  thanks
  
  micklen7@verizon.net
  

• something keeps popping up saying..
  
  Buffer overrun detected!
  
  Program: C:\WINDOWS\explorer.exe
  
  A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
  
  wen i press OK my taskbar where the start menu n stuff is goes away n it takes a while to come back n sometimes it doesnt come back.
  
  what is this thing?
  

• yea, im having the same thig with the buffer overrun with halo, anyone know how to fix it?
  

• Adam I am having the same problem when I try to host a game on halo C.E., and also noticed there arn't many games and servers running atm. Btw I have the hacked version so I dont need to pop in the CD to play like its 1992. Don't know if that matters but any help would would earn my eternal gratitude...
  Thanks!
  

• Buffer overrun detected!
  
  Program: C:\WINDOWS\explorer.exe
  
  A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
  

• I have a friend whos computer shows a window named : Microsoft Visual C++ Runtime Library! Inside the window it has a couple of items written.
  The 1st is: Buffer overrun detected
  
  then it has:
  C:\windows\explorer.exe
  
  
  Can you or anyone Help me to resolve this matter..Thanks in advance!
  

• I have the same problem as Shai above date 7/20.
  ---------------------------
  
  Buffer overrun detected!
  
  Program: C:\WINDOWS\explorer.exe
  
  A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
  -----------------------------------------
  
  What is this? Please help!
  

• Nice post Andrew. Sorry your blog turned into a tech support forum =P
  

• I`m getting the same thing as everyone above is getting except my pc still seems to be running ok.What`s up and how do I fix this pain in the a---?
  

• having same trouble C:\windows\explorer.exe buffer overrun . what is the answer. surely someone can fix it and in plain non wiz kid format. or do we get a pro to come and help us? any help appreciated. gracalanBuffer overrun detected!
  
  
  Buffer overrun detected!
  
  Program: C:\WINDOWS\explorer.exe
  
  A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
  
  

• still waiting from you guys how do we fix this brain numbing promlem buffer overrun exporer exe .-----lot's of peaple having the problem but no ideas on fixing the problem. come on let's have a few ideas on solving the problem
  

• gRaCiie- hAD any answers in fixing the
  buffer overrun yet? if you have found a way post the method you used. gracalan
  

• how do i get rid of a buffer overrun
  

• Ive been trying to get a solution from the programmers of this programs for months. They consider this a known issue and claim they are at fix. Where in the programming code of this application did they bork up ?
  

• Now that we know what it is. How do we fix it? I am not a computer geek, but I do know how to fix things if I have instructions. Please help. This thing is killing my computer. I have had it to the shop and it did nothing while there. They told me I did not have a problem. Thanks
  

• I keep getting C++ Buffer overrun in a WINDOWS file or something like that. And in my toolbar I get a little pop-up that tells me to run the Chkdsk utility, so i do then my computer is fine for 2 minuets and i get ANOTHER buffer overrun! What do i do? And please keep it simple because im an idiot when it comes to these things. Thanks.
  

• I had the same problem. Called Norton tech. several times after runnig Norton They adviced to format harddrive. So I downloaded a other virus program (free) from Avira AntiVir found several bugs in my PC. After that I loaded window explorer 7 and that took care of my buffer overflow. I got rit of Norton because it does not work to keep my PC virus free. Hope this wil help you there with Buffer overrun
  

• Is there a patch to fix it? my old PC had corrupted files that are at the moment lost to me unless I can remove the buffer overrun problem, so they can be uploaded to my new PC. Can you e-mail me an answer blspann1234@aol.com
  

• every website i open on my computer will not let me open it, it says buffer overrun dected. how do i fix this problem?
  

• Google Vundofix, run and kill if any melware;s there, update IE6, recommendations: use firefox insted of IE,
  

• The attack technique relies on knowing what address the target buffer is at in order to work. Obviously it's not the only possible attack, but it is a common one. If we can deny the attack this knowledge, we can gain ourselves a little more time to fix the bugs properly.
  
  One way to do this is to make the stack appear at a different address every time the program runs. Here's our victim program modified to do this - it allocates a random amount of space on the stack before it does anything else.
  

• Oops:
  
  The user with Nickname "sum" has said it.
  
  Google Vundofix, I did it and was guided to a good page that deleted a file called... a sec... OK, it said on the right of the page after I clicked on an icon that was marked "Vundofix":
  
  " VundoFix V4.2.57
  
  Listing files found while scanning....
  
  C:\WINDOWS\System32\gebcb.dll
  C:\WINDOWS\System32\bcbeg.ini
  C:\WINDOWS\System32\bcbeg.bak1
  
  Attempting to delete C:\WINDOWS\System32\gebcb.dll
  C:\WINDOWS\System32\gebcb.dll Has been deleted! "
  
  Hm. I think about trying to deinstall Visual C and then install it again - maybe this isn't necessary because I will first rather try to install the new version of firefox, 2. something, and this time choose the language of the operating system instead of another one.
  
  The cool dude before also said maybe update IE, but I think smart people only use firefox - I know we're all sad when some page doesn't show all content in firefox!, btw - and the dude said it "would work", I gather, with Firefox.
  
  I'm working on a way to find the solution for most of the cases where exactly this oh so annoying error message is delivered onto mankind...
  

• Oh, I forgot:
  
  What's also important after all these attempts of failure-remedy -of changes to the system - is to reboot the machine so those changes can take effect.
  
  ("Like a SHOCK to the System ... " Billy Idol)
  

• hey ive read thru all dese comments to find an answer as to wot a buffer overrun is and im havin da same problem!! is a buffer overrun a serious risk to da computer or its security nd duz it need immediate seein to ??
  

• If you got Antivir (www.antivir.com -> download the free version, called "Classic"), it's not a problem, you're on the safe side then.
  
  i don't support other antivir software than this "AVIRA ANTIVIR" currently.
  
  a "Buffer Underrun" can occur if thou downloadest games and got the wrong crax for em which can be viruses.
  
  it's SURELY absolutely no severe risk to our PCs if you installed and severely configured Antivir.
  
  What I do in addition to that is i take "File Security Manager" Version 1.8 and I cut all not necessary Permissions - except SYSTEM, , and maybe LOCAL, if you got Service Pack 2 which I don't need, fortunately, because installing SP2 results in having to reactive the whole Windows which at my place would be simple, because the PC is bought. But it could end up in a mess afterwards somehow, anyway.
  
  Without the permission "Evryone", you're safe from attacks from the Internet. Otherwise, if you leave this "Evryone" in as it is when you install Windows, then EVRYONE can write on your harddisk. Funny, ey?
  
  :-)
  

• I'm having trouble with buffer overrun. Microsoft Visual C++ Runtime Library C:\Program Files\Real\RealPlayer\realplay.exe
  Does anyone know how to correct this problem? I would very much appreciate it.
  

• im having the same problem as everyone else only with a game called warrock
  
  i looked around microsoft site downloaded patches and it still didnt do anything this has caused alot of frusteration and im looking to get this fixed should i just call microsoft or something i enjoy the game and i would like for this to be fixed plese, help!
  

• Please give me an easy instruction to solve buffer Overrun detected thing !!!
  

• Format and Recovery
  

• I get the message
  Buffer Overrun
  C:\WINNT\Explorer.exe
  ??????????
  

• From my experience, it seems that buffer overruns are a result of generally just bad coding practices. I won't say always as I think some of the mandated shared components (i.e. libs) have problems of their own and operating environments change the "playing field" that screw up good original work. Just my 2¢.
  

• how do youfix it!!!!!!!!!!!!!!!!!!!!!!! help plz send to rickeyleee@hotamil.com
  

• The solution :
  download "Super antispyware "
  it will fix everything , and ur system will run smoothly .
  it worked for me ......
  

• Just delete the file thats buffer overun but first system restore its simple. but if its continute i would do a full scan in safe mode and delete.
  
  if thats not it call whatever your using and consult it.
  

• HOW TO REPAIR BUFFER OVERRUN IN MS OFFICE?
  

• briefly describe at least three c++ fuctions, the use of which renders your programs vulnerable to buffer overrun attacks
  

• Kevin please dont try to do your assignment here. You can be seriously penalized for pulling such a stunt.
  
  
  
  
  Respectfully
  NCC Education Ltd.
  - Jane Watson.
  

• I also have a buffer override and it has stopped me playing my windows media from desktop and a choice of radio stations from its own site on desktop. I am very frustrated and it has stopped my lavasoft updating and many other things are not right. How do I fix it
  

• I too get the 'Buffer Overrun' message but it happens as soon as I turn the computer on [XP SP2]. I then have no option but to shut the computer down using the power button on the tower. After re-starting, the message may or may not come back. Various fixes as described in previous posts were tried but none worked.
  

• Further to my post of August 04: I found the program causing the buffer overrun message. Looking through the list of programs I found a strange one called Microsoft Visual C++ Redistributable. I then removed it. Later when I tried to transfer photos from my Nikon it wouldn't work. After uninstalling Nikon Transfer and View NX and then re-installing them, I noticed that Microsoft Visual C++ Redistributable was installed as part of Nikon Transfer. Since the buffer overrun message was occurring when the computer was first turned on, I went to Windows Defender and disabled Nikon Transfer on the list of startup programs. No problems since. Hope this helps a few of you. Ed.
  

• I am not a programmer, but I continue to get the following message that just blanks out the screen that results in me having to log back in:
  
  "BUFFER OVERRUN DETECTED!
  PROGRAM: C:\WINDOWS\EXPLORER.EXE
  
  A buffer overrun has been detected which has corrupted the program's internal state. The program cannott safely continue execution and must now be terminated."
  
  Please advise on how to fix this problem.
  
  

• I keep getting these same buffer overruns, heres what they say:
  
  Microsoft Visual C++ Runtime Library
  
  Buffer overrun detected!
  
  Program...owerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
  
  A buffer overrun has been detected which has corrupted the programs internal state. THe program cannot safely continue execution and must now be terminated.
  
  tell me how i can solve this problem...step by step.
  Thank you!
  

• How do I prevent this?
  

• My pc has a buffer overrun warning window popping up when I try to launch IE I am writing this from my Apple, anyway how can I fix? Anyone! Thank you, Max...
  

• I don't know how to get rid of the buffer overunInternet explorerext. Please advise how to eliminate and get my computer bacck to corect fuctioning Thank YOu Marlene
  

• I am getting message buffer overun detected...please help
  

• I find it incredible that the same problem appears constantly ever since 2004 - 5 yrs now ! - and still no solution.
  Come on you coputer wizards, rise to the challenge.
  I got the same "buffer overrun" only with microsoft office/office11 reference.
  

• how do i fix a buffer overrun
  

• I Got the same problem when i try to execute my vaio`s recovery, any solutions?
  TKS
  

• I got here by doing a search on what the heck a "buffer overrun" is.
  I'm not a programmer - but I will say that in all my years abusing computers, this problem only popped up for the first time after installing new and "necessary" Microsoft
  updates.
  
  Things that make you go "hmmm".
  
  Fran
  

• Buffer overrun detected!
  
  Program: C:\Program Files\Trillian\Trillian.exe
  A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
  
  Please Help...
  

• I get the same message when I attempt to open a link. Help!!!!
  

• my fiance keeps getting this message: Microsoft Visual C++ Runtime Library ( X in BIG RE CIRCLE ) BUFFER OVERRUN DETECTED! A buffer overrun has been detected which has corrupted the programs internal state. The program cannot safely continue and must now be terminated. I looked up buffer overruns and came to your site. It it painfully obvious that we are both in way over our heads. Hell, I probably won't even be able to find my wayback to this damn page! If you would be so kind as to email your response, it would be ever so appreciated by us both...........Thanking you in advance....David and Donna cadlackjak68@yahoo.com or dnnl_kirchner@yahoo.com
  

• There might be the case that your application uses buffer in a wrong way this means you are handling buffer that is not supported.
  

• how can i fix my laptop when it always cannot logon and just say buffer overrun
  

• Visual C++ Buffer Underrun when installing Battlefield 2. It used to work one year ago on this machine with all the same settings, and now reinstalling it just CANNOT work.
  
  I've even tried slowing the CD write speed and that doesn't work either. Virus scans, punkbuster reinstalls, latest patches, sound and video card latest drivers, wiping clean space on the hard disk, trying both NTFS and FAT32 partitions, changing everything in my BIOs.
  
  This looks to be a way too common problem with a much too rare solution. I don't even know if I can uninstall and reinstall Visual C++! I guess I'll find out though...
  

• IDONOT KNOW HOW TO A BUFFER BUT IAM GOING TO HAVE AN EXPERT LOOK AT MY COMPUTER IF IT CAN BE FIXED HE CAN DO IT 0 I WISH SOMEONE WOULD EXPLAIN HOW FIX THESE PROBLEMS!!!!!!!!!!!!!!!!!!!!!!!
  

• MY BUFFER HAS OVERRUN AND NOW IT"S DRIPPING DOWN MY LEFT PANT LEG!!! PLEASE WRITE A ROUTINE TO FIX THIS. USING THE "NO_MORE_FAST_FOOD" LIBRARIES SHOULD HELP!1!!!@
  

• One simple solution to the "buffer overrun" problem in explorer.exe:
  
  The path may just be too long for Windows to handle. Change the location or filename to something shorter or less buried in sub-folders.
  
  Example: If trying to open
  "D://mainfolder/anotherfolder/yetanotherfolder/looooongfilename.ext"
  
  causes your buffer overrun problem, try changing it to:
  "D://mainfolder/shorterfilename.ext" instead. If it's a game or program, try reinstalling it in a higher-level directory.
  
  Also run all the anti-virus/anti-spyware stuff too just in case, but this fixed my problem. BTW, I'm running Windows 7 Release Candidate & had this problem for the first time tonight after months of using the same stuff - no spyware or viruses at all. Thought they'd fixed this w/Windows 95, but I guess not :\
  

• Thanks Andrew, I faced this while developing an xml parser.
  I thought it to be because of loading the entire XML in memory while parsing.
  But Now i ll try to make a managed code exe.and then see.
  thanks for this "To the point" article !
  
  thanks,
  umesh