Referenced in the recent VLC vulnerability and other places, apparently buffer overreads can cause arbitrary code execution. How does it do that? Suppose in the following toy example:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copies n bytes from src without checking where src actually ends:
 * if n exceeds strlen(src), the loop reads past the source string. */
void badcpy(const char* src, char* dst, int n) {
    for (int i = 0; i < n; i++)
        dst[i] = src[i];
    dst[n] = '\0';
}

int main(int argc, char** argv) {
    const char* str = "I'm being overread!";
    /* An attacker-chosen argv[1] larger than strlen(str) triggers the overread. */
    int n = argc > 1 ? atoi(argv[1]) : (int)strlen(str);
    char* buf = (char*)malloc(n + 1);
    badcpy(str, buf, n);
    for (int i = 0; i < n; i++)
        buf[i] += 42;
    printf("%s", buf);
    free(buf);
    return 0;
}
```
The worst that could happen is either the application crashing or leaking some value in memory that shouldn't be; no arbitrary execution ever takes place.
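As an added example (not the asker's code), the following reproduces the toy `badcpy` and shows concretely what the "leaking some value in memory" case looks like: with a constructed buffer where the string is immediately followed by other data, an oversized `n` copies that neighbouring data into the destination. A bounds-respecting replacement, `safecpy` (an assumed name, not from the question), stops at the source's terminator and at the destination's capacity instead.

```c
#include <stddef.h>
#include <string.h>

/* The toy copy from the question, reproduced so this block runs stand-alone:
 * it trusts n and reads src[0..n-1] regardless of where src's NUL is. */
void badcpy(const char *src, char *dst, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i];
    dst[n] = '\0';
}

/* Hardened version (assumed API): copy at most n bytes, stop at src's NUL,
 * and never write past dst's capacity dstsz. Returns bytes written
 * (excluding the terminator). */
size_t safecpy(const char *src, char *dst, size_t dstsz, size_t n) {
    if (dstsz == 0) return 0;
    size_t limit = n < dstsz - 1 ? n : dstsz - 1;
    size_t len = 0;
    while (len < limit && src[len] != '\0') len++;  /* never looks past limit */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Runs badcpy with the given n over constructed sample memory: a 7-char
 * string, its NUL, then 7 bytes that must never be copied. One array, so the
 * adjacency is defined rather than whatever malloc places next door.
 * Returns 1 if any of the neighbouring bytes reached dst, 0 if not,
 * -1 if n would read beyond the sample array itself. */
int overread_leaks(size_t n) {
    char mem[16] = "abcdefg\0SECRET!";
    char dst[32] = {0};
    if (n > sizeof mem) return -1;
    badcpy(mem, dst, n);
    for (size_t i = 0; i + 6 <= n; i++)
        if (memcmp(dst + i, "SECRET", 6) == 0) return 1;
    return 0;
}

/* Same request through safecpy: copying stops at the first NUL in mem. */
size_t safe_copy_len(size_t n) {
    char mem[16] = "abcdefg\0SECRET!";
    char dst[32];
    return safecpy(mem, dst, sizeof dst, n);
}
```

`overread_leaks(strlen("abcdefg"))` returns 0, while `overread_leaks(14)` returns 1; `safe_copy_len(14)` still returns 7, because the bounded copy never crosses the terminator.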