Exploit - Code execution without assembly call instruction, int etc on ia_64

Question

Found a bug in a function in a loop where I can go past a loop in assignment where value is read from past malloced memory

The function has no call, int or other assembly instructions afterwards.

Instruction I control is movzbl. I control the source registry value. Pseudocode in C:

For(...) 
{
ptr=array[i] <---- here i go past ptr allocation
} 

Can this be exploited to get code execution?

Update 1:

This is the case, I control the ptr values and here arr[i]=inptr[0]; it overflows

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


void main(void)
{
    char *ptr=NULL;

    ptr=malloc(10*sizeof(char));
    for(int i=0;i<10;i++)
    {
        ptr[i]=1;
    }


    char arr[11]={1,2,3,4,5,6,7,8,9,10,11};
    char *inptr = NULL;
    inptr= ptr;
    for(int i=0;i<1000;i++)
    {
        arr[i]=inptr[0];
        inptr+=1;
    }

    for(int i=0;i<10;i++)
    {
        printf("%i\n",arr[i]);
    }


}

Disassembly:

gef➤  disass
Dump of assembler code for function main:
   0x00000000004005d6 <+0>: push   rbp
   0x00000000004005d7 <+1>: mov    rbp,rsp
   0x00000000004005da <+4>: sub    rsp,0x40
=> 0x00000000004005de <+8>: mov    rax,QWORD PTR fs:0x28
   0x00000000004005e7 <+17>:    mov    QWORD PTR [rbp-0x8],rax
   0x00000000004005eb <+21>:    xor    eax,eax
   0x00000000004005ed <+23>:    mov    QWORD PTR [rbp-0x28],0x0
   0x00000000004005f5 <+31>:    mov    edi,0xa
   0x00000000004005fa <+36>:    call   0x4004c0 <malloc@plt>
   0x00000000004005ff <+41>:    mov    QWORD PTR [rbp-0x28],rax
   0x0000000000400603 <+45>:    mov    DWORD PTR [rbp-0x3c],0x0
   0x000000000040060a <+52>:    jmp    0x400620 <main+74>
   0x000000000040060c <+54>:    mov    eax,DWORD PTR [rbp-0x3c]
   0x000000000040060f <+57>:    movsxd rdx,eax
   0x0000000000400612 <+60>:    mov    rax,QWORD PTR [rbp-0x28]
   0x0000000000400616 <+64>:    add    rax,rdx
   0x0000000000400619 <+67>:    mov    BYTE PTR [rax],0x1
   0x000000000040061c <+70>:    add    DWORD PTR [rbp-0x3c],0x1
   0x0000000000400620 <+74>:    cmp    DWORD PTR [rbp-0x3c],0x9
   0x0000000000400624 <+78>:    jle    0x40060c <main+54>
   0x0000000000400626 <+80>:    mov    BYTE PTR [rbp-0x20],0x1
   0x000000000040062a <+84>:    mov    BYTE PTR [rbp-0x1f],0x2
   0x000000000040062e <+88>:    mov    BYTE PTR [rbp-0x1e],0x3
   0x0000000000400632 <+92>:    mov    BYTE PTR [rbp-0x1d],0x4
   0x0000000000400636 <+96>:    mov    BYTE PTR [rbp-0x1c],0x5
   0x000000000040063a <+100>:   mov    BYTE PTR [rbp-0x1b],0x6
   0x000000000040063e <+104>:   mov    BYTE PTR [rbp-0x1a],0x7
   0x0000000000400642 <+108>:   mov    BYTE PTR [rbp-0x19],0x8
   0x0000000000400646 <+112>:   mov    BYTE PTR [rbp-0x18],0x9
   0x000000000040064a <+116>:   mov    BYTE PTR [rbp-0x17],0xa
   0x000000000040064e <+120>:   mov    BYTE PTR [rbp-0x16],0xb
   0x0000000000400652 <+124>:   mov    QWORD PTR [rbp-0x30],0x0
   0x000000000040065a <+132>:   mov    rax,QWORD PTR [rbp-0x28]
   0x000000000040065e <+136>:   mov    QWORD PTR [rbp-0x30],rax
   0x0000000000400662 <+140>:   mov    DWORD PTR [rbp-0x38],0x0
   0x0000000000400669 <+147>:   jmp    0x400684 <main+174>
   0x000000000040066b <+149>:   mov    rax,QWORD PTR [rbp-0x30]
   0x000000000040066f <+153>:   movzx  edx,BYTE PTR [rax]
   0x0000000000400672 <+156>:   mov    eax,DWORD PTR [rbp-0x38]
   0x0000000000400675 <+159>:   cdqe   
   0x0000000000400677 <+161>:   mov    BYTE PTR [rbp+rax*1-0x20],dl
   0x000000000040067b <+165>:   add    QWORD PTR [rbp-0x30],0x1
   0x0000000000400680 <+170>:   add    DWORD PTR [rbp-0x38],0x1
   0x0000000000400684 <+174>:   cmp    DWORD PTR [rbp-0x38],0x3e7
   0x000000000040068b <+181>:   jle    0x40066b <main+149>
   0x000000000040068d <+183>:   mov    DWORD PTR [rbp-0x34],0x0
   0x0000000000400694 <+190>:   jmp    0x4006b8 <main+226>
   0x0000000000400696 <+192>:   mov    eax,DWORD PTR [rbp-0x34]
   0x0000000000400699 <+195>:   cdqe   
   0x000000000040069b <+197>:   movzx  eax,BYTE PTR [rbp+rax*1-0x20]
   0x00000000004006a0 <+202>:   movsx  eax,al
   0x00000000004006a3 <+205>:   mov    esi,eax
   0x00000000004006a5 <+207>:   mov    edi,0x400764
   0x00000000004006aa <+212>:   mov    eax,0x0
   0x00000000004006af <+217>:   call   0x4004a0 <printf@plt>
   0x00000000004006b4 <+222>:   add    DWORD PTR [rbp-0x34],0x1
   0x00000000004006b8 <+226>:   cmp    DWORD PTR [rbp-0x34],0x9
   0x00000000004006bc <+230>:   jle    0x400696 <main+192>
   0x00000000004006be <+232>:   nop
   0x00000000004006bf <+233>:   mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004006c3 <+237>:   xor    rax,QWORD PTR fs:0x28
   0x00000000004006cc <+246>:   je     0x4006d3 <main+253>
   0x00000000004006ce <+248>:   call   0x400490 <__stack_chk_fail@plt>
   0x00000000004006d3 <+253>:   leave  
   0x00000000004006d4 <+254>:   ret    
End of assembler dump.
gef➤ 

I think this is not exploitable other than DoS/Crash? Any thoughts?

Update 2:

It is actually in a library code. In my PoC it overflows always to unmapped mem. So I guess I have to make a PoC that allocates a lot of mem. If you look at my question update 1 c code, how would u modify to make the oob read, write there exploitable?