...
Failure to properly specify the size of a variable length array may allow arbitrary code execution or result in stack exhaustion.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR32-C | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Coverity | | REVERSE_NEGATIVE | Fully implemented |
LDRA tool suite | | 621 S | Enhanced enforcement |
Polyspace Bug Finder | R2016a | Size of the variable-length array (VLA) is from an unsecure source and may be zero, negative, or too large | |
PRQA QA-C | | 1051 | Partially implemented |
Cppcheck | | negativeArraySize | Context sensitive analysis |
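The three conditions these checkers look for (a size that is zero, negative, or too large) can be rejected before the array is declared. The following is an added example, not code from the CERT standard: the 4096-byte stack budget and the names `vla_size_ok`, `sum_ints` and `sum_with_scratch` are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VLA_BYTES 4096u /* assumed per-array stack budget, not from the page */
enum { SCRATCH_REJECTED = -1, SCRATCH_STACK = 1, SCRATCH_HEAP = 2 };
/* Nonzero only if count is positive and count * elem_size fits the budget. */
int vla_size_ok(long long count, size_t elem_size)
{
    if (count <= 0 || elem_size == 0)
        return 0;
    return (unsigned long long)count <= MAX_VLA_BYTES / elem_size;
}

static long long sum_ints(const int *p, size_t n)
{
    long long s = 0;
    for (size_t i = 0; i < n; i++)
        s += p[i];
    return s;
}

/* Hypothetical consumer: n is untrusted; return value says where scratch lived. */
int sum_with_scratch(const int *src, long long n, long long *sum)
{
    if (!src || !sum || n <= 0 || (unsigned long long)n > SIZE_MAX / sizeof(int))
        return SCRATCH_REJECTED;          /* zero, negative, or would overflow */
    size_t len = (size_t)n;
    if (vla_size_ok(n, sizeof(int))) {
        int scratch[len];                 /* len is proven to be in (0, budget] */
        memcpy(scratch, src, len * sizeof(int));
        *sum = sum_ints(scratch, len);
        return SCRATCH_STACK;
    }
    int *heap = malloc(len * sizeof(int)); /* too large for the stack: use heap */
    if (heap == NULL)
        return SCRATCH_REJECTED;
    memcpy(heap, src, len * sizeof(int));
    *sum = sum_ints(heap, len);
    free(heap);
    return SCRATCH_HEAP;
}

int main(void)
{
    int data[] = {1, 2, 3, 4, 5};         /* constructed sample input */
    long long sum = 0;
    return sum_with_scratch(data, 5, &sum) == SCRATCH_STACK && sum == 15 ? 0 : 1;
}
```

The range check divides the budget by the element size instead of multiplying the untrusted count, so the comparison itself cannot wrap.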
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | INT01-C. Use rsize_t or size_t for all integer values representing the size of an object | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Unchecked Array Indexing [XYZ] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961:2013 | Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-758 | 2017-06-29: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
...
- ARR32-C is not about providing a valid buffer but reading/writing outside it. It is about providing an invalid buffer, or one that exhausts the stack.
Bibliography
...
...