...
The type size_t generally covers the entire address space. ISO/IEC TR 24731-1-2007 introduces a new type, rsize_t, defined to be size_t but explicitly used to hold the size of a single object [Meyers 2004]. In code that documents this purpose by using the type rsize_t, the size of an object can be checked to verify that it is no larger than RSIZE_MAX, the maximum size of a normal single object, which provides additional input validation for library functions. See STR07-C, "Use the bounds-checking interfaces for remediation of existing string manipulation code," for additional discussion of TR 24731-1.
...
The unsigned n may contain a value greater than INT_MAX. Assuming quiet wraparound on signed overflow, the loop executes n times because the comparison i < n is an unsigned comparison. Once i is incremented beyond INT_MAX, i takes on negative values starting with INT_MIN. Consequently, the memory locations referenced by p[i] precede the memory referenced by p, and a write outside the array bounds occurs.
...
For values of n where INT_MAX < n <= (size_t)INT_MIN, the loop executes INT_MAX times. Once i wraps to a negative value, the unsigned comparison fails and the loop stops, so every index actually used stayed in the range 0 through INT_MAX.
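As an added example (not code from the CERT page), the following C program turns the reasoning above into something checkable: predict_int_counter() classifies a given n into the three cases for the noncompliant int counter by arithmetic alone, without touching memory, and alloc_zeroed_ints() shows the compliant size_t index together with an rsize_t-style bound. The RSIZE_MAX fallback and both function names are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* RSIZE_MAX comes from TR 24731-1 (C11 Annex K); it is implementation-defined and
 * many libcs do not provide it, so a conservative fallback is assumed here. */
#ifndef RSIZE_MAX
#define RSIZE_MAX (SIZE_MAX >> 1)
#endif
typedef enum { LOOP_SAFE, LOOP_TRUNCATED, LOOP_OUT_OF_BOUNDS } loop_outcome;

/* Predicts, by arithmetic alone, what the noncompliant loop
 *     for (int i = 0; i < n; i++) p[i] = 0;
 * does for a given size_t n, assuming quiet wraparound on signed overflow.
 * *oob_writes receives the number of p[i] stores made with a negative i. */
loop_outcome predict_int_counter(size_t n, size_t *oob_writes) {
    *oob_writes = 0;
    if (n <= (size_t)INT_MAX)
        return LOOP_SAFE;              /* i never exceeds INT_MAX */
    /* After i == INT_MAX the increment wraps to INT_MIN; in "i < n" the usual
     * arithmetic conversions turn that value into (size_t)INT_MIN. */
    if (n <= (size_t)INT_MIN)
        return LOOP_TRUNCATED;         /* comparison fails; only indices 0..INT_MAX were used */
    *oob_writes = n - (size_t)INT_MIN; /* negative indices until (size_t)i reaches n */
    return LOOP_OUT_OF_BOUNDS;
}

/* Compliant form: a size_t index (unsigned compared with unsigned, so it cannot wrap to a
 * negative value) and an rsize_t-style bound on the object size before the multiplication. */
int *alloc_zeroed_ints(size_t n) {
    if (n > RSIZE_MAX / sizeof(int))
        return NULL;                   /* larger than a single object is allowed to be */
    int *p = malloc(n * sizeof(int));
    if (p == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        p[i] = 0;
    return p;
}

int main(void) {
    size_t oob;
    loop_outcome r = predict_int_counter((size_t)INT_MIN + 4096, &oob);
    printf("outcome %d, negative-index writes %zu\n", (int)r, oob);
    int *p = alloc_zeroed_ints(16);
    printf("alloc_zeroed_ints(16) %s\n", p ? "ok" : "rejected");
    free(p);
    return 0;
}
```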
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| Fortify SCA | V. 5.0 | | Will detect integer operations that cause overflow, but not all cases where |
| Splint | | | |
| Compass/ROSE | | | Can detect violations of this recommendation. In particular, it catches comparisons and operations where one operand is of type |
| | | 93 S | Fully implemented. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
CERT C++ Secure Coding Standard: INT01-CPP. Use rsize_t or size_t for all integer values representing the size of an object
ISO/IEC 9899:1999, Section 7.17, "Common definitions <stddef.h>," and Section 7.20.3, "Memory management functions"; ISO/IEC 9899:2011, Section 7.19, "Common definitions <stddef.h>," and Section 7.22.3, "Memory management functions"
...