Page History

where the integer expression {{size}} and the declaration of {{vla}} are both evaluated at runtime. If the size argument supplied to a variable-length array is not a positive integer value, the behavior is undefined (see [undefined behavior 69|CC. Undefined Behavior#ub_69] in Annex J of C99). In addition, if the magnitude of the argument is excessive the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data \[[Griffiths 06|AA. C References#Griffiths 06]\]. The programmer must ensure that size arguments to variable-length arrays are valid and have not been corrupted as the result of an exceptional integer condition.

\[[Griffiths 06|AA. C References#Griffiths 06]\]
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XYX Boundary Beginning Violation" and "XYZ Unchecked Array Indexing"