Page History

C99 includes support for variable-length arrays (VLAs) \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]. If the array length is derived from an untrusted data source, an attacker can cause the process to perform an excessive allocation on the stack.

The BSD extension function {{alloca()}} behaves in a similar fashion to variable-length arrays; its use is not recommended \[[Loosemore 07|AA. C References#Loosemore 07]\].

\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators", and Section 7.20.3, "Memory management functions"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "GDL Recursion"
\[[Loosemore 07|AA. C References#Loosemore 07]\] [Section 3.2.5, "Automatic Storage with Variable Size"|http://www.gnu.org/software/libc/manual/html_mono/libc.html#Variable-Size-Automatic]
\[[MISRA 04|AA. C References#MISRA 04]\] Rule 16.2
\[[Seacord 05a|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
\[[van Sprundel 06|http://ilja.netric.org/files/Unusual%20bugs.pdf]\] "Stack Overflow"