Variable length arrays (VLAs) are essentially the same as traditional C arrays except that they are declared with a size that is not a constant integer expression, can be declared only at block scope or function prototype scope, and have no linkage. A variable length array can be declared
...
where the integer expression `size` and the declaration of `vla` are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of the C Standard [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
...
Tool | Version | Checker | Description
---|---|---|---
 | | REVERSE_NEGATIVE, NEGATIVE_RETURNS | Can find the instances where data is read/written from a negative array index.
PRQA QA-C | | 1051 | Partially implemented.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
TS 17961 | (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink] |
ISO/IEC TR 24772 | Boundary beginning violation [XYX] |
...
ISO/IEC TR 24772 | Unchecked array indexing [XYZ] |
...