Variable length arrays (VLAs) are essentially the same as traditional C arrays except that they are declared with a size that is not a constant integer expression and can be declared only at block scope or function prototype scope and with no linkage. A variable length array can be declared

...

where the integer expression size and the declaration of vla are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of the C Standard [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
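The range check described above, as an added example that is not part of the original guideline text. The limit MAX_VLA_ELEMS and the function names parse_vla_count and sum_first_n are assumptions made for illustration; the size arrives as untrusted text and is rejected unless it is a positive integer within the limit.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed application limit on VLA elements; size it to the stack budget. */
enum { MAX_VLA_ELEMS = 1024 };

/* Convert untrusted text to a VLA element count.
   Returns 0 and stores the count on success; returns -1 if the text is not
   a complete decimal number, overflows long, is zero or negative
   (undefined behavior 75), or exceeds MAX_VLA_ELEMS (excessive magnitude). */
int parse_vla_count(const char *text, size_t *count) {
    char *end;
    long v;
    if (text == NULL || count == NULL) return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE) return -1;
    if (v <= 0 || v > MAX_VLA_ELEMS) return -1;
    *count = (size_t)v;
    return 0;
}

/* Fill a VLA with 1..n and return the sum, or -1 when the size is rejected.
   The VLA is declared only after the size has passed validation. */
long sum_first_n(const char *untrusted) {
    size_t n;
    long sum = 0;
    if (parse_vla_count(untrusted, &n) != 0) return -1;
    int vla[n];                       /* n is in 1..MAX_VLA_ELEMS here */
    for (size_t i = 0; i < n; i++) vla[i] = (int)(i + 1);
    for (size_t i = 0; i < n; i++) sum += vla[i];
    return sum;
}

int main(void) {
    /* Constructed sample inputs: valid, negative, too large, malformed. */
    const char *samples[] = { "4", "-5", "1025", "12abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s -> %ld\n", samples[i], sum_first_n(samples[i]));
    return 0;
}
```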

...

| Tool | Version | Checker | Description |
|---|---|---|---|
| Coverity | | REVERSE_NEGATIVE NEGATIVE_RETURNS | Can find the instances where data is read from or written to a negative array index. |
| PRQA QA-C | | 1051 | Partially implemented. |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

TS 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]
ISO/IEC TR 24772

...

Boundary beginning violation

...

[XYX]
Unchecked array indexing

...

[XYZ]

Bibliography