...
In this noncompliant code example, control reaches the end of the `getlen()` function when `input` does not contain the integer `delim`. Because the potentially undefined return value of `getlen()` is later used as an index into an array, this can lead to a buffer overflow.
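```c
#include <stddef.h>

size_t getlen(int *input, size_t maxlen, int delim) {
  size_t i;
  for (i = 0; i < maxlen; ++i) {
    if (input[i] == delim) {
      return i;
    }
  }
  /* Noncompliant: control falls off the end here when delim is not found */
}

/* ... */

/* Enclosing function added so the fragment compiles */
void func(int userdata) {
  size_t i;
  int data[] = {1, 1, 1};
  /* Pass the element count, not the byte size of the array */
  i = getlen(data, sizeof(data) / sizeof(data[0]), 0);
  data[i] = userdata;  /* undefined behavior: getlen() returned no value */
}
```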
...