Versions Compared

...

In this non-compliant code example derived from [Dowd 06], integer values returned by parseint(getdata()) are stored into an array of INTBUFSIZE elements of type int called buf. If data is available for insertion into buf (indicated by havedata()) and buf_ptr has not been incremented past buf + sizeof(buf), an integer value is stored at the address referenced by buf_ptr. However, the sizeof operator returns the total number of bytes in buf, which is typically a multiple of the number of elements in buf (4096 bytes for 1024 four-byte integers). This byte count is then scaled by the size of an integer when it is added to buf, so the resulting limit lies sizeof(int) times too far past the end of the array. As a result, the check meant to prevent integers from being written past the end of buf is incorrect and a buffer overflow is possible.

Non-Compliant Code Example

int buf[INTBUFSIZE];
int *buf_ptr = buf;

/* sizeof(buf) is a byte count; pointer arithmetic scales it by sizeof(int) again */
while (havedata() && buf_ptr < buf + sizeof(buf)) {
    *buf_ptr++ = parseint(getdata());
}

...

Compliant Solution

int buf[INTBUFSIZE];
int *buf_ptr = buf;

/* buf + INTBUFSIZE points one past the last element: the correct upper bound */
while (havedata() && buf_ptr < (buf + INTBUFSIZE)) {
    *buf_ptr++ = parseint(getdata());
}
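To make the scaling error concrete, here is an added, self-contained C example (not code from the CERT page): it reports the element limit the flawed sizeof(buf) check implies versus the true element count, and runs the compliant loop against a constructed integer source. The struct intsrc, havedata, nextint, fill_buf and NELEMS names are assumptions standing in for the page's havedata() and parseint(getdata()).

```c
#include <stddef.h>
#include <stdio.h>

#define INTBUFSIZE 1024

/* Element count of an array: the unit in which pointer arithmetic on it is scaled. */
#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

static int buf[INTBUFSIZE];

/* Constructed integer source standing in for havedata() / parseint(getdata()). */
struct intsrc { const int *data; size_t n; size_t pos; };
static int havedata(const struct intsrc *s) { return s->pos < s->n; }
static int nextint(struct intsrc *s) { return s->data[s->pos++]; }

/* What the flawed check `buf_ptr < buf + sizeof(buf)` uses as its element limit:
   sizeof(buf) is a byte count, so the bound is sizeof(int) times too large. */
size_t flawed_limit(void) { return sizeof(buf); }

/* The correct limit: one past the last element, expressed in elements. */
size_t correct_limit(void) { return NELEMS(buf); }

/* Compliant fill loop: stops at dst + nelems (one past the end, which C permits
   as a comparison point) and returns how many integers were stored. */
size_t fill_buf(int *dst, size_t nelems, struct intsrc *src) {
    int *buf_ptr = dst;
    while (havedata(src) && buf_ptr < dst + nelems) {
        *buf_ptr++ = nextint(src);
    }
    return (size_t)(buf_ptr - dst);
}

/* Offer `count` constructed values (0, 1, 2, ...) to buf; returns the stored count. */
size_t fill_with_sequence(size_t count) {
    int seq[INTBUFSIZE + 16];  /* deliberately larger than buf can hold */
    if (count > NELEMS(seq)) count = NELEMS(seq);
    for (size_t i = 0; i < count; i++) seq[i] = (int)i;
    struct intsrc src = { seq, count, 0 };
    return fill_buf(buf, NELEMS(buf), &src);
}

int main(void) {
    printf("flawed limit: %zu elements, correct limit: %zu elements\n",
           flawed_limit(), correct_limit());
    printf("stored %zu of %d offered integers\n",
           fill_with_sequence(INTBUFSIZE + 16), INTBUFSIZE + 16);
    return 0;
}
```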

...

Rule    | Severity | Likelihood   | Remediation Cost | Priority | Level
EXP08-A | 3 (high) | 2 (probable) | 1 (high)         | P6       | L2

The previous version of this page rated the likelihood 1 (unlikely), giving priority P3 and level L3.

Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.

...