Variable-length arrays (VLAs) are essentially the same as traditional C arrays, except that they are declared with a size that is not a constant integer expression, and they can be declared only at block scope or function prototype scope, with no linkage. A variable-length array can be declared as follows:

```c
{ /* block scope */
  char vla[size];
}
```
where the integer expression size and the declaration of vla are both evaluated at run time. If the size argument supplied to a variable-length array is not a positive integer value, the behavior is undefined. (See undefined behavior 69 in Annex J of C99.) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way: the stack allocation is not bounds-checked, so a very large size can move the stack pointer into unrelated memory, and later writes through the array or the stack land there. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable-length arrays, especially those derived from untrusted data, are in a valid range and have not been corrupted as the result of an exceptional integer condition.
Noncompliant Code Example
...
```c
#include <stddef.h>

void func(size_t size) {
  /* size is used unchecked: zero is undefined behavior, and an
   * excessively large value can push the stack into other memory */
  int vla[size];
  /* ... */
}
/* ... */
```
...
```c
#include <stddef.h>

enum { MAX_ARRAY = 1024 };

void func(size_t size) {
  /* Reject zero (undefined behavior) and anything too large for the stack */
  if (0 < size && size < MAX_ARRAY) {
    int vla[size];   /* size is now known to be positive and bounded */
    /* ... */
  } else {
    /* Use dynamic allocation */
  }
}
/* ... */
```
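The compliant solution above leaves the dynamic-allocation branch and the error handling elided. The following is an added example, not code from the CERT page, that completes that pattern: the range check is factored into a predicate (`vla_size_ok`, a hypothetical name), the heap fallback also guards the `size * sizeof(int)` multiplication against wrapping, and invalid sizes are reported to the caller instead of silently declaring the array. The bound `MAX_VLA_ELEMS` and the workload (filling and summing the array) are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed bound on VLA element count; choose it so the stack frame
 * stays small no matter what the caller supplies. */
enum { MAX_VLA_ELEMS = 1024 };

/* True when `size` may be used as the length of `int vla[size]`:
 * strictly positive (zero is undefined behavior) and below the bound,
 * so the frame cannot be pushed into unrelated memory. */
bool vla_size_ok(size_t size) {
    return 0 < size && size < MAX_VLA_ELEMS;
}

/* Writes 0..n-1 into buf and returns their sum. Caller guarantees that
 * buf holds n ints and that n fits in an int. */
static uint64_t fill_and_sum(int *buf, size_t n) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        buf[i] = (int)i;
    }
    for (size_t i = 0; i < n; i++) {
        total += (uint64_t)buf[i];
    }
    return total;
}

/* Sums the indices 0..size-1 into *out. Small sizes use a bounds-checked
 * VLA, large sizes use the heap, and invalid sizes (zero, or a byte
 * count that would overflow size_t) are rejected.
 * Returns 0 on success and -1 on failure. */
int sum_indices(size_t size, uint64_t *out) {
    if (size == 0 || size > (size_t)INT32_MAX) {
        return -1;   /* zero-length VLA is UB; huge counts don't fit an int */
    }
    if (vla_size_ok(size)) {
        int vla[size];   /* safe: size is positive and bounded */
        *out = fill_and_sum(vla, size);
        return 0;
    }
    /* Heap fallback. The multiplication is guarded explicitly, because
     * size * sizeof *buf can wrap to a small value for large size. */
    if (size > SIZE_MAX / sizeof(int)) {
        return -1;
    }
    int *buf = malloc(size * sizeof *buf);
    if (buf == NULL) {
        return -1;
    }
    *out = fill_and_sum(buf, size);
    free(buf);
    return 0;
}

int main(void) {
    /* Constructed inputs: one VLA-sized, one heap-sized, two invalid. */
    size_t inputs[] = { 10, 4096, 0, SIZE_MAX };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint64_t s = 0;
        int rc = sum_indices(inputs[i], &s);
        printf("size=%zu rc=%d sum=%llu\n", inputs[i], rc,
               (unsigned long long)s);
    }
    return 0;
}
```

The explicit `size == 0` rejection matters even with the `else` branch: passing zero through to `malloc(0)` yields an implementation-defined result, so it is better refused up front than handed to either allocator.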
...