...
This compliant solution ensures the size argument used to allocate vla is in a valid range (between 1 and a programmer-defined maximum); otherwise, it uses an algorithm that relies on dynamic memory allocation. The solution also avoids unsigned integer wrapping that, given a sufficiently large value of size, would cause malloc to allocate insufficient storage for the array.
...
The following noncompliant code example defines A to be a variable length array and then uses the sizeof operator to compute its size at runtime. When the function is called with an argument greater than SIZE_MAX / (N1 * sizeof (int)), the runtime sizeof expression may wrap around, yielding a result that is smaller than the mathematical product N1 * n2 * sizeof (int). The call to malloc(), when successful, will then allocate storage for fewer than n2 elements of the array, causing one or more of the final memset() calls in the for loop to write past the end of that storage.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h>
#include <string.h>
enum { N1 = 4096 };
void * func(size_t n2) {
typedef int A[n2][N1];
A *array = malloc(sizeof (A));
if (!array) {
/* Handle error */
return NULL;
}
for (size_t i = 0; i != n2; ++i) {
memset(array [i], 0, N1 * sizeof (int));
}
return array;
}
|
Compliant Solution (sizeof)
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { N1 = 4096 };
void * func(size_t n2) {
if (n2 > SIZE_MAX / (N1 * sizeof (int))) {
/* Prevent sizeof wrapping */
return NULL;
}
typedef int A[n2][N1];
A *array = malloc(sizeof (A));
if (!array == NULL) {
/* Handle malloc failureerror */
return NULL;
}
for (size_t i = 0; i != n2; ++i) {
memset( array[i], 0, N1 * sizeof (int));
}
return array;
}
|
Implementation Details
...