Comment: This claim needs to be verified, and the text clarified.

...

Code Block
char vla[s];

This declaration is evaluated at runtime, allocating storage for s characters in stack memory. If the size argument supplied to a VLA is not a positive integer value of reasonable size, the program may behave in an unexpected way: a size of zero is undefined behavior, and a very large size requests more stack than is available. Unlike malloc(), a VLA has no return value through which an allocation failure can be reported, so nothing in the callee catches the bad size. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 06] (http://felinemenace.org/papers/p63-0x0e_Shifting_the_Stack_Pointer.txt). The programmer must ensure that size arguments to VLAs are valid and have not been corrupted as the result of an exceptional integer condition.

Non-Compliant Code Example

In this non-compliant code example, a VLA of size s is declared. In accordance with recommendation INT01-A. Use rsize_t or size_t for all integer values representing the size of an object, s is of type size_t, as it is used to specify the size of an object. However, it is unclear whether the value of s is a valid size argument. Because s is unsigned it cannot itself be negative, but a negative value in the caller is silently converted to a very large positive size_t, and a very large s (whether it arises that way or from an earlier integer overflow) requests far more stack than is available. Depending on how VLAs are implemented, the allocation may move the stack pointer past the end of the stack or wrap it around, so that later stack accesses land on other memory. In either case, this may result in a security vulnerability.

Code Block
void func(size_t s) {
  int vla[s];   /* s is used unchecked: zero or a huge value is never rejected */
  /* ... */
}
/* ... */
func(size);     /* size may be out of range or corrupted by an integer overflow */
/* ... */
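As an added example that is not part of the CERT page, the following C code shows a checked counterpart to func, covering both the char VLA above and the int VLA in the non-compliant example. It rejects a size that is zero, that would wrap when multiplied by sizeof(int), or that exceeds an assumed stack budget, and it shows how a negative int in the caller becomes a huge size_t. The names vla_size_ok, func_checked, func_from_int and negative_as_size, and the limit MAX_VLA_ELEMENTS, are chosen for this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed upper bound on VLA elements for this example; a real limit is
 * chosen from the platform's stack size and the function's other stack use. */
#define MAX_VLA_ELEMENTS ((size_t)1024)

/* Returns true when s is acceptable as the element count of an int VLA.
 * Rejects 0 (a VLA size must be greater than zero), rejects counts whose
 * byte size sizeof(int) * s would wrap, and rejects counts above the bound. */
bool vla_size_ok(size_t s) {
    if (s == 0) {
        return false;
    }
    if (s > SIZE_MAX / sizeof(int)) {
        return false;  /* byte size would overflow size_t */
    }
    if (s > MAX_VLA_ELEMENTS) {
        return false;  /* would consume more stack than we allow */
    }
    return true;
}

/* Compliant counterpart of func: the VLA is declared only after s passes
 * vla_size_ok. Fills the array with 0..s-1 and returns the element sum so
 * the effect is observable; returns -1 when the size is rejected. */
long func_checked(size_t s) {
    if (!vla_size_ok(s)) {
        return -1;
    }
    int vla[s];
    long sum = 0;
    for (size_t i = 0; i < s; i++) {
        vla[i] = (int)i;
        sum += vla[i];
    }
    return sum;
}

/* What an unchecked caller holding a signed value really hands to func:
 * a negative int converts to a very large size_t (e.g. -1 becomes SIZE_MAX). */
size_t negative_as_size(int n) {
    return (size_t)n;
}

/* Callers holding a signed count should reject it before the conversion
 * to size_t turns a negative number into a huge one. */
long func_from_int(int n) {
    if (n <= 0) {
        return -1;
    }
    return func_checked((size_t)n);
}

int main(void) {
    /* Constructed inputs: a sane count, zero, and a negative caller value. */
    long ok = func_checked(8);                        /* 28 */
    long zero = func_checked(0);                      /* -1 */
    long neg = func_from_int(-1);                     /* -1 */
    long huge = func_checked(negative_as_size(-1));   /* -1, no stack damage */
    return (ok == 28 && zero == -1 && neg == -1 && huge == -1) ? 0 : 1;
}
```

The wrap check is redundant while MAX_VLA_ELEMENTS is small, but it is the check that matters when the bound is derived from a larger or runtime-determined budget; keeping the two separate makes each rejection reason explicit.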

...