...
Integer values must not be allowed to wrap, especially if they are used in any of the following ways:
- integer operands of any pointer arithmetic, including array indexing;
- the assignment expression for the declaration of a variable length array;
- the postfix expression preceding square brackets [] or the expression in square brackets [] of a subscripted designation of an element of an array object;
- function arguments of type size_t or rsize_t (for example, an argument to a memory allocation function); and
- in security-critical code.
The C Standard defines arithmetic on atomic integer types as read-modify-write operations with the same representation as non-atomic integer types. As a result, wrapping of atomic unsigned integers is identical to non-atomic unsigned integers and should also be prevented or detected.
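The following is an added example, not code from the standard itself, showing the check a practitioner would put in front of the cases listed above (a size_t product or sum about to be passed to malloc) and in front of an atomic unsigned counter, which, as the paragraph above notes, wraps exactly like a non-atomic one. The function names checked_size_mul, checked_size_add, checked_alloc_array and checked_atomic_add are this example's own; the test of `count > SIZE_MAX / elem_size` is the standard precondition test, and the compare-and-swap loop replaces a plain atomic_fetch_add so that an increment that would wrap is refused rather than applied.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Compute count * elem_size without letting the unsigned product wrap.
 * Returns true and stores the product in *out, or returns false (leaving
 * *out untouched) when the mathematical product exceeds SIZE_MAX. */
bool checked_size_mul(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return false; /* count * elem_size would wrap */
    }
    *out = count * elem_size;
    return true;
}

/* Compute a + b, refusing the operation when the sum would exceed SIZE_MAX.
 * The precondition test uses only operands, so it never wraps itself. */
bool checked_size_add(size_t a, size_t b, size_t *out) {
    if (SIZE_MAX - a < b) {
        return false; /* a + b would wrap */
    }
    *out = a + b;
    return true;
}

/* Allocate count elements of elem_size bytes each. A wrapped product would
 * reach malloc as a small size and leave the caller with an undersized
 * buffer, so the wrap is detected and the allocation refused instead. */
void *checked_alloc_array(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_size_mul(count, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

/* Atomic unsigned counters wrap identically to non-atomic ones, so a bare
 * atomic_fetch_add can silently wrap. This compare-and-swap loop checks the
 * current value before each attempted update and refuses an increment that
 * would exceed SIZE_MAX. */
bool checked_atomic_add(atomic_size_t *counter, size_t delta) {
    size_t old = atomic_load(counter);
    for (;;) {
        if (SIZE_MAX - old < delta) {
            return false; /* would wrap; counter is left unchanged */
        }
        if (atomic_compare_exchange_weak(counter, &old, old + delta)) {
            return true;
        }
        /* CAS failed: old now holds the counter's current value; retry. */
    }
}

int main(void) {
    /* Constructed input: a count just above half of SIZE_MAX, times 2. */
    size_t count = SIZE_MAX / 2 + 2;
    size_t wrapped = count * 2; /* unchecked: silently wraps to a tiny value */
    size_t checked;
    printf("unchecked product: %zu\n", wrapped);
    printf("checked_size_mul accepted: %s\n",
           checked_size_mul(count, 2, &checked) ? "yes" : "no");
    printf("checked_alloc_array returned %s\n",
           checked_alloc_array(count, 2) == NULL ? "NULL" : "a buffer");

    atomic_size_t hits;
    atomic_init(&hits, SIZE_MAX - 1);
    printf("atomic +1 accepted: %s\n", checked_atomic_add(&hits, 1) ? "yes" : "no");
    printf("atomic +1 accepted: %s\n", checked_atomic_add(&hits, 1) ? "yes" : "no");
    return 0;
}
```

The division form of the multiplication test is portable C; on compilers that provide `__builtin_mul_overflow` the same check can be written in one call, but the precondition form above works everywhere and makes the wrap condition explicit in review.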
...