Variable length arrays (VLAs) are essentially the same as traditional C arrays, except that they are declared with a size that is not a constant integer expression and can be declared only at block scope or function prototype scope and with no linkage. A variable length array can be declared
...
where the integer expression `size` and the declaration of `vla` are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of C11 [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive (for example, a negative value that has been converted to `size_t`), the stack pointer can be moved far outside the stack and the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
...
In this noncompliant code example, a variable length array of size `size` is declared. The variable `size` is declared as `size_t` in compliance with recommendation INT01-C. Use rsize_t or size_t for all integer values representing the size of an object. Declaring the size as an unsigned type does not by itself make the declaration safe: a `size_t` cannot be negative, but it can still be zero or large enough to exhaust the stack.
...
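The following added example (written for this page, not code from the CERT standard itself) places the unchecked VLA beside a range-checked version and shows how a size taken from untrusted text should be parsed so that a negative or oversized value cannot slip through the conversion to `size_t`. The limit `MAX_ARRAY`, the function names and the sentinel return values are assumptions chosen for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on the number of VLA elements. An assumed value chosen for
 * this example; a real program derives it from its stack budget. */
enum { MAX_ARRAY = 1024 };

/* Noncompliant: the VLA is declared with an unchecked size. A size of 0 is
 * undefined behavior, and a huge value (such as a negative int converted
 * to size_t) moves the stack pointer far beyond the stack. Kept only for
 * contrast; it is never called with untrusted input below. */
long noncompliant_sum(size_t size) {
    int vla[size];
    long sum = 0;
    for (size_t i = 0; i < size; i++) {
        vla[i] = (int)i;
        sum += vla[i];
    }
    return sum;
}

/* Compliant: the size is validated against the range (0, MAX_ARRAY] before
 * the VLA is declared. Returns the sum of 0..size-1, or -1 if the size is
 * rejected (the sum is never negative for an accepted size, so -1 is an
 * unambiguous sentinel). */
long compliant_sum(size_t size) {
    if (size == 0 || size > MAX_ARRAY) {
        return -1;
    }
    int vla[size];
    long sum = 0;
    for (size_t i = 0; i < size; i++) {
        vla[i] = (int)i;
        sum += vla[i];
    }
    return sum;
}

/* Parse a size from untrusted text (for example argv) before it is ever
 * converted to size_t. Parsing as a signed type first lets us reject
 * negative input explicitly instead of letting it wrap to a huge unsigned
 * value. Returns the value in [1, MAX_ARRAY], or -1 on any rejection. */
long parse_size(const char *text) {
    char *end = NULL;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE) {
        return -1; /* not a number, trailing junk, or out of range */
    }
    if (v <= 0 || v > MAX_ARRAY) {
        return -1; /* zero, negative, or larger than the allowed bound */
    }
    return (long)v;
}

int main(int argc, char **argv) {
    const char *arg = (argc > 1) ? argv[1] : "10";
    long n = parse_size(arg);
    if (n < 0) {
        fprintf(stderr, "rejected size argument: %s\n", arg);
        return EXIT_FAILURE;
    }
    printf("sum of 0..%ld-1 = %ld\n", n, compliant_sum((size_t)n));
    return EXIT_SUCCESS;
}
```

Running the program with `-1`, `0`, `4096` or `12abc` as the argument rejects the size before any VLA is declared; only values between 1 and `MAX_ARRAY` reach `compliant_sum`.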
Newer versions of GCC have incorporated variable length arrays but do not yet claim full C99 conformance. Therefore, variable length arrays should be used on GCC only with great care.
...
Automated Detection

Tool | Version | Checker | Description
---|---|---|---
Coverity | | REVERSE_NEGATIVE, NEGATIVE_RETURNS | Can find the instances where data is read from or written to a negative array index.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC TR 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]
ISO/IEC TR 24772 "XYX Boundary Beginning Violation" and "XYZ Unchecked Array Indexing"
...