...
where the integer expression `size` and the declaration of `vla` are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of C11 [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
...
In this noncompliant code example, a variable length array of size `size` is declared. The `size` parameter is declared as `size_t` in compliance with INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.
```c
void func(size_t size) {
  int vla[size]; /* size is used unchecked: 0 or an excessive value is never rejected */
  /* ... */
}
/* ... */
```
However, it is not guaranteed that the value of `size` is a valid size argument, potentially giving rise to a security vulnerability.
Compliant Code Solution
This compliant solution ensures the `size` argument used to allocate `vla` is in a valid range (between 1 and a programmer-defined maximum); otherwise, it uses an algorithm that relies on dynamic memory allocation.
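The following is an added illustration of that pattern, not the CERT compliant solution itself: the bound `MAX_VLA_ELEMENTS`, the heap ceiling `MAX_HEAP_ELEMENTS` and the function `sum_with_checked_vla` are assumed names chosen for this example. A size of zero or one beyond the heap ceiling is rejected outright, a size within the VLA bound uses the stack array, and anything in between falls back to `malloc`.

```c
#include <stddef.h>
#include <stdlib.h>

/* Programmer-defined upper bound for a stack-allocated VLA (assumed value). */
enum { MAX_VLA_ELEMENTS = 256 };
/* Assumed ceiling for the heap fallback so an excessive request is refused. */
enum { MAX_HEAP_ELEMENTS = 1 << 20 };

/* Fills buf[0..n-1] with 0..n-1 and returns the sum; shared by both paths. */
static long long fill_and_sum(int *buf, size_t n) {
  long long sum = 0;
  for (size_t i = 0; i < n; i++) {
    buf[i] = (int)i;
    sum += buf[i];
  }
  return sum;
}

/* Returns the sum for sizes the function accepts, or -1 for a rejected size
 * or allocation failure. *used_heap is set to 1 when malloc was used. */
long long sum_with_checked_vla(size_t size, int *used_heap) {
  *used_heap = 0;
  if (size == 0 || size > MAX_HEAP_ELEMENTS) {
    return -1; /* zero or excessive: never reaches a VLA declaration */
  }
  if (size <= MAX_VLA_ELEMENTS) {
    int vla[size]; /* size is now known to be in [1, MAX_VLA_ELEMENTS] */
    return fill_and_sum(vla, size);
  }
  /* size <= MAX_HEAP_ELEMENTS, so the multiplication cannot overflow here. */
  int *heap = malloc(size * sizeof *heap);
  if (heap == NULL) {
    return -1;
  }
  *used_heap = 1;
  long long result = fill_and_sum(heap, size);
  free(heap);
  return result;
}
```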
...
Tool | Version | Checker | Description
---|---|---|---
 | | REVERSE_NEGATIVE, NEGATIVE_RETURNS | Can find the instances where data is read from or written to a negative array index.
...
ISO/IEC TR 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]
ISO/IEC TR 24772 "XYX Boundary beginning violation" and "XYZ Unchecked array indexing"
Bibliography
...