...
The type {{size_t}} generally covers the entire address space. ISO/IEC TR 24731-1-2007 introduces a new type {{rsize_t}}, defined to be {{size_t}} but explicitly used to hold the size of a single object \[[Meyers 2004|AA. Bibliography#Meyers 2004]\]. In code that documents this purpose by using the type {{rsize_t}}, the size of an object can be checked to verify that it is no larger than {{RSIZE_MAX}}, the maximum size of a normal single object, which provides additional input validation for library functions. See recommendation [STR07-C. Use TR 24731 for remediation of existing string manipulation code] for additional discussion of TR 24731-1.
...
The unsigned {{n}} may contain a value greater than {{INT_MAX}}. Assuming quiet wraparound on signed overflow, the loop executes {{n}} times because the comparison {{i < n}} is an unsigned comparison. Once {{i}} is incremented beyond {{INT_MAX}}, {{i}} takes on negative values starting with {{INT_MIN}}. Consequently, the memory locations referenced by {{p\[i\]}} precede the memory referenced by {{p}}, and a write outside the array bounds occurs.
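The following is an added example, not code from this page or from CERT, showing a copy routine that avoids the signed-index wraparound described above and applies the {{RSIZE_MAX}}-style size check from the {{rsize_t}} discussion. Annex K support is often missing, so {{example_rsize_t}} and {{EXAMPLE_RSIZE_MAX}} are stand-ins defined here, and {{copy_checked}} and {{wrapped_int_index}} are hypothetical names; the latter models a 32-bit {{int}}.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: stand-ins for Annex K's rsize_t and RSIZE_MAX, which many
 * C libraries do not provide. SIZE_MAX >> 1 is one common choice. */
typedef size_t example_rsize_t;
#define EXAMPLE_RSIZE_MAX (SIZE_MAX >> 1)

/* Returns a heap copy of the first n bytes of src, or NULL if src is NULL,
 * n is zero, n exceeds EXAMPLE_RSIZE_MAX, or allocation fails.
 * The caller must ensure src holds at least n bytes and must free the result. */
char *copy_checked(example_rsize_t n, const char *src)
{
    if (src == NULL || n == 0 || n > EXAMPLE_RSIZE_MAX) {
        return NULL; /* reject sizes no normal single object can have */
    }
    char *p = malloc(n);
    if (p == NULL) {
        return NULL;
    }
    /* The index has the same unsigned type as the bound, so i < n needs no
     * signed/unsigned conversion and i can never take a negative value. */
    for (example_rsize_t i = 0; i < n; ++i) {
        p[i] = src[i];
    }
    return p;
}

/* Models the failure in the text: the value a 32-bit int index would hold
 * after `count` increments from zero, assuming quiet wraparound. The
 * unsigned-to-signed conversion is implementation-defined; mainstream
 * two's-complement compilers wrap modulo 2^32. */
long long wrapped_int_index(size_t count)
{
    return (long long)(int32_t)(uint32_t)count;
}
```

With {{count}} equal to {{INT32_MAX + 1}}, {{wrapped_int_index}} yields {{INT32_MIN}}, which is the index that would place {{p\[i\]}} before the start of the buffer.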
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: INT01-CPP. Use rsize_t or size_t for all integer values representing the size of an object
...
Bibliography
\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 7.17, "Common definitions {{<stddef.h>}}", Section 7.20.3, "Memory management functions"
\[[ISO/IEC TR 24731-1-2007|AA. Bibliography#ISO/IEC TR 24731-1-2007]\]
\[[Meyers 2004|AA. Bibliography#Meyers 2004]\]
...