Versions Compared

Comment: Added the 4th solution

...

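#include <string.h>

void f3(int *a) {
	float b = 3.14f;
	const size_t n = sizeof(b);	/* b is a float object, not a pointer */
	void *p = a;
	void *q = &b;

	/* sizeof cannot be applied through a void pointer, so compare n
	   with the sizes of the objects that p and q point to */
	if (n <= sizeof(*a) && n <= sizeof(b)) {
		memcpy(p, q, n);
	} else {
		/* Handle Error */
	}
}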

Noncompliant Code Example

In this noncompliant code example, the value of 'n' could be greater than the size of *p. Also, the effective type of *p (int) is not the same as the effective type of *q (float).

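#include <stdlib.h>
#include <wchar.h>

wchar_t *f7() {
	const wchar_t *p = L"Hello, World!";
	/* Noncompliant: sizeof(p) is the size of the pointer, not of a wchar_t element */
	const size_t n = sizeof(p) * (wcslen(p) + 1);

	wchar_t *q = (wchar_t *)malloc(n);
	return q;
}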

Compliant Solution

This compliant solution makes sure that the value of 'n' is not greater than the minimum of the effective sizes of *p and *q.

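#include <stdlib.h>
#include <wchar.h>

wchar_t *f7() {
	const wchar_t *p = L"Hello, World!";
	/* Element count (including the terminator) scaled by the element size */
	const size_t n = sizeof(wchar_t) * (wcslen(p) + 1);

	wchar_t *q = (wchar_t *)malloc(n);
	return q;
}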
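
As an added example (not part of the original page), the two checks discussed above can be combined: a copy that is refused when n exceeds the size of either object, and a wide-string allocation sized by the element type rather than the pointer type. The helper names checked_copy, wide_bytes and wide_dup are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical helper: copy n bytes only when n fits in both objects.
 * The caller passes the real object sizes, because sizeof cannot
 * recover them from a void pointer. Returns 0 on success, -1 otherwise. */
static int checked_copy(void *dst, size_t dst_size,
                        const void *src, size_t src_size, size_t n) {
	if (dst == NULL || src == NULL || n > dst_size || n > src_size) {
		return -1;
	}
	memcpy(dst, src, n);
	return 0;
}

/* Hypothetical helper: bytes needed for a wide string plus terminator,
 * scaled by the element size (not the pointer size). 0 means overflow. */
static size_t wide_bytes(const wchar_t *s) {
	const size_t count = wcslen(s) + 1;
	if (count > SIZE_MAX / sizeof(*s)) {
		return 0;
	}
	return count * sizeof(*s);
}

/* Hypothetical helper: allocate and copy; the caller frees the result. */
static wchar_t *wide_dup(const wchar_t *s) {
	const size_t n = wide_bytes(s);
	wchar_t *q = (n != 0) ? malloc(n) : NULL;
	if (q != NULL && checked_copy(q, n, s, n, n) != 0) {
		free(q);
		q = NULL;
	}
	return q;
}

int main(void) {
	wchar_t *copy = wide_dup(L"Hello, World!"); /* constructed sample input */
	const int ok = copy != NULL && wcscmp(copy, L"Hello, World!") == 0;
	free(copy);
	return ok ? 0 : 1;
}
```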

Risk Assessment

Depending on the library function called, the attacker may be able to use a heap overflow vulnerability to run arbitrary code. Detection of the checks specified in the description can be automated, but the remediation has to be manual.

...