...
Code Block |
---|
|
/*
 * f1: allocates nchars bytes and then zero-fills nchars + 1 bytes.
 * The fill length is one byte larger than the allocation, so memset()
 * writes past the end of the heap buffer.
 */
void f1 (size_t nchars) {
/* Allocation is exactly nchars bytes; the result is not checked for NULL. */
char *p = (char *)malloc(nchars);
/* One more than the allocated size; wraps to 0 when nchars == SIZE_MAX. */
const size_t n = nchars + 1;
/* Writes n bytes into an nchars-byte object: out of bounds by one byte. */
memset(p, 0, n);
/* More program code */
}
|
...
Code Block |
---|
|
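/*
 * Allocate an nchars-byte buffer and zero its first val bytes.
 *
 * nchars: size of the allocation, in bytes.
 * val:    number of bytes to clear; must not exceed nchars.
 *
 * The fill is skipped (error path) when the allocation fails or when val
 * is larger than the buffer, so memset() never writes outside the object.
 */
void f1(size_t nchars, size_t val) {
    char *p = malloc(nchars);
    const size_t n = val;

    /*
     * Compare the two sizes directly: size_t is unsigned, so a subtraction
     * such as nchars - n can never be negative and cannot act as the
     * range check. A NULL result from malloc() is rejected here as well.
     */
    if (p == NULL || n > nchars) {
        /* Handle Error */
    } else {
        memset(p, 0, n);
    }
    /* More program code */

    /* Assumes the elided code above does not hand p to another owner. */
    free(p);
}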
|
Noncompliant Code Example
...
Code Block |
---|
|
/*
 * f2: zero-fills a float array using a byte count derived from int.
 * The count is only right where sizeof(int) == sizeof(float); elsewhere
 * memset() either leaves part of a[] untouched or writes past its end.
 */
void f2() {
float a[4];
/* Element type used here (int) does not match the array's element type (float). */
const size_t n= sizeof(int) * 4;
/* After this conversion nothing at the memset() call ties n to the type of a. */
void *p = a;
memset(p, 0, n);
/* More program code */
}
|
...
Code Block |
---|
|
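/*
 * Zero-fill a local float array.
 *
 * The byte count is taken from the array object itself (sizeof a) rather
 * than from a separately spelled element type and element count, so it
 * stays correct if the declaration of a changes.
 */
void f2(void) {
    float a[4];
    const size_t n = sizeof a;  /* whole array, in bytes */
    void *p = a;

    memset(p, 0, n);
    /* More program code */
}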
|
...
Code Block |
---|
|
/*
 * f3: copies the bytes of a local float into the storage a points to.
 * Nothing visible here establishes how large that storage is, or that a
 * is non-null, before memcpy() writes n bytes through it.
 */
void f3(int *a) {
float b = 3.14;
/* NOTE(review): b is a float, not a pointer, so sizeof(*b) is ill-formed; sizeof(b) is presumably intended - confirm. */
const size_t n = sizeof(*b);
void *p = a;
void *q = &b;
/* n is derived from the source only; it is never compared with the destination's size. */
memcpy(p, q, n);
/* More program code */
}
|
...
Code Block |
---|
|
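/*
 * Copy the object representation of a local float into *a.
 *
 * a: destination; must point to at least one int.
 *
 * With only an int * to go on, the function can vouch for a single int's
 * worth of destination storage, so the copy is performed only when the
 * float fits in one int and a is non-null. A caller that owns a larger
 * destination has to pass its size explicitly; it cannot be recovered
 * from the pointer.
 */
void f3(int *a) {
    float b = 3.14f;
    const size_t n = sizeof b;  /* bytes read from the source object */
    void *p = a;
    void *q = &b;

    /* sizeof is applied to the typed objects: a void * carries no size. */
    if (a != NULL && n <= sizeof *a && n <= sizeof b) {
        memcpy(p, q, n);
    } else {
        /* Handle Error */
    }
}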
|
Risk Assessment
Depending on the library function called, an attacker may be able to exploit a heap overflow vulnerability to run arbitrary code. Detection of the checks specified in the description can be automated, but remediation has to be manual.
...