...
The unsigned n may contain a value greater than INT_MAX. Assuming quiet wraparound on signed overflow, the loop executes n times because the comparison i < n is an unsigned comparison. Once i is incremented beyond INT_MAX, i takes on negative values starting with (INT_MIN). Consequently, the memory locations referenced by p[i] precede the memory referenced by p and a write outside the array bounds occurs.
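The index behaviour described above, as an added example that is not the guideline's own code: `int_index_after` models the value an `int` counter holds under the quiet-wraparound assumption without itself overflowing, and `copy_n` shows the same loop with a `size_t` index. All function names are hypothetical, and the model assumes `long long` is wider than `int`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Models the value an int counter holds after k increments from 0 under
 * quiet two's-complement wraparound (the assumption made in the text).
 * Done in unsigned arithmetic so the model itself never overflows.
 * Assumption: long long is wider than int. */
long long int_index_after(unsigned long long k) {
  unsigned int u = (unsigned int)k;  /* well-defined: k mod (UINT_MAX + 1) */
  if (u <= (unsigned int)INT_MAX)
    return (long long)u;             /* still a valid non-negative index */
  /* Past INT_MAX the counter is negative: p[i] now lies before p. */
  return (long long)u - (long long)UINT_MAX - 1;
}

/* Returns 1 when an int index cannot address every byte of an
 * n-byte object, i.e. when the loop in the text would wrap. */
int int_index_unsafe(size_t n) {
  return n > (size_t)INT_MAX;
}

/* Same copy loop with the index typed as size_t: i < n compares two
 * values of the same unsigned type and i can never become negative. */
char *copy_n(size_t n, const char *str) {
  char *p;
  size_t i;

  if (n == 0)
    return NULL;
  p = (char *)malloc(n);
  if (p == NULL)
    return NULL;
  for (i = 0; i < n; ++i)
    p[i] = str[i];
  return p;
}
```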
sizeof(size_t) > sizeof(int)
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
| INT01-CPP. Use rsize_t or size_t for all integer values representing the size of an object | |
| ISO/IEC TR 24731-1:2007 |
Bibliography
...
Section 7.19, "Common definitions <stddef.h>," and Section 7.22.3, "Memory management functions" |
...