Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

where the integer expression size and the declaration of vla are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of C11 [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.

...

In this noncompliant code example, a variable length array of size size is declared. The size is declared as size_t in compliance with INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.

Code Block
bgColor#FFCCCC
langc
void func(size_t size) {
  int vla[size];
  /* ... */
}
/* ... */

However, it is not guaranteed that the value of size is a valid size argument, potentially giving rise to a security vulnerability.

Compliant Code Solution

This compliant solution ensures the size argument used to allocate vla is in a valid range (between 1 and a programmer-defined maximum); otherwise, it uses an algorithm that relies on dynamic memory allocation.

...

Tool

Version

Checker

Description

Coverity

Include Page
Coverity_V
Coverity_V

REVERSE_NEGATIVE NEGATIVE_RETURNS

Can find the instances where data is read/write from a negative array index.

PRQA QA·CQA-C
Include Page
PRQA_V
PRQA_V
 Partially implemented

...

ISO/IEC TR 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]

ISO/IEC TR 24772 "XYX Boundary beginning violation" and "XYZ Unchecked array indexing"

Bibliography

[Griffiths 2006]

...