...
In the following non-compliant code example, length is a user-supplied argument that is used to determine the length of table.
```c
#include <stdint.h>  /* SIZE_MAX */
#include <stdlib.h>  /* malloc */

int create_table(size_t length) {
  char **table;
  /* Overflow check for length * sizeof(char *); note that it divides by length */
  if (sizeof(char *) > SIZE_MAX / length) {
    /* handle overflow */
  }
  size_t table_length = length * sizeof(char *);
  table = (char **)malloc(table_length);
  if (table == NULL) {
    /* Handle error condition */
  }
  /* ... */
  return 0;
}
```
Because length is user-controlled, the value could result in a large block of memory being allocated or cause the call to malloc() to fail. Depending on how error handling is implemented, this may result in a denial of service or other error. A length of zero results in a division by zero in the overflow check, which can also result in a denial of service.
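The following added example (not code from the original page) shows one way to bound the value: it rejects a zero length and any length above an application-defined cap before any arithmetic is performed. The name create_table_checked, the out parameter, and MAX_TABLE_LENGTH with its value of 256 are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed application limit (hypothetical value, not from the page). */
#define MAX_TABLE_LENGTH 256

/* With the cap in place, length * sizeof(char *) can never wrap. */
_Static_assert(MAX_TABLE_LENGTH <= SIZE_MAX / sizeof(char *),
               "MAX_TABLE_LENGTH too large for size_t arithmetic");

/*
 * Returns 0 and stores the new table in *out on success.
 * Returns -1 if out is NULL, length is zero or above the cap,
 * or the allocation fails. The caller frees *out.
 */
int create_table_checked(size_t length, char ***out) {
  if (out == NULL) {
    return -1;
  }
  *out = NULL;

  /* Range check first: no division, so length == 0 cannot trap. */
  if (length == 0 || length > MAX_TABLE_LENGTH) {
    return -1;
  }

  size_t table_length = length * sizeof(char *);
  char **table = (char **)malloc(table_length);
  if (table == NULL) {
    return -1;
  }
  for (size_t i = 0; i < length; i++) {
    table[i] = NULL;  /* give every slot a defined value */
  }
  *out = table;
  return 0;
}

int main(void) {
  /* Constructed sample inputs: zero, in range, over the cap, huge. */
  size_t samples[] = {0, 16, MAX_TABLE_LENGTH + 1, SIZE_MAX};
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    char **t;
    int rc = create_table_checked(samples[i], &t);
    printf("length=%zu -> %d\n", samples[i], rc);
    free(t);
  }
  return 0;
}
```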
...