...
where the integer expression `size` and the declaration of `vla` are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of the C Standard [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
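As an added illustration (not code from the CERT page itself), the following shows the range check the rule calls for: the size is validated before the VLA declaration is ever reached, so neither a non-positive value nor an excessively large one can drive the runtime allocation. The bound `VLA_MAX_ELEMS`, the function names and the sample inputs are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on the element count we are willing to place in a stack VLA.
 * The value is an assumption for this example; a real program derives it
 * from its stack budget and the element size. */
#define VLA_MAX_ELEMS 1024

/* Return 1 if `size` may be used as a VLA element count, 0 otherwise.
 * The parameter is deliberately signed: untrusted input is usually parsed
 * into a signed integer, and a negative value silently converted to size_t
 * would turn into a huge positive count. */
int vla_size_ok(long size)
{
    return size > 0 && size <= VLA_MAX_ELEMS;
}

/* Declare a VLA of `size` ints, fill it with 0..size-1 and return the sum.
 * Returns -1 when the size is outside the valid range; the VLA declaration
 * is only reached once the argument has been checked. */
long sum_with_vla(long size)
{
    if (!vla_size_ok(size)) {
        return -1;               /* reject before the VLA comes into existence */
    }

    int vla[size];               /* reached only with 0 < size <= VLA_MAX_ELEMS */
    long total = 0;
    for (long i = 0; i < size; i++) {
        vla[i] = (int)i;
        total += vla[i];
    }
    return total;
}

/* Parse a decimal count from an untrusted string (for example a request
 * field) and hand it to sum_with_vla. Returns -1 on a malformed number, on
 * overflow of long (strtol sets ERANGE) or on an out-of-range size. */
long sum_from_untrusted(const char *text)
{
    char *end = NULL;
    errno = 0;
    long size = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0') {
        return -1;               /* not a clean, representable integer */
    }
    return sum_with_vla(size);
}

int main(void)
{
    /* Constructed sample inputs: one valid, the rest must be rejected. */
    const char *inputs[] = { "16", "0", "-1", "99999999999999999999", "abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long result = sum_from_untrusted(inputs[i]);
        if (result >= 0)
            printf("%-22s -> sum %ld\n", inputs[i], result);
        else
            printf("%-22s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The check is kept in its own function so that a static analyzer or a reviewer can confirm every VLA declaration in the code base is dominated by a call to it; the negative, zero and oversized cases all take the same early-return path rather than reaching the array declaration.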
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
ARR32-C | High | Probable | High | P6 | L2
Automated Detection

Tool | Version | Checker | Description
---|---|---|---
Coverity | 6.5 | REVERSE_NEGATIVE | Fully Implemented
PRQA QA-C | | 1051 | Partially implemented
...
CERT C Secure Coding Standard | INT01-C. Use rsize_t or size_t for all integer values representing the size of an object
ISO/IEC TR 24772:2013 | Unchecked Array Indexing [XYZ]
ISO/IEC TS 17961 | Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]
Bibliography
...
[ISO/IEC 9899:2011] | Annex J, J.2, "Undefined behavior"
[Griffiths 2006] |
...