...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h>
#include <string.h>
enum { N1 = 4096 };
void *func(size_t n2) {
typedef int A[n2][N1];
A *array = malloc(sizeof(A));
if (!array) {
/* Handle error */
return NULL;
}
for (size_t i = 0; i != n2; ++i) {
memset(array[i], 0, N1 * sizeof(int));
}
return array;
}
|
Furthermore, this code also violates ARR39-C. Do not add or subtract a scaled integer to a pointer, where array is a pointer to the two-dimensional array, where it should really be a pointer to the latter dimension instead. This means that the memset() call does out-of-bounds writes on all of its invocations except the first.
Compliant Solution (sizeof)
This compliant solution prevents sizeof wrapping by detecting the condition before it occurs and avoiding the subsequent computation when the condition is detected. The code also uses an additional typedef to fix the type of array so that memset() never writes past the two-dimensional array.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { N1 = 4096 };
void *func(size_t n2) {
if (n2 > SIZE_MAX / (N1 * sizeof(int))) {
/* Prevent sizeof wrapping */
return NULL;
}
typedef int A1[N1];
typedef A1 A[n2][N1];
AA1 *array = (A1*) malloc(sizeof(A));
if (!array) {
/* Handle error */
return NULL;
}
for (size_t i = 0; i != n2; ++i) {
memset(array[i], 0, N1 * sizeof(int));
}
return array;
}
|
...
Tool | Version | Checker | Description | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| ALLOC.SIZE.IOFLOW | Integer Overflow of Allocation Size | ||||||||||||||||||||||
| Coverity |
| REVERSE_NEGATIVE | Fully implemented | ||||||||||||||||||||||
| Cppcheck |
| negativeArraySize | Context sensitive analysis | ||||||||||||||||||||||
| Cppcheck Premium |
| negativeArraySize premium-cert-arr32-c | Context sensitive analysis Will warn only if given size is negative | ||||||||||||||||||||||
| Helix QAC |
| C1051 | |||||||||||||||||||||||
| Klocwork |
| MISRA.ARRAY.VAR_LENGTH.2012 | |||||||||||||||||||||||
| LDRA tool suite |
| 621 S | Enhanced enforcementPolyspace Bug Finder | ||||||||||||||||||||||
| Parasoft C/C++test |
| Polyspace Bug Finder
| Polyspace Bug Finder
| Size argument to memory function is from an unsecure source Size of the variable-length array (VLA) is from an unsecure source and may be zero, negative, or too large | PRQA QA-C | ||||||||||||||||||||
| Include Page | PRQA QA-C_v | PRQA QA-C_v | 1051 | Partially implemented | Cppcheck | ||||||||||||||||||||
| Include Page | Cppcheck_V | Cppcheck_V | negativeArraySize | Context sensitive analysisCERT_C-ARR32-a | Ensure the size of the variable length array is in valid range | ||||||||||||||||||||
| PC-lint Plus |
| 9035 | Assistance provided | ||||||||||||||||||||||
| Polyspace Bug Finder |
| Checks for:
Rule fully covered. | |||||||||||||||||||||||
| TrustInSoft Analyzer |
| alloca_bounds | Exhaustively verified. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...