Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFCCCC
langc
#include <stdlib.h>
#include <string.h>
 
enum { N1 = 4096 };

void *func(size_t n2) {
  typedef int A[n2][N1];

  A *array = malloc(sizeof(A));
  if (!array) {
    /* Handle error */
    return NULL;
  }

  for (size_t i = 0; i != n2; ++i) {
    memset(array[i], 0, N1 * sizeof(int));
  }

  return array;
}

Furthermore, this code also violates ARR39-C. Do not add or subtract a scaled integer to a pointer, where array is a pointer to the two-dimensional array, where it should really be a pointer to the latter dimension instead. This means that the memset() call does out-of-bounds writes on all of its invocations except the first.

Compliant Solution (sizeof)

This compliant solution prevents sizeof wrapping by detecting the condition before it occurs and avoiding the subsequent computation when the condition is detected. The code also uses an additional typedef to fix the type of array so that memset() never writes past the two-dimensional array.

Code Block
bgColor#ccccff
langc
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
 
enum { N1 = 4096 };

void *func(size_t n2) {
  if (n2 > SIZE_MAX / (N1 * sizeof(int))) {
    /* Prevent sizeof wrapping */
    return NULL;
  }

  typedef int A1[N1];
  typedef A1 A[n2][N1];

  AA1 *array = (A1*) malloc(sizeof(A));

  if (!array) {
    /* Handle error */
    return NULL;
  } 

  for (size_t i = 0; i != n2; ++i) {
    memset(array[i], 0, N1 * sizeof(int));
  }
  return array;
}

...

Context sensitive analysis
Will warn only if given size is negative

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.SIZE.IOFLOW
ALLOC.SIZE.MULOFLOW
MISC.MEM.SIZE.BAD

Integer Overflow of Allocation Size
Multiplication Overflow of Allocation Size
Unreasonable Size Argument

Coverity
Include Page
Coverity_V
Coverity_V
REVERSE_NEGATIVEFully implemented
Cppcheck

Include Page
Cppcheck_V
Cppcheck_V

negativeArraySize

Context sensitive analysis
Will warn only if given size is negative

Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

negativeArraySize

premium-cert-arr32-c

Context sensitive analysis
Will warn only if given size is negative
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C1051
Klocwork
Include Page
Klocwork_V
Klocwork_V

MISRA.ARRAY.VAR_LENGTH.2012


LDRA tool suite
 
Include Page
LDRA_V
LDRA_V
621 SEnhanced enforcement
Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-ARR32-a

Ensure the size of the variable length array is in valid range

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

9035

Assistance provided

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule ARR32-C

Checks for:

  • Memory allocation with tainted size
  • Tainted size of variable length array

Rule fully covered.

PRQA QA-C
Include Page
PRQA QA-C_vPRQA QA-C_v1051, 2052Partially implementedCppcheck
Include Page
Cppcheck_VCppcheck_VnegativeArraySize

TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

alloca_boundsExhaustively verified.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...