Variable length arrays (VLA) are basically the same as traditional C arrays, the major difference being they are declared with a size that is not a constant integer expression. A variable length array can be declared as follows:
char vla[s];
The above statement is evaluated at runtime allocating storage for s
characters on the stack. If a size argument supplied to VLAs is not a positive integer value of reasonable size, then the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data (Feline 1). The programmer must ensure that size arguments to VLAs are valid and have not been corrupted as the result of an exceptional integer condition.
Non-Compliant Example 1
In this example, a VLA of size s
is declared with s
being type size_t
. However, it is unclear whether or not s
is a valid size argument. Depending on how VLAs are implemented s
may be interpreted as a negative value or a very large value. In either case, this may result in a security vulnerability.
void func(size_t s) { vla[s]; ... } ... func(size); ...