...
Non-Compliant Code Example
...
In this non-compliant code example, the function `clear()` zeros the elements in an array. The function has one parameter declared as `int array[]` and is passed a static array consisting of twelve `int` as the argument. The function `clear()` uses the idiom `sizeof (array) / sizeof (array[0])` to determine the number of elements in the array. However, `array` has a pointer type because it is a parameter. As a result, `sizeof(array)` is `sizeof(int *)`. For example, in GCC on IA32, the expression `sizeof (array) / sizeof (array[0])` evaluates to 1, regardless of the length of the array passed, leaving the rest of the array unaffected.
```c
#include <stddef.h>

void clear(int array[]) {
  size_t i;
  /* array has decayed to int *, so this bound is sizeof(int *) / sizeof(int) */
  for (i = 0; i < sizeof (array) / sizeof (array[0]); ++i) {
    array[i] = 0;
  }
}
/* ... */
int dis[12];
clear(dis);
/* ... */
```
The footnote in Section 6.5.3.4 of the C Standard [ISO/IEC 9899:1999] explains:

    When applied to a parameter declared to have array or function type, the sizeof operator yields the size of the adjusted (pointer) type. . . .
Compliant Solution
In this compliant solution, the size of the array is determined inside the block in which it is declared and passed as an argument to the function.
```c
#include <stddef.h>

void clear(int array[], size_t size) {
  size_t i;
  for (i = 0; i < size; i++) {
    array[i] = 0;
  }
}
/* ... */
int dis[12];
/* the element count is computed in the scope where dis is declared */
clear(dis, sizeof (dis) / sizeof (dis[0]));
/* ... */
```
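The following added example (not part of the CERT page) puts the non-compliant and compliant `clear()` variants side by side and makes the effect measurable: `decayed_count()` returns what the `sizeof` idiom yields inside the callee, `declared_count()` what it yields where the array is declared, and the `leftover_*()` helpers report how many of the twelve elements each variant fails to zero. The `DIS_LEN` macro and the helper names are assumptions introduced for the demonstration.

```c
#include <stddef.h>

#define DIS_LEN 12  /* constructed for this example; the page uses a literal 12 */

/* Non-compliant (the page's pattern): `array` is really an int *, so the
 * idiom yields sizeof(int *) / sizeof(int), not the caller's element count. */
static void clear_noncompliant(int array[]) {
    size_t i;
    for (i = 0; i < sizeof(array) / sizeof(array[0]); ++i) {
        array[i] = 0;
    }
}

/* Compliant: the caller computes the count in the scope that declares the array. */
static void clear_compliant(int array[], size_t size) {
    size_t i;
    for (i = 0; i < size; ++i) {
        array[i] = 0;
    }
}

/* What the idiom evaluates to once the array has decayed to a pointer. */
size_t decayed_count(int array[]) {
    return sizeof(array) / sizeof(array[0]);
}

/* What the same idiom evaluates to where the array is declared. */
size_t declared_count(void) {
    int dis[DIS_LEN];
    return sizeof(dis) / sizeof(dis[0]);
}

/* Fill a DIS_LEN array with 1s, clear it with the chosen variant and
 * return how many elements were left non-zero (0 means fully cleared). */
static size_t leftover(int use_compliant) {
    int dis[DIS_LEN];
    size_t i, nonzero = 0;
    for (i = 0; i < DIS_LEN; ++i) dis[i] = 1;
    if (use_compliant) {
        clear_compliant(dis, sizeof(dis) / sizeof(dis[0]));
    } else {
        clear_noncompliant(dis);
    }
    for (i = 0; i < DIS_LEN; ++i) nonzero += (dis[i] != 0);
    return nonzero;
}

size_t leftover_noncompliant(void) { return leftover(0); }
size_t leftover_compliant(void) { return leftover(1); }
```

On an LP64 platform `decayed_count()` is 2, so the non-compliant variant leaves 10 of the 12 elements untouched; on IA32 it is 1 and 11 elements survive, matching the page's description.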
...
Compliant Solution
...
Risk Assessment
Incorrectly using the sizeof operator to determine the size of an array can result in a buffer overflow, allowing the execution of arbitrary code.
...