...
In this compliant solution, len is declared as a size_t, so there is no possibility of this variable having a negative value and bypassing the range check:
...
In this noncompliant code example, an array of long is allocated and assigned to p. However, sizeof(int) is used to size the allocated memory. If sizeof(long) is larger than sizeof(int), then an insufficient amount of memory is allocated.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM35-C | highHigh | probableProbable | highHigh | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
|
| could check violations of this rule by examining the size expression to
| |||||||
| BAD_ALLOC_STRLEN
| Can find instances where string length is miscalculated (length calculated may be one less than intended) for memory allocation purposes. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary Finds memory allocations that are assigned to a pointer that reference objects larger than the allocated block | |||||||
5.0 |
| Can detect violations of this rule with CERT C Rule Pack, except those involving the | |||||||
| 487 S | Fully implemented |
...
CVE-2009-0587 results from a violation of this rule. Before version 2.24.5, Evolution Data Server performed unchecked arithmetic operations on the length of a user-input string and used the value to allocate space for a new buffer. An attacker could thereby execute arbitrary code by inputting a long string, resulting in incorrect allocation and buffer overflow [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
...