...

This compliant solution uses fstat() instead to obtain the size of the binary file.

...

However, the file position indicator returned by ftell() with a file opened in text mode is only useful in calls to fseek(). As such, the value of file_size may not necessarily be a meaningful measure of the number of characters in the file and, consequently, the amount of memory allocated may be incorrect, leading to a potential vulnerability.

...

This compliant solution uses fstat() instead to obtain the size of the text file.

...

Understanding the difference between text mode and binary mode with file streams is critical when working with functions that operate on them. Setting the file position indicator to end-of-file with fseek() has undefined behavior for a binary stream. In addition, the return value of ftell() for streams opened in text mode is useful only in calls to fseek(), and not for determining file sizes or for any other use. As such, fstat(), or other platform-equivalent functions, should be used to determine the size of a file.
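The following is an added example, not code from the original page: a POSIX sketch that sizes the buffer from fstat() on the open descriptor instead of fseek()/ftell(), rejects non-regular files, and never reads past the allocated size if the file changes afterwards. The names read_regular_file, demo_roundtrip and MAX_FILE_BYTES, the size cap, and the /tmp path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_FILE_BYTES (16u * 1024u * 1024u) /* assumed policy cap, not from the page */

/* Read a regular file into a heap buffer sized from fstat(); NULL on error. */
char *read_regular_file(const char *path, size_t *len) {
    struct stat st;
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd == -1) return NULL;
    /* fstat() queries the descriptor we read from, so no seek/tell is needed. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_size < 0 ||
        (unsigned long long)st.st_size > MAX_FILE_BYTES) { close(fd); return NULL; }
    size_t want = (size_t)st.st_size;
    char *buf = malloc(want + 1); /* +1 for a terminating NUL */
    if (buf == NULL) { close(fd); return NULL; }
    while (got < want) { /* never read past the size we allocated for */
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) { free(buf); close(fd); return NULL; }
        if (n == 0) break; /* file shrank after fstat(): keep what we got */
        got += (size_t)n;
    }
    close(fd);
    buf[got] = '\0';
    *len = got;
    return buf;
}

/* Constructed sample: write a temp file, read it back; returns bytes read or -1. */
long demo_roundtrip(void) {
    static const char sample[] = "line one\nline two\n"; /* constructed input */
    char path[] = "/tmp/fstat_demo_XXXXXX";
    size_t len = 0;
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    ssize_t w = write(fd, sample, sizeof sample - 1);
    close(fd);
    char *buf = (w == (ssize_t)(sizeof sample - 1)) ? read_regular_file(path, &len) : NULL;
    unlink(path);
    long result = (buf && strcmp(buf, sample) == 0) ? (long)len : -1;
    free(buf);
    return result;
}
```

The S_ISREG() check matters because st_size is only meaningful as a byte count for regular files; a directory or device opens successfully but is rejected here.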

...