...
where the integer expression size and the declaration of vla are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of C11 [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way: a size larger than the remaining stack can move the stack pointer past the stack's guard region, so that subsequent writes to the array land on other memory. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
...
However, it is not guaranteed that the value of size is a valid size argument, potentially giving rise to a security vulnerability.
Compliant Code Solution
This compliant solution ensures the size argument used to allocate vla is in a valid range (between 1 and a programmer-defined maximum); otherwise, it uses an algorithm that relies on dynamic memory allocation.
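The following is an added example, not the code from this rule's page: it places the unchecked pattern described above next to the checked pattern this compliant solution describes. The bound MAX_VLA_ELEMS, the function names, the result codes, and the sample inputs are all assumptions made for the example. The checked version also guards the heap fallback against a size-multiplication overflow, a step the prose does not spell out.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest element count this example is willing to place on the stack.
 * The value is an assumption for the example; choose one that fits the
 * target's stack budget. */
enum { MAX_VLA_ELEMS = 1024 };

/* Result codes so a caller (or a test) can see which path was taken. */
enum vla_path { PATH_REJECTED = -1, PATH_VLA = 1, PATH_HEAP = 2 };

/* Noncompliant form: `len` reaches the VLA declaration unchecked.
 * A zero or negative `len` is undefined behavior (C11 Annex J, UB 75);
 * a very large `len` moves the stack pointer past the guard region and
 * lets the writes below land on other data.  Kept only for comparison;
 * never call it with a value taken from untrusted input. */
long sum_squares_unchecked(const int *src, int len) {
  int scratch[len];                         /* no validation of len */
  long sum = 0;
  for (int i = 0; i < len; i++) {
    scratch[i] = src[i] * src[i];
    sum += scratch[i];
  }
  return sum;
}

/* Work shared by both allocation strategies in the checked form. */
static long sum_into(int *scratch, const int *src, size_t len) {
  long sum = 0;
  for (size_t i = 0; i < len; i++) {
    scratch[i] = src[i] * src[i];
    sum += scratch[i];
  }
  return sum;
}

/* Compliant form: the VLA is declared only once `len` is known to lie in
 * [1, MAX_VLA_ELEMS].  Larger sizes go to the heap, where an allocation
 * failure is reported instead of silently corrupting memory. */
enum vla_path sum_squares_checked(const int *src, long len, long *out) {
  if (src == NULL || out == NULL || len <= 0) {
    return PATH_REJECTED;                   /* UB 75 avoided here */
  }
  if (len <= MAX_VLA_ELEMS) {
    int scratch[len];                       /* 1 <= len <= MAX_VLA_ELEMS */
    *out = sum_into(scratch, src, (size_t)len);
    return PATH_VLA;
  }
  /* Heap fallback: refuse sizes whose byte count would overflow size_t. */
  if ((size_t)len > SIZE_MAX / sizeof(int)) {
    return PATH_REJECTED;
  }
  int *scratch = malloc((size_t)len * sizeof *scratch);
  if (scratch == NULL) {
    return PATH_REJECTED;
  }
  *out = sum_into(scratch, src, (size_t)len);
  free(scratch);
  return PATH_HEAP;
}

/* Constructed sample inputs for the demonstration (not from the page). */
const int SAMPLE_SMALL[5] = {1, 2, 3, 4, 5};   /* sum of squares: 55 */
static int sample_large[2 * MAX_VLA_ELEMS];    /* filled with 1s below */
long demo_out;                                 /* output slot for demos */

/* Fills the large sample with 1s and returns it; sum of squares = 2048. */
const int *large_sample(void) {
  for (size_t i = 0; i < sizeof sample_large / sizeof sample_large[0]; i++) {
    sample_large[i] = 1;
  }
  return sample_large;
}

int main(void) {
  enum vla_path p = sum_squares_checked(SAMPLE_SMALL, 5, &demo_out);
  printf("small: path=%d sum=%ld\n", (int)p, demo_out);
  p = sum_squares_checked(large_sample(), 2 * MAX_VLA_ELEMS, &demo_out);
  printf("large: path=%d sum=%ld\n", (int)p, demo_out);
  p = sum_squares_checked(SAMPLE_SMALL, -3, &demo_out);
  printf("negative: path=%d (rejected)\n", (int)p);
  p = sum_squares_checked(SAMPLE_SMALL, LONG_MAX, &demo_out);
  printf("huge: path=%d (rejected)\n", (int)p);
  return 0;
}
```

The check `len <= 0` is what removes the undefined behavior; the `MAX_VLA_ELEMS` bound is what removes the stack-pointer shift. Both are needed, and the bound should be chosen per target rather than copied from this example.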
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| | | REVERSE_NEGATIVE, NEGATIVE_RETURNS | Can find instances where data is read from or written to a negative array index. |
| PRQA QA·C | | | Partially implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
ISO/IEC TR 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]
ISO/IEC TR 24772 "XYX Boundary beginning violation" and "XYZ Unchecked array indexing"
Bibliography
...