...
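```c
#include <stdint.h>  /* SIZE_MAX */
#include <stdlib.h>  /* malloc, size_t */

enum { BLOCKSIZE = 16 };
/* ... */
void *alloc_blocks(size_t num_blocks) {
  /* Reject zero and any count whose product with BLOCKSIZE would wrap. */
  if (num_blocks == 0 || num_blocks > SIZE_MAX / BLOCKSIZE)
    return NULL;
  return malloc(num_blocks * BLOCKSIZE);
}
```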
...
In this non-compliant code example, the string referenced by `str` and the string length represented by `len` originate from untrusted sources. The length is used to perform a `memcpy()` into the fixed-size static array `buf`. The `len` variable is guaranteed to be less than `BUFF_SIZE`. However, because `len` is declared as an `int`, it can have a negative value that would bypass the check. The `memcpy()` function implicitly converts `len` to an unsigned `size_t` type, and the resulting operation results in a buffer overflow.
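The following added example (not code from the original page) shows why the signed check described above fails and how the same check behaves when the length is a `size_t`. The value of `BUFF_SIZE` and the function names `signed_check_passes`, `converted_length` and `copy_checked` are assumptions made for illustration; the flawed path only reports what would happen and never performs the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { BUFF_SIZE = 16 };   /* assumed size; the page does not state it */

static char buf[BUFF_SIZE];

/* The flawed test from the paragraph: a signed comparison.
 * Returns 1 when the check would allow the copy to proceed. */
int signed_check_passes(int len) {
  return len < BUFF_SIZE;
}

/* The byte count memcpy() would receive after the implicit
 * int -> size_t conversion of its third argument. */
size_t converted_length(int len) {
  return (size_t)len;
}

/* Hardened form: the length is a size_t from the start, so a
 * "negative" input arrives as a huge value and is rejected.
 * Returns 0 on success, -1 if the input is refused. */
int copy_checked(const char *str, size_t len) {
  if (str == NULL || len >= BUFF_SIZE)
    return -1;
  memcpy(buf, str, len);
  buf[len] = '\0';
  return 0;
}

int main(void) {
  int hostile_len = -1;  /* constructed untrusted input */

  printf("signed check passes for %d: %d\n",
         hostile_len, signed_check_passes(hostile_len));
  printf("memcpy would be asked for %zu bytes\n",
         converted_length(hostile_len));
  printf("size_t check on same value: %d\n",
         copy_checked("x", (size_t)hostile_len));
  printf("size_t check on valid input: %d\n",
         copy_checked("hello", 5));
  return 0;
}
```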
...