 
                            Wiki Markup [\]  are   not   checked   unless   the   programmer   provides   adequate   bounds   checking.   As   a   result,   the   expression  {{array  \ [pos\]   =   value}}  can   be   used   by   an   attacker   to   transfer   control   to   arbitrary   code.
As a result, if the attacker can control the values of both {{pos}} and {{value}} in the expression {{array \[pos\] = value}}, he can perform an arbitrary write (overwrite other storage locations with contents of his choice).  The consequences range from changing a variable used to determine what permissions the program grants to executing arbitrary code with the permissions of the vulnerable process.  Arrays are also a common source of buffer overflows when iterators exceed the dimensions of the 
An attacker who can control the values of both pos and value in the expression array [pos] = value can perform an arbitrary write (which is when the attacker overwrites other storage locations with different content). The consequences range from changing a variable used to determine what permissions the program grants to executing arbitrary code with the permissions of the vulnerable process. Arrays are also a common source of buffer overflows when iterators exceed the bounds of the array.
An array is a series of objects, all of which are the same size and type. Each object in an array is called an array element. The entire array is stored contiguously in memory (that is, there are no gaps between elements). Arrays are commonly used to represent a sequence of elements where random access is important but there is little or no need to insert new elements into the sequence (which can be an expensive operation with arrays).
Arrays containing a constant number of elements can be declared as follows:
| Code Block | 
|---|
| enum { ARRAY_SIZE = 12 }; int disarray[ARRAY_SIZE]; | 
These statements allocate storage for an array of twelve 12 integers referenced by dis array. Arrays are indexed from 0..n-1 (where n represents an array dimensionbound). Arrays can also be declared as follows:
| Code Block | 
|---|
| int itaarray[]; | 
This array is called an incomplete type because the size is unknown. If an array of unknown size is initialized, its size is determined by the largest indexed element with an explicit initializer. At the end of its initializer list, the array no longer has incomplete type.
| Code Block | 
|---|
| int itaarray[] = { 1, 2 }; | 
While Although these declarations work fine when the size of the array is known at compilation compile time, it is not possible to declare an array in this fashion when the size can be determined only at runtime. The C99 standard C Standard adds support for variable length arrays or arrays whose size is determined at runtime. Before the introduction of variable length arrays in C99, however, these "arrays" were typically implemented as pointers to their respective element types allocated using malloc(), as shown in this example:
| Code Block | 
|---|
| int *dis = (int *)malloc(ARRAY_SIZE * sizeof(int));
 | 
Always check that malloc() returns a non-null pointer, as per ERR33-C. Detect and handle standard library errors.
It is important to retain any pointer value returned by malloc() so that the referenced memory may eventually be deallocated. One possible way to preserve such a value is to use a constant pointer:
| Code Block | 
|---|
| Code Block | 
| int * const dat = (int * const) malloc( ARRAY_SIZE * sizeof(int) ); /* ... */ free(dat); | 
Below we consider some techniques for array initialization.  Both dis and dat arrays can then be initialized as follows:
| Code Block | 
|---|
| for (i = 0; i < ARRAY_SIZE; i++) { dis[i] = 42; /* Assigns 42 to each element; of dis */ dat[i] = 42; /* ... Assigns 42 to each element of dat */ } | 
The dat dis array can also be initialized as follows:
| Code Block | 
|---|
| for (i = 0; i < ARRAY_SIZE; i++) { *datdis = 42; datdis++; } datdis -= ARRAY_SIZE; | 
It is important to retain any value returned by malloc() so that it may be later sent to free(). One possible way of preserving such a value would be to use a constant pointer.
| Code Block | 
|---|
| 
int * const dat = (int * const) malloc(ARRAY_SIZE * sizeof(int));
/* ... */
free(dat);
 | 
The dis identifier cannot be incremented, so the expression dis++ results in a fatal compilation error. Both arrays can be initialized as follows:
This technique, however, will not work for dat.  The dat identifier cannot be incremented (produces a fatal compilation error), as it was declared with type int * const.  This problem can be circumvented by copying dat into a separate pointer:
| Code Block | 
|---|
| Code Block | 
| int *p = disdat; for (i = 0; i < ARRAY_SIZE; i++) { *p = 42; //* Assigns 42 to each element; */ p++; } | 
The variable p is declared as a pointer to an integer, initialized with the value stored in dat, and then incremented in the loop. This technique can be used to initialize both arrays, and is a better style of programming than incrementing the original pointer to the array because it does not change the pointer (e.g., dis++, in the above example), as it avoids having to reset the pointer back to the start of the array after the loop completes. 
Wiki Markup [\]}}  and   pointers.   The   expression  {{dis\[i\]}}  is   equivalent   to  {{\*(dis+i)}}. In other words, if {{dis}} is an array object (equivalently, a pointer to the initial element of an array object) and {{i}} is an integer, {{dis\[i\]}} designates the {{i{}}}th element of {{dis}} (counting from zero). In fact, because {{\ for all integral values of i. In other words, if dis is an array object (equivalently, a pointer to the initial element of an array object) and i is an integer, dis[i] designates the ith element of dis. In fact, because *(dis+i)}}  can   be   expressed   as  {{\*(i+dis)}},   the   expression  {{dis\[i\]}}  can   be   represented   as  {{i\[dis\]}},   although   doing   so   is   not   encouraged. Wiki Markup dis[0], or equivalently as *(dis+0) or simply *dis.
Risk Assessment
Arrays are a common source of vulnerabilities in C language programs , because they are frequently used but not always fully understood.
| Recommendation | Severity | Likelihood | 
|---|
| Detectable | Repairable | Priority | Level | 
|---|
ARR01-A
high
probable
low
P18
| ARR00-C | High | Probable | No | No | P6 | L2 | 
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar | 
 | LANG.CAST.ARRAY.TEMP | Array to Pointer Conversion on Temporary Object | ||||||
| Helix QAC | 
 | C0304, C0450, C0453, C0455, C0459, C0464, C0465, C0491, C0590, C0642, C0676, C0677, C0678, C0680, C0686, C0687, C0688, C0691, C0710, C0711, C0941, C1037, C1051, C1052, C1121, C1122, C1123, C1188, C1189, C1312, C2668, C2669, C2781, C2782, C2783, C2810, C2811, C2812, C2813, C2814, C2820, C2821, C2822, C2823, C2824, C2840, C2841, C2842, C2843, C2845, C2846, C2847, C2848, C2950, C2951, C2952, C2953, C3337, C3405, C3639, C3640, C3650, C3651, C3674, C3684, C4500, C4510 | |||||||
| Klocwork | 
 | ABV.ANY_SIZE_ARRAY ABV.GENERAL ABV.GENERAL.MULTIDIMENSION ABV.ITERATOR ABV.MEMBER ABV.STACK ABV.TAINTED ABV.UNICODE.BOUND_MAP ABV.UNICODE.FAILED_MAP ABV.UNICODE.NNTS_MAP ABV.UNICODE.SELF_MAP ABV.UNKNOWN_SIZE NNTS.MIGHT NNTS.MUST NNTS.TAINTED SV.STRBO.BOUND_COPY.OVERFLOW SV.STRBO.BOUND_COPY.UNTERM SV.STRBO.BOUND_SPRINTF SV.STRBO.UNBOUND_COPY SV.STRBO.UNBOUND_SPRINTF SV.TAINTED.ALLOC_SIZE SV.TAINTED.CALL.INDEX_ACCESS SV.TAINTED.CALL.LOOP_BOUND SV.TAINTED.INDEX_ACCESS SV.TAINTED.LOOP_BOUND SV.UNBOUND_STRING_INPUT.CIN SV.UNBOUND_STRING_INPUT.FUNC | |||||||
| LDRA tool suite | 
 | 45 D, 47 S, 489 S, 567 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X | Partially implemented | ||||||
| PC-lint Plus | 
 | 409, 413, 429, 613 | Partially supported: conceptually includes all other ARR items which are mapped to their respective guidelines; explicit mappings for ARR00 are present when a situation mentioned in the guideline itself is encountered | 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup | 
|---|
| \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators" | 
Related Guidelines
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship | 
|---|---|---|
| CERT C | CTR00-CPP. Understand when to prefer vectors over arrays | Prior to 2018-01-12: CERT: Unspecified Relationship | 
| CWE 2.11 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | Prior to 2018-01-12: CERT: | 
| CWE 2.11 | CWE-123, Write-what-where Condition | Prior to 2018-01-12: CERT: | 
| CWE 2.11 | CWE-125, Out-of-bounds Read | Prior to 2018-01-12: CERT: | 
| CWE 2.11 | CWE-129, Unchecked array indexing | Prior to 2018-01-12: CERT: | 
...
06. Arrays (ARR) 06. Arrays (ARR) ARR01-A. Do not apply the sizeof operator to an incomplete type