...
where the integer expression size and the declaration of vla are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 72.) Additionally, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
Because variable length arrays are a conditionally supported feature of C11, their use in portable code should be guarded by testing the value of the macro __STDC_NO_VLA__. Implementations that do not support variable length arrays indicate it by setting __STDC_NO_VLA__ to the integer constant 1.
Noncompliant Code Example
...
Failure to properly specify the size of a variable length array may allow arbitrary code execution or result in stack exhaustion.
Rule | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
ARR32-C | High | Probable | No | NoHigh | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| ALLOC.SIZE.IOFLOW | Integer Overflow of Allocation Size | ||||||
| Coverity |
| REVERSE_NEGATIVE | Fully implemented | ||||||
| Cppcheck |
| negativeArraySize | |||||||
| Cppcheck Premium |
| negativeArraySize premium-cert-arr32-c | |||||||
| Helix QAC |
| C1051 | |||||||
| Klocwork |
| MISRA.ARRAY.VAR_LENGTH.2012 | |||||||
| LDRA tool suite |
| 621 S | Enhanced enforcement | ||||||
| Parasoft C/C++test |
| CERT_C-ARR32-a | Ensure the size of the variable length array is in valid range | ||||||
| PC-lint Plus |
| 9035 | Assistance provided | ||||||
| Polyspace Bug Finder |
| Checks for:
Rule fully covered. | |||||||
| TrustInSoft Analyzer |
| alloca_bounds | Exhaustively verified. |
...