CERT C: Rec. MEM04-C

Zero length memory allocation occurs when a memory allocation function such as malloc or calloc takes a size argument (or number of elements) that might contain the value zero.

According to the C Standard (C11, Subclause 7.22.3), if zero-sized memory is requested from a memory allocation function, the behavior is implementation-defined. In some implementations, the function might return NULL and your existing guards against NULL might suffice to protect against the zero length allocation. In other cases, the function might return a memory region that must not be accessed. Attempts to dereference this region results in undefined behavior.

Check the size to be passed to malloc, or the size and number of elements to be passed to calloc, for zero.

#include <stdlib.h>

void  func(unsigned int size) {
    int *list = (int *)malloc(size);//Noncompliant
    if (list == NULL) {
      /* Handle allocation error */
    }
    else {
    /* Continue processing list */
    }
}

In this example, the variable size might contain the value zero leading to a zero length memory allocation.

Validate external inputs for zero values before using as size argument to the malloc function.

#include <stdlib.h>

void  func(unsigned int size) {
    if(size == 0) {
        /* Handle zero size error */
    }
    else {
        int *list = (int *)malloc(size);
        if (list == NULL) {
          /* Handle allocation error */
        }
        else {
          /* Continue processing list */
        }
    }
}

Variable length array with non-positive size occurs when size of a variable-length array is zero or negative.

If the size of a variable-length array is zero or negative, unexpected behavior can occur, such as stack overflow.

When you declare a variable-length array as a local variable in a function:

You can place a test for positive value either before the function call or the array declaration in the function body.

int input(void);

void add_scalar(int n, int m) {
    int r=0;
    int arr[m][n]; //Noncompliant
    for (int i=0; i<m; i++) {
        for (int j=0; j<n; j++) {
            arr[i][j] = input();
            r += arr[i][j];
        }
    }
}

void main() {
    add_scalar(2,2);
    add_scalar(-1,2);
    add_scalar(2,0);
}

In this example, the second and third calls to add_scalar result in a negative and zero size of arr.

One possible correction is fix or remove calls that result in a nonpositive array size.

Tainted size of variable length array detects variable length arrays (VLA) whose size is from an unsecure source.

If an attacker changed the size of your VLA to an unexpected value, it can cause your program to crash or behave unexpectedly.

If the size is non-positive, the behavior of the VLA is undefined. Your program does not perform as expected.

If the size is unbounded, the VLA can cause memory exhaustion or stack overflow.

Validate your VLA size to make sure that it is positive and less than a maximum value.

#include<stdio.h>
#inclule<stdlib.h>
#define LIM 40

long squaredSum(int size) {

	int tabvla[size]; //Noncompliant
	long res = 0;
	for (int i=0 ; i<LIM-1 ; ++i) {
		tabvla[i] = i*i;
		res += tabvla[i];
	}
	return res;
}
int main(){
	int size;
	scanf("%d",&size);
	//...
	long result = squaredSum(size);
	//...
	return 0;
}

In this example, a variable length array size is based on an input argument. Because this input argument value is not checked, the size may be negative or too large.

One possible correction is to check the size variable before creating the variable length array. This example checks if the size is larger than 0 and less than 40, before creating the VLA

#include <stdio.h>
#include <stdlib.h>
#define LIM 40

long squaredSum(int size) {
	long res = 0;
	if (size>0 && size<LIM){
		int tabvla[size];
		for (int i=0 ; i<size || i<LIM-1 ; ++i) {
			tabvla[i] = i*i;
			res += tabvla[i];
		}
	}else{
		res = -1;
	}
	return res;
}
int main(){
	int size;
	scanf("%d",&size);
	//...
	long result = squaredSum(size);
	//...
	return 0;
}