CodeQL documentation

Call to alloca in a loop

ID: cpp/alloca-in-loop
Kind: problem
Severity: warning
Precision: high
Tags:
   - reliability
   - correctness
   - security
   - external/cwe/cwe-770
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls


The alloca function (normally a macro around a compiler built-in) allocates memory by extending the current stack frame. Invoking alloca inside a loop is dangerous because the memory is not released until the enclosing function returns: every iteration adds to the frame, so the total stack consumed is the sum of all allocations rather than the size of a single one. If the number of iterations or the size of each allocation is influenced by untrusted input, an attacker can drive the stack past its limit and crash the process (uncontrolled resource consumption, CWE-770).

Recommendation

Consider invoking alloca once outside the loop, sized for the largest value the loop will need, and reusing that buffer in each iteration. If the allocation must be done inside the loop, use malloc (or new in C++) to allocate on the heap and release it at the end of each iteration, so that memory use is bounded by one allocation rather than by the iteration count.

Example

The variable path is allocated inside a loop with alloca. Consequently, storage for every copy of path remains in the stack frame until the end of the function, and the frame grows in proportion to count.

#include <alloca.h>
#include <string.h>

void visit_entries(char *dir_path, char **dir_entries, int count) {
  for (int i = 0; i < count; i++) {
    // Each iteration grows the stack frame; nothing is released until return.
    char *path = (char*)alloca(strlen(dir_path) + strlen(dir_entries[i]) + 2);
    // use path
  }
}

In the revised example, path is allocated with malloc and freed at the end of each iteration, so only one copy is live at any time regardless of count.

#include <stdlib.h>
#include <string.h>

void visit_entries(char *dir_path, char **dir_entries, int count) {
  for (int i = 0; i < count; i++) {
    char *path = (char*)malloc(strlen(dir_path) + strlen(dir_entries[i]) + 2);
    if (path == NULL)
      return;  // allocation failure; handle as appropriate for the caller
    // use path
    free(path);  // released every iteration, so stack and heap use stay bounded
  }
}
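The following is an added example, not code from the CodeQL page or its query, that fills in the "use path" step and shows both shapes of the recommendation: one heap allocation per iteration that is freed before the next, and one allocation made outside the loop, sized for the longest entry, and reused. The function names, the path-joining callback and the sample directory listing are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of "dir/entry" including the separator and the terminating NUL. */
static size_t joined_len(const char *dir, const char *entry) {
  return strlen(dir) + 1 + strlen(entry) + 1;
}

/* Variant 1 of the recommendation: allocate on the heap inside the loop and
 * free at the end of the same iteration. Live memory is bounded by the
 * longest path, not by count * longest path, however large count is. */
int for_each_path_heap(const char *dir_path, const char *const *dir_entries,
                       int count, void (*visit)(const char *, void *), void *ctx) {
  for (int i = 0; i < count; i++) {
    size_t n = joined_len(dir_path, dir_entries[i]);
    char *path = malloc(n);
    if (path == NULL)
      return -1;                          /* propagate allocation failure */
    snprintf(path, n, "%s/%s", dir_path, dir_entries[i]);
    visit(path, ctx);
    free(path);                           /* released before the next iteration */
  }
  return 0;
}

/* Variant 2 of the recommendation: compute the largest size the loop will
 * need, allocate once outside the loop, and reuse the buffer. A single
 * alloca of max_len here would also be fine; malloc is used so the example
 * stays portable. */
int for_each_path_reuse(const char *dir_path, const char *const *dir_entries,
                        int count, void (*visit)(const char *, void *), void *ctx) {
  if (count <= 0)
    return 0;
  size_t max_len = 0;
  for (int i = 0; i < count; i++) {
    size_t n = joined_len(dir_path, dir_entries[i]);
    if (n > max_len)
      max_len = n;
  }
  char *path = malloc(max_len);          /* one allocation for the whole loop */
  if (path == NULL)
    return -1;
  for (int i = 0; i < count; i++) {
    snprintf(path, max_len, "%s/%s", dir_path, dir_entries[i]);
    visit(path, ctx);
  }
  free(path);
  return 0;
}

/* Hypothetical visitor used to observe what the loops produce. */
struct visit_stats {
  int calls;
  size_t total_len;
  char last[64];
};

static void record_path(const char *path, void *ctx) {
  struct visit_stats *s = ctx;
  s->calls++;
  s->total_len += strlen(path);
  snprintf(s->last, sizeof s->last, "%s", path);
}

int main(void) {
  /* Constructed sample listing; not real system data. */
  const char *entries[] = { "syslog", "auth.log", "kern.log" };
  struct visit_stats s = { 0, 0, "" };
  if (for_each_path_heap("/var/log", entries, 3, record_path, &s) != 0)
    return 1;
  printf("%d paths, %zu bytes total, last: %s\n", s.calls, s.total_len, s.last);
  return 0;
}
```

Either variant keeps memory use independent of count; the reuse variant additionally avoids one allocator round trip per iteration, which matters when count comes from untrusted input such as a directory listing or a request body.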

References