...
This noncompliant code example is derived from a real-world example taken from a vulnerable version of the libpng library as deployed on a popular ARM-based cell phone [Jack 2007]. The libpng library allows applications to read, create, and manipulate PNG (Portable Network Graphics) raster image files. The libpng library implements its own wrapper to malloc() that returns a null pointer on error or on being passed a 0-byte-length argument.
This code also violates MEM32-C. Detect and handle memory allocation errors.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <png.h> /* From libpng */
void func(png_structp png_ptr, int length) {
png_charp chunkdata;
chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
/* ... */
} |
If length is passed has the value −1, the addition wraps around to 0, and png_malloc() subsequently returns a null pointer, which is assigned to chunkdata. The chunkdata pointer is later used as a destination argument in a call to memcpy(), resulting in user-defined data overwriting memory starting at address 0. A write from or read to the memory address 0x0 will generally reference invalid or unused memory. In the case of the ARM and XScale architectures, the 0x0 address is mapped in memory and serves as the exception vector table; consequently dereferencing 0x0 did not cause program termination.
Compliant Solution
This compliant solution ensures that the pointer returned by png_malloc() is not null. This practice ensures compliance with MEM32-C. Detect and handle memory allocation errors. It It also uses the unsigned type size_t to pass the length parameter, ensuring that negative values are not passed to func().
...
In this noncompliant code example, input_str is copied into dynamically allocated memory referenced by str. If malloc() fails, it returns a null pointer that is assigned to str. When str is dereferenced in memcpy(), the program exhibits undefined behavior. Additionally, if input_str is a null pointer, the call to strlen() dereferences a null pointer, resulting in undefined behavior. This code also violates MEM32-C. Detect and handle memory allocation errors.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <string.h>
#include <stdlib.h>
void f(const char *input_str) {
size_t size = strlen(input_str) + 1;
char *c_str = (char *)malloc(size);
memcpy(c_str, input_str, size);
/* ... */
free(c_str);
c_str = NULL;
/* ... */
} |
...
This compliant solution ensures input_str is non-null, and the pointer returned by malloc() is not null. This solution also complies with MEM32-C. Detect and handle memory allocation errors.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <string.h>
#include <stdlib.h>
void f(const char *input_str) {
size_t size;
char *c_str;
if (NULL == input_str) {
/* Handle error */
}
size = strlen(input_str) + 1;
c_str = (char *)malloc(size);
if (NULL == c_str) {
/* Handle error */
}
memcpy(c_str, input_str, size);
/* ... */
free(c_str);
c_str = NULL;
/* ... */
} |
...
The sk pointer is initialized to tun->sk before checking if tun is a null pointer. Because null pointer dereferencing is undefined behavior, the compiler (GCC in this case) can optimize away the if (!tun) check because it is performed after tun->sk is dereferenced, implying that tun is non-null. As a result, this noncompliant code example is vulnerable to a null pointer dereference exploit. Typically, a null pointer dereference results in access violation and abnormal program termination. However, , because it is possible to permit null pointer dereferencing on several operating systemsplatforms, for example, using mmap(2) with the MAP_FIXED flag on Linux and Mac OS X or using shmat(2) with the SHM_RND flag on Linux [Liu 2009].
...