...
In this compliant solution, the two arguments num_elements
and sizeof(long)
are checked before the call to calloc()
to determine if wrapping will occur.:
Code Block | ||||
---|---|---|---|---|
| ||||
long *buffer; size_t num_elements; if (num_elements > SIZE_MAX/sizeof(long)) { /* Handle error condition */ } buffer = (long *)calloc(num_elements, sizeof(long)); if (buffer == NULL) { /* Handle error condition */ } |
...
[RUS-CERT] | Advisory 2002-08:02, "Flaw in calloc and Similar Routines" |
[Seacord 2013] | Chapter 4, "Dynamic Memory Management" |
[Secunia] | Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability" |
...
...