Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In this compliant solution, the two arguments num_elements and sizeof(long) are checked before the call to calloc() to determine if wrapping will occur.:

Code Block
bgColor#ccccff
langc
long *buffer;
size_t num_elements;

if (num_elements > SIZE_MAX/sizeof(long)) {
  /* Handle error condition */
}
buffer = (long *)calloc(num_elements, sizeof(long));
if (buffer == NULL) {
  /* Handle error condition */
}

...

[RUS-CERT]Advisory 2002-08:02, "Flaw in calloc and Similar Routines"
[Seacord 2013]Chapter 4, "Dynamic Memory Management"
[Secunia]Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability"

...

 
 

...