...
In this compliant solution, the memory is not freed until it is no longer required:
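```c
#include <stdlib.h>
#include <string.h>

#define BUFFERSIZE 256  /* assumed value; the page does not define it */

int main(int argc, const char *argv[]) {
  char *buff;
  if (argc < 2) {
    return EXIT_FAILURE;  /* argv[1] is required below */
  }
  buff = (char *)malloc(BUFFERSIZE);
  if (!buff) {
    /* Handle error condition */
    return EXIT_FAILURE;
  }
  /* ... */
  strncpy(buff, argv[1], BUFFERSIZE-1);
  buff[BUFFERSIZE-1] = '\0';  /* strncpy does not terminate on truncation */
  /* ... */
  free(buff);  /* freed only after the last use */
  return EXIT_SUCCESS;
}
```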
...
The compliant solution simply reassigns `im->clip->list` to the value of `more` after the call to `realloc`:
```c
void gdClipSetAdd(gdImagePtr im, gdClipRectanglePtr rect) {
  gdClipRectanglePtr more;
  if (im->clip == 0) {
    /* ... */
  }
  if (im->clip->count == im->clip->max) {
    more = gdRealloc(im->clip->list, (im->clip->max + 8) *
                     sizeof(gdClipRectangle));
    if (more == 0) return;  /* allocation failed; old list is still valid */
    im->clip->max += 8;
    im->clip->list = more;  /* replace the possibly stale pointer */
  }
  im->clip->list[im->clip->count] = (*rect);
  im->clip->count++;
}
```
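The pattern above as a self-contained added example (not code from libgd or from the original page): `rect_t`, `clip_t`, `clip_add_stale`, `clip_add` and `clip_demo` are hypothetical names. It places the stale-pointer form beside the reassigning form, and goes slightly further than the page's snippet by returning a status and guarding the size computation.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the libgd types used in the page's snippet. */
typedef struct { int x0, y0, x1, y1; } rect_t;
typedef struct { rect_t *list; size_t count, max; } clip_t;

/* Noncompliant shape, never called here: realloc may move the block and
 * free the old one, but c->list is not updated, so the store that follows
 * can go through a pointer to freed memory. */
int clip_add_stale(clip_t *c, const rect_t *r) {
  if (c->count == c->max) {
    rect_t *more = realloc(c->list, (c->max + 8) * sizeof *more);
    if (more == NULL) return -1;
    c->max += 8;               /* BUG: c->list still holds the old address */
  }
  c->list[c->count++] = *r;
  return 0;
}

/* Compliant shape: keep the old pointer until realloc succeeds, then
 * publish the new pointer before any further access. */
int clip_add(clip_t *c, const rect_t *r) {
  if (c->count == c->max) {
    if (c->max > SIZE_MAX / sizeof(rect_t) - 8) return -1; /* size overflow */
    rect_t *more = realloc(c->list, (c->max + 8) * sizeof *more);
    if (more == NULL) return -1;   /* old block is still valid and owned */
    c->list = more;
    c->max += 8;
  }
  c->list[c->count++] = *r;
  return 0;
}

/* Constructed driver: append n rectangles, return the sum of x0, or -1. */
long clip_demo(size_t n) {
  clip_t c = { NULL, 0, 0 };
  long sum = 0;
  for (size_t i = 0; i < n; i++) {
    rect_t r = { (int)i, 0, (int)i + 1, 1 };
    if (clip_add(&c, &r) != 0) { free(c.list); return -1; }
  }
  for (size_t i = 0; i < c.count; i++) sum += c.list[i].x0;
  free(c.list);                    /* freed only after the last read */
  return sum;
}

int main(void) { return clip_demo(20) == 190 ? 0 : 1; }
```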
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | |
| | | USE_AFTER_FREE | Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer. |
| Fortify SCA | 5.0 | | |
| | | UFM.DEREF.MIGHT | |
| | | 51 D | Fully implemented. |
| Splint | | | |
...
| CERT C++ Secure Coding Standard | MEM30-CPP. Do not access freed memory |
| ISO/IEC TR 24772:2013 | Dangling References to Stack Frames [DCM]; Dangling Reference to Heap [XYK] |
| ISO/IEC TS 17961 (Draft) | Accessing freed memory [accfree] |
| MISRA C:2012 | Rule 18.6 (required) |
| MITRE CWE | CWE-416, Use after free |
...
| [Kernighan 1988] | Section 7.8.5, "Storage Management" |
| [OWASP Freed Memory] | |
| [Seacord 2013] | Chapter 4, "Dynamic Memory Management" |
| [Viega 2005] | Section 5.2.19, "Using Freed Memory" |
| [xorl 2009] | CVE-2009-1364: LibWMF Pointer Use after free() |