...
In this example, a dynamic array of integers is allocated to store s elements. However, if s is zero, the call to malloc(s) will return a reference to a block of memory of size 0. When data is copied to this location, a heap-buffer overflow will occur.
```c
/* ... */
list = malloc(sizeof(int) * s);
if (list == NULL) {
    /* Handle Allocation Error */
}
/* Continue Processing list */
```
...
Compliant Code Example 1
To ensure that zero is never passed as a size argument to malloc(), a check must be made on s to ensure it is not zero.
```c
/* ... */
if (s == 0) {
    /* Handle Error */
}
list = malloc(sizeof(int) * s);
if (list == NULL) {
    /* Handle Allocation Error */
}
/* Continue Processing list */
/* ... */
```
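The check above, packaged as an allocator and a copy routine so the copy can never target a zero-size block. This is an added example, not code from the original page; alloc_int_list and copy_int_list are hypothetical names. It goes slightly beyond the text by also refusing counts for which sizeof(int) * s would wrap around, since that yields the same kind of undersized block.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the original page): allocate room for
 * s ints, treating s == 0 as an error instead of passing it to malloc(). */
int *alloc_int_list(size_t s) {
    if (s == 0) {
        errno = EINVAL;          /* zero-length request: reject up front */
        return NULL;
    }
    if (s > SIZE_MAX / sizeof(int)) {
        errno = ENOMEM;          /* sizeof(int) * s would wrap around */
        return NULL;
    }
    return malloc(sizeof(int) * s);   /* NULL here means allocation failure */
}

/* Hypothetical caller: duplicate s ints from src. Returns NULL on a NULL
 * source, a zero count, an overflowing count, or allocation failure, so
 * the memcpy() below never writes into a zero-size block. */
int *copy_int_list(const int *src, size_t s) {
    int *list;

    if (src == NULL) {
        errno = EINVAL;
        return NULL;
    }
    list = alloc_int_list(s);
    if (list == NULL) {
        return NULL;             /* caller handles the error */
    }
    memcpy(list, src, sizeof(int) * s);
    return list;
}

int main(void) {
    const int sample[] = { 3, 1, 4 };   /* constructed sample data */
    int *list = copy_int_list(sample, 3);
    int ok = (list != NULL && list[2] == 4);
    free(list);
    /* Zero-length and overflowing requests must both be refused. */
    ok = ok && copy_int_list(sample, 0) == NULL
            && alloc_int_list(SIZE_MAX) == NULL;
    return ok ? 0 : 1;
}
```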
Priority: P12 Level: L1
Assuming that allocating zero bytes results in an error can lead to buffer overflows when zero bytes are allocated. Buffer overflows can be exploited by an attacker to run arbitrary code with the permissions of the vulnerable process.
...