...
In this example, the user-defined function get_size() (not shown) is used to calculate the size requirements for a dynamic array of long int that is assigned to the variable num_elements. When calloc() is called to allocate the buffer, num_elements is multiplied by sizeof(long) to compute the overall size requirements. If the number of elements multiplied by the size cannot be represented as a size_t, calloc() may allocate a buffer of insufficient size. When data is copied to that buffer, a buffer overflow may occur.
```c
#include <stdlib.h>

/* get_size() is defined elsewhere and not shown on the page. */
size_t get_size(void);

size_t num_elements = get_size();
/* Noncompliant: if num_elements * sizeof(long) does not fit in a size_t,
 * the product wraps and calloc() may return a buffer that is too small. */
long *buffer = calloc(num_elements, sizeof(long));
if (buffer == NULL) {
  /* handle error condition */
}
```
...
In this compliant solution, the multiplication of the two arguments num_elements and sizeof(long) is evaluated before the call to calloc() to determine if an overflow will occur. The multsize_t() function sets errno to a non-zero value if the multiplication operation overflows.
```c
#include <errno.h>
#include <stdlib.h>

/* calc_size() and multsize_t() are defined elsewhere and not shown on the
 * page; multsize_t() sets errno to a non-zero value when a * b overflows. */
size_t calc_size(void);

long *buffer;
size_t num_elements = calc_size();
/* Clear errno first: multsize_t() only sets it on overflow, so a stale
 * value left by an earlier call would otherwise be reported as an error. */
errno = 0;
(void) multsize_t(num_elements, sizeof(long));
if (errno) {
  /* handle error condition */
}
buffer = calloc(num_elements, sizeof(long));
if (buffer == NULL) {
  /* handle error condition */
}
```
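The following is an added example, not code from the page or from the CERT standard, showing the overflow check the compliant solution relies on written out in portable C. The helper names `size_mul_wraps()`, `safe_calloc()` and `wrapped_byte_count()` are hypothetical stand-ins for the page's `multsize_t()`; the check uses division against `SIZE_MAX` so that no wraparound occurs while testing for one.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if a * b cannot be represented as a size_t, 0 otherwise.
 * Hypothetical helper standing in for the page's multsize_t(): the
 * division form never overflows, so it can safely test for overflow. */
int size_mul_wraps(size_t a, size_t b)
{
    return b != 0 && a > SIZE_MAX / b;
}

/* Allocates a zeroed array of num_elements objects of elem_size bytes,
 * refusing the request (errno = ERANGE, returns NULL) when the byte
 * count would wrap, so an undersized buffer is never handed back. */
void *safe_calloc(size_t num_elements, size_t elem_size)
{
    if (size_mul_wraps(num_elements, elem_size)) {
        errno = ERANGE;
        return NULL;
    }
    return calloc(num_elements, elem_size);
}

/* The byte count an unchecked multiplication would produce for the same
 * request; unsigned arithmetic wraps modulo SIZE_MAX + 1, which is what
 * lets a huge element count turn into a tiny allocation. */
size_t wrapped_byte_count(size_t num_elements, size_t elem_size)
{
    return num_elements * elem_size;
}

int main(void)
{
    /* Constructed input: the smallest element count whose product with
     * sizeof(long) no longer fits in a size_t. */
    size_t too_many = SIZE_MAX / sizeof(long) + 1;

    printf("unchecked byte count: %zu\n", wrapped_byte_count(too_many, sizeof(long)));
    errno = 0;
    if (safe_calloc(too_many, sizeof(long)) == NULL && errno == ERANGE)
        printf("request rejected before calloc() was reached\n");
    return 0;
}
```

Because `sizeof(long)` is a power of two on common platforms, the unchecked product for the constructed input wraps to exactly 0 bytes.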
...