The result of malloc(0) and calloc(0) is undefined. From a practical standpoint, calloc(0) and malloc(0) can lead to programming errors with critical security implications, such as buffer overflows. This occurs because the result of calloc(0) or malloc(0) may not be considered an error, so the pointer returned may not be NULL. Instead, the pointer may reference a block of memory on the heap of size zero. If memory is fetched from, or stored in, such a location, a serious error could occur. Numerous vulnerabilities may allow calloc(0) or malloc(0) to occur, such as VU#179014, VU#226184, and VU#855118.
Non-compliant Code Example 1
In this example, the user-defined function calc_size (not shown) is used to calculate the size of the string other_string. The result of calc_size is returned to str_size and used as the size parameter in a call to malloc. However, if calc_size returns zero, then when the strncpy is executed, a heap buffer overflow will occur.
```c
size_t str_size = calc_size(other_string);
char *str_copy = malloc(str_size);   /* str_size may be 0: a zero-sized block, or NULL */
strncpy(str_copy, other_string, str_size);   /* writes through an unusable pointer */
```
Compliant Code Example 1
To ensure that zero (0) is never passed as the size argument to malloc, the size value must be checked before the call.
```c
size_t str_size = calc_size(other_string);
if (str_size != 0) {
  char *str_copy = malloc(str_size);
  if (str_copy != NULL) {   /* malloc can still fail for a non-zero size */
    strncpy(str_copy, other_string, str_size);
  }
}
```
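The following is an added, self-contained example (not code from the CERT page) that puts the compliant pattern into a reusable form. The page leaves calc_size unspecified; here a hypothetical calc_size returns the string length plus one byte for the NUL terminator, and returns 0 for a NULL input so the rejection path can be exercised. checked_malloc and copy_string are likewise names introduced for this example. The copy routine also writes the terminator itself, because strncpy does not add one when the source fills the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the page's unspecified calc_size helper:
 * size needed to hold s including its NUL terminator, or 0 for NULL input. */
size_t calc_size(const char *s) {
    if (s == NULL) {
        return 0;
    }
    return strlen(s) + 1;
}

/* Allocation wrapper that never forwards a zero-length request to malloc.
 * The caller therefore receives either a block large enough to use or NULL,
 * never a zero-sized block whose first byte is already out of bounds. */
void *checked_malloc(size_t size) {
    if (size == 0) {
        return NULL;
    }
    return malloc(size);
}

/* Returns a heap copy of other_string, or NULL when the computed size is
 * zero or the allocation fails. The caller owns the returned buffer. */
char *copy_string(const char *other_string) {
    size_t str_size = calc_size(other_string);
    char *str_copy = checked_malloc(str_size);
    if (str_copy == NULL) {
        return NULL;
    }
    strncpy(str_copy, other_string, str_size);
    str_copy[str_size - 1] = '\0';   /* strncpy may not terminate; do it explicitly */
    return str_copy;
}

int main(void) {
    char *copy = copy_string("example");
    if (copy != NULL) {
        printf("copied: %s\n", copy);
        free(copy);
    }
    if (copy_string(NULL) == NULL) {
        printf("zero-length request rejected\n");
    }
    return 0;
}
```

Note that the empty string "" is still copied correctly: calc_size("") returns 1, so one byte is allocated and the terminator is written into it. Only a computed size of 0 is refused.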