SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Jeffrey Gennari

Saved on

compared with

New Version 11

changes.mady.by.user Robert C. Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The calloc() function takes two arguments: the number of elements to allocate and the storage size of those elements. The calloc() function multiples these arguments together , and uses the result to specify the amount allocates the resulting quantity of memory to allocate. However, if the result of multiplying the number of elements to allocate and the storage size cannot be represented properly by an unsigned intas a size_t, an arithmetic overflow will occur. Therefore, it is necessary to check the product of the arguments to calloc() for an arithmetic overflow. If an overflow occurs, the program should detect and handle it appropriately.

...

In this example, the user defined function get_size() (not shown) is used to calculate the size requirements for a dynamic array of unsigned long long integers int and stored in the variable num_elements. When calloc() is called to allocate the buffer, num_elements will be is multiplied with by the sizeof(unsigned long long) to compute the overall size requirements. If the value returned by get_size() is too large to be multiplied by sizeof(unsigned long long) and properly stored in an intermediate location within calloc(), then number of elements multiplied by the size can not be represented as a size_t calloc() may allocate a buffer of insufficient size. When data is copied to that buffer, a buffer overflow may occur.

Code Block
size_t num_elements = get_size();
long *buffer = calloc(num_elements, sizeof(long));
if (buffer == NULL) {
  /* handle error condition */
}

Compliant Solution 1

To correct this, a test is performed on the product of num_elements and sizeof(long) post before the call to calloc(). The test reproduces valides that the multiplication performed by calloc() and evaluates the product to determine if an overflow occuredcan be performed successfully. The comparison checks the product against the system defined limit on a for size_t data type ISO/IEC 9899 shifted left by one against the product of num_elements and sizeof(long). if the product's highest bit is set, then it is assumed that an arithmetic overflow has occured. Although this limits the amount of memory that can be allocated, it is important to note that typically, the maximum amount of allocatable memory is limited to a value less than SIZE_MAX.

Code Block

long *buffer;
size_t num_elements = calc_size();
if ((num_elements*sizeof(long)) >= (SIZE_MAX>>1)) {
   /* handle error condition */
}
else {
  buffer = calloc(num_elements, sizeof(long));
  if ((num_elements*sizeof(long)) >= (SIZE_MAX>>1)buffer == NULL) {
    /* Handlehandle error condition */
  }
}

References

...

...