The calloc() function takes two arguments: the number of elements to allocate and the storage size of those elements. Historically, many implementations of the calloc() function multiplied these arguments together to determine how much memory to allocate, and some implementations failed to check whether this multiplication results in a numeric overflow. If the result of multiplying the number of elements to allocate and the storage size cannot be represented properly as a size_t, less memory is allocated than was requested. Therefore, it may be necessary to check the product of the arguments to calloc() for an arithmetic overflow. If an overflow occurs, the program should detect and handle it appropriately.
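The check described above, as an added example that is not code from the original page: it tests the product of the calloc() arguments by division before allocating, and shows the byte count an unchecked multiplication would produce. The names mul_overflows, wrapped_product and checked_calloc are hypothetical, and the inputs are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if nmemb * size cannot be represented as a size_t. */
static int mul_overflows(size_t nmemb, size_t size) {
    /* Division form: never performs the multiplication that might wrap. */
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* What an unchecked implementation would compute. Unsigned arithmetic wraps
 * modulo SIZE_MAX + 1, so the result can be far smaller than requested. */
static size_t wrapped_product(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Hypothetical wrapper: refuse the request instead of under-allocating. */
static void *checked_calloc(size_t nmemb, size_t size) {
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(nmemb, size);
}

int main(void) {
    /* Constructed input: an element count that wraps for 16-byte elements. */
    size_t count = SIZE_MAX / 16 + 2, elem = 16;
    printf("requested %zu x %zu, wrapped byte count = %zu\n",
           count, elem, wrapped_product(count, elem));

    void *p = checked_calloc(count, elem);
    printf("checked_calloc: %s\n", p ? "allocated" : "rejected (overflow)");
    free(p);

    /* A request whose product fits is passed through to calloc(). */
    long *ok = checked_calloc(8, sizeof *ok);
    if (ok == NULL)
        return 1;
    printf("small request: ok[7] = %ld\n", ok[7]);
    free(ok);
    return 0;
}
```

For the constructed input, the wrapped product is 16 bytes, which is what a caller expecting SIZE_MAX / 16 + 2 elements would have received from an unchecked implementation.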
According to RUS-CERT Advisory 2002-08:02, the following C/C++ implementations of calloc() were affected by this issue:
- GNU libc 2.2.5
- dietlibc CVS
- Microsoft Visual C++ version 4.0 and 6.0
- HP-UX 11
- GNU C++ Compiler (GCC 2.95, 3.0, 3.1.1)
- GNU Ada Compiler (GNAT 3.14p, GCC 3.1.1)
- libgcrypt 1.1.10 (GNU Crypto Library)
Non-Compliant Code Example
...
- [ISO/IEC 9899-1999] Section 7.18.3, "Limits of other integer types"
- [Seacord 05] Chapter 4, "Dynamic Memory Management"
- [RUS-CERT Advisory 2002-08:02] http://cert.uni-stuttgart.de/advisories/calloc.php
- [Secunia Advisory SA10635] http://secunia.com/advisories/10635/