...
This includes all three standard memory allocation functions: malloc(), calloc(), and realloc(). In cases where the memory allocation functions return a non-NULL pointer, using this pointer results in undefined behavior. Typically these pointers refer to a zero-length block of memory consisting entirely of control structures. Overwriting these control structures will damage the data structures used by the memory manager.
malloc()
Non-Compliant Code Example
The result of calling malloc(0) to allocate 0 bytes is implementation-defined. In this example, a dynamic array of integers is allocated to store s elements. However, if s is zero, the call to malloc(s) may return a reference to a block of memory of size 0 rather than NULL. When data is copied to this location, a heap-buffer overflow occurs.
Code Block:

    /* ... */
    list = malloc(sizeof(int) * s);
    if (list == NULL) {
      /* Handle Allocation Error */
    }
    /* Continue Processing list */
    /* ... */
Compliant Code Example
To ensure that zero is never passed as a size argument to malloc(), a check must be made on s to ensure it is not zero.
Code Block:

    /* ... */
    if (s <= 0) {
      /* Handle Error */
    }
    list = malloc(sizeof(int) * s);
    if (list == NULL) {
      /* Handle Allocation Error */
    }
    /* Continue Processing list */
    /* ... */
realloc()
Non-Compliant Code Example
The realloc() function deallocates the old object and returns a pointer to a new object of a specified size. If memory for the new object cannot be allocated, the realloc() function does not deallocate the old object and its value is unchanged. If the realloc() function returns NULL, failing to free the original memory will result in a memory leak. As a result, the following idiom is generally recommended for reallocating memory:
Code Block:

    char *p2;
    char *p = malloc(100);
    /* ... */
    if ((p2 = realloc(p, nsize)) == NULL) {
      if (p) free(p);
      p = NULL;
      return NULL;
    }
    p = p2;
The realloc() function for gcc 3.4.6 with libc 2.3.4 returns a non-NULL pointer to a zero-sized object (the same as malloc(0)). However, the realloc() function for both Microsoft Visual Studio Version 7.1 and gcc version 4.1.0 returns a null pointer when nsize is zero, resulting in a double free on the call to free() in this example.
Compliant Code Example
Do not pass a size argument of zero to the realloc() function.
Code Block:

    char *p2;
    char *p = malloc(100);
    /* ... */
    if ((nsize == 0) || (p2 = realloc(p, nsize)) == NULL) {
      if (p) free(p);
      p = NULL;
      return NULL;
    }
    p = p2;
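The two guards from the malloc() and realloc() examples above, wrapped in reusable helpers, as an added illustration that is not part of the original page or the CERT code. The names alloc_int_array, resize_buffer and self_check are chosen here; unlike the compliant idiom above, resize_buffer leaves ownership of the old block with the caller when it rejects a size, so the block is freed in exactly one place.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Allocate an array of `count` ints. A zero count is rejected before it
 * reaches malloc(), since malloc(0) may return NULL or a pointer to a
 * zero-length block that must never be written through. */
int *alloc_int_array(size_t count) {
    if (count == 0) {
        errno = EINVAL;
        return NULL;
    }
    return malloc(count * sizeof(int));
}

/* Resize the block owned by *pp to nsize bytes. Returns 1 on success
 * (*pp now points at the resized block) and 0 on failure, leaving *pp
 * untouched and still owned by the caller. Rejecting nsize == 0 up front
 * matters because some realloc() implementations free the old block and
 * return NULL for a zero size; a caller that reads NULL as "allocation
 * failed, free the old block" would then free it twice. */
int resize_buffer(char **pp, size_t nsize) {
    char *p2;
    if (nsize == 0) {
        errno = EINVAL;
        return 0;
    }
    p2 = realloc(*pp, nsize);
    if (p2 == NULL) {
        return 0;   /* old block still valid: no leak, no double free */
    }
    *pp = p2;
    return 1;
}

/* Exercise both guards; returns 1 if every check passed, 0 otherwise. */
int self_check(void) {
    int ok = 1;
    char *buf = malloc(100), *before = buf;
    if (buf == NULL) return 0;
    ok &= (alloc_int_array(0) == NULL);                   /* zero refused */
    ok &= (resize_buffer(&buf, 0) == 0 && buf == before); /* buf survives */
    ok &= (resize_buffer(&buf, 200) == 1 && buf != NULL); /* real resize */
    free(buf);  /* exactly one free, regardless of which branches ran */
    return ok;
}

int main(void) {
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```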
...