Page History

...

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib<png.h> /* From libpng */
 
errno_t f(voidvoid func(png_structp png_ptr, int length) { 
  png_charp chunkdata;
  chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  /* ... */
  return 0;
}

If a length field of −1 is supplied to the code in this noncompliant exampleIf length is passed −1, the addition wraps around to 0, and png_malloc() subsequently returns a null pointer, which is assigned to chunkdata. The chunkdata pointer is later used as a destination argument in a call to memcpy(), resulting in user-defined data overwriting memory starting at address 0. A write from or read to the memory address 0x0 will generally reference invalid or unused memory. In the case of the ARM and XScale architectures, the 0x0 address is mapped in memory and serves as the exception vector table.

Compliant Solution

...

This compliant solution ensures that the pointer returned by png_malloc() is not null. This practice ensures compliance with MEM32-C. Detect and handle memory allocation errors.  It also uses the unsigned type size_t to pass the length parameter, ensuring that negative values are not passed to func().

Code Block
bgColor #ccccff lang c
#define __STDC_WANT_LIB_EXT1__ 1 #include <stdlib<png.h>   errno /* From libpng */ void func(png_structp png_ptr, size_t f(voidlength) { png_charp chunkdata; chunkdata = (png_charp)png_malloc(png_ptr, length + 1); if (NULL == chunkdata) { return ENOMEM; /* IndicateHandle failureerror */ } /* ... */ return 0; }

...

Noncompliant Code Example

In this noncompliant code example, input_str is copied into dynamically allocated memory referenced by str. If malloc() fails, it returns a null pointer that is assigned to str. When str is dereferenced in memcpy(), the program behaves in an unpredictable mannerexhibits undefined behavior.  Additionally, if input_str is a null pointer, the call to strlen() dereferences a null pointer, resulting in undefined behavior.

#include <string.h>
#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib.h>
 
errno_tvoid f(const char *input_str) {
  size_t size = strlen(input_str) + 1;
  char *c_str = (char *)malloc(size);
  memcpy(c_str, input_str, size);
  /* ... */
  free(c_str);
  c_str = NULL;
  /* ... */
  return 0;
}

Compliant Solution

...

This compliant solution ensures the ensures input_str is non-null, and the pointer returned by malloc() is not null. This solution also complies with MEM32-C. Detect and handle memory allocation errors.

Code Block
bgColor #ccccff lang c
#include <string.h> #define __STDC_WANT_LIB_EXT1__ 1 #include <stdlib.h> #include <errno.h>   errno_tvoid f(const char *input_str) { size_t size; char *c_str;   if (NULL == input_str) { /* Handle error */ } size = strlen(input_str) + 1; char *c_str = (char *)malloc(size); if (NULL == c_str) { return ENOMEM; /* IndicateHandle allocationerror failure */ } memcpy(c_str, input_str, size); /* ... */ free(c_str); c_str = NULL; /* ... */ return 0; }

...

Noncompliant Code Example

...

The sk pointer is initialized to tun->sk before checking if tun is a null pointer. Because null pointer dereferencing is undefined behavior, the compiler (GCC in this case) can optimize away the if (!tun) check because it is performed after tun->sk is dereferenced, implying that tun is non-null. As a result, this noncompliant code example is vulnerable to a null pointer dereference exploit. Typically, a null pointer dereference results in access violation and abnormal program termination. However, it is possible to permit null pointer dereferencing on several operating systems, for example, using mmap(2) with the MAP_FIXED flag on Linux and Mac OS X or using shmat(2) with the SHM_RND flag on Linux [Liu 2009].

Compliant Solution

This compliant solution eliminates the null pointer deference by initializing sk to tun->sk following the null pointer check:

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...