...
This noncompliant code example is a real-world example taken from a vulnerable version of the libpng library as deployed on a popular ARM-based cell phone [Jack 2007]. The libpng implements its own wrapper to malloc() that returns a null pointer on error or on being passed a 0 byte length argument.
...
If a length field of −1 is supplied to the code in this noncompliant example, the addition wraps around to 0, and png_malloc() subsequently returns a null pointer, which is assigned to chunkdata. The chunkdata pointer is later used as a destination argument in a call to memcpy(), resulting in user-defined data overwriting memory starting at address 0. A write from or read to the memory address 0x0 will generally reference invalid or unused memory. In the case of the ARM and XScale architectures, the 0x0 address is mapped in memory and serves as the exception vector table.
Compliant Solution
To correct this error, ensure This compliant solution ensures that the pointer returned by malloc() is not null. This practice ensures compliance with MEM32-C. Detect and handle memory allocation errors.
| Code Block | ||||
|---|---|---|---|---|
| ||||
png_charp chunkdata;
int f(void) {
chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
if (chunkdataNULL == NULLchunkdata) {
return -1; /* Indicate failure */
}
/* ... */
return 0;
} |
Noncompliant Code Example
...