SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 67

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 68

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The vulnerability in Adobe Flash [VU#159523] arises because Flash neglects to check the return value from calloc(). Even when calloc() returns a null pointer, Flash writes to an offset from the return value. Dereferencing a null pointer usually results in a program crash, but dereferencing an offset from a null pointer allows an exploit to succeed without crashing the program.

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C Secure Coding Standard

ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy
EXP34-C. Do not dereference null pointers
FIO13-C. Never push back anything other than one read character
MEM04-C. Do not perform zero-length allocations
MEM12-C. Consider using a goto chain when leaving a function on error when using and releasing resources

SEI CERT C++ Coding StandardERR10-CPP. Check for error conditions
FIO04-CPP. Detect and handle input and output errors
ISO/IEC TS 17961:2013Failing to detect and handle standard library errors [liberr]
MITRE CWECWE-252, Unchecked Return Value
CWE-253, Incorrect Check of Function Return Value
CWE-390, Detection of Error Condition without Action
CWE-391, Unchecked Error Condition
CWE-476, NULL Pointer Dereference

...

[DHS 2006]Handle All Errors Safely
[Henricson 1997]Recommendation 12.1, "Check for All Errors Reported from Functions"
[ISO/IEC 9899:2011]Subclause 7.21.7.10, "The ungetc Function"
[VU#159523] 

 

...