Page History

The default memory allocation operator, ::operator new(std::size_t), will throw throws a std::bad_alloc exception if the allocation fails. Therefore, you need not check whether calling ::operator new(std::size_t) results in nullptr. The nonthrowing form, ::operator new(std::size_t, const std::nothrow_t &), will does not throw an exception if the allocation fails , but will instead return returns nullptr. The same behaviors apply for the operator new[] versions of both allocation functions. Additionally, the default allocator object (std::allocator) uses ::operator new(std::size_t) to perform allocations , and should be treated similarly.

T *p1 = new T; // Throws std::bad_alloc if allocation fails.
T *p2 = new (std::nothrow) T; // Returns nullptr if allocation fails.

T *p3 = new T[1]; // Throws std::bad_alloc if the allocation fails.
T *p4 = new (std::nothrow) T[1]; // Returns nullptr if the allocation fails.

In addition, operator new[] can , a subclass of std::bad_alloc, can throw an error of type std::bad_array_new_length if the size argument passed to new is negative or excessively large. This is a subclass of std::bad_alloc.

When using the nonthrowing form, it is imperative to check that the return value is not nullptr before accessing the resulting pointer. When using either form, be sure to comply with ERR50-CPP. Do not call std::terminate(), std::abort(), or std::_Exit().

...

In this noncompliant code example, an array of int is created using ::operator new[](std::size_t), but the results of the allocation are not checked. Since the The function is marked as noexcept, so the caller assumes this function does not throw any exceptions. Because ::operator new[](std::size_t) can throw an exception if the allocation fails, this it could lead to abnormal termination of the program.

#include <cstring>
 
void f(const int *array, std::size_t size) noexcept {
  int *copy = new int[size];
  std::memcpy(copy, array, size * sizeof(*copy));
  // ...
  delete [] copy;
}

...

When using std::nothrow, the new operator returns either a null pointer or a pointer to the allocated space. Always test the returned pointer to ensure it is not nullptr before referencing the pointer. This compliant solution handles the error condition appropriately when the returned pointer is nullptr.:

#include <cstring>
 
void f(const int *array, std::size_t size) noexcept {
  int *copy = new (std::nothrow) int[size];
  if (!copy) {
    // Handle error
    return;
  }
  std::memcpy(copy, array, size * sizeof(*copy));
  // ...
  delete [] copy;
}

Compliant Solution (std::bad_alloc)

Alternatively, one you can use ::operator new[] without std::nothrow, and instead catch a std::bad_alloc exception if sufficient memory cannot be allocated.:

#include <cstring>
 
void f(const int *array, std::size_t size) noexcept {
  int *copy;
  try {
    copy = new int[size];
  } catch(std::bad_alloc) {
    // Handle error
    return;
  }
  // At this point, copy has been initialized to allocated memory.
  std::memcpy(copy, array, size * sizeof(*copy));
  // ...
  delete [] copy;
}

...

If the design of the function is such that the caller is expected to handle exceptional situations, it is permissible to mark the function explicitly as one that may throw, as in this compliant solution. This Marking the function is not strictly required, as any function without a noexcept specifier is presumed to allow throwing.

...

struct A { /* ... */ };
struct B { /* ... */ }; 
 
void g(A *, B *);
void f() {
  g(new A, new B);
}

Consider the situation where in which A is allocated and constructed first, and then B is allocated and throws an exception. Wrapping the call to g() in a try/catch block is insufficient because it would be impossible to free the memory allocated for A.

...

When possible, the more resilient compliant solution is to remove the memory allocation entirely , and pass the objects by reference instead:

...

Failing to detect allocation failures can lead to abnormal program termination and denial-of-service attacks.

If the vulnerable program references memory offset from the return value, an attacker can exploit the program to read or write arbitrary memory. This has been used to execute arbitrary code [VU#159523].

...

Related Vulnerabilities

The vulnerability in Adobe Flash [VU#159523] arises because Flash neglects to check the return value from calloc(). Even though calloc() returns NULL, Flash does not attempt to read or write to the return value. Instead, but rather it attempts to write to an offset from the return value. Dereferencing NULL usually results in a program crash, but dereferencing an offset from NULL allows an exploit to succeed without crashing the program.

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...