The return values for {{malloc()}} and other C memory allocation routines indicate the failure or success of the allocation. According to C99, {{calloc()}}, {{malloc()}}, and {{realloc()}} return null pointers if the requested memory allocation fails \[[ISO/IEC 9899:1999|AA. C++ References#ISO/IEC 9899-1999]\]. Failure to detect and properly handle memory management errors can lead to unpredictable and unintended program behavior. As a result, it is necessary to check the final status of memory management routines and handle errors appropriately.
...
The vulnerability in Adobe Flash \[[VU#159523|AA. C++ References#VU#159523]\] arises because Flash neglects to check the return value from {{calloc()}}. When {{calloc()}} returns NULL, Flash does not attempt to read or write through the returned pointer itself, but rather attempts to write to an offset from it. Dereferencing NULL usually results in a program crash, but dereferencing an offset from NULL allows an exploit to succeed without crashing the program.
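The unchecked pattern described above next to a checked form, as an added example that is not part of the original page or of any vendor's code. The function names, the allocator hook, the status codes and the failing allocator are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical status codes and allocator hook (not from the original page). */
enum { SET_OK = 0, SET_NOMEM = -1, SET_RANGE = -2 };
typedef void *(*calloc_fn)(size_t nmemb, size_t size);

/* Constructed stand-in for an allocation that fails. */
void *failing_calloc(size_t nmemb, size_t size) {
    (void)nmemb;
    (void)size;
    return NULL;
}

/* Noncompliant: the allocation result is never checked. If alloc returns
 * NULL, table[index] is an address computed from NULL, so the store can
 * land in mapped memory instead of faulting. Shown for contrast only. */
int *set_entry_unchecked(calloc_fn alloc, size_t count, size_t index, int value) {
    int *table = alloc(count, sizeof *table);
    table[index] = value; /* undefined behavior when table == NULL */
    return table;
}

/* Compliant: validate the index, then check the allocation before any use. */
int set_entry_checked(calloc_fn alloc, size_t count, size_t index, int value,
                      int **out) {
    int *table;
    *out = NULL;
    if (index >= count)
        return SET_RANGE;
    table = alloc(count, sizeof *table);
    if (table == NULL)
        return SET_NOMEM;
    table[index] = value;
    *out = table;
    return SET_OK;
}

int main(void) {
    int *t = NULL;
    int rc = set_entry_checked(failing_calloc, 16, 4, 7, &t);
    printf("failed allocation -> rc=%d, table=%p\n", rc, (void *)t);
    rc = set_entry_checked(calloc, 16, 4, 7, &t);
    printf("normal allocation -> rc=%d, t[4]=%d\n", rc, t ? t[4] : 0);
    free(t);
    return 0;
}
```

The checked form reports the failed allocation to the caller instead of continuing with a pointer derived from NULL.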
...
\[[ISO/IEC 9899:1999|AA. C++ References#ISO/IEC 9899-1999]\] Section 7.20.3, "Memory management functions"
\[[ISO/IEC 14882-2003|AA. C++ References#ISO/IEC 14882-2003]\] Section 5.3.4
\[[MITRE 07|AA. C++ References#MITRE 07]\] [CWE ID 476|http://cwe.mitre.org/data/definitions/476.html], "NULL Pointer Dereference," and [CWE ID 252|http://cwe.mitre.org/data/definitions/252.html], "Unchecked Return Value"
\[[Seacord 05|AA. C++ References#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
\[[VU#159523|AA. C++ References#VU#159523]\]
...