System-allocation function: A function which yields a pointer that may be used to access a particular object or an array of such objects in the space allocated (until the space is explicitly deallocated). The functions calloc(), malloc(), realloc() and aligned_alloc() are system-allocation functions.
System-deallocation function: A function which causes space to be deallocated, that is, made available for further allocation. The function free is a system-deallocation function.
Any other system-allocation and system-deallocation functions are implementation-defined.
void *realloc (void *ptr, size_t size);
The realloc function is both a system-allocation function and a system-deallocation function. It deallocates the old object pointed to by ptr and returns a pointer to a new object of the specified size. The contents of the new object are the same as those of the old object prior to deallocation, up to the smaller of the new and old sizes; any bytes beyond that have indeterminate values.
The realloc function behaves like the malloc function if ptr is null. Otherwise, if ptr does not match a pointer earlier returned by the calloc, malloc, or realloc function, or if the space has been deallocated by a call to the free or realloc function, the behavior is undefined.
If ptr was allocated with an alignment greater than alignof(max_align_t), the behavior is undefined. realloc (like malloc and calloc) is only required to return a pointer suitably aligned for any object with a fundamental alignment requirement, that is, alignof(max_align_t); the stricter alignment that was requested through aligned_alloc is not preserved by the reallocation, so the object may no longer satisfy the alignment the rest of the program relies on.
Non-Compliant Code
The non-compliant code shows an example where ptr is allocated with an alignment greater than alignof(max_align_t) and then passed to realloc:

#include <stdlib.h>

size_t size = 16;
size_t alignment = 2 << 29;   /* 2^30, far larger than alignof(max_align_t) */
float *ptr;
float *ptr1;
ptr = aligned_alloc(alignment, size);
ptr1 = realloc(ptr, size);    /* undefined behavior: ptr is over-aligned */

The call to realloc has undefined behavior because ptr was obtained with an alignment greater than alignof(max_align_t), the strongest alignment realloc is guaranteed to honor.
Compliant Solution
The compliant solution only passes ptr to realloc when its alignment does not exceed alignof(max_align_t) (declared in <stdalign.h> and <stddef.h>); an over-aligned block is left as allocated:

#include <stdalign.h>
#include <stddef.h>
#include <stdlib.h>

size_t size = 16;
size_t alignment = 2 << 29;
float *ptr;
float *ptr1;
ptr = aligned_alloc(alignment, size);
if (alignment <= alignof(max_align_t)) {
    ptr1 = realloc(ptr, size);   /* safe: realloc honors this alignment */
} else {
    ptr1 = ptr;                  /* over-aligned block: do not realloc it */
}
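The compliant solution above simply refuses to call realloc on an over-aligned block, which leaves the question of how to resize one. The following is an added example, not code from the CERT page or the C standard: it goes beyond the page's fragment by implementing a general aligned_realloc (a hypothetical helper, named here for illustration) that allocates a fresh block with the original alignment via aligned_alloc, copies the surviving prefix, and frees the old block, so the alignment guarantee is preserved through the resize. It also shows the alignof(max_align_t) check as a reusable predicate. It assumes a C11 hosted implementation where aligned_alloc requires size to be a multiple of alignment (the example rounds up to satisfy that).

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* True if a block allocated with this alignment may be handed to realloc at all:
 * realloc only promises alignof(max_align_t). */
int realloc_safe_alignment(size_t alignment) {
    return alignment <= alignof(max_align_t);
}

/* Return 1 if p satisfies `alignment` (which must be a power of two), else 0. */
static int is_aligned(const void *p, size_t alignment) {
    return ((uintptr_t)p & (alignment - 1)) == 0;
}

/* Round n up to a multiple of alignment (a power of two). */
static size_t round_up(size_t n, size_t alignment) {
    return (n + alignment - 1) & ~(alignment - 1);
}

/* Hypothetical helper (not a standard function): resize a block obtained from
 * aligned_alloc(alignment, old_size) WITHOUT calling realloc. A fresh block is
 * allocated with the same alignment, the surviving prefix is copied, and the old
 * block is freed. On failure it returns NULL and leaves the old block intact,
 * mirroring realloc's contract. */
void *aligned_realloc(void *old, size_t alignment, size_t old_size, size_t new_size) {
    /* C11 aligned_alloc requires size to be an integral multiple of alignment. */
    size_t rounded = round_up(new_size, alignment);
    if (rounded < new_size) {
        return NULL;            /* size_t overflow while rounding */
    }
    void *fresh = aligned_alloc(alignment, rounded);
    if (fresh == NULL) {
        return NULL;            /* old block is still owned by the caller */
    }
    if (old != NULL) {
        memcpy(fresh, old, old_size < new_size ? old_size : new_size);
        free(old);
    }
    return fresh;
}

/* Demonstration with constructed data: grow a 64-byte-aligned buffer from 64 to
 * 256 bytes and check that both the contents and the alignment survived.
 * Returns 1 on success, 0 if a check failed, -1 on allocation failure. */
int demo(void) {
    const size_t alignment = 64;
    unsigned char *buf = aligned_alloc(alignment, 64);
    if (buf == NULL) {
        return -1;
    }
    memset(buf, 0xAB, 64);      /* constructed fill pattern */

    unsigned char *grown = aligned_realloc(buf, alignment, 64, 256);
    if (grown == NULL) {
        free(buf);
        return -1;
    }
    int ok = is_aligned(grown, alignment);
    for (size_t i = 0; i < 64; i++) {
        ok = ok && grown[i] == 0xAB;
    }
    free(grown);
    return ok;
}

int main(void) {
    return demo() == 1 ? 0 : 1;
}
```

Note that aligned_realloc cannot grow in place the way realloc sometimes can; the cost of the copy is the price of keeping the alignment guarantee, and it is only needed when realloc_safe_alignment() reports that realloc is not an option.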
Risk Assessment
Accessing an object through a pointer whose alignment is weaker than the object requires can cause misaligned reads and writes. Depending on the platform these trap, silently access the wrong bytes, or break code (such as SIMD or lock-free routines) that relies on the stricter alignment, which can lead to memory corruption.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
MEM36-C | medium | probable | medium | P8 | L2
References
[ISO/IEC 9899:201x] ISO/IEC 9899:201x, Programming languages - C, Committee Draft N1401. http://www.open-std.org/Jtc1/sc22/wg14/www/docs/n1401.pdf