The calloc() function takes two arguments: the number of elements to allocate and the storage size of those elements. calloc() multiples these arguments together, and uses the result to specify the amount of memory to allocate. However, if the result of multiplying the number of elements to allocate and the storage size cannot be represented properly by an unsigned int, an integer overflow will occur. Therefore it is necessary to check the product of the arguments to calloc() for an integer overflow. If an overflow occurs, the program should detect and handle it appropriately.
This design itself was considered a vulnerability. [RU-CERT