The calloc() function takes two arguments: the number of elements to allocate and the storage size of those elements. calloc() multiples these arguments together, and uses the result to specify the amount of memory to allocate. However, if the result of multiplying the number of elements to allocate and the storage size cannot be represented properly by an unsigned int, an integer overflow will occur. Therefore it is necessary to check the product of the arguments to calloc() for an integer overflow. If an overflow occurs, the program should detect and handle it appropriately.
Non-compliant Code Example 1
In this example, the user defined function get_size (not shown) is used to calculate the size requirements for a dynamic array of unsigned long long integers and stored in the variable num_elements. When calloc() is called to allocate the buffer, num_elements will be multiplied with the sizeof(unsigned long long) to compute the overall size requirements. If the value returned by get_size() is too large to be multiplied by sizeof(unsigned long long) and properly stored in an intermediate location within calloc(), then calloc() may allocate a buffer of insufficient size. When data is copied to that buffer, a buffer overflow may occur.
size_t num_elements = get_size(); long *buffer = calloc(num_elements, sizeof(long));
Compliant Solution 1
To correct this, a test is performed on the product of num_elements and sizeof(long) post the call to calloc(). The test reproduces the multiplication performed by calloc() and evaluates the product to determine if an overflow occured. The comparison checks the product against the system defined limit on a size_t data type ISO/IEC 9899 shifted left by one against the product of num_elements and sizeof(long). if the product's highest bit is set, then it is assumed that an arithmetic overflow has occured. Although this limits the amount of memory that can be allocated, it is important to note that typically, the maximum amount of allocatable memory is limited to a value less than SIZE_MAX.
size_t num_elements = calc_size();
long *buffer = calloc(num_elements, sizeof(long));
if ((num_elements*sizeof(long)) >= (SIZE_MAX>>1)) {
/* Handle error condition*/
}
References
RUS-CERT Advisory 2002-08:02, http://cert.uni-stuttgart.de/advisories/calloc.php
Secunia Advisory SA10635, http://secunia.com/advisories/10635/
ISO/IEC 9899, 7.18.3 Limits of other integer types