svn commit: r265367 - head/lib/libc/regex
Andrey Chernov
ache at freebsd.org
Mon May 5 21:51:30 UTC 2014
On 06.05.2014 1:43, David Chisnall wrote:
> While reallocf() is nice, it doesn't address the problem of overflow. It takes a single size, forcing the caller to do the number-of-elements * element-size multiplication, which is the problematic one. If an attacker can control the number of elements, then it's possible to make the multiplication overflow so reallocf() will return a valid pointer to an area of memory that is much smaller than the caller was expecting.
For the standard malloc/realloc interface it is up to the caller to check
that n*size does not overflow. You must trust that the caller already does such a check.
Using calloc() to enforce it instead of the caller is semantically wrong,
and especially strange when the caller is the standard C library under your
control.
--
http://ache.vniz.net/
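The overflow David Chisnall describes, and the caller-side check Andrey says must be trusted, are easy to show side by side. The following is an added example, not code from this thread or from FreeBSD's libc: a constructed `checked_reallocf()` helper that takes the element count and element size separately (as `reallocarray()`-style interfaces do), rejects the multiplication before allocating, and keeps `reallocf()`'s free-on-failure behaviour so `p = checked_reallocf(p, n, sz)` never leaks. `wrapped_product()` shows what the unchecked product silently becomes for an attacker-chosen count.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Products of two operands both below 2^(bits/2) cannot overflow, so the
 * division check is only paid for large operands. (Same idea as the
 * MUL_NO_OVERFLOW test in reallocarray().)
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 if n * size would exceed SIZE_MAX, 0 otherwise. */
int
mul_would_overflow(size_t n, size_t size)
{
	if ((n >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
	    n > 0 && SIZE_MAX / n < size)
		return (1);
	return (0);
}

/* The unchecked product: it wraps modulo SIZE_MAX + 1 without any error. */
size_t
wrapped_product(size_t n, size_t size)
{
	return (n * size);
}

/*
 * Constructed helper (not a libc function): like reallocf(), but the caller
 * passes n and size separately and the product is checked first. On any
 * failure the old pointer is freed, except for the realloc(p, 0) case where
 * some allocators already free it and return NULL.
 */
void *
checked_reallocf(void *p, size_t n, size_t size)
{
	void *np;
	size_t bytes;

	if (mul_would_overflow(n, size)) {
		free(p);
		errno = ENOMEM;
		return (NULL);
	}
	bytes = n * size;
	np = realloc(p, bytes);
	if (np == NULL && p != NULL && bytes != 0)
		free(p);
	return (np);
}

int
main(void)
{
	/* Constructed count: just past SIZE_MAX/2, so n * 2 wraps to 0. */
	size_t huge = SIZE_MAX / 2 + 1;
	int *buf;

	printf("unchecked: n*size wraps to %zu bytes\n",
	    wrapped_product(huge, 2));

	buf = checked_reallocf(NULL, huge, 2);
	printf("checked:   %s (errno=%d)\n",
	    buf == NULL ? "rejected" : "allocated", errno);

	buf = checked_reallocf(NULL, 16, sizeof(*buf));
	if (buf != NULL) {
		buf[15] = 42;	/* safe: 16 * sizeof(int) bytes really exist */
		printf("sane request: allocated %zu bytes\n", 16 * sizeof(*buf));
		free(buf);
	}
	return (0);
}
```

With the wrapped request, a plain `realloc(p, n * 2)` would hand back a zero-byte (or tiny) allocation that the caller then indexes as if it held `huge` elements; the checked variant turns the same input into an ENOMEM failure the caller already has to handle.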