[Freeciv-Dev] [bug #19005] calloc can overflow

Wed, 16 Nov 2011 00:54:23 -0800 

URL:
  <http://gna.org/bugs/?19005>

                 Summary: calloc can overflow
                 Project: Freeciv
            Submitted by: akfaew
            Submitted on: Wed Nov 16 08:54:10 2011
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: S2_3
         Discussion Lock: Any
        Operating System: None
         Planned Release: 

    _______________________________________________________

Details:

fc_real_calloc states:

size_t size = nelem*elsize;   /* potential overflow */

A check for potential overflow is the only reason calloc was created in the
first place (at least I think that was the case).

Here is how OpenBSD does it:

/usr/src/lib/libc/stdlib/malloc.c:1383:         if ((nmemb >= MUL_NO_OVERFLOW
|| size >= MUL_NO_OVERFLOW) &&
/usr/src/lib/libc/stdlib/malloc.c:1384:             nmemb > 0 && SIZE_MAX /
nmemb < size) {
/usr/src/lib/libc/stdlib/malloc.c:1385:                 _MALLOC_UNLOCK();
/usr/src/lib/libc/stdlib/malloc.c:1386:                 if
(mopts.malloc_xmalloc)
/usr/src/lib/libc/stdlib/malloc.c:1387:                         wrterror("out
of memory", NULL);
/usr/src/lib/libc/stdlib/malloc.c:1388:                 errno = ENOMEM;
/usr/src/lib/libc/stdlib/malloc.c:1389:                 return NULL;
/usr/src/lib/libc/stdlib/malloc.c:1390:         }


The attached patch ports this behaviour. It is untested.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Wed Nov 16 08:54:10 2011  Name: calloc.diff  Size: 2kB   By: akfaew

<http://gna.org/bugs/download.php?file_id=14562>

    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?19005>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

Reply via email to