URL: <http://gna.org/bugs/?19005>
Summary: calloc can overflow
Project: Freeciv
Submitted by: akfaew
Submitted on: Wed Nov 16 08:54:10 2011
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Assigned to: None
Originator Email:
Open/Closed: Open
Release: S2_3
Discussion Lock: Any
Operating System: None
Planned Release:

_______________________________________________________

Details:

fc_real_calloc states:

    size_t size = nelem*elsize; /* potential overflow */

A check for potential overflow is the only reason calloc was created in the first place (at least I think that was the case).

Here is how OpenBSD does it (/usr/src/lib/libc/stdlib/malloc.c, lines 1383-1390):

    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
            _MALLOC_UNLOCK();
            if (mopts.malloc_xmalloc)
                    wrterror("out of memory", NULL);
            errno = ENOMEM;
            return NULL;
    }

The attached patch ports this behaviour. It is untested.

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Wed Nov 16 08:54:10 2011  Name: calloc.diff  Size: 2kB  By: akfaew
<http://gna.org/bugs/download.php?file_id=14562>

_______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?19005>
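The following is an added, stand-alone illustration of the overflow check the report quotes from OpenBSD; it is not the attached calloc.diff and not Freeciv's fc_real_calloc. The names safe_calloc, calloc_would_overflow and wrapped_product are hypothetical, and MUL_NO_OVERFLOW is defined here the way OpenBSD's malloc.c defines it (2 to the power of half the bit width of size_t), which is an assumption about that header rather than something the report shows.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to match OpenBSD's definition: if both operands are below
 * 2^(bits/2) their product cannot exceed SIZE_MAX, so the (slow)
 * division is skipped on the common path. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 if nmemb * size would wrap around size_t, 0 otherwise.
 * The "nmemb > 0" guard keeps SIZE_MAX / nmemb from dividing by zero. */
int calloc_would_overflow(size_t nmemb, size_t size)
{
    return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
           nmemb > 0 && SIZE_MAX / nmemb < size;
}

/* Hypothetical checked calloc: same contract as calloc(3), but the
 * product is validated before it reaches malloc. On overflow it fails
 * with errno = ENOMEM instead of handing malloc a small wrapped size
 * that the caller would then index far past the end of. */
void *safe_calloc(size_t nmemb, size_t size)
{
    if (calloc_would_overflow(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = malloc(total);
    if (p != NULL) {
        memset(p, 0, total);
    }
    return p;
}

/* The unchecked multiplication from the report, kept so the wrapped
 * value can be compared against the checked path. */
size_t wrapped_product(size_t nmemb, size_t size)
{
    return nmemb * size; /* deliberately unchecked */
}
```

The interesting case is a request such as safe_calloc(SIZE_MAX / 2 + 1, 2): the unchecked product wraps to 0, so an unchecked implementation would call malloc(0) and return a pointer the caller believes covers billions of elements, whereas the checked version refuses it.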