Summary: calloc can overflow
                 Project: Freeciv
            Submitted by: akfaew
            Submitted on: Wed Nov 16 08:54:10 2011
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: S2_3
         Discussion Lock: Any
        Operating System: None
         Planned Release: 



fc_real_calloc states:

size_t size = nelem*elsize;   /* potential overflow */

A check for potential overflow is the only reason calloc was created in the
first place (at least I think that was the case).

Here is how OpenBSD does it:

/usr/src/lib/libc/stdlib/malloc.c:1383:         if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
/usr/src/lib/libc/stdlib/malloc.c:1384:             nmemb > 0 && SIZE_MAX / nmemb < size) {
/usr/src/lib/libc/stdlib/malloc.c:1385:                 _MALLOC_UNLOCK();
/usr/src/lib/libc/stdlib/malloc.c:1386:                 if
/usr/src/lib/libc/stdlib/malloc.c:1387:                         wrterror("out of memory", NULL);
/usr/src/lib/libc/stdlib/malloc.c:1388:                 errno = ENOMEM;
/usr/src/lib/libc/stdlib/malloc.c:1389:                 return NULL;
/usr/src/lib/libc/stdlib/malloc.c:1390:         }

The attached patch ports this behaviour. It is untested.
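As an added illustration (not the attached patch and not Freeciv's code), the OpenBSD guard quoted above wrapped around an allocation in C, with a constructed nelem/elsize pair whose product wraps around to just 8 bytes. The names checked_calloc, calloc_mul_overflows and wrapped_size are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same idea as OpenBSD's constant: if both factors are below 2^(bits/2)
 * the product cannot wrap, so the division is only paid for large inputs. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 if nelem * elsize would wrap around size_t, 0 otherwise. */
static int calloc_mul_overflows(size_t nelem, size_t elsize)
{
    return (nelem >= MUL_NO_OVERFLOW || elsize >= MUL_NO_OVERFLOW) &&
           nelem > 0 && SIZE_MAX / nelem < elsize;
}

/* The unchecked computation the report quotes: unsigned wraparound
 * turns a huge request into a small one. */
static size_t wrapped_size(size_t nelem, size_t elsize)
{
    return nelem * elsize;
}

/* Hypothetical checked replacement: refuse the request instead of
 * handing back a buffer far smaller than the caller asked for. */
static void *checked_calloc(size_t nelem, size_t elsize)
{
    if (calloc_mul_overflows(nelem, elsize)) {
        errno = ENOMEM;
        return NULL;
    }
    size_t size = nelem * elsize;
    void *p = malloc(size ? size : 1);   /* never return NULL for size 0 */
    if (p != NULL) {
        memset(p, 0, size);
    }
    return p;
}

int main(void)
{
    size_t nelem = SIZE_MAX / 8 + 2;     /* constructed: nelem * 8 wraps to 8 */
    printf("unchecked size: %zu bytes\n", wrapped_size(nelem, 8));
    printf("checked_calloc: %s\n",
           checked_calloc(nelem, 8) == NULL ? "refused (ENOMEM)" : "allocated");
    void *ok = checked_calloc(1000, 8);  /* sane request still succeeds */
    printf("1000 * 8: %s\n", ok != NULL ? "allocated" : "failed");
    free(ok);
    return 0;
}
```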


File Attachments:

Date: Wed Nov 16 08:54:10 2011  Name: calloc.diff  Size: 2kB   By: akfaew




  Message sent via/by Gna!

Freeciv-dev mailing list
