[Freeciv-Dev] [bug #19005] calloc can overflow
URL: http://gna.org/bugs/?19005
Summary: calloc can overflow
Project: Freeciv
Submitted by: akfaew
Submitted on: Wed Nov 16 08:54:10 2011
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Assigned to: None
Originator Email:
Open/Closed: Open
Release: S2_3
Discussion Lock: Any
Operating System: None
Planned Release:

Details:

fc_real_calloc states:

    size_t size = nelem*elsize; /* potential overflow */

A check for potential overflow is the only reason calloc was created in the first place (at least I think that was the case). Here is how OpenBSD does it:

    /usr/src/lib/libc/stdlib/malloc.c:1383:	if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
    /usr/src/lib/libc/stdlib/malloc.c:1384:	    nmemb > 0 && SIZE_MAX / nmemb < size) {
    /usr/src/lib/libc/stdlib/malloc.c:1385:		_MALLOC_UNLOCK();
    /usr/src/lib/libc/stdlib/malloc.c:1386:		if (mopts.malloc_xmalloc)
    /usr/src/lib/libc/stdlib/malloc.c:1387:			wrterror("out of memory", NULL);
    /usr/src/lib/libc/stdlib/malloc.c:1388:		errno = ENOMEM;
    /usr/src/lib/libc/stdlib/malloc.c:1389:		return NULL;
    /usr/src/lib/libc/stdlib/malloc.c:1390:	}

The attached patch ports this behaviour. It is untested.

File Attachments:

Date: Wed Nov 16 08:54:10 2011  Name: calloc.diff  Size: 2kB  By: akfaew
http://gna.org/bugs/download.php?file_id=14562

Reply to this item at: http://gna.org/bugs/?19005

Message sent via/by Gna!
http://gna.org/

Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
Follow-up Comment #1, bug #19005 (project freeciv):

I'm not familiar with the memory management, but you should also add the checks in lines 1384 and 1385 to the patch. Else it will not help at all ...
Follow-up Comment #2, bug #19005 (project freeciv):

fc_real_malloc will handle that, it calls sanity_check_size. Calloc only cares about overflow.

The SIZE_MAX part is redundant I think, it is equivalent to SIZE_MAX < nmemb * size. It can be important on some strange platforms, but on both Intel and sparc processors max addressable memory is equal to what size_t can contain. OpenBSD supports various strange architectures. I might be mistaken though.

    #define SIZE_MAX UINTPTR_MAX

    /usr/include/stdint.h:155: #ifdef __LP64__
    /usr/include/stdint.h:156: #define INTPTR_MIN  INT64_MIN
    /usr/include/stdint.h:157: #define INTPTR_MAX  INT64_MAX
    /usr/include/stdint.h:158: #define UINTPTR_MAX UINT64_MAX
    /usr/include/stdint.h:159: #else
    /usr/include/stdint.h:160: #define INTPTR_MIN  INT32_MIN
    /usr/include/stdint.h:161: #define INTPTR_MAX  INT32_MAX
    /usr/include/stdint.h:162: #define UINTPTR_MAX UINT32_MAX
    /usr/include/stdint.h:163: #endif

so size_t * size_t will never be greater than SIZE_MAX on a PC.
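The overflow check the report quotes from OpenBSD and that comment #2 discusses, as an added example written for this thread (it is neither Freeciv's fc_real_calloc nor the attached calloc.diff): the checked multiplication with the MUL_NO_OVERFLOW fast path, wrapped in a hypothetical safe_calloc that fails with ENOMEM instead of allocating a wrapped-around, too-small buffer. The MUL_NO_OVERFLOW definition is assumed to follow OpenBSD's (1 shifted by half the bit width of size_t).

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to match OpenBSD's definition: if both operands are below
 * 2^(bits/2) the product cannot overflow, so the division is only paid
 * when at least one operand is large. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Stores nmemb * size in *out and returns true when the product fits in
 * size_t; returns false (and leaves *out untouched) when it would wrap.
 * SIZE_MAX / nmemb < size is the division form of SIZE_MAX < nmemb * size
 * that comment #2 mentions, evaluated without the wrapping multiply. */
bool checked_mul_size(size_t nmemb, size_t size, size_t *out)
{
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        return false;
    }
    *out = nmemb * size;
    return true;
}

/* Hypothetical overflow-safe calloc replacement (example only). A zero
 * total still yields a unique, freeable pointer. */
void *safe_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (!checked_mul_size(nmemb, size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(total ? total : 1);
    if (p != NULL) {
        memset(p, 0, total);
    }
    return p;
}

int main(void)
{
    /* Unchecked, SIZE_MAX / 2 * 4 wraps to a tiny allocation; checked, it fails. */
    void *p = safe_calloc(SIZE_MAX / 2, 4);
    printf("overflowing request -> %s (errno=%d)\n", p ? "allocated!" : "NULL", errno);
    p = safe_calloc(16, 4);
    printf("16 * 4 -> %s\n", p ? "allocated" : "NULL");
    free(p);
    return 0;
}
```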