[Freeciv-Dev] [bug #19005] calloc can overflow

2011-11-16 Thread Michal Mazurek

URL:
  http://gna.org/bugs/?19005

 Summary: calloc can overflow
 Project: Freeciv
Submitted by: akfaew
Submitted on: Wed Nov 16 08:54:10 2011
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
  Status: None
 Assigned to: None
Originator Email: 
 Open/Closed: Open
 Release: S2_3
 Discussion Lock: Any
Operating System: None
 Planned Release: 

___

Details:

fc_real_calloc states:

size_t size = nelem*elsize;   /* potential overflow */

A check for potential overflow is the only reason calloc was created in the
first place (at least I think that was the case).

Here is how OpenBSD does it:

/usr/src/lib/libc/stdlib/malloc.c:1383: if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
/usr/src/lib/libc/stdlib/malloc.c:1384:     nmemb > 0 && SIZE_MAX / nmemb < size) {
/usr/src/lib/libc/stdlib/malloc.c:1385:         _MALLOC_UNLOCK();
/usr/src/lib/libc/stdlib/malloc.c:1386:         if (mopts.malloc_xmalloc)
/usr/src/lib/libc/stdlib/malloc.c:1387:             wrterror("out of memory", NULL);
/usr/src/lib/libc/stdlib/malloc.c:1388:         errno = ENOMEM;
/usr/src/lib/libc/stdlib/malloc.c:1389:         return NULL;
/usr/src/lib/libc/stdlib/malloc.c:1390: }


The attached patch ports this behaviour. It is untested.



___

File Attachments:


---
Date: Wed Nov 16 08:54:10 2011  Name: calloc.diff  Size: 2kB   By: akfaew

http://gna.org/bugs/download.php?file_id=14562

___

Reply to this item at:

  http://gna.org/bugs/?19005

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev


[Freeciv-Dev] [bug #19005] calloc can overflow

2011-11-16 Thread Matthias Pfafferodt

Follow-up Comment #1, bug #19005 (project freeciv):

I'm not familiar with the memory management but you should also add the
checks in line 1384 & 1385 to the patch. Else it will not help at all ...



[Freeciv-Dev] [bug #19005] calloc can overflow

2011-11-16 Thread Michal Mazurek

Follow-up Comment #2, bug #19005 (project freeciv):

fc_real_malloc will handle that, it calls sanity_check_size. Calloc only
cares about overflow. The SIZE_MAX part is redundant I think, it is equivalent
to SIZE_MAX < nmemb * size. It can be important on some strange platforms, but
on both Intel and sparc processors max addressable memory is equal to what
size_t can contain. OpenBSD supports various strange architectures. I might be
mistaken though.

#define  SIZE_MAX UINTPTR_MAX
/usr/include/stdint.h:155: #ifdef __LP64__
/usr/include/stdint.h:156: #define  INTPTR_MIN  INT64_MIN
/usr/include/stdint.h:157: #define  INTPTR_MAX  INT64_MAX
/usr/include/stdint.h:158: #define  UINTPTR_MAX UINT64_MAX
/usr/include/stdint.h:159: #else
/usr/include/stdint.h:160: #define  INTPTR_MIN  INT32_MIN
/usr/include/stdint.h:161: #define  INTPTR_MAX  INT32_MAX
/usr/include/stdint.h:162: #define  UINTPTR_MAX UINT32_MAX
/usr/include/stdint.h:163: #endif

so size_t * size_t will never be greater than SIZE_MAX on a PC.

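The overflow check discussed in the report and in comment #2 (the OpenBSD pre-test on MUL_NO_OVERFLOW followed by SIZE_MAX / nmemb < size), as an added example that is neither the attached calloc.diff nor Freeciv's own code: unchecked_product reproduces the unchecked nelem*elsize from fc_real_calloc, checked_calloc shows the ported check, and calloc_size_overflows, checked_calloc_zeroed and the MUL_NO_OVERFLOW definition (assumed to match OpenBSD's: 1 shifted by half the bits of size_t) are this example's own names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed OpenBSD-style constant: if both factors are below 2^(bits/2),
   the product cannot wrap, so the division below is skipped. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 if nmemb * size would wrap around size_t, else 0.
   SIZE_MAX / nmemb < size is the division form of SIZE_MAX < nmemb * size
   that can be evaluated without first computing the (wrapping) product. */
int calloc_size_overflows(size_t nmemb, size_t size)
{
  return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW)
         && nmemb > 0 && SIZE_MAX / nmemb < size;
}

/* The pattern the bug report quotes from fc_real_calloc: the product is
   taken as-is, so a wrapped value yields a far smaller buffer than the
   caller asked for, and every later element write lands out of bounds. */
size_t unchecked_product(size_t nelem, size_t elsize)
{
  return nelem * elsize; /* potential overflow */
}

/* Checked variant in the spirit of the proposed patch (hypothetical name). */
void *checked_calloc(size_t nmemb, size_t size)
{
  if (calloc_size_overflows(nmemb, size)) {
    errno = ENOMEM;
    return NULL;
  }
  void *p = malloc(nmemb * size);
  if (p != NULL) {
    memset(p, 0, nmemb * size);
  }
  return p;
}

/* Allocate n ints through checked_calloc and confirm they are zeroed. */
int checked_calloc_zeroed(size_t n)
{
  int *p = checked_calloc(n, sizeof(int));
  int ok = (p != NULL);
  for (size_t i = 0; ok && i < n; i++) {
    ok = (p[i] == 0);
  }
  free(p);
  return ok;
}
```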