On Fri, 19 Feb 2021 10:38:13 -0600, Luke Small wrote:
> In malloc(3):
> “If you use smaller integer types than size_t for ‘nmemb’ and ‘size’, then
> multiplication in freezero() may need to be cast to size_t to avoid integer
> overflow:
> freezero(ptr, (size_t)nmemb * (size_t)size);”
> Or maybe even: freezero(ptr, (size_t)nmemb * size);
This is bad advice. The product of two size_t values can exceed SIZE_MAX, at which point you would get integer overflow. This is why the malloc(3) man page warns against it. Note that on 64-bit platforms like amd64, size_t is already 64-bit so casting to unsigned long long or uint64_t is not effective.

On OpenBSD, calloc(3) and reallocarray(3) check for integer overflow for you, which is why they are preferred over malloc(nmemb * size). You can examine the code yourself:

http://cvsweb.openbsd.org/src/lib/libc/stdlib/reallocarray.c?rev=1.3

 - todd
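The kind of overflow check the reply is pointing at, written out as an added example (this is not code from the thread, and it is not OpenBSD's reallocarray.c; the functions mul_overflows, checked_array_size and alloc_array are hypothetical names chosen here). The fast path uses the half-width trick: when both factors are below 2^(bits/2) the product cannot wrap, so the division is only paid for large inputs. The block also evaluates the cast product from the quoted suggestion so the wrap-around is visible next to the detected overflow.

```c
/*
 * Added example, not from the mailing-list thread and not OpenBSD's own
 * reallocarray(3) source: a checked nmemb * size computation of the kind
 * calloc(3)/reallocarray(3) perform, beside the cast product that the
 * quoted advice relies on.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* If both factors are below 2^(half the bits of size_t) their product fits
 * in size_t, so the division check is skipped for the common small case. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Hypothetical helper: true when nmemb * size would exceed SIZE_MAX. */
bool mul_overflows(size_t nmemb, size_t size)
{
    if (nmemb < MUL_NO_OVERFLOW && size < MUL_NO_OVERFLOW)
        return false;          /* fast path: cannot wrap */
    if (nmemb == 0)
        return false;          /* 0 * anything is 0 */
    return SIZE_MAX / nmemb < size;
}

/* Hypothetical helper: on success store nmemb * size in *out and return 0;
 * on overflow set errno to ENOMEM (the error reallocarray(3) reports) and
 * return -1 without touching *out. */
int checked_array_size(size_t nmemb, size_t size, size_t *out)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return -1;
    }
    *out = nmemb * size;
    return 0;
}

/* What the cast in the quoted suggestion actually computes: the product is
 * evaluated in size_t and silently wraps modulo SIZE_MAX + 1. */
size_t cast_product(size_t nmemb, size_t size)
{
    return (size_t)nmemb * (size_t)size;
}

/* Hypothetical wrapper: allocate an array only when the byte count is
 * known not to have wrapped, returning the count so the caller can later
 * pass the same value to a freezero(3)-style release. */
void *alloc_array(size_t nmemb, size_t size, size_t *bytes_out)
{
    size_t bytes;
    if (checked_array_size(nmemb, size, &bytes) == -1)
        return NULL;
    *bytes_out = bytes;
    return malloc(bytes);
}

int main(void)
{
    size_t bytes = 0;
    /* Constructed inputs: nmemb * size equals SIZE_MAX + 1, which wraps to 0. */
    size_t nmemb = (size_t)1 << (sizeof(size_t) * 8 - 1);   /* SIZE_MAX/2 + 1 */
    size_t size = 2;

    printf("cast product : %zu (wrapped)\n", cast_product(nmemb, size));
    if (checked_array_size(nmemb, size, &bytes) == -1)
        printf("checked      : overflow detected, errno=%d (ENOMEM)\n", errno);

    void *p = alloc_array(1024, sizeof(uint32_t), &bytes);
    printf("small request: %zu bytes, ptr %s\n", bytes, p ? "ok" : "NULL");
    free(p);
    return 0;
}
```

The constructed case shows the point of the reply directly: the cast product evaluates to 0, so a malloc(0)-sized buffer would be handed back for a request that should have failed, while the checked path refuses it with ENOMEM. Widening the operands before multiplying cannot change this on amd64, because size_t is already the widest type the allocator accepts.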