diff options
author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2021-04-20 19:30:35 +0200 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2021-04-20 20:33:03 +0200 |
commit | 51defd927427b5b74c3a0c0f0b5c161929547cfc (patch) | |
tree | 7b7dc7a66a95427b3e420f45bd9f1a27ecc4dcf1 /cpukit/libcsupport/src | |
parent | malloc: Hide RTEMS_Malloc_Sbrk_amount (diff) | |
download | rtems-51defd927427b5b74c3a0c0f0b5c161929547cfc.tar.bz2 |
Fix calloc() behaviour in case of overflow
The multiplication to calculate the length of the memory area to
allocate may overflow. Return NULL in case of an overflow.
Close #4389.
Diffstat (limited to '')
-rw-r--r-- | cpukit/libcsupport/src/calloc.c | 13 | ||||
-rw-r--r-- | cpukit/libcsupport/src/rtemscalloc.c | 9 |
2 files changed, 20 insertions, 2 deletions
diff --git a/cpukit/libcsupport/src/calloc.c b/cpukit/libcsupport/src/calloc.c index e015f30d6c..693aa21453 100644 --- a/cpukit/libcsupport/src/calloc.c +++ b/cpukit/libcsupport/src/calloc.c @@ -20,7 +20,10 @@ #if defined(RTEMS_NEWLIB) && !defined(HAVE_CALLOC) #include <stdlib.h> + +#include <errno.h> #include <string.h> + #include <rtems/score/basedefs.h> void *calloc( @@ -31,7 +34,15 @@ void *calloc( void *cptr; size_t length; - length = nelem * elsize; + if ( nelem == 0 ) { + length = 0; + } else if ( elsize > SIZE_MAX / nelem ) { + errno = ENOMEM; + return NULL; + } else { + length = nelem * elsize; + } + cptr = malloc( length ); RTEMS_OBFUSCATE_VARIABLE( cptr ); if ( RTEMS_PREDICT_FALSE( cptr == NULL ) ) { diff --git a/cpukit/libcsupport/src/rtemscalloc.c b/cpukit/libcsupport/src/rtemscalloc.c index 4e189e8367..836f1da64d 100644 --- a/cpukit/libcsupport/src/rtemscalloc.c +++ b/cpukit/libcsupport/src/rtemscalloc.c @@ -46,7 +46,14 @@ void *rtems_calloc( size_t nelem, size_t elsize ) size_t length; void *p; - length = nelem * elsize; + if ( nelem == 0 ) { + length = 0; + } else if ( elsize > SIZE_MAX / nelem ) { + return NULL; + } else { + length = nelem * elsize; + } + p = rtems_malloc( length ); RTEMS_OBFUSCATE_VARIABLE( p ); if ( RTEMS_PREDICT_FALSE( p == NULL ) ) { |