summaryrefslogtreecommitdiffstats
path: root/cpukit
diff options
context:
space:
mode:
authorSebastian Huber <sebastian.huber@embedded-brains.de>2021-04-20 19:30:35 +0200
committerSebastian Huber <sebastian.huber@embedded-brains.de>2021-04-20 20:33:03 +0200
commit51defd927427b5b74c3a0c0f0b5c161929547cfc (patch)
tree7b7dc7a66a95427b3e420f45bd9f1a27ecc4dcf1 /cpukit
parentmalloc: Hide RTEMS_Malloc_Sbrk_amount (diff)
downloadrtems-51defd927427b5b74c3a0c0f0b5c161929547cfc.tar.bz2
Fix calloc() behaviour in case of overflow
The multiplication to calculate the length of the memory area to allocate may overflow. Return NULL in case of an overflow. Close #4389.
Diffstat (limited to 'cpukit')
-rw-r--r--cpukit/libcsupport/src/calloc.c13
-rw-r--r--cpukit/libcsupport/src/rtemscalloc.c9
2 files changed, 20 insertions, 2 deletions
diff --git a/cpukit/libcsupport/src/calloc.c b/cpukit/libcsupport/src/calloc.c
index e015f30d6c..693aa21453 100644
--- a/cpukit/libcsupport/src/calloc.c
+++ b/cpukit/libcsupport/src/calloc.c
@@ -20,7 +20,10 @@
#if defined(RTEMS_NEWLIB) && !defined(HAVE_CALLOC)
#include <stdlib.h>
+
+#include <errno.h>
#include <string.h>
+
#include <rtems/score/basedefs.h>
void *calloc(
@@ -31,7 +34,15 @@ void *calloc(
void *cptr;
size_t length;
- length = nelem * elsize;
+ if ( nelem == 0 ) {
+ length = 0;
+ } else if ( elsize > SIZE_MAX / nelem ) {
+ errno = ENOMEM;
+ return NULL;
+ } else {
+ length = nelem * elsize;
+ }
+
cptr = malloc( length );
RTEMS_OBFUSCATE_VARIABLE( cptr );
if ( RTEMS_PREDICT_FALSE( cptr == NULL ) ) {
diff --git a/cpukit/libcsupport/src/rtemscalloc.c b/cpukit/libcsupport/src/rtemscalloc.c
index 4e189e8367..836f1da64d 100644
--- a/cpukit/libcsupport/src/rtemscalloc.c
+++ b/cpukit/libcsupport/src/rtemscalloc.c
@@ -46,7 +46,14 @@ void *rtems_calloc( size_t nelem, size_t elsize )
size_t length;
void *p;
- length = nelem * elsize;
+ if ( nelem == 0 ) {
+ length = 0;
+ } else if ( elsize > SIZE_MAX / nelem ) {
+ return NULL;
+ } else {
+ length = nelem * elsize;
+ }
+
p = rtems_malloc( length );
RTEMS_OBFUSCATE_VARIABLE( p );
if ( RTEMS_PREDICT_FALSE( p == NULL ) ) {