[llvm-bugs] [Bug 27729] New: Find size_t overflows in calls to malloc, realloc

via llvm-bugs llvm-bugs at lists.llvm.org
Thu May 12 14:54:31 PDT 2016


            Bug ID: 27729
           Summary: Find size_t overflows in calls to malloc, realloc
           Product: clang
           Version: unspecified
          Hardware: Macintosh
                OS: MacOS X
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: mark.rogers at powermapper.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

Would be very useful to warn about malloc/realloc overflows. Code like the
following is a fairly common source of exploits, because an attacker can trick
malloc into allocating less memory than the code expects, and overwrite memory
outside the malloc'd block with a payload:

wchar_t* MallocOverflow( const PdfStringTest & rString )
    size_t  lLen = rString.GetCharacterLength();

    if( !lLen )
        return NULL;

    // should warn about size_t overflow: 
    // if lLen == 1GB, and sizeof(wchar_t)=4,
    // then malloc'd buffer is 4 bytes long on 32-bit system
    wchar_t* pDest = static_cast<wchar_t*>(malloc( sizeof(wchar_t) * (lLen + 1)

    return pDest;

Any multiplication involving size_t is suspect since you sometimes see code
like this:

size_t buffLen = sizeof(wchar_t) * (lLen + 1);
wchar_t* pDest = static_cast<wchar_t*>(malloc(buffLen));

Best Regards

You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20160512/8f9a0e90/attachment.html>

More information about the llvm-bugs mailing list