[llvm-bugs] [Bug 27729] New: Find size_t overflows in calls to malloc, realloc
via llvm-bugs
llvm-bugs at lists.llvm.org
Thu May 12 14:54:31 PDT 2016
https://llvm.org/bugs/show_bug.cgi?id=27729
Bug ID: 27729
Summary: Find size_t overflows in calls to malloc, realloc
Product: clang
Version: unspecified
Hardware: Macintosh
OS: MacOS X
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: kremenek at apple.com
Reporter: mark.rogers at powermapper.com
CC: llvm-bugs at lists.llvm.org
Classification: Unclassified
Would be very useful to warn about malloc/realloc overflows. Code like the
following is a fairly common source of exploits, because an attacker can trick
malloc into allocating less memory than the code expects, and overwrite memory
outside the malloc'd block with a payload:
wchar_t* MallocOverflow( const PdfStringTest & rString )
{
size_t lLen = rString.GetCharacterLength();
if( !lLen )
return NULL;
// should warn about size_t overflow:
// if lLen == 1GB, and sizeof(wchar_t)=4,
// then malloc'd buffer is 4 bytes long on 32-bit system
wchar_t* pDest = static_cast<wchar_t*>(malloc( sizeof(wchar_t) * (lLen + 1) ));
return pDest;
}
Any multiplication involving size_t is suspect since you sometimes see code
like this:
size_t buffLen = sizeof(wchar_t) * (lLen + 1);
wchar_t* pDest = static_cast<wchar_t*>(malloc(buffLen));
Best Regards
Mark
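The wrap-around described in the report, shown side by side with a checked size computation. This is an added example, not code from the bug report or from clang; the names naive_bytes, checked_bytes and alloc_wide_buffer are mine. The template parameter U stands in for size_t, so the same code reproduces the 32-bit case from the report (U = uint32_t, lLen = 1GB, sizeof(wchar_t) = 4 gives a 4-byte buffer) as well as the wrap on whatever width size_t has on the machine it is compiled on.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>

// Unchecked size computation, exactly the shape of the MallocOverflow()
// snippet in the report: elem * (count + 1) wraps silently once the
// product exceeds the maximum value of U. U models the size type
// (size_t on the real target, uint32_t to simulate a 32-bit system).
template <typename U>
U naive_bytes(U count, U elem) {
    return static_cast<U>(elem * static_cast<U>(count + 1));
}

// Checked version: reports overflow instead of wrapping. Both the
// addition (count + 1) and the multiplication are tested before they
// are performed, using only a division, so it is portable to any
// compiler (no reliance on __builtin_mul_overflow).
template <typename U>
bool checked_bytes(U count, U elem, U *out) {
    const U max = std::numeric_limits<U>::max();
    if (count == max) return false;                 // count + 1 would wrap
    const U n = static_cast<U>(count + 1);
    if (elem != 0 && n > max / elem) return false;  // n * elem would wrap
    *out = static_cast<U>(n * elem);
    return true;
}

// Hardened replacement for MallocOverflow() (hypothetical name): returns
// nullptr when the byte count is not representable, instead of handing
// malloc a tiny wrapped value that the caller will then overrun.
wchar_t *alloc_wide_buffer(size_t len) {
    if (!len) return nullptr;
    size_t bytes;
    if (!checked_bytes<size_t>(len, sizeof(wchar_t), &bytes)) return nullptr;
    return static_cast<wchar_t *>(std::malloc(bytes));
}

int main() {
    // The report's numbers on a 32-bit size_t: 4 * (2^30 + 1) wraps to 4.
    const uint32_t one_gb = 1u << 30;
    std::printf("32-bit naive:   %u bytes\n", naive_bytes<uint32_t>(one_gb, 4));
    uint32_t b32;
    std::printf("32-bit checked: %s\n",
                checked_bytes<uint32_t>(one_gb, 4, &b32) ? "ok" : "overflow");

    // Same wrap at native width: (SIZE_MAX/4 + 1) * 4 == 2^N, which wraps to 0.
    const size_t big = SIZE_MAX / 4;
    std::printf("native naive:   %zu bytes\n", naive_bytes<size_t>(big, 4));
    wchar_t *p = alloc_wide_buffer(big);
    std::printf("native checked: %s\n", p ? "allocated" : "refused");
    std::free(p);
    return 0;
}
```

The check `n > max / elem` is the pattern a static analyzer would want to see between the length and the call to malloc; its absence on a path where the length is attacker-controlled is the condition the report asks clang to flag.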