From c54db6f008990743c52cf273b9ce6b93ec7f00f3 Mon Sep 17 00:00:00 2001 From: Peter Limkilde Svendsen Date: Sat, 2 Feb 2019 15:52:39 +0100 Subject: [PATCH 1/3] Add integer overflow check to calloc --- src/header/stdlib/mod.rs | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/header/stdlib/mod.rs b/src/header/stdlib/mod.rs index d36e13a0c9..713ba6c254 100644 --- a/src/header/stdlib/mod.rs +++ b/src/header/stdlib/mod.rs @@ -186,12 +186,18 @@ pub unsafe extern "C" fn bsearch( #[no_mangle] pub unsafe extern "C" fn calloc(nelem: size_t, elsize: size_t) -> *mut c_void { - let size = nelem * elsize; - let ptr = malloc(size); - if !ptr.is_null() { - intrinsics::write_bytes(ptr as *mut u8, 0, size); + //Handle possible integer overflow in size calculation + let size_result = nelem.checked_mul(elsize); + match size_result { + Some(size) => { + let ptr = malloc(size); + if !ptr.is_null() { + intrinsics::write_bytes(ptr as *mut u8, 0, size); + } + ptr + }, + None => core::ptr::null_mut() } - ptr } #[repr(C)] From 8b7453edf2265f16ac697c55d5c1a30da5f5e5c0 Mon Sep 17 00:00:00 2001 From: Peter Limkilde Svendsen Date: Sat, 2 Feb 2019 16:41:09 +0100 Subject: [PATCH 2/3] Add test of calloc with overflow --- tests/stdlib/alloc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/stdlib/alloc.c b/tests/stdlib/alloc.c index bfb8673400..4875b87519 100644 --- a/tests/stdlib/alloc.c +++ b/tests/stdlib/alloc.c @@ -18,6 +18,10 @@ int main(int argc, char ** argv) { } free(ptrc); + char * ptrco = (char *)calloc(SIZE_MAX, SIZE_MAX); + printf("calloc (overflowing) %p\n", ptrco); + free(ptrco); /* clean up correctly even if overflow is not handled */ + char * ptra = (char *)memalign(256, 256); printf("memalign %p\n", ptra); for(i = 0; i < 256; i++) { From 7aa0fbdf93019e6fd545ce302242415fdd5e9f8b Mon Sep 17 00:00:00 2001 From: Peter Limkilde Svendsen Date: Sat, 2 Feb 2019 16:51:38 +0100 Subject: [PATCH 3/3] Include stdint.h in test --- tests/stdlib/alloc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/stdlib/alloc.c b/tests/stdlib/alloc.c index 4875b87519..d71b78130c 100644 --- a/tests/stdlib/alloc.c +++ b/tests/stdlib/alloc.c @@ -1,6 +1,7 @@ #include #include #include +#include /* for SIZE_MAX */ int main(int argc, char ** argv) { char * ptr = (char *)malloc(256);