OpenBSD has developed reallocarray() which is an API that makes integer overflow detection easier when allocating memory.
This has helped to fix one issue in Henry Spencer's regex library that affected FreeBSD and NetBSD, but not OpenBSD.
Quoting from OpenBSD's man page:
size_t num, size;
...
/* Check for size_t overflow */
if (size && num > SIZE_MAX / size)
        errc(1, EOVERFLOW, "overflow");
if ((p = malloc(size * num)) == NULL)
        err(1, "malloc");
The above test is not sufficient in all cases. For example, multiplying ints requires a different set of checks:
int num, size;
...
/* Avoid invalid requests */
if (size < 0 || num < 0)
        errc(1, EOVERFLOW, "overflow");
/* Check for signed int overflow */
if (size && num > INT_MAX / size)
        errc(1, EOVERFLOW, "overflow");
if ((p = malloc(size * num)) == NULL)
        err(1, "malloc");
Assuming the implementation checks for integer overflow as OpenBSD does, it is much easier to use calloc() or reallocarray().
The above examples could be simplified to:
if ((p = reallocarray(NULL, num, size)) == NULL)
        err(1, "reallocarray");
I have attempted to write an initial patch for giflib.
Comments welcomed.
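The following is an added, self-contained C example (not part of this thread, of the OpenBSD man page, or of the giflib patch) that puts the two checks quoted above into functions and shows what an unchecked num * size actually requests once the product wraps. The names safe_reallocarray, size_mul_overflows, int_mul_overflows and wrapped_request are this example's own; safe_reallocarray is a portable stand-in for OpenBSD's reallocarray(), not the OpenBSD implementation.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The size_t check from the OpenBSD man page: num * size overflows exactly
 * when num > SIZE_MAX / size (size == 0 can never overflow). Returns 1 on
 * overflow, 0 when the product fits. */
int size_mul_overflows(size_t num, size_t size)
{
    return size != 0 && num > SIZE_MAX / size;
}

/* The signed int variant: negative operands are invalid requests, then the
 * same division test against INT_MAX. Returns 1 if the request must be
 * rejected. */
int int_mul_overflows(int num, int size)
{
    if (size < 0 || num < 0)
        return 1;
    return size != 0 && num > INT_MAX / size;
}

/* Hypothetical portable stand-in for reallocarray(): refuse the request with
 * ENOMEM instead of letting the multiplication wrap. */
void *safe_reallocarray(void *ptr, size_t num, size_t size)
{
    if (size_mul_overflows(num, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, num * size);
}

/* The byte count an unchecked malloc(num * size) would really pass to the
 * allocator: unsigned multiplication wraps modulo SIZE_MAX + 1 silently. */
size_t wrapped_request(size_t num, size_t size)
{
    return num * size;
}

/* Helper for a quick self-check: 1 if a checked allocation of num elements
 * of size bytes succeeds (and is freed again), 0 otherwise. */
int checked_alloc_succeeds(size_t num, size_t size)
{
    void *p = safe_reallocarray(NULL, num, size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed input: just past half of SIZE_MAX, times 2, wraps to 0. */
    size_t num = SIZE_MAX / 2 + 1, size = 2;

    printf("unchecked request would be %zu bytes\n", wrapped_request(num, size));
    printf("overflow detected: %d\n", size_mul_overflows(num, size));
    printf("checked allocation succeeded: %d\n", checked_alloc_succeeds(num, size));
    printf("sane allocation succeeded: %d\n", checked_alloc_succeeds(4, 8));
    return 0;
}
```

On both 32-bit and 64-bit targets the wrapped product is 0, so an unchecked malloc(num * size) would return a tiny (or zero-sized) buffer that the caller then writes num elements into; the division test catches the same inputs regardless of the width of size_t.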
Dear All,
I have updated the patch, for realloc() to reallocarray().
I would like to add that the malloc(x*y) and realloc(x*y) idioms have led to at least 1 known vulnerability:
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
OpenBSD was not affected due to the extensive work to adapt those idioms to the new API.
On Thu, May 28, 2015 at 9:07 AM, Eric S. Raymond esr@users.sf.net wrote:
Hi,
Eric,
Thank you for reviewing and accepting the patch.
I attached an updated patch in the comment.
Please see: http://sourceforge.net/p/giflib/patches/21/#a9fb