Correctly handle the case in calloc(num, size) where

(size_t)(num * size) == 0
but both num and size are nonzero.

Reported by:	Ilja van Sprundel
Approved by:	jasone
Security:	Integer overflow; calloc was allocating 1 byte in
		response to a request for a multiple of 2^32 (or 2^64)
		bytes instead of returning NULL.
Colin Percival 2006-08-13 21:54:47 +00:00
parent 0f9e9c60c0
commit e981a4e863

@ -3495,7 +3495,7 @@ calloc(size_t num, size_t size)
num_size = num * size;
if (num_size == 0) {
if (opt_sysv == false)
if ((opt_sysv == false) && ((num == 0) || (size == 0)))
num_size = 1;
else {
ret = NULL;
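
Review bot: The added `(num == 0) || (size == 0)` test inside the `if (num_size == 0)` branch only catches a product that wraps to exactly zero. A multiplication that overflows to a nonzero `num_size` never enters this branch, so it needs a separate check (for example `num_size / size != num`) in the code after the `else` block, which this hunk does not show; please confirm that check exists. The `else` path also now serves two different cases, a zero-sized request with `opt_sysv` set and an overflowed multiplication, so a one-line comment there saying that both return NULL would make the intent clear.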