diff options
| author | cperciva <cperciva@FreeBSD.org> | 2006-08-13 21:54:47 +0000 |
|---|---|---|
| committer | cperciva <cperciva@FreeBSD.org> | 2006-08-13 21:54:47 +0000 |
| commit | 230593e64f2ac3d2fa66e8760e14267f14f2b14a (patch) | |
| tree | 736ba4df0ca49aaff077b74a656362848da88172 /lib | |
| parent | 1ca146c4506ba4101ebba61a4cc126f023c1ee2f (diff) | |
| download | FreeBSD-src-230593e64f2ac3d2fa66e8760e14267f14f2b14a.zip FreeBSD-src-230593e64f2ac3d2fa66e8760e14267f14f2b14a.tar.gz | |
Correctly handle the case in calloc(num, size) where
(size_t)(num * size) == 0
but both num and size are nonzero.
Reported by: Ilja van Sprundel
Approved by: jasone
Security: Integer overflow; calloc was allocating 1 byte in
response to a request for a multiple of 2^32 (or 2^64)
bytes instead of returning NULL.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libc/stdlib/malloc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c index a3f6e27..eb9bf56 100644 --- a/lib/libc/stdlib/malloc.c +++ b/lib/libc/stdlib/malloc.c @@ -3495,7 +3495,7 @@ calloc(size_t num, size_t size) num_size = num * size; if (num_size == 0) { - if (opt_sysv == false) + if ((opt_sysv == false) && ((num == 0) || (size == 0))) num_size = 1; else { ret = NULL; |
