From 230593e64f2ac3d2fa66e8760e14267f14f2b14a Mon Sep 17 00:00:00 2001
From: cperciva
Date: Sun, 13 Aug 2006 21:54:47 +0000
Subject: Correctly handle the case in calloc(num, size) where (size_t)(num * size) == 0 but both num and size are nonzero.
Reported by: Ilja van Sprundel
Approved by: jasone
Security: Integer overflow; calloc was allocating 1 byte in response to a request for a multiple of 2^32 (or 2^64) bytes instead of returning NULL.
---
 lib/libc/stdlib/malloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/libc/stdlib')
diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c
index a3f6e27..eb9bf56 100644
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@@ -3495,7 +3495,7 @@ calloc(size_t num, size_t size)
 num_size = num * size;
 if (num_size == 0) {
- if (opt_sysv == false)
+ if ((opt_sysv == false) && ((num == 0) || (size == 0)))
 num_size = 1;
 else {
 ret = NULL;
--
cgit v1.1
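Review bot: The added condition only closes the overflow case where `num * size` wraps to exactly zero; when the product wraps to a small nonzero value the `if (num_size == 0)` block is skipped entirely and the caller gets a buffer far smaller than requested, which is the same under-allocation this commit is meant to stop. The product should be rejected before it is trusted, e.g. right after `num_size = num * size;` add `if (num != 0 && num_size / num != size) { ret = NULL; /* overflow: take the same error path as the else branch below */ }` and route it to the function's common return the way the `else` branch already does. The inner parentheses in `((num == 0) || (size == 0))` are redundant and `num == 0 || size == 0` reads more easily. calloc's body starts and ends outside the hunk, so the error-return path it would share is not visible here.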