On Thu 28 May 2015, Eirik Byrkjeflot Anonsen wrote:
> Marek Olšák <mar...@gmail.com> writes:
>
> > I don't understand. Using size_t should prevent the integer overflow.
> > Is there anything else wrong other than no fail path for malloc? I
> > also don't understand how calloc can help here.
> >
> > Marek
>
> "size * sizeof(int_attribs[0])" may overflow and thus wrap to a small
> number. Using calloc, you'd have "calloc(size, sizeof(int_attribs[0]))",
> moving the overflow inside calloc(). So if calloc() does its job
> properly, it will protect against it.
Right. It's very unlikely that an attacker could coerce the size calculation to overflow, but better safe than sorry.

calloc() [and ralloc() too] will refuse to allocate memory if the size calculation overflows. ralloc() checks for overflow with some simple arithmetic. I expect that calloc() checks for overflow using a faster method: multiply first, then inspect the overflow flag in a status register. Recent GCC provides builtin functions for that [1].

[1] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html#Integer-Overflow-Builtins
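An added example of the wrap Eirik describes and of the two overflow checks contrasted above (ralloc-style arithmetic versus the GCC builtin), alongside a checked allocation helper. This is illustration code, not Mesa's; the function names and the constructed count are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive size computation from the thread: count * sizeof(elem) is done in
 * size_t and silently wraps, so a huge count can become a tiny request. */
size_t naive_bytes(size_t count, size_t elem_size)
{
    return count * elem_size;   /* wraps modulo (SIZE_MAX + 1) */
}

/* ralloc-style check: plain arithmetic, no compiler support needed.
 * Returns 1 if count * elem_size does not fit in a size_t. */
int mul_overflows_arith(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return 0;
    return count > SIZE_MAX / elem_size;
}

/* The faster method the reply describes: let the CPU multiply and report
 * the overflow flag; GCC 5+ and clang expose it as __builtin_mul_overflow. */
int mul_overflows_builtin(size_t count, size_t elem_size)
{
    size_t total;
    return __builtin_mul_overflow(count, elem_size, &total) ? 1 : 0;
}

/* Hardened array allocation: refuse on overflow and return NULL, giving the
 * caller the single fail path the thread notes is missing for malloc(). */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    size_t total;
    if (__builtin_mul_overflow(count, elem_size, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* Constructed count: huge * sizeof(int) is exactly 2^N, so it wraps to 0. */
    size_t huge = SIZE_MAX / sizeof(int) + 1;
    printf("naive:   %zu bytes requested\n", naive_bytes(huge, sizeof(int)));
    printf("arith:   overflow=%d\n", mul_overflows_arith(huge, sizeof(int)));
    printf("builtin: overflow=%d\n", mul_overflows_builtin(huge, sizeof(int)));
    printf("checked: %p\n", alloc_array_checked(huge, sizeof(int)));
    printf("calloc:  %p (libc's own check)\n", calloc(huge, sizeof(int)));
    return 0;
}
```

The naive line requests 0 bytes for a count that should have needed 2^N, while both checks and the libc calloc() refuse the same request.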