svn commit: r265367 - head/lib/libc/regex
theraven at FreeBSD.org
Mon May 5 21:44:04 UTC 2014
On 5 May 2014, at 22:33, Warner Losh <imp at bsdimp.com> wrote:
> The reallocf() function is identical to the realloc() function, except
> that it will free the passed pointer when the requested memory cannot be
> allocated. This is a FreeBSD specific API designed to ease the problems
> with traditional coding styles for realloc() causing memory leaks in
> The reallocf() function first appeared in FreeBSD 3.0.
While reallocf() is nice, it doesn't address the problem of overflow. It takes a single size, forcing the caller to do the number-of-elements * element-size multiplication, which is the problematic one. If an attacker can control the number of elements, then it's possible to make the multiplication overflow so reallocf() will return a valid pointer to an area of memory that is much smaller than the caller was expecting.
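The overflow the reply describes, shown as an added example (this is not code from the commit or from either poster, and checked_reallocf is a hypothetical wrapper written for illustration, not a FreeBSD API). A caller that does nmemb * size by hand before calling reallocf() gets a wrapped, much smaller size when the attacker picks nmemb just past SIZE_MAX / size; the wrapper refuses such a request instead of handing back an undersized block.

```c
/* Added example: demonstrates the nmemb * size overflow that a plain
 * reallocf(ptr, size) interface leaves to the caller, beside a
 * hypothetical overflow-checked wrapper. Not FreeBSD libc code.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The size a naive caller computes and passes to reallocf(). size_t is
 * unsigned, so the product silently wraps modulo SIZE_MAX + 1. */
size_t naive_total(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* True when nmemb * size cannot be represented in size_t. */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Hypothetical wrapper (assumption: not part of any libc). Keeps the
 * reallocf() contract, freeing ptr when the request cannot be satisfied,
 * but also treats an overflowing nmemb * size as a failed request and
 * reports it as ENOMEM instead of allocating a wrapped, tiny block.
 * Uses only realloc()/free() so it builds on any C library. */
void *checked_reallocf(void *ptr, size_t nmemb, size_t size)
{
    void *p;

    if (mul_overflows(nmemb, size)) {
        free(ptr);
        errno = ENOMEM;
        return NULL;
    }
    p = realloc(ptr, nmemb * size);
    if (p == NULL)
        free(ptr);
    return p;
}

/* An attacker-chosen element count: SIZE_MAX / elem_size + 2 makes
 * count * elem_size exceed SIZE_MAX by exactly elem_size, so the naive
 * product wraps to elem_size (room for a single element). */
size_t attacker_count(size_t elem_size)
{
    return SIZE_MAX / elem_size + 2;
}

/* Returns 1 if the checked wrapper rejects the overflowing request
 * with NULL and errno == ENOMEM. */
int overflow_is_rejected(void)
{
    void *p;

    errno = 0;
    p = checked_reallocf(NULL, attacker_count(16), 16);
    return p == NULL && errno == ENOMEM;
}

/* Returns 1 if an ordinary, non-overflowing request still succeeds. */
int normal_request_succeeds(void)
{
    void *p = checked_reallocf(NULL, 4, 16);

    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    size_t n = attacker_count(16);

    printf("attacker count = %zu, naive total = %zu bytes\n",
           n, naive_total(n, 16));
    printf("overflow rejected: %d, normal ok: %d\n",
           overflow_is_rejected(), normal_request_succeeds());
    return 0;
}
```

With 16-byte elements the naive product wraps to 16 bytes, so a plain reallocf() would return a valid pointer to a single element while the caller believes it has room for roughly 2^60 of them. OpenBSD's reallocarray(3) performs the same SIZE_MAX / size check, which is why the element-count and element-size belong in the allocator's interface rather than in every caller.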