svn commit: r265367 - head/lib/libc/regex

David Chisnall theraven at
Mon May 5 21:44:04 UTC 2014

On 5 May 2014, at 22:33, Warner Losh <imp at> wrote:

> reallocf():
>     The reallocf() function is identical to the realloc() function, except
>     that it will free the passed pointer when the requested memory cannot be
>     allocated.  This is a FreeBSD specific API designed to ease the problems
>     with traditional coding styles for realloc() causing memory leaks in
>     libraries.
> ...
>     The reallocf() function first appeared in FreeBSD 3.0.

While reallocf() is nice, it doesn't address the problem of overflow.  It takes a single size, forcing the caller to do the number-of-elements * element-size multiplication, which is the problematic one.  If an attacker can control the number of elements, then it's possible to make the multiplication overflow so reallocf() will return a valid pointer to an area of memory that is much smaller than the caller was expecting.  


More information about the svn-src-head mailing list