svn commit: r265367 - head/lib/libc/regex

Andrey Chernov ache at
Mon May 5 21:51:30 UTC 2014

On 06.05.2014 1:43, David Chisnall wrote:
> While reallocf() is nice, it doesn't address the problem of overflow.  It takes a single size, forcing the caller to do the number-of-elements * element-size multiplication, which is the problematic one.  If an attacker can control the number of elements, then it's possible to make the multiplication overflow so reallocf() will return a valid pointer to an area of memory that is much smaller than the caller was expecting.  

For the standard malloc/realloc interface it is up to the caller to check
that n*size does not overflow. You must trust that the caller already does such a check.
Using calloc() to enforce it instead of the caller is semantically wrong,
and especially strange when the caller is the standard C library under your
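The caller-side overflow check the reply refers to, shown as an added example (not code from FreeBSD libc or from either poster); `alloc_size_overflows`, `reallocf_checked` and `wrapped_request` are hypothetical helper names:

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Returns 1 if n * size would overflow size_t, else 0.
 * The division form never performs the wrapping multiplication. */
int alloc_size_overflows(size_t n, size_t size)
{
    if (n == 0 || size == 0)
        return 0;
    return n > SIZE_MAX / size;
}

/* Caller-side checked reallocation (hypothetical helper): the overflow
 * check happens here, before a single size is handed to realloc(3).
 * Frees the old block on failure, reallocf-style, so nothing leaks. */
void *reallocf_checked(void *p, size_t n, size_t size)
{
    if (alloc_size_overflows(n, size)) {
        free(p);
        errno = ENOMEM;
        return NULL;
    }
    void *q = realloc(p, n * size);
    if (q == NULL)
        free(p);
    return q;
}

/* The hazard itself: size_t arithmetic wraps modulo SIZE_MAX + 1, so an
 * unchecked caller requests far fewer bytes than it believes it does. */
size_t wrapped_request(size_t n, size_t size)
{
    return n * size;
}
```

With n = SIZE_MAX / 4 + 1 and a 4-byte element, the wrapped product is 0, which is exactly the undersized allocation the quoted message warns about.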


More information about the svn-src-head mailing list