svn commit: r265367 - head/lib/libc/regex

David Chisnall theraven at FreeBSD.org
Mon May 5 21:52:37 UTC 2014


On 5 May 2014, at 22:40, Andrey Chernov <ache at freebsd.org> wrote:

> On 05.05.2014 22:28, David Chisnall wrote:
>> On 5 May 2014, at 18:42, Andrey Chernov <ache at freebsd.org> wrote:
>> 
>>> Please don't commit OpenBSD errors. Now you mix calloc() with the
>>> realloc() for the same variable later which makes calloc() zeroing
>>> pointless and waste of CPU.
>> 
>> The purpose of calloc() here is not (primarily) to get the zero'd size, it's to get the overflow-checking behaviour for calloc.  
> 
> It is better to avoid using undocumented intrinsic knowledge of standard
> function particular implementation, this is unportable at least and hard
> to understand too.

calloc() is required to return either NULL or a valid pointer to the requested amount of memory.  An implementation that does not correctly check for overflow is buggy and will be regarded as a security hole (see: http://cert.uni-stuttgart.de/ticker/advisories/calloc.html), but fortunately these were all fixed by around 2004.

This is not relying on undocumented intrinsic knowledge, this is relying on the standard library doing what is required of it.  There is a reason why secure coding standards have, for over a decade, said to prefer calloc() over malloc() unless profiling shows that calloc() is a bottleneck: it means that only one person needs to get the overflow checking right in one place, rather than everyone getting it right everywhere.  

David



More information about the svn-src-head mailing list