...
| Code Block | ||
|---|---|---|
| ||
void function(size_t len) {
long *p;
if (len == 0 || len > SIZE_MAX / sizeof(*p)) {
/* handle overflow */
}
p = malloc(len * sizeof(*p));
if (p == NULL) {
/* handle error */
}
/* ... */
free(p);
}
|
| Wiki Markup |
|---|
The code also ensures that {{len}} is not equal to zero (see \[[MEM04-A. Do not make assumptions about the result of allocating 0 bytes]]). |
Risk Assessment
Providing invalid size arguments to memory allocation functions can lead to buffer overflows and the execution of arbitrary code with the permissions of the vulnerable process.
...