Page History

The C programming language provides several ways to allocate memory which can be used by a C++ program, such as std::malloc(), std::calloc(), and std::realloc(), which can be used by a C++ program. However, it defines only defines a single way to free the allocated memory: std::free(). See MEM31-C. Free dynamically allocated memory when no longer needed and MEM34-C. Only free memory allocated dynamically for rules specifically regarding C allocation and deallocation requirements.

The C++ programming language adds additional ways to allocate memory, such as the operators new, new[], and placement new, and allocator objects. Unlike C, there are C++ provides multiple ways with which to free dynamically allocated memory, such as the operators delete, delete[](), and deallocation functions on allocator objects.

...

...

The C++ Standard, [expr.delete], paragraph 2 states [ISO/IEC 14882-2014], states in part:

In the first alternative (delete object), the value of the operand of delete may be a null pointer value, a pointer to a non-array object created by a previous new-expression, or a pointer to a subobject (1.8) representing a base class of such an object (Clause 10). If not, the behavior is undefined. In the second alternative (delete array), the value of the operand of delete may be a null pointer value or a pointer value that resulted from a previous array new-expression. If not, the behavior is undefined.

...

Note that when an operator is called, such as new is called, it results in a call to an overloadable operator of the same name, such as operator new(). These overloadable functions can be called directly but carry the same restrictions as their operator counterparts. That is, calling operator delete() and passing a pointer parameter has the same constraints as calling the delete operator on that pointer. Further note that the overloads are subject to scope resolution, so it is possible (but not permissible) to call a class-specific operator to allocate an object , but a global operator to deallocate the object.

See MEM53-CPP. Explicitly initiate and terminate object lifetime when performing manual manually managing lifetime management for information on lifetime management of objects when using memory management functions other than the new and delete operators.

Noncompliant Code Example (placement new())

This In this noncompliant code example, the local variable s1 is passed as the expression to the placement new operator. The resulting pointer of that call is then passed to ::operator delete(), resulting in in undefined behavior due to ::operator delete() attempting to free memory that was not returned by ::operator new().

...

#include <iostream>
 
struct S {
  S() { std::cout << "S::S()" << std::endl; }
  ~S() { std::cout << "S::~S()" << std::endl; }
};
 
void f() {
  S s1;
  S *s2 = new (&s1) S;
 
  // ...
}

Noncompliant Code Example (

...

Uninitialized delete)

In this noncompliant code example, two allocations are attempted within the same try block, and if either fails, the catch handler attempts to free resources that have been allocated. However, since because the pointer variables have not been initialized to a known value, calling delete may result in passing ::operator delete() a value which that was not previously returned by a call to ::operator new(), resulting in undefined behavior.

#include <new>
 
void f() {
  int *i1, *i2;
  try {
    i1 = new int;
    i2 = new int;
  } catch (std::bad_alloc &) {
    delete i1;
    delete i2;
  }
}

Compliant Solution (

...

Uninitialized delete)

This compliant solution initializes both pointer values to nullptr, which is a valid value to pass to ::operator delete():

#include <new>
 
void f() {
  int *i1 = nullptr, *i2 = nullptr;
  try {
    i1 = new int;
    i2 = new int;
  } catch (std::bad_alloc &) {
    delete i1;
    delete i2;
  }
}

Noncompliant Code Example (

...

Double-Free)

Once a pointer has been is passed to the proper deallocation function, that pointer value is invalidated. Passing the pointer to a deallocation function a second time when the pointer value has not been returned by a subsequent call to an allocation function results in an attempt to free memory that has not been allocated dynamically. The underlying data structures that manage the heap can become corrupted in a way that can introduce security vulnerabilities into a program. These types of issues are referred to as called double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code.

In this noncompliant code example, the class C is given ownership of a P * which , which is subsequently deleted by the class destructor. The C++ Standard, [class.copy], paragraph 7, states [ISO/IEC 14882-2014]: 

...

Despite the presence of a user-declared destructor, C will still have an implicity-implicitly defaulted copy constructor defined for it, and this defaulted copy constructor will copy the pointer value stored in p, resulting in a double-free: the first free happens when g() exits, and the second free happens when f() exits.

struct P {};

class C {
  P *p;
  
public:
  C(P *p) : p(p) {}
  ~C() { delete p; }  
  
  void f() {}
};

void g(C c) {
  c.f();
}

void f() {
  P *p = new P;
  C c(p);
  g(c);
}

Compliant Solution (

...

Double-Free)

In this compliant solution, the copy constructor and copy assignment operator for C are explicitly deleted. This deletion would result in an ill-formed program with the definition of g() from the preceding noncompliant code example above due to use of the deleted copy constructor. Consequently, g() was modified to accept its parameter by reference, removing the double-free.

...

In the following noncompliant code example, an array is allocated with array new[], but is deallocated with a scalar delete call instead of an array delete[] call, resulting in undefined behavior:

void f() {
  int *array = new int[10];
  // ...
  delete array;
}

...

In the compliant solution, the code is fixed by replacing the call to delete with a call to delete [] to  to adhere to the correct pairing of memory allocation and deallocation functions:

...

Additionally, this code violates MEM08-CPP. Use new and delete rather than raw memory allocation and deallocation. However, it does not violate MEM53-CPP. Explicitly initiate and terminate object lifetime when performing manual manually managing lifetime management because it complies with the MEM33-EX1 exception.

...

Some implementations of ::operator new() result in calling std::malloc(). On such implementations, the ::operator delete() function is required to call std::free() to deallocate the pointer, and the noncompliant code example would behave in a well-defined manner. However, this is an implementation detail and should not be relied on – implementations on—implementations are under no obligation to use underlying C memory management functions to implement C++ memory management operators.

...

In this noncompliant code example, std::free() is called to deallocate memory that was allocated by new. A common side - effect of the the undefined behavior caused by this using the incorrect deallocation function is that destructors will not be called for the object being deallocated by std::free().

...

Additionally, this code violates MEM53-CPP. Explicitly initiate and terminate object lifetime when performing manual manually managing lifetime management and MEM08-CPP. Use new and delete rather than raw memory allocation and deallocation.

...

struct S {
  ~S();
};

void f() {
  S *s = new S();
  // ...
  delete s;
}

Noncompliant Code Example (

...

Class new)

In this noncompliant code example, the the global new operator is overriden overridden by a class-specific implementation of operator new(). When new is called, the class-specific override is selected, and so S::operator new() is called. However, because the object is destroyed with a scoped ::delete operator, the global operator delete() function is called instead of the class-specific implementation S::operator delete(), resulting in undefined behavior.

#include <new>
#include <cstdlib>
 
struct S {
  static void *operator new(std::size_t size) noexcept(true) {
    return std::malloc(size);
  }
  
  static void operator delete(void *ptr) noexcept(true) {
    std::free(ptr);
  }
};

void f() {
  S *s = new S;
  ::delete s;
}

...

In this compliant solution, the scoped ::delete call was is replaced by a nonscoped delete call, resulting in S::operator delete() being called:

...

Passing a pointer value to a deallocation function that was not previously obtained by the matching allocation function results in undefined behavior, which can lead to exploitable vulnerabilities.

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

...

...