malloc and buffer overflow attacks
H. S. Teoh
hsteoh at quickfur.ath.cx
Fri Dec 31 01:02:36 UTC 2021
On Fri, Dec 31, 2021 at 12:34:46AM +0000, Adam Ruppe via Digitalmars-d wrote:
> On Friday, 31 December 2021 at 00:15:48 UTC, Adam Ruppe wrote:
> > T[] p = (cast(T*)malloc(len * T.sizeof))[0 .. len * T.sizepf];
>
> eeeek, I did it wrong!
>
> Should be either [0 .. len] on the slice or do the cast on the outside
> instead of inside of parens.
[...]
Actually, if (len * T.sizeof) overflows, then neither [0 .. len] nor
[0 .. len * T.sizeof] would be safe from buffer overruns.
E.g., if len = size_t.max / 4 and T.sizeof = 8, then (len * T.sizeof)
would wrap around to a much smaller value than expected, which is the
problem Walter is trying to point out.
T
--
That's not a bug; that's a feature!
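The wraparound described in the reply above, worked through as an added example in C rather than D (this is not code from the thread or from the D runtime; the helper names naive_alloc_size, fits_in_size_t, alloc_array and make_slice are hypothetical). The naive function mirrors `len * T.sizeof`: for len = size_t.max / 4 and an 8-byte element the product needs one more bit than size_t has, so it silently wraps to SIZE_MAX - 7, and one element more wraps it to 0. The checked version refuses before calling malloc, and the slice is only given its length once the allocation succeeded.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive byte count, as in `len * T.sizeof`: unsigned multiplication
 * wraps modulo SIZE_MAX + 1 and reports nothing. */
static size_t naive_alloc_size(size_t len, size_t elem_size)
{
    return len * elem_size;
}

/* Returns 1 if len * elem_size fits in size_t, 0 if it would wrap.
 * Portable check: no compiler builtin needed. */
static int fits_in_size_t(size_t len, size_t elem_size)
{
    if (elem_size == 0)
        return 1;
    return len <= SIZE_MAX / elem_size;
}

/* Allocate len elements of elem_size bytes, or return NULL when the
 * byte count would wrap (or malloc itself fails). */
static void *alloc_array(size_t len, size_t elem_size)
{
    if (!fits_in_size_t(len, elem_size))
        return NULL;                 /* refuse, never malloc a wrapped size */
    return malloc(len * elem_size);  /* product is known to be exact here */
}

/* A (pointer, length) pair standing in for a D slice T[]. */
struct slice {
    void  *ptr;  /* NULL on failure */
    size_t len;  /* element count, 0 on failure */
};

/* Equivalent of `(cast(T*)alloc(...))[0 .. len]`, but the length is
 * attached only when memory for all len elements actually exists. */
static struct slice make_slice(size_t len, size_t elem_size)
{
    struct slice s = { NULL, 0 };
    void *p = alloc_array(len, elem_size);
    if (p == NULL)
        return s;   /* overflow or out of memory: empty slice, not a huge one */
    s.ptr = p;
    s.len = len;
    return s;
}

int main(void)
{
    /* The numbers from the post: len = size_t.max / 4, T.sizeof = 8. */
    size_t len = SIZE_MAX / 4;

    printf("naive  len*8 = %zu (SIZE_MAX = %zu)\n",
           naive_alloc_size(len, 8), (size_t)SIZE_MAX);
    printf("naive (len+1)*8 = %zu\n", naive_alloc_size(len + 1, 8));
    printf("fits? %d\n", fits_in_size_t(len, 8));

    struct slice bad = make_slice(len + 1, 8);
    printf("checked slice: ptr=%p len=%zu\n", bad.ptr, bad.len);

    struct slice good = make_slice(16, 8);
    printf("small slice:   ptr=%p len=%zu\n", good.ptr, good.len);
    free(good.ptr);
    return 0;
}
```

The identity `(SIZE_MAX / 4) * 8 == SIZE_MAX - 7` holds on both 32- and 64-bit targets, so the wrap is not a 64-bit curiosity. Modern libcs apply the same `len > SIZE_MAX / elem_size` test inside calloc, which is why `calloc(len, elem_size)` is the usual C idiom for array allocation; the point of the checked helper is that the test must happen before the size ever reaches the allocator, because once the product has wrapped no later check can recover the intended value.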