malloc and buffer overflow attacks

Nick Treleaven nick at
Fri Dec 31 17:57:51 UTC 2021

On Friday, 31 December 2021 at 13:52:26 UTC, Paul Backus wrote:
> For projects using Phobos, an easy way to avoid this is to use 
> [`Mallocator`][1] and [`makeArray`][2] from the 
> `std.experimental.allocator` package.
>     T[] array = Mallocator.instance.makeArray!T(len);
> `makeArray` will perform an overflow check internally and 
> return `null` if the check fails.

This. D code should not keep calling C malloc when we can do 
better. It's unfortunate that the import and the call above are 
quite awkward to remember and type. It's a shame 
core.memory.pureMalloc repeats this vulnerable design. Perhaps 
add an overload for ease of use?

import core.memory;
T[] array = pureMalloc!T(len);

More information about the Digitalmars-d mailing list