[Mesa-dev] [PATCH 12/15] egl: add eglCreateImage

Chad Versace chad.versace at intel.com
Fri May 29 11:09:01 PDT 2015


On Thu 28 May 2015, Eirik Byrkjeflot Anonsen wrote:
> Marek Olšák <maraeo at gmail.com> writes:
> 
> > I don't understand. Using size_t should prevent the integer overflow.
> > Is there anything else wrong other than no fail path for malloc? I
> > also don't understand how calloc can help here.
> >
> > Marek
> 
> "size * sizeof(int_attribs[0])" may overflow and thus wrap to a small
> number. Using calloc, you'd have "calloc(size, sizeof(int_attribs[0]))",
> moving the overflow inside calloc(). So if calloc() does its job
> properly, it will protect against it.

Right.

It's very unlikely that an attacker could coerce the size calculation to
overflow, but better safe than sorry.

calloc() [and ralloc() too] will refuse to allocate memory if the size
calculation overflows. ralloc() checks for overflow with some simple
arithmetic. I expect that calloc() checks for overflow using a faster
method: multiply first, then inspect the overflow flag in a status
register. Recent GCC provides builtin functions for that [1].

[1] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html#Integer-Overflow-Builtins

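Added example (not code from the patch or the thread): the wrapping `size * sizeof(int_attribs[0])` pattern beside an allocation helper that rejects the overflow with the GCC/Clang builtin linked above, so it fails the same way calloc() does instead of handing back a tiny buffer. `count`, `elem` and the helper names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive byte count, as in malloc(size * sizeof(int_attribs[0])):
 * the multiplication wraps silently when it overflows size_t. */
static size_t naive_bytes(size_t count, size_t elem)
{
    return count * elem;
}

/* Overflow-checked multiply via the builtin cited in the mail
 * (GCC 5+/Clang). Returns false if count * elem does not fit. */
static bool checked_bytes(size_t count, size_t elem, size_t *out)
{
    return !__builtin_mul_overflow(count, elem, out);
}

/* Hypothetical helper: refuses the allocation on overflow, mirroring
 * what calloc(count, elem) does internally. */
static void *checked_malloc_array(size_t count, size_t elem)
{
    size_t bytes;
    if (!checked_bytes(count, elem, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed count chosen so count * sizeof(int) wraps to 0. */
    size_t count = SIZE_MAX / sizeof(int) + 1;
    size_t bytes;

    printf("naive bytes   = %zu (wrapped)\n", naive_bytes(count, sizeof(int)));
    printf("checked ok    = %d\n", checked_bytes(count, sizeof(int), &bytes));
    printf("checked alloc = %p\n", checked_malloc_array(count, sizeof(int)));
    printf("calloc        = %p\n", calloc(count, sizeof(int)));

    void *p = checked_malloc_array(8, sizeof(int)); /* sane size succeeds */
    printf("8 ints        = %s\n", p ? "allocated" : "failed");
    free(p);
    return 0;
}
```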