digitalmars.D - malloc and buffer overflow attacks
- Walter Bright (12/12) Dec 30 2021 While D offers buffer overflow detection, it does not protect against bu...
- Adam Ruppe (7/11) Dec 30 2021 What I do in D is always slice the malloc to the given size
- Adam Ruppe (5/6) Dec 30 2021 eeeek, I did it wrong!
- H. S. Teoh (10/17) Dec 30 2021 [...]
- Adam Ruppe (7/8) Dec 30 2021 If you do this correctly on the byte before casting you SHOULD be
- sarn (4/17) Dec 30 2021 Good thing to do, but Walter's talking about integer overflow
- Elronnd (4/6) Dec 30 2021 Slicing should have its own overflow check, meaning it doesn't
- rikki cattermole (7/27) Dec 30 2021 I would argue any usage of malloc and even calloc is itself a bug in
- Walter Bright (3/7) Dec 31 2021 The calculation of `len` can also have overflow problems. `calloc` is no...
- H. S. Teoh (23/31) Dec 31 2021 At my day job we use Coverity to identify potential issues with our C
- Patrick Schluter (6/36) Jan 01 2022 if(__builtin_clz(nbytes)+__builtin_clz(sizeof Element)<64)
- claptrap (2/16) Dec 31 2021 are the asserts not taken out in release mode?
- max haughton (2/6) Dec 31 2021 The compiler ships with assertions turned on.
- =?UTF-8?Q?Ali_=c3=87ehreli?= (13/20) Dec 31 2021 And to remind, dmd's -release picks 'safeonly' for the following command...
- russhy (9/9) Dec 31 2021 Allocators should be first class citizen anyways, malloc/free
- russhy (11/20) Dec 31 2021 Follow up, it's roten:
- Paul Backus (12/28) Dec 31 2021 As far as I can tell, the "uses" of exceptions found by that
- rikki cattermole (5/5) Dec 31 2021 What I can confirm as working right now is make, makeArray and dispose.
- russhy (3/33) Dec 31 2021 Ok great, sounds manageable, i'm starting the work already, we'll
- Paul Backus (11/17) Dec 31 2021 For projects using Phobos, an easy way to avoid this is to use
- Nick Treleaven (10/16) Dec 31 2021 This. D code should not keep calling C malloc when we can do
- Paolo Invernizzi (7/27) Jan 03 2022 In the vulnerability described in the article, the 'len'
- forkit (5/8) Jan 03 2022 That is not entirely correct, and could mislead one into
- Paolo Invernizzi (6/17) Jan 04 2022 I agree that the _surface_ is the couple, but the vulnerability
- Era Scarecrow (23/25) Dec 31 2021 Makes me wish access to the raw multiplication result and carry
- max haughton (7/33) Dec 31 2021 Cleanly expressing access to the flags sounds quite hard, also
- Era Scarecrow (6/9) Dec 31 2021 Ultimately it would mostly be a function of saving the flags.
- Elronnd (3/6) Dec 31 2021 You can check carry using core.checkedint
- Paolo Invernizzi (4/8) Jan 01 2022 I guess you are talking about this [1] ...
- Walter Bright (2/6) Jan 02 2022 Yes, thank you, that was it. The overflow in the computation of numSyms.
- forkit (3/9) Jan 02 2022 but the idea that code is only as safe as the functions it calls,
- Brian Callahan (11/11) Jan 02 2022 OpenBSD has had a function for a long time to deal with this
- rikki cattermole (4/4) Jan 02 2022 That sounds similar to my idea of callocSlice but applied to realloc as
- Era Scarecrow (10/14) Jan 02 2022 mhmm.. i think we need a helper function, which is malloc(size,
- Brian Callahan (2/5) Jan 03 2022 This is exactly what reallocarray does.
- Adam Ruppe (3/4) Jan 02 2022 int[] array;
- Era Scarecrow (9/15) Jan 02 2022 I don't think that helps...
- Era Scarecrow (2/4) Jan 02 2022 Except maybe the item size (*in this case*) is already known.
- Elronnd (2/3) Jan 03 2022 What is wrong with Mallocator, mentioned else-thread?
While D offers buffer overflow detection, it does not protect against buffer
overflows resulting from an array size calculation overflow:
T* p = cast(T*)malloc(len * T.sizeof);
What if `len*T.sizeof` overflows? malloc() will succeed, but the result will be
too small for the data.
I decided to grep dmd for such allocations:
https://github.com/dlang/dmd/pull/13479/files
and fix them with overflow checks. I recommend everyone check their own
projects
and eliminate such vulnerabilities.
I post this as I've recently seen reports on malware injection being enabled by
presenting specially crafted input data to a program that causes an overflow on
the allocation, then overwrites the data beyond the truncated allocated memory.
Dec 30 2021
On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:
While D offers buffer overflow detection, it does not protect
against buffer overflows resulting from an array size
calculation overflow:
T* p = cast(T*)malloc(len * T.sizeof);
What I do in D is always slice the malloc to the given size
immediately;
T[] p = (cast(T*)malloc(len * T.sizeof))[0 .. len * T.sizepf];
Then you'd get the protection of bounds checking and if you need
the ptr, there's still that property.
I'd suggest everyone always do that.
Dec 30 2021
On Friday, 31 December 2021 at 00:15:48 UTC, Adam Ruppe wrote:T[] p = (cast(T*)malloc(len * T.sizeof))[0 .. len * T.sizepf];eeeek, I did it wrong! Should be either [0 .. len] on the slice or do the cast on the outside instead of inside of parens. This is why just using `new` is the best of all!
Dec 30 2021
On Fri, Dec 31, 2021 at 12:34:46AM +0000, Adam Ruppe via Digitalmars-d wrote:On Friday, 31 December 2021 at 00:15:48 UTC, Adam Ruppe wrote:[...] Actually, if (len * T.sizeof) overflows, then neither [0 .. len] nor [0 .. len * T.sizeof)] would be safe from buffer overruns. E.g., if len = size_t.max / 4 and T.sizeof = 8, then (len * T.sizeof) would wrap around to a much smaller value than expected, which is the problem Walter is trying to point out. T -- That's not a bug; that's a feature!T[] p = (cast(T*)malloc(len * T.sizeof))[0 .. len * T.sizepf];eeeek, I did it wrong! Should be either [0 .. len] on the slice or do the cast on the outside instead of inside of parens.
Dec 30 2021
Adam Ruppe <destructionator gmail.com> On Friday, 31 December 2021 at 01:02:36 UTC, H. S. Teoh wrote:[0 .. len * T.sizeof)] would be safe from buffer overruns.If you do this correctly on the byte before casting you SHOULD be ok because if the malloc overflows, so will the slice calculation, meaning you get the RangeError when you try to use it, which is what we want. But since I screwed it up twice already i say this is evidence to just use `new` and find joy :P
Dec 30 2021
On Friday, 31 December 2021 at 00:15:48 UTC, Adam Ruppe wrote:On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:Good thing to do, but Walter's talking about integer overflow with the `len * T.sizeof` calculation itself. calloc() doesn't have this problem.While D offers buffer overflow detection, it does not protect against buffer overflows resulting from an array size calculation overflow: T* p = cast(T*)malloc(len * T.sizeof);What I do in D is always slice the malloc to the given size immediately; T[] p = (cast(T*)malloc(len * T.sizeof))[0 .. len * T.sizepf]; Then you'd get the protection of bounds checking and if you need the ptr, there's still that property. I'd suggest everyone always do that.
Dec 30 2021
On Friday, 31 December 2021 at 00:37:20 UTC, sarn wrote:Walter's talking about integer overflow with the `len * T.sizeof` calculation itself.Slicing should have its own overflow check, meaning it doesn't matter if the other calculation overflows. (I don't know if it does, but should.)
Dec 30 2021
On 31/12/2021 1:37 PM, sarn wrote:On Friday, 31 December 2021 at 00:15:48 UTC, Adam Ruppe wrote:I would argue any usage of malloc and even calloc is itself a bug in your code. Ideally we would deprecate malloc and calloc from being called directly and force people to use a callocSlice version of it instead. This solves most of these issues out right and allows for D's memory safety features to come into play.On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:Good thing to do, but Walter's talking about integer overflow with the `len * T.sizeof` calculation itself. calloc() doesn't have this problem.While D offers buffer overflow detection, it does not protect against buffer overflows resulting from an array size calculation overflow: T* p = cast(T*)malloc(len * T.sizeof);What I do in D is always slice the malloc to the given size immediately; T[] p = (cast(T*)malloc(len * T.sizeof))[0 .. len * T.sizepf]; Then you'd get the protection of bounds checking and if you need the ptr, there's still that property. I'd suggest everyone always do that.
Dec 30 2021
On 12/30/2021 4:37 PM, sarn wrote:Good thing to do, but Walter's talking about integer overflow with the `len * T.sizeof` calculation itself. calloc() doesn't have this problem.The calculation of `len` can also have overflow problems. `calloc` is not sufficient. The provenance of `len` needs to be carefully checked.
Dec 31 2021
On Fri, Dec 31, 2021 at 12:12:45PM -0800, Walter Bright via Digitalmars-d wrote:On 12/30/2021 4:37 PM, sarn wrote:At my day job we use Coverity to identify potential issues with our C codebase. One of the issues it reports is using external inputs as the length of a memory allocation, the typical case being reading an int or long from a file/socket and then passing that to malloc, et al (potentially with a sizeof multipler). So imagine a carefully-crafted malicious input designed to overflow a 64-bit integer just a little -- the malloc call would end up allocating just a tiny amount of memory while the rest of the code thinks that the buffer has more memory than can be addressed. Of course, that tempts the following check (obviously wrong, but I've seen this scarily often in "professional" code): size_t n = ... /* read from file/socket */; size_t nbytes = n * sizeof(Element); // oops if (nbytes > INT64_MAX) // never true error(); // dead code void *p = malloc(n * sizeof(Element)); // uh-oh for (i=0; i < n; i++) { ... /* use p: kaboom */ } T -- INTEL = Only half of "intelligence".Good thing to do, but Walter's talking about integer overflow with the `len * T.sizeof` calculation itself. calloc() doesn't have this problem.The calculation of `len` can also have overflow problems. `calloc` is not sufficient. The provenance of `len` needs to be carefully checked.
Dec 31 2021
On Friday, 31 December 2021 at 22:10:10 UTC, H. S. Teoh wrote:On Fri, Dec 31, 2021 at 12:12:45PM -0800, Walter Bright via Digitalmars-d wrote:if(__builtin_clz(nbytes)+__builtin_clz(sizeof Element)<64) this is the best way to find overflow as it avoids all the undefined behaviour shenanigans of the compilers optimizers. The inconvenience is that not all CPU implement CLZ and some do but quite slowly.On 12/30/2021 4:37 PM, sarn wrote:At my day job we use Coverity to identify potential issues with our C codebase. One of the issues it reports is using external inputs as the length of a memory allocation, the typical case being reading an int or long from a file/socket and then passing that to malloc, et al (potentially with a sizeof multipler). So imagine a carefully-crafted malicious input designed to overflow a 64-bit integer just a little -- the malloc call would end up allocating just a tiny amount of memory while the rest of the code thinks that the buffer has more memory than can be addressed. Of course, that tempts the following check (obviously wrong, but I've seen this scarily often in "professional" code): size_t n = ... /* read from file/socket */; size_t nbytes = n * sizeof(Element); // oops if (nbytes > INT64_MAX) // never trueGood thing to do, but Walter's talking about integer overflow with the `len * T.sizeof` calculation itself. calloc() doesn't have this problem.The calculation of `len` can also have overflow problems. `calloc` is not sufficient. The provenance of `len` needs to be carefully checked.error(); // dead code void *p = malloc(n * sizeof(Element)); // uh-oh for (i=0; i < n; i++) { ... /* use p: kaboom */
Jan 01 2022
On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:
While D offers buffer overflow detection, it does not protect
against buffer overflows resulting from an array size
calculation overflow:
T* p = cast(T*)malloc(len * T.sizeof);
What if `len*T.sizeof` overflows? malloc() will succeed, but
the result will be too small for the data.
I decided to grep dmd for such allocations:
https://github.com/dlang/dmd/pull/13479/files
and fix them with overflow checks. I recommend everyone check
their own projects and eliminate such vulnerabilities.
I post this as I've recently seen reports on malware injection
being enabled by presenting specially crafted input data to a
program that causes an overflow on the allocation, then
overwrites the data beyond the truncated allocated memory.
are the asserts not taken out in release mode?
Dec 31 2021
On Friday, 31 December 2021 at 08:46:59 UTC, claptrap wrote:On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:The compiler ships with assertions turned on.[...]are the asserts not taken out in release mode?
Dec 31 2021
On 12/31/21 5:05 AM, max haughton wrote:On Friday, 31 December 2021 at 08:46:59 UTC, claptrap wrote:And to remind, dmd's -release picks 'safeonly' for the following command line switch, which can separately be selected to override the default: -boundscheck=[on|safeonly|off] bounds checks on, in safe only, or off --- safe: // Assertions are checked by-default for safe code int main(string[] args) { int[] arr; return arr[args.length]; } --- AliOn Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:The compiler ships with assertions turned on.[...]are the asserts not taken out in release mode?
Dec 31 2021
Allocators should be first class citizen anyways, malloc/free should not be used directly, not only they are unsafe, they are most of the time not what people need And i hope what will come out of `std.experimental.allocator` won't be using classes..something light, value, extensible and made with betterC in mind It should be the root of everything that comes out of D, not something lightly thought A base to move forward and be future proof
Dec 31 2021
On Friday, 31 December 2021 at 21:37:56 UTC, russhy wrote:Allocators should be first class citizen anyways, malloc/free should not be used directly, not only they are unsafe, they are most of the time not what people need And i hope what will come out of `std.experimental.allocator` won't be using classes..something light, value, extensible and made with betterC in mind It should be the root of everything that comes out of D, not something lightly thought A base to move forward and be future proofFollow up, it's roten: https://github.com/dlang/phobos/search?q=path%3Astd%2Fexperimental%2Fallocator+exception There are words, and facts, unfortunately.. According to DConf, Atila is working to get that mess out of experimental, hopefully he won't repeat same mistakes as Andrei, and step up to remove all of that crap that holds the language back I can offer a hand if he wants to, i personally would hold them for a D3, if that effect happen, making a bigger impact is better than a few in an ocean full of mistakes
Dec 31 2021
On Friday, 31 December 2021 at 21:58:14 UTC, russhy wrote:On Friday, 31 December 2021 at 21:37:56 UTC, russhy wrote:As far as I can tell, the "uses" of exceptions found by that search consist of 1. Code to handle exceptions thrown by copy constructors and postblits. 2. Optional features that must be explicitly enabled by the programmer at compile-time. 3. A try/catch block in GCAllocator. 3. Unit-test code. So, nothing here should block compatibility with BetterC, although it might require some `version` blocks to disable the runtime-dependent stuff.Allocators should be first class citizen anyways, malloc/free should not be used directly, not only they are unsafe, they are most of the time not what people need And i hope what will come out of `std.experimental.allocator` won't be using classes..something light, value, extensible and made with betterC in mind It should be the root of everything that comes out of D, not something lightly thought A base to move forward and be future proofFollow up, it's roten: https://github.com/dlang/phobos/search?q=path%3Astd%2Fexperimental%2Fallocator+exception There are words, and facts, unfortunately..
Dec 31 2021
What I can confirm as working right now is make, makeArray and dispose. What I don't think works right now and that needs to work is RCISharedAllocator. In saying all this, I'm planning on writing my own allocators anyway, so it may be all moot for me.
Dec 31 2021
On Friday, 31 December 2021 at 22:13:15 UTC, Paul Backus wrote:On Friday, 31 December 2021 at 21:58:14 UTC, russhy wrote:Ok great, sounds manageable, i'm starting the work already, we'll see where that'll goOn Friday, 31 December 2021 at 21:37:56 UTC, russhy wrote:As far as I can tell, the "uses" of exceptions found by that search consist of 1. Code to handle exceptions thrown by copy constructors and postblits. 2. Optional features that must be explicitly enabled by the programmer at compile-time. 3. A try/catch block in GCAllocator. 3. Unit-test code. So, nothing here should block compatibility with BetterC, although it might require some `version` blocks to disable the runtime-dependent stuff.Allocators should be first class citizen anyways, malloc/free should not be used directly, not only they are unsafe, they are most of the time not what people need And i hope what will come out of `std.experimental.allocator` won't be using classes..something light, value, extensible and made with betterC in mind It should be the root of everything that comes out of D, not something lightly thought A base to move forward and be future proofFollow up, it's roten: https://github.com/dlang/phobos/search?q=path%3Astd%2Fexperimental%2Fallocator+exception There are words, and facts, unfortunately..
Dec 31 2021
On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:
While D offers buffer overflow detection, it does not protect
against buffer overflows resulting from an array size
calculation overflow:
T* p = cast(T*)malloc(len * T.sizeof);
What if `len*T.sizeof` overflows? malloc() will succeed, but
the result will be too small for the data.
For projects using Phobos, an easy way to avoid this is to use
[`Mallocator`][1] and [`makeArray`][2] from the
`std.experimental.allocator` package.
T[] array = Mallocator.instance.makeArray!T(len);
`makeArray` will perform an overflow check internally and return
`null` if the check fails.
[1]:
https://dlang.org/library/std/experimental/allocator/mallocator/mallocator.html
[2]:
https://dlang.org/library/std/experimental/allocator/make_array.html
Dec 31 2021
On Friday, 31 December 2021 at 13:52:26 UTC, Paul Backus wrote:
For projects using Phobos, an easy way to avoid this is to use
[`Mallocator`][1] and [`makeArray`][2] from the
`std.experimental.allocator` package.
T[] array = Mallocator.instance.makeArray!T(len);
`makeArray` will perform an overflow check internally and
return `null` if the check fails.
This. D code should not keep calling C malloc when we can do
better. It's unfortunate that the import and the call above are
quite awkward to remember and type. It's a shame
core.memory.pureMalloc repeats this vulnerable design. Perhaps
add an overload for ease of use?
```d
import core.memory;
T[] array = pureMalloc!T(len);
```
Dec 31 2021
On Friday, 31 December 2021 at 13:52:26 UTC, Paul Backus wrote:On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:In the vulnerability described in the article, the 'len' parameter is the result of a sum overflowing in a previous for loop, so the problem actually is _outside_ of the allocator. Anyway, apart from the vulnerability, the described exploit details are fascinating and terrific at the same time ..."My other compression format is turing-complete!"While D offers buffer overflow detection, it does not protect against buffer overflows resulting from an array size calculation overflow: T* p = cast(T*)malloc(len * T.sizeof); What if `len*T.sizeof` overflows? malloc() will succeed, but the result will be too small for the data.For projects using Phobos, an easy way to avoid this is to use [`Mallocator`][1] and [`makeArray`][2] from the `std.experimental.allocator` package. T[] array = Mallocator.instance.makeArray!T(len); `makeArray` will perform an overflow check internally and return `null` if the check fails. [1]: https://dlang.org/library/std/experimental/allocator/mallocator/mallocator.html [2]: https://dlang.org/library/std/experimental/allocator/make_array.html
Jan 03 2022
On Monday, 3 January 2022 at 12:58:33 UTC, Paolo Invernizzi wrote:In the vulnerability described in the article, the 'len' parameter is the result of a sum overflowing in a previous for loop, so the problem actually is _outside_ of the allocator.That is not entirely correct, and could mislead one into implementing a less than optimal solution to the problem. The overflow and the allocater 'together', provide the attack surface.
Jan 03 2022
On Monday, 3 January 2022 at 21:00:38 UTC, forkit wrote:On Monday, 3 January 2022 at 12:58:33 UTC, Paolo Invernizzi wrote:I agree that the _surface_ is the couple, but the vulnerability to patch is how the needed amount is calculated, and that can be an arbitrary complex piece of code. A super-duper-safe allocator does not help here, if we are talking about a system language and write to memory via pointers arithmetic.In the vulnerability described in the article, the 'len' parameter is the result of a sum overflowing in a previous for loop, so the problem actually is _outside_ of the allocator.That is not entirely correct, and could mislead one into implementing a less than optimal solution to the problem. The overflow and the allocater 'together', provide the attack surface.
Jan 04 2022
On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:What if `len*T.sizeof` overflows? malloc() will succeed, but the result will be too small for the data.Makes me wish access to the raw multiplication result and carry flags may have been useful here in some way, although the language might not have liked it. As a quick overview for non-ASM savvy types, x86 will take 2 arguments, you put one argument in AX and the other you pass to mul. So... ``` mov AX, 0x155; mov BX, 0x123; mul BX; //result: AX=839F, DX=0001 ``` The result of which is going to be in AX:DX, where the overflow is put in DX (*if any*), letting you get a 32bit result from 16bit registers (*or in 64 bit machines you'd get a 128bit result*). Most modern languages just ignore the upper result though, which brings us to the following topic. In the 16bit example above you'd be short 64k. Too bad we don't have the cent type yet. Otherwise I'd think using ulong and calculating the result and passing that would be the safest, (*assuming malloc would take a 64bit result*), otherwise checking the upper bits for if it's too big.
Dec 31 2021
On Saturday, 1 January 2022 at 01:44:42 UTC, Era Scarecrow wrote:On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:Cleanly expressing access to the flags sounds quite hard, also note that some architectures don't have flags, and some other architectures make writing to the flags optional. ARM chose optional, it might be one of a few things that could lead them beating RISC-V in the long run (both as a design decision but also as a point about embracing pragmatism)What if `len*T.sizeof` overflows? malloc() will succeed, but the result will be too small for the data.Makes me wish access to the raw multiplication result and carry flags may have been useful here in some way, although the language might not have liked it. As a quick overview for non-ASM savvy types, x86 will take 2 arguments, you put one argument in AX and the other you pass to mul. So... ``` mov AX, 0x155; mov BX, 0x123; mul BX; //result: AX=839F, DX=0001 ``` The result of which is going to be in AX:DX, where the overflow is put in DX (*if any*), letting you get a 32bit result from 16bit registers (*or in 64 bit machines you'd get a 128bit result*). Most modern languages just ignore the upper result though, which brings us to the following topic. In the 16bit example above you'd be short 64k. Too bad we don't have the cent type yet. Otherwise I'd think using ulong and calculating the result and passing that would be the safest, (*assuming malloc would take a 64bit result*), otherwise checking the upper bits for if it's too big.
Dec 31 2021
On Saturday, 1 January 2022 at 02:07:36 UTC, max haughton wrote:Cleanly expressing access to the flags sounds quite hard, also note that some architectures don't have flags, and some other architectures make writing to the flags optional.Ultimately it would mostly be a function of saving the flags. After that a struct or other to check specific flags based on architecture. Setting said flags doesn't seem useful with how the languages are set up, unless you were doing some low-level work with loops immediately following.
Dec 31 2021
On Saturday, 1 January 2022 at 01:44:42 UTC, Era Scarecrow wrote:Makes me wish access to the raw multiplication result and carry flags may have been useful here in some way, although the language might not have liked it.You can check carry using core.checkedint (https://dlang.org/phobos/core_checkedint.html).
Dec 31 2021
On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:I post this as I've recently seen reports on malware injection being enabled by presenting specially crafted input data to a program that causes an overflow on the allocation, then overwrites the data beyond the truncated allocated memory.I guess you are talking about this [1] ... [1] https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Jan 01 2022
On 1/1/2022 9:29 AM, Paolo Invernizzi wrote:I guess you are talking about this [1] ... [1] https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.htmlYes, thank you, that was it. The overflow in the computation of numSyms.
Jan 02 2022
On Friday, 31 December 2021 at 00:13:56 UTC, Walter Bright wrote:
While D offers buffer overflow detection, it does not protect
against buffer overflows resulting from an array size
calculation overflow:
T* p = cast(T*)malloc(len * T.sizeof);
What if `len*T.sizeof` overflows? malloc() will succeed, but
the result will be too small for the data.
but the idea that code is only as safe as the functions it calls,
is not a new idea...right?
Jan 02 2022
OpenBSD has had a function for a long time to deal with this exact problem. It's called reallocarray: https://man.openbsd.org/reallocarray Don't let the name fool you--it handles both the initial allocation and reallocation. Perhaps D should provide a similar function (not saying it has to be reallocarray). Asking people to fix their own code is a recipe for everyone creating different, subtly different and potentially incorrect, versions of a problem that should be solved once and then used by everyone. ~Brian
Jan 02 2022
That sounds similar to my idea of callocSlice but applied to realloc as well. Which absolutely is the solution here I think. Using malloc directly should be a red flag.
Jan 02 2022
On Monday, 3 January 2022 at 00:57:55 UTC, rikki cattermole wrote:That sounds similar to my idea of callocSlice but applied to realloc as well. Which absolutely is the solution here I think. Using malloc directly should be a red flag.mhmm.. i think we need a helper function, which is malloc(size, count) much like calloc, the test/protections are done in the helper. If a slice is returned then bounds checking is incorporated when we cast it to something else. So i agree with that idea, though using malloc/calloc slice vs malloc/calloc... It does make me wonder if my ScaledInt will be incorporated so cent/ucent can be used natively (*division being the only real complicated and slow part of the code*). Reminds me, i gotta get back to the optional crypto instruction set to make it faster.
Jan 02 2022
On Monday, 3 January 2022 at 01:29:14 UTC, Era Scarecrow wrote:mhmm.. i think we need a helper function, which is malloc(size, count) much like calloc, the test/protections are done in the helper.This is exactly what reallocarray does.
Jan 03 2022
On Monday, 3 January 2022 at 00:52:38 UTC, Brian Callahan wrote:Perhaps D should provide a similar functionint[] array; array.length = 5;
Jan 02 2022
On Monday, 3 January 2022 at 01:29:11 UTC, Adam Ruppe wrote:On Monday, 3 January 2022 at 00:52:38 UTC, Brian Callahan wrote:I don't think that helps... ```d long cnt=60, itemsize=100; array.length = cnt*itemsize; //cannot pass argument `cnt * itemsize` of type `long` to parameter `uint newlength` ``` Even if you do your math there and it overflows, it's the same problem as using malloc.Perhaps D should provide a similar function```d int[] array; array.length = 5; ```
Jan 02 2022
On Monday, 3 January 2022 at 01:34:38 UTC, Era Scarecrow wrote:Even if you do your math there and it overflows, it's the same problem as using malloc.Except maybe the item size (*in this case*) is already known.
Jan 02 2022
On Monday, 3 January 2022 at 00:52:38 UTC, Brian Callahan wrote:Perhaps D should provide a similar functionWhat is wrong with Mallocator, mentioned else-thread?
Jan 03 2022