author: Vladimir Vukicevic <> 2007-06-19 13:15:21 -0700
committer: Vladimir Vukicevic <vladimir@feisty.(none)> 2007-06-29 09:46:08 -0700
commit: 5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360
tree: bb1abcb2f1144059d4444d8db343014e07791593 /CODING_STYLE
parent: fc34073464c487405b6e2e0a5fa269a1ae15a02a
[fix] Avoid int overflow when allocating large buffers
This patch introduces three macros: _cairo_malloc_ab, _cairo_malloc_abc, _cairo_malloc_ab_plus_c and replaces various calls to malloc(a*b), malloc(a*b*c), and malloc(a*b+c) with them. The macros return NULL if int overflow would occur during the allocation. See CODING_STYLE for more information.
Diffstat (limited to 'CODING_STYLE')
1 files changed, 25 insertions, 0 deletions
index 2aef41c99..73fe2a9b9 100644
@@ -243,3 +243,28 @@ The return statement is often the best thing to use in a pattern like
this. If it's not available due to additional nesting above which
require some cleanup after the current block, then consider splitting
the current block into a new function before using goto.
+Memory allocation
+Because much of cairo's data consists of dynamically allocated arrays,
+it's very easy to introduce integer overflow issues whenever malloc()
+is called. Use the _cairo_malloc2(), _cairo_malloc3(), and
+_cairo_malloc2_add1 macros to avoid these cases; these macros check
+for overflow and will return NULL in that case.
+ malloc (n * size) => _cairo_malloc_ab (n, size)
+ e.g. malloc (num_elts * sizeof(some_type)) =>
+ _cairo_malloc2 (num_elts, sizeof(some_type))
+ malloc (a * b * size) => _cairo_malloc_abc (a, b, size)
+ e.g. malloc (width * height * 4) =>
+ _cairo_malloc3 (width, height, 4)
+ malloc (n * size + k) => _cairo_malloc_ab_plus_c (n, size, k)
+ e.g. malloc (num * sizeof(entry) + sizeof(header)) =>
+ _cairo_malloc2k (num, sizeof(entry), sizeof(header))
+In general, be wary of performing any arithmetic operations in an
+argument to malloc. You should explicitly check for integer overflow
+yourself in any more complex situations. \ No newline at end of file
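Review bot: The macro names are inconsistent within the added "Memory allocation" section. The introductory paragraph tells readers to use _cairo_malloc2(), _cairo_malloc3() and _cairo_malloc2_add1, and the three "e.g." lines use _cairo_malloc2, _cairo_malloc3 and _cairo_malloc2k, while the mapping lines (and the commit message) name _cairo_malloc_ab, _cairo_malloc_abc and _cairo_malloc_ab_plus_c. Suggest using the _ab / _abc / _ab_plus_c names throughout so the style guide matches the macros the commit message says are introduced; as written, a reader following the prose or the examples would reach for names that the mapping lines do not list. Because the section says the macros return NULL on overflow, it would also help to state that callers must check the result exactly as they would for a failed malloc(). Lastly, the file now ends without a trailing newline.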