Changes between Version 3 and Version 4 of rfc19_safememalloc
Timestamp: Jan 7, 2008, 1:24:15 PM (16 years ago)
rfc19_safememalloc
v3 v4 13 13 In many places in GDAL source code, multiplications are done to compute the size of the memory buffer to allocate, like raster blocks, scanlines, whole image buffers, etc.. Currently no overflow checking is done, thus leading to potential allocation of not large enough buffers. Overflow can occur when raster dimensions are very large (this can be the case with a WMS raster source for example) or when a dataset is corrupted, intentionnaly or unintentionnaly. This can lead to latter crash. 14 14 15 This RFC introduces new API to do multiplications on size_t variables and report overflows when they occur. Overflows are detected by checking that ((a*b)/b) == a. This does not require to make assumptions on the size of the variable types, their signedness, etc. 16 15 This RFC introduces new API to allocate memory when the computation of the size to allocate is based on multiplications. These new API report overflows when they occur. Overflows are detected by checking that ((a*b)/b) == a. This does not require to make assumptions on the size of the variable types, their signedness, etc. 17 16 18 17 {{{ 19 18 /** 20 This function returns (mul1 * mul2) and checks that the result of 21 the multiplication does not overflow the limits of size_t. 22 In case of overflow, 0 is returned, *pbOverflowFlag is set to TRUE 23 and a CE_Failure error is raised with CPLError() 24 */ 25 size_t CPL_DLL CPLSafeMul2( size_t mul1, size_t mul2, int *pbOverflowFlag); 26 27 /** 28 This function returns (mul1 * mul2 * mul3) and checks that the result of 29 the multiplication does not overflow the limits of size_t. 30 In case of overflow, 0 is returned, *pbOverflowFlag is set to TRUE 31 and a CE_Failure error is raised with CPLError() 32 */ 33 size_t CPL_DLL CPLSafeMul3( size_t mul1, size_t mul2, size_t mul3, int *pbOverflowFlag); 34 35 /** 36 This function return the @size argument if it fits into an integer. 
37 In case of overflow, 0 is returned, *pbOverflowFlag is set to TRUE 38 and a CE_Failure error is raised with CPLError() 39 */ 40 int CPL_DLL CPLSafeSizetCastToInt( size_t size, int *pbOverflowFlag ); 41 }}} 42 43 Note: the pbOverflowFlag parameter is new in comparison to the initial proposition of ticket #2075 . 44 45 46 To avoid verbosity when using the CPLSafeMulX calls for memory allocation, the following helper functions will also be provided. 47 48 {{{ 49 /** 50 CPLSafeMalloc2 allocates (nSize1 * nSize2) bytes. 19 VSIMalloc2 allocates (nSize1 * nSize2) bytes. 51 20 In case of overflow of the multiplication, or if memory allocation fails, a 52 21 NULL pointer is returned and a CE_Failure error is raised with CPLError(). … … 54 23 CPLFree() or VSIFree() can be used to free memory allocated by this function. 55 24 */ 56 void CPL_DLL * CPLSafeMalloc2( size_t nSize1, size_t nSize2 );25 void CPL_DLL *VSIMalloc2( size_t nSize1, size_t nSize2 ); 57 26 58 27 /** 59 CPLSafeMalloc3 allocates (nSize1 * nSize2 * nSize3) bytes.28 VSIMalloc3 allocates (nSize1 * nSize2 * nSize3) bytes. 60 29 In case of overflow of the multiplication, or if memory allocation fails, a 61 30 NULL pointer is returned and a CE_Failure error is raised with CPLError(). … … 63 32 CPLFree() or VSIFree() can be used to free memory allocated by this function. 64 33 */ 65 void CPL_DLL * CPLSafeMalloc3( size_t nSize1, size_t nSize2, size_t nSize3 );34 void CPL_DLL *VSIMalloc3( size_t nSize1, size_t nSize2, size_t nSize3 ); 66 35 }}} 67 36 68 Implementation of CPLMalloc, CPLCalloc, CPLRealloc, VSIMalloc, VSICalloc, VSIRealloc will not be changed. Developers are encouraged to use the CPLSafeMallocX functions instead of doing CPLMalloc(x * y) or VSIMalloc(x * y). 37 The behaviour of VSIMalloc2 and VSIMalloc3 is consistent with the behaviour of VSIMalloc. 38 Implementation of already existing memory allocation API (CPLMalloc, CPLCalloc, CPLRealloc, VSIMalloc, VSICalloc, VSIRealloc) will not be changed. 
39 40 [http://trac.osgeo.org/gdal/wiki/rfc8_devguide RFC-8] will be updated to promote new API for safer memory allocation. For example using VSIMalloc2(x, y) instead of doing CPLMalloc(x * y) or VSIMalloc(x * y). 69 41 70 42 == Implementation steps ==
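Review bot: the overflow test "((a*b)/b) == a" kept in the revised introduction (v4 line 15) divides by b, so a zero second operand has to be handled before the check is applied (a zero factor cannot overflow, so the product can be returned as 0 without dividing); and for the three-operand VSIMalloc3( size_t nSize1, size_t nSize2, size_t nSize3 ) the check must be applied to each intermediate product, first nSize1 * nSize2 and then that result times nSize3, because the first product can already wrap before the third factor is applied. Suggest stating both points explicitly in the RFC text, since the one-line formula reads as if a single division were sufficient.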
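Review bot: removing the int *pbOverflowFlag out-parameter that v3's CPLSafeMul2, CPLSafeMul3 and CPLSafeSizetCastToInt carried means a caller of VSIMalloc2 or VSIMalloc3 receives a NULL pointer both on multiplication overflow and on allocator failure; the text says both cases raise CE_Failure through CPLError(), so the RFC should say that callers are expected to treat the two identically (a NULL return is always a failed allocation) rather than leave them to parse the error message. The v4 column also drops CPLSafeSizetCastToInt without a replacement; if size_t-to-int narrowing at call sites is still a concern of this RFC, say where it is handled, otherwise note that it is out of scope.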