if the nmemb and size values being passed to calloc() are of a larger integer datatype, they will have been truncated when passed to the function there as well.
Perhaps you need something larger than size_t in the entire malloc manpage series?

-Luke

On Wed, Feb 17, 2021 at 2:25 PM Theo de Raadt <dera...@openbsd.org> wrote:

> > > Would it be too much hand-holding to put in the manpage that to avoid potential
> > > freezero() integer overflow,
> > > it may be useful to run freezero() as freezero((size_t)nmemb * (size_t)size);
> >
> > Wow, those casts make it very clear you don't understand C, if you do
> > that kind of stuff elsewhere you are introducing problems.
>
> If nmemb or size are of a type greater than size_t, those casts serve only one
> purpose -- truncating the high bits before performing multiply, which results in
> an incorrect size.
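The truncation and wrap-around discussed in this exchange, as an added example that is not code from the thread or from OpenBSD. It assumes `size32_t` as a stand-in for `size_t` on a 32-bit platform and `uint64_t` as the wider type holding `nmemb` and `size`; `naive_size` and `checked_size` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for illustration: size32_t models size_t on a 32-bit platform,
 * and uint64_t models the "larger integer datatype" holding nmemb and size. */
typedef uint32_t size32_t;

/* The pattern from the thread: cast each operand, then multiply.
 * The casts drop the high 32 bits and the product wraps modulo 2^32. */
static size32_t naive_size(uint64_t nmemb, uint64_t size)
{
    return (size32_t)((size32_t)nmemb * (size32_t)size);
}

/* Hypothetical helper: range-check before narrowing, then check the
 * multiplication. Returns 0 and stores the product, or -1 if the byte
 * count cannot be represented in size32_t. */
static int checked_size(uint64_t nmemb, uint64_t size, size32_t *out)
{
    if (nmemb > UINT32_MAX || size > UINT32_MAX)
        return -1;                      /* a cast would truncate this */
    if (size != 0 && nmemb > UINT32_MAX / size)
        return -1;                      /* the product would wrap */
    *out = (size32_t)(nmemb * size);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    uint64_t cases[][2] = {
        { 1000, 16 },                   /* fits */
        { 0x100000001ULL, 16 },         /* high bits lost by the cast */
        { 0x10000, 0x10000 },           /* operands fit, product wraps */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size32_t n = 0;
        int rc = checked_size(cases[i][0], cases[i][1], &n);
        printf("naive=%u checked=%s\n",
               (unsigned)naive_size(cases[i][0], cases[i][1]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```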