Section: 184.108.40.206 [mem.poly.allocator.mem] Status: New Submitter: Billy O'Neal III Opened: 2017-11-16 Last modified: 2017-11-25
At the moment polymorphic_allocator is specified to do sizeof(T) * n directly; this may allow an attacker to cause this calculation to overflow, resulting in allocate() not meeting its postcondition of returning a buffer suitable to store n copies of T; this is a common bug described in CWE-190.

Making this into a saturating multiply should be sufficient to avoid this problem; any memory_resource underneath polymorphic_allocator is going to have to throw bad_alloc (or another exception) for a request of SIZE_MAX.

(There's also a minor editorial thing here that Returns should be Effects.)
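The difference between the wrapping and the saturating byte count, as an added example that is not part of the issue text or its proposed wording. Record, ArenaResource, kHostileN and the function names are hypothetical, and ArenaResource is a constructed stand-in for a memory_resource that refuses any request larger than its arena.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>

struct Record { std::uint64_t id, len; };   // constructed element type
static_assert(sizeof(Record) == 16, "example assumes a 16-byte element");

// Constructed count: kHostileN * sizeof(Record) wraps around to exactly 16.
const std::size_t kHostileN = SIZE_MAX / sizeof(Record) + 2;

// Byte count as currently specified: wraps modulo SIZE_MAX + 1.
template <class T> std::size_t wrapping_bytes(std::size_t n) { return n * sizeof(T); }

// Saturating multiply: clamp to SIZE_MAX instead of wrapping.
template <class T> std::size_t saturating_bytes(std::size_t n) {
    return SIZE_MAX / sizeof(T) < n ? SIZE_MAX : n * sizeof(T);
}

// Hypothetical resource: serves small requests, throws bad_alloc otherwise.
struct ArenaResource {
    alignas(16) unsigned char arena[256];
    void* allocate(std::size_t bytes, std::size_t /*alignment*/) {
        if (bytes > sizeof(arena)) throw std::bad_alloc();
        return arena;
    }
};

// True if the resource satisfied a request sized with the wrapping count.
// For kHostileN this is the defect: the caller believes it holds n Records
// but the buffer has room for one.
bool wrapping_form_succeeds(std::size_t n) {
    ArenaResource r;
    return r.allocate(wrapping_bytes<Record>(n), alignof(Record)) != nullptr;
}

// True if a request sized with the saturating count was refused.
bool saturating_form_throws(std::size_t n) {
    ArenaResource r;
    try { (void)r.allocate(saturating_bytes<Record>(n), alignof(Record)); }
    catch (const std::bad_alloc&) { return true; }
    return false;
}

int main() {
    std::printf("wrapping request:   %zu bytes\n", wrapping_bytes<Record>(kHostileN));
    std::printf("saturating request: %zu bytes\n", saturating_bytes<Record>(kHostileN));
    std::printf("saturating form refused: %d\n", saturating_form_throws(kHostileN));
}
```
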
Wording relative to N4700.
Edit 220.127.116.11 [mem.poly.allocator.mem] as indicated:
Tp* allocate(size_t n);
Returns: Equivalent to
return static_cast<Tp*>(memory_rsrc->allocate(n * sizeof(Tp), alignof(Tp)));