Shulou(Shulou.com)05/31 Report--

This article mainly analyzes the 31st issue of [defect Weekly talk]: wrong memory release related knowledge points, the content is detailed and easy to understand, the operation details are reasonable, and has a certain reference value. If you are interested, you might as well follow the editor to take a look, and follow the editor to learn more about "defect Weekly talk No. 31: wrong memory release".

1. Wrong memory release method

The common memory request functions in C language include malloc (), realloc () and calloc (). Although they have different functions, they all correspond to the same memory release function free (). New/delete and new [] / delete [] are used to apply for and release memory in C++. Whether it is C language or C++ language, when writing the source code, we should choose the memory release method according to the different memory application methods to avoid using the wrong memory release. For example, memory allocation / release using a mixture of CCompact + or scalar and vector memory allocation / release.

2. The harm of wrong memory release method

Using the wrong memory release method will lead to unexpected program behavior and may even cause the program to crash. In the "effective C++ (second edition)" entry 5, the corresponding new and delete should take the same form "pointed out:" if the elements in the object are released incorrectly, the memory structure of the entire object and even the entire heap may be damaged, resulting in a memory leak, or even cause the program to crash. "

There is also some vulnerability information related to it in CVE, and there are three related vulnerability information in CVE from January 2018 to April 2019. The vulnerability information is as follows:

Overview of CVE vulnerabilities CVE-2018-14948dilawar sound2017-11-27 and previous versions of wav-file.cc files contain incorrect memory release method vulnerabilities (new [] / delete). The 'XmlFontAccu::CSStyle' function of the XmlFonts.cc file in CVE-2018-14947PDF2JSON version 0.69 contains an incorrect memory release vulnerability (new [] / delete). There is a malformed memory method vulnerability (malloc/delete) in the HtmlString class of the ImgOutputDev.cc file in CVE-2018-14946PDF2JSON version 0.69. 3. Sample code

The example is derived from Samate Juliet Test Suite for Cinning + v1.3 (https://samate.nist.gov/SARD/testsuite.php), source file name: CWE762_Mismatched_Memory_Management_Routines__new_array_delete_char_01.cpp.

3.1 defect code

In the above sample code, line 31 uses new [] to create an array of objects, and line 34 uses delete to release. Because the delete [] corresponding to new [] is not used when releasing the array of objects, there is a "wrong memory release method" problem.

Using the code guard to detect the above sample code, you can detect a "wrong memory release method" defect with a display level of medium. As shown in figure 1:

Figure 1: detection example of an incorrect memory release method

3.2 fix the code

In the above fix code, Samate gives the fix by creating an array of objects through new [] on line 31 and releasing it using delete [] on line 33. As a result, the wrong memory release method is avoided.

Using the code guard to detect the repaired code, you can see that there is no "wrong memory release method" defect. Figure 2:

Figure 2: test results after repair

4. How to avoid the wrong memory release method

To avoid incorrect memory release methods, you need to pay attention to the following:

The main results are as follows: (1) when releasing memory, make clear the method of memory application, so as to avoid using the wrong release method due to complex program structure and personnel negligence.

(2) this kind of problem can be detected effectively by using source code static analysis tool.

This is the end of the introduction to "defect Weekly No. 31: wrong memory release". More related content can be searched for previous articles, hoping to help you answer questions and questions, please support the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.