The default memory allocation operator, ::operator new(std::size_t), throws a std::bad_alloc exception if the allocation fails. Therefore, you need not check whether calling ::operator new(std::size_t) results in nullptr. The nonthrowing form, ::operator new(std::size_t, const std::nothrow_t &), does not throw an exception if the allocation fails but instead returns nullptr. The same behaviors apply for the operator new[] versions of both allocation functions. Additionally, the default allocator object (std::allocator) uses ::operator new(std::size_t) to perform allocations and should be treated similarly.
T *p1 = new T; // Throws std::bad_alloc if allocation fails T *p2 = new (std::nothrow) T; // Returns nullptr if allocation fails T *p3 = new T[1]; // Throws std::bad_alloc if the allocation fails T *p4 = new (std::nothrow) T[1]; // Returns nullptr if the allocation fails
Furthermore, operator new[] can throw an error of type std::bad_array_new_length, a subclass of std::bad_alloc, if the size argument passed to new is negative or excessively large.
When using the nonthrowing form, it is imperative to check that the return value is not nullptr before accessing the resulting pointer. When using either form, be sure to comply with ERR50-CPP. Do not abruptly terminate the program.
Noncompliant Code Example
In this noncompliant code example, an array of int is created using ::operator new[](std::size_t) and the results of the allocation are not checked. The function is marked as noexcept, so the caller assumes this function does not throw any exceptions. Because ::operator new[](std::size_t) can throw an exception if the allocation fails, it could lead to abnormal termination of the program.
#include <cstring>
void f(const int *array, std::size_t size) noexcept {
int *copy = new int[size];
std::memcpy(copy, array, size * sizeof(*copy));
// ...
delete [] copy;
}
Compliant Solution (std::nothrow)
When using std::nothrow, the new operator returns either a null pointer or a pointer to the allocated space. Always test the returned pointer to ensure it is not nullptr before referencing the pointer. This compliant solution handles the error condition appropriately when the returned pointer is nullptr.
#include <cstring>
#include <new>
void f(const int *array, std::size_t size) noexcept {
int *copy = new (std::nothrow) int[size];
if (!copy) {
// Handle error
return;
}
std::memcpy(copy, array, size * sizeof(*copy));
// ...
delete [] copy;
}
Compliant Solution (std::bad_alloc)
Alternatively, you can use ::operator new[] without std::nothrow and instead catch a std::bad_alloc exception if sufficient memory cannot be allocated.
#include <cstring>
#include <new>
void f(const int *array, std::size_t size) noexcept {
int *copy;
try {
copy = new int[size];
} catch(std::bad_alloc) {
// Handle error
return;
}
// At this point, copy has been initialized to allocated memory
std::memcpy(copy, array, size * sizeof(*copy));
// ...
delete [] copy;
}
Compliant Solution (noexcept(false))
If the design of the function is such that the caller is expected to handle exceptional situations, it is permissible to mark the function explicitly as one that may throw, as in this compliant solution. Marking the function is not strictly required, as any function without a noexcept specifier is presumed to allow throwing.
#include <cstring>
void f(const int *array, std::size_t size) noexcept(false) {
int *copy = new int[size];
// If the allocation fails, it will throw an exception which the caller
// will have to handle.
std::memcpy(copy, array, size * sizeof(*copy));
// ...
delete [] copy;
}
Noncompliant Code Example
In this noncompliant code example, two memory allocations are performed within the same expression. Because the memory allocations are passed as arguments to a function call, an exception thrown as a result of one of the calls to new could result in a memory leak.
struct A { /* ... */ };
struct B { /* ... */ };
void g(A *, B *);
void f() {
g(new A, new B);
}
Consider the situation in which A is allocated and constructed first, and then B is allocated and throws an exception. Wrapping the call to g() in a try/catch block is insufficient because it would be impossible to free the memory allocated for A.
This noncompliant code example also violates EXP50-CPP. Do not depend on the order of evaluation for side effects, because the order in which the arguments to g() are evaluated is unspecified.
Compliant Solution (std::unique_ptr)
In this compliant solution, a std::unique_ptr is used to manage the resources for the A and B objects with RAII. In the situation described by the noncompliant code example, B throwing an exception would still result in the destruction and deallocation of the A object when then std::unique_ptr<A> was destroyed.
#include <memory>
struct A { /* ... */ };
struct B { /* ... */ };
void g(std::unique_ptr<A> a, std::unique_ptr<B> b);
void f() {
g(std::make_unique<A>(), std::make_unique<B>());
}
Compliant Solution (References)
When possible, the more resilient compliant solution is to remove the memory allocation entirely and pass the objects by reference instead.
struct A { /* ... */ };
struct B { /* ... */ };
void g(A &a, B &b);
void f() {
A a;
B b;
g(a, b);
}
Risk Assessment
Failing to detect allocation failures can lead to abnormal program termination and denial-of-service attacks.
If the vulnerable program references memory offset from the return value, an attacker can exploit the program to read or write arbitrary memory. This vulnerability has been used to execute arbitrary code [VU#159523].
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM52-CPP | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | |||
| Coverity | 7.5 | CHECKED_RETURN | Finds inconsistencies in how function call return values are handled |
| Helix QAC | 2024.1 | C++3225, C++3226, C++3227, C++3228, C++3229, C++4632 | |
| Klocwork | 2024.1 | NPD.CHECK.CALL.MIGHT NPD.CHECK.CALL.MUST NPD.CHECK.MIGHT NPD.CHECK.MUST NPD.CONST.CALL NPD.CONST.DEREF NPD.FUNC.CALL.MIGHT NPD.FUNC.CALL.MUST NPD.FUNC.MIGHT NPD.FUNC.MUST NPD.GEN.CALL.MIGHT NPD.GEN.CALL.MUST NPD.GEN.MIGHT NPD.GEN.MUST RNPD.CALL RNPD.DEREF | |
| LDRA tool suite | 9.7.1
| 45 D | Partially implemented |
| Parasoft C/C++test | 2023.1 | CERT_CPP-MEM52-a | Check the return value of new |
| Parasoft Insure++ | Runtime detection | ||
| Polyspace Bug Finder | R2023b | CERT C++: MEM52-CPP | Checks for unprotected dynamic memory allocation (rule partially covered) |
| PVS-Studio | 7.30 | V522, V668 |
Related Vulnerabilities
The vulnerability in Adobe Flash [VU#159523] arises because Flash neglects to check the return value from calloc(). Even though calloc() returns NULL, Flash does not attempt to read or write to the return value. Instead, it attempts to write to an offset from the return value. Dereferencing NULL usually results in a program crash, but dereferencing an offset from NULL allows an exploit to succeed without crashing the program.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C Coding Standard | ERR33-C. Detect and handle standard library errors |
| MITRE CWE | CWE 252, Unchecked Return Value |
Bibliography
| [ISO/IEC 9899:2011] | Subclause 7.20.3, "Memory Management Functions" |
| [ISO/IEC 14882-2014] | Subclause 18.6.1.1, "Single-Object Forms" |
| [Meyers 1996] | Item 7, "Be Prepared for Out-of-Memory Conditions" |
| [Seacord 2013] | Chapter 4, "Dynamic Memory Management" |
7 Comments
Martin Sebor
I wonder what happens in Compliant Solution (
std::nothrow) whensizeis excessively large. By my reading of [expr.new] it should throwstd::bad_array_new_lengthbut that would seem to defeat the purpose of thenothrowoverload.Aaron Ballman
By my reading of [new.delete.array]p8, that wouldn't happen.
Martin Sebor
The expression
new(std::nothrow)int[size]takes place in two distinct steps:sizeargument is checked to see if it's erroneous and if so, either the program is ill-formed (size is a core constant expression) orbad_array_new_lengthis thrown otherwise. (This is in [expr.new], p7.)sizeis not erroneous,::operator new[](size_t, nothrow_t)is called to allocate memory.What I'm having trouble finding is the text that says that in step (1),
bad_array_new_lengthisn't thrown for the nothrow form of the array new expression.Aaron Ballman
You're absolutely correct, I hadn't noticed that before. And there is implementation divergence as well.
#include <memory> static std::size_t getN() { return 0xFFFFFFFFFFFFFFFF; } void f() { std::size_t N = getN(); int *i = new (std::nothrow) int[N]; (void)i; } int main() { f(); }GCC throws a std::bad_array_new_length, Clang accepts and returns
nullptr, and MSVC diagnoses a truncation warning becausestd::size_tis defined asintfor that platform; in debug mode it results in an assert firing and in release mode results innullptrbeing returned.Aaron Ballman
To follow up on this: http://wg21.cmeerw.net/cwg/issue1992; the wording for the DR was accepted for C++17.
Sridhar Balasubramanian
Coverity CHECKED_RETURN checker will not help much to trap issues relating to memory allocation errors. It can only find instances when function return values are inconsistent. Are you interpreting it from the perspective of a memory allocation routine, whose return values may be inconsistent, which can be trapped by CHECKED_RETURN checker?
David Svoboda
Not knowing the details of that particular checker, I can only refer you to our Automated Detection disclaimer, which applies to all information in the Automated Detection section:
Verification of Mappings to Static Analysis Tool Checkers