[metadata]
id = "MEM07-C"
type = "recommendation"
category = "MEM"
number = 7
title = "Ensure that the arguments to calloc(), when multiplied, do not wrap"
description = """
DeprecatedThis guideline does not apply to code that need conform only to C23.
Code that must conform to older versions of the C standard should still comply
with this guideline. Thecalloc()function takes two arguments: the number of
elements to allocate and the storage size of those elements.
Typically,calloc()implementationsmultiply these arguments to determine how much
memory to allocate. Historically, some implementations failed to check whether
out-of-bounds results silently wrapped [RUS-CERT Advisory 2002-08:02]. If the
result of multiplying the number of elements to allocate and the storage size
wraps, less memory is allocated than was requested. As a result, it is necessary
to ensure that these arguments, when multiplied, do not wrap. Modern
implementations of the C standard library should check for wrap. If
thecalloc()function implemented by the libraries used for a particular
implementation properly handlesunsigned integer wrapping(in conformance
withINT30-C. Ensure that unsigned integer operations do not wrap) when
multiplying the number of elements to allocate and the storage size, that is
sufficient to comply with this recommendation and no further action is required.
"""
severity = "High"
likelihood = "Unlikely"
priority = "P6"
level = "L2"
cert_version = "2016 Edition (Wiki)"
last_modified = "Jul 24, 2025"
[rules.cert_c.MEM07-C]
enabled = true
[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/MEM07-C.+Ensure+that+the+arguments+to+calloc%28%29%2C+when+multiplied%2C+do+not+wrap"
cwe = ["CWE-190", "CWE-128"]