Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Binary make use of malloc Function

See original GitHub issue

Bug Report

Cordova iOS Applications scanned with MobSF report use of unsafe malloc function, (See also: https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/372).

Problem

See: CWE-789: Uncontrolled Memory Allocation

What is expected to happen?

Memory should be allocated via calloc.

What does actually happen?

Memory is allocated via unsafe malloc.

Information

See below.

Command or Code

Searching the repository leads me to the following line of code:

Byte* buffer = (Byte*)malloc((unsigned long)[assetRepresentation size]);

Source: https://github.com/apache/cordova-ios/blob/46da4bc34495ec7bfe13c1ec1b4074dd2e82641a/CordovaLib/Classes/Public/CDVURLProtocol.m#L65

Environment, Platform, Device

iOS

Version information

Cordova

Checklist

I searched for existing GitHub issues
I updated all Cordova tooling to most recent version
I included all the necessary information above

Issue Analytics

State:
Created 4 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

breautekcommented, Dec 12, 2019

there is no detriment by switching to calloc

I don’t have the experience with this code base to say exactly how significant this is, but calloc is slower. Because calloc zero-fills the allocated memory first, which you then overwrite a second time.

This is why @brodybits says it’s not necessary to use calloc over malloc because we allocate memory and immediately write to it completely.

If this API is not invoked very often then obviously the consequence of this would be negligible, but if it is a high traffic API, then the performance hit could be noticeable.

0reactions

dpoguecommented, Mar 3, 2020

CDVURLProtocol has been removed on master as part of dropping UIWebView support, so this issue no longer applies.

Top Results From Across the Web

iOS application is using Malloc function instead of calloc

The test team reported that the ipa is using Malloc function instead of calloc. They recommended to avoid use of such function in...

Binary make use of malloc & banned APIs - Ionic Forum

I am building a ionic 4 application for iOS. The PEN test team reported that the ipa make use of malloc and banned...

Security threat due to insecure fu… | Apple Developer Forums

Security threat due to insecure function "malloc()" in GCDAsyncSocket.m ... Issue description: Use of insecure functions/potential dangerous functions

Dynamic Memory Allocation in C using malloc(), calloc(), free ...

The “malloc” or “memory allocation” method in C is used to dynamically allocate a single large block of memory with the specified size....

Security audit report 4 insecures issues inside ipa - MSDN

The binary may use malloc function instead of calloc. =>Is-it possible to change this when converting to Objectiv-C ? Any helps would be...