From b20360f11b77a6c98f5245c938af66cdc5bcbab9 Mon Sep 17 00:00:00 2001
From: Magnus Larsen
Date: Sat, 22 Nov 2025 05:37:19 +0000
Subject: [PATCH] Fix multiplication in memoverride calloc macro

Without this change, a call such as `calloc( 1 + 1, 2 )` will allocate 3 bytes ( `1 + 1 * 2`) and then memset 4 bytes ( `(1 + 1) * 2` ), overflowing the buffer & corrupting the heap.
---
 src/public/tier0/memdbgon.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/public/tier0/memdbgon.h b/src/public/tier0/memdbgon.h
index 822202aa9f3..415f50691ad 100644
--- a/src/public/tier0/memdbgon.h
+++ b/src/public/tier0/memdbgon.h
@@ -88,7 +88,7 @@ inline void *MemAlloc_InlineCallocMemset( void *pMem, size_t nCount, size_t nEle
 }
 #endif
-#define calloc(c, s) MemAlloc_InlineCallocMemset(malloc(c*s), c, s)
+#define calloc(c, s) MemAlloc_InlineCallocMemset( malloc( (c) * (s) ), c, s )
 #define free(p) g_pMemAlloc->Free( p )
 #define _msize(p) g_pMemAlloc->GetSize( p )
 #define _expand(p, s) _expand_NoLongerSupported(p, s)
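Review bot: The product `(c) * (s)` in the new `calloc` macro is still computed with no overflow check, so a count and size whose product wraps `size_t` yields a short allocation where standard `calloc` would return NULL, and a caller that then indexes up to `c` elements writes past the block. A guard evaluated before the allocation would close that gap, for example `#define calloc(c, s) ( ( (s) != 0 && (size_t)(c) > SIZE_MAX / (size_t)(s) ) ? NULL : MemAlloc_InlineCallocMemset( malloc( (c) * (s) ), c, s ) )`, assuming `SIZE_MAX` is available in this header. The macro also expands `c` and `s` more than once, so an argument with side effects is evaluated repeatedly; a comment above the define such as `// NOTE: evaluates c and s more than once; arguments must be side-effect free` would warn callers. The body of MemAlloc_InlineCallocMemset lies outside the hunk, so the size it passes to memset is taken from the commit message rather than from visible code.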