From b7b0f18926295ff4543cf88c94b8bad85becd5a0 Mon Sep 17 00:00:00 2001
From: Michael Kerrisk <mtk.manpages@gmail.com>
Date: Wed, 4 Jul 2018 10:03:01 +0200
Subject: [PATCH] malloc.3: Note that calloc() detects overflow when
 multiplying its arguments

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
---
 man3/malloc.3 | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/man3/malloc.3 b/man3/malloc.3
index fcef8d951..b559687de 100644
--- a/man3/malloc.3
+++ b/man3/malloc.3
@@ -107,6 +107,23 @@ returns either NULL,
 .\" glibc does this:
 or a unique pointer value that can later be successfully passed to
 .BR free ().
+If the multiplication of
+.I nmemb
+and
+.I size
+would result in integer overflow, then
+.BR calloc ()
+returns an error.
+By contrast,
+an integer overflow would not be detected in the following call to
+.BR malloc (),
+with the result that an incorrectly sized block of memory would be allocated:
+.PP
+.in +4n
+.EX
+malloc(nmemb * size);
+.EE
+.in
 .PP
 The
 .BR realloc ()