If there is an integer overflow when calculating an allocation size the new memory on the heap can be too small leading to a heap buffer overflow.
To make it easier to use checked arithmetic for allocation sizes, change isc_mem_get() to allocate an array by default. Like calloc(), it now takes two size arguments: an element count, and an element size. (Unlike calloc(), ISC_MEM_ZERO must be requested explicitly.)

There is also a new extended variant, isc_mem_getfx(), for allocating a struct with a flexible array member. It uses a checked multiply-add to calculate the size.
Most of this change is done by Coccinelle. However, Coccinelle's parser has trouble with some of BIND's macros, so the refactoring is done in three stages: suppress the problematic macros; apply the spatch; then revert the suppression.

The spatch is generated by a perl script, because it is very repetitive handling all the variants of isc_mem_put(), etc., with and without flags.
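The following is an added example, not BIND's code and not the isc_mem API: it shows the class of bug the commit message describes (a count * size product that wraps, so the heap block is too small) next to the two checked size computations the message refers to, a calloc-style count * size for array allocations and a multiply-add (header + count * size) for a struct with a flexible array member. All function and type names here (naive_array_size, checked_array_size, checked_flex_size, get_array, get_packet, struct packet) are hypothetical. The checks use the GCC/Clang __builtin_*_overflow intrinsics.

```c
/* Added example: checked allocation-size arithmetic. Hypothetical names;
 * this is not BIND's isc_mem_get()/isc_mem_getfx(). Requires GCC or Clang
 * for __builtin_mul_overflow / __builtin_add_overflow. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The unchecked computation: count * size silently wraps modulo SIZE_MAX+1,
 * so a huge count can yield a tiny (even zero) allocation size. */
size_t naive_array_size(size_t count, size_t size) {
    return count * size;
}

/* calloc()-style check: store count * size in *out, or return false if the
 * product does not fit in a size_t. */
bool checked_array_size(size_t count, size_t size, size_t *out) {
    return !__builtin_mul_overflow(count, size, out);
}

/* Checked multiply-add for a struct with a flexible array member:
 * *out = header + count * size, or false if either step overflows. */
bool checked_flex_size(size_t header, size_t count, size_t size, size_t *out) {
    size_t array;
    if (__builtin_mul_overflow(count, size, &array)) {
        return false;
    }
    return !__builtin_add_overflow(header, array, out);
}

/* Array allocator taking (count, size) like calloc(); zeroing is opt-in,
 * mirroring the "ISC_MEM_ZERO must be requested explicitly" rule. */
void *get_array(size_t count, size_t size, bool zero) {
    size_t total;
    if (!checked_array_size(count, size, &total)) {
        return NULL; /* refuse rather than allocate a wrapped-around size */
    }
    void *p = malloc(total == 0 ? 1 : total);
    if (p != NULL && zero) {
        memset(p, 0, total);
    }
    return p;
}

/* A struct ending in a flexible array member (hypothetical). */
struct packet {
    size_t len;
    unsigned char data[]; /* len bytes follow the header */
};

/* Allocate a packet with room for n payload bytes using the checked
 * header + n * sizeof(element) computation. */
struct packet *get_packet(size_t n) {
    size_t total;
    if (!checked_flex_size(sizeof(struct packet), n, sizeof(unsigned char), &total)) {
        return NULL;
    }
    struct packet *p = malloc(total);
    if (p != NULL) {
        p->len = n;
        memset(p->data, 0xAA, n); /* fill exactly the n bytes we allocated */
    }
    return p;
}
```

With count = SIZE_MAX / 4 + 1 and an element size of 4, naive_array_size() wraps to 0 and a naive allocator would hand back a zero-length block that the caller then fills as if it held count elements; checked_array_size() and get_array() report the overflow instead. The flexible-array case needs the second check as well: n = SIZE_MAX with a one-byte element does not overflow the multiply, but adding the header does, which is exactly what the multiply-add catches.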