CWE-762

Mismatched Memory Management Routines. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

Required inputs: IR, StaticSemanticAnalysis

The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.

This weakness can be generally described as mismatching memory management routines, such as:

• The memory was allocated on the stack (automatically), but it was deallocated using the memory management routine free() (CWE-590), which is intended for explicitly allocated heap memory.
• The memory was allocated explicitly using one set of memory management functions, and deallocated using a different set. For example, memory might be allocated with malloc() in C++ instead of the new operator, and then deallocated with the delete operator.

When the memory management functions are mismatched, the consequences may be as severe as code execution, memory corruption, or program crash. Consequences and ease of exploit will vary depending on the implementation of the routines and the object being managed.

Demonstrative Examples

Example 1

This example allocates a BarObj object using the new operator in C++, however, the programmer then deallocates the object using free(), which may lead to unexpected behavior.

Example Language:C++
    void foo(){
        BarObj *ptr = new BarObj()
        /* do some work with ptr here */

        ...

        free(ptr);
    }

Instead, the programmer should have either created the object with one of the malloc family functions, or else deleted the object with the delete operator.

Example Language:C++
    void foo(){
        BarObj *ptr = new BarObj()
        /* do some work with ptr here */

        ...

        delete ptr;
    }

Example 2

In this example, the program does not use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource.

Example Language:C++
    class A {
        void foo();
    };
    void A::foo(){
        int *ptr;
        ptr = (int*)malloc(sizeof(int));
        delete ptr;
    }

Example 3

In this example, the program calls the delete[] function on non-heap memory.

Example Language:C++
    class A{
        void foo(bool);
    };
    void A::foo(bool heap) {
        int localArray[2] = {
            11,22
        };
        int *p = localArray;
        if (heap){
            p = new int[2];
        }
        delete[] p;
    }

Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key	Text	Severity	Disabled
possible_stack_free	{name0} possibly released by call to {node0} is a stack or static object	None	False
possible_wrong_release	Resource possibly released using wrong function (allocation used {node0})	None	False
stack_free	{name0} released by call to {node0} is a stack or static object	None	False
wrong_release	Resource released using wrong function (allocation used {node0})	None	False

Options

• This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity

• The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

resources

resources

Type: set[str]

Default: {'C++ArrayHeapMemory', 'C++HeapMemory', 'CudaAsyncMemory', 'CudaDeviceMemory', 'CudaDriverAsyncMemory', 'CudaHostMemory', 'CudaManagedMemory', 'FileHandle', 'HeapMemory', 'UniquePtrHeapMemory'}

Set of resources to be checked (selection of rules in the Resources group).

 

witness_paths

witness_paths : bool = True

Whether witness paths should be determined and included in the issue.