Binary Makes Use of Malloc Function Security vulnerability issue #14209

@nkvgopinath

Description

In C and C++, memory is typically allocated in two ways: statically and dynamically. Static allocation is done
at compile time, and the memory is allocated for the entire duration of the program's execution. Dynamic
allocation, on the other hand, is done at runtime using the malloc function, which allocates memory on the
heap.
If a binary makes use of malloc, there is a risk of memory leaks and buffer overflows. Memory leaks occur
when memory is allocated but not properly freed, leading to a gradual loss of available memory. Buffer
overflows occur when more data is written to a buffer than the buffer can hold, potentially overwriting
adjacent memory.

Thanks and Regards
MBRHE TEAM

Reproducing the issue

Screenshot 2024-12-04 at 1 16 41 PM

Firebase SDK Version

11.4.2

Xcode Version

16.1

Installation Method

CocoaPods

Firebase Product(s)

Analytics, Crashlytics, Firestore

Targeted Platforms

iOS

Relevant Log Output

Our security research team suggested using calloc instead of malloc to ensure safe memory initialization and to prevent memory overflow vulnerabilities.

This version clarifies the intent and highlights the security advantage of calloc, which initializes memory to zero, unlike malloc.

If using Swift Package Manager, the project's Package.resolved

No response

If using CocoaPods, the project's Podfile.lock

pod 'Firebase/Messaging'
pod 'Firebase/Analytics'
pod 'Firebase/Crashlytics'
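
An added example, not part of the issue and not Firebase code, showing the properties the report touches on: calloc returns zeroed memory, an array size computed as `count * size` can wrap unless it is checked, and writes past the end of a buffer are stopped by a length check rather than by the choice of allocator. The `record` type and all function names are hypothetical, constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type, constructed for this example (32 bytes). */
struct record { uint32_t id; char name[28]; };

/* Size a naive malloc(count * sizeof(struct record)) would request; wraps silently. */
size_t naive_request(size_t count) {
    return count * sizeof(struct record);
}

/* Zero-initialized array allocation with an explicit overflow check.
   Returns NULL for count == 0, for an overflowing size, or on failure. */
struct record *alloc_records(size_t count) {
    if (count == 0 || count > SIZE_MAX / sizeof(struct record))
        return NULL;
    return calloc(count, sizeof(struct record));
}

/* Returns 1 if every byte in [p, p+len) is zero, else 0. */
int all_zero(const void *p, size_t len) {
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0) return 0;
    return 1;
}

/* Bounded write: the allocator does not stop writes past the end of a
   buffer, the length check does. Returns 0 on success, -1 if too long. */
int set_name(struct record *r, const char *name) {
    size_t n = strlen(name);
    if (n >= sizeof r->name) return -1;
    memcpy(r->name, name, n + 1);
    return 0;
}

int main(void) {
    size_t huge = SIZE_MAX / sizeof(struct record) + 2;  /* constructed input */
    printf("naive request for huge count: %zu bytes\n", naive_request(huge));
    printf("checked allocation: %s\n", alloc_records(huge) ? "ok" : "refused");
    struct record *r = alloc_records(4);
    if (!r) return 1;
    printf("zeroed: %d\n", all_zero(r, 4 * sizeof *r));
    printf("long name rejected: %d\n", set_name(&r[0], "a-name-much-longer-than-the-28-byte-field") == -1);
    free(r);
    return 0;
}
```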

Labels: sessions (Changes pertaining to the Firebase Sessions SDK)
