Proposed resolution:

Wording relative to N4762.

1. Edit [mem.poly.allocator.mem] as indicated:

   Tp* allocate(size_t n);
   

   -1- Effects: If SIZE_MAX / sizeof(Tp) < n, throws length_error. Otherwise Eequivalent to:

   return static_cast<Tp*>(memory_rsrc->allocate(n * sizeof(Tp), alignof(Tp)));
   

[ 2018-11, Adopted in San Diego ]

[ 2018-08-23 Batavia Issues processing ]

Status to Tentatively Ready with updated wording

Previous resolution [SUPERSEDED]:

Wording relative to N4762.

1. Edit [mem.poly.allocator.mem] as indicated:

   Tp* allocate(size_t n);
   

   -1- Effects: If SIZE_MAX / sizeof(Tp) < n, throws length_error, then Eequivalent to:

   return static_cast<Tp*>(memory_rsrc->allocate(n * sizeof(Tp), alignof(Tp)));
   

[ 2018-06 Rapperswil Thursday issues processing ]

Consensus was that the overflow should be detected and an exception thrown rather than leaving that to the underlying memory resource. Billy to reword, and then get feedback on the reflector. Status to Open.

Previous resolution [SUPERSEDED]:

Wording relative to N4700.

1. Edit [mem.poly.allocator.mem] as indicated:

   Tp* allocate(size_t n);
   

   -1- ReturnsEffects: Equivalent to

   return static_cast<Tp*>(memory_rsrc->allocate(SIZE_MAX / sizeof(Tp) < n ? SIZE_MAX : n * sizeof(Tp), alignof(Tp)));
   

At the moment polymorphic_allocator is specified to do sizeof(T) * n directly; this may allow an attacker to cause this calculation to overflow, resulting in allocate() not meeting its postcondition of returning a buffer suitable to store n copies of T; this is a common bug described in CWE-190.

Making this into a saturating multiply should be sufficient to avoid this problem; any memory_resource underneath polymorphic_allocator is going to have to throw bad_alloc (or another exception) for a request of SIZE_MAX.

(There's also a minor editorial thing here that Returns should be Effects)