Closed arosso96 closed 3 years ago
Thanks for bringing this up @arosso96. In ESP-IDF and other Espressif SDKs, newlib heap management functions aren't used. ESP-IDF used a custom heap allocator until IDF 4.3 and has switched to the TLSF allocator in IDF 4.3. Both do have the integer overflow checks in place.
We will definitely work towards upgrading newlib used in ESP-IDF to newer versions, though!
All newlib versions prior to 4.0.0 suffer from this High Risk security flaw. For more info
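The kind of integer overflow check on allocation sizes that the reply above refers to, shown on a toy bump allocator. This is an added example, not code from ESP-IDF, TLSF or newlib; `toy_malloc`, `toy_calloc`, `padded_size` and the arena constants are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical toy bump allocator over a fixed arena (illustration only). */
#define ARENA_SIZE 4096u
#define ALIGN      8u
#define HDR_SIZE   sizeof(size_t)   /* per-block header storing the payload size */

static _Alignas(8) unsigned char arena[ARENA_SIZE];
static size_t arena_used;

/* Add the header and round up to ALIGN, rejecting any request that would wrap.
 * Without this check, a request near SIZE_MAX wraps to a tiny padded size and
 * the caller receives a block far smaller than it asked for. */
static int padded_size(size_t req, size_t *out)
{
    if (req > SIZE_MAX - HDR_SIZE - (ALIGN - 1))
        return -1;                        /* req + header + padding would wrap */
    *out = (req + HDR_SIZE + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    return 0;
}

void *toy_malloc(size_t req)
{
    size_t total;
    if (padded_size(req, &total) != 0)
        return NULL;
    if (total > ARENA_SIZE - arena_used)  /* subtraction form cannot wrap */
        return NULL;
    unsigned char *blk = arena + arena_used;
    memcpy(blk, &req, HDR_SIZE);          /* record payload size in the header */
    arena_used += total;
    return blk + HDR_SIZE;
}

void *toy_calloc(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return NULL;                      /* nmemb * size would wrap */
    void *p = toy_malloc(nmemb * size);
    if (p != NULL)
        memset(p, 0, nmemb * size);
    return p;
}
```
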