mirror/glibc
2
0
Fork 0
mirror of git://sourceware.org/git/glibc.git synced 2025-01-18 12:16:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

malloc/hooks.c: Correct check for overflow in memalign_check.

Browse Source 
A large value of bytes passed to memalign_check can cause an integer
overflow in _int_memalign and heap corruption. This issue can be
exposed by running tst-memalign with MALLOC_CHECK_=3.

ChangeLog:

2013-10-10  Will Newton  <will.newton@linaro.org>

	* malloc/hooks.c (memalign_check): Ensure the value of bytes
	passed to _int_memalign does not overflow.
This commit is contained in:
Will Newton 2013-10-09 14:41:57 +01:00
parent 40fefba1b5
commit 321e268471
2 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,3 +1,8 @@
2013-10-10 Will Newton <will.newton@linaro.org>
* malloc/hooks.c (memalign_check): Ensure the value of bytes
passed to _int_memalign does not overflow.
2013-10-10 Torvald Riegel <triegel@redhat.com>
* scripts/bench.pl: Add include-sources directive.

11
malloc/hooks.c
View File

@ -361,10 +361,13 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
if (alignment < MINSIZE) alignment = MINSIZE;
if (bytes+1 == 0) {
__set_errno (ENOMEM);
return NULL;
}
/* Check for overflow. */
if (bytes > SIZE_MAX - alignment - MINSIZE)
{
__set_errno (ENOMEM);
return 0;
}
(void)mutex_lock(&main_arena.mutex);
mem = (top_check() >= 0) ? _int_memalign(&main_arena, alignment, bytes+1) :
NULL;