Message ID | 522F1BAD.7070502@linaro.org
---|---
State | Accepted
On 10 September 2013 18:46, Will Newton <will.newton@linaro.org> wrote: > > A large bytes parameter to valloc could cause an integer overflow > and corrupt allocator internals. Check the overflow does not occur > before continuing with the allocation. > > ChangeLog: > > 2013-08-16 Will Newton <will.newton@linaro.org> > > [BZ #15856] > * malloc/malloc.c (__libc_valloc): Check the value of bytes > does not overflow. > --- > malloc/malloc.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > Changes in v3: > - Reorder if condition > - Set errno appropriately > > diff --git a/malloc/malloc.c b/malloc/malloc.c > index 7f43ba3..3148c5f 100644 > --- a/malloc/malloc.c > +++ b/malloc/malloc.c > @@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes) > > size_t pagesz = GLRO(dl_pagesize); > > + /* Check for overflow. */ > + if (bytes > SIZE_MAX - pagesz - MINSIZE) > + { > + __set_errno (ENOMEM); > + return 0; > + } > + > void *(*hook) (size_t, size_t, const void *) = > force_reg (__memalign_hook); > if (__builtin_expect (hook != NULL, 0)) > -- > 1.8.1.4 > Wrong mailing list, but the patch is OK. Thanks, Siddhesh
diff --git a/malloc/malloc.c b/malloc/malloc.c index 7f43ba3..3148c5f 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes > SIZE_MAX - pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + void *(*hook) (size_t, size_t, const void *) = force_reg (__memalign_hook); if (__builtin_expect (hook != NULL, 0))
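Review bot: the bound in `if (bytes > SIZE_MAX - pagesz - MINSIZE)` is the overflow-free form of `bytes + pagesz + MINSIZE > SIZE_MAX` (the two subtractions cannot wrap, since pagesz and MINSIZE are both small), so the condition is correct, but the comment `/* Check for overflow. */` does not say which sum it guards; spelling out that the page-rounded request plus MINSIZE must fit in size_t would save the next reader from re-deriving it. Placing the check before the `force_reg (__memalign_hook)` dispatch is the right choice, since a hook installed by a debugging layer then also never sees a request that would wrap in the allocator. Minor style point: `return NULL;` reads better than `return 0;` for a function returning `void *`, and `__set_errno (ENOMEM)` on the rejected path matches what callers expect from a failed allocation.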