lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-07-28 00:21:52 +03:00
Code Activity

malloc/hooks.c: Correct check for overflow in memalign_check.

Browse Source 
A large value of bytes passed to memalign_check can cause an integer
overflow in _int_memalign and heap corruption. This issue can be
exposed by running tst-memalign with MALLOC_CHECK_=3.

ChangeLog:

2013-10-10  Will Newton  <will.newton@linaro.org>

	* malloc/hooks.c (memalign_check): Ensure the value of bytes
	passed to _int_memalign does not overflow.
This commit is contained in:
Will Newton
2013-10-09 14:41:57 +01:00
parent 40fefba1b5
commit 321e268471
2 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,3 +1,8 @@
2013-10-10 Will Newton <will.newton@linaro.org>
* malloc/hooks.c (memalign_check): Ensure the value of bytes
passed to _int_memalign does not overflow.
2013-10-10 Torvald Riegel <triegel@redhat.com> 2013-10-10 Torvald Riegel <triegel@redhat.com>
* scripts/bench.pl: Add include-sources directive. * scripts/bench.pl: Add include-sources directive.

11
malloc/hooks.c
View File

@ -361,10 +361,13 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL); if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
if (alignment < MINSIZE) alignment = MINSIZE; if (alignment < MINSIZE) alignment = MINSIZE;
if (bytes+1 == 0) { /* Check for overflow. */
__set_errno (ENOMEM); if (bytes > SIZE_MAX - alignment - MINSIZE)
return NULL; {
} __set_errno (ENOMEM);
return 0;
}
(void)mutex_lock(&main_arena.mutex); (void)mutex_lock(&main_arena.mutex);
mem = (top_check() >= 0) ? _int_memalign(&main_arena, alignment, bytes+1) : mem = (top_check() >= 0) ? _int_memalign(&main_arena, alignment, bytes+1) :
NULL; NULL;