malloc: Improve free checks

The checks on size can be merged and use __builtin_add_overflow. Since tcache only handles small sizes (and rejects sizes < MINSIZE), delay this check until after tcache. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2025-07-28 00:21:52 +03:00 · 2025-03-31 11:44:02 +00:00
parent 0296654d61
commit 9b0c8ced9c
1 changed files with 6 additions and 9 deletions
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@ -3468,16 +3468,8 @@ __libc_free (void *mem)

  INTERNAL_SIZE_T size = chunksize (p);

-  /* Little security check which won't hurt performance: the
-     allocator never wraps around at the end of the address space.
-     Therefore we can exclude some size values which might appear
-     here by accident or by "design" from some intruder.  */
-  if (__glibc_unlikely ((uintptr_t) p > (uintptr_t) -size
-      || misaligned_chunk (p)))
+  if (__glibc_unlikely (misaligned_chunk (p)))
    malloc_printerr ("free(): invalid pointer");
-  /* We know that each chunk is at least MINSIZE bytes.  */
-  if (__glibc_unlikely (size < MINSIZE))
-    malloc_printerr ("free(): invalid size");

  check_inuse_chunk (arena_for_chunk (p), p);

@ -3486,6 +3478,11 @@ __libc_free (void *mem)
    return;
 #endif

+  /* Check size >= MINSIZE and p + size does not overflow.  */
+  if (__glibc_unlikely (__builtin_add_overflow_p ((uintptr_t) p, size - MINSIZE,
+						  (uintptr_t) 0)))
+    malloc_printerr ("free(): invalid size");
+
  _int_free_chunk (arena_for_chunk (p), p, size, 0);
 }
 libc_hidden_def (__libc_free)