malloc: Mitigate null-byte overflow attacks

* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size. (malloc_consolidate): Likewise.
2025-07-29 11:41:21 +03:00 · 2018-08-16 21:08:36 -04:00
parent 30a17d8c95
commit d6db68e66d
2 changed files with 9 additions and 0 deletions
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
      prevsize = prev_size (p);
      size += prevsize;
      p = chunk_at_offset(p, -((long) prevsize));
+      if (__glibc_unlikely (chunksize(p) != prevsize))
+        malloc_printerr ("corrupted size vs. prev_size while consolidating");
      unlink(av, p, bck, fwd);
    }

@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av)
 	  prevsize = prev_size (p);
 	  size += prevsize;
 	  p = chunk_at_offset(p, -((long) prevsize));
+	  if (__glibc_unlikely (chunksize(p) != prevsize))
+	    malloc_printerr ("corrupted size vs. prev_size in fastbins");
 	  unlink(av, p, bck, fwd);
 	}