Update.

2004-12-09 Ulrich Drepper <drepper@redhat.com> * malloc/malloc.c (public_rEALLOc): Add parameter checks. (_int_free): Provide better error message for invalid pointers.
2025-07-30 22:43:12 +03:00 · 2004-12-10 01:36:18 +00:00
parent bf7c04cd5f
commit dc165f7b0b
3 changed files with 35 additions and 2 deletions
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@ -3434,6 +3434,17 @@ public_rEALLOc(Void_t* oldmem, size_t bytes)
  oldp    = mem2chunk(oldmem);
  oldsize = chunksize(oldp);

+  /* Little security check which won't hurt performance: the
+     allocator never wrapps around at the end of the address space.
+     Therefore we can exclude some size values which might appear
+     here by accident or by "design" from some intruder.  */
+  if (__builtin_expect ((uintptr_t) oldp > (uintptr_t) -oldsize, 0)
+      || __builtin_expect ((uintptr_t) oldp & MALLOC_ALIGN_MASK, 0))
+    {
+      malloc_printerr (check_action, "realloc(): invalid pointer", oldmem);
+      return NULL;
+    }
+
  checked_request2size(bytes, nb);

 #if HAVE_MMAP
@ -4205,7 +4216,6 @@ _int_free(mstate av, Void_t* mem)
  mchunkptr       bck;         /* misc temp for linking */
  mchunkptr       fwd;         /* misc temp for linking */

-
  const char *errstr = NULL;

  p = mem2chunk(mem);
@ -4215,7 +4225,8 @@ _int_free(mstate av, Void_t* mem)
     allocator never wrapps around at the end of the address space.
     Therefore we can exclude some size values which might appear
     here by accident or by "design" from some intruder.  */
-  if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0))
+  if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)
+      || __builtin_expect ((uintptr_t) p & MALLOC_ALIGN_MASK, 0))
    {
      errstr = "free(): invalid pointer";
    errout: