1 From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001
2 From: mancha <mancha1@hush.com>
6 malloc: Check for integer overflow in pvalloc, valloc, and memalign.
8 A large bytes parameter to pvalloc, valloc, or memalign could cause
9 an integer overflow and corrupt allocator internals. Check the
10 overflow does not occur before continuing with the allocation.
12 Note: This is a backport to glibc 2.17 of the following three commits:
13 * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a
14 * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef
15 * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d
18 malloc.c | 21 +++++++++++++++++++++
19 1 file changed, 21 insertions(+)
23 @@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t
24 /* Otherwise, ensure that it is at least a minimum chunk size */
25 if (alignment < MINSIZE) alignment = MINSIZE;
27 + /* Check for overflow. */
28 + if (bytes > SIZE_MAX - alignment - MINSIZE)
30 + __set_errno (ENOMEM);
34 arena_get(ar_ptr, bytes + alignment + MINSIZE);
37 @@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes)
39 size_t pagesz = GLRO(dl_pagesize);
41 + /* Check for overflow. */
42 + if (bytes > SIZE_MAX - pagesz - MINSIZE)
44 + __set_errno (ENOMEM);
48 __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
49 const __malloc_ptr_t)) =
50 force_reg (__memalign_hook);
51 @@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes)
52 size_t page_mask = GLRO(dl_pagesize) - 1;
53 size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
55 + /* Check for overflow. */
56 + if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
58 + __set_errno (ENOMEM);
62 __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
63 const __malloc_ptr_t)) =
64 force_reg (__memalign_hook);
development / ports / core-arm.git / blob