diff options
author | Will Newton <will.newton@linaro.org> | 2013-08-16 11:59:37 +0100 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2013-10-25 23:53:24 +1000 |
commit | 8f29d3b5ae201ae4af368d2221381c5a856913d5 (patch) | |
tree | 692f2fd38187b3386955e36226829ff33c652984 | |
parent | 63e9a36056fe53621fa3001fe22b4833a9ea9457 (diff) | |
download | glibc-8f29d3b5ae201ae4af368d2221381c5a856913d5.tar glibc-8f29d3b5ae201ae4af368d2221381c5a856913d5.tar.gz glibc-8f29d3b5ae201ae4af368d2221381c5a856913d5.tar.bz2 glibc-8f29d3b5ae201ae4af368d2221381c5a856913d5.zip |
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
(cherry picked from commit 55e17aadc1ef17a1df9626fb0e9fba290ece3331)
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | malloc/malloc.c | 7 |
2 files changed, 13 insertions, 0 deletions
@@ -1,5 +1,11 @@ 2013-09-11 Will Newton <will.newton@linaro.org> + [BZ #15856] + * malloc/malloc.c (__libc_valloc): Check the value of bytes + does not overflow. + +2013-09-11 Will Newton <will.newton@linaro.org> + [BZ #15855] * malloc/malloc.c (__libc_pvalloc): Check the value of bytes does not overflow. diff --git a/malloc/malloc.c b/malloc/malloc.c index bcc08c45f7..31e2dfad91 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes > SIZE_MAX - pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + void *(*hook) (size_t, size_t, const void *) = force_reg (__memalign_hook); if (__builtin_expect (hook != NULL, 0)) |