diff options
author | Ulrich Drepper <drepper@redhat.com> | 2004-11-19 21:35:00 +0000 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2004-11-19 21:35:00 +0000 |
commit | 893e609847a2f372970e349e0cede2e8529bea71 (patch) | |
tree | 8f3b331c84468e5fae7ddc3cdc9262529f730053 | |
parent | 3defcff3991314ad57e9b63c37f5e6de9fd5e879 (diff) | |
download | glibc-893e609847a2f372970e349e0cede2e8529bea71.tar glibc-893e609847a2f372970e349e0cede2e8529bea71.tar.gz glibc-893e609847a2f372970e349e0cede2e8529bea71.tar.bz2 glibc-893e609847a2f372970e349e0cede2e8529bea71.zip |
Update.
2004-11-19 Ulrich Drepper <drepper@redhat.com>
* malloc/malloc.c (_int_free): Add a few more cheap tests for
corruption.
* debug/fprintf_chk.c: Adjust all users.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | malloc/malloc.c | 15 |
2 files changed, 20 insertions, 2 deletions
@@ -1,3 +1,8 @@ +2004-11-19 Ulrich Drepper <drepper@redhat.com> + + * malloc/malloc.c (_int_free): Add a few more cheap tests for + corruption. + 2004-11-17 Randolph Chung <tausq@debian.org> * sysdeps/hppa/dl-machine.h (TRAMPOLINE_TEMPLATE): Add unwind @@ -27,7 +32,7 @@ * libio/libio.h (_IO_FLAGS2_FORTIFY): Renamed from _IO_FLAGS2_CHECK_PERCENT_N. - * debug/fprintff_chk.c: Adjust all users. + * debug/fprintf_chk.c: Adjust all users. * debug/printf_chk.c: Likewise. * debug/vfprintf_chk.c: Likewise. * debug/vprintf_chk.c: Likewise. diff --git a/malloc/malloc.c b/malloc/malloc.c index 57074108f1..d6810be7f6 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem) #endif ) { + if (__builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0) + || __builtin_expect (chunksize (chunk_at_offset (p, size)) + >= av->system_mem, 0)) + { + errstr = "invalid next size (fast)"; + goto errout; + } + set_fastchunks(av); fb = &(av->fastbins[fastbin_index(size)]); /* Another simple check: make sure the top of the bin is not the @@ -4276,7 +4284,12 @@ _int_free(mstate av, Void_t* mem) } nextsize = chunksize(nextchunk); - assert(nextsize > 0); + if (__builtin_expect (nextchunk->size <= 2 * SIZE_SZ, 0) + || __builtin_expect (nextsize >= av->system_mem, 0)) + { + errstr = "invalid next size (normal)"; + goto errout; + } /* consolidate backward */ if (!prev_inuse(p)) { |