aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorUlrich Drepper <drepper@redhat.com>2004-11-19 21:35:00 +0000
committerUlrich Drepper <drepper@redhat.com>2004-11-19 21:35:00 +0000
commit893e609847a2f372970e349e0cede2e8529bea71 (patch)
tree8f3b331c84468e5fae7ddc3cdc9262529f730053
parent3defcff3991314ad57e9b63c37f5e6de9fd5e879 (diff)
downloadglibc-893e609847a2f372970e349e0cede2e8529bea71.tar
glibc-893e609847a2f372970e349e0cede2e8529bea71.tar.gz
glibc-893e609847a2f372970e349e0cede2e8529bea71.tar.bz2
glibc-893e609847a2f372970e349e0cede2e8529bea71.zip
Update.
2004-11-19 Ulrich Drepper <drepper@redhat.com> * malloc/malloc.c (_int_free): Add a few more cheap tests for corruption. * debug/fprintf_chk.c: Adjust all users.
-rw-r--r--ChangeLog7
-rw-r--r--malloc/malloc.c15
2 files changed, 20 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index d5cc33e7d1..ae8cc2e29b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2004-11-19 Ulrich Drepper <drepper@redhat.com>
+
+ * malloc/malloc.c (_int_free): Add a few more cheap tests for
+ corruption.
+
2004-11-17 Randolph Chung <tausq@debian.org>
* sysdeps/hppa/dl-machine.h (TRAMPOLINE_TEMPLATE): Add unwind
@@ -27,7 +32,7 @@
* libio/libio.h (_IO_FLAGS2_FORTIFY): Renamed from
_IO_FLAGS2_CHECK_PERCENT_N.
- * debug/fprintff_chk.c: Adjust all users.
+ * debug/fprintf_chk.c: Adjust all users.
* debug/printf_chk.c: Likewise.
* debug/vfprintf_chk.c: Likewise.
* debug/vprintf_chk.c: Likewise.
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 57074108f1..d6810be7f6 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem)
#endif
) {
+ if (__builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0)
+ || __builtin_expect (chunksize (chunk_at_offset (p, size))
+ >= av->system_mem, 0))
+ {
+ errstr = "invalid next size (fast)";
+ goto errout;
+ }
+
set_fastchunks(av);
fb = &(av->fastbins[fastbin_index(size)]);
/* Another simple check: make sure the top of the bin is not the
@@ -4276,7 +4284,12 @@ _int_free(mstate av, Void_t* mem)
}
nextsize = chunksize(nextchunk);
- assert(nextsize > 0);
+ if (__builtin_expect (nextchunk->size <= 2 * SIZE_SZ, 0)
+ || __builtin_expect (nextsize >= av->system_mem, 0))
+ {
+ errstr = "invalid next size (normal)";
+ goto errout;
+ }
/* consolidate backward */
if (!prev_inuse(p)) {