aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJakub Jelinek <jakub@redhat.com>2004-11-15 09:49:06 +0000
committerJakub Jelinek <jakub@redhat.com>2004-11-15 09:49:06 +0000
commita52ef8e41670776f6d3e0acc264a37a366696741 (patch)
tree56a077a5ea2e21decce7291b3c9f356909c62f26
parentb3c20a361d75caf75f670b2fcd64ab8668c16ca5 (diff)
downloadglibc-a52ef8e41670776f6d3e0acc264a37a366696741.tar
glibc-a52ef8e41670776f6d3e0acc264a37a366696741.tar.gz
glibc-a52ef8e41670776f6d3e0acc264a37a366696741.tar.bz2
glibc-a52ef8e41670776f6d3e0acc264a37a366696741.zip
* malloc/malloc.c (_int_free): Further free () protection checks.
-rw-r--r--malloc/malloc.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 57074108f1..f4612046cd 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem)
#endif
) {
+ if (__builtin_expect (chunksize (chunk_at_offset (p, size)) < MINSIZE, 0)
+ || __builtin_expect (chunksize (chunk_at_offset (p, size))
+ >= av->system_mem, 0))
+ {
+ errstr = "invalid next size (fast)";
+ goto errout;
+ }
+
set_fastchunks(av);
fb = &(av->fastbins[fastbin_index(size)]);
/* Another simple check: make sure the top of the bin is not the