Fix integer overflow in malloc when tcache is enabled [BZ #22375]

When the per-thread cache is enabled, __libc_malloc uses request2size (which does not perform an overflow check) to calculate the chunk size from the requested allocation size. This leads to an integer overflow causing malloc to incorrectly return the last successfully allocated block when called with a very large size argument (close to SIZE_MAX). This commit uses checked_request2size instead, removing the overflow.
author: Arjun Shankar <arjun@redhat.com> 2017-11-30 13:31:45 +0100
committer: Arjun Shankar <arjun@redhat.com> 2017-11-30 13:42:53 +0100
commit: 34697694e8a93b325b18f25f7dcded55d6baeaf6 (patch)
tree: 694ad7ce28c06d16baff488f97f09e46d373564a /ChangeLog
parent: 18305fba5575a09063652014cfc483b898d8bdcd (diff)
download: glibc-34697694e8a93b325b18f25f7dcded55d6baeaf6.tar
glibc-34697694e8a93b325b18f25f7dcded55d6baeaf6.tar.gz
glibc-34697694e8a93b325b18f25f7dcded55d6baeaf6.tar.bz2
glibc-34697694e8a93b325b18f25f7dcded55d6baeaf6.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index b55ed22f32..888f9fbd67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-30  Arjun Shankar  <arjun@redhat.com>
+
+	[BZ #22375]
+	* malloc/malloc.c (__libc_malloc): Use checked_request2size
+	instead of request2size.
+
 2017-11-30  Joseph Myers  <joseph@codesourcery.com>
 
 	* sysdeps/sparc/sparc32/sparcv9/fpu/multiarch/s_llrint.S
author	Arjun Shankar <arjun@redhat.com>	2017-11-30 13:31:45 +0100
committer	Arjun Shankar <arjun@redhat.com>	2017-11-30 13:42:53 +0100
commit	34697694e8a93b325b18f25f7dcded55d6baeaf6 (patch)
tree	694ad7ce28c06d16baff488f97f09e46d373564a /ChangeLog
parent	18305fba5575a09063652014cfc483b898d8bdcd (diff)
download	glibc-34697694e8a93b325b18f25f7dcded55d6baeaf6.tar glibc-34697694e8a93b325b18f25f7dcded55d6baeaf6.tar.gz glibc-34697694e8a93b325b18f25f7dcded55d6baeaf6.tar.bz2 glibc-34697694e8a93b325b18f25f7dcded55d6baeaf6.zip