aboutsummaryrefslogtreecommitdiff
path: root/malloc/malloc.c
diff options
context:
space:
mode:
authorUlrich Drepper <drepper@redhat.com>2004-12-10 01:36:18 +0000
committerUlrich Drepper <drepper@redhat.com>2004-12-10 01:36:18 +0000
commitdc165f7b0bfa73ebd64584331d0cb7c2ead66147 (patch)
treef8f707e664d5dec91bc08f5796f967ae5d886b4c /malloc/malloc.c
parentbf7c04cd5f4b3a7d3e3155b0035396e7f1037a13 (diff)
downloadglibc-dc165f7b0bfa73ebd64584331d0cb7c2ead66147.tar
glibc-dc165f7b0bfa73ebd64584331d0cb7c2ead66147.tar.gz
glibc-dc165f7b0bfa73ebd64584331d0cb7c2ead66147.tar.bz2
glibc-dc165f7b0bfa73ebd64584331d0cb7c2ead66147.zip
Update.
2004-12-09 Ulrich Drepper <drepper@redhat.com> * malloc/malloc.c (public_rEALLOc): Add parameter checks. (_int_free): Provide better error message for invalid pointers.
Diffstat (limited to 'malloc/malloc.c')
-rw-r--r--malloc/malloc.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index b62ffb57c0..cf1b935ffd 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3434,6 +3434,17 @@ public_rEALLOc(Void_t* oldmem, size_t bytes)
oldp = mem2chunk(oldmem);
oldsize = chunksize(oldp);
+ /* Little security check which won't hurt performance: the
+ allocator never wrapps around at the end of the address space.
+ Therefore we can exclude some size values which might appear
+ here by accident or by "design" from some intruder. */
+ if (__builtin_expect ((uintptr_t) oldp > (uintptr_t) -oldsize, 0)
+ || __builtin_expect ((uintptr_t) oldp & MALLOC_ALIGN_MASK, 0))
+ {
+ malloc_printerr (check_action, "realloc(): invalid pointer", oldmem);
+ return NULL;
+ }
+
checked_request2size(bytes, nb);
#if HAVE_MMAP
@@ -4205,7 +4216,6 @@ _int_free(mstate av, Void_t* mem)
mchunkptr bck; /* misc temp for linking */
mchunkptr fwd; /* misc temp for linking */
-
const char *errstr = NULL;
p = mem2chunk(mem);
@@ -4215,7 +4225,8 @@ _int_free(mstate av, Void_t* mem)
allocator never wrapps around at the end of the address space.
Therefore we can exclude some size values which might appear
here by accident or by "design" from some intruder. */
- if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0))
+ if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)
+ || __builtin_expect ((uintptr_t) p & MALLOC_ALIGN_MASK, 0))
{
errstr = "free(): invalid pointer";
errout: