diff options
Diffstat (limited to 'malloc')
| -rw-r--r-- | malloc/malloc.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 57074108f1..d6810be7f6 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem) #endif ) { + if (__builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0) + || __builtin_expect (chunksize (chunk_at_offset (p, size)) + >= av->system_mem, 0)) + { + errstr = "invalid next size (fast)"; + goto errout; + } + set_fastchunks(av); fb = &(av->fastbins[fastbin_index(size)]); /* Another simple check: make sure the top of the bin is not the @@ -4276,7 +4284,12 @@ _int_free(mstate av, Void_t* mem) } nextsize = chunksize(nextchunk); - assert(nextsize > 0); + if (__builtin_expect (nextchunk->size <= 2 * SIZE_SZ, 0) + || __builtin_expect (nextsize >= av->system_mem, 0)) + { + errstr = "invalid next size (normal)"; + goto errout; + } /* consolidate backward */ if (!prev_inuse(p)) { |