This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug malloc/23907] Incorrect double-free malloc tcache check disregards tcache size
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 26 Nov 2018 19:12:35 +0000
- Subject: [Bug malloc/23907] Incorrect double-free malloc tcache check disregards tcache size
- Auto-submitted: auto-generated
- References: <bug-23907-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=23907
--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via affec03b713c82c43a5b025dddc21bde3334f41e (commit)
from 8ae74eadb60eb36424e4605939cef5fc966724be (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=affec03b713c82c43a5b025dddc21bde3334f41e
commit affec03b713c82c43a5b025dddc21bde3334f41e
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon Nov 26 20:06:37 2018 +0100
malloc: tcache: Validate tc_idx before checking for double-frees [BZ
#23907]
The previous check could read beyond the end of the tcache entry
array. If the e->key == tcache cookie check happened to pass, this
would result in crashes.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++++
malloc/malloc.c | 52 ++++++++++++++++++++++++++--------------------------
2 files changed, 32 insertions(+), 26 deletions(-)
--
You are receiving this mail because:
You are on the CC list for the bug.