This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
Other format: | [Raw text] |
A large bytes parameter to valloc could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. ChangeLog: 2013-08-16 Will Newton <will.newton@linaro.org> [BZ #15856] * malloc/malloc.c (__libc_valloc): Check the value of bytes does not overflow. --- malloc/malloc.c | 4 ++++ 1 file changed, 4 insertions(+) Changes in v2: - Add BZ number diff --git a/malloc/malloc.c b/malloc/malloc.c index 7468758..9aecc85 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3046,6 +3046,10 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes + pagesz + MINSIZE < bytes) + return 0; + void *(*hook) (size_t, size_t, const void *) = force_reg (__memalign_hook); if (__builtin_expect (hook != NULL, 0)) -- 1.8.1.4
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |