This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[RFC][PATCH 4/7] malloc: Ensure lower bound on chunk size in __libc_realloc.
- From: Istvan Kurucsai <pistukem at gmail dot com>
- To: libc-alpha at sourceware dot org
- Cc: Istvan Kurucsai <pistukem at gmail dot com>
- Date: Wed, 31 May 2017 10:43:52 +0200
- Subject: [RFC][PATCH 4/7] malloc: Ensure lower bound on chunk size in __libc_realloc.
- Authentication-results: sourceware.org; auth=none
- References: <1496220235-12750-1-git-send-email-pistukem@gmail.com>
Under some circumstances, a chunk size of SIZE_SZ could lead to an underflow
when calculating the length argument of memcpy.
* malloc/malloc.c (__libc_realloc): Check chunk size.
---
malloc/malloc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 873aa29..424c69d 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2989,8 +2989,9 @@ __libc_realloc (void *oldmem, size_t bytes)
accident or by "design" from some intruder. We need to bypass
this check for dumped fake mmap chunks from the old main arena
because the new malloc may provide additional alignment. */
- if ((__builtin_expect ((uintptr_t) oldp > (uintptr_t) -oldsize, 0)
- || __builtin_expect (misaligned_chunk (oldp), 0))
+ if ((__glibc_unlikely ((uintptr_t) oldp > (uintptr_t) -oldsize)
+ || __glibc_unlikely (misaligned_chunk (oldp))
+ || __glibc_unlikely (oldsize <= 2 * SIZE_SZ))
&& !DUMPED_MAIN_ARENA_CHUNK (oldp))
{
malloc_printerr (check_action, "realloc(): invalid pointer", oldmem,
--
2.7.4