malloc: Check for integer overflow in memalign.

A large bytes parameter to memalign could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. ChangeLog: 2013-09-11 Will Newton <will.newton@linaro.org> [BZ #15857] * malloc/malloc.c (__libc_memalign): Check the value of bytes does not overflow. (cherry picked from commit c51d675c459aefef8d84d5a0b114010f916ea278)
author: Will Newton <will.newton@linaro.org> 2013-08-16 12:54:29 +0100
committer: Mike Frysinger <vapier@gentoo.org> 2014-01-06 08:43:07 -0500
commit: 4da92b3ac5974326963532aa16c4437d801a0efe (patch)
tree: aa924a64d5d7802c59bc7f2ff2018c8546118869
parent: 42b872e43db7c71cd40357724f1542252eb0c708 (diff)
download: glibc-4da92b3ac5974326963532aa16c4437d801a0efe.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 31e2dfad91..ebbe86dc7c 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   arena_get(ar_ptr, bytes + alignment + MINSIZE);
   if(!ar_ptr)
     return 0;
author	Will Newton <will.newton@linaro.org>	2013-08-16 12:54:29 +0100
committer	Mike Frysinger <vapier@gentoo.org>	2014-01-06 08:43:07 -0500
commit	4da92b3ac5974326963532aa16c4437d801a0efe (patch)
tree	aa924a64d5d7802c59bc7f2ff2018c8546118869
parent	42b872e43db7c71cd40357724f1542252eb0c708 (diff)
download	glibc-4da92b3ac5974326963532aa16c4437d801a0efe.tar.gz