diff options
author | Will Newton <will.newton@linaro.org> | 2013-08-16 12:54:29 +0100 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2014-01-06 08:43:07 -0500 |
commit | 4da92b3ac5974326963532aa16c4437d801a0efe (patch) | |
tree | aa924a64d5d7802c59bc7f2ff2018c8546118869 | |
parent | 42b872e43db7c71cd40357724f1542252eb0c708 (diff) | |
download | glibc-4da92b3ac5974326963532aa16c4437d801a0efe.tar.gz |
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
(cherry picked from commit c51d675c459aefef8d84d5a0b114010f916ea278)
-rw-r--r-- | malloc/malloc.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 31e2dfad91..ebbe86dc7c 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0; |