diff options
| author | Will Newton <will.newton@linaro.org> | 2013-10-10 13:17:13 +0100 |
|---|---|---|
| committer | Will Newton <will.newton@linaro.org> | 2013-10-30 14:46:02 -0700 |
| commit | a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd (patch) | |
| tree | 02a3f3bc0c86de86bc89f185a8312b9b1a03670d /malloc/hooks.c | |
| parent | c6e4925d4069d38843c02994ffd284e8c87c8929 (diff) | |
| download | glibc-a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd.tar.gz | |
malloc: Fix for infinite loop in memalign/posix_memalign.
A very large alignment argument passed to mealign/posix_memalign
causes _int_memalign to enter an infinite loop. Limit the maximum
alignment value to the maximum representable power of two to
prevent this from happening.
Changelog:
2013-10-30 Will Newton <will.newton@linaro.org>
[BZ #16038]
* malloc/hooks.c (memalign_check): Limit alignment to the
maximum representable power of two.
* malloc/malloc.c (__libc_memalign): Likewise.
* malloc/tst-memalign.c (do_test): Add test for very
large alignment values.
* malloc/tst-posix_memalign.c (do_test): Likewise.
Diffstat (limited to 'malloc/hooks.c')
| -rw-r--r-- | malloc/hooks.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/malloc/hooks.c b/malloc/hooks.c index 3f663bb6b2..1dbe93f383 100644 --- a/malloc/hooks.c +++ b/malloc/hooks.c @@ -361,6 +361,14 @@ memalign_check(size_t alignment, size_t bytes, const void *caller) if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL); if (alignment < MINSIZE) alignment = MINSIZE; + /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a + power of 2 and will cause overflow in the check below. */ + if (alignment > SIZE_MAX / 2 + 1) + { + __set_errno (EINVAL); + return 0; + } + /* Check for overflow. */ if (bytes > SIZE_MAX - alignment - MINSIZE) { |