summaryrefslogtreecommitdiff
path: root/malloc
diff options
context:
space:
mode:
authorUlrich Drepper <drepper@redhat.com>2002-08-02 01:27:46 +0000
committerUlrich Drepper <drepper@redhat.com>2002-08-02 01:27:46 +0000
commit0950889b810736fe7ad340a13a5ecf76672e1a84 (patch)
tree8c30d88ef6a56aaac152ed2c3fb28375bcbd7b0a /malloc
parentd7e1ad053b0d742f4f9c632dc0c5feb8315a5b90 (diff)
downloadglibc-0950889b810736fe7ad340a13a5ecf76672e1a84.tar.gz
(public_cALLOc): Check for overflow on multiplication.
Diffstat (limited to 'malloc')
-rw-r--r--malloc/malloc.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index cee3f322a0..cd40626504 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3452,16 +3452,23 @@ public_cALLOc(size_t n, size_t elem_size)
{
mstate av;
mchunkptr oldtop, p;
- INTERNAL_SIZE_T sz, csz, oldtopsize;
+ INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
Void_t* mem;
unsigned long clearsize;
unsigned long nclears;
INTERNAL_SIZE_T* d;
-
__malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, __const __malloc_ptr_t)) =
__malloc_hook;
+
+ /* size_t is unsigned so the behavior on overflow is defined. */
+ bytes = n * elem_size;
+ if (bytes / elem_size != n) {
+ MALLOC_FAILURE_ACTION;
+ return 0;
+ }
+
if (hook != NULL) {
- sz = n * elem_size;
+ sz = bytes;
mem = (*hook)(sz, RETURN_ADDRESS (0));
if(mem == 0)
return 0;
@@ -3473,8 +3480,7 @@ public_cALLOc(size_t n, size_t elem_size)
#endif
}
- /* FIXME: check for overflow on multiplication. */
- sz = n * elem_size;
+ sz = bytes;
arena_get(av, sz);
if(!av)