diff options
author | Ulrich Drepper <drepper@redhat.com> | 2002-08-02 01:27:46 +0000 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2002-08-02 01:27:46 +0000 |
commit | 0950889b810736fe7ad340a13a5ecf76672e1a84 (patch) | |
tree | 8c30d88ef6a56aaac152ed2c3fb28375bcbd7b0a /malloc | |
parent | d7e1ad053b0d742f4f9c632dc0c5feb8315a5b90 (diff) | |
download | glibc-0950889b810736fe7ad340a13a5ecf76672e1a84.tar.gz |
(public_cALLOc): Check for overflow on multiplication.
Diffstat (limited to 'malloc')
-rw-r--r-- | malloc/malloc.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index cee3f322a0..cd40626504 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3452,16 +3452,23 @@ public_cALLOc(size_t n, size_t elem_size) { mstate av; mchunkptr oldtop, p; - INTERNAL_SIZE_T sz, csz, oldtopsize; + INTERNAL_SIZE_T bytes, sz, csz, oldtopsize; Void_t* mem; unsigned long clearsize; unsigned long nclears; INTERNAL_SIZE_T* d; - __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, __const __malloc_ptr_t)) = __malloc_hook; + + /* size_t is unsigned so the behavior on overflow is defined. */ + bytes = n * elem_size; + if (bytes / elem_size != n) { + MALLOC_FAILURE_ACTION; + return 0; + } + if (hook != NULL) { - sz = n * elem_size; + sz = bytes; mem = (*hook)(sz, RETURN_ADDRESS (0)); if(mem == 0) return 0; @@ -3473,8 +3480,7 @@ public_cALLOc(size_t n, size_t elem_size) #endif } - /* FIXME: check for overflow on multiplication. */ - sz = n * elem_size; + sz = bytes; arena_get(av, sz); if(!av) |