about summary refs log tree commit diff
diff options
context:
space:
mode:
authorUlrich Drepper <drepper@redhat.com>2004-11-20 04:45:06 +0000
committerUlrich Drepper <drepper@redhat.com>2004-11-20 04:45:06 +0000
commit6cce65407e2fc5015c69bb38741d6942b3e412c3 (patch)
treee8ce13071301d740bb358dcb12890b205a9d194b
parent893e609847a2f372970e349e0cede2e8529bea71 (diff)
downloadglibc-6cce65407e2fc5015c69bb38741d6942b3e412c3.tar.gz
glibc-6cce65407e2fc5015c69bb38741d6942b3e412c3.tar.xz
glibc-6cce65407e2fc5015c69bb38741d6942b3e412c3.zip
Update.
	* malloc/malloc.c (_int_malloc): Check for corruption of chunk
	which is about to be returned.
-rw-r--r--ChangeLog3
-rw-r--r--malloc/malloc.c10
2 files changed, 12 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index ae8cc2e29b..a5cd019f9d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2004-11-19  Ulrich Drepper  <drepper@redhat.com>
 
+	* malloc/malloc.c (_int_malloc): Check for corruption of chunk
+	which is about to be returned.
+
 	* malloc/malloc.c (_int_free): Add a few more cheap tests for
 	corruption.
 
diff --git a/malloc/malloc.c b/malloc/malloc.c
index d6810be7f6..b62ffb57c0 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3840,8 +3840,12 @@ _int_malloc(mstate av, size_t bytes)
   */
 
   if ((unsigned long)(nb) <= (unsigned long)(av->max_fast)) {
-    fb = &(av->fastbins[(fastbin_index(nb))]);
+    long int idx = fastbin_index(nb);
+    fb = &(av->fastbins[idx]);
     if ( (victim = *fb) != 0) {
+      if (__builtin_expect (fastbin_index (chunksize (victim)) != idx, 0))
+	malloc_printerr (check_action, "malloc(): memory corruption (fast)",
+			 chunk2mem (victim));
       *fb = victim->fd;
       check_remalloced_chunk(av, victim, nb);
       return chunk2mem(victim);
@@ -3911,6 +3915,10 @@ _int_malloc(mstate av, size_t bytes)
 
     while ( (victim = unsorted_chunks(av)->bk) != unsorted_chunks(av)) {
       bck = victim->bk;
+      if (__builtin_expect (victim->size <= 2 * SIZE_SZ, 0)
+	  || __builtin_expect (victim->size > av->system_mem, 0))
+	malloc_printerr (check_action, "malloc(): memory corruption",
+			 chunk2mem (victim));
       size = chunksize(victim);
 
       /*