summary refs log tree commit diff
path: root/malloc/hooks.c
diff options
context:
space:
mode:
authorSiddhesh Poyarekar <siddhesh@redhat.com>2012-09-05 21:49:00 +0530
committerSiddhesh Poyarekar <siddhesh@redhat.com>2012-09-05 21:49:30 +0530
commit6ef9cc37f0ea151a54e5c8a19950a6d5b6ff8a96 (patch)
tree7dfbbb3bbdde79ba6bc06a209102c988c53e6e1c /malloc/hooks.c
parent4d038ae3163aba04218b05f3983473b25c943b8b (diff)
downloadglibc-6ef9cc37f0ea151a54e5c8a19950a6d5b6ff8a96.tar.gz
glibc-6ef9cc37f0ea151a54e5c8a19950a6d5b6ff8a96.tar.xz
glibc-6ef9cc37f0ea151a54e5c8a19950a6d5b6ff8a96.zip
Return requested size for malloc_usable_size when MALLOC_CHECK_ > 0
[BZ #1349]

malloc_usable_size returns the usable size in an allocated chunk,
which may be >= the requested size. In the case of MALLOC_CHECK_ being
exported to > 0 however, only the requested size is usable, since a
magic value is written at the end of the request size to trap writes
beyond request bounds. Hence, when MALLOC_CHECK_ is exported to > 0,
malloc_usable_size() should return the request size.
Diffstat (limited to 'malloc/hooks.c')
-rw-r--r--malloc/hooks.c31
1 files changed, 30 insertions, 1 deletions
diff --git a/malloc/hooks.c b/malloc/hooks.c
index 8a34c78488..b38dffbdf6 100644
--- a/malloc/hooks.c
+++ b/malloc/hooks.c
@@ -1,5 +1,5 @@
 /* Malloc implementation for multiple threads without lock contention.
-   Copyright (C) 2001-2009, 2011, 2012 Free Software Foundation, Inc.
+   Copyright (C) 2001-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Wolfram Gloger <wg@malloc.de>, 2001.
 
@@ -89,6 +89,35 @@ __malloc_check_init()
 
 #define MAGICBYTE(p) ( ( ((size_t)p >> 3) ^ ((size_t)p >> 11)) & 0xFF )
 
+/* Visualize the chunk as being partitioned into blocks of 256 bytes from the
+   highest address of the chunk, downwards.  The beginning of each block tells
+   us the size of the previous block, up to the actual size of the requested
+   memory.  Our magic byte is right at the end of the requested size, so we
+   must reach it with this iteration, otherwise we have witnessed a memory
+   corruption.  */
+static size_t
+malloc_check_get_size(mchunkptr p)
+{
+  size_t size;
+  unsigned char c;
+  unsigned char magic = MAGICBYTE(p);
+
+  assert(using_malloc_checking == 1);
+
+  for (size = chunksize(p) - 1 + (chunk_is_mmapped(p) ? 0 : SIZE_SZ);
+       (c = ((unsigned char*)p)[size]) != magic;
+       size -= c) {
+    if(c<=0 || size<(c+2*SIZE_SZ)) {
+      malloc_printerr(check_action, "malloc_check_get_size: memory corruption",
+		      chunk2mem(p));
+      return 0;
+    }
+  }
+
+  /* chunk2mem size.  */
+  return size - 2*SIZE_SZ;
+}
+
 /* Instrument a chunk with overrun detector byte(s) and convert it
    into a user pointer with requested size sz. */