diff options
| author | Siddhesh Poyarekar <siddhesh@redhat.com> | 2012-09-05 21:49:00 +0530 |
|---|---|---|
| committer | Siddhesh Poyarekar <siddhesh@redhat.com> | 2012-09-05 21:49:30 +0530 |
| commit | 6ef9cc37f0ea151a54e5c8a19950a6d5b6ff8a96 (patch) | |
| tree | 7dfbbb3bbdde79ba6bc06a209102c988c53e6e1c /malloc/hooks.c | |
| parent | 4d038ae3163aba04218b05f3983473b25c943b8b (diff) | |
| download | glibc-6ef9cc37f0ea151a54e5c8a19950a6d5b6ff8a96.tar.gz glibc-6ef9cc37f0ea151a54e5c8a19950a6d5b6ff8a96.tar.xz glibc-6ef9cc37f0ea151a54e5c8a19950a6d5b6ff8a96.zip | |
Return requested size for malloc_usable_size when MALLOC_CHECK_ > 0
[BZ #1349] malloc_usable_size returns the usable size in an allocated chunk, which may be >= the requested size. In the case of MALLOC_CHECK_ being exported to > 0 however, only the requested size is usable, since a magic value is written at the end of the request size to trap writes beyond request bounds. Hence, when MALLOC_CHECK_ is exported to > 0, malloc_usable_size() should return the request size.
Diffstat (limited to 'malloc/hooks.c')
| -rw-r--r-- | malloc/hooks.c | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/malloc/hooks.c b/malloc/hooks.c index 8a34c78488..b38dffbdf6 100644 --- a/malloc/hooks.c +++ b/malloc/hooks.c @@ -1,5 +1,5 @@ /* Malloc implementation for multiple threads without lock contention. - Copyright (C) 2001-2009, 2011, 2012 Free Software Foundation, Inc. + Copyright (C) 2001-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Wolfram Gloger <wg@malloc.de>, 2001. @@ -89,6 +89,35 @@ __malloc_check_init() #define MAGICBYTE(p) ( ( ((size_t)p >> 3) ^ ((size_t)p >> 11)) & 0xFF ) +/* Visualize the chunk as being partitioned into blocks of 256 bytes from the + highest address of the chunk, downwards. The beginning of each block tells + us the size of the previous block, up to the actual size of the requested + memory. Our magic byte is right at the end of the requested size, so we + must reach it with this iteration, otherwise we have witnessed a memory + corruption. */ +static size_t +malloc_check_get_size(mchunkptr p) +{ + size_t size; + unsigned char c; + unsigned char magic = MAGICBYTE(p); + + assert(using_malloc_checking == 1); + + for (size = chunksize(p) - 1 + (chunk_is_mmapped(p) ? 0 : SIZE_SZ); + (c = ((unsigned char*)p)[size]) != magic; + size -= c) { + if(c<=0 || size<(c+2*SIZE_SZ)) { + malloc_printerr(check_action, "malloc_check_get_size: memory corruption", + chunk2mem(p)); + return 0; + } + } + + /* chunk2mem size. */ + return size - 2*SIZE_SZ; +} + /* Instrument a chunk with overrun detector byte(s) and convert it into a user pointer with requested size sz. */ |