about summary refs log tree commit diff
path: root/malloc
diff options
context:
space:
mode:
authorUlrich Drepper <drepper@redhat.com>2002-08-02 01:27:46 +0000
committerUlrich Drepper <drepper@redhat.com>2002-08-02 01:27:46 +0000
commit0950889b810736fe7ad340a13a5ecf76672e1a84 (patch)
tree8c30d88ef6a56aaac152ed2c3fb28375bcbd7b0a /malloc
parentd7e1ad053b0d742f4f9c632dc0c5feb8315a5b90 (diff)
downloadglibc-0950889b810736fe7ad340a13a5ecf76672e1a84.tar.gz
glibc-0950889b810736fe7ad340a13a5ecf76672e1a84.tar.xz
glibc-0950889b810736fe7ad340a13a5ecf76672e1a84.zip
(public_cALLOc): Check for overflow on multiplication.
Diffstat (limited to 'malloc')
-rw-r--r--malloc/malloc.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index cee3f322a0..cd40626504 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3452,16 +3452,23 @@ public_cALLOc(size_t n, size_t elem_size)
 {
   mstate av;
   mchunkptr oldtop, p;
-  INTERNAL_SIZE_T sz, csz, oldtopsize;
+  INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
   Void_t* mem;
   unsigned long clearsize;
   unsigned long nclears;
   INTERNAL_SIZE_T* d;
-
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, __const __malloc_ptr_t)) =
     __malloc_hook;
+
+  /* size_t is unsigned so the behavior on overflow is defined.  */
+  bytes = n * elem_size;
+  if (bytes / elem_size != n) {
+    MALLOC_FAILURE_ACTION;
+    return 0;
+  }
+
   if (hook != NULL) {
-    sz = n * elem_size;
+    sz = bytes;
     mem = (*hook)(sz, RETURN_ADDRESS (0));
     if(mem == 0)
       return 0;
@@ -3473,8 +3480,7 @@ public_cALLOc(size_t n, size_t elem_size)
 #endif
   }
 
-  /* FIXME: check for overflow on multiplication.  */
-  sz = n * elem_size;
+  sz = bytes;
 
   arena_get(av, sz);
   if(!av)