about summary refs log tree commit diff
path: root/malloc
diff options
context:
space:
mode:
authorJakub Jelinek <jakub@redhat.com>2004-11-15 09:49:06 +0000
committerJakub Jelinek <jakub@redhat.com>2004-11-15 09:49:06 +0000
commita52ef8e41670776f6d3e0acc264a37a366696741 (patch)
tree56a077a5ea2e21decce7291b3c9f356909c62f26 /malloc
parentb3c20a361d75caf75f670b2fcd64ab8668c16ca5 (diff)
downloadglibc-a52ef8e41670776f6d3e0acc264a37a366696741.tar.gz
glibc-a52ef8e41670776f6d3e0acc264a37a366696741.tar.xz
glibc-a52ef8e41670776f6d3e0acc264a37a366696741.zip
* malloc/malloc.c (_int_free): Further free () protection checks.
Diffstat (limited to 'malloc')
-rw-r--r--malloc/malloc.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 57074108f1..f4612046cd 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem)
 #endif
       ) {
 
+    if (__builtin_expect (chunksize (chunk_at_offset (p, size)) < MINSIZE, 0)
+	|| __builtin_expect (chunksize (chunk_at_offset (p, size))
+			     >= av->system_mem, 0))
+      {
+	errstr = "invalid next size (fast)";
+	goto errout;
+      }
+
     set_fastchunks(av);
     fb = &(av->fastbins[fastbin_index(size)]);
     /* Another simple check: make sure the top of the bin is not the