diff options
author | Will Newton <will.newton@linaro.org> | 2013-08-16 12:54:29 +0100 |
---|---|---|
committer | Will Newton <will.newton@linaro.org> | 2013-09-11 09:42:43 +0100 |
commit | b73ed247781d533628b681f57257dc85882645d3 (patch) | |
tree | d7ba5fb3f9a1dbe14f06849baedece8a03cf4ae7 /malloc | |
parent | 55e17aadc1ef17a1df9626fb0e9fba290ece3331 (diff) | |
download | glibc-b73ed247781d533628b681f57257dc85882645d3.tar.gz glibc-b73ed247781d533628b681f57257dc85882645d3.tar.xz glibc-b73ed247781d533628b681f57257dc85882645d3.zip |
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. ChangeLog: 2013-09-11 Will Newton <will.newton@linaro.org> [BZ #15857] * malloc/malloc.c (__libc_memalign): Check the value of bytes does not overflow.
Diffstat (limited to 'malloc')
-rw-r--r-- | malloc/malloc.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 3148c5f57d..f7718a9c9a 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0; |