From b73ed247781d533628b681f57257dc85882645d3 Mon Sep 17 00:00:00 2001 From: Will Newton Date: Fri, 16 Aug 2013 12:54:29 +0100 Subject: malloc: Check for integer overflow in memalign. A large bytes parameter to memalign could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. ChangeLog: 2013-09-11 Will Newton [BZ #15857] * malloc/malloc.c (__libc_memalign): Check the value of bytes does not overflow. --- ChangeLog | 6 ++++++ malloc/malloc.c | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/ChangeLog b/ChangeLog index f2d2154714..924ac07cec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2013-09-11 Will Newton + + [BZ #15857] + * malloc/malloc.c (__libc_memalign): Check the value of bytes + does not overflow. + 2013-09-11 Will Newton [BZ #15856] diff --git a/malloc/malloc.c b/malloc/malloc.c index 3148c5f57d..f7718a9c9a 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0; -- cgit 1.4.1