From a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd Mon Sep 17 00:00:00 2001
From: Will Newton
Date: Thu, 10 Oct 2013 13:17:13 +0100
Subject: malloc: Fix for infinite loop in memalign/posix_memalign.

A very large alignment argument passed to mealign/posix_memalign causes _int_memalign to enter an infinite loop. Limit the maximum alignment value to the maximum representable power of two to prevent this from happening.

Changelog:
2013-10-30 Will Newton

[BZ #16038]
* malloc/hooks.c (memalign_check): Limit alignment to the maximum representable power of two.
* malloc/malloc.c (__libc_memalign): Likewise.
* malloc/tst-memalign.c (do_test): Add test for very large alignment values.
* malloc/tst-posix_memalign.c (do_test): Likewise.
---
 malloc/malloc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'malloc/malloc.c')

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 79025b16d9..29796fe461 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3016,6 +3016,14 @@ __libc_memalign(size_t alignment, size_t bytes)
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment < MINSIZE) alignment = MINSIZE;
 
+  /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
+     power of 2 and will cause overflow in the check below. */
+  if (alignment > SIZE_MAX / 2 + 1)
+    {
+      __set_errno (EINVAL);
+      return 0;
+    }
+
   /* Check for overflow. */
   if (bytes > SIZE_MAX - alignment - MINSIZE)
     {
-- 
cgit 1.4.1
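Review bot: The added comment gives the wrong reason for the new guard: the `bytes > SIZE_MAX - alignment - MINSIZE` check that follows does not overflow for an alignment just above SIZE_MAX / 2 + 1, whereas the subject line says the real hazard is the infinite loop in _int_memalign when a non-power-of-two alignment above the largest representable power of two is rounded up by repeated doubling, and that rounding loop is outside this hunk. A comment that names the actual failure mode would stop a later reader from "simplifying" the guard away once the overflow check is rewritten, e.g. `/* Anything above SIZE_MAX / 2 + 1 cannot be rounded up to a power of two without wrapping to zero, so reject it with EINVAL here instead of letting the rounding in _int_memalign loop forever.  */`. Since _int_memalign is also reached through other entry points, it is worth confirming (as the ChangeLog's hooks.c entry suggests) that every caller applies the same bound rather than relying on this one site. __libc_memalign continues beyond the end of the hunk, so the return-value convention of the neighbouring overflow branch is not visible here.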