diff options
author | Rich Felker <dalias@aerifal.cx> | 2011-02-20 16:10:38 -0500 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2011-02-20 16:10:38 -0500 |
commit | a23baf586a1ca78213d43bce5fee2a30715b473b (patch) | |
tree | e6939397742a037f847d93e53c98afa79e980bdc /src/malloc/__simple_malloc.c | |
parent | 96f2197494791f5884c01b5caa908074cc7e90a6 (diff) | |
download | musl-a23baf586a1ca78213d43bce5fee2a30715b473b.tar.gz musl-a23baf586a1ca78213d43bce5fee2a30715b473b.tar.xz musl-a23baf586a1ca78213d43bce5fee2a30715b473b.zip |
fix simple_malloc size restrictions
do not allow allocations that overflow ptrdiff_t; fix some overflow checks that were not quite right but didn't matter due to address layout implementation.
Diffstat (limited to 'src/malloc/__simple_malloc.c')
-rw-r--r-- | src/malloc/__simple_malloc.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/src/malloc/__simple_malloc.c b/src/malloc/__simple_malloc.c index 49b74c8e..61cd9fc4 100644 --- a/src/malloc/__simple_malloc.c +++ b/src/malloc/__simple_malloc.c @@ -15,16 +15,16 @@ void *__simple_malloc(size_t n) static int lock; size_t align=1; - if (n < SIZE_MAX - ALIGN) - while (align<n && align<ALIGN) - align += align; + if (n > SIZE_MAX/2) goto toobig; + + while (align<n && align<ALIGN) + align += align; n = n + align - 1 & -align; LOCK(&lock); if (!cur) cur = brk = __brk(0)+16; - if (n > SIZE_MAX - brk) goto fail; - base = cur + align-1 & -align; + if (n > SIZE_MAX - PAGE_SIZE - base) goto fail; if (base+n > brk) { new = base+n + PAGE_SIZE-1 & -PAGE_SIZE; if (__brk(new) != new) goto fail; @@ -37,6 +37,7 @@ void *__simple_malloc(size_t n) fail: UNLOCK(&lock); +toobig: errno = ENOMEM; return 0; } |