diff options
Diffstat (limited to 'patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch')
-rw-r--r-- | patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch b/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch new file mode 100644 index 0000000..8bc5718 --- /dev/null +++ b/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch @@ -0,0 +1,37 @@ +From: Will Newton <will.newton@linaro.org> +Date: Fri, 16 Aug 2013 12:54:29 +0100 +Subject: [PATCH] malloc: Check for integer overflow in memalign. + +A large bytes parameter to memalign could cause an integer overflow +and corrupt allocator internals. Check the overflow does not occur +before continuing with the allocation. + +ChangeLog: + +2013-09-11 Will Newton <will.newton@linaro.org> + + [BZ #15857] + * malloc/malloc.c (__libc_memalign): Check the value of bytes + does not overflow. +--- + malloc/malloc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index 31e2dfa..ebbe86d 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) + /* Otherwise, ensure that it is at least a minimum chunk size */ + if (alignment < MINSIZE) alignment = MINSIZE; + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - alignment - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + arena_get(ar_ptr, bytes + alignment + MINSIZE); + if(!ar_ptr) + return 0; |