From: Wilco Dijkstra 
Date: Mon, 31 Mar 2025 11:44:02 +0000 (+0000)
Subject: malloc: Improve free checks
X-Git-Tag: glibc-2.42~302
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9b0c8ced9c71a86f68d3e29693979dad6da3b79d;p=thirdparty%2Fglibc.git

malloc: Improve free checks

The checks on size can be merged and use __builtin_add_overflow. Since tcache only handles small sizes (and rejects sizes < MINSIZE), delay this check until after tcache.

Reviewed-by: Adhemerval Zanella 
---
diff --git a/malloc/malloc.c b/malloc/malloc.c
index e827875acc..19b6cfafa0 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3468,16 +3468,8 @@ __libc_free (void *mem)
 INTERNAL_SIZE_T size = chunksize (p);
- /* Little security check which won't hurt performance: the
- allocator never wraps around at the end of the address space.
- Therefore we can exclude some size values which might appear
- here by accident or by "design" from some intruder. */
- if (__glibc_unlikely ((uintptr_t) p > (uintptr_t) -size || misaligned_chunk (p)))
+ if (__glibc_unlikely (misaligned_chunk (p)))
 malloc_printerr ("free(): invalid pointer");
- /* We know that each chunk is at least MINSIZE bytes. */
- if (__glibc_unlikely (size < MINSIZE))
- malloc_printerr ("free(): invalid size");
 check_inuse_chunk (arena_for_chunk (p), p);
@@ -3486,6 +3478,11 @@ __libc_free (void *mem)
 return;
 #endif
+ /* Check size >= MINSIZE and p + size does not overflow. */
+ if (__glibc_unlikely (__builtin_add_overflow_p ((uintptr_t) p, size - MINSIZE, (uintptr_t) 0)))
+ malloc_printerr ("free(): invalid size");
+
 _int_free_chunk (arena_for_chunk (p), p, size, 0);
 }
 libc_hidden_def (__libc_free)
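Review bot: The comment on the added check in the second hunk, `/* Check size >= MINSIZE and p + size does not overflow. */`, states a slightly stronger property than the code tests: `__builtin_add_overflow_p ((uintptr_t) p, size - MINSIZE, (uintptr_t) 0)` rejects wrap of p + size - MINSIZE, so a p + size that wraps by fewer than MINSIZE bytes now passes where the removed `p > (uintptr_t) -size` test in the first hunk rejected it, and the size < MINSIZE half holds only because INTERNAL_SIZE_T is unsigned, so `size - MINSIZE` wraps to a value near UINTPTR_MAX that overflows when added to any p >= MINSIZE - size. Both facts deserve to be written down so a later reader does not "fix" the subtraction or tighten the bound without knowing the trade-off; suggested wording: `/* Reject size < MINSIZE (size - MINSIZE wraps to a huge unsigned value) and chunks whose end, p + size - MINSIZE, would wrap past the end of the address space; a wrap of fewer than MINSIZE bytes is deliberately tolerated.  */`. Because the check now runs after the `#if USE_TCACHE` path, chunks consumed by tcache_free are validated only by tcache_free's own size bounds, which are outside this hunk, so a one-line note at that call (`/* tcache_free rejects sizes outside the tcache range, so the MINSIZE/overflow check below is only needed on this path.  */`) would make the invariant the commit message relies on visible in the code. __libc_free begins before the first hunk and its tcache branch is cut between the two hunks.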