malloc: ensure set_max_fast never stores zero [BZ #25733]

The code for set_max_fast() stores an "impossibly small value"
instead of zero, when the parameter is zero.  However, for
small values of the parameter (ex: 1 or 2) the computation
results in a zero being stored anyway.

This patch checks for the parameter being small enough for the
computation to result in zero instead, so that a zero is never
stored.

key values which result in zero being stored:

x86-64:  1..7  (or other 64-bit)
i686:    1..11
armhfp:  1..3  (or other 32-bit)

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6acb5ad43aaa9e059e9c8f813bc082d7436e9982..ee87ddbbf9c3b8da9f0f6daa84b42b0a6a859fe0 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1632,7 +1632,7 @@ static INTERNAL_SIZE_T global_max_fast;
  */
 
 #define set_max_fast(s) \
-  global_max_fast = (((s) == 0)                                                      \
+  global_max_fast = (((size_t) (s) <= MALLOC_ALIGN_MASK - SIZE_SZ)     \
                      ? MIN_CHUNK_SIZE / 2 : ((s + SIZE_SZ) & ~MALLOC_ALIGN_MASK))
 
 static inline INTERNAL_SIZE_T