* malloc/malloc.c (_int_free): Further free () protection checks.

author Jakub Jelinek <jakub@redhat.com>

Mon, 15 Nov 2004 09:49:06 +0000 (09:49 +0000)

committer Jakub Jelinek <jakub@redhat.com>

Mon, 15 Nov 2004 09:49:06 +0000 (09:49 +0000)
author Jakub Jelinek <jakub@redhat.com>
Mon, 15 Nov 2004 09:49:06 +0000 (09:49 +0000)
committer Jakub Jelinek <jakub@redhat.com>
Mon, 15 Nov 2004 09:49:06 +0000 (09:49 +0000)
diff --git a/malloc/malloc.c b/malloc/malloc.c

index 57074108f1d147c380dde6e8ca125affb607db30..f4612046cdac8b32ac2ccfab3737861ebd3d370b 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem)
  #endif
        ) {
  
+    if (__builtin_expect (chunksize (chunk_at_offset (p, size)) < MINSIZE, 0)
+       || __builtin_expect (chunksize (chunk_at_offset (p, size))
+                            >= av->system_mem, 0))
+      {
+       errstr = "invalid next size (fast)";
+       goto errout;
+      }
+
      set_fastchunks(av);
      fb = &(av->fastbins[fastbin_index(size)]);
      /* Another simple check: make sure the top of the bin is not the
author	Jakub Jelinek <jakub@redhat.com>
	Mon, 15 Nov 2004 09:49:06 +0000 (09:49 +0000)
committer	Jakub Jelinek <jakub@redhat.com>
	Mon, 15 Nov 2004 09:49:06 +0000 (09:49 +0000)