PR other/54411: integer overflow in objalloc_alloc

2012-09-18  Florian Weimer  <fweimer@redhat.com>

	PR other/54411
	* objalloc.h (objalloc_alloc): Do not use fast path on wraparound.

2012-09-18  Florian Weimer  <fweimer@redhat.com>

	PR other/54411
	* objalloc.c (_objalloc_alloc): Add overflow check covering
	alignment and CHUNK_HEADER_SIZE addition.

From-SVN: r191413

diff --git a/include/ChangeLog b/include/ChangeLog
index fa2688d58d4b1be92d1484ba3271b263bcdd2422..4d998edb0e702b60c4d523b89575d26229fd7ac6 100644 (file)
--- a/include/ChangeLog
+++ b/include/ChangeLog
@@ -1,3 +1,8 @@
+2012-09-18  Florian Weimer  <fweimer@redhat.com>
+
+       PR other/54411
+       * objalloc.h (objalloc_alloc): Do not use fast path on wraparound.
+
 2012-09-06  Cary Coutant  <ccoutant@google.com>
 
        * dwarf2.def: Edit comment.

diff --git a/include/objalloc.h b/include/objalloc.h
index 36772d17b50d24ab04ca2b3ec7c623911e7f9de7..52857663ba249df23a0e0d545c6b31a4a671289f 100644 (file)
--- a/include/objalloc.h
+++ b/include/objalloc.h
@@ -1,5 +1,5 @@
 /* objalloc.h -- routines to allocate memory for objects
-   Copyright 1997, 2001 Free Software Foundation, Inc.
+   Copyright 1997-2012 Free Software Foundation, Inc.
    Written by Ian Lance Taylor, Cygnus Solutions.
 
 This program is free software; you can redistribute it and/or modify it
@@ -91,7 +91,7 @@ extern void *_objalloc_alloc (struct objalloc *, unsigned long);
      if (__len == 0)                                                   \
        __len = 1;                                                      \
      __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);     \
-     (__len <= __o->current_space                                      \
+     (__len != 0 && __len <= __o->current_space                                \
       ? (__o->current_ptr += __len,                                    \
         __o->current_space -= __len,                                   \
         (void *) (__o->current_ptr - __len))                           \

diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index 9afed43585581a14f2c1c43b8361273605a472f3..9540b4808c5ff0deaf540da4e30bdbd83deae83c 100644 (file)
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,3 +1,9 @@
+2012-09-18  Florian Weimer  <fweimer@redhat.com>
+
+       PR other/54411
+       * objalloc.c (_objalloc_alloc): Add overflow check covering
+       alignment and CHUNK_HEADER_SIZE addition.
+
 2011-08-28  H.J. Lu  <hongjiu.lu@intel.com>
 
        * argv.c (dupargv): Replace malloc with xmalloc.  Don't check

diff --git a/libiberty/objalloc.c b/libiberty/objalloc.c
index 3ddac2ce4cbfbda496aa320d4578203391d7956f..72e92d2ddce986820c9f8adaf1678ee75d588ac0 100644 (file)
--- a/libiberty/objalloc.c
+++ b/libiberty/objalloc.c
@@ -1,5 +1,5 @@
 /* objalloc.c -- routines to allocate memory for objects
-   Copyright 1997 Free Software Foundation, Inc.
+   Copyright 1997-2012 Free Software Foundation, Inc.
    Written by Ian Lance Taylor, Cygnus Solutions.
 
 This program is free software; you can redistribute it and/or modify it
@@ -112,8 +112,10 @@ objalloc_create (void)
 /* Allocate space from an objalloc structure.  */
 
 PTR
-_objalloc_alloc (struct objalloc *o, unsigned long len)
+_objalloc_alloc (struct objalloc *o, unsigned long original_len)
 {
+  unsigned long len = original_len;
+
   /* We avoid confusion from zero sized objects by always allocating
      at least 1 byte.  */
   if (len == 0)
@@ -121,6 +123,11 @@ _objalloc_alloc (struct objalloc *o, unsigned long len)
 
   len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
 
+  /* Check for overflow in the alignment operation above and the
+     malloc argument below. */
+  if (len + CHUNK_HEADER_SIZE < original_len)
+    return NULL;
+
   if (len <= o->current_space)
     {
       o->current_ptr += len;