From: Will Newton <will.newton@linaro.org>
Date: Wed, 9 Oct 2013 13:41:57 +0000 (+0100)
Subject: malloc/hooks.c: Correct check for overflow in memalign_check.
X-Git-Tag: glibc-2.19~622
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=321e26847188300173a5dc0ca42c2ff7b9bf7a78;p=thirdparty%2Fglibc.git

malloc/hooks.c: Correct check for overflow in memalign_check.

A large value of bytes passed to memalign_check can cause an integer
overflow in _int_memalign and heap corruption. This issue can be
exposed by running tst-memalign with MALLOC_CHECK_=3.

ChangeLog:

2013-10-10  Will Newton  <will.newton@linaro.org>

	* malloc/hooks.c (memalign_check): Ensure the value of bytes
	passed to _int_memalign does not overflow.
---

diff --git a/ChangeLog b/ChangeLog
index 1291b75c732..66780cbaa40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2013-10-10  Will Newton  <will.newton@linaro.org>
+
+	* malloc/hooks.c (memalign_check): Ensure the value of bytes
+	passed to _int_memalign does not overflow.
+
 2013-10-10  Torvald Riegel  <triegel@redhat.com>
 
 	* scripts/bench.pl: Add include-sources directive.
diff --git a/malloc/hooks.c b/malloc/hooks.c
index 8c25846330a..3f663bb6b2e 100644
--- a/malloc/hooks.c
+++ b/malloc/hooks.c
@@ -361,10 +361,13 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
   if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
-  if (bytes+1 == 0) {
-    __set_errno (ENOMEM);
-    return NULL;
-  }
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   (void)mutex_lock(&main_arena.mutex);
   mem = (top_check() >= 0) ? _int_memalign(&main_arena, alignment, bytes+1) :
     NULL;