From: DJ Delorie <dj@delorie.com>
Date: Wed, 13 Jul 2016 15:02:39 +0000 (-0400)
Subject: Fix double-padding bug
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ce11061fb60bb64742b19f626f2471f88554039;p=thirdparty%2Fglibc.git

Fix double-padding bug

The tcache was calling request2size which resulted in double padding.
Store tcache's copy in a separate variable to avoid this.
---

diff --git a/malloc/malloc.c b/malloc/malloc.c
index a0bf8667728..70e7dc8bbab 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3294,8 +3294,9 @@ __libc_malloc (size_t bytes)
   void *victim;
 
 #if USE_TCACHE
-  bytes = request2size(bytes);
-  int tc_idx = size2tidx (bytes);
+  /* int_free also calls request2size, be careful to not pad twice.  */
+  size_t tbytes = request2size(bytes);
+  int tc_idx = size2tidx (tbytes);
 
   if (tcache.initted == 0)
     {
@@ -3312,7 +3313,7 @@ __libc_malloc (size_t bytes)
   __MTB_TRACE_ENTRY (MALLOC,bytes,NULL);
 
 #if USE_TCACHE
-  if (bytes < MAX_TCACHE_SIZE
+  if (tbytes < MAX_TCACHE_SIZE
       && tcache.entries[tc_idx] != NULL
       && tcache.initted == 1)
     {
@@ -3337,7 +3338,7 @@ __libc_malloc (size_t bytes)
   /* This is fast but causes internal fragmentation, as it always
      pulls large chunks but puts small chunks, leading to a large
      backlog of small chunks.  */
-  if (bytes < MAX_TCACHE_SIZE
+  if (tbytes < MAX_TCACHE_SIZE
       && tcache.initted == 1)
     {
       void *ent;
@@ -3346,7 +3347,7 @@ __libc_malloc (size_t bytes)
       size_t total_bytes;
       int i;
 
-      assert (tc_bytes >= bytes);
+      assert (tc_bytes >= tbytes);
 
       if (tc_bytes < 2 * SIZE_SZ)
 	tc_bytes = 2 * SIZE_SZ;