From: Jakub Jelinek <jakub@redhat.com>
Date: Mon, 15 Nov 2004 09:49:06 +0000 (+0000)
Subject: 	* malloc/malloc.c (_int_free): Further free () protection checks.
X-Git-Tag: cvs/fedora-glibc-2_3_3-78~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a52ef8e41670776f6d3e0acc264a37a366696741;p=thirdparty%2Fglibc.git

	* malloc/malloc.c (_int_free): Further free () protection checks.
---

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 57074108f1d..f4612046cda 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem)
 #endif
       ) {
 
+    if (__builtin_expect (chunksize (chunk_at_offset (p, size)) < MINSIZE, 0)
+	|| __builtin_expect (chunksize (chunk_at_offset (p, size))
+			     >= av->system_mem, 0))
+      {
+	errstr = "invalid next size (fast)";
+	goto errout;
+      }
+
     set_fastchunks(av);
     fb = &(av->fastbins[fastbin_index(size)]);
     /* Another simple check: make sure the top of the bin is not the