Fixed bug 149878 (calloc overflow). This disables some of the calloc silly
authorNicholas Nethercote <njn@valgrind.org>
Fri, 24 Jul 2009 06:41:02 +0000 (06:41 +0000)
committerNicholas Nethercote <njn@valgrind.org>
Fri, 24 Jul 2009 06:41:02 +0000 (06:41 +0000)
arg checking, but that's no great loss.

git-svn-id: svn://svn.valgrind.org/valgrind/trunk@10578

coregrind/m_replacemalloc/vg_replace_malloc.c
memcheck/tests/Makefile.am
memcheck/tests/calloc-overflow.c [new file with mode: 0644]
memcheck/tests/calloc-overflow.stderr.exp [new file with mode: 0644]
memcheck/tests/calloc-overflow.vgtest [new file with mode: 0644]
memcheck/tests/malloc3.c
memcheck/tests/malloc3.stderr.exp

index e1ed9fde332bee260a1aa3a3e5538076f8bd7948..579ee50e2046e94b6e8cfe0e20dc31001c0ba1f0 100644 (file)
@@ -407,6 +407,8 @@ FREE(VG_Z_LIBC_SONAME,       _ZdaPvRKSt9nothrow_t, __builtin_vec_delete );
       if (!init_done) init(); \
       MALLOC_TRACE("calloc(%llu,%llu)", (ULong)nmemb, (ULong)size ); \
       \
+      /* Protect against overflow.  See bug 24078. */ \
+      if (size && nmemb > (SizeT)-1 / size) return NULL; \
       v = (void*)VALGRIND_NON_SIMD_CALL2( info.tl_calloc, nmemb, size ); \
       MALLOC_TRACE(" = %p", v ); \
       return v; \
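Review bot: The early return added on the new `if (size && nmemb > (SizeT)-1 / size) return NULL;` line leaves the trace opened two lines earlier by `MALLOC_TRACE("calloc(%llu,%llu)", ...)` without its closing ` = %p` entry, so a trace log shows a calloc call with no result for exactly the overflow case; `if (size && nmemb > (SizeT)-1 / size) { MALLOC_TRACE(" = NULL (overflow)"); return NULL; }` keeps the trace balanced. The new comment cites bug 24078 while the commit title and the new test file cite bug 149878; presumably one of them is a typo, and the comment would be clearer as `/* Protect against nmemb*size overflow.  See bug 149878. */`. Whether the client's errno should also be set to ENOMEM on this path, as a real calloc does on failure, depends on how this replacement layer handles errno, which is not visible in the hunk. The enclosing wrapper macro starts and ends outside the hunk.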
index cfcf1fd98a69ad22d31fedd3f57d693b353d62e5..09fdb2a1d83c39badec5208f32123cb9b0dc4e4b 100644 (file)
@@ -49,6 +49,7 @@ EXTRA_DIST = \
        badrw.stderr.exp badrw.vgtest \
        brk2.stderr.exp brk2.vgtest \
        buflen_check.stderr.exp buflen_check.vgtest \
+       calloc-overflow.stderr.exp calloc-overflow.vgtest\
        clientperm.stderr.exp \
        clientperm.stdout.exp clientperm.vgtest \
        custom_alloc.stderr.exp custom_alloc.vgtest \
@@ -186,8 +187,14 @@ check_PROGRAMS = \
        addressable \
        atomic_incs \
        badaddrvalue badfree badjump badjump2 \
-       badloop badpoll badrw brk2 buflen_check \
-       clientperm custom_alloc \
+       badloop \
+       badpoll \
+       badrw \
+       brk2 \
+       buflen_check \
+       calloc-overflow \
+       clientperm \
+       custom_alloc \
        deep_templates \
        describe-block \
        doublefree error_counts errs1 exitprog execve execve2 erringfds \
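Review bot: The added EXTRA_DIST entry `calloc-overflow.stderr.exp calloc-overflow.vgtest\` has no space before the continuation backslash, unlike every neighbouring entry; make accepts it, but it reads as a typo and should be written as `calloc-overflow.stderr.exp calloc-overflow.vgtest \`. The check_PROGRAMS split into one name per line in the second hunk is consistent with the surrounding list and needs no change.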
diff --git a/memcheck/tests/calloc-overflow.c b/memcheck/tests/calloc-overflow.c
new file mode 100644 (file)
index 0000000..c4ab6eb
--- /dev/null
@@ -0,0 +1,20 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include "pub_tool_basics.h"
+
+int main(void)
+{
+   // The n*size multiplication overflows in this example.  The only sensible
+   // thing to do is return NULL, but old versions of Valgrind didn't (they
+   // often ground to a halt trying to allocate an enormous (but not as
+   // enormous as asked-for!) block.  See bug 149878.
+   int* x;
+#if VG_WORDSIZE == 8
+   size_t szB = 0x1000000010000001ULL;
+#else
+   size_t szB = 0x10000001UL;
+#endif
+   x = calloc(szB, 0x10);
+   fprintf(stderr, "x = %#lx\n", (long)x);
+   return 0;
+}
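Review bot: `fprintf(stderr, "x = %#lx\n", (long)x);` prints the pointer through a signed `long` under an unsigned `%lx` conversion, whereas malloc3.c in this same commit prints `(unsigned long)p` with `0x%lx`; using `(unsigned long)x` here keeps the two tests consistent and avoids the signed/unsigned format mismatch. The comment above it has an unbalanced parenthesis — it opens at `(they often ground to a halt` and never closes — and should end `... asked-for!) block).`. Note that the expected output `x = 0` means the test passes only if the replacement calloc returns NULL instead of attempting the wrapped-around allocation, which is exactly the behaviour the first hunk introduces.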
diff --git a/memcheck/tests/calloc-overflow.stderr.exp b/memcheck/tests/calloc-overflow.stderr.exp
new file mode 100644 (file)
index 0000000..3aea0c5
--- /dev/null
@@ -0,0 +1 @@
+x = 0
diff --git a/memcheck/tests/calloc-overflow.vgtest b/memcheck/tests/calloc-overflow.vgtest
new file mode 100644 (file)
index 0000000..d3519e2
--- /dev/null
@@ -0,0 +1,2 @@
+prog: calloc-overflow
+vgopts: -q
index 21017f48ae65fd3b2ca6cfcb10d3b4eaa38ec63c..dc4ec0868073189064c06f299a4eb2ba089814b1 100644 (file)
@@ -24,6 +24,9 @@ int main ( void )
   printf("calloc(0,-1) = 0x%lx\n", (unsigned long)p);
   free(p);
 
+  // We no longer get a warning with this due to the calloc overflow checking
+  // done for bug 149878.  It's no great loss, it's extremely unlikely to
+  // occur in practice.
   p = calloc(-1,-1);
   printf("calloc(-1,-1) = 0x%lx\n", (unsigned long)p);
   free(p);
index 30a6968a39e3596dc291966b8d681906d8e0c893..71d8d3da09e176a67f61b7cadfa683153a69f4d8 100644 (file)
@@ -1,3 +1,2 @@
 Warning: silly arg (-1) to malloc()
 Warning: silly args (0,-1) to calloc()
-Warning: silly args (-1,-1) to calloc()