From: Nicholas Nethercote
Date: Fri, 24 Jul 2009 06:41:02 +0000 (+0000)
Subject: Fixed bug 149878 (calloc overflow). This disables some of the calloc silly
X-Git-Tag: svn/VALGRIND_3_5_0~270
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e3f6e429662aa90a6c6d7ace91c63529056aed17;p=thirdparty%2Fvalgrind.git

Fixed bug 149878 (calloc overflow). This disables some of the calloc silly arg checking, but that's no great loss.

git-svn-id: svn://svn.valgrind.org/valgrind/trunk@10578
---
diff --git a/coregrind/m_replacemalloc/vg_replace_malloc.c b/coregrind/m_replacemalloc/vg_replace_malloc.c
index e1ed9fde33..579ee50e20 100644
--- a/coregrind/m_replacemalloc/vg_replace_malloc.c
+++ b/coregrind/m_replacemalloc/vg_replace_malloc.c
@@ -407,6 +407,8 @@ FREE(VG_Z_LIBC_SONAME, _ZdaPvRKSt9nothrow_t, __builtin_vec_delete );
 if (!init_done) init(); \
 MALLOC_TRACE("calloc(%llu,%llu)", (ULong)nmemb, (ULong)size ); \
 \
+ /* Protect against overflow. See bug 24078. */ \
+ if (size && nmemb > (SizeT)-1 / size) return NULL; \
 v = (void*)VALGRIND_NON_SIMD_CALL2( info.tl_calloc, nmemb, size ); \
 MALLOC_TRACE(" = %p", v ); \
 return v; \
diff --git a/memcheck/tests/Makefile.am b/memcheck/tests/Makefile.am
index cfcf1fd98a..09fdb2a1d8 100644
--- a/memcheck/tests/Makefile.am
+++ b/memcheck/tests/Makefile.am
@@ -49,6 +49,7 @@ EXTRA_DIST = \
 badrw.stderr.exp badrw.vgtest \
 brk2.stderr.exp brk2.vgtest \
 buflen_check.stderr.exp buflen_check.vgtest \
+ calloc-overflow.stderr.exp calloc-overflow.vgtest\
 clientperm.stderr.exp \
 clientperm.stdout.exp clientperm.vgtest \
 custom_alloc.stderr.exp custom_alloc.vgtest \
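Review bot: The new early return in the calloc wrapper skips the `MALLOC_TRACE(" = %p", v ); \` exit line, so with malloc tracing enabled an overflowing call logs an entry trace with no matching result; routing the failure through the existing exit (set `v = NULL` and fall through, or emit the trace before returning) keeps the trace output symmetric. The added comment cites bug 24078 while the commit message and the new test cite 149878; if the first is intentional a word on how they relate would help, otherwise `/* Protect against overflow. See bug 149878. */ \`. A libc calloc also sets errno to ENOMEM on this failure and the wrapper does not; that may well match the other failure paths in this file, but it is worth stating in the comment. The check itself, guarding `size` before dividing and comparing `nmemb` against `(SizeT)-1 / size`, is the standard overflow test and relies on SizeT being unsigned, which the `(SizeT)-1` idiom presupposes. The enclosing CALLOC macro begins and ends outside the hunk.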
@@ -186,8 +187,14 @@ check_PROGRAMS = \
 addressable \
 atomic_incs \
 badaddrvalue badfree badjump badjump2 \
- badloop badpoll badrw brk2 buflen_check \
- clientperm custom_alloc \
+ badloop \
+ badpoll \
+ badrw \
+ brk2 \
+ buflen_check \
+ calloc-overflow \
+ clientperm \
+ custom_alloc \
 deep_templates \
 describe-block \
 doublefree error_counts errs1 exitprog execve execve2 erringfds \
diff --git a/memcheck/tests/calloc-overflow.c b/memcheck/tests/calloc-overflow.c
new file mode 100644
index 0000000000..c4ab6ebf8d
--- /dev/null
+++ b/memcheck/tests/calloc-overflow.c
@@ -0,0 +1,20 @@
+#include
+#include
+#include "pub_tool_basics.h"
+
+int main(void)
+{
+ // The n*size multiplication overflows in this example. The only sensible
+ // thing to do is return NULL, but old versions of Valgrind didn't (they
+ // often ground to a halt trying to allocate an enormous (but not as
+ // enormous as asked-for!) block. See bug 149878.
+ int* x;
+#if VG_WORDSIZE == 8
+ size_t szB = 0x1000000010000001ULL;
+#else
+ size_t szB = 0x10000001UL;
+#endif
+ x = calloc(szB, 0x10);
+ fprintf(stderr, "x = %#lx\n", (long)x);
+ return 0;
+}
diff --git a/memcheck/tests/calloc-overflow.stderr.exp b/memcheck/tests/calloc-overflow.stderr.exp
new file mode 100644
index 0000000000..3aea0c58ce
--- /dev/null
+++ b/memcheck/tests/calloc-overflow.stderr.exp
@@ -0,0 +1 @@
+x = 0
diff --git a/memcheck/tests/calloc-overflow.vgtest b/memcheck/tests/calloc-overflow.vgtest
new file mode 100644
index 0000000000..d3519e2914
--- /dev/null
+++ b/memcheck/tests/calloc-overflow.vgtest
@@ -0,0 +1,2 @@
+prog: calloc-overflow
+vgopts: -q
diff --git a/memcheck/tests/malloc3.c b/memcheck/tests/malloc3.c
index 21017f48ae..dc4ec08680 100644
--- a/memcheck/tests/malloc3.c
+++ b/memcheck/tests/malloc3.c
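Review bot: The new test never frees `x`, so if a regression ever lets the overflowing `calloc(szB, 0x10)` succeed the program leaks the block on top of printing a non-zero pointer; adding `free(x);` after the fprintf keeps the failure signal to the printed value alone. The expected output `x = 0` depends on `%#lx` omitting the `0x` prefix for a zero value, which the C standard specifies but few readers remember; a one-line comment above the fprintf, such as `// %#lx prints a NULL pointer as plain "0", matching calloc-overflow.stderr.exp`, would save the next maintainer a lookup. The two `#include` lines at the top appear with their header names stripped in this rendering, so confirm the committed file names the headers that declare calloc and fprintf. Pulling `pub_tool_basics.h` into a client program only for `VG_WORDSIZE` is presumably accepted practice in this test directory, but a comment on the `#if` saying that is why it is included would make the dependency explicit.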
@@ -24,6 +24,9 @@ int main ( void )
 printf("calloc(0,-1) = 0x%lx\n", (unsigned long)p);
 free(p);
 
+ // We no longer get a warning with this due to the calloc overflow checking
+ // done for bug 149878. It's no great loss, it's extremely unlikely to
+ // occur in practice.
 p = calloc(-1,-1);
 printf("calloc(-1,-1) = 0x%lx\n", (unsigned long)p);
 free(p);
diff --git a/memcheck/tests/malloc3.stderr.exp b/memcheck/tests/malloc3.stderr.exp
index 30a6968a39..71d8d3da09 100644
--- a/memcheck/tests/malloc3.stderr.exp
+++ b/memcheck/tests/malloc3.stderr.exp
@@ -1,3 +1,2 @@
 Warning: silly arg (-1) to malloc()
 Warning: silly args (0,-1) to calloc()
-Warning: silly args (-1,-1) to calloc()