authorRich Felker <dalias@aerifal.cx>2011-02-20 16:10:38 -0500
committerRich Felker <dalias@aerifal.cx>2011-02-20 16:10:38 -0500
commita23baf586a1ca78213d43bce5fee2a30715b473b (patch)
treee6939397742a037f847d93e53c98afa79e980bdc
parent96f2197494791f5884c01b5caa908074cc7e90a6 (diff)
fix simple_malloc size restrictions
do not allow allocations that overflow ptrdiff_t; fix some overflow checks that were not quite right but didn't matter due to address layout implementation.
-rw-r--r--src/malloc/__simple_malloc.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/src/malloc/__simple_malloc.c b/src/malloc/__simple_malloc.c
index 49b74c8e..61cd9fc4 100644
--- a/src/malloc/__simple_malloc.c
+++ b/src/malloc/__simple_malloc.c
@@ -15,16 +15,16 @@ void *__simple_malloc(size_t n)
static int lock;
size_t align=1;
- if (n < SIZE_MAX - ALIGN)
- while (align<n && align<ALIGN)
- align += align;
+ if (n > SIZE_MAX/2) goto toobig;
+
+ while (align<n && align<ALIGN)
+ align += align;
n = n + align - 1 & -align;
LOCK(&lock);
if (!cur) cur = brk = __brk(0)+16;
- if (n > SIZE_MAX - brk) goto fail;
-
base = cur + align-1 & -align;
+ if (n > SIZE_MAX - PAGE_SIZE - base) goto fail;
if (base+n > brk) {
new = base+n + PAGE_SIZE-1 & -PAGE_SIZE;
if (__brk(new) != new) goto fail;
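Review bot: The new guard `if (n > SIZE_MAX - PAGE_SIZE - base) goto fail;` still depends on address layout, because its right-hand side is itself unsigned arithmetic that wraps when `base` lies within `PAGE_SIZE` of `SIZE_MAX`; a large `n` then passes the test and `base+n + PAGE_SIZE-1` can wrap in the `new` computation. Assuming `base` is an unsigned integer type (its declaration is above the hunk), testing the subtrahend first closes that gap: `if (base > SIZE_MAX - PAGE_SIZE || n > SIZE_MAX - PAGE_SIZE - base) goto fail;`. A one-line comment such as `/* reserve PAGE_SIZE so rounding new up to a page cannot wrap */` would also explain why PAGE_SIZE appears in the bound. The body of __simple_malloc starts above this hunk and continues below it.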
@@ -37,6 +37,7 @@ void *__simple_malloc(size_t n)
fail:
UNLOCK(&lock);
+toobig:
errno = ENOMEM;
return 0;
}
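Review bot: The position of `toobig:` below `UNLOCK(&lock)` is load-bearing, and nothing in the code says so. The `goto toobig` in the first hunk runs before `LOCK(&lock)`, so that path must not reach the unlock, while `fail:` falls through into it with the lock already released. A comment on the label would keep a later cleanup from merging or reordering the two, for example `/* toobig: entered without the lock held; keep below UNLOCK */`. The function's success path sits between the two hunks and is not visible here.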