authorRich Felker <dalias@aerifal.cx>2011-08-15 01:59:15 -0400
committerRich Felker <dalias@aerifal.cx>2011-08-15 01:59:15 -0400
commitce7c6341d38ecd3af4d1e01032e9ea8b4078aa97 (patch)
treee7b6fdc92a1a60a85d0c3c45a46224e9782f9acb /src/malloc
parent6cb277d75e07557dd8442202722d280c1bf93c08 (diff)
downloadmusl-ce7c6341d38ecd3af4d1e01032e9ea8b4078aa97.tar.gz
musl-ce7c6341d38ecd3af4d1e01032e9ea8b4078aa97.tar.bz2
musl-ce7c6341d38ecd3af4d1e01032e9ea8b4078aa97.tar.xz
musl-ce7c6341d38ecd3af4d1e01032e9ea8b4078aa97.zip
simplify and improve double-free check
a valid mmapped block will have an even (actually aligned) "extra" field, whereas a freed chunk on the heap will always have an in-use neighbor. this fixes a potential bug if mmap ever allocated memory below the main program/brk (in which case it would be wrongly-detected as a double-free by the old code) and allows the double-free check to work for donated memory outside of the brk area (or, in the future, secondary heap zones if support for their creation is added).
Diffstat (limited to 'src/malloc')
-rw-r--r--src/malloc/malloc.c4
1 files changed, 2 insertions, 2 deletions
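diff --git a/src/malloc/malloc.c b/src/malloc/malloc.c
index db4287ef..0888afa9 100644
--- a/src/malloc/malloc.c
+++ b/src/malloc/malloc.c
@@ -394,7 +394,7 @@ void *realloc(void *p, size_t n)
 size_t oldlen = n0 + extra;
 size_t newlen = n + extra;
 /* Crash on realloc of freed chunk */
- if ((uintptr_t)base < mal.brk) *(volatile char *)0=0;
+ if (extra & 1) *(volatile char *)0=0;
 if (newlen < PAGE_SIZE && (new = malloc(n))) {
 memcpy(new, p, n-OVERHEAD);
 free(p);
@@ -457,7 +457,7 @@ void free(void *p)
 char *base = (char *)self - extra;
 size_t len = CHUNK_SIZE(self) + extra;
 /* Crash on double free */
- if ((uintptr_t)base < mal.brk) *(volatile char *)0=0;
+ if (extra & 1) *(volatile char *)0=0;
 __munmap(base, len);
 return;
 }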
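Review bot: The new `extra & 1` test in free() (and the identical line in the realloc hunk above) is not explained at the site, and the retained comment `/* Crash on double free */` no longer says what the test keys on, so a maintainer reading the mmap path cannot see that `extra` carries the neighbour's in-use bit for a heap chunk that was already freed but an aligned (even) offset for a genuinely mmapped one. I would extend the comment to `/* Crash on double free: a heap chunk that was already freed has its neighbour's in-use bit set here, whereas a real mmapped chunk stores an aligned (even) offset */` and, if the file's in-use bit macro is the right name for that bit, write the test as `if (extra & C_INUSE)` rather than the literal 1 so both sites stay in step with the rest of the file. The comment should also state the check's scope: it catches a second free of a chunk carved from the heap, while a second free of a chunk that was really mmapped reads the chunk header that `extra` comes from out of already-unmapped memory before this line runs, so that case is caught, if at all, by the fault on that read rather than by this test. The bodies of free() and realloc() begin outside both hunks.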