From e3085308bef8531efad096824db9743fab754af7 Mon Sep 17 00:00:00 2001
From: Jason Evans
Date: Tue, 29 Apr 2008 01:32:42 +0000
Subject: [PATCH] Check for integer overflow before calling sbrk(2), since it uses a signed increment argument, but the size is an unsigned integer.
---
 lib/libc/stdlib/malloc.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c
index 990cec9c5040..bc1ee0114775 100644
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@@ -1530,6 +1530,13 @@ static void *
 chunk_alloc_dss(size_t size)
 {
+	/*
+	 * sbrk() uses a signed increment argument, so take care not to
+	 * interpret a huge allocation request as a negative increment.
+	 */
+	if ((intptr_t)size < 0)
+		return (NULL);
+
 	malloc_mutex_lock(&dss_mtx);
 	if (dss_prev != (void *)-1) {
 		intptr_t incr;