d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Check for integer overflow before calling sbrk(2), since it uses a

Browse Source 
signed increment argument, but the size is an unsigned integer.
This commit is contained in:
Jason Evans 2008-04-29 01:32:42 +00:00
parent aec0c4d822
commit e3085308be
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=178645
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
lib/libc/stdlib/malloc.c
View File

@ -1530,6 +1530,13 @@ static void *
chunk_alloc_dss(size_t size) chunk_alloc_dss(size_t size)
{ {
/*
* sbrk() uses a signed increment argument, so take care not to
* interpret a huge allocation request as a negative increment.
*/
if ((intptr_t)size < 0)
return (NULL);
malloc_mutex_lock(&dss_mtx); malloc_mutex_lock(&dss_mtx);
if (dss_prev != (void *)-1) { if (dss_prev != (void *)-1) {
intptr_t incr; intptr_t incr;