Import a vendor fix for a list overrun.

This has been considered as a security hole on some specialized ml, but currently the secteam@ doesn't consider that way. Reviewed by: emaste, des Sponsored by: Sandvine Incorporated MFC after: 3 days
2009-09-07 09:30:37 +00:00 · 2009-09-07 09:30:37 +00:00 · 2aef64d798
commit 2aef64d798
parent 811a23dd7d
2 changed files with 13 additions and 7 deletions
--- a/contrib/gdtoa/gdtoaimp.h
+++ b/contrib/gdtoa/gdtoaimp.h
@ -485,7 +485,7 @@ extern pthread_mutex_t __gdtoa_locks[2];
 		_pthread_mutex_unlock(&__gdtoa_locks[n]);	\
 } while(0)

-#define Kmax 15
+#define Kmax 9

 struct
 Bigint {
--- a/contrib/gdtoa/misc.c
+++ b/contrib/gdtoa/misc.c
@ -55,7 +55,9 @@ Balloc
 #endif

 	ACQUIRE_DTOA_LOCK(0);
-	if ( (rv = freelist[k]) !=0) {
+	/* The k > Kmax case does not need ACQUIRE_DTOA_LOCK(0), */
+	/* but this case seems very unlikely. */
+	if (k <= Kmax && (rv = freelist[k]) !=0) {
 		freelist[k] = rv->next;
 		}
 	else {
@ -65,7 +67,7 @@ Balloc
 #else
 		len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
 			/sizeof(double);
-		if (pmem_next - private_mem + len <= PRIVATE_mem) {
+		if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
 			rv = (Bigint*)pmem_next;
 			pmem_next += len;
 			}
@ -89,10 +91,14 @@ Bfree
 #endif
 {
 	if (v) {
-		ACQUIRE_DTOA_LOCK(0);
-		v->next = freelist[v->k];
-		freelist[v->k] = v;
-		FREE_DTOA_LOCK(0);
+		if (v->k > Kmax)
+			free((void*)v);
+		else {
+			ACQUIRE_DTOA_LOCK(0);
+			v->next = freelist[v->k];
+			freelist[v->k] = v;
+			FREE_DTOA_LOCK(0);
+			}
 		}
 	}