Check for integer overflow before calling sbrk(2), since it uses a

signed increment argument, but the size is an unsigned integer.
2008-04-29 01:32:42 +00:00 · 2008-04-29 01:32:42 +00:00 · e3085308be
commit e3085308be
parent aec0c4d822
1 changed files with 7 additions and 0 deletions
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@ -1530,6 +1530,13 @@ static void *
 chunk_alloc_dss(size_t size)
 {

+	/*
+	 * sbrk() uses a signed increment argument, so take care not to
+	 * interpret a huge allocation request as a negative increment.
+	 */
+	if ((intptr_t)size < 0)
+		return (NULL);
+
 	malloc_mutex_lock(&dss_mtx);
 	if (dss_prev != (void *)-1) {
 		intptr_t incr;