Description: fix another overflow and an infinite loop
Origin: backport, https://sourceware.org/git/?p=glibc.git;h=321e26847188300173a5dc0ca42c2ff7b9bf7a78
Origin: backport, https://sourceware.org/git/?p=glibc.git;h=a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd
5
Index: eglibc-2.11.1/malloc/hooks.c
6
===================================================================
7
--- eglibc-2.11.1.orig/malloc/hooks.c 2014-07-28 10:57:53.517597728 -0400
8
+++ eglibc-2.11.1/malloc/hooks.c 2014-07-28 11:01:04.701596786 -0400
10
if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
11
if (alignment < MINSIZE) alignment = MINSIZE;
14
- MALLOC_FAILURE_ACTION;
17
+ /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
18
+ power of 2 and will cause overflow in the check below. */
19
+ if (alignment > SIZE_MAX / 2 + 1)
21
+ __set_errno (EINVAL);
25
+ /* Check for overflow. */
26
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
28
+ __set_errno (ENOMEM);
32
checked_request2size(bytes+1, nb);
33
(void)mutex_lock(&main_arena.mutex);
34
mem = (top_check() >= 0) ? _int_memalign(&main_arena, alignment, bytes+1) :
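Review bot: The new overflow guard in memalign_check bounds `bytes`, but the size actually requested just below it is `bytes+1` (`checked_request2size(bytes+1, nb)` and `_int_memalign(&main_arena, alignment, bytes+1)`), so the guard leaves no margin for the extra byte. The `+1` itself cannot wrap, because alignment is at least MINSIZE by this point. Whether the padded size can still go past what the guard intends depends on checked_request2size and _int_memalign, which are outside the hunk. I would either tighten the test to `if (bytes >= SIZE_MAX - alignment - MINSIZE)` or extend the comment to `/* Check for overflow; note the request below is bytes+1. */`, so that the difference from the malloc.c copy of this check is visibly deliberate. memalign_check starts and ends outside the hunk, and the bodies of the two new `if` statements are not shown in this view.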
35
Index: eglibc-2.11.1/malloc/malloc.c
36
===================================================================
37
--- eglibc-2.11.1.orig/malloc/malloc.c 2014-07-28 10:57:53.517597728 -0400
38
+++ eglibc-2.11.1/malloc/malloc.c 2014-07-28 10:57:53.513597728 -0400
39
@@ -3874,6 +3874,14 @@
40
/* Otherwise, ensure that it is at least a minimum chunk size */
41
if (alignment < MINSIZE) alignment = MINSIZE;
43
+ /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
44
+ power of 2 and will cause overflow in the check below. */
45
+ if (alignment > SIZE_MAX / 2 + 1)
47
+ __set_errno (EINVAL);
51
/* Check for overflow. */
52
if (bytes > SIZE_MAX - alignment - MINSIZE)