malloc: handle size overflows in realloc()

The malloc() code checks the incoming size to make sure the header adjustment doesn't cause overflow in the size storage. Add the same check to realloc() to catch stupid stuff like realloc(..., -1). Reported-by: James Coleman <james.coleman@ubicom.com> Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Austin Foxley <austinf@cetoncorp.com>
author: Mike Frysinger <vapier@gentoo.org> 2009-10-15 19:47:12 -0400
committer: Austin Foxley <austinf@cetoncorp.com> 2009-10-16 11:36:32 -0700
commit: 6b95077fcb846b21c9b507eaf804e44a8ccd212e (patch)
tree: 2215312a6e9aca564713aff2595791237e809968 /libc/stdlib/malloc/realloc.c
parent: eb15613c63d1baafb072fd2d1fc9b3f579841c8c (diff)
download: uClibc-alpine-6b95077fcb846b21c9b507eaf804e44a8ccd212e.tar.bz2
uClibc-alpine-6b95077fcb846b21c9b507eaf804e44a8ccd212e.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/libc/stdlib/malloc/realloc.c b/libc/stdlib/malloc/realloc.c
index fa779205a..8de00665f 100644
--- a/libc/stdlib/malloc/realloc.c
+++ b/libc/stdlib/malloc/realloc.c
@@ -34,6 +34,9 @@ realloc (void *mem, size_t new_size)
     }
   if (! mem)
     return malloc (new_size);
+  /* This matches the check in malloc() */
+  if (unlikely(((unsigned long)new_size > (unsigned long)(MALLOC_HEADER_SIZE*-2))))
+    return NULL;
 
   /* Normal realloc.  */
author	Mike Frysinger <vapier@gentoo.org>	2009-10-15 19:47:12 -0400
committer	Austin Foxley <austinf@cetoncorp.com>	2009-10-16 11:36:32 -0700
commit	6b95077fcb846b21c9b507eaf804e44a8ccd212e (patch)
tree	2215312a6e9aca564713aff2595791237e809968 /libc/stdlib/malloc/realloc.c
parent	eb15613c63d1baafb072fd2d1fc9b3f579841c8c (diff)
download	uClibc-alpine-6b95077fcb846b21c9b507eaf804e44a8ccd212e.tar.bz2 uClibc-alpine-6b95077fcb846b21c9b507eaf804e44a8ccd212e.tar.xz