authorMike Frysinger <vapier@gentoo.org>2009-10-15 19:47:12 -0400
committerAustin Foxley <austinf@cetoncorp.com>2009-10-16 11:36:32 -0700
commit6b95077fcb846b21c9b507eaf804e44a8ccd212e (patch)
tree2215312a6e9aca564713aff2595791237e809968 /libc/stdlib/malloc
parenteb15613c63d1baafb072fd2d1fc9b3f579841c8c (diff)
downloaduClibc-alpine-6b95077fcb846b21c9b507eaf804e44a8ccd212e.tar.bz2
uClibc-alpine-6b95077fcb846b21c9b507eaf804e44a8ccd212e.tar.xz
malloc: handle size overflows in realloc()
The malloc() code checks the incoming size to make sure the header adjustment doesn't cause overflow in the size storage. Add the same check to realloc() to catch stupid stuff like realloc(..., -1). Reported-by: James Coleman <james.coleman@ubicom.com> Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Austin Foxley <austinf@cetoncorp.com>
Diffstat (limited to 'libc/stdlib/malloc')
-rw-r--r--libc/stdlib/malloc/realloc.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libc/stdlib/malloc/realloc.c b/libc/stdlib/malloc/realloc.c
index fa779205a..8de00665f 100644
--- a/libc/stdlib/malloc/realloc.c
+++ b/libc/stdlib/malloc/realloc.c
@@ -34,6 +34,9 @@ realloc (void *mem, size_t new_size)
}
if (! mem)
return malloc (new_size);
+ /* This matches the check in malloc() */
+ if (unlikely(((unsigned long)new_size > (unsigned long)(MALLOC_HEADER_SIZE*-2))))
+ return NULL;
/* Normal realloc. */
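Review bot: The added early `return NULL;` leaves errno untouched, so a caller that inspects errno after a failed realloc() would see a stale value, whereas POSIX has realloc() report ENOMEM on failure. If the matching check in malloc() sets errno (that code is not visible here), this branch should do the same, e.g. `{ __set_errno (ENOMEM); return NULL; }`. The comment would also be more useful if it stated the reason for the bound, something like `/* Reject sizes where adding MALLOC_HEADER_SIZE and rounding up would wrap; same check as malloc() */`. The body of realloc() starts before and continues past this hunk, so the later size arithmetic cannot be checked from here.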