diff options
| author | millert <> | 2003-01-14 02:27:16 +0000 |
|---|---|---|
| committer | millert <> | 2003-01-14 02:27:16 +0000 |
| commit | aba0988fbff5b7f1f5d85fab2531d66d00cc046f (patch) | |
| tree | 5a68b65163ce4971055d5c67ad62b87e993dc19e | |
| parent | 70dea1ea0b6a432fcbb8e10e1ba4dc970c9fa0c0 (diff) | |
| download | openbsd-aba0988fbff5b7f1f5d85fab2531d66d00cc046f.tar.gz openbsd-aba0988fbff5b7f1f5d85fab2531d66d00cc046f.tar.bz2 openbsd-aba0988fbff5b7f1f5d85fab2531d66d00cc046f.zip | |
Add sanity check to prevent int oflow for very large allocations.
Also fix a signed vs. unsigned issue while I am at it.
Found by Jim Geovedi. OK deraadt@
| -rw-r--r-- | src/lib/libc/stdlib/malloc.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c index 9ab3deb5df..c8aef635d4 100644 --- a/src/lib/libc/stdlib/malloc.c +++ b/src/lib/libc/stdlib/malloc.c | |||
| @@ -8,7 +8,7 @@ | |||
| 8 | */ | 8 | */ |
| 9 | 9 | ||
| 10 | #if defined(LIBC_SCCS) && !defined(lint) | 10 | #if defined(LIBC_SCCS) && !defined(lint) |
| 11 | static char rcsid[] = "$OpenBSD: malloc.c,v 1.53 2002/11/27 21:40:32 tdeval Exp $"; | 11 | static char rcsid[] = "$OpenBSD: malloc.c,v 1.54 2003/01/14 02:27:16 millert Exp $"; |
| 12 | #endif /* LIBC_SCCS and not lint */ | 12 | #endif /* LIBC_SCCS and not lint */ |
| 13 | 13 | ||
| 14 | /* | 14 | /* |
| @@ -46,6 +46,7 @@ static char rcsid[] = "$OpenBSD: malloc.c,v 1.53 2002/11/27 21:40:32 tdeval Exp | |||
| 46 | #include <string.h> | 46 | #include <string.h> |
| 47 | #include <unistd.h> | 47 | #include <unistd.h> |
| 48 | #include <fcntl.h> | 48 | #include <fcntl.h> |
| 49 | #include <limits.h> | ||
| 49 | #include <errno.h> | 50 | #include <errno.h> |
| 50 | 51 | ||
| 51 | #include "thread_private.h" | 52 | #include "thread_private.h" |
| @@ -376,12 +377,19 @@ malloc_exit() | |||
| 376 | */ | 377 | */ |
| 377 | static void * | 378 | static void * |
| 378 | map_pages(pages) | 379 | map_pages(pages) |
| 379 | int pages; | 380 | size_t pages; |
| 380 | { | 381 | { |
| 381 | caddr_t result, tail; | 382 | caddr_t result, tail; |
| 382 | 383 | ||
| 383 | result = (caddr_t)pageround((u_long)sbrk(0)); | 384 | result = (caddr_t)pageround((u_long)sbrk(0)); |
| 384 | tail = result + (pages << malloc_pageshift); | 385 | pages <<= malloc_pageshift; |
| 386 | if (pages > SIZE_T_MAX - (size_t)result) { | ||
| 387 | #ifdef MALLOC_EXTRA_SANITY | ||
| 388 | wrterror("(ES): overflow in map_pages fails\n"); | ||
| 389 | #endif /* MALLOC_EXTRA_SANITY */ | ||
| 390 | return 0; | ||
| 391 | } | ||
| 392 | tail = result + pages; | ||
| 385 | 393 | ||
| 386 | if (brk(tail)) { | 394 | if (brk(tail)) { |
| 387 | #ifdef MALLOC_EXTRA_SANITY | 395 | #ifdef MALLOC_EXTRA_SANITY |