author | otto <> | 2017-07-07 19:14:46 +0000 |
---|---|---|
committer | otto <> | 2017-07-07 19:14:46 +0000 |
commit | 20cf5b5a283f3b749a3e9b1adb725754a572598c (patch) | |
tree | e3ea65073ac3b10dd611c7249bac88e02f7a6fdd /src | |
parent | 9b91fb97f1ba8f97f4670fc409407c82a94c71a2 (diff) | |
Only access offset if canaries are enabled *and* size > 0, otherwise offset
is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libc/stdlib/malloc.c | 4 |
1 files changed, 2 insertions, 2 deletions
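--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: malloc.c,v 1.226 2017/06/19 03:06:26 dlg Exp $ */
+/* $OpenBSD: malloc.c,v 1.227 2017/07/07 19:14:46 otto Exp $ */
 /*
 * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
 * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -1013,7 +1013,7 @@ malloc_bytes(struct dir_info *d, size_t size, void *f)
 /* Adjust to the real offset of that chunk */
 k += (lp - bp->bits) * MALLOC_BITS;
 
-if (mopts.chunk_canaries)
+if (mopts.chunk_canaries && size > 0)
 bp->bits[bp->offset + k] = size;
 
 k <<= bp->shift;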
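Review bot: The new `size > 0` condition in malloc_bytes has no comment explaining why zero-sized requests are excluded, and the reason given in the commit message (`bp->offset` is not initialized for them) cannot be seen at this site. A one-line comment above the `if`, such as `/* bp->offset is only set up when size > 0; zero-sized chunks record no canary size */`, would keep a later cleanup from dropping the condition and bringing back a store at an unpredictable index in `bp->bits`. The guard also covers only this writer: any other code that indexes `bp->bits` through `bp->offset`, presumably the canary validation on the free path, needs the same size check, or `offset` could be given a defined value where the chunk_info is set up. Neither of those is visible in this hunk, and malloc_bytes itself starts and ends outside it.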