author | attilio <attilio@FreeBSD.org> | 2009-09-07 09:30:37 +0000 |
---|---|---|
committer | attilio <attilio@FreeBSD.org> | 2009-09-07 09:30:37 +0000 |
commit | 2aef64d79819d93a516160eb7761b06a299e9b6e (patch) | |
tree | ec716ee20554bd10012b79cd8478b44be5ffc2f0 /contrib/gdtoa | |
parent | 811a23dd7d498a398a0a099109d98b5c19d3b48b (diff) | |
Import a vendor fix for a list overrun.
This has been considered a security hole on some specialized mailing lists,
but secteam@ currently does not consider it one.
Reviewed by: emaste, des
Sponsored by: Sandvine Incorporated
MFC after: 3 days
Diffstat (limited to 'contrib/gdtoa')
-rw-r--r-- | contrib/gdtoa/gdtoaimp.h | 2 | ||||
-rw-r--r-- | contrib/gdtoa/misc.c | 18 |
2 files changed, 13 insertions, 7 deletions
diff --git a/contrib/gdtoa/gdtoaimp.h b/contrib/gdtoa/gdtoaimp.h index c550ada..9991ffa 100644 --- a/contrib/gdtoa/gdtoaimp.h +++ b/contrib/gdtoa/gdtoaimp.h @@ -485,7 +485,7 @@ extern pthread_mutex_t __gdtoa_locks[2]; _pthread_mutex_unlock(&__gdtoa_locks[n]); \ } while(0) -#define Kmax 15 +#define Kmax 9 struct Bigint { diff --git a/contrib/gdtoa/misc.c b/contrib/gdtoa/misc.c index b3ce7c9..8d2888e 100644 --- a/contrib/gdtoa/misc.c +++ b/contrib/gdtoa/misc.c @@ -55,7 +55,9 @@ Balloc #endif ACQUIRE_DTOA_LOCK(0); - if ( (rv = freelist[k]) !=0) { + /* The k > Kmax case does not need ACQUIRE_DTOA_LOCK(0), */ + /* but this case seems very unlikely. */ + if (k <= Kmax && (rv = freelist[k]) !=0) { freelist[k] = rv->next; } else { @@ -65,7 +67,7 @@ Balloc #else len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1) /sizeof(double); - if (pmem_next - private_mem + len <= PRIVATE_mem) { + if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) { rv = (Bigint*)pmem_next; pmem_next += len; } @@ -89,10 +91,14 @@ Bfree #endif { if (v) { - ACQUIRE_DTOA_LOCK(0); - v->next = freelist[v->k]; - freelist[v->k] = v; - FREE_DTOA_LOCK(0); + if (v->k > Kmax) + free((void*)v); + else { + ACQUIRE_DTOA_LOCK(0); + v->next = freelist[v->k]; + freelist[v->k] = v; + FREE_DTOA_LOCK(0); + } } } |
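Review bot: The new `#define Kmax 9` in gdtoaimp.h carries no comment, although after this commit it is the bound that the checks in Balloc and Bfree depend on. Neither the commit message nor the code says why the limit drops from 15 to 9, or that blocks with k between 10 and 15 now bypass the free-list cache. A one-line comment would help, for example `/* largest k cached in freelist[]; Balloc/Bfree send larger k to the heap */`. The freelist declaration is outside the visible hunks, so it should be confirmed that the array is sized from Kmax.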
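Review bot: The guard added in the first Balloc hunk, `if (k <= Kmax && (rv = freelist[k]) !=0)`, bounds k only from above. If k is a signed int (its declaration is outside the hunk), a negative value passes the test and indexes before the start of freelist. The Bfree hunk has the same one-sided test, `v->k > Kmax`. Consider `if (k >= 0 && k <= Kmax && (rv = freelist[k]) != 0)`, or state in a comment that callers guarantee a non-negative k. Balloc's body starts and ends outside this hunk.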
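Review bot: The `k <= Kmax &&` added to the private_mem test in the second Balloc hunk is undocumented, yet it appears to be what keeps oversized blocks out of the static pool so that Bfree can later pass them to free(). Without a comment, a later edit could drop the condition and make Bfree call free() on a pointer into private_mem. I would add `/* k > Kmax must never come from private_mem: Bfree() releases such blocks with free() */` above the `if`. The heap-allocation branch that follows is outside the hunk.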
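Review bot: In the Bfree hunk, `free((void*)v);` calls the C library directly, while the allocation that produces these blocks is outside the visible hunks. If Balloc obtains them through an overridable allocator macro, this release would not match it when the macro is redefined, so the two should go through a matching pair. The new `if (v->k > Kmax)` arm is also unbraced while its `else` is braced; bracing both would follow the usual guard against dangling-else mistakes.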