author | jasone <jasone@FreeBSD.org> | 2008-04-29 01:32:42 +0000 |
---|---|---|
committer | jasone <jasone@FreeBSD.org> | 2008-04-29 01:32:42 +0000 |
commit | 138e8f0fdcc8bae6c773999e5d91f0e8bc04cba5 (patch) | |
tree | 10e714edd90a7fc17bab0fc8059378591b5371a9 /lib/libc/stdlib | |
parent | 94277c3fc6bf58d68705b4efda040adee1f2ab1f (diff) | |
Check for integer overflow before calling sbrk(2), since it uses a
signed increment argument, but the size is an unsigned integer.
Diffstat (limited to 'lib/libc/stdlib')
-rw-r--r-- | lib/libc/stdlib/malloc.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c
index 990cec9..bc1ee01 100644
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@@ -1530,6 +1530,13 @@ static void *
 chunk_alloc_dss(size_t size)
 {
 
+ /*
+ * sbrk() uses a signed increment argument, so take care not to
+ * interpret a huge allocation request as a negative increment.
+ */
+ if ((intptr_t)size < 0)
+ return (NULL);
+
 malloc_mutex_lock(&dss_mtx);
 if (dss_prev != (void *)-1) {
 intptr_t incr; |
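Review bot: The new guard at the top of chunk_alloc_dss, `if ((intptr_t)size < 0)`, depends on the implementation-defined result of converting an out-of-range size_t to intptr_t; `if (size > (size_t)INTPTR_MAX)` expresses the same bound without that conversion. The guard also bounds only size itself: `intptr_t incr` at the end of the hunk is computed outside the visible lines, and if that computation adds alignment padding to size, a request just under INTPTR_MAX could still wrap to a negative increment, so that addition would need its own check. The comment could also state the consequence, e.g. `a negative increment makes sbrk() shrink the break instead of growing it`. The function body continues past the end of the hunk.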