[git commit master] malloc: handle size overflows in realloc()

Mike Frysinger vapier at gentoo.org
Thu Oct 15 23:47:12 UTC 2009


commit: http://git.uclibc.org/uClibc/commit/?id=07e0ce9fa7f428720bee9decb5d0bb368108d93f
branch: http://git.uclibc.org/uClibc/commit/?id=refs/heads/master

The malloc() code checks the incoming size to make sure the header
adjustment doesn't cause overflow in the size storage.  Add the same
check to realloc() to catch stupid stuff like realloc(..., -1).

Reported-by: James Coleman <james.coleman at ubicom.com>
Signed-off-by: Mike Frysinger <vapier at gentoo.org>
---
 libc/stdlib/malloc/realloc.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/libc/stdlib/malloc/realloc.c b/libc/stdlib/malloc/realloc.c
index fa77920..8de0066 100644
--- a/libc/stdlib/malloc/realloc.c
+++ b/libc/stdlib/malloc/realloc.c
@@ -34,6 +34,9 @@ realloc (void *mem, size_t new_size)
     }
   if (! mem)
     return malloc (new_size);
+  /* This matches the check in malloc() */
+  if (unlikely(((unsigned long)new_size > (unsigned long)(MALLOC_HEADER_SIZE*-2))))
+    return NULL;
 
   /* Normal realloc.  */
 
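Review bot: the new bound in this hunk duplicates the expression used by malloc() instead of sharing it, so the two checks can silently drift apart; consider lifting `(unsigned long)(MALLOC_HEADER_SIZE*-2)` into a single macro (e.g. a MALLOC_MAX_SIZE-style definition next to MALLOC_HEADER_SIZE) that both malloc() and realloc() test against, and drop the doubled parentheses around the condition. Two smaller points on the same lines: the early `return NULL` does not set errno to ENOMEM, which callers of realloc() expect on an allocation failure, so if malloc()'s check sets it this path should match; and the comparison is done after casting size_t to unsigned long, so please confirm the two types are the same width on every target this allocator builds for, otherwise the wrap-around constant is computed in the wrong type.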
-- 
1.6.3.3