summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Frysinger <vapier@gentoo.org>2009-10-15 19:47:12 -0400
committerMike Frysinger <vapier@gentoo.org>2009-10-15 19:47:12 -0400
commit07e0ce9fa7f428720bee9decb5d0bb368108d93f (patch)
treef5b9628791c8b698b5b1f6901971aef7829f882c
parent3729a87541cdc87e5d1de09f49f39c0eec83a89f (diff)
malloc: handle size overflows in realloc()
The malloc() code checks the incoming size to make sure the header adjustment doesn't cause overflow in the size storage. Add the same check to realloc() to catch stupid stuff like realloc(..., -1). Reported-by: James Coleman <james.coleman@ubicom.com> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-rw-r--r--libc/stdlib/malloc/realloc.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libc/stdlib/malloc/realloc.c b/libc/stdlib/malloc/realloc.c
index fa779205a..8de00665f 100644
--- a/libc/stdlib/malloc/realloc.c
+++ b/libc/stdlib/malloc/realloc.c
@@ -34,6 +34,9 @@ realloc (void *mem, size_t new_size)
}
if (! mem)
return malloc (new_size);
+ /* This matches the check in malloc() */
+ if (unlikely(((unsigned long)new_size > (unsigned long)(MALLOC_HEADER_SIZE*-2))))
+ return NULL;
/* Normal realloc. */