aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorUlrich Drepper <drepper@redhat.com>2004-12-11 21:15:24 +0000
committerUlrich Drepper <drepper@redhat.com>2004-12-11 21:15:24 +0000
commit76761b63787f4122ec87f257ec038aba9e7ab236 (patch)
tree336c56bc696ee1d86462265049648694bec6879b
parent8c7d3691c46e9900d847e084dbc23229419562d6 (diff)
downloadglibc-76761b63787f4122ec87f257ec038aba9e7ab236.zip
glibc-76761b63787f4122ec87f257ec038aba9e7ab236.tar.gz
glibc-76761b63787f4122ec87f257ec038aba9e7ab236.tar.bz2
Update.
2004-12-11 Ulrich Drepper <drepper@redhat.com> * malloc/malloc.c (_int_realloc): Add checks for corrupted memory. (_int_free): Make clear message are result of free() calls. * malloc/malloc.c (_int_realloc): Remove unnecessary tests for oldmem and size == 0.
-rw-r--r--ChangeLog8
-rw-r--r--malloc/malloc.c45
2 files changed, 37 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index b668942..0660ad3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2004-12-11 Ulrich Drepper <drepper@redhat.com>
+
+ * malloc/malloc.c (_int_realloc): Add checks for corrupted memory.
+ (_int_free): Make clear message are result of free() calls.
+
+ * malloc/malloc.c (_int_realloc): Remove unnecessary tests for
+ oldmem and size == 0.
+
2004-12-10 Ulrich Drepper <drepper@redhat.com>
* malloc/arena.c (arena_get2): Prevent endless loop if arenas and
diff --git a/malloc/malloc.c b/malloc/malloc.c
index cf1b935..e3ccbde 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4256,7 +4256,7 @@ _int_free(mstate av, Void_t* mem)
|| __builtin_expect (chunksize (chunk_at_offset (p, size))
>= av->system_mem, 0))
{
- errstr = "invalid next size (fast)";
+ errstr = "free(): invalid next size (fast)";
goto errout;
}
@@ -4306,7 +4306,7 @@ _int_free(mstate av, Void_t* mem)
if (__builtin_expect (nextchunk->size <= 2 * SIZE_SZ, 0)
|| __builtin_expect (nextsize >= av->system_mem, 0))
{
- errstr = "invalid next size (normal)";
+ errstr = "free(): invalid next size (normal)";
goto errout;
}
@@ -4550,27 +4550,42 @@ _int_realloc(mstate av, Void_t* oldmem, size_t bytes)
INTERNAL_SIZE_T* s; /* copy source */
INTERNAL_SIZE_T* d; /* copy destination */
+ const char *errstr = NULL;
-#if REALLOC_ZERO_BYTES_FREES
- if (bytes == 0) {
- if (oldmem != 0)
- _int_free(av, oldmem);
- return 0;
- }
-#endif
-
- /* realloc of null is supposed to be same as malloc */
- if (oldmem == 0) return _int_malloc(av, bytes);
checked_request2size(bytes, nb);
oldp = mem2chunk(oldmem);
oldsize = chunksize(oldp);
+ /* Simple tests for old block integrity. */
+ if (__builtin_expect ((uintptr_t) oldp & MALLOC_ALIGN_MASK, 0))
+ {
+ errstr = "realloc(): invalid pointer";
+ errout:
+ malloc_printerr (check_action, errstr, oldmem);
+ return NULL;
+ }
+ if (__builtin_expect (oldp->size <= 2 * SIZE_SZ, 0)
+ || __builtin_expect (oldsize >= av->system_mem, 0))
+ {
+ errstr = "realloc(): invalid size";
+ goto errout;
+ }
+
check_inuse_chunk(av, oldp);
if (!chunk_is_mmapped(oldp)) {
+ next = chunk_at_offset(oldp, oldsize);
+ INTERNAL_SIZE_T nextsize = chunksize(next);
+ if (__builtin_expect (next->size <= 2 * SIZE_SZ, 0)
+ || __builtin_expect (nextsize >= av->system_mem, 0))
+ {
+ errstr = "realloc(): invalid next size";
+ goto errout;
+ }
+
if ((unsigned long)(oldsize) >= (unsigned long)(nb)) {
/* already big enough; split below */
newp = oldp;
@@ -4578,11 +4593,9 @@ _int_realloc(mstate av, Void_t* oldmem, size_t bytes)
}
else {
- next = chunk_at_offset(oldp, oldsize);
-
/* Try to expand forward into top */
if (next == av->top &&
- (unsigned long)(newsize = oldsize + chunksize(next)) >=
+ (unsigned long)(newsize = oldsize + nextsize) >=
(unsigned long)(nb + MINSIZE)) {
set_head_size(oldp, nb | (av != &main_arena ? NON_MAIN_ARENA : 0));
av->top = chunk_at_offset(oldp, nb);
@@ -4594,7 +4607,7 @@ _int_realloc(mstate av, Void_t* oldmem, size_t bytes)
/* Try to expand forward into next chunk; split off remainder below */
else if (next != av->top &&
!inuse(next) &&
- (unsigned long)(newsize = oldsize + chunksize(next)) >=
+ (unsigned long)(newsize = oldsize + nextsize) >=
(unsigned long)(nb)) {
newp = oldp;
unlink(next, bck, fwd);