2003-08-19 Jeff Johnston <jjohnstn@redhat.com>

        * libc/stdlib/mallocr.c (mALLOc, rEALLOc, mEMEALIGn): Enhance
        overflow detection.

2 files changed, 12 insertions, 2 deletions

diff --git a/newlib/ChangeLog b/newlib/ChangeLog
index 8136a77..727d31a 100644
--- a/newlib/ChangeLog
+++ b/newlib/ChangeLog
@@ -1,3 +1,8 @@
+2003-08-19  Jeff Johnston  <jjohnstn@redhat.com>
+
+	* libc/stdlib/mallocr.c (mALLOc, rEALLOc, mEMEALIGn): Enhance
+	overflow detection.
+	
 2003-08-13  Aldy Hernandez  <aldyh@redhat.com>
 	
 	* libc/machine/powerpc/machine/stdlib.h: Wrap SPE functions in
diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
index 5e10457..08a3b00 100644
--- a/newlib/libc/stdlib/mallocr.c
+++ b/newlib/libc/stdlib/mallocr.c
@@ -2334,7 +2334,7 @@ Void_t* mALLOc(RARG bytes) RDECL size_t bytes;
   INTERNAL_SIZE_T nb  = request2size(bytes);  /* padded request size; */
 
   /* Check for overflow and just fail, if so. */
-  if (nb > INT_MAX)
+  if (nb > INT_MAX || nb < bytes)
     return 0;
 
   MALLOC_LOCK;
@@ -2797,7 +2797,7 @@ Void_t* rEALLOc(RARG oldmem, bytes) RDECL Void_t* oldmem; size_t bytes;
   nb = request2size(bytes);
 
   /* Check for overflow and just fail, if so. */
-  if (nb > INT_MAX)
+  if (nb > INT_MAX || nb < bytes)
     return 0;
 
 #if HAVE_MMAP
@@ -3028,6 +3028,11 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
   /* Call malloc with worst case padding to hit alignment. */
 
   nb = request2size(bytes);
+
+  /* Check for overflow. */
+  if (nb > INT_MAX || nb < bytes)
+    return 0;
+
   m  = (char*)(mALLOc(RCALL nb + alignment + MINSIZE));
 
   if (m == 0) return 0; /* propagate failure */