1d2596af6f
- fix for malloc()/calloc() overflows (CVE-2012-2673, bnc#765444) OBS-URL: https://build.opensuse.org/request/show/130342 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/gc?expand=0&rev=18
From 83231d0ab5ed60015797c3d1ad9056295ac3b2bb Mon Sep 17 00:00:00 2001
From: Hans Boehm <Hans.Boehm@hp.com>
Date: Thu, 15 Mar 2012 21:09:05 +0400
Subject: [PATCH] Speedup calloc size overflow check by preventing division if
small values
* malloc.c (GC_SQRT_SIZE_MAX): New macro.
* malloc.c (calloc): Add fast initial size overflow check to avoid
integer division for reasonably small values passed.
---
malloc.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/malloc.c b/malloc.c
|
|
index cb49a5c..c9b9eb6 100644
|
|
--- a/malloc.c
|
|
+++ b/malloc.c
|
|
@@ -381,9 +381,12 @@ void * malloc(size_t lb)
|
|
# define GC_SIZE_MAX (~(size_t)0)
|
|
#endif
|
|
|
|
+#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)
|
|
+
|
|
void * calloc(size_t n, size_t lb)
|
|
{
|
|
- if (lb && n > GC_SIZE_MAX / lb)
|
|
+ if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial test */
|
|
+ && lb && n > GC_SIZE_MAX / lb)
|
|
return NULL;
|
|
# if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
|
|
/* libpthread allocated some memory that is only pointed to by */
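Review bot: The new `GC_SQRT_SIZE_MAX` macro shifts the constant `1U`, so the shift is evaluated in `unsigned int`; on a target where `WORDSZ` is 64 and `unsigned int` is 32 bits wide (`WORDSZ` is defined outside this hunk, so this is inferred), `1U << 32` is undefined behaviour, and the fast test that now gates the `calloc` overflow check depends on its result. Doing the shift in the size type removes that dependency: `#define GC_SQRT_SIZE_MAX ((((size_t)1) << (WORDSZ / 2)) - 1)`. The bound itself is sound, since the product cannot wrap when both `n` and `lb` are at most the square root of `GC_SIZE_MAX`, and a one-line comment above the macro stating that would help the next reader. `calloc`'s body continues past the end of the hunk, so the multiplication this check protects is not visible here.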
--
1.7.7