PR other/54411: integer overflow in objalloc_alloc

2012-09-18 Florian Weimer <fweimer@redhat.com> PR other/54411 * objalloc.h (objalloc_alloc): Do not use fast path on wraparound. 2012-09-18 Florian Weimer <fweimer@redhat.com> PR other/54411 * objalloc.c (_objalloc_alloc): Add overflow check covering alignment and CHUNK_HEADER_SIZE addition. From-SVN: r191413
2026-02-22 03:47:02 -05:00 · 2012-09-18 10:34:05 +02:00
parent 4d3999876e
commit ed770de906
4 changed files with 22 additions and 4 deletions
--- a/libiberty/objalloc.c
+++ b/libiberty/objalloc.c
@@ -1,5 +1,5 @@
 /* objalloc.c -- routines to allocate memory for objects
-   Copyright 1997 Free Software Foundation, Inc.
+   Copyright 1997-2012 Free Software Foundation, Inc.
   Written by Ian Lance Taylor, Cygnus Solutions.

 This program is free software; you can redistribute it and/or modify it
@@ -112,8 +112,10 @@ objalloc_create (void)
 /* Allocate space from an objalloc structure.  */

 PTR
-_objalloc_alloc (struct objalloc *o, unsigned long len)
+_objalloc_alloc (struct objalloc *o, unsigned long original_len)
 {
+  unsigned long len = original_len;
+
  /* We avoid confusion from zero sized objects by always allocating
     at least 1 byte.  */
  if (len == 0)
@@ -121,6 +123,11 @@ _objalloc_alloc (struct objalloc *o, unsigned long len)

  len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);

+  /* Check for overflow in the alignment operation above and the
+     malloc argument below. */
+  if (len + CHUNK_HEADER_SIZE < original_len)
+    return NULL;
+
  if (len <= o->current_space)
    {
      o->current_ptr += len;