From be9df82919960214ee4b9d3313523bff44fd99e1 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Thu, 15 Mar 2012 04:55:08 +0800
Subject: [PATCH] Fix allocation size overflows due to rounding.

* malloc.c (GC_generic_malloc): Check if the allocation size is rounded to a smaller value.
* mallocx.c (GC_generic_malloc_ignore_off_page): Likewise.
---
 malloc.c | 2 ++
 mallocx.c | 2 ++
 2 files changed, 4 insertions(+)

Index: libgc/malloc.c
===================================================================
--- libgc.orig/malloc.c 2012-07-08 18:23:03.980370526 +0200
+++ libgc/malloc.c 2012-07-08 18:24:58.640366221 +0200
@@ -165,6 +165,9 @@
 GC_bool init;
 lw = ROUNDED_UP_WORDS(lb);
 lb_rounded = WORDS_TO_BYTES(lw);
+ if (lb_rounded < lb)
+ return((*GC_oom_fn)(lb));
+
 n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
 init = GC_obj_kinds[k].ok_init;
 LOCK();
Index: libgc/mallocx.c
===================================================================
--- libgc.orig/mallocx.c 2012-07-08 18:21:54.800368132 +0200
+++ libgc/mallocx.c 2012-07-08 18:25:13.620365430 +0200
@@ -179,6 +179,9 @@
 return(GC_generic_malloc((word)lb, k));
 lw = ROUNDED_UP_WORDS(lb);
 lb_rounded = WORDS_TO_BYTES(lw);
+ if (lb_rounded < lb)
+ return((*GC_oom_fn)(lb));
+
 n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
 init = GC_obj_kinds[k].ok_init;
 if (GC_have_errors) GC_print_all_errors();
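Review bot: The new guard in GC_generic_malloc only catches a wrap inside the ROUNDED_UP_WORDS/WORDS_TO_BYTES step; the very next line, `n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);`, is not covered, and if that macro (not visible in this hunk) adds a block-size rounding term before dividing, an lb_rounded near the top of the word range can still wrap to a small block count. If it does, the size should be bounded once against the largest value the whole rounding chain can absorb, or the same `lb_rounded < lb` style test repeated after the block computation. The identical pattern appears in the GC_generic_malloc_ignore_off_page hunk in mallocx.c. The guard also carries no comment saying what it rejects; a line such as `/* Rounding lb up to whole words wrapped: lb is too large to allocate. */` above the `if` would make the intent clear to the next reader. Both enclosing functions begin and end outside their hunks.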