From 4acb6c7ff3411ddc4d180b0cbdba4fd2c3651ef0 Mon Sep 17 00:00:00 2001
From: Jason Evans
Date: Mon, 14 Sep 2015 22:31:32 -0700
Subject: [PATCH] Fix ixallocx_prof() size+extra overflow.

Fix ixallocx_prof() to clamp the extra parameter if size+extra would overflow HUGE_MAXCLASS.
---
 src/jemalloc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/jemalloc.c b/src/jemalloc.c
index 7cf1487a..6ed3d4e2 100644
--- a/src/jemalloc.c
+++ b/src/jemalloc.c
@@ -2275,6 +2275,9 @@ ixallocx_prof(tsd_t *tsd, void *ptr, size_t old_usize, size_t size,
 	prof_tctx_t *old_tctx, *tctx;
 
 	old_tctx = prof_tctx_get(ptr);
+	/* Clamp extra if necessary to avoid (size + extra) overflow. */
+	if (unlikely(size + extra > HUGE_MAXCLASS))
+		extra = HUGE_MAXCLASS - size;
 	/*
 	 * usize isn't knowable before ixalloc() returns when extra is non-zero.
 	 * Therefore, compute its maximum possible value and use that in
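Review bot: The new guard `size + extra > HUGE_MAXCLASS` can itself wrap in size_t, because extra is supplied by the xallocx() caller: with size = 1 and extra = SIZE_MAX the sum is 0, the test is false, and extra is passed on unclamped, which is the very overflow this commit sets out to prevent. Rewriting the test as a subtraction avoids the wrap: `if (unlikely(extra > HUGE_MAXCLASS - size))` followed by the existing `extra = HUGE_MAXCLASS - size;`. Both that form and the clamp as committed also require size <= HUGE_MAXCLASS, since `HUGE_MAXCLASS - size` underflows otherwise; the hunk does not show whether the caller rejects oversized size before reaching ixallocx_prof(), so either confirm that or add `if (unlikely(size > HUGE_MAXCLASS))` handling ahead of the clamp. The body of ixallocx_prof() begins before and continues past this hunk.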