Fix ixallocx_prof() to check for size greater than HUGE_MAXCLASS.

2015-09-15 00:49:09 -07:00 · 2015-09-15 00:49:09 -07:00 · 8c485b02a6
commit 8c485b02a6
parent 0108b1fd04
2 changed files with 6 additions and 3 deletions
--- a/3
+++ b/3
@ -26,8 +26,7 @@ brevity.  Much more detail can be found in the git revision history:
    with interposed resets (triggered via the "prof.reset" mallctl).  This bug
    could cause data structure corruption that would most likely result in a
    segfault.
-  - Fix xallocx() bugs related to the 'extra' parameter when specified as
-    non-zero.
+  - Fix xallocx() bugs related to size+extra exceeding HUGE_MAXCLASS.
  - Fix irealloc_prof() to prof_alloc_rollback() on OOM.
  - Make one call to prof_active_get_unlocked() per allocation event, and use
    the result throughout the relevant functions that handle an allocation
--- a/src/jemalloc.c
+++ b/src/jemalloc.c
@ -2286,8 +2286,12 @@ ixallocx_prof(tsd_t *tsd, void *ptr, size_t old_usize, size_t size,
 	prof_active = prof_active_get_unlocked();
 	old_tctx = prof_tctx_get(ptr);
 	/* Clamp extra if necessary to avoid (size + extra) overflow. */
-	if (unlikely(size + extra > HUGE_MAXCLASS))
+	if (unlikely(size + extra > HUGE_MAXCLASS)) {
+		/* Check for size overflow. */
+		if (size > HUGE_MAXCLASS)
+			return (old_usize);
 		extra = HUGE_MAXCLASS - size;
+	}
 	/*
 	 * usize isn't knowable before ixalloc() returns when extra is non-zero.
 	 * Therefore, compute its maximum possible value and use that in