From 8c485b02a61ab96d4d248e234302edf57577b77d Mon Sep 17 00:00:00 2001
From: Jason Evans
Date: Tue, 15 Sep 2015 00:49:09 -0700
Subject: [PATCH] Fix ixallocx_prof() to check for size greater than HUGE_MAXCLASS.
---
 ChangeLog | 3 +--
 src/jemalloc.c | 6 +++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 269d0898..e4da6384 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,8 +26,7 @@ brevity. Much more detail can be found in the git revision history:
 with interposed resets (triggered via the "prof.reset" mallctl). This bug
 could cause data structure corruption that would most likely result in a
 segfault.
- - Fix xallocx() bugs related to the 'extra' parameter when specified as
- non-zero.
+ - Fix xallocx() bugs related to size+extra exceeding HUGE_MAXCLASS.
 - Fix irealloc_prof() to prof_alloc_rollback() on OOM.
 - Make one call to prof_active_get_unlocked() per allocation event, and use
 the result throughout the relevant functions that handle an allocation
diff --git a/src/jemalloc.c b/src/jemalloc.c
index a29e6139..f403306b 100644
--- a/src/jemalloc.c
+++ b/src/jemalloc.c
@@ -2286,8 +2286,12 @@ ixallocx_prof(tsd_t *tsd, void *ptr, size_t old_usize, size_t size,
 prof_active = prof_active_get_unlocked();
 old_tctx = prof_tctx_get(ptr);
 /* Clamp extra if necessary to avoid (size + extra) overflow. */
- if (unlikely(size + extra > HUGE_MAXCLASS))
+ if (unlikely(size + extra > HUGE_MAXCLASS)) {
+ /* Check for size overflow. */
+ if (size > HUGE_MAXCLASS)
+ return (old_usize);
 extra = HUGE_MAXCLASS - size;
+ }
 /*
 * usize isn't knowable before ixalloc() returns when extra is non-zero.
 * Therefore, compute its maximum possible value and use that in
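Review bot: The new guard in ixallocx_prof() still evaluates `size + extra` before deciding anything, so if that sum wraps around in size_t the comparison against HUGE_MAXCLASS is false and both the added `size > HUGE_MAXCLASS` early return and the clamp are skipped, which is precisely the overflow the comment above it says it avoids. Testing the operands separately removes the addition from the condition: `if (unlikely(size > HUGE_MAXCLASS)) return (old_usize);` followed by `if (unlikely(extra > HUGE_MAXCLASS - size)) extra = HUGE_MAXCLASS - size;`. The added comment `/* Check for size overflow. */` is also inexact, since size alone being above HUGE_MAXCLASS is an out-of-range request rather than an overflow; `/* size alone exceeds the largest class; leave the allocation untouched. */` describes the branch more closely. Whether the caller already rejects such sizes before reaching this function is not visible in the hunk. ixallocx_prof() begins before the hunk and continues past it.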