From ecea0f6125ea87ee6fd82f16286b61eb8c0f5692 Mon Sep 17 00:00:00 2001
From: Jason Evans
Date: Wed, 28 Apr 2010 12:00:59 -0700
Subject: [PATCH] Fix junk filling of cached large objects.

Use the size argument to tcache_dalloc_large() to control the number of bytes set to 0x5a when junk filling is enabled, rather than accessing a non-existent arena bin. This bug was capable of corrupting an arbitrarily large memory region, depending on what followed the arena data structure in memory (typically zeroed memory, another arena_t, or a red-black tree node for a huge object).
---
 jemalloc/include/jemalloc/internal/tcache.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jemalloc/include/jemalloc/internal/tcache.h b/jemalloc/include/jemalloc/internal/tcache.h
index fa6c53f2..a8be436d 100644
--- a/jemalloc/include/jemalloc/internal/tcache.h
+++ b/jemalloc/include/jemalloc/internal/tcache.h
@@ -353,7 +353,7 @@ tcache_dalloc_large(tcache_t *tcache, void *ptr, size_t size)
 #ifdef JEMALLOC_FILL
 if (opt_junk)
- memset(ptr, 0x5a, arena->bins[binind].reg_size);
+ memset(ptr, 0x5a, size);
 #endif
 tbin = &tcache->tbins[binind];