From 07e0ce9fa7f428720bee9decb5d0bb368108d93f Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Thu, 15 Oct 2009 19:47:12 -0400
Subject: malloc: handle size overflows in realloc()
The malloc() code checks the incoming size to make sure the header adjustment doesn't cause overflow in the size storage. Add the same check to realloc() to catch stupid stuff like realloc(..., -1).
Reported-by: James Coleman
Signed-off-by: Mike Frysinger
---
 libc/stdlib/malloc/realloc.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'libc/stdlib')
diff --git a/libc/stdlib/malloc/realloc.c b/libc/stdlib/malloc/realloc.c
index fa779205a..8de00665f 100644
--- a/libc/stdlib/malloc/realloc.c
+++ b/libc/stdlib/malloc/realloc.c
@@ -34,6 +34,9 @@ realloc (void *mem, size_t new_size)
 }
 if (! mem)
 return malloc (new_size);
+ /* This matches the check in malloc() */
+ if (unlikely(((unsigned long)new_size > (unsigned long)(MALLOC_HEADER_SIZE*-2))))
+ return NULL;
 /* Normal realloc. */
--
cgit v1.2.3
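Review bot: The added early return hands back NULL without touching errno, so a caller that trips the oversize check cannot distinguish it from any other failure the way POSIX expects (ENOMEM); the new comment says this matches malloc(), but whether malloc()'s check also sets errno is not visible in this hunk, so please confirm and, if it does, mirror it here as `if (unlikely(((unsigned long)new_size > (unsigned long)(MALLOC_HEADER_SIZE*-2)))) { errno = ENOMEM; return NULL; }` (or the libc's internal errno setter). The bound `MALLOC_HEADER_SIZE*-2` is opaque to a reader; a comment such as `/* Reject sizes so large that adding the header would wrap: (unsigned long)(MALLOC_HEADER_SIZE*-2) is ULONG_MAX - 2*MALLOC_HEADER_SIZE + 1. */` would say why, and hoisting the expression into one macro beside MALLOC_HEADER_SIZE would keep this copy and malloc()'s from drifting apart. The comparison is done through unsigned long rather than size_t, which is only exact where the two types have the same width; that appears to be inherited from malloc() rather than introduced here, so it is worth a note in the same comment rather than a change in this commit. realloc's body continues outside the hunk.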