41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
From 0a10b49206a29b4aa2f80233a3e53ca0466bb0b3 Mon Sep 17 00:00:00 2001
|
|
From: Richard Weinberger <richard@nod.at>
|
|
Date: Fri, 2 Aug 2024 12:08:45 +0200
|
|
Subject: [PATCH] dlmalloc: Fix integer overflow in sbrk()
|
|
|
|
Make sure that the new break is within mem_malloc_start
|
|
and mem_malloc_end before making progress.
|
|
ulong new = old + increment; can overflow for extremely large
|
|
increment values and memset() can get wrongly called.
|
|
|
|
Signed-off-by: Richard Weinberger <richard@nod.at>
|
|
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
---
|
|
common/dlmalloc.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
|
|
index 48e83da6cbce..8e201ac0dc59 100644
|
|
--- a/common/dlmalloc.c
|
|
+++ b/common/dlmalloc.c
|
|
@@ -581,6 +581,9 @@ void *sbrk(ptrdiff_t increment)
|
|
ulong old = mem_malloc_brk;
|
|
ulong new = old + increment;
|
|
|
|
+ if ((new < mem_malloc_start) || (new > mem_malloc_end))
|
|
+ return (void *)MORECORE_FAILURE;
|
|
+
|
|
/*
|
|
* if we are giving memory back make sure we clear it out since
|
|
* we set MORECORE_CLEARS to 1
|
|
@@ -588,9 +591,6 @@ void *sbrk(ptrdiff_t increment)
|
|
if (increment < 0)
|
|
memset((void *)new, 0, -increment);
|
|
|
|
- if ((new < mem_malloc_start) || (new > mem_malloc_end))
|
|
- return (void *)MORECORE_FAILURE;
|
|
-
|
|
mem_malloc_brk = new;
|
|
|
|
return (void *)old;
|