37 lines
1.4 KiB
Diff
37 lines
1.4 KiB
Diff
From 8642b2178d2c4002c99a0b69a845a48f2ae2706f Mon Sep 17 00:00:00 2001
|
|
From: Richard Weinberger <richard@nod.at>
|
|
Date: Fri, 2 Aug 2024 12:08:44 +0200
|
|
Subject: [PATCH] dlmalloc: Fix integer overflow in request2size()
|
|
|
|
req is of type size_t, casting it to long opens the door
|
|
for an integer overflow.
|
|
Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
|
|
cause and overflow such that request2size() returns MINSIZE.
|
|
|
|
Fix by removing the cast.
|
|
The origin of the cast is unclear, it's in u-boot and ppcboot since ever
|
|
and predates the CVS history.
|
|
Doug Lea's original dlmalloc implementation also doesn't have it.
|
|
|
|
Signed-off-by: Richard Weinberger <richard@nod.at>
|
|
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
---
|
|
common/dlmalloc.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
|
|
index 1e1602a24dec..48e83da6cbce 100644
|
|
--- a/common/dlmalloc.c
|
|
+++ b/common/dlmalloc.c
|
|
@@ -386,8 +386,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
/* pad request bytes into a usable size */
|
|
|
|
#define request2size(req) \
|
|
- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
|
|
- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
|
|
+ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
|
|
+ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
|
|
(((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
|
|
|
|
/* Check if m has acceptable alignment */
|