From a23baf586a1ca78213d43bce5fee2a30715b473b Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Sun, 20 Feb 2011 16:10:38 -0500
Subject: fix simple_malloc size restrictions

do not allow allocations that overflow ptrdiff_t; fix some overflow
checks that were not quite right but didn't matter due to address
layout implementation.
---
 src/malloc/__simple_malloc.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'src/malloc/__simple_malloc.c')

diff --git a/src/malloc/__simple_malloc.c b/src/malloc/__simple_malloc.c
index 49b74c8e..61cd9fc4 100644
--- a/src/malloc/__simple_malloc.c
+++ b/src/malloc/__simple_malloc.c
@@ -15,16 +15,16 @@ void *__simple_malloc(size_t n)
 	static int lock;
 	size_t align=1;
 
-	if (n < SIZE_MAX - ALIGN)
-		while (align<n && align<ALIGN)
-			align += align;
+	if (n > SIZE_MAX/2) goto toobig;
+
+	while (align<n && align<ALIGN)
+		align += align;
 	n = n + align - 1 & -align;
 
 	LOCK(&lock);
 	if (!cur) cur = brk = __brk(0)+16;
-	if (n > SIZE_MAX - brk) goto fail;
-
 	base = cur + align-1 & -align;
+	if (n > SIZE_MAX - PAGE_SIZE - base) goto fail;
 	if (base+n > brk) {
 		new = base+n + PAGE_SIZE-1 & -PAGE_SIZE;
 		if (__brk(new) != new) goto fail;
@@ -37,6 +37,7 @@ void *__simple_malloc(size_t n)
 
 fail:
 	UNLOCK(&lock);
+toobig:
 	errno = ENOMEM;
 	return 0;
 }
-- 
cgit v1.2.1