[libxml2] Unsigned addition may overflow in xmlMallocAtomicLoc()
- From: Daniel Veillard <veillard src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Unsigned addition may overflow in xmlMallocAtomicLoc()
- Date: Mon, 23 May 2016 01:25:17 +0000 (UTC)
commit 886529b56ccbf381d9a58c64b4d016a9d05e2c25
Author: David Kilzer <ddkilzer apple com>
Date: Tue Apr 5 12:05:25 2016 -0700
Unsigned addition may overflow in xmlMallocAtomicLoc()
For https://bugzilla.gnome.org/show_bug.cgi?id=764616
This code is used only if turning memory allocation debug
in configure with --with-mem-debug, which should never happen
in real life, so not a serious issue.
* xmlmemory.c:
(MAX_SIZE_T): Macro to define maximum value of size_t.
(xmlMallocAtomicLoc): Add bounds check. Fix description and use
the correct function name in another error message.
xmlmemory.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
---
diff --git a/xmlmemory.c b/xmlmemory.c
index f24fd6d..f08c8c3 100644
--- a/xmlmemory.c
+++ b/xmlmemory.c
@@ -109,6 +109,7 @@ typedef struct memnod {
#define RESERVE_SIZE (((HDR_SIZE + (ALIGN_SIZE-1)) \
/ ALIGN_SIZE ) * ALIGN_SIZE)
+#define MAX_SIZE_T ((size_t)-1)
#define CLIENT_2_HDR(a) ((MEMHDR *) (((char *) (a)) - RESERVE_SIZE))
#define HDR_2_CLIENT(a) ((void *) (((char *) (a)) + RESERVE_SIZE))
@@ -217,7 +218,7 @@ xmlMallocLoc(size_t size, const char * file, int line)
/**
* xmlMallocAtomicLoc:
- * @size: an int specifying the size in byte to allocate.
+ * @size: an unsigned int specifying the size in byte to allocate.
* @file: the file name or NULL
* @line: the line number
*
@@ -240,11 +241,18 @@ xmlMallocAtomicLoc(size_t size, const char * file, int line)
TEST_POINT
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlMallocAtomicLoc : Unsigned overflow prevented\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
xmlGenericError(xmlGenericErrorContext,
- "xmlMallocLoc : Out of free space\n");
+ "xmlMallocAtomicLoc : Out of free space\n");
xmlMemoryDump();
return(NULL);
}
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]