From 013896fee97e70a00438ef3db35e528f47d91b11 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 20 Sep 2012 00:02:01 +0200
Subject: [PATCH] util: make sure heap allocators fail when array allocations
are out of bounds
https://bugzilla.redhat.com/show_bug.cgi?id=858777
(cherry picked from commit 4b8772bf5f2887aa2bdb74efa2f5dfd40fff946d)
Conflicts:
src/shared/util.h
---
src/shared/util.h | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/shared/util.h b/src/shared/util.h
index 66022ed..804bd37 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -104,13 +104,13 @@ size_t page_size(void);
bool streq_ptr(const char *a, const char *b);
-#define new(t, n) ((t*) malloc(sizeof(t)*(n)))
+#define new(t, n) ((t*) malloc_multiply(sizeof(t), (n)))
#define new0(t, n) ((t*) calloc((n), sizeof(t)))
#define newa(t, n) ((t*) alloca(sizeof(t)*(n)))
-#define newdup(t, p, n) ((t*) memdup(p, sizeof(t)*(n)))
+#define newdup(t, p, n) ((t*) memdup_multiply(p, sizeof(t), (n)))
#define malloc0(n) (calloc((n), 1))
@@ -503,7 +503,7 @@ char *format_bytes(char *buf, size_t l, off_t t);
int fd_wait_for_event(int fd, int event, usec_t timeout);
-void* memdup(const void *p, size_t l);
+void* memdup(const void *p, size_t l) _malloc_;
int is_kernel_thread(pid_t pid);
@@ -521,4 +521,18 @@ int can_sleep(const char *type);
bool is_valid_documentation_url(const char *url);
bool in_initrd(void);
+
+_malloc_ static inline void *malloc_multiply(size_t a, size_t b) {
+ if (_unlikely_(a > ((size_t) -1) / b))
+ return NULL;
+
+ return malloc(a * b);
+}
+
+static inline void *memdup_multiply(const void *p, size_t a, size_t b) {
+ if (_unlikely_(a > ((size_t) -1) / b))
+ return NULL;
+
+ return memdup(p, a * b);
+}
#endif
distrib
>
Fedora
>
17
>
i386
>
media
>
updates-src
>
by-pkgid
>
ab4b662b9827b6375ffd451bf4abd615
>
files
>
551
