yann@1
|
1 |
diff -ur glibc-2.1.3.orig/malloc/malloc.c glibc-2.1.3/malloc/malloc.c
|
yann@1
|
2 |
--- glibc-2.1.3.orig/malloc/malloc.c Wed Feb 23 10:02:55 2000
|
yann@1
|
3 |
+++ glibc-2.1.3/malloc/malloc.c Thu Aug 1 09:24:10 2002
|
yann@1
|
4 |
@@ -3656,12 +3656,20 @@
|
yann@1
|
5 |
{
|
yann@1
|
6 |
arena *ar_ptr;
|
yann@1
|
7 |
mchunkptr p, oldtop;
|
yann@1
|
8 |
- INTERNAL_SIZE_T sz, csz, oldtopsize;
|
yann@1
|
9 |
+ INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
|
yann@1
|
10 |
Void_t* mem;
|
yann@1
|
11 |
|
yann@1
|
12 |
+ /* size_t is unsigned so the behavior on overflow is defined;
|
yann@1
|
13 |
+ * request2size() uses similar post-checks anyway. */
|
yann@1
|
14 |
+ bytes = n * elem_size;
|
yann@1
|
15 |
+ if ((n | elem_size) >= 65536 && elem_size && bytes / elem_size != n) {
|
yann@1
|
16 |
+ __set_errno (ENOMEM);
|
yann@1
|
17 |
+ return 0;
|
yann@1
|
18 |
+ }
|
yann@1
|
19 |
+
|
yann@1
|
20 |
#if defined _LIBC || defined MALLOC_HOOKS
|
yann@1
|
21 |
if (__malloc_hook != NULL) {
|
yann@1
|
22 |
- sz = n * elem_size;
|
yann@1
|
23 |
+ sz = bytes;
|
yann@1
|
24 |
#if defined __GNUC__ && __GNUC__ >= 2
|
yann@1
|
25 |
mem = (*__malloc_hook)(sz, __builtin_return_address (0));
|
yann@1
|
26 |
#else
|
yann@1
|
27 |
@@ -3678,7 +3686,7 @@
|
yann@1
|
28 |
}
|
yann@1
|
29 |
#endif
|
yann@1
|
30 |
|
yann@1
|
31 |
- if(request2size(n * elem_size, sz))
|
yann@1
|
32 |
+ if(request2size(bytes, sz))
|
yann@1
|
33 |
return 0;
|
yann@1
|
34 |
arena_get(ar_ptr, sz);
|
yann@1
|
35 |
if(!ar_ptr)
|