File: allocation_request_was_zero.diff

package info (click to toggle)
libmicrohttpd 0.9.20-1%2Bdeb7u1
  • links: PTS, VCS
  • area: main
  • in suites: wheezy
  • size: 3,884 kB
  • sloc: ansic: 20,914; sh: 11,423; pascal: 972; makefile: 620
file content (82 lines) | stat: -rw-r--r-- 2,698 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
 
Author: Christian Grothoff <christian@grothoff.org>
Description: handle case that original allocation request was zero and fix
 theoretical overflow issue reported by Florian Weimer.
Origin: upstream, commit: 30926,30927
--- a/src/daemon/memorypool.c
+++ b/src/daemon/memorypool.c
@@ -135,19 +135,22 @@
 		   size_t size, int from_end)
 {
   void *ret;
+  size_t asize;
 
-  size = ROUND_TO_ALIGN (size);
-  if ((pool->pos + size > pool->end) || (pool->pos + size < pool->pos))
+  asize = ROUND_TO_ALIGN (size);
+  if ( (0 == asize) && (0 != size) )
+    return NULL; /* size too close to SIZE_MAX */
+  if ((pool->pos + asize > pool->end) || (pool->pos + asize < pool->pos))
     return NULL;
   if (from_end == MHD_YES)
     {
-      ret = &pool->memory[pool->end - size];
-      pool->end -= size;
+      ret = &pool->memory[pool->end - asize];
+      pool->end -= asize;
     }
   else
     {
       ret = &pool->memory[pool->pos];
-      pool->pos += size;
+      pool->pos += asize;
     }
   return ret;
 }
@@ -175,34 +178,37 @@
 		     size_t new_size)
 {
   void *ret;
+  size_t asize;
 
-  new_size = ROUND_TO_ALIGN (new_size);
-  if ((pool->end < old_size) || (pool->end < new_size))
+  asize = ROUND_TO_ALIGN (new_size);
+  if ( (0 == asize) && (0 != new_size) )
+    return NULL; /* new_size too close to SIZE_MAX */
+  if ((pool->end < old_size) || (pool->end < asize))
     return NULL;                /* unsatisfiable or bogus request */
 
   if ((pool->pos >= old_size) && (&pool->memory[pool->pos - old_size] == old))
     {
       /* was the previous allocation - optimize! */
-      if (pool->pos + new_size - old_size <= pool->end)
+      if (pool->pos + asize - old_size <= pool->end)
         {
           /* fits */
-          pool->pos += new_size - old_size;
-          if (new_size < old_size)      /* shrinking - zero again! */
-            memset (&pool->memory[pool->pos], 0, old_size - new_size);
+          pool->pos += asize - old_size;
+          if (asize < old_size)      /* shrinking - zero again! */
+            memset (&pool->memory[pool->pos], 0, old_size - asize);
           return old;
         }
       /* does not fit */
       return NULL;
     }
-  if (new_size <= old_size)
+  if (asize <= old_size)
     return old;                 /* cannot shrink, no need to move */
-  if ((pool->pos + new_size >= pool->pos) &&
-      (pool->pos + new_size <= pool->end))
+  if ((pool->pos + asize >= pool->pos) &&
+      (pool->pos + asize <= pool->end))
     {
       /* fits */
       ret = &pool->memory[pool->pos];
       memcpy (ret, old, old_size);
-      pool->pos += new_size;
+      pool->pos += asize;
       return ret;
     }
   /* does not fit */