1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
|
Author: Christian Grothoff <christian@grothoff.org>
Description: handle case that original allocation request was zero and fix
theoretical overflow issue reported by Florian Weimer.
Origin: upstream, commit: 30926,30927
--- a/src/daemon/memorypool.c
+++ b/src/daemon/memorypool.c
@@ -135,19 +135,22 @@
size_t size, int from_end)
{
void *ret;
+ size_t asize;
- size = ROUND_TO_ALIGN (size);
- if ((pool->pos + size > pool->end) || (pool->pos + size < pool->pos))
+ asize = ROUND_TO_ALIGN (size);
+ if ( (0 == asize) && (0 != size) )
+ return NULL; /* size too close to SIZE_MAX */
+ if ((pool->pos + asize > pool->end) || (pool->pos + asize < pool->pos))
return NULL;
if (from_end == MHD_YES)
{
- ret = &pool->memory[pool->end - size];
- pool->end -= size;
+ ret = &pool->memory[pool->end - asize];
+ pool->end -= asize;
}
else
{
ret = &pool->memory[pool->pos];
- pool->pos += size;
+ pool->pos += asize;
}
return ret;
}
@@ -175,34 +178,37 @@
size_t new_size)
{
void *ret;
+ size_t asize;
- new_size = ROUND_TO_ALIGN (new_size);
- if ((pool->end < old_size) || (pool->end < new_size))
+ asize = ROUND_TO_ALIGN (new_size);
+ if ( (0 == asize) && (0 != new_size) )
+ return NULL; /* new_size too close to SIZE_MAX */
+ if ((pool->end < old_size) || (pool->end < asize))
return NULL; /* unsatisfiable or bogus request */
if ((pool->pos >= old_size) && (&pool->memory[pool->pos - old_size] == old))
{
/* was the previous allocation - optimize! */
- if (pool->pos + new_size - old_size <= pool->end)
+ if (pool->pos + asize - old_size <= pool->end)
{
/* fits */
- pool->pos += new_size - old_size;
- if (new_size < old_size) /* shrinking - zero again! */
- memset (&pool->memory[pool->pos], 0, old_size - new_size);
+ pool->pos += asize - old_size;
+ if (asize < old_size) /* shrinking - zero again! */
+ memset (&pool->memory[pool->pos], 0, old_size - asize);
return old;
}
/* does not fit */
return NULL;
}
- if (new_size <= old_size)
+ if (asize <= old_size)
return old; /* cannot shrink, no need to move */
- if ((pool->pos + new_size >= pool->pos) &&
- (pool->pos + new_size <= pool->end))
+ if ((pool->pos + asize >= pool->pos) &&
+ (pool->pos + asize <= pool->end))
{
/* fits */
ret = &pool->memory[pool->pos];
memcpy (ret, old, old_size);
- pool->pos += new_size;
+ pool->pos += asize;
return ret;
}
/* does not fit */
|