From a714d2561b78985ec85f3056aac83c603cbaaa5f Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Wed, 7 Apr 2021 10:00:53 +0800
Subject: [PATCH] Fix wrong zmalloc_size() assumption. (#7963)
When using a system with no malloc_usable_size(), zmalloc_size() assumed
that the heap allocator always returns blocks that are long-padded.
This may not always be the case, and will result in zmalloc_size()
returning a size that is bigger than allocated. At least in one case
this leads to out of bound write, process crash and a potential security
vulnerability.
Effectively this does not affect the vast majority of users, who use
jemalloc or glibc.
This problem along with a (different) fix was reported by Drew DeVault.
---
src/zmalloc.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/zmalloc.c b/src/zmalloc.c
index cc47f71..67b1b65 100644
--- a/src/zmalloc.c
+++ b/src/zmalloc.c
@@ -186,9 +186,6 @@ void *zrealloc(void *ptr, size_t size) {
size_t zmalloc_size(void *ptr) {
void *realptr = (char*)ptr-PREFIX_SIZE;
size_t size = *((size_t*)realptr);
- /* Assume at least that all the allocations are padded at sizeof(long) by
- * the underlying allocator. */
- if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1));
return size+PREFIX_SIZE;
}
#endif
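Review bot: With the rounding gone, zmalloc_size() in this branch returns exactly the size recorded in the allocation header plus PREFIX_SIZE, yet the function is now left with no comment stating that contract, and the removed assumption is precisely what produced the over-report and the out-of-bounds write described in the message. Suggest placing `/* No malloc_usable_size() here: report the caller's requested size plus PREFIX_SIZE; callers must not assume any usable slack beyond that. */` above the `realptr` line so the next maintainer does not reintroduce a padding guess. The header read also presumes `ptr` came from this allocator; a NULL or foreign pointer would read PREFIX_SIZE bytes before it, so the comment could state that precondition too. The `#if`/`#else` that opens this branch is outside the hunk; that it is the no-malloc_usable_size() path is inferred from the trailing `#endif` and the commit message.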
--
2.23.0