Message ID | 1510068430-27816-4-git-send-email-pistukem@gmail.com |
---|---|
State | New |
Series | Additional integrity checks for the malloc | expand |
On 11/07/2017 04:27 PM, Istvan Kurucsai wrote:
> * malloc/malloc.c (malloc_consolidate): Add size check.
> ---
> malloc/malloc.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index d3fac7e..51d703c 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -4406,6 +4406,7 @@ static void malloc_consolidate(mstate av)
> mfastbinptr* fb; /* current fastbin being consolidated */
> mfastbinptr* maxfb; /* last fastbin (for loop control) */
> mchunkptr p; /* current chunk being consolidated */
> + unsigned int idx; /* fastbin index of current chunk */
> mchunkptr nextp; /* next chunk to consolidate */
> mchunkptr unsorted_bin; /* bin header */
> mchunkptr first_unsorted; /* chunk to link to */
> @@ -4437,6 +4438,10 @@ static void malloc_consolidate(mstate av)
> p = atomic_exchange_acq (fb, NULL);
> if (p != 0) {
> do {
> + idx = fastbin_index (chunksize (p));
> + if ((&fastbin (av, idx)) != fb)
> + malloc_printerr ("malloc_consolidate(): invalid chunk size");
> +
This looks good. I'm going to minimize the scope for idx and push this. Thanks, Florian
diff --git a/malloc/malloc.c b/malloc/malloc.c
index d3fac7e..51d703c 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4406,6 +4406,7 @@ static void malloc_consolidate(mstate av)
 mfastbinptr* fb; /* current fastbin being consolidated */
 mfastbinptr* maxfb; /* last fastbin (for loop control) */
 mchunkptr p; /* current chunk being consolidated */
+ unsigned int idx; /* fastbin index of current chunk */
 mchunkptr nextp; /* next chunk to consolidate */
 mchunkptr unsorted_bin; /* bin header */
 mchunkptr first_unsorted; /* chunk to link to */
@@ -4437,6 +4438,10 @@ static void malloc_consolidate(mstate av)
 p = atomic_exchange_acq (fb, NULL);
 if (p != 0) {
 do {
+ idx = fastbin_index (chunksize (p));
+ if ((&fastbin (av, idx)) != fb)
+ malloc_printerr ("malloc_consolidate(): invalid chunk size");
+
 check_inuse_chunk(av, p);
 nextp = p->fd;
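Review bot: In the second hunk the new check reads `chunksize (p)` through a pointer taken straight from the fastbin list, so it detects a corrupted size field but a corrupted or misaligned `p` is still dereferenced before anything is validated. malloc.c already has a `misaligned_chunk` macro, so the loop body could start with `if (__glibc_unlikely (misaligned_chunk (p))) malloc_printerr ("malloc_consolidate(): unaligned fastbin chunk");` ahead of the size check (the message text is a suggestion). A short comment above the check would also help, for example `/* Every chunk on this list must have a size that maps back to fb; a mismatch means the heap metadata is corrupted.  */`. The loop and the rest of malloc_consolidate continue outside the hunk, so whether `p->fd` is validated later cannot be seen here.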