From 4a550fa72dc79dec1a9bb31e1f935a3da312dabb Mon Sep 17 00:00:00 2001
From: otto <>
Date: Fri, 7 Jul 2017 19:14:46 +0000
Subject: [PATCH] Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
---
 src/lib/libc/stdlib/malloc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c
index eaa97f88..dc2c7b15 100644
--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: malloc.c,v 1.226 2017/06/19 03:06:26 dlg Exp $ */
+/* $OpenBSD: malloc.c,v 1.227 2017/07/07 19:14:46 otto Exp $ */
 /*
  * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek
  * Copyright (c) 2012 Matthew Dempsky
@@ -1013,7 +1013,7 @@ malloc_bytes(struct dir_info *d, size_t size, void *f)
 	/* Adjust to the real offset of that chunk */
 	k += (lp - bp->bits) * MALLOC_BITS;
-	if (mopts.chunk_canaries)
+	if (mopts.chunk_canaries && size > 0)
 		bp->bits[bp->offset + k] = size;
 	k <<= bp->shift;
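Review bot: The new `size > 0` test on the canary store in the second hunk relies on a non-local invariant — that the zero-size bucket is the only one whose `bp->offset` is never initialized — and nothing at the use site says so; a one-line comment would stop the next reader from "simplifying" it away: `/* zero-sized chunks carry no canary; bp->offset is uninitialized for that bucket */`. A more robust fix would be to initialize `bp->offset` where chunk pages are created for the zero-size bucket, so every consumer of the field is safe rather than only this one store. The matching read on the free path, which presumably indexes `bits[offset + chunknum]` the same way, is outside this hunk; unless it carries the same guard or the field is initialized, freeing a zero-size chunk would still read the uninitialized offset. The enclosing malloc_bytes() starts and ends outside the hunk.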