Only access offset if canaries are enabled *and* size > 0, otherwise offset is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
OPENBSD_6_2
otto 7 years ago
parent
commit
4a550fa72d
1 changed files with 2 additions and 2 deletions
  1. +2
    -2
      src/lib/libc/stdlib/malloc.c

src/lib/libc/stdlib/malloc.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: malloc.c,v 1.226 2017/06/19 03:06:26 dlg Exp $ */
/* $OpenBSD: malloc.c,v 1.227 2017/07/07 19:14:46 otto Exp $ */
/* /*
* Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net> * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
* Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org> * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@ -1013,7 +1013,7 @@ malloc_bytes(struct dir_info *d, size_t size, void *f)
/* Adjust to the real offset of that chunk */ /* Adjust to the real offset of that chunk */
k += (lp - bp->bits) * MALLOC_BITS; k += (lp - bp->bits) * MALLOC_BITS;
if (mopts.chunk_canaries)
if (mopts.chunk_canaries && size > 0)
bp->bits[bp->offset + k] = size; bp->bits[bp->offset + k] = size;
k <<= bp->shift; k <<= bp->shift;
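
Review bot: The new condition `if (mopts.chunk_canaries && size > 0)` in malloc_bytes() relies on an invariant that is not stated anywhere in the visible lines: per the commit message, `bp->offset` is not initialized when size is 0, so `bp->bits[bp->offset + k] = size;` would index with an indeterminate value. A one-line comment above the `if` saying that offset is only set up for chunk pages with size > 0 would keep a later cleanup from dropping the `size > 0` test as redundant. This hunk shows only the write side; any other place that reads `bp->offset` to find the stored size (for example when checking a canary on free) needs the same guard, and that cannot be confirmed from the lines shown here. Initializing `offset` unconditionally where the chunk info is set up would be an alternative that removes the need for each caller to remember the condition.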

