This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/12005] malloc(-1ul) segfaults when using mcheck
- From: "andrey dot vihrov at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 11 Sep 2010 16:46:41 -0000
- Subject: [Bug libc/12005] malloc(-1ul) segfaults when using mcheck
- References: <20100911160236.12005.sources.redhat.com@contacts.eelis.net>
- Reply-to: sourceware-bugzilla at sourceware dot org
------- Additional Comments From andrey dot vihrov at gmail dot com 2010-09-11 16:46 -------
With mcheck enabled malloc() and realloc() try to allocate "sizeof (struct hdr)
+ size + 1" instead of the user-specified "size", as seen in mallochook() and
reallochook() in malloc/mcheck.c. However, it is never checked whether the new
value overflows. It seems that checking whether "size" is greater than "SIZE_MAX
- sizeof (struct hdr) - 1" and returning NULL in such case could be a solution.
--
http://sourceware.org/bugzilla/show_bug.cgi?id=12005
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.