This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH] Fix malloc after clearenv

From: Jakub Jelinek <jakub at redhat dot com>
To: Roland McGrath <roland at redhat dot com>, Ulrich Drepper <drepper at redhat dot com>
Cc: Glibc hackers <libc-hacker at sources dot redhat dot com>
Date: Fri, 27 Dec 2002 01:09:23 +0100
Subject: [PATCH] Fix malloc after clearenv
Reply-to: Jakub Jelinek <jakub at redhat dot com>

Hi!

Doing clearenv() before first malloc results in segfault (next_env_entry
is called with &runp where runp == NULL, and dereferences the NULL pointer:
char **current = *position; ... while (*current != NULL)).
The patch below is mainly just indentation adjustement, with diff -upb
it is a one-liner, adding if (__builtin_expect (_environ != NULL, 1)).

2002-12-27  Jakub Jelinek  <jakub@redhat.com>

	* malloc/arena.c (ptmalloc_init): Don't call next_env_entry if
	_environ is NULL.

--- libc/malloc/arena.c.jj	2002-12-12 01:38:54.000000000 +0100
+++ libc/malloc/arena.c	2002-12-27 02:19:17.000000000 +0100
@@ -436,49 +436,50 @@ ptmalloc_init __MALLOC_P((void))
 #ifdef _LIBC
   secure = __libc_enable_secure;
   s = NULL;
-  {
-    char **runp = _environ;
-    char *envline;
-
-    while (__builtin_expect ((envline = next_env_entry (&runp)) != NULL,
-			     0))
-      {
-	size_t len = strcspn (envline, "=");
-
-	if (envline[len] != '=')
-	  /* This is a "MALLOC_" variable at the end of the string
-	     without a '=' character.  Ignore it since otherwise we
-	     will access invalid memory below.  */
-	  continue;
-
-	switch (len)
-	  {
-	  case 6:
-	    if (memcmp (envline, "CHECK_", 6) == 0)
-	      s = &envline[7];
-	    break;
-	  case 8:
-	    if (! secure && memcmp (envline, "TOP_PAD_", 8) == 0)
-	      mALLOPt(M_TOP_PAD, atoi(&envline[9]));
-	    break;
-	  case 9:
-	    if (! secure && memcmp (envline, "MMAP_MAX_", 9) == 0)
-	      mALLOPt(M_MMAP_MAX, atoi(&envline[10]));
-	    break;
-	  case 15:
-	    if (! secure)
-	      {
-		if (memcmp (envline, "TRIM_THRESHOLD_", 15) == 0)
-		  mALLOPt(M_TRIM_THRESHOLD, atoi(&envline[16]));
-		else if (memcmp (envline, "MMAP_THRESHOLD_", 15) == 0)
-		  mALLOPt(M_MMAP_THRESHOLD, atoi(&envline[16]));
-	      }
-	    break;
-	  default:
-	    break;
-	  }
-      }
-  }
+  if (__builtin_expect (_environ != NULL, 1))
+    {
+      char **runp = _environ;
+      char *envline;
+
+      while (__builtin_expect ((envline = next_env_entry (&runp)) != NULL,
+			       0))
+	{
+	  size_t len = strcspn (envline, "=");
+
+	  if (envline[len] != '=')
+	    /* This is a "MALLOC_" variable at the end of the string
+	       without a '=' character.  Ignore it since otherwise we
+	       will access invalid memory below.  */
+	    continue;
+
+	  switch (len)
+	    {
+	    case 6:
+	      if (memcmp (envline, "CHECK_", 6) == 0)
+		s = &envline[7];
+	      break;
+	    case 8:
+	      if (! secure && memcmp (envline, "TOP_PAD_", 8) == 0)
+		mALLOPt(M_TOP_PAD, atoi(&envline[9]));
+	      break;
+	    case 9:
+	      if (! secure && memcmp (envline, "MMAP_MAX_", 9) == 0)
+		mALLOPt(M_MMAP_MAX, atoi(&envline[10]));
+	      break;
+	    case 15:
+	      if (! secure)
+		{
+		  if (memcmp (envline, "TRIM_THRESHOLD_", 15) == 0)
+		    mALLOPt(M_TRIM_THRESHOLD, atoi(&envline[16]));
+		  else if (memcmp (envline, "MMAP_THRESHOLD_", 15) == 0)
+		    mALLOPt(M_MMAP_THRESHOLD, atoi(&envline[16]));
+		}
+	      break;
+	    default:
+	      break;
+	    }
+	}
+    }
 #else
   if (! secure)
     {

	Jakub

Follow-Ups:
- Re: [PATCH] Fix malloc after clearenv
  - From: Roland McGrath

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]