From 8f0211142c47ce7d96d99ada5c673cbb056bad22 Mon Sep 17 00:00:00 2001
From: Jeff Johnston <jjohnstn@redhat.com>
Date: Tue, 19 Aug 2003 18:09:54 +0000
Subject: 2003-08-19  Jeff Johnston  <jjohnstn@redhat.com>

        * libc/stdlib/mallocr.c (mALLOc, rEALLOc, mEMEALIGn): Enhance
        overflow detection.
---
 newlib/libc/stdlib/mallocr.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'newlib/libc/stdlib/mallocr.c')

diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
index 5e104579e..08a3b00fd 100644
--- a/newlib/libc/stdlib/mallocr.c
+++ b/newlib/libc/stdlib/mallocr.c
@@ -2334,7 +2334,7 @@ Void_t* mALLOc(RARG bytes) RDECL size_t bytes;
   INTERNAL_SIZE_T nb  = request2size(bytes);  /* padded request size; */
 
   /* Check for overflow and just fail, if so. */
-  if (nb > INT_MAX)
+  if (nb > INT_MAX || nb < bytes)
     return 0;
 
   MALLOC_LOCK;
@@ -2797,7 +2797,7 @@ Void_t* rEALLOc(RARG oldmem, bytes) RDECL Void_t* oldmem; size_t bytes;
   nb = request2size(bytes);
 
   /* Check for overflow and just fail, if so. */
-  if (nb > INT_MAX)
+  if (nb > INT_MAX || nb < bytes)
     return 0;
 
 #if HAVE_MMAP
@@ -3028,6 +3028,11 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
   /* Call malloc with worst case padding to hit alignment. */
 
   nb = request2size(bytes);
+
+  /* Check for overflow. */
+  if (nb > INT_MAX || nb < bytes)
+    return 0;
+
   m  = (char*)(mALLOc(RCALL nb + alignment + MINSIZE));
 
   if (m == 0) return 0; /* propagate failure */
-- 
cgit v1.2.3