This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] fix to malloc checking
- From: Andreas Schwab <schwab at linux-m68k dot org>
- To: James Lemke <jwlemke at codesourcery dot com>
- Cc: <libc-alpha at sourceware dot org>
- Date: Tue, 11 Nov 2014 21:19:14 +0100
- Subject: Re: [PATCH] fix to malloc checking
- Authentication-results: sourceware.org; auth=none
- References: <5462592E dot 9050301 at codesourcery dot com>
James Lemke <jwlemke@codesourcery.com> writes:
> +/* Visualize the chunk as being partitioned into blocks of 255 bytes from the
> + highest address of the chunk, downwards. The end of each block tells us
> + the size of that block, up to the actual size of the requested memory.
> + The last block has a length of zero and is followed by the magic byte.
> + Our magic byte is right at the end of the requested size. If we don't
> + reach it with this iteration we have witnessed a memory corruption. */
> static size_t
> malloc_check_get_size (mchunkptr p)
> {
> - size_t size;
> + size_t total_sz, size;
> unsigned char c;
> unsigned char magic = MAGICBYTE (p);
>
> assert (using_malloc_checking == 1);
>
> - for (size = chunksize (p) - 1 + (chunk_is_mmapped (p) ? 0 : SIZE_SZ);
> - (c = ((unsigned char *) p)[size]) != magic;
> + /* Validate the length-byte chain. */
> + total_sz = chunksize (p) + (chunk_is_mmapped (p) ? 0 : SIZE_SZ);
> + for (size = total_sz - 1;
> + (c = ((unsigned char *) p)[size]) != 0;
> size -= c)
> {
> - if (c <= 0 || size < (c + 2 * SIZE_SZ))
> - {
> - malloc_printerr (check_action, "malloc_check_get_size: memory corruption",
> - chunk2mem (p));
> - return 0;
> - }
> + if (size - c <= 2 * SIZE_SZ)
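Review bot: the replacement test `if (size - c <= 2 * SIZE_SZ)` in malloc_check_get_size is an unsigned subtraction (`size` is size_t and `c` is converted to it), so when a corrupted length byte `c` is larger than the current index the difference wraps to a huge value, the test does not fire, and the loop's `size -= c` then indexes far before the chunk. The removed form `size < (c + 2 * SIZE_SZ)` could not wrap because `c` is at most 255; keep the comparison in that shape (for example `size <= c + 2 * SIZE_SZ`) or reject `c > size` before subtracting. Note also that the old `c <= 0` error branch has become the loop's exit condition `(c = ...) != 0`, so a zero length byte is now accepted silently and the post-loop magic-byte check (not visible in this hunk) is the only thing that distinguishes the legitimate zero-length last block described in the new comment from a zeroed-out trailer.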
If c > size then the difference wraps around.
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
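The wraparound Andreas describes, as an added example that is not glibc code and not part of the original thread: the walker below mirrors the patched loop over a trailer laid out the way the quoted comment describes (blocks of at most 255 bytes from the top of the chunk downward, a zero length byte, then the magic byte at the end of the requested size), once with the patch's `size - c <= 2 * SIZE_SZ` test and once with the same bound written as `size <= c + 2 * SIZE_SZ`, which cannot wrap. The layout, the `MAGIC` value, the `HDR` constant and the names `build_trailer`, `walk_chain` and `scenario` are constructed for this demo; the `c > size` guard inside the loop is demo-only and reports where the real loop would have read out of bounds instead of doing so.

```c
/* Added example, not glibc code: a trailer walker modelled on the layout the
   quoted comment describes, run once with the patched test
   `size - c <= 2 * SIZE_SZ` and once with the same bound written so it
   cannot wrap.  Layout, magic value and all names here are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ (sizeof (size_t))
#define HDR     (2 * SIZE_SZ)   /* chunk header: user data starts at buf[HDR] */
#define MAGIC   0xA5            /* constructed; glibc derives its byte per chunk */

enum walk_result { WALK_OK, WALK_CORRUPT, WALK_WOULD_OOB };

/* Constructed trailer: magic byte at buf[HDR + req], a zero length byte just
   above it, and the bytes above that split into blocks of at most 255 whose
   last byte holds the block length.  Returns 0 if the trailer does not fit. */
int
build_trailer (unsigned char *buf, size_t total, size_t req)
{
  size_t zero = HDR + req + 1, i;
  if (total == 0 || zero > total - 1)
    return 0;
  memset (buf, 0, total);
  buf[HDR + req] = MAGIC;
  for (i = total - 1; i > zero; )
    {
      size_t len = i - zero > 255 ? 255 : i - zero;
      buf[i] = (unsigned char) len;
      i -= len;
    }
  return 1;
}

/* Walk the chain from the top of the chunk.  wrap_safe == 0 uses the check
   from the patch; wrap_safe == 1 moves c to the other side of the comparison,
   where c <= 255 plus HDR cannot overflow.  The `c > size` test is demo-only:
   it reports where the real loop would have indexed before buf[0]. */
enum walk_result
walk_chain (const unsigned char *buf, size_t total, int wrap_safe, size_t *req)
{
  size_t size;
  unsigned char c;
  for (size = total - 1; (c = buf[size]) != 0; size -= c)
    {
      int corrupt = wrap_safe ? (size <= c + HDR) : (size - c <= HDR);
      if (corrupt)
        return WALK_CORRUPT;
      if (c > size)
        return WALK_WOULD_OOB;
    }
  /* The zero byte must sit above the header and directly above the magic. */
  if (size <= HDR || buf[size - 1] != MAGIC)
    return WALK_CORRUPT;
  *req = size - 1 - HDR;
  return WALK_OK;
}

/* Build a chunk of `total` bytes for a `req`-byte request, optionally
   overwrite the topmost length byte with `bad`, then walk it. */
enum walk_result
scenario (size_t total, size_t req, int tamper, unsigned char bad,
          int wrap_safe, size_t *got)
{
  unsigned char buf[1024];
  if (total > sizeof buf || !build_trailer (buf, total, req))
    return WALK_CORRUPT;
  if (tamper)
    buf[total - 1] = bad;
  return walk_chain (buf, total, wrap_safe, got);
}

int
main (void)
{
  static const char *names[] = { "ok", "corrupt", "would read out of bounds" };
  size_t got = 0;
  printf ("intact chain, patched check: %s (req %zu)\n",
          names[scenario (600, 37, 0, 0, 0, &got)], got);
  printf ("c=200 > size=63, patched check: %s\n",
          names[scenario (64, 20, 1, 200, 0, &got)]);
  printf ("c=200 > size=63, wrap-safe check: %s\n",
          names[scenario (64, 20, 1, 200, 1, &got)]);
  return 0;
}
```

With a 64-byte chunk the topmost length byte sits at index 63, so any length byte above 63 makes `size - c` wrap: the patched check lets it through and the next iteration would index before the chunk, while the rewritten comparison reports corruption. A wrong length byte that stays below the index (50, say) is caught by both forms, since then the subtraction lands inside the header.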