| author | Dmitriy Vyukov <dvyukov@google.com> | 2014-01-27 20:29:21 +0400 |
|---|---|---|
| committer | Dmitriy Vyukov <dvyukov@google.com> | 2014-01-27 20:29:21 +0400 |
| commit | e1a91c5b8963e3e02c897f96218d4eae17bcb740 (patch) | |
| tree | a4c80ef1b6c28ef75d94e00349b08e3181e17b32 /src/pkg/runtime/malloc.goc | |
| parent | bace9523eed9bc695310cd327b19ecdf7aa44612 (diff) | |
| download | go-e1a91c5b8963e3e02c897f96218d4eae17bcb740.tar.xz | |
runtime: fix buffer overflow in stringtoslicerune
On 32-bits n*sizeof(r[0]) can overflow.
Or it can become 1<<32-eps, and mallocgc will "successfully"
allocate 0 pages for it, there are no checks downstream
and MHeap_Grow just does:
npage = (npage+15)&~15;
ask = npage<<PageShift;
LGTM=khr
R=golang-codereviews, khr
CC=golang-codereviews
https://golang.org/cl/54760045
Diffstat (limited to 'src/pkg/runtime/malloc.goc')
| -rw-r--r-- | src/pkg/runtime/malloc.goc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/pkg/runtime/malloc.goc b/src/pkg/runtime/malloc.goc
index 0a0420d415..280a0a2a8f 100644
--- a/src/pkg/runtime/malloc.goc
+++ b/src/pkg/runtime/malloc.goc
@@ -224,6 +224,8 @@ largealloc(uint32 flag, uintptr *sizep)
  // Allocate directly from heap.
  size = *sizep;
+ if(size + PageSize < size)
+ runtime·throw("out of memory");
  npages = size >> PageShift;
  if((size & PageMask) != 0)
  npages++;
|
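Review bot: The added guard `if(size + PageSize < size)` leaves a margin of only one page, while the MHeap_Grow rounding quoted in the description, `npage = (npage+15)&~15`, rounds up to a multiple of 16 pages, so a size within roughly 16 pages of the uintptr limit still passes here and can make `npage<<PageShift` wrap to 0. Unless a check outside this hunk rejects such sizes, widen the margin to match the downstream rounding, e.g. `if(size + ((uintptr)16<<PageShift) < size)`, and add a comment such as `// Reject sizes whose round-up to whole pages would wrap uintptr.` The guard also cannot see a product like `n*sizeof(r[0])` that has already wrapped to a small value in the caller, so that multiplication needs its own bound at the call site; the diffstat is limited to this file, so whether the commit does that is not visible. largealloc's body starts and ends outside the hunk.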
