From e1a91c5b8963e3e02c897f96218d4eae17bcb740 Mon Sep 17 00:00:00 2001
From: Dmitriy Vyukov <dvyukov@google.com>
Date: Mon, 27 Jan 2014 20:29:21 +0400
Subject: runtime: fix buffer overflow in stringtoslicerune On 32-bits
 n*sizeof(r[0]) can overflow. Or it can become 1<<32-eps, and mallocgc will
 "successfully" allocate 0 pages for it, there are no checks downstream and
 MHeap_Grow just does: npage = (npage+15)&~15; ask = npage<<PageShift;

LGTM=khr
R=golang-codereviews, khr
CC=golang-codereviews
https://golang.org/cl/54760045
---
 src/pkg/runtime/malloc.goc | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/pkg/runtime/malloc.goc')

diff --git a/src/pkg/runtime/malloc.goc b/src/pkg/runtime/malloc.goc
index 0a0420d415..280a0a2a8f 100644
--- a/src/pkg/runtime/malloc.goc
+++ b/src/pkg/runtime/malloc.goc
@@ -224,6 +224,8 @@ largealloc(uint32 flag, uintptr *sizep)
 
 	// Allocate directly from heap.
 	size = *sizep;
+	if(size + PageSize < size)
+		runtime·throw("out of memory");
 	npages = size >> PageShift;
 	if((size & PageMask) != 0)
 		npages++;
-- 
cgit v1.3-5-g9baa