Merge pull request #3 from velvitonator/large-alloc-corruption

Protect against large sizes resulting in off-the-end free blocks
mattconte committed Feb 22, 2018
2 parents 16b6a96 + 72601dd commit a1f743ffac0305408b39e791e0ffb45f6d9bc777
Showing with 11 additions and 1 deletion.
  1. +11 −1 tlsf.c
@@ -758,7 +758,17 @@ static block_header_t* block_locate_free(control_t* control, size_t size)
if (size)
{
mapping_search(size, &fl, &sl);
block = search_suitable_block(control, &fl, &sl);
/*
** mapping_search can futz with the size, so for excessively large sizes it can sometimes wind up
** with indices that are off the end of the block array.
** So, we protect against that here, since this is the only callsite of mapping_search.
** Note that we don't need to check sl, since it comes from a modulo operation that guarantees it's always in range.
*/
if (fl < FL_INDEX_COUNT)
{
block = search_suitable_block(control, &fl, &sl);
}
}
if (block)
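Review bot: the new guard `if (fl < FL_INDEX_COUNT)` only turns an oversized request into a clean failed allocation if `block` is already initialised to a null pointer before `if (size)`; that initialisation is outside the hunk, so it should be confirmed, and an explicit `else { block = 0; }` (or a one-line comment stating the fall-through relies on the initialiser) would make the intent obvious to the next reader. The comment also justifies placing the check here because this is "the only callsite of mapping_search", which makes the fix fragile: any future caller gets the same off-the-end index. Consider clamping or asserting inside `mapping_search` itself (e.g. `tlsf_assert(*fl < FL_INDEX_COUNT)` after the indices are computed), so the invariant is enforced where the indices are produced rather than at one consumer.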
