https://projects.archlinux.org/svntogit/packages.git/tree/trunk/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch?h=packages/glibc diff --git a/malloc/malloc.c b/malloc/malloc.c index dd295f5..7f43ba3 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes) size_t page_mask = GLRO(dl_pagesize) - 1; size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); + /* Check for overflow. */ + if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + void *(*hook) (size_t, size_t, const void *) = force_reg (__memalign_hook); if (__builtin_expect (hook != NULL, 0)) diff --git a/malloc/malloc.c b/malloc/malloc.c index 7f43ba3..3148c5f 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes > SIZE_MAX - pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + void *(*hook) (size_t, size_t, const void *) = force_reg (__memalign_hook); if (__builtin_expect (hook != NULL, 0)) diff --git a/malloc/malloc.c b/malloc/malloc.c index 3148c5f..f7718a9 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0;