$NetBSD: patch-de,v 1.1 2008/08/29 08:08:11 hira Exp $

Fix CVE-2008-3282.

--- sal/rtl/source/alloc_global.c.orig	2008-05-21 21:53:26.000000000 +0900
+++ sal/rtl/source/alloc_global.c	2008-08-29 08:18:14.000000000 +0900
@@ -214,9 +214,7 @@
 		char *     addr;
 		sal_Size   size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
 
-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
 		OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
-
 		if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
 		{
 			/* requested size too large for roundup alignment */
@@ -224,8 +222,8 @@
 		}
 
 try_alloc:
-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
-			addr = (char*)rtl_cache_alloc (g_alloc_table[index]);
+		if (size <= RTL_MEMORY_CACHED_LIMIT)
+			addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]);
 		else
 			addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
 
@@ -255,9 +253,8 @@
 		char *   addr = (char*)(p) - RTL_MEMALIGN;
 		sal_Size size = ((sal_Size*)(addr))[0];
 
-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
-			rtl_cache_free (g_alloc_table[index], addr);
+		if (size <= RTL_MEMORY_CACHED_LIMIT)
+			rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
 		else
 			rtl_arena_free (gp_alloc_arena, addr, size);
 	}