path: root/misc/openoffice2/patches/patch-de
$NetBSD: patch-de,v 1.1 2008/08/29 08:08:11 hira Exp $

Fix CVE-2008-3282.

--- sal/rtl/source/alloc_global.c.orig	2008-05-21 21:53:26.000000000 +0900
+++ sal/rtl/source/alloc_global.c	2008-08-29 08:18:14.000000000 +0900
@@ -214,9 +214,7 @@
 		char *     addr;
 		sal_Size   size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
 
-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
 		OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
-
 		if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
 		{
 			/* requested size too large for roundup alignment */
@@ -224,8 +222,8 @@
 		}
 
 try_alloc:
-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
-			addr = (char*)rtl_cache_alloc (g_alloc_table[index]);
+		if (size <= RTL_MEMORY_CACHED_LIMIT)
+			addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]);
 		else
 			addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
 
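Review bot: The new test at `try_alloc:` carries no comment saying why the bound is checked on `size` itself instead of on a precomputed index, and that reasoning is the whole of the fix. The removed `int index` narrowed a `sal_Size`, so on a platform where `sal_Size` is wider than `int` a very large size could presumably yield an index that passed the old `index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT` test. I would add `/* bound-check size in sal_Size; a narrowed int index can pass the limit for huge sizes */` above the `if`. The subscript is also only in range if `g_alloc_table` has `RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT` entries; its declaration is outside the hunk, so confirm that and state it in the comment. The enclosing function starts and ends outside the hunk.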
@@ -255,9 +253,8 @@
 		char *   addr = (char*)(p) - RTL_MEMALIGN;
 		sal_Size size = ((sal_Size*)(addr))[0];
 
-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
-			rtl_cache_free (g_alloc_table[index], addr);
+		if (size <= RTL_MEMORY_CACHED_LIMIT)
+			rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
 		else
 			rtl_arena_free (gp_alloc_arena, addr, size);
 	}
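Review bot: On the free path a `size` of 0 now selects the cache branch with a wrapped index, assuming `sal_Size` is unsigned: `size <= RTL_MEMORY_CACHED_LIMIT` is true for 0, and `(size - 1) >> RTL_MEMALIGN_SHIFT` then becomes a very large subscript into `g_alloc_table`. Unlike the allocation path, `size` here is not computed locally but read back from the block header at `((sal_Size*)(addr))[0]`, so its lower bound depends on that header being intact. Writing the test as `if (size - 1 < RTL_MEMORY_CACHED_LIMIT)` keeps the same result for every non-zero size and keeps a zero out of the table lookup. An `OSL_ASSERT(size >= RTL_MEMALIGN);` before it would also document the expected minimum. The enclosing function starts outside the hunk, so any earlier validation of `p` or of the header is not visible here.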