qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-12 09:50:21 -07:00
Code Releases Activity

runtime: fix buffer overflow in stringtoslicerune

Browse Source 
On 32-bits n*sizeof(r[0]) can overflow.
Or it can become 1<<32-eps, and mallocgc will "successfully"
allocate 0 pages for it, there are no checks downstream
and MHeap_Grow just does:
npage = (npage+15)&~15;
ask = npage<<PageShift;

LGTM=khr
R=golang-codereviews, khr
CC=golang-codereviews
https://golang.org/cl/54760045
This commit is contained in:
Dmitriy Vyukov 2014-01-27 20:29:21 +04:00
parent bace9523ee
commit e1a91c5b89
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/pkg/runtime/malloc.goc
View File

@ -224,6 +224,8 @@ largealloc(uint32 flag, uintptr *sizep)
// Allocate directly from heap.
size = *sizep;
if(size + PageSize < size)
runtime·throw("out of memory");
npages = size >> PageShift;
if((size & PageMask) != 0)
npages++;

2
src/pkg/runtime/string.goc
View File

@ -334,6 +334,8 @@ func stringtoslicerune(s String) (b Slice) {
n++;
}
if(n > MaxMem/sizeof(r[0]))
runtime·throw("out of memory");
mem = runtime·roundupsize(n*sizeof(r[0]));
b.array = runtime·mallocgc(mem, 0, FlagNoScan|FlagNoZero);
b.len = n;