fix simple_malloc size restrictions

do not allow allocations that overflow ptrdiff_t; fix some overflow
checks that were not quite right but didn't matter due to address
layout implementation.

diff --git a/src/malloc/__simple_malloc.c b/src/malloc/__simple_malloc.c
index 49b74c8e9cf44a3c1a1ebb575b87af4cd8fc7eea..61cd9fc491b914e2bd8e9508f82a9a96e2397414 100644 (file)
--- a/src/malloc/__simple_malloc.c
+++ b/src/malloc/__simple_malloc.c
@@ -15,16 +15,16 @@ void *__simple_malloc(size_t n)
        static int lock;
        size_t align=1;
 
-       if (n < SIZE_MAX - ALIGN)
-               while (align<n && align<ALIGN)
-                       align += align;
+       if (n > SIZE_MAX/2) goto toobig;
+
+       while (align<n && align<ALIGN)
+               align += align;
        n = n + align - 1 & -align;
 
        LOCK(&lock);
        if (!cur) cur = brk = __brk(0)+16;
-       if (n > SIZE_MAX - brk) goto fail;
-
        base = cur + align-1 & -align;
+       if (n > SIZE_MAX - PAGE_SIZE - base) goto fail;
        if (base+n > brk) {
                new = base+n + PAGE_SIZE-1 & -PAGE_SIZE;
                if (__brk(new) != new) goto fail;
@@ -37,6 +37,7 @@ void *__simple_malloc(size_t n)
 
 fail:
        UNLOCK(&lock);
+toobig:
        errno = ENOMEM;
        return 0;
 }