diff -Nurp glibc-2.14.1/malloc/malloc.c glibc-2.14.1-cve/malloc/malloc.c --- glibc-2.14.1/malloc/malloc.c 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/malloc/malloc.c 2013-10-06 17:34:41.671415253 +0300 @@ -3874,6 +3874,13 @@ public_mEMALIGn(size_t alignment, size_t /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0; @@ -3919,6 +3926,13 @@ public_vALLOc(size_t bytes) size_t pagesz = mp_.pagesize; + /* Check for overflow. */ + if (bytes > SIZE_MAX - pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, __const __malloc_ptr_t)) = force_reg (__memalign_hook); @@ -3967,6 +3981,13 @@ public_pVALLOc(size_t bytes) size_t page_mask = mp_.pagesize - 1; size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); + /* Check for overflow. */ + if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, __const __malloc_ptr_t)) = force_reg (__memalign_hook);