
From 52ffbdf25a1100986f4ae27bb0febbe5a722ab25 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 10 Sep 2014 20:29:15 +0200
Subject: [PATCH] malloc: additional unlink hardening for non-small bins [BZ
 #17344]

Turn two asserts into a conditional call to malloc_printerr.  The
memory locations are accessed later anyway, so the performance
impact is minor.
---
 ChangeLog       | 6 ++++++
 NEWS            | 2 +-
 malloc/malloc.c | 6 ++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

#diff --git a/ChangeLog b/ChangeLog
#index 0377062..71c9671 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,3 +1,9 @@
#+2014-09-11  Florian Weimer  <fweimer@redhat.com>
#+
#+	[BZ #17344]
#+	* malloc/malloc.c (unlink): Turn asserts into a call to
#+	malloc_printerr.
#+
# 2014-09-11  Tim Lammens  <tim.lammens@gmail.com>
# 
# 	[BZ #17370]
#diff --git a/NEWS b/NEWS
#index c607d12..680c265 100644
#--- a/NEWS
#+++ b/NEWS
#@@ -29,7 +29,7 @@ Version 2.20
#   16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031,
#   17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079,
#   17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
#-  17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354.
#+  17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17344, 17354.
# 
# * Reverted change of ABI data structures for s390 and s390x:
#   On s390 and s390x the size of struct ucontext and jmp_buf was increased in
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6ee3840..6cbe9f3 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1418,8 +1418,10 @@ typedef struct malloc_chunk *mbinptr;
         BK->fd = FD;							      \
         if (!in_smallbin_range (P->size)				      \
             && __builtin_expect (P->fd_nextsize != NULL, 0)) {		      \
-            assert (P->fd_nextsize->bk_nextsize == P);			      \
-            assert (P->bk_nextsize->fd_nextsize == P);			      \
+	    if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0)	      \
+		|| __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0))    \
+	      malloc_printerr (check_action,				      \
+			       "corrupted double-linked list (not small)", P);\
             if (FD->fd_nextsize == NULL) {				      \
                 if (P->fd_nextsize == P)				      \
                   FD->fd_nextsize = FD->bk_nextsize = FD;		      \
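Review bot: The new malloc_printerr call on the added lines is a diagnostic, not a barrier: if check_action does not request an abort (it is set from the MALLOC_CHECK_ / M_CHECK_ACTION tunable, and I believe malloc_printerr simply returns when the abort bit is clear), control falls through to the `if (FD->fd_nextsize == NULL)` branch and the nextsize relinking below still writes through P's corrupted fd_nextsize/bk_nextsize pointers. That matches what the existing small-bin "corrupted double-linked list" check above the hunk already does, so it is a consistent choice, but it deserves a comment so nobody mistakes this for a guaranteed stop; I would add `/* As for the small-bin check above: malloc_printerr may return if check_action lacks the abort bit, in which case the relinking below proceeds on P's unverified nextsize links.  */` before the new `if`. Also note that the check reads `P->fd_nextsize->bk_nextsize` and `P->bk_nextsize->fd_nextsize` before validating either pointer, so a chunk with a NULL or wild bk_nextsize faults in the comparison instead of reaching the error message, which is acceptable (a read, not a write) but worth stating. The unlink macro begins and ends outside this hunk.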
-- 
2.1.0