commit c0e82f117357a941e4d40fcc08babbd6a3c3a1b5
Author: Istvan Kurucsai <pistukem@gmail.com>
Date:   Fri Dec 21 00:13:01 2018 -0500
    malloc: Check the alignment of mmapped chunks before unmapping.
    
    * malloc/malloc.c (munmap_chunk): Verify chunk alignment.
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 4df5cb4862a7b854..4412a4ffc83b013b 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2817,6 +2817,7 @@ systrim (size_t pad, mstate av)
 static void
 munmap_chunk (mchunkptr p)
 {
+  size_t pagesize = GLRO (dl_pagesize);
   INTERNAL_SIZE_T size = chunksize (p);
 
   assert (chunk_is_mmapped (p));
@@ -2826,6 +2827,7 @@ munmap_chunk (mchunkptr p)
   if (DUMPED_MAIN_ARENA_CHUNK (p))
     return;
 
+  uintptr_t mem = (uintptr_t) chunk2mem (p);
   uintptr_t block = (uintptr_t) p - prev_size (p);
   size_t total_size = prev_size (p) + size;
   /* Unfortunately we have to do the compilers job by hand here.  Normally
@@ -2833,7 +2835,8 @@ munmap_chunk (mchunkptr p)
      page size.  But gcc does not recognize the optimization possibility
      (in the moment at least) so we combine the two values into one before
      the bit test.  */
-  if (__builtin_expect (((block | total_size) & (GLRO (dl_pagesize) - 1)) != 0, 0))
+  if (__glibc_unlikely ((block | total_size) & (pagesize - 1)) != 0
+      || __glibc_unlikely (!powerof2 (mem & (pagesize - 1))))
     malloc_printerr ("munmap_chunk(): invalid pointer");
 
   atomic_decrement (&mp_.n_mmaps);
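Review bot: The `!= 0` on the first operand of the new condition sits outside `__glibc_unlikely`, so the hint is attached to the masked value rather than to the comparison, and the operand reads differently from the second one, where the negation is inside the macro; `__glibc_unlikely (((block | total_size) & (pagesize - 1)) != 0)` gives both operands the same shape, and the truth value is unchanged either way. The comment above the test still only explains the combined block/total_size bit test, while the new `powerof2 (mem & (pagesize - 1))` operand is left unexplained; the intent appears to be that the user pointer of an mmapped chunk lies at a power-of-two offset into its page (MALLOC_ALIGNMENT past the page start, or the alignment requested through memalign), so a comment such as `/* The user pointer of an mmapped chunk sits at a power-of-two offset into its page; anything else means the chunk header was corrupted.  */` would record that. It is also worth stating in that comment that the test accepts every power-of-two offset, so it is a cheap consistency check on glibc's own layout rather than a proof that prev_size is intact. munmap_chunk begins in the first hunk of this file and its body continues past this one.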