author | Jason Evans <jasone@canonware.com> | 2011-03-22 16:00:56 (GMT) |
---|---|---|
committer | Jason Evans <jasone@canonware.com> | 2011-03-22 16:00:56 (GMT) |
commit | 47e57f9bdadfaf999c9dea5d126edf3a4f1b2995 (patch) | |
tree | f87b3e6aa154788b872bd585ab88f8e602c14369 /jemalloc/src | |
parent | 1dcb4f86b23a5760f5a717ace716360b63b33fad (diff) | |
Avoid overflow in arena_run_regind().
Fix a regression due to:
Remove an arena_bin_run_size_calc() constraint.
2a6f2af6e446a98a635caadd281a23ca09a491cb
The removed constraint required that small run headers fit in one page,
which indirectly limited runs such that they would not cause overflow in
arena_run_regind(). Add an explicit constraint to
arena_bin_run_size_calc() based on the largest number of regions that
arena_run_regind() can handle (2^11 as currently configured).
Diffstat (limited to 'jemalloc/src')
-rw-r--r-- | jemalloc/src/arena.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/jemalloc/src/arena.c b/jemalloc/src/arena.c index 0f4f12a..0693f36 100644 --- a/jemalloc/src/arena.c +++ b/jemalloc/src/arena.c @@ -2427,6 +2427,7 @@ small_size2bin_init_hard(void) * *) bin_info->run_size >= min_run_size * *) bin_info->run_size <= arena_maxclass * *) run header overhead <= RUN_MAX_OVRHD (or header overhead relaxed). + * *) bin_info->nregs <= RUN_MAXREGS * * bin_info->nregs, bin_info->bitmap_offset, and bin_info->reg0_offset are also * calculated here, since these settings are all interdependent. @@ -2459,6 +2460,10 @@ bin_info_run_size_calc(arena_bin_info_t *bin_info, size_t min_run_size) try_run_size = min_run_size; try_nregs = ((try_run_size - sizeof(arena_run_t)) / bin_info->reg_size) + 1; /* Counter-act try_nregs-- in loop. */ + if (try_nregs > RUN_MAXREGS) { + try_nregs = RUN_MAXREGS + + 1; /* Counter-act try_nregs-- in loop. */ + } do { try_nregs--; try_hdr_size = sizeof(arena_run_t); @@ -2500,6 +2505,10 @@ bin_info_run_size_calc(arena_bin_info_t *bin_info, size_t min_run_size) try_nregs = ((try_run_size - sizeof(arena_run_t)) / bin_info->reg_size) + 1; /* Counter-act try_nregs-- in loop. */ + if (try_nregs > RUN_MAXREGS) { + try_nregs = RUN_MAXREGS + + 1; /* Counter-act try_nregs-- in loop. */ + } do { try_nregs--; try_hdr_size = sizeof(arena_run_t); @@ -2526,7 +2535,8 @@ bin_info_run_size_calc(arena_bin_info_t *bin_info, size_t min_run_size) } while (try_run_size <= arena_maxclass && try_run_size <= arena_maxclass && RUN_MAX_OVRHD * (bin_info->reg_size << 3) > RUN_MAX_OVRHD_RELAX - && (try_reg0_offset << RUN_BFP) > RUN_MAX_OVRHD * try_run_size); + && (try_reg0_offset << RUN_BFP) > RUN_MAX_OVRHD * try_run_size + && try_nregs < RUN_MAXREGS); assert(good_hdr_size <= good_reg0_offset); |
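Review bot: The clamp added before the first `do {` in bin_info_run_size_calc() reuses the comment "Counter-act try_nregs-- in loop." but never says why RUN_MAXREGS is the ceiling, and the same four lines are repeated in the next hunk inside the expansion loop. Someone relaxing this later gets no pointer to arena_run_regind(), which is how the regression named in the commit message came about. I would put a comment above each clamp such as `/* arena_run_regind() cannot handle more than RUN_MAXREGS regions per run. */`, or move the region-count computation and the clamp into one small static helper so the two sites cannot drift apart. The function body starts and ends outside both hunks.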
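Review bot: Nothing after the expansion loop checks the new `bin_info->nregs <= RUN_MAXREGS` invariant; it holds only through the two clamps and the added `&& try_nregs < RUN_MAXREGS` term, whereas the neighbouring header invariant has `assert(good_hdr_size <= good_reg0_offset);`. According to the commit message, exceeding the limit overflows the computation in arena_run_regind(), which would presumably yield a wrong region index for a freed pointer, so an explicit check is worth having: `assert(bin_info->nregs <= RUN_MAXREGS);` once the final settings are stored. That point lies past the end of this hunk, so the exact placement needs confirming against the full function.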