Fix junk filling of cached large objects.

Use the size argument to tcache_dalloc_large() to control the number of bytes set to 0x5a when junk filling is enabled, rather than accessing a non-existent arena bin. This bug was capable of corrupting an arbitrarily large memory region, depending on what followed the arena data structure in memory (typically zeroed memory, another arena_t, or a red-black tree node for a huge object).
author: Jason Evans <je@facebook.com> 2010-04-28 19:00:59 (GMT)
committer: Jason Evans <je@facebook.com> 2010-04-28 19:00:59 (GMT)
commit: ecea0f6125ea87ee6fd82f16286b61eb8c0f5692 (patch)
tree: 22569e0140a58a18202db134e039e23d24ce696b /jemalloc
parent: 5055f4516c8852e67668b0e746863a7d6a1c148e (diff)
download: jemalloc-ecea0f6125ea87ee6fd82f16286b61eb8c0f5692.zip
jemalloc-ecea0f6125ea87ee6fd82f16286b61eb8c0f5692.tar.gz
jemalloc-ecea0f6125ea87ee6fd82f16286b61eb8c0f5692.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/jemalloc/include/jemalloc/internal/tcache.h b/jemalloc/include/jemalloc/internal/tcache.h
index fa6c53f..a8be436 100644
--- a/jemalloc/include/jemalloc/internal/tcache.h
+++ b/jemalloc/include/jemalloc/internal/tcache.h
@@ -353,7 +353,7 @@ tcache_dalloc_large(tcache_t *tcache, void *ptr, size_t size)
 
 #ifdef JEMALLOC_FILL
 	if (opt_junk)
-		memset(ptr, 0x5a, arena->bins[binind].reg_size);
+		memset(ptr, 0x5a, size);
 #endif
 
 	tbin = &tcache->tbins[binind];
author	Jason Evans <je@facebook.com>	2010-04-28 19:00:59 (GMT)
committer	Jason Evans <je@facebook.com>	2010-04-28 19:00:59 (GMT)
commit	ecea0f6125ea87ee6fd82f16286b61eb8c0f5692 (patch)
tree	22569e0140a58a18202db134e039e23d24ce696b /jemalloc
parent	5055f4516c8852e67668b0e746863a7d6a1c148e (diff)
download	jemalloc-ecea0f6125ea87ee6fd82f16286b61eb8c0f5692.zip jemalloc-ecea0f6125ea87ee6fd82f16286b61eb8c0f5692.tar.gz jemalloc-ecea0f6125ea87ee6fd82f16286b61eb8c0f5692.tar.bz2