authorJason Evans <jasone@canonware.com>2017-01-04 15:51:49 (GMT)
committerJason Evans <jasone@canonware.com>2017-01-07 02:58:46 (GMT)
commit6edbedd9164d9b7682f7c3afb44e2b85c8eb52de (patch)
treeabed6471e9ca0573c1b827950d523463b4d8f79d /src/ctl.c
parentc0a05e6abaca7d23c2cc225abb1b59a1160632a0 (diff)
Range-check mib[1] --> arena_ind casts.
Diffstat (limited to 'src/ctl.c')
-rw-r--r--src/ctl.c29
1 files changed, 22 insertions, 7 deletions
diff --git a/src/ctl.c b/src/ctl.c
index d39edbf..0e7a09d 100644
--- a/src/ctl.c
+++ b/src/ctl.c
@@ -899,7 +899,7 @@ ctl_bymib(tsd_t *tsd, const size_t *mib, size_t miblen, void *oldp,
assert(node->nchildren > 0);
if (ctl_named_node(node->children) != NULL) {
/* Children are named. */
- if (node->nchildren <= (unsigned)mib[i]) {
+ if (node->nchildren <= mib[i]) {
ret = ENOENT;
goto label_return;
}
@@ -1010,6 +1010,14 @@ ctl_postfork_child(tsdn_t *tsdn)
} \
} while (0)
+#define MIB_UNSIGNED(v, i) do { \
+ if (mib[i] > UINT_MAX) { \
+ ret = EFAULT; \
+ goto label_return; \
+ } \
+ v = (unsigned)mib[i]; \
+} while (0)
+
/*
* There's a lot of code duplication in the following macros due to limitations
* in how nested cpp macros are expanded.
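Review bot: MIB_UNSIGNED carries no comment and leaves its `v` and `i` arguments unparenthesized, unlike the usual protection of macro arguments; `if (mib[(i)] > UINT_MAX) { \` and `(v) = (unsigned)mib[(i)]; \` would close that, and a header comment such as `/* Narrow mib[i] to unsigned; fails with EFAULT (via ret/label_return) when the value does not fit. Requires mib, ret and label_return in scope. */` would document the implicit dependency on the caller's locals that every expansion below relies on. On targets where size_t is 32-bit the `mib[i] > UINT_MAX` test is always false and some compilers warn about the tautological comparison; harmless, but worth knowing before enabling warnings-as-errors. The error code also differs from the ENOENT that ctl_bymib returns for an out-of-range index in the first hunk, so callers of the arena.<i>.* nodes see EFAULT for the same class of bad input — presumably intentional, matching the EFAULT used when an arena lookup fails in arena_i_decay_time_ctl, but a one-line note on the macro would make that choice explicit.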
@@ -1503,10 +1511,12 @@ arena_i_purge_ctl(tsd_t *tsd, const size_t *mib, size_t miblen, void *oldp,
size_t *oldlenp, void *newp, size_t newlen)
{
int ret;
+ unsigned arena_ind;
READONLY();
WRITEONLY();
- arena_i_purge(tsd_tsdn(tsd), (unsigned)mib[1], true);
+ MIB_UNSIGNED(arena_ind, 1);
+ arena_i_purge(tsd_tsdn(tsd), arena_ind, true);
ret = 0;
label_return:
@@ -1518,10 +1528,12 @@ arena_i_decay_ctl(tsd_t *tsd, const size_t *mib, size_t miblen, void *oldp,
size_t *oldlenp, void *newp, size_t newlen)
{
int ret;
+ unsigned arena_ind;
READONLY();
WRITEONLY();
- arena_i_purge(tsd_tsdn(tsd), (unsigned)mib[1], false);
+ MIB_UNSIGNED(arena_ind, 1);
+ arena_i_purge(tsd_tsdn(tsd), arena_ind, false);
ret = 0;
label_return:
@@ -1538,8 +1550,8 @@ arena_i_reset_ctl(tsd_t *tsd, const size_t *mib, size_t miblen, void *oldp,
READONLY();
WRITEONLY();
+ MIB_UNSIGNED(arena_ind, 1);
- arena_ind = (unsigned)mib[1];
if (config_debug) {
malloc_mutex_lock(tsd_tsdn(tsd), &ctl_mtx);
assert(arena_ind < ctl_stats->narenas);
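Review bot: The only bound on arena_ind against the arena count visible in this function is the `assert(arena_ind < ctl_stats->narenas)` under `config_debug`, so in release builds MIB_UNSIGNED rejects values above UINT_MAX but any smaller out-of-range index continues into the rest of arena_i_reset_ctl, which lies outside the hunk. arena_i_extent_hooks_ctl checks `arena_ind < narenas_total_get()` at runtime before using the index; if the code after this hunk does not do the equivalent, the same runtime check with `ret = EFAULT` would make this function consistent with it. The function's beginning and end are outside the hunk.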
@@ -1566,12 +1578,13 @@ arena_i_dss_ctl(tsd_t *tsd, const size_t *mib, size_t miblen, void *oldp,
{
int ret;
const char *dss = NULL;
- unsigned arena_ind = (unsigned)mib[1];
+ unsigned arena_ind;
dss_prec_t dss_prec_old = dss_prec_limit;
dss_prec_t dss_prec = dss_prec_limit;
malloc_mutex_lock(tsd_tsdn(tsd), &ctl_mtx);
WRITE(dss, const char *);
+ MIB_UNSIGNED(arena_ind, 1);
if (dss != NULL) {
int i;
bool match = false;
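Review bot: MIB_UNSIGNED is expanded after `malloc_mutex_lock(tsd_tsdn(tsd), &ctl_mtx)`, so its EFAULT path jumps to label_return while holding the lock; that is only correct if label_return releases ctl_mtx, which the existing WRITE() on the preceding line already relies on, so it is presumably fine but not visible here. A short comment at the macro call, `/* After the lock: label_return unlocks ctl_mtx. */`, would stop a later edit from hoisting the check above the lock and turning the failure path into an unlock of an unheld mutex. The same ordering appears in arena_i_extent_hooks_ctl, where MIB_UNSIGNED also follows the lock. arena_i_dss_ctl continues past the hunk.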
@@ -1626,9 +1639,10 @@ arena_i_decay_time_ctl(tsd_t *tsd, const size_t *mib, size_t miblen, void *oldp,
size_t *oldlenp, void *newp, size_t newlen)
{
int ret;
- unsigned arena_ind = (unsigned)mib[1];
+ unsigned arena_ind;
arena_t *arena;
+ MIB_UNSIGNED(arena_ind, 1);
arena = arena_get(tsd_tsdn(tsd), arena_ind, false);
if (arena == NULL) {
ret = EFAULT;
@@ -1661,10 +1675,11 @@ arena_i_extent_hooks_ctl(tsd_t *tsd, const size_t *mib, size_t miblen,
void *oldp, size_t *oldlenp, void *newp, size_t newlen)
{
int ret;
- unsigned arena_ind = (unsigned)mib[1];
+ unsigned arena_ind;
arena_t *arena;
malloc_mutex_lock(tsd_tsdn(tsd), &ctl_mtx);
+ MIB_UNSIGNED(arena_ind, 1);
if (arena_ind < narenas_total_get() && (arena =
arena_get(tsd_tsdn(tsd), arena_ind, false)) != NULL) {
if (newp != NULL) {