From 9824fe3e392caa04dc1b4071886e9ac402dd6d95 Mon Sep 17 00:00:00 2001
From: Yossi Gottlieb
Date: Mon, 26 Oct 2020 14:49:08 +0200
Subject: [PATCH] Fix wrong zmalloc_size() assumption. (#7963)

When using a system with no malloc_usable_size(), zmalloc_size() assumed that the heap allocator always returns blocks that are long-padded. This may not always be the case, and will result with zmalloc_size() returning a size that is bigger than allocated. At least in one case this leads to out of bound write, process crash and a potential security vulnerability. Effectively this does not affect the vast majority of users, who use jemalloc or glibc. This problem along with a (different) fix was reported by Drew DeVault.
---
 src/zmalloc.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/zmalloc.c b/src/zmalloc.c
index 4a7f2028e..565376721 100644
--- a/src/zmalloc.c
+++ b/src/zmalloc.c
@@ -236,9 +236,6 @@ void *zrealloc_usable(void *ptr, size_t size, size_t *usable) {
 size_t zmalloc_size(void *ptr) {
 void *realptr = (char*)ptr-PREFIX_SIZE;
 size_t size = *((size_t*)realptr);
- /* Assume at least that all the allocations are padded at sizeof(long) by
- * the underlying allocator. */
- if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1));
 return size+PREFIX_SIZE;
 }
 size_t zmalloc_usable_size(void *ptr) {
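Review bot: The new body returns the prefix value plus PREFIX_SIZE with nothing in the code recording why the rounding was removed, so a later refactor could quietly reintroduce the long-padding assumption that caused the out-of-bounds write; a comment above `return size+PREFIX_SIZE;` would pin the contract: `/* The prefix holds the exact requested size. Do not round it up to sizeof(long): the underlying allocator need not pad, and over-reporting lets callers write past the block (#7963). */`. This is only correct if the allocation paths store the exact requested size in the prefix rather than a rounded value, which the hunk does not show — worth confirming against zmalloc()/zrealloc() before merging. Presumably this definition sits under the `#ifndef HAVE_MALLOC_SIZE` branch, since malloc_usable_size() is mentioned in the description; that guard begins outside the hunk. With the padding gone, `zmalloc_usable_size()` on this path reports no spare tail bytes, so callers that grow into the usable tail will see exactly the requested size, which is the intended effect rather than a regression.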