git-fast-import possible memory corruption problem
Internal "allocate in bulk, we will never free this memory anyway" allocator used in fast-import had a logic to round up the size of the requested memory block in a wrong place (it computed if the available space is enough to fit the request first, and then carved a chunk of memory by size rounded up to the alignment, which could go beyond the actually available space). Signed-off-by: Junio C Hamano <gitster@pobox.com>maint
parent
7e76aba317
commit
2fad5329f4
|
@ -554,6 +554,10 @@ static void *pool_alloc(size_t len)
|
||||||
struct mem_pool *p;
|
struct mem_pool *p;
|
||||||
void *r;
|
void *r;
|
||||||
|
|
||||||
|
/* round up to a 'uintmax_t' alignment */
|
||||||
|
if (len & (sizeof(uintmax_t) - 1))
|
||||||
|
len += sizeof(uintmax_t) - (len & (sizeof(uintmax_t) - 1));
|
||||||
|
|
||||||
for (p = mem_pool; p; p = p->next_pool)
|
for (p = mem_pool; p; p = p->next_pool)
|
||||||
if ((p->end - p->next_free >= len))
|
if ((p->end - p->next_free >= len))
|
||||||
break;
|
break;
|
||||||
|
@ -572,9 +576,6 @@ static void *pool_alloc(size_t len)
|
||||||
}
|
}
|
||||||
|
|
||||||
r = p->next_free;
|
r = p->next_free;
|
||||||
/* round out to a 'uintmax_t' alignment */
|
|
||||||
if (len & (sizeof(uintmax_t) - 1))
|
|
||||||
len += sizeof(uintmax_t) - (len & (sizeof(uintmax_t) - 1));
|
|
||||||
p->next_free += len;
|
p->next_free += len;
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
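Review bot: The new comment at the top of the first hunk says what the rounding does but not why it now precedes the fit check, which is the point of the fix; a note such as `/* round up before the fit check so the length compared below is the length actually carved */` would stop a later cleanup from moving it back next to `p->next_free += len`. The rounding is also unguarded against wrap-around when `len` lies within `sizeof(uintmax_t)` of `SIZE_MAX`: the addition then wraps to a small value and a short chunk is carved while the caller believes it got `len` bytes; callers are not visible here, so this is probably only worth a comment or an assert rather than a code change in this commit. The pool-growth code between the two hunks presumably sizes a fresh pool from `len` and now receives the rounded value, which is consistent, but it is outside both hunks. `pool_alloc` is cut by both hunks; its opening line and the lines between the hunks are not shown.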