{
int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool;
+/* Ensure we've been asked to allocate memory.
+A negative size is a sign of a security problem.
+A zero size might be also suspect, but our internal usage deliberately
+does this to return a current watermark value for a later release of
+allocated store. */
+
+if (size < 0 || size >= INT_MAX/2)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "bad memory allocation requested (%d bytes) at %s %d",
+ size, func, linenumber);
+
/* Round up the size to a multiple of the alignment. Although this looks a
messy statement, because "alignment" is a constant expression, the compiler can
do a reasonable job of optimizing, especially if the value of "alignment" is a
if (size > yield_length[pool])
{
- int length = MAX(STORE_BLOCK_SIZE(store_block_order[pool]), size);
+ int length = MAX(
+ STORE_BLOCK_SIZE(store_block_order[pool]) - ALIGNED_SIZEOF_STOREBLOCK,
+ size);
int mlength = length + ALIGNED_SIZEOF_STOREBLOCK;
storeblock * newblock;
int inc = newsize - oldsize;
int rounded_oldsize = oldsize;
+if (oldsize < 0 || newsize < oldsize || newsize >= INT_MAX/2)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "bad memory extension requested (%d -> %d bytes) at %s %d",
+ oldsize, newsize, func, linenumber);
+
/* Check that the block being extended was already of the required taint status;
refuse to extend if not. */
bb = b->next;
b->next = NULL;
-/* If there will be only one block left in the pool, drop one
-most-recent allocation size increase, ensuring it does not increase
-forever. */
-
-if (!bb && store_block_order[pool] > 12) store_block_order[pool]--;
-
while ((b = bb))
{
int siz = b->length + ALIGNED_SIZEOF_STOREBLOCK;
+
#ifndef COMPILE_UTILITY
if (debug_store)
assert_no_variables(b, b->length + ALIGNED_SIZEOF_STOREBLOCK,
pool_malloc -= siz;
nblocks[pool]--;
internal_store_free(b, func, linenumber);
+
+#ifndef RESTRICTED_MEMORY
+ if (store_block_order[pool] > 13) store_block_order[pool]--;
+#endif
}
/* Cut out the debugging stuff for utilities, but stop picky compilers from
memset(bb, 0xF0, bb->length+ALIGNED_SIZEOF_STOREBLOCK);
#endif /* COMPILE_UTILITY */
- free(bb);
+ internal_store_free(bb, func, linenumber);
return;
}
}
die_tainted(US"store_newblock", CUS func, linenumber);
#endif
+if (len < 0 || len > newsize)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "bad memory extension requested (%d -> %d bytes) at %s %d",
+ len, newsize, func, linenumber);
+
newtext = store_get(newsize, tainted);
memcpy(newtext, block, len);
if (release_ok) store_release_3(block, pool, func, linenumber);
{
void * yield;
+if (size < 0 || size >= INT_MAX/2)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "bad memory allocation requested (%d bytes) at %s %d",
+ size, func, line);
+
size += sizeof(int); /* space to store the size, used under debug */
if (size < 16) size = 16;
debug_printf("----Exit npools max: %3d kB\n", max_pool_malloc/1024);
for (int i = 0; i < NPOOLS; i++)
debug_printf("----Exit pool %d max: %3d kB in %d blocks at order %u\t%s %s\n",
- i, maxbytes[i]/1024, maxblocks[i], maxorder[i],
+ i, (maxbytes[i]+1023)/1024, maxblocks[i], maxorder[i],
poolclass[i], pooluse[i]);
}
#endif