PKGBUILDs/core/glibc/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch

diff --git a/malloc/malloc.c b/malloc/malloc.c
index dd295f5..7f43ba3 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
   size_t page_mask = GLRO(dl_pagesize) - 1;
   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   void *(*hook) (size_t, size_t, const void *) =
     force_reg (__memalign_hook);
   if (__builtin_expect (hook != NULL, 0))
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 7f43ba3..3148c5f 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
 
   size_t pagesz = GLRO(dl_pagesize);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   void *(*hook) (size_t, size_t, const void *) =
     force_reg (__memalign_hook);
   if (__builtin_expect (hook != NULL, 0))
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 3148c5f..f7718a9 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   arena_get(ar_ptr, bytes + alignment + MINSIZE);
   if(!ar_ptr)
     return 0;
core/glibc to 2.18-4 2013-09-16 13:29:53 +00:00			`diff --git a/malloc/malloc.c b/malloc/malloc.c`
			`index dd295f5..7f43ba3 100644`
			`--- a/malloc/malloc.c`
			`+++ b/malloc/malloc.c`
			`@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)`
			`size_t page_mask = GLRO(dl_pagesize) - 1;`
			`size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);`

			`+ /* Check for overflow. */`
			`+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)`
			`+ {`
			`+ __set_errno (ENOMEM);`
			`+ return 0;`
			`+ }`
			`+`
			`void (hook) (size_t, size_t, const void *) =`
			`force_reg (__memalign_hook);`
			`if (__builtin_expect (hook != NULL, 0))`
			`diff --git a/malloc/malloc.c b/malloc/malloc.c`
			`index 7f43ba3..3148c5f 100644`
			`--- a/malloc/malloc.c`
			`+++ b/malloc/malloc.c`
			`@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)`

			`size_t pagesz = GLRO(dl_pagesize);`

			`+ /* Check for overflow. */`
			`+ if (bytes > SIZE_MAX - pagesz - MINSIZE)`
			`+ {`
			`+ __set_errno (ENOMEM);`
			`+ return 0;`
			`+ }`
			`+`
			`void (hook) (size_t, size_t, const void *) =`
			`force_reg (__memalign_hook);`
			`if (__builtin_expect (hook != NULL, 0))`
			`diff --git a/malloc/malloc.c b/malloc/malloc.c`
			`index 3148c5f..f7718a9 100644`
			`--- a/malloc/malloc.c`
			`+++ b/malloc/malloc.c`
			`@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)`
			`/* Otherwise, ensure that it is at least a minimum chunk size */`
			`if (alignment < MINSIZE) alignment = MINSIZE;`

			`+ /* Check for overflow. */`
			`+ if (bytes > SIZE_MAX - alignment - MINSIZE)`
			`+ {`
			`+ __set_errno (ENOMEM);`
			`+ return 0;`
			`+ }`
			`+`
			`arena_get(ar_ptr, bytes + alignment + MINSIZE);`
			`if(!ar_ptr)`
			`return 0;`