From: <sv...@va...> - 2009-07-24 06:41:13
Author: njn
Date: 2009-07-24 07:41:02 +0100 (Fri, 24 Jul 2009)
New Revision: 10578
Log:
Fixed bug 149878 (calloc overflow). This disables some of the calloc silly
arg checking, but that's no great loss.
Added:
trunk/memcheck/tests/calloc-overflow.c
trunk/memcheck/tests/calloc-overflow.stderr.exp
trunk/memcheck/tests/calloc-overflow.vgtest
Modified:
trunk/coregrind/m_replacemalloc/vg_replace_malloc.c
trunk/memcheck/tests/Makefile.am
trunk/memcheck/tests/malloc3.c
trunk/memcheck/tests/malloc3.stderr.exp
Modified: trunk/coregrind/m_replacemalloc/vg_replace_malloc.c
===================================================================
--- trunk/coregrind/m_replacemalloc/vg_replace_malloc.c 2009-07-24 06:30:17 UTC (rev 10577)
+++ trunk/coregrind/m_replacemalloc/vg_replace_malloc.c 2009-07-24 06:41:02 UTC (rev 10578)
@@ -407,6 +407,8 @@
if (!init_done) init(); \
MALLOC_TRACE("calloc(%llu,%llu)", (ULong)nmemb, (ULong)size ); \
\
+ /* Protect against overflow. See bug 24078. */ \
+ if (size && nmemb > (SizeT)-1 / size) return NULL; \
v = (void*)VALGRIND_NON_SIMD_CALL2( info.tl_calloc, nmemb, size ); \
MALLOC_TRACE(" = %p", v ); \
return v; \
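Review bot: The new guard `if (size && nmemb > (SizeT)-1 / size) return NULL;` exits before the `MALLOC_TRACE(" = %p", v );` two lines below, so a traced overflowing call is logged as `calloc(n,size)` with no result, unlike every other exit of this wrapper; `if (size && nmemb > (SizeT)-1 / size) { MALLOC_TRACE(" = %p", (void*)0); return NULL; }` keeps the trace output uniform. The added comment cites bug 24078 while the log message, calloc-overflow.c and malloc3.c in this same commit all cite 149878 — if 24078 is not a deliberate second reference, the comment should read `/* Protect against overflow. See bug 149878. */`. A conforming calloc also sets errno to ENOMEM on this failure; whether the replacement wrappers mirror errno is not visible in this hunk and is worth confirming. The calloc wrapper macro this hunk edits starts and ends outside the hunk.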
Modified: trunk/memcheck/tests/Makefile.am
===================================================================
--- trunk/memcheck/tests/Makefile.am 2009-07-24 06:30:17 UTC (rev 10577)
+++ trunk/memcheck/tests/Makefile.am 2009-07-24 06:41:02 UTC (rev 10578)
@@ -49,6 +49,7 @@
badrw.stderr.exp badrw.vgtest \
brk2.stderr.exp brk2.vgtest \
buflen_check.stderr.exp buflen_check.vgtest \
+ calloc-overflow.stderr.exp calloc-overflow.vgtest\
clientperm.stderr.exp \
clientperm.stdout.exp clientperm.vgtest \
custom_alloc.stderr.exp custom_alloc.vgtest \
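Review bot: The added entry `calloc-overflow.stderr.exp calloc-overflow.vgtest\` has no space before its continuation backslash, unlike every neighbouring line in the list; automake still tokenises it correctly, but `calloc-overflow.stderr.exp calloc-overflow.vgtest \` matches the surrounding style.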
@@ -186,8 +187,14 @@
addressable \
atomic_incs \
badaddrvalue badfree badjump badjump2 \
- badloop badpoll badrw brk2 buflen_check \
- clientperm custom_alloc \
+ badloop \
+ badpoll \
+ badrw \
+ brk2 \
+ buflen_check \
+ calloc-overflow \
+ clientperm \
+ custom_alloc \
deep_templates \
describe-block \
doublefree error_counts errs1 exitprog execve execve2 erringfds \
Added: trunk/memcheck/tests/calloc-overflow.c
===================================================================
--- trunk/memcheck/tests/calloc-overflow.c (rev 0)
+++ trunk/memcheck/tests/calloc-overflow.c 2009-07-24 06:41:02 UTC (rev 10578)
@@ -0,0 +1,20 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include "pub_tool_basics.h"
+
+int main(void)
+{
+ // The n*size multiplication overflows in this example. The only sensible
+ // thing to do is return NULL, but old versions of Valgrind didn't (they
+ // often ground to a halt trying to allocate an enormous (but not as
+ // enormous as asked-for!) block. See bug 149878.
+ int* x;
+#if VG_WORDSIZE == 8
+ size_t szB = 0x1000000010000001ULL;
+#else
+ size_t szB = 0x10000001UL;
+#endif
+ x = calloc(szB, 0x10);
+ fprintf(stderr, "x = %#lx\n", (long)x);
+ return 0;
+}
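Review bot: `fprintf(stderr, "x = %#lx\n", (long)x);` passes a signed `long` to `%#lx`, which expects `unsigned long`; malloc3.c in this same commit prints its pointers as `(unsigned long)p`, so `fprintf(stderr, "x = %#lx\n", (unsigned long)x);` is both the matching type and consistent with the sibling test. The `#include "pub_tool_basics.h"` is pulled into a client program only to read VG_WORDSIZE; `#include <stdint.h>` with `#if SIZE_MAX > 0xFFFFFFFFUL` selects the same constant without depending on a tool-internal header, though if other memcheck tests include it deliberately this is only a preference. The comment describes the old behaviour but not the expectation the test encodes; adding `// With the overflow check calloc must return NULL, so x prints as 0.` ties the source to calloc-overflow.stderr.exp.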
Added: trunk/memcheck/tests/calloc-overflow.stderr.exp
===================================================================
--- trunk/memcheck/tests/calloc-overflow.stderr.exp (rev 0)
+++ trunk/memcheck/tests/calloc-overflow.stderr.exp 2009-07-24 06:41:02 UTC (rev 10578)
@@ -0,0 +1 @@
+x = 0
Added: trunk/memcheck/tests/calloc-overflow.vgtest
===================================================================
--- trunk/memcheck/tests/calloc-overflow.vgtest (rev 0)
+++ trunk/memcheck/tests/calloc-overflow.vgtest 2009-07-24 06:41:02 UTC (rev 10578)
@@ -0,0 +1,2 @@
+prog: calloc-overflow
+vgopts: -q
Modified: trunk/memcheck/tests/malloc3.c
===================================================================
--- trunk/memcheck/tests/malloc3.c 2009-07-24 06:30:17 UTC (rev 10577)
+++ trunk/memcheck/tests/malloc3.c 2009-07-24 06:41:02 UTC (rev 10578)
@@ -24,6 +24,9 @@
printf("calloc(0,-1) = 0x%lx\n", (unsigned long)p);
free(p);
+ // We no longer get a warning with this due to the calloc overflow checking
+ // done for bug 149878. It's no great loss, it's extremely unlikely to
+ // occur in practice.
p = calloc(-1,-1);
printf("calloc(-1,-1) = 0x%lx\n", (unsigned long)p);
free(p);
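Review bot: The new comment says the warning is gone but not what `calloc(-1,-1)` now does: with size == (size_t)-1 the overflow guard added in vg_replace_malloc.c trips and the call returns NULL before the silly-arg check runs, which is why the value printed on the next line is presumably 0. A one-line addition makes that explicit, `// The overflow guard now rejects it and returns NULL before the silly-arg check runs.` The enclosing function starts and ends outside the hunk.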
Modified: trunk/memcheck/tests/malloc3.stderr.exp
===================================================================
--- trunk/memcheck/tests/malloc3.stderr.exp 2009-07-24 06:30:17 UTC (rev 10577)
+++ trunk/memcheck/tests/malloc3.stderr.exp 2009-07-24 06:41:02 UTC (rev 10578)
@@ -1,3 +1,2 @@
Warning: silly arg (-1) to malloc()
Warning: silly args (0,-1) to calloc()
-Warning: silly args (-1,-1) to calloc()