One more sanity check in free.

diff --git a/ChangeLog b/ChangeLog
index f61697c..83e6218 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2010-04-03  Ulrich Drepper  <drepper@redhat.com>
 
+       * malloc/malloc.c (_int_free): Add one more sanity check for fastbins.
+
        * malloc/malloc.c (set_max_fast): Fix computation of the value.
 
 2010-03-30  David S. Miller  <davem@davemloft.net>

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 784919e..558e8ba 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4852,7 +4852,8 @@ _int_free(mstate av, mchunkptr p)
       free_perturb (chunk2mem(p), size - SIZE_SZ);
 
     set_fastchunks(av);
-    fb = &fastbin (av, fastbin_index(size));
+    unsigned int idx = fastbin_index(size);
+    fb = &fastbin (av, idx);
 
 #ifdef ATOMIC_FASTBINS
     mchunkptr fd;
@@ -4866,6 +4867,12 @@ _int_free(mstate av, mchunkptr p)
            errstr = "double free or corruption (fasttop)";
            goto errout;
          }
+       if (old != NULL
+           && __builtin_expect (fastbin_index(chunksize(old)) != idx, 0))
+         {
+           errstr = "invalid fastbin entry (free)";
+           goto errout;
+         }
        p->fd = fd = old;
       }
     while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd);
@@ -4877,6 +4884,12 @@ _int_free(mstate av, mchunkptr p)
        errstr = "double free or corruption (fasttop)";
        goto errout;
       }
+    if (*fb != NULL
+       && __builtin_expect (fastbin_index(chunksize(*fb)) != idx, 0))
+      {
+       errstr = "invalid fastbin entry (free)";
+       goto errout;
+      }
 
     p->fd = *fb;
     *fb = p;