From 96ab58fb8e34868c16beca2ee99c148e31e8eb09 Mon Sep 17 00:00:00 2001 From: Jean Guyomarc'h Date: Sat, 16 Sep 2017 14:20:11 +0200 Subject: [PATCH] eina: prevent memory corruption in chained mempool The chained mempool uses eina trash to dispose and retrieve memory blobs. Problem is that eina trash requires the memory blobs to be at least of the size of a pointer. If the size of an element in the mempool is less than the size of a pointer, which _is_ possible as no minimal size is enforced, eina_trash will silently corrupt the memory pool. To prevent memory corruption while still allowing small elements, the size of an element defaults to the size of a pointer if it was smaller. This comes at the cost of consuming slightly more memory in these cases, but at least the memory pool can be safely used. @fix --- src/modules/eina/mp/chained_pool/eina_chained_mempool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/eina/mp/chained_pool/eina_chained_mempool.c b/src/modules/eina/mp/chained_pool/eina_chained_mempool.c index 7ab6954..b50b4dd 100644 --- a/src/modules/eina/mp/chained_pool/eina_chained_mempool.c +++ b/src/modules/eina/mp/chained_pool/eina_chained_mempool.c @@ -563,7 +563,7 @@ eina_chained_mempool_init(const char *context, memcpy((char *)mp->name, context, length); } - mp->item_alloc = eina_mempool_alignof(item_size); + mp->item_alloc = MAX(eina_mempool_alignof(item_size), sizeof(void *)); mp->pool_size = (((((mp->item_alloc * mp->pool_size + aligned_chained_pool) / page_size) + 1) * page_size) -- 2.7.4
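Review bot: The minimum is enforced only inside eina_chained_mempool_init, while the commit message locates the invariant in eina trash itself ("eina trash requires the memory blobs to be at least of the size of a pointer"); any other caller that pushes blobs smaller than sizeof(void *) into eina trash would still corrupt memory silently, so consider also asserting the size at the eina trash level, or at least documenting the pointer-size minimum next to the eina trash API and in the mempool item_size documentation. The placement of the change is right, since the widened mp->item_alloc flows into the mp->pool_size computation in the following context line rather than being applied after the pool geometry is fixed. A regression test that creates a chained mempool with an item_size of 1, frees an element and allocates again (the sequence the message describes as corrupting) would pin the fix down; the one-line change is otherwise straightforward.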