Integer Overflow in mallocx()
In lib/isc/jemalloc_shim.h:mallocx() an addition is performed to make room for a size_info header in front of the allocated memory. This addition is not checked and can overflow for large values of size. When that happens, less memory is allocated than the caller expects, which might lead to a heap-based buffer overflow.
static inline void *
mallocx(size_t size, int flags) {
	void *ptr = NULL;
	/* unchecked: size + sizeof(*si) can wrap around for large size */
	size_info *si = malloc(size + sizeof(*si));
	INSIST(si != NULL);
	si->size = size; /* records the requested size, not the wrapped one */
	ptr = &si[1];
	if ((flags & MALLOCX_ZERO) != 0) {
		memset(ptr, 0, size);
	}
	return (ptr);
}
We recommend adding an overflow check for the addition size + sizeof(*si) and returning NULL on overflow, similar to the check implemented in isc__uv_calloc().
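The wrap condition and the recommended check, as an added example that is not BIND's code: the size_info layout and the MALLOCX_ZERO value are assumed, and the checked variant returns NULL where the original would silently under-allocate.

```c
/* Added example (not BIND's code): size_info layout and MALLOCX_ZERO are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MALLOCX_ZERO 0x40 /* assumed value of jemalloc's zero-fill flag */

typedef struct {
	size_t size; /* requested size, kept in front of the user block */
} size_info;

/* The condition mallocx() never tests: size + sizeof(size_info) wraps. */
static bool
header_add_overflows(size_t size) {
	return size > SIZE_MAX - sizeof(size_info);
}

/* Checked variant: refuse the request instead of under-allocating. */
static void *
mallocx_checked(size_t size, int flags) {
	if (header_add_overflows(size)) {
		return NULL;
	}
	size_info *si = malloc(size + sizeof(*si));
	if (si == NULL) {
		return NULL;
	}
	si->size = size;
	void *ptr = &si[1];
	if ((flags & MALLOCX_ZERO) != 0) {
		memset(ptr, 0, size);
	}
	return ptr;
}

/* Allocate n zeroed bytes, check them, free via the header, confirm n. */
static bool
zeroed_roundtrip(size_t n) {
	unsigned char *p = mallocx_checked(n, MALLOCX_ZERO);
	if (p == NULL) {
		return false;
	}
	bool clean = true;
	for (size_t i = 0; i < n; i++) {
		clean = clean && (p[i] == 0);
	}
	size_info *si = (size_info *)p - 1;
	clean = clean && (si->size == n);
	free(si);
	return clean;
}
```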