Sang Kil Cha discovered that _objalloc_alloc does not guard the addition of CHUNK_HEADER_SIZE to the length against overflow. This can cause _objalloc_alloc to return a pointer to a memory region which is smaller than expected. The pointer alignment arithmetic in the objalloc_alloc macro misses an overflow check as well, with similar consequences.
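To make the arithmetic in the report concrete, here is an added example in C. It is not libiberty's code and not anything posted by the participants in this bug; it models the size computation described above (round the request up to an alignment, then add CHUNK_HEADER_SIZE) in an unchecked and a checked variant, plus a model of the macro's fast path. Only the name CHUNK_HEADER_SIZE comes from the report; the name OBJALLOC_ALIGN and the values 8 and 16 are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Constants for this illustration.  CHUNK_HEADER_SIZE is named in the bug
   report; its value here, and OBJALLOC_ALIGN with its value, are assumptions
   made for the example rather than libiberty's definitions. */
#define OBJALLOC_ALIGN 8UL
#define CHUNK_HEADER_SIZE 16UL

/* Round a request up to OBJALLOC_ALIGN, treating 0 as 1 byte.  Near
   ULONG_MAX the addition of (OBJALLOC_ALIGN - 1) wraps, and the mask can
   then leave 0. */
static unsigned long align_len(unsigned long original_len)
{
    unsigned long len = original_len == 0 ? 1 : original_len;
    return (len + OBJALLOC_ALIGN - 1) & ~(OBJALLOC_ALIGN - 1);
}

/* Unchecked slow-path size: aligned length plus chunk header, with no
   overflow guard.  A request of ULONG_MAX - 3 bytes comes out as 16, and a
   request of ULONG_MAX - 20 bytes comes out as 0. */
unsigned long unchecked_chunk_size(unsigned long original_len)
{
    return align_len(original_len) + CHUNK_HEADER_SIZE;
}

/* Checked slow-path size.  If the aligned length wrapped to 0, or adding the
   header wrapped, the total is smaller than what was asked for; return 0
   (never a valid size here, since the minimum is OBJALLOC_ALIGN +
   CHUNK_HEADER_SIZE) to refuse the request. */
unsigned long checked_chunk_size(unsigned long original_len)
{
    unsigned long len = align_len(original_len);
    unsigned long total = len + CHUNK_HEADER_SIZE;
    if (len == 0 || total < original_len)
        return 0;
    return total;
}

/* Model of the macro fast path: serve the request from the current chunk
   when the aligned length fits in current_space.  Without the guard, a
   request whose aligned length wrapped to 0 "fits" anywhere and the caller
   gets a pointer with no space behind it.  Returns 1 if the fast path
   would be taken. */
int fast_path_taken(unsigned long current_space, unsigned long original_len,
                    int guard_wraparound)
{
    unsigned long len = align_len(original_len);
    if (guard_wraparound && len == 0)
        return 0;               /* leave it to the checked slow path */
    return len <= current_space;
}

int main(void)
{
    unsigned long huge = ULONG_MAX - 3;
    printf("request %lu: unchecked size %lu, checked size %lu\n",
           huge, unchecked_chunk_size(huge), checked_chunk_size(huge));
    printf("fast path with 64 bytes free: unguarded %d, guarded %d\n",
           fast_path_taken(64, huge, 0), fast_path_taken(64, huge, 1));
    return 0;
}
```

The two huge requests exercise the two separate wraps the report names: ULONG_MAX - 3 wraps during alignment rounding (so the fast path would accept it), while ULONG_MAX - 20 survives rounding and only wraps when CHUNK_HEADER_SIZE is added. A single comparison of the final total against the original request, together with the check for a zero aligned length, catches both.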
I'll come up with a patch for both issues (I don't think there is one yet).
You do realise that pretty much nothing in the toolchain checks for overflows in calculating allocation sizes? If you want to fix such issues more systematically, the macros in libiberty.h such as XNEWVEC would be a good starting point in which to insert overflow checks, but there will be loads of other places affected as well.
(In reply to comment #2)
> You do realise that pretty much nothing in the toolchain checks for
> overflows in calculating allocation sizes?

bfd_alloc2 (bfd's XNEWVEC variant) contains an overflow check, and this bug defeats it.

Your point about XNEWVEC is appreciated, but this is a different bug. 8-)
On Wed, 29 Aug 2012, fw at gcc dot gnu.org wrote:

> > You do realise that pretty much nothing in the toolchain checks for
> > overflows in calculating allocation sizes?
>
> bfd_alloc2 (bfd's XNEWVEC variant) contains an overflow check, and this bug
> defeats it.
>
> Your point about XNEWVEC is appreciated, but this is a different bug. 8-)

My point is that there are probably hundreds of such bugs in the toolchain sources (and lots more bugs where BFD and GDB fail to handle invalid input); XNEWVEC is just an example of one that's comparatively easy to find and fix (but I'm sure plenty more are easy to find for anyone going looking for them).
Author: fw
Date: Tue Sep 18 08:34:05 2012
New Revision: 191413

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=191413
Log:
PR other/54411: integer overflow in objalloc_alloc

2012-09-18  Florian Weimer  <fweimer@redhat.com>

	PR other/54411
	* objalloc.h (objalloc_alloc): Do not use fast path on wraparound.

2012-09-18  Florian Weimer  <fweimer@redhat.com>

	PR other/54411
	* objalloc.c (_objalloc_alloc): Add overflow check covering
	alignment and CHUNK_HEADER_SIZE addition.

Modified:
    trunk/include/ChangeLog
    trunk/include/objalloc.h
    trunk/libiberty/ChangeLog
    trunk/libiberty/objalloc.c
(In reply to Florian Weimer from comment #5)
> Author: fw
> Date: Tue Sep 18 08:34:05 2012
> New Revision: 191413
>
> URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=191413
> Log:
> PR other/54411: integer overflow in objalloc_alloc
>
> 2012-09-18  Florian Weimer  <fweimer@redhat.com>
>
> 	PR other/54411
> 	* objalloc.h (objalloc_alloc): Do not use fast path on wraparound.
>
> 2012-09-18  Florian Weimer  <fweimer@redhat.com>
>
> 	PR other/54411
> 	* objalloc.c (_objalloc_alloc): Add overflow check covering
> 	alignment and CHUNK_HEADER_SIZE addition.
>
> Modified:
>     trunk/include/ChangeLog
>     trunk/include/objalloc.h
>     trunk/libiberty/ChangeLog
>     trunk/libiberty/objalloc.c

Looks like this fixed it.