From: YONETANI Tomokazu Date: Sun, 14 Dec 2008 02:08:22 +0000 (+0900) Subject: git-fast-import possible memory corruption problem X-Git-Tag: v1.6.1-rc3~2 X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=2fad5329f4bc03e2328a2994d336c12a9683d9b2;p=git.git git-fast-import possible memory corruption problem Internal "allocate in bulk, we will never free this memory anyway" allocator used in fast-import had a logic to round up the size of the requested memory block in a wrong place (it computed if the available space is enough to fit the request first, and then carved a chunk of memory by size rounded up to the alignment, which could go beyond the actually available space). Signed-off-by: Junio C Hamano --- diff --git a/fast-import.c b/fast-import.c index 3c035a578..3276d5d7a 100644 --- a/fast-import.c +++ b/fast-import.c @@ -554,6 +554,10 @@ static void *pool_alloc(size_t len) struct mem_pool *p; void *r; + /* round up to a 'uintmax_t' alignment */ + if (len & (sizeof(uintmax_t) - 1)) + len += sizeof(uintmax_t) - (len & (sizeof(uintmax_t) - 1)); + for (p = mem_pool; p; p = p->next_pool) if ((p->end - p->next_free >= len)) break; @@ -572,9 +576,6 @@ static void *pool_alloc(size_t len) } r = p->next_free; - /* round out to a 'uintmax_t' alignment */ - if (len & (sizeof(uintmax_t) - 1)) - len += sizeof(uintmax_t) - (len & (sizeof(uintmax_t) - 1)); p->next_free += len; return r; }