dlmalloc: Fix integer overflow in request2size() req is of type size_t, casting it to long opens the door for an integer overflow. Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX cause and overflow such that request2size() returns MINSIZE. Fix by removing the cast. The origin of the cast is unclear, it's in u-boot and ppcboot since ever and predates the CVS history. Doug Lea's original dlmalloc implementation also doesn't have it. Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>

commit: 9bc2d8221c6d7aef81c90bec1b034d1fab71d9a9 [log] [tgz]
author: Richard Weinberger <richard@nod.at> Fri Aug 02 12:08:44 2024 +0200
committer: Tom Rini <trini@konsulko.com> Thu Aug 15 16:14:36 2024 -0600
tree: b96d09d1a763e9e3d0bc9142def8d40be9d67349
parent: dabf943bf2f5dfcfe71d33bde9ad1c2d39c654fd [diff]
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index 1e1602a..48e83da 100644
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c

@@ -386,8 +386,8 @@
 /* pad request bytes into a usable size */
 
 #define request2size(req) \
- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
-  (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+  (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
    (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
 
 /* Check if m has acceptable alignment */
commit	9bc2d8221c6d7aef81c90bec1b034d1fab71d9a9	[log] [tgz]
author	Richard Weinberger <richard@nod.at>	Fri Aug 02 12:08:44 2024 +0200
committer	Tom Rini <trini@konsulko.com>	Thu Aug 15 16:14:36 2024 -0600
tree	b96d09d1a763e9e3d0bc9142def8d40be9d67349
parent	dabf943bf2f5dfcfe71d33bde9ad1c2d39c654fd [diff]