Re: NULL dereference ? why not ?

ACK.
In practice the Linux kernel didn't map the first MB
(<disclaimer>IIRC</disclaimer>) to also catch errors like "x + 3000"
where x is a pointer and x == NULL.
And performance-wise it makes sense to put the limit at "TLB
granularity" (which is e.g. 4MB on common 32-bit Intel CPUs IIRC) to
minimize (quite expensive) TLB switches.

If we have:

void foo(somedata *p, int offset) {
    ....
    if (p->some1 == p->some2)
        p->someptr = realloc(p->someptr, offset);   /* result used unchecked */
    .... some operations on p->someptr[somevar + offset]; ....
}

if realloc fails it returns NULL, and NULL + someuserinputvar can be dangerous if someinputvar is > 1MB.
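Added example, not code from this thread: the unchecked-realloc pattern described in the post, next to a hardened version that bounds the caller-supplied offset, checks the realloc result before touching the pointer, and keeps the old block alive on failure. The somedata struct and its field names are modelled on the snippet above; MAX_OFFSET, the allocator hook used to force a failure, and the helper functions are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical struct standing in for the "somedata" of the post. */
typedef struct {
    size_t some1;           /* bytes in use */
    size_t some2;           /* capacity of someptr in bytes */
    unsigned char *someptr; /* heap buffer */
} somedata;

/* Allocator hook (an assumption for this example) so a realloc failure can be
 * forced deterministically instead of by exhausting memory. */
typedef void *(*realloc_fn)(void *, size_t);

static void *failing_realloc(void *old, size_t n)
{
    (void)old; (void)n;
    return NULL;
}

/* Policy limit on a caller-controlled offset (assumed value). Without it the
 * caller also decides how much memory gets allocated. */
#define MAX_OFFSET ((size_t)1 << 20)

/* The pattern from the post, kept as posted: the realloc result is assigned
 * unchecked. On failure someptr becomes NULL (and the old block leaks), so the
 * index below writes through NULL + offset; with a large offset that address
 * is past the unmapped low region and the write lands in mapped memory rather
 * than faulting. Shown for contrast only and deliberately never called. */
void grow_and_write_unsafe(somedata *p, size_t offset, unsigned char v)
{
    if (p->some1 == p->some2)
        p->someptr = realloc(p->someptr, p->some2 + offset);
    p->someptr[p->some1 + offset] = v;
}

/* Hardened form: bound the offset, rule out size_t overflow, only replace
 * someptr once realloc has succeeded, and index strictly inside the buffer. */
int grow_and_write_safe(somedata *p, size_t offset, unsigned char v, realloc_fn re)
{
    size_t idx, newcap;
    unsigned char *tmp;

    if (offset > MAX_OFFSET || offset > SIZE_MAX - p->some1)
        return -1;                      /* oversized or overflowing offset */
    idx = p->some1 + offset;
    if (idx == SIZE_MAX)
        return -1;                      /* idx + 1 below would wrap */

    if (idx >= p->some2) {
        newcap = idx + 1;
        tmp = re(p->someptr, newcap);
        if (tmp == NULL)
            return -1;                  /* p->someptr is still the valid old block */
        memset(tmp + p->some2, 0, newcap - p->some2);
        p->someptr = tmp;
        p->some2 = newcap;
    }
    p->someptr[idx] = v;
    if (idx >= p->some1)
        p->some1 = idx + 1;
    return 0;
}

int somedata_init(somedata *p, size_t cap)
{
    p->some1 = 0;
    p->some2 = cap;
    p->someptr = calloc(cap ? cap : 1, 1);
    return p->someptr ? 0 : -1;
}

void somedata_free(somedata *p)
{
    free(p->someptr);
    p->someptr = NULL;
    p->some1 = p->some2 = 0;
}

/* Runs four scenarios against the hardened function; returns 0 when every
 * one behaves as intended, otherwise a bitmask of the failing scenarios. */
int check_scenarios(void)
{
    somedata d;
    int rc = 0;

    if (somedata_init(&d, 4) != 0)
        return 1;
    /* 1. In-bounds write, no growth needed. */
    if (grow_and_write_safe(&d, 2, 7, realloc) != 0 || d.someptr[2] != 7 || d.some2 != 4)
        rc |= 2;
    /* 2. Growth needed but realloc fails: refused, old buffer untouched. */
    if (grow_and_write_safe(&d, 100, 9, failing_realloc) != -1 || d.some2 != 4 || d.someptr[2] != 7)
        rc |= 4;
    /* 3. Growth succeeds: capacity now covers the index and the write lands. */
    if (grow_and_write_safe(&d, 100, 9, realloc) != 0 || d.some2 != 104 || d.someptr[103] != 9)
        rc |= 8;
    /* 4. Oversized offset is rejected before any allocation happens. */
    if (grow_and_write_safe(&d, MAX_OFFSET + 1, 1, realloc) != -1)
        rc |= 16;
    somedata_free(&d);
    return rc;
}

int main(void)
{
    int rc = check_scenarios();
    printf("check_scenarios: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The unsafe function is compiled but never executed: with the allocator forced to fail it would write through NULL + offset, which is exactly the fault the post warns about. The key difference in the safe version is the temporary pointer: realloc's result is checked before it replaces someptr, so a failed growth leaves the structure exactly as it was and the caller gets an error code instead of a NULL-based pointer.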



