On Tue, 19 Nov 2024 08:15:25 +0100, Ahmad Fatoum wrote:
> req is of type size_t, casting it to long opens the door
> for an integer overflow.
> Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
> cause and overflow such that request2size() returns MINSIZE.
>
> Fix by removing the cast.
> The origin of the cast is unclear, it's in u-boot and ppcboot since ever
> and predates the CVS history.
> Doug Lea's original dlmalloc implementation also doesn't have it.
>
> [...]
Applied, thanks!
[1/1] dlmalloc: Fix integer overflow in request2size()
https://git.pengutronix.de/cgit/barebox/commit/?id=7cf25e0733f0 (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
