libc_malloc is built without access to barebox headers, so instead of size_mul it's using GCC builtins directly. The check against BAREBOX_MALLOC_MAX_SIZE should've been done using the product as indicated by the variable name, but erroneously __builtin_add_overflow was used instead of __builtin_mul_overflow. Fixes: 8839004152f7 ("sandbox: libc_malloc: fail allocations exceeding MALLOC_MAX_SIZE") Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> --- arch/sandbox/os/libc_malloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/sandbox/os/libc_malloc.c b/arch/sandbox/os/libc_malloc.c index ac97fc37eee5..dd0f8670ff71 100644 --- a/arch/sandbox/os/libc_malloc.c +++ b/arch/sandbox/os/libc_malloc.c @@ -67,7 +67,7 @@ void *barebox_calloc(size_t n, size_t elem_size) size_t product; void *mem = NULL; - if (!__builtin_add_overflow(n, elem_size, &product) && + if (!__builtin_mul_overflow(n, elem_size, &product) && product <= BAREBOX_MALLOC_MAX_SIZE) mem = calloc(n, elem_size); if (!mem) -- 2.39.5