Mercurial > hg > nginx
comparison src/core/ngx_slab.c @ 4829:40de49cf6b37
Fixed overflow if ngx_slab_alloc() is called with very big "size" argument.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Thu, 30 Aug 2012 15:09:21 +0000 |
| parents | 0ed8088f43b4 |
| children | 79b9101cecf4 |
comparison
equal
deleted
inserted
replaced
| 4828:f57154322e0e | 4829:40de49cf6b37 |
|---|---|
| 160 if (size >= ngx_slab_max_size) { | 160 if (size >= ngx_slab_max_size) { |
| 161 | 161 |
| 162 ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, ngx_cycle->log, 0, | 162 ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, ngx_cycle->log, 0, |
| 163 "slab alloc: %uz", size); | 163 "slab alloc: %uz", size); |
| 164 | 164 |
| 165 page = ngx_slab_alloc_pages(pool, (size + ngx_pagesize - 1) | 165 page = ngx_slab_alloc_pages(pool, (size >> ngx_pagesize_shift) |
| 166 >> ngx_pagesize_shift); | 166 + ((size % ngx_pagesize) ? 1 : 0)); |
| 167 if (page) { | 167 if (page) { |
| 168 p = (page - pool->pages) << ngx_pagesize_shift; | 168 p = (page - pool->pages) << ngx_pagesize_shift; |
| 169 p += (uintptr_t) pool->start; | 169 p += (uintptr_t) pool->start; |
| 170 | 170 |
| 171 } else { | 171 } else { |