comparison src/core/ngx_slab.c @ 4829:40de49cf6b37
Fixed overflow if ngx_slab_alloc() is called with very big "size" argument.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Thu, 30 Aug 2012 15:09:21 +0000 |
parents | 0ed8088f43b4 |
children | 79b9101cecf4 |
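--- a/src/core/ngx_slab.c
+++ b/src/core/ngx_slab.c
@@ -160,12 +160,12 @@
 if (size >= ngx_slab_max_size) {
 
 ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, ngx_cycle->log, 0,
 "slab alloc: %uz", size);
 
-page = ngx_slab_alloc_pages(pool, (size + ngx_pagesize - 1)
->> ngx_pagesize_shift);
+page = ngx_slab_alloc_pages(pool, (size >> ngx_pagesize_shift)
++ ((size % ngx_pagesize) ? 1 : 0));
 if (page) {
 p = (page - pool->pages) << ngx_pagesize_shift;
 p += (uintptr_t) pool->start;
 
 } else {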
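Review bot: The rounded-up page count on new lines 165-166 has no comment explaining why it is written as a shift plus a remainder test. A later cleanup could fold it back into the `(size + ngx_pagesize - 1) >> ngx_pagesize_shift` form, which wraps to a small page count when `size` is close to the maximum of its type (presumably `size_t`, given the `%uz` format). I would add above the call `/* round up without forming size + ngx_pagesize - 1, which wraps for very large size */`. The enclosing function starts and ends outside the hunk, so whether ngx_slab_alloc_pages() then rejects the resulting large page count cannot be confirmed from here.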