Hugo Lefeuvre <[email protected]> writes:

> Would it help to add a check after the malloc call, that would make sure
> that malloc-ed memory is really available?
>
> Something like:
>
> bm->map = (potrace_word *) malloc(size);
> if (!bm->map || malloc_usable_size(bm->map) != size) {
>   free(bm);
>   return NULL;
> }
I am not really familiar with this malloc_usable_size function. However, I suspect it isn't going to help, simply because Linux by default - AFAIK this is still the case; I am not keeping up to date with Linux memory management - overcommits memory, and I suspect these calls could both still succeed. Which in turn could trigger the OOM killer (does this still exist?), and there is no guarantee it will kill the correct process. I guess that could be a security issue.

> I feel like fixing this issue is going to be very time consuming and I'm
> not sure whether it's worth taking so much time for this (previously
> no-dsa triaged) issue. :)

I tend to think the only solution is to prescan the file and check that the file size matches the declared value. Which is probably more time than I am prepared to spend on what I consider a minor issue.

-- 
Brian May <[email protected]>
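The prescan Brian describes, written out as an added example that is not part of this thread or of potrace's own code: before allocating a bitmap, confirm that the header's declared geometry is consistent with the bytes actually present and that the allocation it implies is affordable. The `img_header` layout, the 12-byte header size and `max_alloc` are constructed assumptions; only `potrace_word` and the words-per-scanline computation follow potrace's bitmap representation.

```c
/* Added example, not potrace's code. Validate a bitmap header against the
 * file length before calling malloc, so a hostile declared size is rejected
 * up front instead of relying on malloc failing under overcommit. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef unsigned long potrace_word;

/* Constructed header: what the file claims, plus what was actually read. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_pixel;   /* assumed 1 for a monochrome bitmap */
    size_t   file_len;         /* bytes actually read from the file */
} img_header;

/* Returns 1 when the declared geometry fits the data present and the bitmap
 * it implies stays under max_alloc bytes, 0 otherwise. *out_words receives
 * the number of potrace_words the bitmap needs. Every multiplication is
 * overflow checked so a hostile header cannot wrap to a tiny allocation. */
int prescan_bitmap(const img_header *h, size_t max_alloc, size_t *out_words)
{
    if (h->width == 0 || h->height == 0 || h->bits_per_pixel != 1)
        return 0;

    /* Bytes of 1-bpp pixel data the declared geometry requires. */
    size_t row_bytes = ((size_t)h->width + 7) / 8;
    if ((size_t)h->height > SIZE_MAX / row_bytes)
        return 0;
    size_t pixel_bytes = row_bytes * (size_t)h->height;

    /* Constructed format: a 12-byte header precedes the pixel data. */
    if (h->file_len < 12 || h->file_len - 12 < pixel_bytes)
        return 0;

    /* Words per scanline in potrace's bitmap representation. */
    size_t word_bits = 8 * sizeof(potrace_word);
    size_t dy = ((size_t)h->width + word_bits - 1) / word_bits;
    if ((size_t)h->height > SIZE_MAX / dy)
        return 0;
    size_t words = dy * (size_t)h->height;
    if (words > max_alloc / sizeof(potrace_word))
        return 0;

    *out_words = words;
    return 1;
}
```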
