http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411
Bug #: 54411 Summary: libiberty: objalloc_alloc integer overflows (CVE-2012-3509) Classification: Unclassified Product: gcc Version: unknown Status: UNCONFIRMED Severity: normal Priority: P3 Component: other AssignedTo: f...@gcc.gnu.org ReportedBy: f...@gcc.gnu.org Sang Kil Cha discovered that _objalloc_alloc does not guard the addition of CHUNK_HEADER_SIZE to the length against overflow. This can cause _objalloc_alloc to return a pointer to a memory region which is smaller than expected. The pointer alignment arithmetic in the objalloc_alloc macro misses an overflow check as well, with similar consequences.