runtime: fix buffer overflow in stringtoslicerune

On 32-bits n*sizeof(r[0]) can overflow. Or it can become 1<<32-eps, and mallocgc will "successfully" allocate 0 pages for it, there are no checks downstream and MHeap_Grow just does: npage = (npage+15)&~15; ask = npage<<PageShift; LGTM=khr R=golang-codereviews, khr CC=golang-codereviews https://golang.org/cl/54760045

runtime: fix buffer overflow in stringtoslicerune
On 32-bits n*sizeof(r[0]) can overflow. Or it can become 1<<32-eps, and mallocgc will "successfully" allocate 0 pages for it, there are no checks downstream and MHeap_Grow just does: npage = (npage+15)&~15; ask = npage<<PageShift; LGTM=khr R=golang-codereviews, khr CC=golang-codereviews https://golang.org/cl/54760045
e1a91c5b · Dmitriy Vyukov · bace9523 · e1a91c5b · e1a91c5b
Commit e1a91c5b authored Jan 27, 2014 by Dmitriy Vyukov
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

malloc.goc src/pkg/runtime/malloc.goc +2 -0

string.goc src/pkg/runtime/string.goc +2 -0

No files found.
--- a/src/pkg/runtime/malloc.goc
+++ b/src/pkg/runtime/malloc.goc
@@ -224,6 +224,8 @@ largealloc(uint32 flag, uintptr *sizep)

 	// Allocate directly from heap.
 	size = *sizep;
+	if(size + PageSize < size)
+		runtime·throw("out of memory");
 	npages = size >> PageShift;
 	if((size & PageMask) != 0)
 		npages++;

--- a/src/pkg/runtime/string.goc
+++ b/src/pkg/runtime/string.goc
@@ -334,6 +334,8 @@ func stringtoslicerune(s String) (b Slice) {
 		n++;
 	}

+	if(n > MaxMem/sizeof(r[0]))
+		runtime·throw("out of memory");
 	mem = runtime·roundupsize(n*sizeof(r[0]));
 	b.array = runtime·mallocgc(mem, 0, FlagNoScan|FlagNoZero);
 	b.len = n;