Changeset 27698 in webkit for trunk/JavaScriptCore/wtf/FastMalloc.cpp

Timestamp:

Nov 11, 2007, 7:36:03 PM (18 years ago)

Author:

oliver

Message:

Partial fix for <rdar://problem/5585334> numfuzz: integer overflows opening malformed SVG file in WebCore::ImageBuffer::create

Reviewed By Eric.

Unfortunately this is a very slight regression, but is unavoidable.

File:

• trunk/JavaScriptCore/wtf/FastMalloc.cpp (modified) (1 diff)

trunk/JavaScriptCore/wtf/FastMalloc.cpp

@@ -2293 +2293 @@
 #endif
 void* calloc(size_t n, size_t elem_size) {
-  void* result = do_malloc(n * elem_size);
+  const size_t totalBytes = n * elem_size;
+    
+  // Protect against overflow
+  if (n > 1 && elem_size && (totalBytes / elem_size) != n)
+    return 0;
+    
+  void* result = do_malloc(totalBytes);
   if (result != NULL) {
-    memset(result, 0, n * elem_size);
-  }
-#ifndef WTF_CHANGES
-  MallocHook::InvokeNewHook(result, n * elem_size);
+    memset(result, 0, totalBytes);
+  }
+#ifndef WTF_CHANGES
+  MallocHook::InvokeNewHook(result, totalBytes);
 #endif
   return result;