From acb849a8a16499907c554a3c00da201486388459 Mon Sep 17 00:00:00 2001
From: Orgad Shaneh <orgads@gmail.com>
Date: Thu, 4 Nov 2021 03:39:23 +0200
Subject: [PATCH] fix integer overflows in pool::ordered_malloc (#42)
Fixes trac #6701 (https://svn.boost.org/trac10/ticket/6701).
Originally-by: Jonathan Wakely <jwakely.boost@kayari.org>
---
boost/pool/pool.hpp | 31 ++++++++++++++++++++++---------
libs/pool/test/Jamfile.v2 | 1 +
libs/pool/test/suppressions.txt | 7 +++++++
libs/pool/test/test_bug_6701.cpp | 27 +++++++++++++++++++++++++++
4 files changed, 57 insertions(+), 9 deletions(-)
create mode 100644 libs/pool/test/suppressions.txt
create mode 100644 libs/pool/test/test_bug_6701.cpp
diff --git a/boost/pool/pool.hpp b/boost/pool/pool.hpp
index c47b11faf..12728a7ae 100644
--- a/boost/pool/pool.hpp
+++ b/boost/pool/pool.hpp
@@ -26,6 +26,8 @@
#include <boost/pool/poolfwd.hpp>
+// std::numeric_limits
+#include <boost/limits.hpp>
// boost::integer::static_lcm
#include <boost/integer/common_factor_ct.hpp>
// boost::simple_segregated_storage
@@ -355,6 +357,12 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
return s;
}
+ size_type max_chunks() const
+ { //! Calculated maximum number of memory chunks that can be allocated in a single call by this Pool.
+ size_type POD_size = integer::static_lcm<sizeof(size_type), sizeof(void *)>::value + sizeof(size_type);
+ return (std::numeric_limits<size_type>::max() - POD_size) / alloc_size();
+ }
+
static void * & nextof(void * const ptr)
{ //! \returns Pointer dereferenced.
//! (Provided and used for the sake of code readability :)
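Review bot: `max_chunks()` carries the whole overflow argument of this patch, but its comment does not say what the bound protects. The local `POD_size` also reads like a block size when it is only the per-block bookkeeping overhead. I would document it as `//! \returns the largest chunk count n for which n * alloc_size() plus the per-block overhead still fits in size_type.` and rename the local to something like `overhead`. The division assumes `alloc_size()` never returns 0; its body is outside this hunk, so that is worth confirming.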
@@ -375,6 +383,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
//! the first time that object needs to allocate system memory.
//! The default is 32. This parameter may not be 0.
//! \param nmax_size is the maximum number of chunks to allocate in one block.
+ set_next_size(nnext_size);
+ set_max_size(nmax_size);
}
~pool()
@@ -398,8 +408,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
}
void set_next_size(const size_type nnext_size)
{ //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0.
- //! \returns nnext_size.
- next_size = start_size = nnext_size;
+ BOOST_USING_STD_MIN();
+ next_size = start_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nnext_size, max_chunks());
}
size_type get_max_size() const
{ //! \returns max_size.
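Review bot: `set_next_size` now silently clamps its argument to `max_chunks()`, but the doc comment still only warns about 0; the same is true of `set_max_size` in the next hunk. A caller that reads the value back with `get_next_size()` or `get_max_size()` can see a different number than it set, so the comments should say so, e.g. `//! Values above max_chunks() are clamped so that block-size arithmetic cannot overflow size_type.` For `set_max_size` it is also worth stating that 0 stays 0, which the resize code in this patch treats as "no limit" (`if(!max_size)`).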
@@ -407,7 +417,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
}
void set_max_size(const size_type nmax_size)
{ //! Set max_size.
- max_size = nmax_size;
+ BOOST_USING_STD_MIN();
+ max_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nmax_size, max_chunks());
}
size_type get_requested_size() const
{ //! \returns the requested size passed into the constructor.
@@ -708,9 +719,9 @@ void * pool<UserAllocator>::malloc_need_resize()
BOOST_USING_STD_MIN();
if(!max_size)
- next_size <<= 1;
+ set_next_size(next_size << 1);
else if( next_size*partition_size/requested_size < max_size)
- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
+ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
// initialize it,
store().add_block(node.begin(), node.element_size(), partition_size);
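Review bot: Routing the growth step through `set_next_size()` also overwrites `start_size`, because that setter assigns `next_size = start_size = ...`; the old `next_size <<= 1` left `start_size` alone. If `start_size` is the value the pool falls back to after releasing memory (that code is outside this diff), every resize now moves that baseline up. The same call appears in the `ordered_malloc_need_resize()` and second `ordered_malloc()` hunks. Clamping in place keeps the overflow fix without the side effect: `next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_chunks());` in the unlimited branch, and the same `min` against `max_chunks()` wrapped around the existing expression in the `else if` branch. The function bodies start and end outside these hunks.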
@@ -748,9 +759,9 @@ void * pool<UserAllocator>::ordered_malloc_need_resize()
BOOST_USING_STD_MIN();
if(!max_size)
- next_size <<= 1;
+ set_next_size(next_size << 1);
else if( next_size*partition_size/requested_size < max_size)
- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
+ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
// initialize it,
// (we can use "add_block" here because we know that
@@ -792,6 +803,8 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n)
{ //! Gets address of a chunk n, allocating new memory if not already available.
//! \returns Address of chunk n if allocated ok.
//! \returns 0 if not enough memory for n chunks.
+ if (n > max_chunks())
+ return 0;
const size_type partition_size = alloc_size();
const size_type total_req_size = n * requested_size;
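Review bot: The new early return changes what a null result means, but the doc comment above it still lists only "not enough memory for n chunks". Add a line such as `//! \returns 0 if n exceeds max_chunks(), without attempting an allocation.` so callers know an oversized count is rejected before the `n * requested_size` multiplication on the following lines. The rest of `ordered_malloc` lies outside this hunk.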
@@ -840,9 +853,9 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n)
BOOST_USING_STD_MIN();
if(!max_size)
- next_size <<= 1;
+ set_next_size(next_size << 1);
else if( next_size*partition_size/requested_size < max_size)
- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
+ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
// insert it into the list,
// handle border case.
diff --git a/libs/pool/test/Jamfile.v2 b/libs/pool/test/Jamfile.v2
index 9e96abcbd..133879a93 100644
--- a/libs/pool/test/Jamfile.v2
+++ b/libs/pool/test/Jamfile.v2
@@ -34,6 +34,7 @@ test-suite pool :
<toolset>pathscale:<cxxflags>-Wno-long-long ]
[ run test_bug_2696.cpp ]
[ run test_bug_5526.cpp ]
+ [ run test_bug_6701.cpp ]
[ run test_threading.cpp : : : <threading>multi <library>/boost/thread//boost_thread ]
[ compile test_poisoned_macros.cpp ]
;
diff --git a/libs/pool/test/suppressions.txt b/libs/pool/test/suppressions.txt
new file mode 100644
index 000000000..e30fb813c
--- /dev/null
+++ b/libs/pool/test/suppressions.txt
@@ -0,0 +1,7 @@
+{
+ no_fishy_value
+ Memcheck:FishyValue
+ __builtin_vec_new(size)
+ fun:_ZnamRKSt9nothrow_t
+ ...
+}
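Review bot: This suppression is not scoped to the new test: it matches any Memcheck `FishyValue` report whose top frame is `_ZnamRKSt9nothrow_t`, and the trailing `...` accepts every caller. If the file is applied to the whole pool test suite, a genuinely bogus size reaching nothrow `operator new[]` from another test would be hidden as well. Consider narrowing it with a frame for the pool's allocation path, and add a `#` comment explaining why the oversized request is expected here. Nothing in the visible Jamfile hunk references this file, so it is unclear from the diff how it is passed to Valgrind.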
diff --git a/libs/pool/test/test_bug_6701.cpp b/libs/pool/test/test_bug_6701.cpp
new file mode 100644
index 000000000..e484d3c7e
--- /dev/null
+++ b/libs/pool/test/test_bug_6701.cpp
@@ -0,0 +1,27 @@
+/* Copyright (C) 2012 Étienne Dupuis
+*
+* Use, modification and distribution is subject to the
+* Boost Software License, Version 1.0. (See accompanying
+* file LICENSE_1_0.txt or http://www.boost.org/LICENSE_1_0.txt)
+*/
+
+// Test of bug #6701 (https://svn.boost.org/trac/boost/ticket/6701)
+
+#include <boost/pool/object_pool.hpp>
+#include <boost/limits.hpp>
+
+int main()
+{
+ boost::pool<> p(1024, std::numeric_limits<size_t>::max() / 768);
+
+ void *x = p.malloc();
+ BOOST_ASSERT(!x);
+
+ BOOST_ASSERT(std::numeric_limits<size_t>::max() / 1024 >= p.get_next_size());
+ BOOST_ASSERT(std::numeric_limits<size_t>::max() / 1024 >= p.get_max_size());
+
+ void *y = p.ordered_malloc(std::numeric_limits<size_t>::max() / 768);
+ BOOST_ASSERT(!y);
+
+ return 0;
+}
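Review bot: Every check in this test is a `BOOST_ASSERT`, which by default expands to nothing when `NDEBUG` is defined, so a release-variant run of the suite would pass without verifying the overflow fix. The lightweight test macros keep the checks active in all builds: include `<boost/core/lightweight_test.hpp>`, write `BOOST_TEST(!x);` (and likewise for the other three checks), and end with `return boost::report_errors();`. The file also does not include `<boost/assert.hpp>` itself and presumably relies on the pool headers pulling it in.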
--
2.33.1