Diffstat (limited to 'CVE-2021-3470.patch')
-rw-r--r-- | CVE-2021-3470.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/CVE-2021-3470.patch b/CVE-2021-3470.patch
new file mode 100644
index 0000000..d49e271
--- /dev/null
+++ b/CVE-2021-3470.patch
@@ -0,0 +1,39 @@
+From a714d2561b78985ec85f3056aac83c603cbaaa5f Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Wed, 7 Apr 2021 10:00:53 +0800
+Subject: [PATCH] Fix wrong zmalloc_size() assumption. (#7963)
+
+When using a system with no malloc_usable_size(), zmalloc_size() assumed
+that the heap allocator always returns blocks that are long-padded.
+
+This may not always be the case, and will result with zmalloc_size()
+returning a size that is bigger than allocated. At least in one case
+this leads to out of bound write, process crash and a potential security
+vulnerability.
+
+Effectively this does not affect the vast majority of users, who use
+jemalloc or glibc.
+
+This problem along with a (different) fix was reported by Drew DeVault.
+
+---
+ src/zmalloc.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/zmalloc.c b/src/zmalloc.c
+index cc47f71..67b1b65 100644
+--- a/src/zmalloc.c
++++ b/src/zmalloc.c
+@@ -186,9 +186,6 @@ void *zrealloc(void *ptr, size_t size) {
+ size_t zmalloc_size(void *ptr) {
+ void *realptr = (char*)ptr-PREFIX_SIZE;
+ size_t size = *((size_t*)realptr);
+- /* Assume at least that all the allocations are padded at sizeof(long) by
+- * the underlying allocator. */
+- if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1));
+ return size+PREFIX_SIZE;
+ }
+ #endif
+--
+2.23.0
+
|