Add integer overflow check to the malloc wrappers

Port the following security fix from mbed-os repository: ARMmbed/mbed-os#14408 Summary: Add a check that the combined size of the buffer to allocate and alloc_info_t does not exceed the maximum integer value representable by size_t.
adamgreen · May 6, 2021 · 97e0c62 · 97e0c62
1 parent 272e720
commit 97e0c62
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/external/mbed-os/platform/mbed_alloc_wrappers.cpp b/external/mbed-os/platform/mbed_alloc_wrappers.cpp
@@ -92,7 +92,10 @@ extern "C" void * __wrap__malloc_r(struct _reent * r, size_t size) {
     void *ptr = NULL;
 #ifdef MBED_HEAP_STATS_ENABLED
     malloc_stats_mutex->lock();
-    alloc_info_t *alloc_info = (alloc_info_t*)__real__malloc_r(r, size + sizeof(alloc_info_t));
+    alloc_info_t *alloc_info = NULL;
+    if (size <= SIZE_MAX - sizeof(alloc_info_t)) {
+        alloc_info = (alloc_info_t *)__real__malloc_r(r, size + sizeof(alloc_info_t));
+    }
     if (alloc_info != NULL) {
         alloc_info->size = size;
         ptr = (void*)(alloc_info + 1);
@@ -221,7 +224,10 @@ extern "C" void* $Sub$$malloc(size_t size) {
     void *ptr = NULL;
 #ifdef MBED_HEAP_STATS_ENABLED
     malloc_stats_mutex->lock();
-    alloc_info_t *alloc_info = (alloc_info_t*)$Super$$malloc(size + sizeof(alloc_info_t));
+    alloc_info_t *alloc_info = NULL;
+    if (size <= SIZE_MAX - sizeof(alloc_info_t) {
+        alloc_info = (alloc_info_t*)$Super$$malloc(size + sizeof(alloc_info_t));
+    }
     if (alloc_info != NULL) {
         alloc_info->size = size;
         ptr = (void*)(alloc_info + 1);