Closed Bug 431743 Opened 15 years ago Closed 15 years ago
Upstream jemalloc fixes
malloc() uses unsigned integers to represent allocation size, but sbrk() uses a signed increment argument, thus limiting the maximum allocation size possible via sbrk(). Since sbrk() interprets a negative increment as a data storage segment (DSS) shrink, failing to detect this overflow case can cause crashes.
Assignee: jasone → nobody
Status: ASSIGNED → NEW
Component: OS Integration → jemalloc
Product: Firefox → Core
QA Contact: os.integration → jemalloc
Check for integer overflow before calling sbrk(2), since it uses a signed increment argument, but the size is an unsigned integer.
Summary: Avoid sbrk() overflow → Upstream jemalloc fixes
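Added worked example in C, not jemalloc's own code and not the patch attached to this bug, illustrating the overflow described in the report and in the comment above. sbrk(2) takes a signed intptr_t increment while the allocator's size is a size_t, so any size above INTPTR_MAX that is cast straight through becomes a negative increment, which sbrk() treats as a DSS shrink. The function names (naive_sbrk_increment, sbrk_size_fits, checked_sbrk_increment, safe_sbrk_extend) are hypothetical; the only assumption about the platform is that the out-of-range size_t to intptr_t conversion wraps, as it does under gcc and clang.

```c
/* Added example (not jemalloc code): guarding the size_t -> intptr_t
 * conversion before calling sbrk(2). */
#define _DEFAULT_SOURCE          /* expose sbrk() in glibc headers */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* The unchecked conversion: what happens when an unsigned allocation size is
 * passed straight to sbrk(). Assumption: gcc/clang reduce out-of-range values
 * modulo 2^N, so any size above INTPTR_MAX turns into a negative increment,
 * i.e. a request to shrink the data segment instead of grow it. */
intptr_t naive_sbrk_increment(size_t size)
{
    return (intptr_t)size;
}

/* The check jemalloc needs: does the size fit in the signed increment type?
 * Comparing against INTPTR_MAX (rather than testing the sign after a cast)
 * keeps the check free of implementation-defined behaviour. Returns 1 if
 * the size is representable, 0 otherwise. */
int sbrk_size_fits(size_t size)
{
    return size <= (size_t)INTPTR_MAX;
}

/* Checked conversion: returns 0 and stores the increment when size fits,
 * -1 without touching *incr when it would have gone negative. */
int checked_sbrk_increment(size_t size, intptr_t *incr)
{
    if (!sbrk_size_fits(size))
        return -1;
    *incr = (intptr_t)size;
    return 0;
}

/* Hypothetical helper: grow the DSS by size bytes, refusing before the
 * syscall if the increment cannot be represented. Returns the old break on
 * success, NULL on overflow or on sbrk() failure (ENOMEM etc.). */
void *safe_sbrk_extend(size_t size)
{
    intptr_t incr;

    if (checked_sbrk_increment(size, &incr) != 0)
        return NULL;                /* would have been a negative increment */
    void *old_brk = sbrk(incr);
    if (old_brk == (void *)-1)
        return NULL;                /* kernel refused the grow */
    return old_brk;
}

int main(void)
{
    intptr_t incr = 0;
    int rc;

    printf("naive:   SIZE_MAX -> %" PRIdPTR " (negative = shrink)\n",
           naive_sbrk_increment(SIZE_MAX));
    rc = checked_sbrk_increment(SIZE_MAX, &incr);
    printf("checked: SIZE_MAX -> rc %d (no increment stored)\n", rc);
    rc = checked_sbrk_increment(4096, &incr);
    printf("checked: 4096     -> rc %d, incr %" PRIdPTR "\n", rc, incr);
    printf("safe_sbrk_extend(SIZE_MAX) -> %p\n", safe_sbrk_extend(SIZE_MAX));
    return 0;
}
```

The interesting cases are sizes in the range (INTPTR_MAX, SIZE_MAX]: naive_sbrk_increment() hands sbrk() a negative value for every one of them, while checked_sbrk_increment() rejects them before the syscall and lets the caller fall back to mmap or report ENOMEM.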
This patch fixes three problems: 1) sbrk() overflow for huge allocations. 2) Deadlock for base (internal) allocations in OOM case. 3) Incorrect bitmap vector initialization for small allocation runs.
changeset: 15456:38972d94e631 user: Jason Evans <email@example.com> date: Fri Jun 20 10:29:43 2008 -0700 summary: Bug 431743: Upstream jemalloc fixes, r=benjamin
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED