authorUlrich Drepper <drepper@redhat.com>2004-11-19 21:35:00 +0000
committerUlrich Drepper <drepper@redhat.com>2004-11-19 21:35:00 +0000
commit893e609847a2f372970e349e0cede2e8529bea71 (patch)
tree8f3b331c84468e5fae7ddc3cdc9262529f730053
parent3defcff3991314ad57e9b63c37f5e6de9fd5e879 (diff)
Update.
2004-11-19 Ulrich Drepper <drepper@redhat.com> * malloc/malloc.c (_int_free): Add a few more cheap tests for corruption. * debug/fprintf_chk.c: Adjust all users.
-rw-r--r--ChangeLog7
-rw-r--r--malloc/malloc.c15
2 files changed, 20 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index d5cc33e7d1..ae8cc2e29b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2004-11-19 Ulrich Drepper <drepper@redhat.com>
+
+ * malloc/malloc.c (_int_free): Add a few more cheap tests for
+ corruption.
+
2004-11-17 Randolph Chung <tausq@debian.org>
* sysdeps/hppa/dl-machine.h (TRAMPOLINE_TEMPLATE): Add unwind
@@ -27,7 +32,7 @@
* libio/libio.h (_IO_FLAGS2_FORTIFY): Renamed from
_IO_FLAGS2_CHECK_PERCENT_N.
- * debug/fprintff_chk.c: Adjust all users.
+ * debug/fprintf_chk.c: Adjust all users.
* debug/printf_chk.c: Likewise.
* debug/vfprintf_chk.c: Likewise.
* debug/vprintf_chk.c: Likewise.
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 57074108f1..d6810be7f6 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem)
#endif
) {
+ if (__builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0)
+ || __builtin_expect (chunksize (chunk_at_offset (p, size))
+ >= av->system_mem, 0))
+ {
+ errstr = "invalid next size (fast)";
+ goto errout;
+ }
+
set_fastchunks(av);
fb = &(av->fastbins[fastbin_index(size)]);
/* Another simple check: make sure the top of the bin is not the
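Review bot: The lower-bound test reads the raw size field, `chunk_at_offset (p, size)->size <= 2 * SIZE_SZ`, flag bits included, while the upper-bound test goes through `chunksize ()`, which masks them. The same mix appears in the second hunk (`nextchunk->size` against `nextsize`), and nothing in the new code says whether the difference is deliberate. If it is, a comment above the `if` would stop a later cleanup from "normalising" the two sides, for example `/* Cheap sanity check on the next chunk: the raw size field (flags included) must exceed 2*SIZE_SZ and the masked size must be below av->system_mem. */`. The block also expands `chunk_at_offset (p, size)` twice where a local pointer would read more clearly. `_int_free` begins and ends outside this hunk.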
@@ -4276,7 +4284,12 @@ _int_free(mstate av, Void_t* mem)
}
nextsize = chunksize(nextchunk);
- assert(nextsize > 0);
+ if (__builtin_expect (nextchunk->size <= 2 * SIZE_SZ, 0)
+ || __builtin_expect (nextsize >= av->system_mem, 0))
+ {
+ errstr = "invalid next size (normal)";
+ goto errout;
+ }
/* consolidate backward */
if (!prev_inuse(p)) {
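Review bot: The new range test on `nextsize` is a plausibility bound rather than a validation. Any value strictly between `2 * SIZE_SZ` and `av->system_mem` passes, including one that does not match the real next chunk, and the code that follows (presumably the consolidation steps, which lie mostly outside the hunk) still relies on `nextsize`. A comment beside the check would keep readers from treating it as a guarantee, for example `/* Plausibility bound only: a corrupted size that still falls inside (2*SIZE_SZ, system_mem) is not caught here. */`. The hunk leaves the enclosing block of `_int_free` open at both ends, so checks made earlier in the function are not visible from here.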