Date: Wed, 25 Nov 2020 17:53:41 -0500
From: Rich Felker <>
To: Dominic Chen <>
Subject: Re: [PATCH] Fix crash in malloc_usable_size() if nullptr

On Wed, Nov 25, 2020 at 02:53:16AM -0500, Dominic Chen wrote:
> Please CC me on replies.
> According to the manual for malloc_usable_size(), zero should be
> returned if the input pointer is NULL. Currently, this is not
> checked, which can result in SIGSEGV at runtime.
> Thanks,
> Dominic

> diff --git a/src/malloc/mallocng/malloc_usable_size.c b/src/malloc/mallocng/malloc_usable_size.c
> index a440a4ea..ce6a960c 100644
> --- a/src/malloc/mallocng/malloc_usable_size.c
> +++ b/src/malloc/mallocng/malloc_usable_size.c
> @@ -3,6 +3,7 @@
>  size_t malloc_usable_size(void *p)
>  {
> +	if (!p) return 0;
>  	struct meta *g = get_meta(p);
>  	int idx = get_slot_index(p);
>  	size_t stride = get_stride(g);
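Review bot: the early return `+	if (!p) return 0;` sits before `get_meta(p)` and `get_slot_index(p)`, so neither helper is reached with a NULL argument and the SIGSEGV described in the message is no longer possible; that is the right place for the check. What the hunk does not say is why NULL is special-cased, and the message itself notes the behaviour is only documented outside the implementation, so a one-line comment on that line, e.g. `/* malloc_usable_size(NULL) is documented to return 0 */`, would spare the next reader the same research.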

Thanks. I wasn't aware of this. I did some research to see if this is
actually documented as supported, since the Linux man pages aren't
normative but just descriptive, and sometimes document things that
aren't actually contracts. It seems glibc doesn't even document the
existence of this function at all though.

FreeBSD documents it but without any special handling of null
pointers. But Solaris documents the same behavior you described. So it
seems this is at least not entirely glibc-specific. Do you know if
there are other implementations that do the same?
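The contract under discussion, a NULL argument yielding 0 and a live allocation reporting at least as many usable bytes as were requested, is easy to pin down with a small conformance check. The following is an added example written for this thread, not code from musl or from either correspondent; the helper names `usable_size_or_zero` and `check_usable_size_contract` and the sample sizes are my own constructions. The wrapper covers the portability caveat Rich raises: since FreeBSD's documentation makes no promise about NULL, code that may hand NULL to malloc_usable_size() and needs to run on more than glibc/Solaris/musl should guard the call itself rather than rely on the allocator.

```c
#include <malloc.h>   /* malloc_usable_size() lives here on glibc and musl */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable guard (hypothetical helper): callers that cannot assume the
 * allocator special-cases NULL check it before calling. */
size_t usable_size_or_zero(void *p)
{
	return p ? malloc_usable_size(p) : 0;
}

/* Conformance check for the behaviour the patch establishes:
 *  - malloc_usable_size(NULL) returns 0 instead of crashing,
 *  - for a block of n bytes the reported usable size is >= n, and every
 *    one of those bytes can actually be written.
 * Returns 1 when every check passes, 0 at the first violation. */
int check_usable_size_contract(void)
{
	/* Exercise the allocator directly: this is the call the patch fixes. */
	if (malloc_usable_size(NULL) != 0) return 0;
	if (usable_size_or_zero(NULL) != 0) return 0;

	/* Constructed sample sizes spanning small, page-sized and large requests. */
	static const size_t sizes[] = { 1, 16, 100, 4096, 70000 };
	for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
		unsigned char *p = malloc(sizes[i]);
		if (!p) return 0;
		size_t usable = usable_size_or_zero(p);
		if (usable < sizes[i]) { free(p); return 0; }
		/* The whole reported region must be writable, not just the n bytes asked for. */
		memset(p, 0xA5, usable);
		free(p);
	}
	return 1;
}

int main(void)
{
	printf("malloc_usable_size contract: %s\n",
	       check_usable_size_contract() ? "ok" : "FAILED");
	return 0;
}
```

Run against a musl build without the patch, the first check in check_usable_size_contract() is where the process would die; with the patch applied, or on glibc, the function returns 1.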

