From ff6c64de114852dbc3bc1981f7121cdccb81a291 Mon Sep 17 00:00:00 2001
From: GNU Libc Maintainers
Date: Sat, 26 Aug 2017 10:09:24 +0100
Subject: [PATCH] cvs-malloc-hardening

2017-03-17 Chris Evans
* malloc/malloc.c (unlink): Add consistency check between size and next->prev->size, to further harden against 1-byte overflows.
2016-10-27 Florian Weimer
* malloc/malloc.c (sysmalloc): Initialize previous size field of mmaped chunks.
Gbp-Pq: Topic any
Gbp-Pq: Name cvs-malloc-hardening.diff
---
malloc/malloc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 1f5f166ea..37a373c7e 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1405,6 +1405,8 @@ typedef struct malloc_chunk *mbinptr;
 /* Take a chunk off a bin list */
 #define unlink(AV, P, BK, FD) { \
+ if (__builtin_expect (chunksize(P) != next_chunk(P)->prev_size, 0)) \
+ malloc_printerr (check_action, "corrupted size vs. prev_size", P, AV); \
 FD = P->fd; \
 BK = P->bk; \
 if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \
@@ -2361,6 +2363,7 @@ sysmalloc (INTERNAL_SIZE_T nb, mstate av)
 else
 {
 p = (mchunkptr) mm;
+ p->prev_size = 0;
 set_head (p, size | IS_MMAPPED);
 }
-- 
2.30.2
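Review bot: The new consistency test at the top of `unlink` reads `next_chunk(P)->prev_size` through an address derived from the very size field it is validating, and nothing in the macro says why that is the intended detection mechanism; a short comment would help the next reader, e.g. `/* A corrupted size makes next_chunk(P) land on memory whose prev_size will not match; catch it before fd/bk are trusted.  */`. Whether execution continues after `malloc_printerr` depends on `check_action`, exactly as for the existing `FD->bk != P || BK->fd != P` check on the following line, so the new guard is a hard stop only when that action aborts; if it merely prints, the macro goes on to read FD and BK from the inconsistent chunk. A wildly wrong size can also make the `prev_size` read itself fault, which then surfaces as a plain crash rather than the "corrupted size vs. prev_size" message — acceptable for a hardening check, but worth knowing when triaging reports. The remainder of the unlink macro continues outside the hunk.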
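Review bot: The added `p->prev_size = 0;` in the non-aligned mmap branch of `sysmalloc` carries no explanation of why a chunk with no predecessor needs that field set at all; presumably it records the offset back to the start of the mapping, which the aligned branch stores as the front misalignment and which the unmap path subtracts (not visible in this hunk — confirm against the surrounding code), so a comment such as `/* No front misalignment: the mapping starts exactly at p.  */` would make the pairing between the two branches explicit. Since freshly mapped pages are zero-filled, this most likely turns an implicit zero into a guaranteed one rather than changing observed behaviour, which is worth stating so nobody later removes it as redundant. The enclosing sysmalloc body extends on both sides of the hunk.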