[nginx] svn commit: r4830 - trunk/src/core

Thu Aug 30 15:09:21 UTC 2012

Author: ru
Date: 2012-08-30 15:09:21 +0000 (Thu, 30 Aug 2012)
New Revision: 4830
URL: http://trac.nginx.org/nginx/changeset/4830/nginx

Log:
Fixed overflow if ngx_slab_alloc() is called with very big "size" argument.


Modified:
   trunk/src/core/ngx_slab.c

Modified: trunk/src/core/ngx_slab.c
===================================================================

--- trunk/src/core/ngx_slab.c	2012-08-30 14:58:11 UTC (rev 4829)
+++ trunk/src/core/ngx_slab.c	2012-08-30 15:09:21 UTC (rev 4830)
@@ -162,8 +162,8 @@
         ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, ngx_cycle->log, 0,
                        "slab alloc: %uz", size);
 
-        page = ngx_slab_alloc_pages(pool, (size + ngx_pagesize - 1)
-                                          >> ngx_pagesize_shift);
+        page = ngx_slab_alloc_pages(pool, (size >> ngx_pagesize_shift)
+                                          + ((size % ngx_pagesize) ? 1 : 0));
         if (page) {
             p = (page - pool->pages) << ngx_pagesize_shift;
             p += (uintptr_t) pool->start;

