Fixed overflow if ngx_slab_alloc() is called with very big "size" argument.

author: Ruslan Ermilov <ru@nginx.com> 2012-08-30 15:09:21 +0000
committer: Ruslan Ermilov <ru@nginx.com> 2012-08-30 15:09:21 +0000
commit: 9d6d33a5613544b68e5ad8298cb164e71d56548c (patch)
tree: 2a18ef72a1f31a7b423638f23711bcea84b12399 /src
parent: d469482cda460107c034f8d9e723de830a1f768e (diff)
download: nginx-9d6d33a5613544b68e5ad8298cb164e71d56548c.tar.gz
nginx-9d6d33a5613544b68e5ad8298cb164e71d56548c.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/core/ngx_slab.c b/src/core/ngx_slab.c
index 782792d79..ae9d6f3fc 100644
--- a/src/core/ngx_slab.c
+++ b/src/core/ngx_slab.c
@@ -162,8 +162,8 @@ ngx_slab_alloc_locked(ngx_slab_pool_t *pool, size_t size)
         ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, ngx_cycle->log, 0,
                        "slab alloc: %uz", size);
 
-        page = ngx_slab_alloc_pages(pool, (size + ngx_pagesize - 1)
-                                          >> ngx_pagesize_shift);
+        page = ngx_slab_alloc_pages(pool, (size >> ngx_pagesize_shift)
+                                          + ((size % ngx_pagesize) ? 1 : 0));
         if (page) {
             p = (page - pool->pages) << ngx_pagesize_shift;
             p += (uintptr_t) pool->start;
author	Ruslan Ermilov <ru@nginx.com>	2012-08-30 15:09:21 +0000
committer	Ruslan Ermilov <ru@nginx.com>	2012-08-30 15:09:21 +0000
commit	9d6d33a5613544b68e5ad8298cb164e71d56548c (patch)
tree	2a18ef72a1f31a7b423638f23711bcea84b12399 /src
parent	d469482cda460107c034f8d9e723de830a1f768e (diff)
download	nginx-9d6d33a5613544b68e5ad8298cb164e71d56548c.tar.gz nginx-9d6d33a5613544b68e5ad8298cb164e71d56548c.zip