Fixed overflow if ngx_slab_alloc() is called with very big "size" argument.
authorRuslan Ermilov <ru@nginx.com>
Thu, 30 Aug 2012 15:09:21 +0000 (15:09 +0000)
committerRuslan Ermilov <ru@nginx.com>
Thu, 30 Aug 2012 15:09:21 +0000 (15:09 +0000)
src/core/ngx_slab.c

index 782792d79eff8791b6e06f3ef574808ae266abbf..ae9d6f3fc0ea2eceeb9ec0dbd995f7e5241b60f8 100644 (file)
@@ -162,8 +162,8 @@ ngx_slab_alloc_locked(ngx_slab_pool_t *pool, size_t size)
         ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, ngx_cycle->log, 0,
                        "slab alloc: %uz", size);
 
-        page = ngx_slab_alloc_pages(pool, (size + ngx_pagesize - 1)
-                                          >> ngx_pagesize_shift);
+        page = ngx_slab_alloc_pages(pool, (size >> ngx_pagesize_shift)
+                                          + ((size % ngx_pagesize) ? 1 : 0));
         if (page) {
             p = (page - pool->pages) << ngx_pagesize_shift;
             p += (uintptr_t) pool->start;
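Review bot: The new round-up expression in the ngx_slab_alloc_pages() call carries no comment explaining why it avoids the shorter `(size + ngx_pagesize - 1) >> ngx_pagesize_shift` form, so a later cleanup could reintroduce the size_t wraparound that turns a very large request into a small page count. I would add `/* round up without computing size + ngx_pagesize - 1, which wraps for size near the size_t maximum */` directly above the call. The fix also appears to rely on ngx_slab_alloc_pages() returning NULL for a page count larger than the pool can satisfy; that function is not visible here and is worth confirming. The body of ngx_slab_alloc_locked starts and ends outside this hunk.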