From ef8804ba277b055fdc3e6d148e680e3c1b597ad8 Mon Sep 17 00:00:00 2001 From: "Felix S. Klock II" Date: Thu, 13 Jul 2017 17:17:08 +0200 Subject: [PATCH] Add precondition to `Layout` that the `align` fit in a u32. This precondition takes the form of a behavorial change in `Layout::from_size_align` (so it returns `None` if the `align` is too large) and a new requirement for safe usage of `Layout::from_size_align_unchecked`. Fix #30170. --- src/liballoc/allocator.rs | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/src/liballoc/allocator.rs b/src/liballoc/allocator.rs index ca5388b4701..61d48f1588d 100644 --- a/src/liballoc/allocator.rs +++ b/src/liballoc/allocator.rs @@ -65,11 +65,13 @@ pub struct Layout { impl Layout { /// Constructs a `Layout` from a given `size` and `align`, - /// or returns `None` if either of the following conditions + /// or returns `None` if any of the following conditions /// are not met: /// /// * `align` must be a power of two, /// + /// * `align` must not exceed 2^31 (i.e. `1 << 31`), + /// /// * `size`, when rounded up to the nearest multiple of `align`, /// must not overflow (i.e. the rounded value must be less than /// `usize::MAX`). @@ -79,6 +81,10 @@ impl Layout { return None; } + if align > (1 << 31) { + return None; + } + // (power-of-two implies align != 0.) // Rounded up size is: @@ -106,8 +112,10 @@ impl Layout { /// /// # Unsafety /// - /// This function is unsafe as it does not verify that `align` is a power of - /// two nor that `size` aligned to `align` fits within the address space. + /// This function is unsafe as it does not verify that `align` is + /// a power-of-two that is also less than or equal to 2^31, nor + /// that `size` aligned to `align` fits within the address space + /// (i.e. the `Layout::from_size_align` preconditions). #[inline] pub unsafe fn from_size_align_unchecked(size: usize, align: usize) -> Layout { Layout { size: size, align: align } @@ -217,10 +225,10 @@ impl Layout { Some(alloc_size) => alloc_size, }; - // We can assume that `self.align` is a power-of-two. - // Furthermore, `alloc_size` has alreayd been rounded up - // to a multiple of `self.align`; therefore, the call - // to `Layout::from_size_align` below should never panic. + // We can assume that `self.align` is a power-of-two that does + // not exceed 2^31. Furthermore, `alloc_size` has already been + // rounded up to a multiple of `self.align`; therefore, the + // call to `Layout::from_size_align` below should never panic. Some((Layout::from_size_align(alloc_size, self.align).unwrap(), padded_size)) }