Merge branch 'dev' into atat-plusplus

author: hexcoder <hexcoder-@users.noreply.github.com> 2021-03-17 08:00:32 +0100
committer: GitHub <noreply@github.com> 2021-03-17 08:00:32 +0100
commit: d17abce59b846d2008eac3dd1a73939e91f4b653 (patch)
tree: e2715f85ccae8a64a0bce669a7a767dea363f673 /qemu_mode/libqasan/malloc.c
parent: 62f067ec71aff384a197511b33142002ca284c66 (diff)
parent: b715050de9846ab4b1f30a811af83b7a4b9e09a3 (diff)
download: afl++-d17abce59b846d2008eac3dd1a73939e91f4b653.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/qemu_mode/libqasan/malloc.c b/qemu_mode/libqasan/malloc.c
index 5a2d2a0c..6fe6fc8c 100644
--- a/qemu_mode/libqasan/malloc.c
+++ b/qemu_mode/libqasan/malloc.c
@@ -159,6 +159,9 @@ size_t __libqasan_malloc_usable_size(void *ptr) {
   char *p = ptr;
   p -= sizeof(struct chunk_begin);
 
+  // Validate that the chunk marker is readable (a crude check
+  // to verify that ptr is a valid malloc region before we dereference it)
+  QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
   return ((struct chunk_begin *)p)->requested_size;
 
 }
@@ -225,6 +228,9 @@ void __libqasan_free(void *ptr) {
   struct chunk_begin *p = ptr;
   p -= 1;
 
+  // Validate that the chunk marker is readable (a crude check
+  // to verify that ptr is a valid malloc region before we dereference it)
+  QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
   size_t n = p->requested_size;
 
   QASAN_STORE(ptr, n);
author	hexcoder <hexcoder-@users.noreply.github.com>	2021-03-17 08:00:32 +0100
committer	GitHub <noreply@github.com>	2021-03-17 08:00:32 +0100
commit	d17abce59b846d2008eac3dd1a73939e91f4b653 (patch)
tree	e2715f85ccae8a64a0bce669a7a767dea363f673 /qemu_mode/libqasan/malloc.c
parent	62f067ec71aff384a197511b33142002ca284c66 (diff)
parent	b715050de9846ab4b1f30a811af83b7a4b9e09a3 (diff)
download	afl++-d17abce59b846d2008eac3dd1a73939e91f4b653.tar.gz