authorRichard Weinberger <richard@nod.at>2024-08-02 12:08:46 +0200
committerTom Rini <trini@konsulko.com>2024-08-15 16:14:36 -0600
commit9b9368b5c4dc24b3b999743db26fb915981d26a9 (patch)
tree359bc26f3807ac4b26a3f74682754c8e3bd44246 /common/dlmalloc.c
parent0a10b49206a29b4aa2f80233a3e53ca0466bb0b3 (diff)
dlmalloc: Make sure allocation size is within malloc area
Since U-Boot does not support memory overcommit we can enforce that the allocation size is within the malloc area. This is a simple and efficient hardening measure to mitigate further integer overflows in dlmalloc. Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'common/dlmalloc.c')
-rw-r--r--common/dlmalloc.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index 8e201ac0dc5..1ac7ce3f43c 100644
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -1274,7 +1274,8 @@ Void_t* mALLOc_impl(bytes) size_t bytes;
return NULL;
}
- if ((long)bytes < 0) return NULL;
+ if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
+ return NULL;
nb = request2size(bytes); /* padded request size; */
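Review bot: The new bound in mALLOc_impl carries no comment, so a reader has to find the commit message to learn why CONFIG_SYS_MALLOC_LEN is the ceiling; the same applies to the identical checks in the rEALLOc_impl and mEMALIGn_impl hunks. I would add `/* No overcommit: a request larger than the whole malloc area can never be satisfied; rejecting it here keeps the padding in request2size() from wrapping */` above the test. The retained `(long)bytes < 0` term looks redundant whenever CONFIG_SYS_MALLOC_LEN fits in a long, which is presumably always the case, so either drop it or say in the comment that it is kept as a second guard. Since the test is now open-coded three times, a small static inline helper or macro would keep the three sites from drifting apart. mALLOc_impl's body starts before and continues after this hunk.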
@@ -1687,7 +1688,8 @@ Void_t* rEALLOc_impl(oldmem, bytes) Void_t* oldmem; size_t bytes;
}
#endif
- if ((long)bytes < 0) return NULL;
+ if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
+ return NULL;
/* realloc of null is supposed to be same as malloc */
if (oldmem == NULL) return mALLOc_impl(bytes);
@@ -1911,7 +1913,8 @@ Void_t* mEMALIGn_impl(alignment, bytes) size_t alignment; size_t bytes;
mchunkptr remainder; /* spare room at end to split off */
long remainder_size; /* its size */
- if ((long)bytes < 0) return NULL;
+ if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
+ return NULL;
#if CONFIG_IS_ENABLED(SYS_MALLOC_F)
if (!(gd->flags & GD_FLG_FULL_MALLOC_INIT)) {
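Review bot: Only `bytes` is bounded in mEMALIGn_impl; the `alignment` argument, also a caller-supplied size_t, is still unchecked at this point. If the body below the hunk adds the alignment to the padded request before calling the allocator (not visible here, so this needs confirming), an oversized alignment could wrap that sum even though `bytes` passed the new test. A matching guard such as `if (alignment > CONFIG_SYS_MALLOC_LEN) return NULL;` next to the new check would close that, assuming no caller legitimately asks for an alignment larger than the malloc area. The function continues past the end of the hunk.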