From 9d6d33a5613544b68e5ad8298cb164e71d56548c Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov
Date: Thu, 30 Aug 2012 15:09:21 +0000
Subject: Fixed overflow if ngx_slab_alloc() is called with very big "size" argument.
---
 src/core/ngx_slab.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/core/ngx_slab.c b/src/core/ngx_slab.c
index 782792d79..ae9d6f3fc 100644
--- a/src/core/ngx_slab.c
+++ b/src/core/ngx_slab.c
@@ -162,8 +162,8 @@ ngx_slab_alloc_locked(ngx_slab_pool_t *pool, size_t size)
 ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, ngx_cycle->log, 0, "slab alloc: %uz", size);
- page = ngx_slab_alloc_pages(pool, (size + ngx_pagesize - 1)
- >> ngx_pagesize_shift);
+ page = ngx_slab_alloc_pages(pool, (size >> ngx_pagesize_shift)
+ + ((size % ngx_pagesize) ? 1 : 0));
 if (page) {
 p = (page - pool->pages) << ngx_pagesize_shift;
 p += (uintptr_t) pool->start;
-- cgit
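Review bot: The new page-count expression passed to ngx_slab_alloc_pages() has no comment explaining why it avoids the usual `(size + ngx_pagesize - 1) >> ngx_pagesize_shift` idiom, so a later cleanup could reintroduce the wrap-around. With a size near the maximum of size_t the old sum wrapped to a small value, so fewer pages were requested than the caller asked for, and an undersized allocation like that can turn into out-of-bounds writes by the caller. I would add above the call `/* round up without adding to size: size + ngx_pagesize - 1 wraps for huge sizes */`. Since ngx_pagesize_shift implies a power-of-two page size, `(size & (ngx_pagesize - 1)) != 0` would express the remainder test without a division, provided that assumption holds wherever ngx_pagesize is set. The body of ngx_slab_alloc_locked() starts and ends outside this hunk, so whether size is bounded earlier in the function is not visible here.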