[boost] In Boost.Pool, be careful not to overflow allocated chunk size. - Resolves: #828857

Petr Machata pmachata at fedoraproject.org
Wed Jun 6 22:49:52 UTC 2012


commit b88ee833227b3a3b7f299df93b644e78eb39bd4e
Author: Petr Machata <pmachata at redhat.com>
Date:   Thu Jun 7 00:44:26 2012 +0200

    In Boost.Pool, be careful not to overflow allocated chunk size.
    - Resolves: #828857

 boost-1.48.0-pool.patch |  122 +++++++++++++++++++++++++++++++++++++++++++++++
 boost.spec              |   11 ++++-
 2 files changed, 132 insertions(+), 1 deletions(-)
---
diff --git a/boost-1.48.0-pool.patch b/boost-1.48.0-pool.patch
new file mode 100644
index 0000000..5154027
--- /dev/null
+++ b/boost-1.48.0-pool.patch
@@ -0,0 +1,122 @@
+Index: boost/pool/pool.hpp
+===================================================================
+--- boost/pool/pool.hpp	(revision 78317)
++++ boost/pool/pool.hpp	(revision 78326)
+@@ -27,4 +27,6 @@
+ #include <boost/pool/poolfwd.hpp>
+ 
++// std::numeric_limits
++#include <boost/limits.hpp>
+ // boost::math::static_lcm
+ #include <boost/math/common_factor_ct.hpp>
+@@ -358,4 +360,13 @@
+     }
+ 
++    size_type max_chunks() const
++    { //! Calculated maximum number of memory chunks that can be allocated in a single call by this Pool.
++      size_type partition_size = alloc_size();
++      size_type POD_size = math::static_lcm<sizeof(size_type), sizeof(void *)>::value + sizeof(size_type);
++      size_type max_chunks = (std::numeric_limits<size_type>::max() - POD_size) / alloc_size();
++    
++      return max_chunks;
++    }
++
+     static void * & nextof(void * const ptr)
+     { //! \returns Pointer dereferenced.
+@@ -377,5 +388,7 @@
+       //!   the first time that object needs to allocate system memory.
+       //!   The default is 32. This parameter may not be 0.
+-      //! \param nmax_size is the maximum number of chunks to allocate in one block.
++      //! \param nmax_size is the maximum number of chunks to allocate in one block.			
++      set_next_size(nnext_size);
++      set_max_size(nmax_size);
+     }
+ 
+@@ -400,7 +413,7 @@
+     }
+     void set_next_size(const size_type nnext_size)
+-    { //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0.
+-      //! \returns nnext_size.
+-      next_size = start_size = nnext_size;
++    { //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0.     
++      BOOST_USING_STD_MIN();
++      next_size = start_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nnext_size, max_chunks());
+     }
+     size_type get_max_size() const
+@@ -410,5 +423,6 @@
+     void set_max_size(const size_type nmax_size)
+     { //! Set max_size.
+-      max_size = nmax_size;
++      BOOST_USING_STD_MIN();
++      max_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nmax_size, max_chunks());
+     }
+     size_type get_requested_size() const
+@@ -713,7 +727,7 @@
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+   //  initialize it,
+@@ -753,7 +767,7 @@
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+   //  initialize it,
+@@ -797,4 +811,6 @@
+   //! \returns Address of chunk n if allocated ok.
+   //! \returns 0 if not enough memory for n chunks.
++  if (n > max_chunks())
++    return 0;
+ 
+   const size_type partition_size = alloc_size();
+@@ -845,7 +861,7 @@
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+   //  insert it into the list,
+Index: libs/pool/test/test_bug_6701.cpp
+===================================================================
+--- libs/pool/test/test_bug_6701.cpp	(revision 78326)
++++ libs/pool/test/test_bug_6701.cpp	(revision 78326)
+@@ -0,0 +1,27 @@
++/* Copyright (C) 2012 Étienne Dupuis
++* 
++* Use, modification and distribution is subject to the 
++* Boost Software License, Version 1.0. (See accompanying
++* file LICENSE_1_0.txt or http://www.boost.org/LICENSE_1_0.txt)
++*/
++
++// Test of bug #6701 (https://svn.boost.org/trac/boost/ticket/6701)
++
++#include <boost/pool/object_pool.hpp>
++#include <boost/limits.hpp>
++
++int main()
++{
++  boost::pool<> p(1024, std::numeric_limits<size_t>::max() / 768);
++
++  void *x = p.malloc();
++  BOOST_ASSERT(!x);
++  
++  BOOST_ASSERT(std::numeric_limits<size_t>::max() / 1024 >= p.get_next_size());
++  BOOST_ASSERT(std::numeric_limits<size_t>::max() / 1024 >= p.get_max_size());
++
++  void *y = p.ordered_malloc(std::numeric_limits<size_t>::max() / 768);
++  BOOST_ASSERT(!y);
++
++  return 0;
++}
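Review bot: In the nested pool.hpp patch, the three growth sites (old lines 713, 753 and 845) now go through `set_next_size()`, which assigns `start_size` as well as `next_size`, so every growth step overwrites the configured start size where the old code changed only `next_size`. How `start_size` is used is not visible here; if the pool falls back to it when memory is released, it would restart from the grown value instead of the caller's. Keeping the overflow clamp without touching `start_size` would be `next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_chunks());` in the `!max_size` branch, with the same `max_chunks()` bound applied to the result of the other branch. The enclosing functions begin and end outside these hunks. Separately, test_bug_6701.cpp checks only with `BOOST_ASSERT`, which by default compiles to nothing under NDEBUG, so an explicit `if (x) return 1;` style check would keep the test meaningful in release builds.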
diff --git a/boost.spec b/boost.spec
index f0f8aff..9a0d5ca 100644
--- a/boost.spec
+++ b/boost.spec
@@ -26,7 +26,7 @@ Name: boost
 Summary: The free peer-reviewed portable C++ source libraries
 Version: 1.48.0
 %define version_enc 1_48_0
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: Boost and MIT and Python
 
 # The CMake build framework (set of CMakeLists.txt and module.cmake files) is
@@ -148,6 +148,10 @@ Patch13: boost-1.48.0-python3.patch
 # https://svn.boost.org/trac/boost/ticket/6940
 Patch14: boost-1.48.0-xtime.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=828856
+# https://bugzilla.redhat.com/show_bug.cgi?id=828857
+Patch15: boost-1.48.0-pool.patch
+
 %bcond_with tests
 %bcond_with docs_generated
 
@@ -536,6 +540,7 @@ sed 's/_FEDORA_SONAME/%{sonamever}/' %{PATCH1} | %{__patch} -p0 --fuzz=0
 %patch12 -p3
 %patch13 -p1
 %patch14 -p1
+%patch15 -p0
 
 %build
 # Support for building tests.
@@ -1074,6 +1079,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/bjam.1*
 
 %changelog
+* Wed Jun  6 2012 Petr Machata <pmachata at redhat.com> - 1.48.0-15
+- In Boost.Pool, be careful not to overflow allocated chunk size.
+- Resolves: #828857
+
 * Thu May 24 2012 Petr Machata <pmachata at redhat.com> - 1.48.0-14
 - Don't attempt to install Python 3 portions of boost when given
   --without python3

