gistfile1.txt

From fb3faca3c6c58fa8c8f993e78b76c7206e135437 Mon Sep 17 00:00:00 2001
From: Jason Evans <jasone@canonware.com>
Date: Sun, 5 Oct 2014 13:05:10 -0700
Subject: [PATCH] Fix OOM-related regression in arena_tcache_fill_small().

Fix an OOM-related regression in arena_tcache_fill_small() that caused
cache corruption that would almost certainly expose the application to
undefined behavior, usually in the form of an allocation request
returning an already-allocated region, or somewhat less likely, a freed
region that had already been returned to the arena, thus making it
available to the arena for any purpose.

This regression was introduced by
9c43c13a35220c10d97a886616899189daceb359 (Reverse tcache fill order.),
and was present in all releases from 2.2.0 through 3.6.0.

This resolves #98.

Conflicts:
	src/arena.c

MERGE NOTE: Removed (most likely) cosmetic use of unlikely().
---
 src/arena.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/arena.c b/src/arena.c
index dad707b..f8d8925 100644
--- a/src/arena.c
+++ b/src/arena.c
@@ -1479,8 +1479,19 @@ arena_tcache_fill_small(arena_t *arena, tcache_bin_t *tbin, size_t binind,
 			ptr = arena_run_reg_alloc(run, &arena_bin_info[binind]);
 		else
 			ptr = arena_bin_malloc_hard(arena, bin);
-		if (ptr == NULL)
+		if (ptr == NULL) {
+			/*
+			 * OOM.  tbin->avail isn't yet filled down to its first
+			 * element, so the successful allocations (if any) must
+			 * be moved to the base of tbin->avail before bailing
+			 * out.
+			 */
+			if (i > 0) {
+				memmove(tbin->avail, &tbin->avail[nfill - i],
+				    i * sizeof(void *));
+			}
 			break;
+		}
 		if (config_fill && opt_junk) {
 			arena_alloc_junk_small(ptr, &arena_bin_info[binind],
 			    true);
-- 
2.1.4