From affec03b713c82c43a5b025dddc21bde3334f41e Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 26 Nov 2018 20:06:37 +0100
Subject: malloc: tcache: Validate tc_idx before checking for double-frees [BZ
 #23907]

The previous check could read beyond the end of the tcache entry
array.  If the e->key == tcache cookie check happened to pass, this
would result in crashes.
---
 ChangeLog | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'ChangeLog')

diff --git a/ChangeLog b/ChangeLog
index 77fb773aea..84ddd68d7d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-11-26  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23907]
+	* malloc/malloc.c (_int_free): Validate tc_idx before checking for
+	double-frees.
+
 2018-11-26  Rafael Ávila de Espíndola  <rafael@espindo.la>
 
 	[BZ #19767]
-- 
cgit v1.2.1