runtime: fix buffer overflow in make(chan)

On 32-bits one can arrange make(chan) params so that
the chan buffer gives you access to whole memory.

LGTM=r
R=golang-codereviews, r
CC=bradfitz, golang-codereviews, iant, khr
https://golang.org/cl/50250045

diff --git a/src/pkg/runtime/chan.c b/src/pkg/runtime/chan.c
index fd382f80f151eed62641019384e84f0be6ef8655..a0c285eadb43d62eafda75a96deb0e4cbd94f79e 100644 (file)
--- a/src/pkg/runtime/chan.c
+++ b/src/pkg/runtime/chan.c
@@ -104,7 +104,7 @@ runtime·makechan_c(ChanType *t, int64 hint)
        if((sizeof(*c)%MAXALIGN) != 0 || elem->align > MAXALIGN)
                runtime·throw("makechan: bad alignment");
 
-       if(hint < 0 || (intgo)hint != hint || (elem->size > 0 && hint > MaxMem / elem->size))
+       if(hint < 0 || (intgo)hint != hint || (elem->size > 0 && hint > (MaxMem - sizeof(*c)) / elem->size))
                runtime·panicstring("makechan: size out of range");
 
        // allocate memory in one call