runtime: fix buffer overflow in stringtoslicerune
authorDmitriy Vyukov <dvyukov@google.com>
Mon, 27 Jan 2014 16:29:21 +0000 (20:29 +0400)
committerDmitriy Vyukov <dvyukov@google.com>
Mon, 27 Jan 2014 16:29:21 +0000 (20:29 +0400)
On 32-bit systems, n*sizeof(r[0]) can overflow.
Or it can become 1<<32-eps, and mallocgc will "successfully"
allocate 0 pages for it; there are no checks downstream,
and MHeap_Grow just does:
npage = (npage+15)&~15;
ask = npage<<PageShift;

LGTM=khr
R=golang-codereviews, khr
CC=golang-codereviews
https://golang.org/cl/54760045

src/pkg/runtime/malloc.goc
src/pkg/runtime/string.goc

index 0a0420d415bfdeba4724fe11b9ec03e859eb7443..280a0a2a8f2fafc7dd25161cc1c4bf5bc77d4313 100644 (file)
@@ -224,6 +224,8 @@ largealloc(uint32 flag, uintptr *sizep)
 
        // Allocate directly from heap.
        size = *sizep;
+       if(size + PageSize < size)
+               runtime·throw("out of memory");
        npages = size >> PageShift;
        if((size & PageMask) != 0)
                npages++;
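Review bot: The new guard `if(size + PageSize < size)` leaves only a one-page margin, while the commit description says MHeap_Grow rounds the page count up to a multiple of 16 before `ask = npage<<PageShift`. If that rounding is still reached for a request of this size (MHeap_Grow is not in this hunk, so this is inferred from the description), a size within 16 pages of the uintptr limit passes the check here and the shift can still wrap on 32-bit. Consider checking at the rounding site, for example `if((ask>>PageShift) != npage)` after the shift, or widening the margin here, and add a comment such as `// reject sizes whose page round-up would wrap uintptr`. largealloc's body starts and ends outside the hunk.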
index 407188cfe6477db0a66f8c943cbff690540d6cab..a46fa5d8d28d182d46b71d677ee9defbec5a6c9b 100644 (file)
@@ -334,6 +334,8 @@ func stringtoslicerune(s String) (b Slice) {
                n++;
        }
 
+       if(n > MaxMem/sizeof(r[0]))
+               runtime·throw("out of memory");
        mem = runtime·roundupsize(n*sizeof(r[0]));
        b.array = runtime·mallocgc(mem, 0, FlagNoScan|FlagNoZero);
        b.len = n;
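Review bot: The overflow check on `n` has no comment, and its correctness depends on ordering: it must stay ahead of `n*sizeof(r[0])`, and it bounds the product before `runtime·roundupsize`, not the rounded `mem` that is actually passed to `runtime·mallocgc`. A comment such as `// check before multiplying: n*sizeof(r[0]) can overflow uintptr on 32-bit` would keep a later refactor from moving the multiplication above it. Whether the rounded value is also safe depends on roundupsize and on the guard added to largealloc in malloc.goc, which is worth stating in that comment. The declaration of `n` and the rest of stringtoslicerune are outside the hunk, so the signedness of the comparison against `MaxMem/sizeof(r[0])` cannot be confirmed from here.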