From: Dmitriy Vyukov <dvyukov@google.com>
Date: Tue, 28 Jan 2014 18:37:35 +0000 (+0400)
Subject: runtime: fix buffer overflow in make(chan)
X-Git-Tag: go1.3beta1~854
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=d409e44cfb7b2a323658f4b6fd6d5bb3a9104889;p=gostls13.git

runtime: fix buffer overflow in make(chan)
On 32-bits one can arrange make(chan) params so that
the chan buffer gives you access to whole memory.

LGTM=r
R=golang-codereviews, r
CC=bradfitz, golang-codereviews, iant, khr
https://golang.org/cl/50250045
---

diff --git a/src/pkg/runtime/chan.c b/src/pkg/runtime/chan.c
index fd382f80f1..a0c285eadb 100644
--- a/src/pkg/runtime/chan.c
+++ b/src/pkg/runtime/chan.c
@@ -104,7 +104,7 @@ runtime·makechan_c(ChanType *t, int64 hint)
 	if((sizeof(*c)%MAXALIGN) != 0 || elem->align > MAXALIGN)
 		runtime·throw("makechan: bad alignment");
 
-	if(hint < 0 || (intgo)hint != hint || (elem->size > 0 && hint > MaxMem / elem->size))
+	if(hint < 0 || (intgo)hint != hint || (elem->size > 0 && hint > (MaxMem - sizeof(*c)) / elem->size))
 		runtime·panicstring("makechan: size out of range");
 
 	// allocate memory in one call