malloc(65535UL) to malloc(65532UL) succeed while they should not
colinleroy opened this issue · comments
Colin Leroy-Mira commented
FYI, found while working on #2352. When we add #HEAP_ADMIN_SPACE to the user-requested size, no carry check is done, and if the user asks for a 65535-byte buffer, we'll "add" .sizeof(usedblock) (4) to it, get a new size of 3, and happily allocate #HEAP_MIN_BLOCKSIZE (6 bytes).
Same for realloc.
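The wraparound reported above, modelled in portable C as an added example (not part of the original issue and not the cc65 runtime code). It assumes a 16-bit `size_t` modelled with `uint16_t`; the function names are hypothetical, and the two constants are the values quoted in the issue.

```c
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the issue text. */
#define HEAP_ADMIN_SPACE   4u   /* .sizeof(usedblock) */
#define HEAP_MIN_BLOCKSIZE 6u

/* Assumption: size_t is 16 bits wide, modelled here with uint16_t. */
typedef uint16_t size16_t;

/* Unchecked sizing as the issue describes it: add the admin overhead
 * with no carry check, then clamp to the minimum block size. */
static size16_t block_size_unchecked(size16_t request)
{
    size16_t total = (size16_t)(request + HEAP_ADMIN_SPACE); /* wraps mod 65536 */
    if (total < HEAP_MIN_BLOCKSIZE)
        total = HEAP_MIN_BLOCKSIZE;
    return total;
}

/* Checked sizing (hypothetical helper): returns 0 when request plus
 * overhead does not fit in 16 bits, so the caller can fail the allocation
 * and return NULL. 0 is never a valid block size because of the clamp. */
static size16_t block_size_checked(size16_t request)
{
    size16_t total;
    if (request > (size16_t)(UINT16_MAX - HEAP_ADMIN_SPACE))
        return 0;                       /* carry would occur: reject */
    total = (size16_t)(request + HEAP_ADMIN_SPACE);
    if (total < HEAP_MIN_BLOCKSIZE)
        total = HEAP_MIN_BLOCKSIZE;
    return total;
}

int main(void)
{
    /* Constructed sample requests around the wrap boundary. */
    static const size16_t requests[] = { 1, 100, 65531, 65532, 65535 };
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; ++i) {
        printf("request %5u: unchecked block %5u, checked block %5u\n",
               (unsigned)requests[i],
               (unsigned)block_size_unchecked(requests[i]),
               (unsigned)block_size_checked(requests[i]));
    }
    return 0;
}
```

With the unchecked computation, a caller that asked for 65532 to 65535 bytes receives a pointer to a 6-byte block, so any write past the first few bytes lands in neighbouring heap data. The same guard applies to the size computation in realloc.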