thread_stats.malloced_by_size[class_id] overflow in asan_allocator.cc

[GoogleCodeExporter]

What version of the product are you using? On what operating system?

Clang 3.7, x86_64-unknown-linux-gnu

Please provide any additional information below.

Performing static analysis for ASan via Coverity Prevent tool, I've noticed, 
that thread_stats.malloced_by_size[class_id] from can be overflowed in Allocate 
function from asan_allocator.cc.

Here:

$ cat lib/asan/asan_allocator.cc
....................................
  uptr class_id =
      Min(kNumberOfSizeClasses, SizeClassMap::ClassID(needed_size));
  thread_stats.malloced_by_size[class_id]++;

If class_id == kNumberOfSizeClasses == 255, than we access 
thread_stats.malloced_by_size[255] and overflow thread_stats.malloced_by_size 
array.

Original issue reported on code.google.com by chefM...@gmail.com on 26 Jun 2015 at 6:21

[GoogleCodeExporter]

Original comment by samso...@google.com on 26 Jun 2015 at 6:31

• Changed state: Accepted

[GoogleCodeExporter]

Should be fixed in r240816, thanks for the report!

Original comment by samso...@google.com on 26 Jun 2015 at 7:18

• Changed state: Fixed

[GoogleCodeExporter]

Thank you, Alexey.

Original comment by chefM...@gmail.com on 26 Jun 2015 at 7:47

[GoogleCodeExporter]

Adding Project:AddressSanitizer as part of GitHub migration.

Original comment by ramosian.glider@gmail.com on 30 Jul 2015 at 9:14

• Added labels: ProjectAddressSanitizer