jayji pushed a commit to branch master. http://git.enlightenment.org/core/efl.git/commit/?id=96ab58fb8e34868c16beca2ee99c148e31e8eb09
commit 96ab58fb8e34868c16beca2ee99c148e31e8eb09 Author: Jean Guyomarc'h <j...@guyomarch.bzh> Date: Sat Sep 16 14:20:11 2017 +0200 eina: prevent memory corruption in chained mempool The chained mempool uses eina trash to dispose and retrieve memory blobs. Problem is that eina trash requires the memory blobs to be at least of the size of a pointer. If the size of an element in the mempool is less than the size of a pointer, which _is_ possible as no minimal size is enforced, eina_trash will silently corrupt the memory pool. To prevent memory corruption while still allowing small elements, the size of an element defaults to the size of a pointer if it was smaller. This comes at the cost of consuming slightly more memory in these cases, but at least the memory pool can safely be used. @fix --- src/modules/eina/mp/chained_pool/eina_chained_mempool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/eina/mp/chained_pool/eina_chained_mempool.c b/src/modules/eina/mp/chained_pool/eina_chained_mempool.c index 7ab6954c7f..b50b4dd95f 100644 --- a/src/modules/eina/mp/chained_pool/eina_chained_mempool.c +++ b/src/modules/eina/mp/chained_pool/eina_chained_mempool.c @@ -563,7 +563,7 @@ eina_chained_mempool_init(const char *context, memcpy((char *)mp->name, context, length); } - mp->item_alloc = eina_mempool_alignof(item_size); + mp->item_alloc = MAX(eina_mempool_alignof(item_size), sizeof(void *)); mp->pool_size = (((((mp->item_alloc * mp->pool_size + aligned_chained_pool) / page_size) + 1) * page_size) --
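Review bot: the `MAX(eina_mempool_alignof(item_size), sizeof(void *))` clamp on the `+` line needs an in-code comment, because the invariant it protects (eina trash stores a pointer inside every freed blob, so an element can never be smaller than `sizeof(void *)` without the free list overwriting a neighbouring element) is stated only in the commit message and will be lost to the next reader of `eina_chained_mempool_init`. Suggest a one-line comment directly above the assignment, e.g. `/* eina_trash writes a pointer into freed items: never go below sizeof(void *) */`, plus a regression test that creates a chained mempool with an `item_size` smaller than a pointer, allocates and frees several elements, and checks that adjacent elements keep their contents. Also worth confirming that `MAX` is already available in this translation unit, since nothing in the hunk shows where it is defined.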