Only access offset if canaries are enabled *and* size > 0, otherwise offset

is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@

diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c
index eaa97f8..dc2c7b1 100644 (file)
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: malloc.c,v 1.226 2017/06/19 03:06:26 dlg Exp $        */
+/*     $OpenBSD: malloc.c,v 1.227 2017/07/07 19:14:46 otto Exp $       */
 /*
  * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
  * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -1013,7 +1013,7 @@ malloc_bytes(struct dir_info *d, size_t size, void *f)
        /* Adjust to the real offset of that chunk */
        k += (lp - bp->bits) * MALLOC_BITS;
 
-       if (mopts.chunk_canaries)
+       if (mopts.chunk_canaries && size > 0)
                bp->bits[bp->offset + k] = size;
 
        k <<= bp->shift;