In Boost.Pool, be careful not to overflow allocated chunk size.

- Resolves: #828857

boost-1.47.0-pool.patch

@@ -0,0 +1,110 @@
+diff -up boost_1_47_0/boost/pool/pool.hpp\~ boost_1_47_0/boost/pool/pool.hpp
+--- boost_1_47_0/boost/pool/pool.hpp~	2011-01-11 15:22:32.000000000 +0100
++++ boost_1_47_0/boost/pool/pool.hpp	2012-06-07 01:00:26.936184589 +0200
+@@ -26,6 +26,10 @@
+ 
+ #include <boost/pool/poolfwd.hpp>
+ 
++// std::numeric_limits
++#include <boost/limits.hpp>
++// boost::math::static_lcm
++#include <boost/math/common_factor.hpp>
+ // boost::details::pool::ct_lcm
+ #include <boost/pool/detail/ct_gcd_lcm.hpp>
+ // boost::details::pool::lcm
+@@ -187,6 +191,15 @@ class pool: protected simple_segregated_
+       return details::pool::lcm<size_type>(requested_size, min_size);
+     }
+ 
++    size_type max_chunks() const
++    { //! Calculated maximum number of memory chunks that can be allocated in a single call by this Pool.
++      size_type partition_size = alloc_size();
++      size_type POD_size = math::static_lcm<sizeof(size_type), sizeof(void *)>::value + sizeof(size_type);
++      size_type max_chunks = (std::numeric_limits<size_type>::max() - POD_size) / alloc_size();
++    
++      return max_chunks;
++    }
++
+     // for the sake of code readability :)
+     static void * & nextof(void * const ptr)
+     { return *(static_cast<void **>(ptr)); }
+@@ -198,7 +211,10 @@ class pool: protected simple_segregated_
+         const size_type nnext_size = 32,
+         const size_type nmax_size = 0)
+     :list(0, 0), requested_size(nrequested_size), next_size(nnext_size), start_size(nnext_size),max_size(nmax_size)
+-    { }
++    {
++      set_next_size(nnext_size);
++      set_max_size(nmax_size);
++    }
+ 
+     ~pool() { purge_memory(); }
+ 
+@@ -213,9 +229,17 @@ class pool: protected simple_segregated_
+ 
+     // These functions are extensions!
+     size_type get_next_size() const { return next_size; }
+-    void set_next_size(const size_type nnext_size) { next_size = start_size = nnext_size; }
++    void set_next_size(const size_type nnext_size)
++    {
++      BOOST_USING_STD_MIN();
++      next_size = start_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nnext_size, max_chunks());
++    }
+     size_type get_max_size() const { return max_size; }
+-    void set_max_size(const size_type nmax_size) { max_size = nmax_size; }
++    void set_max_size(const size_type nmax_size)
++    {
++      BOOST_USING_STD_MIN();
++      max_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nmax_size, max_chunks());
++    }
+     size_type get_requested_size() const { return requested_size; }
+ 
+     // Both malloc and ordered_malloc do a quick inlined check first for any
+@@ -447,9 +471,9 @@ void * pool<UserAllocator>::malloc_need_
+   
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+   //  initialize it,
+   store().add_block(node.begin(), node.element_size(), partition_size);
+@@ -476,9 +500,9 @@ void * pool<UserAllocator>::ordered_mall
+ 
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+   //  initialize it,
+   //  (we can use "add_block" here because we know that
+@@ -519,6 +543,9 @@ void * pool<UserAllocator>::ordered_mall
+ template <typename UserAllocator>
+ void * pool<UserAllocator>::ordered_malloc(const size_type n)
+ {
++  if (n > max_chunks())
++    return 0;
++
+   const size_type partition_size = alloc_size();
+   const size_type total_req_size = n * requested_size;
+   const size_type num_chunks = total_req_size / partition_size +
+@@ -549,9 +576,9 @@ void * pool<UserAllocator>::ordered_mall
+ 
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+   //  insert it into the list,
+   //   handle border case
+
+Diff finished.  Thu Jun  7 01:00:38 2012

boost.spec

@@ -28,7 +28,7 @@ Name: boost
 Summary: The free peer-reviewed portable C++ source libraries
 Version: 1.47.0
 %define version_enc 1_47_0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Boost
 
 # The CMake build framework (set of CMakeLists.txt and module.cmake files) is
@@ -98,6 +98,10 @@ Patch3: boost-1.47.0-exceptions.patch
 # https://svn.boost.org/trac/boost/ticket/5934
 Patch4: boost-1.47.0-tuple.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=828856
+# https://bugzilla.redhat.com/show_bug.cgi?id=828857
+Patch5: boost-1.47.0-pool.patch
+
 %bcond_with tests
 %bcond_with docs_generated
 
@@ -441,6 +445,7 @@ sed 's/_FEDORA_SONAME/%{sonamever}/' %{PATCH1} | %{__patch} -p0 --fuzz=0
 %patch2 -p1
 %patch3 -p0
 %patch4 -p2
+%patch5 -p1
 
 %build
 # Support for building tests.
@@ -894,6 +899,10 @@ find $RPM_BUILD_ROOT%{_includedir}/ \( -name '*.pl' -o -name '*.sh' \) -exec %{_
 %{_bindir}/bjam
 
 %changelog
+* Wed Jun  6 2012 Petr Machata <pmachata@redhat.com> - 1.47.0-7
+- In Boost.Pool, be careful not to overflow allocated chunk size.
+- Resolves: #828857
+
 * Wed Jan  4 2012 Denis Arnaud <denis.arnaud_fedora@m4x.org> - 1.47.0-6
 - Integrated into "upstream" (CMake-ified Boost) the Boost.TR1/Math patch.