Core: fixed overflow in ngx_palloc_small() with alignment.

The original comparison "(size_t) (p->d.end - m) >= size" could produce
incorrect results when alignment is enabled. If ngx_align_ptr() moves m
beyond p->d.end, the subtraction yields a negative value that wraps to
a large unsigned integer due to the size_t cast, causing the check to
pass incorrectly. This would return an invalid pointer beyond the pool
boundary and corrupt p->d.last.

Reordering prevents unsigned wraparound and correctly validates that
the aligned pointer m has sufficient space remaining in the pool block.
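The following C program is an added illustration, not nginx's own code: it reproduces the two checks from this commit against a constructed pool block whose free tail is smaller than NGX_ALIGNMENT, so that ngx_align_ptr() carries m past d.end. NGX_ALIGNMENT and ngx_align_ptr are copied from nginx's definitions; pool_data_t is a hypothetical stand-in for the d.last/d.end fields of ngx_pool_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NGX_ALIGNMENT  sizeof(unsigned long)     /* nginx's default on most platforms */
#define ngx_align_ptr(p, a)                                                   \
    (unsigned char *) (((uintptr_t) (p) + ((uintptr_t) (a) - 1))              \
                       & ~((uintptr_t) (a) - 1))

/* Hypothetical stand-in for the d.last / d.end fields of ngx_pool_t. */
typedef struct {
    unsigned char *last;
    unsigned char *end;
} pool_data_t;

/* Check before the commit: a pointer difference cast to size_t. */
static int fits_before_fix(const pool_data_t *d, unsigned char *m, size_t size)
{
    return (size_t) (d->end - m) >= size;   /* wraps to a huge value when m > end */
}

/* Check after the commit: compare pointers directly, no unsigned difference. */
static int fits_after_fix(const pool_data_t *d, unsigned char *m, size_t size)
{
    return d->end - size >= m;
}

/*
 * Build a block from constructed offsets: d.last = base + last_off,
 * d.end = base + end_off, align m as ngx_palloc_small() does, and return
 * whether the given check accepts an allocation of `size` bytes.
 */
static int check_alloc(int (*fits)(const pool_data_t *, unsigned char *, size_t),
                       size_t last_off, size_t end_off, size_t size)
{
    static unsigned long storage[16];            /* naturally aligned backing store */
    unsigned char *base = (unsigned char *) storage;
    pool_data_t d = { base + last_off, base + end_off };
    unsigned char *m = ngx_align_ptr(d.last, NGX_ALIGNMENT);
    return fits(&d, m, size);
}

int main(void)
{
    /* 3 unaligned bytes left (58..61): aligning m yields base + 64, past d.end. */
    printf("old check, 4 bytes near end: %d (wrongly passes)\n",
           check_alloc(fits_before_fix, 58, 61, 4));
    printf("new check, 4 bytes near end: %d (correctly fails)\n",
           check_alloc(fits_after_fix, 58, 61, 4));
    return 0;
}
```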
pull/999/head
Alexander Sorokin 2 months ago
parent 6ed1188411
commit 9dd81a8966
      src/core/ngx_palloc.c

@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size, ngx_uint_t align)
m = ngx_align_ptr(m, NGX_ALIGNMENT);
}
if ((size_t) (p->d.end - m) >= size) {
if (p->d.end - size >= m) {
p->d.last = m + size;
return m;
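Review bot: the new condition `if (p->d.end - size >= m)` is only well-defined when `size` does not exceed the distance from the start of the block to `p->d.end`, because `p->d.end - size` would otherwise point before the block; neither the hunk nor the commit message states that invariant. A one-line comment above the check noting that callers of ngx_palloc_small() bound `size` to the block capacity would make the reasoning behind the reordered comparison explicit.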
