| Reference | 
|   | 
| https://svn.boost.org/trac/boost/changeset/78326 | 
|   | 
| Upstream-Status: Backport | 
| CVE: CVE-2012-2677 | 
| Signed-off-by: Yue Tao <yue.tao@windriver.com> | 
|   | 
| diff --git a/boost/pool/pool.hpp.old b/boost/pool/pool.hpp | 
| index c47b11f..417a1e0 100644 | 
| --- a/boost/pool/pool.hpp.old | 
| +++ b/boost/pool/pool.hpp | 
| @@ -26,6 +26,8 @@ | 
|   | 
|  #include <boost/pool/poolfwd.hpp> | 
|   | 
| +// std::numeric_limits | 
| +#include <boost/limits.hpp> | 
|  // boost::integer::static_lcm | 
|  #include <boost/integer/common_factor_ct.hpp> | 
|  // boost::simple_segregated_storage | 
| @@ -355,6 +357,15 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t | 
|        return s; | 
|      } | 
|   | 
| +    size_type max_chunks() const | 
| +    { //! Calculated maximum number of memory chunks that can be allocated in a single call by this Pool. | 
| +      size_type partition_size = alloc_size(); | 
| +      size_type POD_size = integer::static_lcm<sizeof(size_type), sizeof(void *)>::value + sizeof(size_type); | 
| +      size_type max_chunks = (std::numeric_limits<size_type>::max() - POD_size) / alloc_size(); | 
| + | 
| +      return max_chunks; | 
| +    } | 
| + | 
|      static void * & nextof(void * const ptr) | 
|      { //! \returns Pointer dereferenced. | 
|        //! (Provided and used for the sake of code readability :) | 
| @@ -375,6 +386,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t | 
|        //!   the first time that object needs to allocate system memory. | 
|        //!   The default is 32. This parameter may not be 0. | 
|        //! \param nmax_size is the maximum number of chunks to allocate in one block. | 
| +      set_next_size(nnext_size); | 
| +      set_max_size(nmax_size); | 
|      } | 
|   | 
|      ~pool() | 
| @@ -398,8 +411,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t | 
|      } | 
|      void set_next_size(const size_type nnext_size) | 
|      { //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0. | 
| -      //! \returns nnext_size. | 
| -      next_size = start_size = nnext_size; | 
| +      BOOST_USING_STD_MIN(); | 
| +      next_size = start_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nnext_size, max_chunks()); | 
|      } | 
|      size_type get_max_size() const | 
|      { //! \returns max_size. | 
| @@ -407,7 +420,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t | 
|      } | 
|      void set_max_size(const size_type nmax_size) | 
|      { //! Set max_size. | 
| -      max_size = nmax_size; | 
| +      BOOST_USING_STD_MIN(); | 
| +      max_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nmax_size, max_chunks()); | 
|      } | 
|      size_type get_requested_size() const | 
|      { //!   \returns the requested size passed into the constructor. | 
| @@ -708,9 +722,9 @@ void * pool<UserAllocator>::malloc_need_resize() | 
|   | 
|    BOOST_USING_STD_MIN(); | 
|    if(!max_size) | 
| -    next_size <<= 1; | 
| +    set_next_size(next_size << 1); | 
|    else if( next_size*partition_size/requested_size < max_size) | 
| -    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size); | 
| +    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size)); | 
|   | 
|    //  initialize it, | 
|    store().add_block(node.begin(), node.element_size(), partition_size); | 
| @@ -748,9 +762,9 @@ void * pool<UserAllocator>::ordered_malloc_need_resize() | 
|   | 
|    BOOST_USING_STD_MIN(); | 
|    if(!max_size) | 
| -    next_size <<= 1; | 
| +    set_next_size(next_size << 1); | 
|    else if( next_size*partition_size/requested_size < max_size) | 
| -    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size); | 
| +    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size)); | 
|   | 
|    //  initialize it, | 
|    //  (we can use "add_block" here because we know that | 
| @@ -792,6 +806,8 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n) | 
|  { //! Gets address of a chunk n, allocating new memory if not already available. | 
|    //! \returns Address of chunk n if allocated ok. | 
|    //! \returns 0 if not enough memory for n chunks. | 
| +  if (n > max_chunks()) | 
| +    return 0; | 
|   | 
|    const size_type partition_size = alloc_size(); | 
|    const size_type total_req_size = n * requested_size; | 
| @@ -840,9 +856,9 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n) | 
|   | 
|    BOOST_USING_STD_MIN(); | 
|    if(!max_size) | 
| -    next_size <<= 1; | 
| +    set_next_size(next_size << 1); | 
|    else if( next_size*partition_size/requested_size < max_size) | 
| -    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size); | 
| +    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size)); | 
|   | 
|    //  insert it into the list, | 
|    //   handle border case. |