From f89228077b6b9a918910aefc8d6caf4108d8e2c1 Mon Sep 17 00:00:00 2001
From: "jschuh@chromium.org"
Date: Tue, 25 Sep 2012 01:10:52 +0000
Subject: Ensure we mask freelist pointers properly on 32-bit Linux
Review URL: https://chromiumcodereview.appspot.com/10957067
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@158485 0039d316-1c4b-4281-b951-d872f2087c98
---
 third_party/tcmalloc/chromium/src/free_list.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'third_party/tcmalloc')
diff --git a/third_party/tcmalloc/chromium/src/free_list.cc b/third_party/tcmalloc/chromium/src/free_list.cc
index 25159de..578b732 100644
--- a/third_party/tcmalloc/chromium/src/free_list.cc
+++ b/third_party/tcmalloc/chromium/src/free_list.cc
@@ -82,10 +82,11 @@ void EnsureNonLoop(void* node, void* next) {
 inline void* MaskPtr(void* p) {
 // Maximize ASLR entropy and guarantee the result is an invalid address.
- const uintptr_t q = ~(reinterpret_cast(TCMalloc_SystemAlloc) >> 13);
+ const uintptr_t mask = ~(reinterpret_cast(TCMalloc_SystemAlloc)
+ >> 13) | 1;
 // Do not mask NULL pointers, otherwise we could leak address state.
 if (p)
- return reinterpret_cast(reinterpret_cast(p) ^ q);
+ return reinterpret_cast(reinterpret_cast(p) ^ mask);
 return p;
 }
-- 
cgit v1.1
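Review bot: The `| 1` added to `mask` is the whole substance of this commit, yet the comment above it still reads only "guarantee the result is an invalid address", so a reader cannot tell which bits provide which guarantee; I would extend it to `// ~(addr >> 13) sets the top 13 bits (non-canonical/kernel range); | 1 forces the low bit so the masked value can never be an aligned freelist pointer, wherever the code segment is mapped.` That comment should also say plainly that this is obfuscation, not integrity: the mask is one XOR key derived from the load address of TCMalloc_SystemAlloc, so a single leaked masked entry plus a known or guessed neighbouring chunk address recovers it, and any structural defence presumably lives in checks such as the EnsureNonLoop named in the hunk header, which is outside this hunk. The low-bit argument assumes freelist objects are at least 2-byte aligned, which the commit relies on but does not state. The template arguments of the reinterpret_casts appear stripped in this rendering, so I am reading them as the pre-existing uintptr_t/void* round-trips.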