﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
686	Under some conditions, the ngx_palloc() function will allocate an illegal memory address	Deming Sun		"In ngx_palloc.c, the function ngx_palloc:

{{{
void * ngx_palloc(ngx_pool_t *pool, size_t size)
{
    u_char      *m;
    ngx_pool_t  *p;

    if (size <= pool->max) {

        p = pool->current;

        do {
            m = ngx_align_ptr(p->d.last, NGX_ALIGNMENT);

            if ((size_t) (p->d.end - m) >= size) {
                p->d.last = m + size;

                return m;
            }

            p = p->d.next;

        } while (p);

        return ngx_palloc_block(pool, size);
    }

    return ngx_palloc_large(pool, size);
}
}}}

at this line

{{{
m = ngx_align_ptr(p->d.last, NGX_ALIGNMENT);
}}}
Sometimes the value of (p->d.end - p->d.last) may be less than the alignment coefficient; then ngx_align_ptr makes m larger than p->d.end. After this the ""if"" compares the value of (p->d.end - m) and size with a type cast,
and when m > p->d.end, (p->d.end - m) will be a negative number (e.g. -1, -2, -3).
Underflow happens here and then p->d.last is written to an address beyond p->d.end.
I have been debugging a segmentation fault these days; at last I found
p->d.last==0x83e96c 
p->d.end==0x83e96f
after ngx_align_ptr
m ==0x83e970
then (size_t) (p->d.end - m) == 18446744073709551615, far larger than size, and p->d.last got an illegal address.
After this, ngx_palloc will always allocate illegal addresses.

There must be a check of p->d.end against m added.
"	defect	closed	minor		nginx-core	1.7.x	wontfix	illegal memory address,			nginx version: nginx/1.7.8
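An added example, not from the ticket or from nginx, that models the comparison the reporter describes using the addresses they observed and puts the bounds check they ask for beside it. The struct and function names are simplified stand-ins; addresses are modelled as integers so no real out-of-bounds pointer is formed, and 8-byte alignment is assumed (the default NGX_ALIGNMENT on 64-bit, consistent with the ticket's m == 0x83e970).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ALIGNMENT 8  /* assumed stand-in for NGX_ALIGNMENT */

/* Simplified stand-in for the pool data block (p->d). */
typedef struct {
    uintptr_t last;   /* first free byte in the block */
    uintptr_t end;    /* one past the last byte of the block */
} pool_data_t;

/* Same rounding as ngx_align_ptr, applied to integer addresses. */
static uintptr_t align_ptr(uintptr_t p, uintptr_t a)
{
    return (p + (a - 1)) & ~(a - 1);
}

/* The comparison as the ticket quotes it: when alignment pushes m past
 * end, (end - m) wraps to a huge size_t and the test wrongly succeeds. */
int fits_unchecked(const pool_data_t *d, size_t size)
{
    uintptr_t m = align_ptr(d->last, ALIGNMENT);
    return (size_t)(d->end - m) >= size;
}

/* The same test with the bounds check the reporter asks for: reject the
 * block before subtracting whenever the aligned pointer lies beyond end. */
int fits_checked(const pool_data_t *d, size_t size)
{
    uintptr_t m = align_ptr(d->last, ALIGNMENT);
    if (m > d->end) {
        return 0;
    }
    return (size_t)(d->end - m) >= size;
}

int main(void)
{
    /* Constructed from the ticket's figures: 3 bytes left before end. */
    pool_data_t d = { 0x83e96c, 0x83e96f };

    printf("aligned m            = 0x%lx\n", (unsigned long) align_ptr(d.last, ALIGNMENT));
    printf("unchecked says fits  = %d\n", fits_unchecked(&d, 8));
    printf("checked says fits    = %d\n", fits_checked(&d, 8));
    return 0;
}
```

With the ticket's values the unchecked test reports room for an 8-byte request it cannot hold, while the checked version falls through to the next block.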
