Message ID | 20200811230543.2169774-3-keithp@keithp.com |
---|---|
State | Superseded |
On Aug 11 16:05, Keith Packard via Newlib wrote: > Save the computed block size and use it to avoid reading past > the end of the source block. > > Signed-off-by: Keith Packard <keithp@keithp.com> > --- > newlib/libc/stdlib/nano-mallocr.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c > index 04465eb9e..cef23977e 100644 > --- a/newlib/libc/stdlib/nano-mallocr.c > +++ b/newlib/libc/stdlib/nano-mallocr.c > @@ -466,6 +466,7 @@ void * nano_realloc(RARG void * ptr, malloc_size_t size) > { > void * mem; > chunk * p_to_realloc; > + malloc_size_t old_size; > > if (ptr == NULL) return nano_malloc(RCALL size); > > @@ -477,12 +478,15 @@ void * nano_realloc(RARG void * ptr, malloc_size_t size) > > /* TODO: There is chance to shrink the chunk if newly requested > * size is much small */ > - if (nano_malloc_usable_size(RCALL ptr) >= size) > + old_size = nano_malloc_usable_size(RCALL ptr); > + if (old_size >= size) > return ptr; So, after this statement, we can be sure that size > old_size, right? > mem = nano_malloc(RCALL size); > if (mem != NULL) > { > + if (size > old_size) ...which makes this condition useless. > + size = old_size; > memcpy(mem, ptr, size); why not just memcpy(mem, ptr, old_size); instead? > nano_free(RCALL ptr); > } > -- > 2.28.0 Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat
diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c index 04465eb9e..cef23977e 100644 --- a/newlib/libc/stdlib/nano-mallocr.c +++ b/newlib/libc/stdlib/nano-mallocr.c @@ -466,6 +466,7 @@ void * nano_realloc(RARG void * ptr, malloc_size_t size) { void * mem; chunk * p_to_realloc; + malloc_size_t old_size; if (ptr == NULL) return nano_malloc(RCALL size); @@ -477,12 +478,15 @@ void * nano_realloc(RARG void * ptr, malloc_size_t size) /* TODO: There is chance to shrink the chunk if newly requested * size is much small */ - if (nano_malloc_usable_size(RCALL ptr) >= size) + old_size = nano_malloc_usable_size(RCALL ptr); + if (old_size >= size) return ptr; mem = nano_malloc(RCALL size); if (mem != NULL) { + if (size > old_size) + size = old_size; memcpy(mem, ptr, size); nano_free(RCALL ptr); }
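Review bot: In the second hunk, the added `if (size > old_size)` test inside the `mem != NULL` block is always true, because the preceding `if (old_size >= size) return ptr;` has already returned in every other case. Drop the test and the reassignment of `size`, and pass the saved value straight to the copy as `memcpy(mem, ptr, old_size);`. That keeps the read bounded by the usable size of the source block and leaves the requested `size` unmodified for any later use in the function.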
Save the computed block size and use it to avoid reading past the end of the source block. Signed-off-by: Keith Packard <keithp@keithp.com> --- newlib/libc/stdlib/nano-mallocr.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) -- 2.28.0