diff options
| author | Szabolcs Nagy <szabolcs.nagy@arm.com> | 2021-03-11 14:09:56 +0000 |
|---|---|---|
| committer | Szabolcs Nagy <szabolcs.nagy@arm.com> | 2021-03-19 11:46:20 +0000 |
| commit | 83efe3b3d2aa419f6a45828de9c38341acbf8ac3 (patch) | |
| tree | e51f20eb994025b41182ae8e5c5d3c81479432b8 | |
| parent | de2ed32e01d157f061bfd3f92314729af8ae2c8b (diff) | |
| download | glibc-83efe3b3d2aa419f6a45828de9c38341acbf8ac3.tar.gz glibc-83efe3b3d2aa419f6a45828de9c38341acbf8ac3.tar.xz glibc-83efe3b3d2aa419f6a45828de9c38341acbf8ac3.zip | |
malloc: Fix a potential realloc issue with memory tagging
At an _int_free call site in realloc the wrong size was used for tag clearing: the chunk header of the next chunk was also cleared which in practice may work, but logically wrong. The tag clearing is moved before the memcpy to save a tag computation, this avoids a chunk2mem. Another chunk2mem is removed because newmem does not have to be recomputed. Whitespaces got fixed too.
| -rw-r--r-- | malloc/malloc.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 8f8f12c276..51cec67e55 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4851,14 +4851,14 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, } else { - void *oldmem = chunk2mem (oldp); + void *oldmem = chunk2rawmem (oldp); + size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ; + (void) TAG_REGION (oldmem, sz); newmem = TAG_NEW_USABLE (newmem); - memcpy (newmem, oldmem, - CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ); - (void) TAG_REGION (chunk2rawmem (oldp), oldsize); - _int_free (av, oldp, 1); - check_inuse_chunk (av, newp); - return chunk2mem (newp); + memcpy (newmem, oldmem, sz); + _int_free (av, oldp, 1); + check_inuse_chunk (av, newp); + return newmem; } } } |