authorRich Felker <dalias@aerifal.cx>2020-06-16 00:34:12 -0400
committerRich Felker <dalias@aerifal.cx>2020-06-16 00:46:09 -0400
commitcb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46 (patch)
treed54983469024aa7300e221d182bd4dfadff71431 /src/malloc/oldmalloc
parent4bd22b8f3e6ffa8f43ea73e7bb6276aafb5a7743 (diff)
fix memset overflow in oldmalloc race fix overhaul
commit 3e16313f8fe2ed143ae0267fd79d63014c24779f introduced this bug by
making the copy case reachable with n (new size) smaller than n0
(original size). this was left as the only way of shrinking an
allocation because it reduces fragmentation if a free chunk of the
appropriate size is available. when that's not the case, another
approach may be better, but any such improvement would be independent
of fixing this bug.
Diffstat (limited to 'src/malloc/oldmalloc')
-rw-r--r--src/malloc/oldmalloc/malloc.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/malloc/oldmalloc/malloc.c b/src/malloc/oldmalloc/malloc.c
index 0a38690c..52af1975 100644
--- a/src/malloc/oldmalloc/malloc.c
+++ b/src/malloc/oldmalloc/malloc.c
@@ -409,7 +409,7 @@ copy_realloc:
 	new = malloc(n-OVERHEAD);
 	if (!new) return 0;
 copy_free_ret:
-	memcpy(new, p, n0-OVERHEAD);
+	memcpy(new, p, (n<n0 ? n : n0) - OVERHEAD);
 	free(CHUNK_TO_MEM(self));
 	return new;
 }
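Review bot: The reason n can be smaller than n0 at the memcpy on the `+` line is recorded only in the commit message, not in the code; since the previous line read past the end of p (and wrote past the end of new) whenever a shrinking realloc reached the copy path, a short comment above the memcpy would keep a later refactor from reintroducing that over-copy, e.g. `/* n may be < n0: shrinking also goes through the copy path, so copy only the smaller payload */`. The realloc body, including where n and n0 are computed, lies outside the hunk, so I am inferring from the `- OVERHEAD` that both are chunk sizes that include the header; if that is not the case the subtraction deserves the same note. If the file already has a MIN-style helper, `(n<n0 ? n : n0)` would read more consistently through it, but none is visible from here.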