avr-libc-dev

[avr-libc-dev] [bug #27242] realloc: serious error when size shrinks


From: Stefan Ernst
Subject: [avr-libc-dev] [bug #27242] realloc: serious error when size shrinks
Date: Thu, 13 Aug 2009 13:42:49 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13 (.NET CLR 3.5.30729)

URL:
  <http://savannah.nongnu.org/bugs/?27242>

                 Summary: realloc: serious error when size shrinks
                 Project: AVR C Runtime Library
            Submitted by: sternst
            Submitted on: Thu 13 Aug 2009 13:42:48 GMT
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
        Percent Complete: 0%
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 1.7.*
           Fixed Release: None

    _______________________________________________________

Details:

When realloc is asked to lower the size of an allocated block, it calculates
a wrong start address of the new free block. This results in an overlap, so
the last two bytes of the reallocated block get corrupted and the size
information of the free block can be overwritten by the application.

Cause:


realloc(void *ptr, size_t len)
{
    ...
    cp = (char *)ptr + len; /* new next pointer */
    ...
    fp2 = (struct __freelist *)(cp - sizeof(size_t));


The comment and the "- sizeof(size_t)" are wrong.




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?27242>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
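
The overlap described in the report, as an added example that is not part of the original message and not avr-libc code: a small host-side model in which each chunk is a 2-byte size field followed by its payload (an assumption matching a 16-bit size_t). All function and variable names are hypothetical, and the data values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model only, all names hypothetical: a chunk is a 2-byte size field
 * followed by its payload (assumes a 16-bit size_t, as on AVR). */
#define HDR ((uint16_t)sizeof(uint16_t))
static uint8_t heap[64];
static void put_sz(uint16_t off, uint16_t sz) { memcpy(&heap[off], &sz, HDR); }
static uint16_t get_sz(uint16_t off) { uint16_t sz; memcpy(&sz, &heap[off], HDR); return sz; }

/* Where the released tail's header goes; buggy != 0 mirrors "cp - sizeof(size_t)". */
static uint16_t split_header(uint16_t payload, uint16_t len, int buggy)
{
    return (uint16_t)(payload + len - (buggy ? HDR : 0));
}

/* Shrink in place; returns how many kept payload bytes the new header overwrote. */
static unsigned shrink(uint16_t payload, uint16_t len, int buggy)
{
    uint16_t old = get_sz((uint16_t)(payload - HDR));
    uint16_t hdr = split_header(payload, len, buggy);
    unsigned damaged = 0;
    memset(&heap[payload], 0xAA, old);            /* constructed application data */
    put_sz(hdr, (uint16_t)(old - len - HDR));     /* size of the released tail */
    put_sz((uint16_t)(payload - HDR), len);       /* kept chunk now holds len bytes */
    for (uint16_t i = 0; i < len; i++)
        damaged += heap[payload + i] != 0xAA;
    return damaged;
}

/* 32-byte chunk shrunk to 16, then the application fills its 16 bytes;
 * returns the free chunk's size field as the allocator would read it. */
static uint16_t free_sz_after_app_write(int buggy, unsigned *damaged)
{
    memset(heap, 0, sizeof heap);
    put_sz(0, 32);
    *damaged = shrink(HDR, 16, buggy);
    memset(&heap[HDR], 0x55, 16);                 /* legal write within the new size */
    return get_sz(split_header(HDR, 16, buggy));
}

int main(void)
{
    for (int buggy = 1; buggy >= 0; buggy--) {
        unsigned d, sz = free_sz_after_app_write(buggy, &d);
        printf("buggy=%d: %u payload bytes damaged, free size %u\n", buggy, d, sz);
    }
    return 0;
}
```

With the subtraction in place, the free chunk's size field sits on the last two bytes the application still owns, so an in-bounds write by the application changes what the allocator later reads as the free chunk's length.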




