[avr-libc-dev] [bug #25723] Realloc corrupts free list when growing into the next free item

From: Aleksandar Kanchev
Subject: [avr-libc-dev] [bug #25723] Realloc corrupts free list when growing into the next free item
Date: Sun, 29 Nov 2009 14:21:27 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.33 Safari/532.0
Follow-up Comment #7, bug #25723 (project avr-libc):
Hello, I think that there is a miscalculation in the patch which leads to a
severe bug.
In realloc.c:

    58: cp = (char *)ptr + len; /* new next pointer */
    62: fp2 = (struct __freelist *)(cp - sizeof(size_t));
    71: if (len <= fp1->sz) {
    77: fp2->sz = fp1->sz - len - sizeof(size_t);
    78: fp1->sz = len;

This leads to fp1 actually being 2 bytes smaller than the size stored in
fp1->sz. It also changes the last two bytes of the allocated memory, which
is how I found it.
Code to reproduce the bug:

    #include <stdint.h>
    #include <stdlib.h>

    int main(void) {
        uint8_t *p;
        p = malloc(16);
        if (p == NULL)
            return 2;
        /* mark the last two bytes that the shrunk block should keep */
        p[8] = 8;
        p[9] = 9;
        p = realloc(p, 10);
        /* memory looks like this:
         * p - 2: 0A 00
         * p : FF FF FF FF
         * p + 4: FF FF FF FF
         * p + 8: 04 00
         */
        if (p[8] != 8 || p[9] != 9)   /* either mark clobbered by the new header */
            return 1;
        return 0;
    }
Since I'm not very sure how to fix this, could someone please confirm and fix
this? Thanks!
Reply to this item at:
<http://savannah.nongnu.org/bugs/?25723>
Message sent by/via Savannah
http://savannah.nongnu.org/
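The arithmetic in the quoted realloc.c lines can be checked on a host machine without an AVR toolchain. The following is an added example, not code from the bug report or from avr-libc: it models the avr-libc block layout (a size_t header immediately before the data, with size_t assumed to be 2 bytes as on AVR) in a small byte arena, replays the shrink path with the header placement from the quoted patch (fp2 = cp - sizeof(size_t)) and, for comparison, with the header placed at cp itself. The "corrected" placement is an assumption made for the comparison, not the project's fix; the model_malloc, model_shrink, marks_survive, header_offset and carved_size names are invented for this example, and no free list is modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* avr-libc keeps a size_t (2 bytes on AVR) right before each block's data.
 * It is modelled as uint16_t so a host build reproduces the AVR layout. */
typedef uint16_t avr_size_t;

/* Stand-in for malloc(): write the header at the start of `arena` and hand
 * out the data bytes that follow it (assumption: no free list is kept). */
static uint8_t *model_malloc(uint8_t *arena, avr_size_t sz)
{
    memcpy(arena, &sz, sizeof sz);
    return arena + sizeof(avr_size_t);
}

/* Shrink the block at `ptr` to `len` data bytes and carve a free chunk out
 * of the tail, following the quoted realloc.c lines 58-78.  `quoted` selects
 * the patch's placement of the new header (cp - sizeof(size_t)); 0 places it
 * at cp, an assumed correction.  Returns where the new header was written. */
static uint8_t *model_shrink(uint8_t *ptr, avr_size_t len, int quoted)
{
    uint8_t *cp = ptr + len;                               /* line 58 */
    uint8_t *fp2 = quoted ? cp - sizeof(avr_size_t) : cp;  /* line 62 vs. correction */
    avr_size_t oldsz, newsz;

    memcpy(&oldsz, ptr - sizeof(avr_size_t), sizeof oldsz);
    newsz = oldsz - len - sizeof(avr_size_t);              /* line 77 */
    memcpy(fp2, &newsz, sizeof newsz);                     /* new chunk's header */
    memcpy(ptr - sizeof(avr_size_t), &len, sizeof len);    /* line 78 */
    return fp2;
}

/* Replay the reporter's scenario: a 16-byte block with bytes 8 and 9 marked,
 * shrunk to 10.  Fills the arena with 0xFF as in the reported dump. */
static uint8_t *run_scenario(uint8_t *arena, size_t arena_len, int quoted, uint8_t **hdr)
{
    memset(arena, 0xFF, arena_len);
    uint8_t *p = model_malloc(arena, 16);
    p[8] = 8;
    p[9] = 9;
    *hdr = model_shrink(p, 10, quoted);
    return p;
}

/* 1 if the caller's marks at p[8], p[9] survive the shrink, else 0. */
int marks_survive(int quoted)
{
    uint8_t arena[32], *hdr;
    uint8_t *p = run_scenario(arena, sizeof arena, quoted, &hdr);
    return p[8] == 8 && p[9] == 9;
}

/* Offset of the new free-chunk header from p.  Anything smaller than the
 * recorded size (10) means the header overlaps data the caller still owns. */
int header_offset(int quoted)
{
    uint8_t arena[32], *hdr;
    uint8_t *p = run_scenario(arena, sizeof arena, quoted, &hdr);
    return (int)(hdr - p);
}

/* Size field stored in the carved-off chunk (16 - 10 - 2 in both variants). */
int carved_size(int quoted)
{
    uint8_t arena[32], *hdr;
    avr_size_t sz;
    run_scenario(arena, sizeof arena, quoted, &hdr);
    memcpy(&sz, hdr, sizeof sz);
    return (int)sz;
}

int main(void)
{
    int variant;
    for (variant = 1; variant >= 0; variant--) {
        printf("%s: header at p+%d, carved size %d, marks %s\n",
               variant ? "quoted patch" : "header at cp",
               header_offset(variant), carved_size(variant),
               marks_survive(variant) ? "intact" : "clobbered");
    }
    return 0;
}
```

With the quoted placement the new header lands at p+8, inside the 10 bytes whose size fp1->sz still records, which is exactly the 04 00 the report shows at p+8; with the header at cp it lands at p+10 and the caller's bytes are untouched. Note that moving the header also moves the data pointer of the carved chunk (it would start at cp + sizeof(size_t)), so whatever is handed to free() has to move with it; the project's actual fix should be taken from the bug tracker rather than from this model.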