URL: <http://savannah.nongnu.org/bugs/?27242>
Summary: realloc: serious error when size shrinks
Project: AVR C Runtime Library
Submitted by: sternst
Submitted on: Thu 13 Aug 2009 13:42:48 GMT
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Percent Complete: 0%
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 1.7.*
Fixed Release: None

_______________________________________________________

Details:

When realloc is asked to lower the size of an allocated block, it calculates a wrong start address of the new free block. This results in an overlap, so the last two bytes of the reallocated block get corrupted and the size information of the free block can be overwritten by the application.

Cause:

    realloc(void *ptr, size_t len)
    {
        ...
        cp = (char *)ptr + len;    /* new next pointer */
        ...
        fp2 = (struct __freelist *)(cp - sizeof(size_t));

The comment and the "- sizeof(size_t)" are wrong.

_______________________________________________________

Reply to this item at:

<http://savannah.nongnu.org/bugs/?27242>

_______________________________________________
Message sent by/through Savannah
http://savannah.nongnu.org/

_______________________________________________
AVR-libc-dev mailing list
AVR-libc-dev@nongnu.org
http://lists.nongnu.org/mailman/listinfo/avr-libc-dev
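The overlap described in the report, reproduced on a host-side model of the heap (added example, not avr-libc code): it assumes a block is laid out as a size_t size header directly followed by the data and that the free-list entry has the shape of struct __freelist (size, then next pointer). The "buggy" path places the entry at cp - sizeof(size_t), the corrected path at cp.

```c
#include <stddef.h>
#include <string.h>

/* Modelled free-list entry; avr-libc's struct __freelist is assumed to have
   this shape (size, then next pointer). This is a host-side model, not avr-libc code. */
struct freelist { size_t sz; struct freelist *nx; };

/* Toy heap: one block laid out as [size_t size][data...]; the union keeps it aligned. */
static union { unsigned char b[64]; struct freelist f; } arena;

/* Create a block with 'oldlen' data bytes, filled with 0xAA, and return its data pointer. */
static unsigned char *setup_block(size_t oldlen) {
    memset(arena.b, 0, sizeof arena.b);
    *(size_t *)arena.b = oldlen;
    unsigned char *p = arena.b + sizeof(size_t);
    memset(p, 0xAA, oldlen);
    return p;
}

/* Shrink the block at p to 'len' bytes and carve the tail into a free-list entry.
   buggy != 0 reproduces the reported "cp - sizeof(size_t)" placement; otherwise the
   entry starts at cp, directly after the shrunk block's data. */
static struct freelist *shrink(unsigned char *p, size_t len, int buggy) {
    size_t oldlen = *(size_t *)(p - sizeof(size_t));
    unsigned char *cp = p + len;                       /* first byte after the data */
    struct freelist *fp2 = (struct freelist *)(buggy ? cp - sizeof(size_t) : cp);
    fp2->sz = oldlen - len - sizeof(size_t);           /* tail minus its own size header */
    fp2->nx = NULL;
    *(size_t *)(p - sizeof(size_t)) = len;
    return fp2;
}

/* Number of trailing data bytes that no longer hold the 0xAA fill after shrinking 32 -> 16. */
static size_t corrupted_tail(int buggy) {
    unsigned char *p = setup_block(32);
    shrink(p, 16, buggy);
    size_t n = 0;
    for (size_t i = 16; i-- > 0 && p[i] != 0xAA; ) n++;
    return n;
}

/* 1 if the free entry's size survives the application writing all 16 bytes it still owns. */
static int header_survives_app_write(int buggy) {
    unsigned char *p = setup_block(32);
    struct freelist *fp2 = shrink(p, 16, buggy);
    memset(p, 0xBB, 16);                               /* legitimate use of the block */
    return fp2->sz == 32 - 16 - sizeof(size_t);
}
```

With the buggy offset the corrupted tail is sizeof(size_t) bytes (two on AVR, matching the report) and the free entry's size is clobbered by the application's own write; with the entry at cp both problems disappear.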