Follow-up Comment #7, bug #25723 (project avr-libc):

Hello,

I think that there is a miscalculation in the patch which leads to a severe bug.

In realloc.c:

    58:     cp = (char *)ptr + len;        /* new next pointer */
    62:     fp2 = (struct __freelist *)(cp - sizeof(size_t));
    71:     if (len <= fp1->sz) {
    77:         fp2->sz = fp1->sz - len - sizeof(size_t);
    78:         fp1->sz = len;

This leads to fp1 actually being 2 bytes smaller than the size stored in fp1->sz. It also changes the last two bytes of the allocated memory, and this is how I found it.

Code to reproduce the bug:

    #include <stdint.h>
    #include <stdlib.h>

    int main(void)
    {
        uint8_t *p;

        p = malloc(16);
        p[8] = 8;
        p[9] = 9;
        p = realloc(p, 10);
        /* either byte being clobbered is enough to show the bug */
        if (p[8] != 8 || p[9] != 9)
            /* memory looks like this:
             *   p - 2: 0A 00
             *   p    : FF FF FF FF
             *   p + 4: FF FF FF FF
             *   p + 8: 04 00
             */
            return 1;
        return 0;
    }

Since I'm not very sure how to fix this, could someone please confirm and fix it.

Thanks!

_______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?25723>

_______________________________________________
Message sent by/via Savannah
http://savannah.nongnu.org/

_______________________________________________
AVR-libc-dev mailing list
AVR-libc-dev@nongnu.org
http://lists.nongnu.org/mailman/listinfo/avr-libc-dev
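The shrink arithmetic quoted above can be replayed on a host machine without an AVR. The model below is an added example, not avr-libc's allocator or the reporter's code: it assumes a 2-byte little-endian size_t (as on AVR), models the freelist header as just the sz field stored right before the user block, and applies lines 58, 62, 77 and 78 to a 16-byte block shrunk to 10 so the clobbered bytes and the 2-byte size discrepancy can be checked directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: AVR-sized size_t, header = sz field only. */
typedef uint16_t avr_size_t;
#define HDR ((avr_size_t)sizeof(avr_size_t))

struct shrink_result {
    uint8_t byte8, byte9;   /* p[8], p[9] after the shrink */
    avr_size_t stored_sz;   /* what fp1->sz claims afterwards */
    avr_size_t fp2_offset;  /* where fp2's header really starts, relative to p */
};

/* heap holds [sz][user bytes...]; returns the offset of fp2 from the user pointer. */
static avr_size_t shrink_as_posted(uint8_t *heap, avr_size_t len)
{
    avr_size_t old_sz, new_free;
    memcpy(&old_sz, heap, HDR);                    /* fp1->sz before the shrink */
    uint8_t *ptr = heap + HDR;                     /* pointer malloc handed out */
    uint8_t *cp  = ptr + len;                      /* 58: new next pointer */
    uint8_t *fp2 = cp - HDR;                       /* 62: header of the split-off chunk */
    new_free = (avr_size_t)(old_sz - len - HDR);   /* 77 */
    memcpy(fp2, &new_free, HDR);                   /* written inside [ptr, ptr + len) */
    memcpy(heap, &len, HDR);                       /* 78: fp1->sz = len */
    return (avr_size_t)(fp2 - ptr);
}

/* Replays the reporter's malloc(16) / realloc(p, 10) sequence on the model. */
struct shrink_result reproduce(void)
{
    uint8_t heap[HDR + 16];
    avr_size_t sz = 16;
    struct shrink_result r;

    memset(heap, 0xFF, sizeof heap);               /* fresh block, as in the dump */
    memcpy(heap, &sz, HDR);
    uint8_t *p = heap + HDR;
    p[8] = 8;
    p[9] = 9;
    r.fp2_offset = shrink_as_posted(heap, 10);
    r.byte8 = p[8];
    r.byte9 = p[9];
    memcpy(&r.stored_sz, heap, HDR);
    return r;
}
```

On a little-endian host the result matches the dump in the report: p[8] and p[9] become 04 00 (the new free chunk's size, 16 - 10 - 2), while fp1->sz reads 10 even though fp2's header already begins at offset 8.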