If the realloc call unexpectedly succeeds, the p pointer is invalidated, but it's free'd unconditionally later on, which triggers a use-after-free.
Account for this by zeroing p when it becomes stale. Signed-off-by: Ahmad Fatoum <[email protected]> --- test/self/malloc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/self/malloc.c b/test/self/malloc.c index 52f9fc344c1a..a60e95b2233f 100644 --- a/test/self/malloc.c +++ b/test/self/malloc.c @@ -109,9 +109,15 @@ static void test_malloc(void) if (mem_malloc_size) { tmp = expect_alloc_fail(realloc(p, mem_malloc_size)); + if (tmp) + p = NULL; + free(tmp); tmp = expect_alloc_fail(realloc(p, RELOC_HIDE(MALLOC_MAX_SIZE, -1))); + if (tmp) + p = NULL; + free(tmp); } else { skipped_tests += 2; -- 2.47.3
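Review bot: after the first `if (tmp) p = NULL;`, the second `realloc(p, RELOC_HIDE(MALLOC_MAX_SIZE, -1))` may now run with `p == NULL`, which turns it into a plain allocation rather than a reallocation of an existing block; that is a different code path from what the test exercised before, so it is worth either documenting that this is acceptable in the unexpected-success case or restructuring so the second check only runs when `p` is still valid. The unconditional `free(tmp)` is fine as written, since `tmp` is NULL in the expected (failing) case and freeing NULL is a no-op, and clearing `p` on success correctly prevents the later unconditional `free(p)` from freeing memory that realloc already released.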
