Re: [flac-dev] Behavior of safe_realloc_add_2op_()
On Wed, Jul 18, 2018 at 12:30:41PM +0200, Miroslav Lichvar wrote: > Should safe_realloc_add_2op_() be > changed to use safe_realloc_() instead of realloc()? Is there any code > in flac that relies on the current behavior? It does indeed look like some code that (indirectly) uses the safe_realloc_*() functions relies on the pointer not being freed. The reallocation errors are not handled and propagated back, so the pointers that would be freed might be dereferenced again. Please ignore the patches I sent. The callers need to be fixed too. This will require a careful review of a lot of code. -- Miroslav Lichvar ___ flac-dev mailing list flac-dev@xiph.org http://lists.xiph.org/mailman/listinfo/flac-dev
[flac-dev] Behavior of safe_realloc_add_2op_()
I'm looking at an issue reported by the Coverity static analyzer. In iconvert() in src/share/utf8/iconvert.c on line 152 there is newbuf = safe_realloc_add_2op_(utfbuf, ...); If the request size is not valid, the function will free utfbuf and return 0. This is followed by goto fail and utfbuf is freed for the second time. A simply fix would be to set utfbuf to 0 if newbuf is 0. However, this would create a leak in the case when the size is ok, but the reallocation itself failed. Should safe_realloc_add_2op_() be changed to use safe_realloc_() instead of realloc()? Is there any code in flac that relies on the current behavior? -- Miroslav Lichvar ___ flac-dev mailing list flac-dev@xiph.org http://lists.xiph.org/mailman/listinfo/flac-dev
