zstdtest has some inline data where some testcases lack the
uncompressed length field. Thus it computes that but still
ends up allocating memory for the uncompressed buffer based on
that (zero) length. Oops. Causes memory corruption if the
allocator returns non-NULL.
Tested on x86_64-unknown-linux-gnu, pushed as obvious.
libbacktrace/
* zstdtest.c (test_samples): Properly compute the allocation
size for the uncompressed data.
---
libbacktrace/zstdtest.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libbacktrace/zstdtest.c b/libbacktrace/zstdtest.c
index 1b4158a50eb..1a27d90e29e 100644
--- a/libbacktrace/zstdtest.c
+++ b/libbacktrace/zstdtest.c
@@ -197,7 +197,11 @@ test_samples (struct backtrace_state *state)
unsigned char *uncompressed;
size_t uncompressed_len;
- uncompressed = (unsigned char *) malloc (tests[i].uncompressed_len);
+ uncompressed_len = tests[i].uncompressed_len;
+ if (uncompressed_len == 0)
+ uncompressed_len = strlen (tests[i].uncompressed);
+
+ uncompressed = (unsigned char *) malloc (uncompressed_len);
if (uncompressed == NULL)
{
perror ("malloc");
@@ -206,10 +210,6 @@ test_samples (struct backtrace_state *state)
continue;
}
- uncompressed_len = tests[i].uncompressed_len;
- if (uncompressed_len == 0)
- uncompressed_len = strlen (tests[i].uncompressed);
-
if (!backtrace_uncompress_zstd (state,
((const unsigned char *)
tests[i].compressed),
--
2.35.3
