diff options
| author | Rich Felker <dalias@aerifal.cx> | 2020-06-16 00:34:12 -0400 |
|---|---|---|
| committer | Rich Felker <dalias@aerifal.cx> | 2020-06-16 00:46:09 -0400 |
| commit | cb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46 (patch) | |
| tree | d54983469024aa7300e221d182bd4dfadff71431 | |
| parent | 4bd22b8f3e6ffa8f43ea73e7bb6276aafb5a7743 (diff) | |
| download | musl-cb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46.tar.gz musl-cb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46.tar.bz2 musl-cb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46.tar.xz musl-cb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46.zip | |
fix memset overflow in oldmalloc race fix overhaul
commit 3e16313f8fe2ed143ae0267fd79d63014c24779f introduced this bug by
making the copy case reachable with n (new size) smaller than n0
(original size). this was left as the only way of shrinking an
allocation because it reduces fragmentation if a free chunk of the
appropriate size is available. when that's not the case, another
approach may be better, but any such improvement would be independent
of fixing this bug.
| -rw-r--r-- | src/malloc/oldmalloc/malloc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/malloc/oldmalloc/malloc.c b/src/malloc/oldmalloc/malloc.c index 0a38690c..52af1975 100644 --- a/src/malloc/oldmalloc/malloc.c +++ b/src/malloc/oldmalloc/malloc.c @@ -409,7 +409,7 @@ copy_realloc: new = malloc(n-OVERHEAD); if (!new) return 0; copy_free_ret: - memcpy(new, p, n0-OVERHEAD); + memcpy(new, p, (n<n0 ? n : n0) - OVERHEAD); free(CHUNK_TO_MEM(self)); return new; } |