[bug #32702] Realloc can reduce size of location less than (sizeof(struct __freelist) - sizeof(size_t))

[avrs-admin]

Tue 08 Mar 2011 12:10:22 AM CET

Necessary check into the beginning realloc as in malloc:

/*

• Our minimum chunk size is the size of a pointer (plus the
• size of the "sz" field, but we don't need to account for
• this), otherwise we could not possibly fit a freelist entry
• into the chunk later. */ if (len < sizeof(struct __freelist) - sizeof(size_t)) len = sizeof(struct __freelist) - sizeof(size_t);

Test case: { struct __freelist *fp; char **p,**p1;

p = malloc( sizeof(struct __freelist) + 1 ); /// 5 if (!p) return 1;

/* really size must not decrease */ p1 = realloc( p,  sizeof(struct __freelist) - sizeof(size_t) - 1 ); /// 1 if (p != p1) return 2;

fp = (struct __freelist *)(p - sizeof(size_t)); if ( fp->sz != sizeof(struct __freelist) + 1 ) return 3; }

file #22869: bug32702.diff

This issue was migrated from https://savannah.nongnu.org/bugs/?32702

[avrs-admin]

Eric Weddington Mon 26 Sep 2011 05:25:26 PM CEST

Joerg, this one is more in your area....

[avrs-admin]

Thomas R. Sun 10 Nov 2013 12:06:30 PM CET

It seems this is already in the code and thus can be closed, can't it?

[avrs-admin]

Thomas R. Sun 10 Nov 2013 12:20:36 PM CET

I am sorry for the noise.

The check is indeed in malloc(), but not in realloc().

So this one would be great to be added as well.

Maybe even the len == 0 check in my bug #40535 could be integrated here as well...