|
 |
978e96 |
commit b50dd3bc8cbb1efe85399b03d7e6c0310c2ead84
|
|
|
978e96 |
Author: Florian Weimer <fw@deneb.enyo.de>
|
|
|
978e96 |
Date: Mon Dec 31 22:04:36 2018 +0100
|
|
|
978e96 |
|
|
|
978e96 |
malloc: Always call memcpy in _int_realloc [BZ #24027]
|
|
|
978e96 |
|
|
|
978e96 |
This commit removes the custom memcpy implementation from _int_realloc
|
|
|
978e96 |
for small chunk sizes. The ncopies variable has the wrong type, and
|
|
|
978e96 |
an integer wraparound could cause the existing code to copy too few
|
|
|
978e96 |
elements (leaving the new memory region mostly uninitialized).
|
|
|
978e96 |
Therefore, removing this code fixes bug 24027.
|
|
|
978e96 |
|
|
|
978e96 |
diff -rup a/malloc/malloc.c b/malloc/malloc.c
|
|
|
978e96 |
--- a/malloc/malloc.c 2019-03-26 14:12:59.364333388 -0400
|
|
|
978e96 |
+++ b/malloc/malloc.c 2019-03-26 14:17:17.373475418 -0400
|
|
|
978e96 |
@@ -4214,11 +4214,6 @@ _int_realloc(mstate av, mchunkptr oldp,
|
|
|
978e96 |
mchunkptr bck; /* misc temp for linking */
|
|
|
978e96 |
mchunkptr fwd; /* misc temp for linking */
|
|
|
978e96 |
|
|
|
978e96 |
- unsigned long copysize; /* bytes to copy */
|
|
|
978e96 |
- unsigned int ncopies; /* INTERNAL_SIZE_T words to copy */
|
|
|
978e96 |
- INTERNAL_SIZE_T* s; /* copy source */
|
|
|
978e96 |
- INTERNAL_SIZE_T* d; /* copy destination */
|
|
|
978e96 |
-
|
|
|
978e96 |
const char *errstr = NULL;
|
|
|
978e96 |
|
|
|
978e96 |
/* oldmem size */
|
|
|
978e96 |
@@ -4291,39 +4286,7 @@ _int_realloc(mstate av, mchunkptr oldp,
|
|
|
978e96 |
newp = oldp;
|
|
|
978e96 |
}
|
|
|
978e96 |
else {
|
|
|
978e96 |
- /*
|
|
|
978e96 |
- Unroll copy of <= 36 bytes (72 if 8byte sizes)
|
|
|
978e96 |
- We know that contents have an odd number of
|
|
|
978e96 |
- INTERNAL_SIZE_T-sized words; minimally 3.
|
|
|
978e96 |
- */
|
|
|
978e96 |
-
|
|
|
978e96 |
- copysize = oldsize - SIZE_SZ;
|
|
|
978e96 |
- s = (INTERNAL_SIZE_T*)(chunk2mem(oldp));
|
|
|
978e96 |
- d = (INTERNAL_SIZE_T*)(newmem);
|
|
|
978e96 |
- ncopies = copysize / sizeof(INTERNAL_SIZE_T);
|
|
|
978e96 |
- assert(ncopies >= 3);
|
|
|
978e96 |
-
|
|
|
978e96 |
- if (ncopies > 9)
|
|
|
978e96 |
- MALLOC_COPY(d, s, copysize);
|
|
|
978e96 |
-
|
|
|
978e96 |
- else {
|
|
|
978e96 |
- *(d+0) = *(s+0);
|
|
|
978e96 |
- *(d+1) = *(s+1);
|
|
|
978e96 |
- *(d+2) = *(s+2);
|
|
|
978e96 |
- if (ncopies > 4) {
|
|
|
978e96 |
- *(d+3) = *(s+3);
|
|
|
978e96 |
- *(d+4) = *(s+4);
|
|
|
978e96 |
- if (ncopies > 6) {
|
|
|
978e96 |
- *(d+5) = *(s+5);
|
|
|
978e96 |
- *(d+6) = *(s+6);
|
|
|
978e96 |
- if (ncopies > 8) {
|
|
|
978e96 |
- *(d+7) = *(s+7);
|
|
|
978e96 |
- *(d+8) = *(s+8);
|
|
|
978e96 |
- }
|
|
|
978e96 |
- }
|
|
|
978e96 |
- }
|
|
|
978e96 |
- }
|
|
|
978e96 |
-
|
|
|
978e96 |
+ memcpy (newmem, chunk2mem (oldp), oldsize - SIZE_SZ);
|
|
|
978e96 |
_int_free(av, oldp, 1);
|
|
|
978e96 |
check_inuse_chunk(av, newp);
|
|
|
978e96 |
return chunk2mem(newp);
|