|
 |
bdc76f |
commit b50dd3bc8cbb1efe85399b03d7e6c0310c2ead84
|
|
|
bdc76f |
Author: Florian Weimer <fw@deneb.enyo.de>
|
|
|
bdc76f |
Date: Mon Dec 31 22:04:36 2018 +0100
|
|
|
bdc76f |
|
|
|
bdc76f |
malloc: Always call memcpy in _int_realloc [BZ #24027]
|
|
|
bdc76f |
|
|
|
bdc76f |
This commit removes the custom memcpy implementation from _int_realloc
|
|
|
bdc76f |
for small chunk sizes. The ncopies variable has the wrong type, and
|
|
|
bdc76f |
an integer wraparound could cause the existing code to copy too few
|
|
|
bdc76f |
elements (leaving the new memory region mostly uninitialized).
|
|
|
bdc76f |
Therefore, removing this code fixes bug 24027.
|
|
|
bdc76f |
|
|
|
bdc76f |
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
|
bdc76f |
index 7bfa66a56786d110..0234d968c0ce65a0 100644
|
|
|
bdc76f |
--- a/malloc/malloc.c
|
|
|
bdc76f |
+++ b/malloc/malloc.c
|
|
|
bdc76f |
@@ -4532,11 +4532,6 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
|
|
|
bdc76f |
mchunkptr remainder; /* extra space at end of newp */
|
|
|
bdc76f |
unsigned long remainder_size; /* its size */
|
|
|
bdc76f |
|
|
|
bdc76f |
- unsigned long copysize; /* bytes to copy */
|
|
|
bdc76f |
- unsigned int ncopies; /* INTERNAL_SIZE_T words to copy */
|
|
|
bdc76f |
- INTERNAL_SIZE_T* s; /* copy source */
|
|
|
bdc76f |
- INTERNAL_SIZE_T* d; /* copy destination */
|
|
|
bdc76f |
-
|
|
|
bdc76f |
/* oldmem size */
|
|
|
bdc76f |
if (__builtin_expect (chunksize_nomask (oldp) <= 2 * SIZE_SZ, 0)
|
|
|
bdc76f |
|| __builtin_expect (oldsize >= av->system_mem, 0))
|
|
|
bdc76f |
@@ -4604,43 +4599,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
|
|
|
bdc76f |
}
|
|
|
bdc76f |
else
|
|
|
bdc76f |
{
|
|
|
bdc76f |
- /*
|
|
|
bdc76f |
- Unroll copy of <= 36 bytes (72 if 8byte sizes)
|
|
|
bdc76f |
- We know that contents have an odd number of
|
|
|
bdc76f |
- INTERNAL_SIZE_T-sized words; minimally 3.
|
|
|
bdc76f |
- */
|
|
|
bdc76f |
-
|
|
|
bdc76f |
- copysize = oldsize - SIZE_SZ;
|
|
|
bdc76f |
- s = (INTERNAL_SIZE_T *) (chunk2mem (oldp));
|
|
|
bdc76f |
- d = (INTERNAL_SIZE_T *) (newmem);
|
|
|
bdc76f |
- ncopies = copysize / sizeof (INTERNAL_SIZE_T);
|
|
|
bdc76f |
- assert (ncopies >= 3);
|
|
|
bdc76f |
-
|
|
|
bdc76f |
- if (ncopies > 9)
|
|
|
bdc76f |
- memcpy (d, s, copysize);
|
|
|
bdc76f |
-
|
|
|
bdc76f |
- else
|
|
|
bdc76f |
- {
|
|
|
bdc76f |
- *(d + 0) = *(s + 0);
|
|
|
bdc76f |
- *(d + 1) = *(s + 1);
|
|
|
bdc76f |
- *(d + 2) = *(s + 2);
|
|
|
bdc76f |
- if (ncopies > 4)
|
|
|
bdc76f |
- {
|
|
|
bdc76f |
- *(d + 3) = *(s + 3);
|
|
|
bdc76f |
- *(d + 4) = *(s + 4);
|
|
|
bdc76f |
- if (ncopies > 6)
|
|
|
bdc76f |
- {
|
|
|
bdc76f |
- *(d + 5) = *(s + 5);
|
|
|
bdc76f |
- *(d + 6) = *(s + 6);
|
|
|
bdc76f |
- if (ncopies > 8)
|
|
|
bdc76f |
- {
|
|
|
bdc76f |
- *(d + 7) = *(s + 7);
|
|
|
bdc76f |
- *(d + 8) = *(s + 8);
|
|
|
bdc76f |
- }
|
|
|
bdc76f |
- }
|
|
|
bdc76f |
- }
|
|
|
bdc76f |
- }
|
|
|
bdc76f |
-
|
|
|
bdc76f |
+ memcpy (newmem, chunk2mem (oldp), oldsize - SIZE_SZ);
|
|
|
bdc76f |
_int_free (av, oldp, 1);
|
|
|
bdc76f |
check_inuse_chunk (av, newp);
|
|
|
bdc76f |
return chunk2mem (newp);
|