I have encountered an error with a possible memory leak and an out-of-bounds memory access as a result:
```c
buffer_resize(buffer_t *self, size_t n) {
  n = nearest_multiple_of(1024, n);
  self->len = n;
  self->alloc = self->data = realloc(self->alloc, n + 1);
  if (!self->alloc) return -1;
```
- The `len` variable gets set even when the `realloc` call fails, resulting in out-of-bounds reads and writes.
- According to the C reference, the original pointer is still valid if the reallocation fails. In the current implementation, it immediately overwrites both `self->alloc` as well as `self->data` before it returns, making it impossible to free the original allocation. Unless of course the caller has a copy of the allocation pointer, but that seems quite unlikely to me.
Fixing this would be relatively straightforward, through some reordering of statements and storing the reallocation result in a temporary value.
buffer/buffer.c
Lines 134 to 138 in 736ba3c
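The reordering the report suggests, written out as an added example rather than the project's own code: the `realloc` result goes to a temporary, and `len` and the pointers are only updated once the new block is known to be valid. The `buffer_t` layout, the `nearest_multiple_of` helper and the swappable `resize_realloc` hook (used so the failure path can be exercised without exhausting memory) are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for buffer_t; field names follow the issue, layout is assumed. */
typedef struct {
    size_t len;    /* usable capacity, excluding the terminating NUL */
    char *alloc;   /* start of the heap allocation */
    char *data;    /* current read position inside alloc */
} buffer_t;

/* Allocator hook (assumed, not in the project) so failure can be simulated. */
static void *(*resize_realloc)(void *, size_t) = realloc;

/* Assumed implementation: round n up to the next multiple of a. */
static size_t nearest_multiple_of(size_t a, size_t b) {
    return (b / a + (b % a != 0)) * a;
}

/* Hardened resize: on failure the struct is untouched, so the caller still
   owns the old allocation and len still describes its real size. */
int buffer_resize_fixed(buffer_t *self, size_t n) {
    n = nearest_multiple_of(1024, n);
    char *tmp = resize_realloc(self->alloc, n + 1);
    if (!tmp) return -1;            /* old alloc and len left as they were */
    self->alloc = self->data = tmp;
    self->len = n;
    return 0;
}

static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Returns 1 when a failed resize leaves the buffer consistent and freeable. */
int check_failure_keeps_old_allocation(void) {
    buffer_t b = { .len = 4, .alloc = malloc(5), .data = NULL };
    if (!b.alloc) return 0;
    b.data = b.alloc;
    strcpy(b.alloc, "abcd");        /* constructed sample content */
    char *before = b.alloc;
    resize_realloc = failing_realloc;
    int rc = buffer_resize_fixed(&b, 5000);
    resize_realloc = realloc;
    int ok = rc == -1 && b.alloc == before && b.len == 4 && strcmp(b.alloc, "abcd") == 0;
    free(b.alloc);                  /* still possible: the pointer was not clobbered */
    return ok;
}

/* Returns 1 when a successful resize rounds len up and sets both pointers. */
int check_success_grows(void) {
    buffer_t b = { .len = 0, .alloc = NULL, .data = NULL };  /* realloc(NULL, n) acts as malloc */
    int ok = buffer_resize_fixed(&b, 1500) == 0 && b.len == 2048 && b.alloc == b.data;
    free(b.alloc);
    return ok;
}
```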