fix memset overflow in oldmalloc race fix overhaul

richfelker · richfelker · commit cb5babdc8d62 · 2020-06-16T00:46:09.000-04:00
commit 3e16313 introduced this bug by making the copy case reachable with n (new size) smaller than n0 (original size). this was left as the only way of shrinking an allocation because it reduces fragmentation if a free chunk of the appropriate size is available. when that's not the case, another approach may be better, but any such improvement would be independent of fixing this bug.
diff --git a/src/malloc/oldmalloc/malloc.c b/src/malloc/oldmalloc/malloc.c
@@ -409,7 +409,7 @@ void *realloc(void *p, size_t n)
 	new = malloc(n-OVERHEAD);
 	if (!new) return 0;
 copy_free_ret:
-	memcpy(new, p, n0-OVERHEAD);
+	memcpy(new, p, (n<n0 ? n : n0) - OVERHEAD);
 	free(CHUNK_TO_MEM(self));
 	return new;
 }

Original file line number	Diff line number	Diff line change
`@@ -409,7 +409,7 @@ void realloc(void p, size_t n)`
`409`	`409`	`new = malloc(n-OVERHEAD);`
`410`	`410`	`if (!new) return 0;`
`411`	`411`	`copy_free_ret:`
`412`		`- memcpy(new, p, n0-OVERHEAD);`
	`412`	`+ memcpy(new, p, (n<n0 ? n : n0) - OVERHEAD);`
`413`	`413`	`free(CHUNK_TO_MEM(self));`
`414`	`414`	`return new;`
`415`	`415`	`}`