author | Sergey Bugaev <bugaevc@gmail.com> | 2023-05-09 00:31:05 +0300 |
---|---|---|
committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2023-05-10 02:22:19 +0200 |
commit | a6386eda9c4de125e58985b19b6028c3f868de36 (patch) | |
tree | c2dff5165ef971383a8a223c3cf0988d8f06d88d /libpipe | |
parent | 070292f3118b75de9fc0e79fac6ca0186d157c28 (diff) | |
download | hurd-a6386eda9c4de125e58985b19b6028c3f868de36.tar.gz hurd-a6386eda9c4de125e58985b19b6028c3f868de36.tar.bz2 hurd-a6386eda9c4de125e58985b19b6028c3f868de36.zip |
libpipe: Fix use-after-realloc
We cannot use old_buf after we realloc it, even just for subtracting it
from another pointer. Instead, compute the offsets in advance.
Message-Id: <20230508213136.608575-11-bugaevc@gmail.com>
Diffstat (limited to 'libpipe')
-rw-r--r-- | libpipe/pq.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/libpipe/pq.c b/libpipe/pq.c
index af380274..fff03e67 100644
--- a/libpipe/pq.c
+++ b/libpipe/pq.c
@@ -193,20 +193,21 @@ packet_extend (struct packet *packet, size_t new_len)
 /* A malloc'd packet. */
 {
 char *new_buf;
- char *old_buf = packet->buf;
+ ptrdiff_t start_offset = packet->buf_start - packet->buf;
+ ptrdiff_t end_offset = packet->buf_end - packet->buf;
 if (new_len >= PACKET_SIZE_LARGE) /* The old packet length is malloc'd, but we want to vm_allocate the new length, so we'd have to copy the old contents. */ return 0;
- new_buf = realloc (old_buf, new_len);
+ new_buf = realloc (packet->buf, new_len);
 if (! new_buf) return 0;
 packet->buf = new_buf;
- packet->buf_start = new_buf + (packet->buf_start - old_buf);
- packet->buf_end = new_buf + (packet->buf_end - old_buf);
+ packet->buf_start = new_buf + start_offset;
+ packet->buf_end = new_buf + end_offset;
 }
 packet->buf_len = new_len; |
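Review bot: The two new offset declarations carry no explanation of why they are computed before the realloc, which is the whole point of the fix and the thing a future maintainer is most likely to undo when "simplifying"; a comment above `ptrdiff_t start_offset = ...` such as `/* Take the offsets now: once realloc has been called the old packet->buf value is indeterminate and must not be used, not even as an operand of pointer subtraction.  */` would protect it. As a point of style, the two offsets are computed on the `new_len >= PACKET_SIZE_LARGE` early-return path where they are never used; moving the two declarations to just before the `new_buf = realloc (packet->buf, new_len);` line keeps them next to the only code that needs them. The fix also relies on `end_offset` being at most `new_len`; presumably callers only ever grow the packet, but if a caller could pass a smaller `new_len`, `buf_end` would land past the new allocation, so that precondition is worth stating in the function's comment. packet_extend begins before and ends after this hunk.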