URL:
<
http://savannah.nongnu.org/bugs/?27242>
Summary: realloc: serious error when size shrinks
Project: AVR C Runtime Library
Submitted by: sternst
Submitted on: Do 13 Aug 2009 13:42:48 GMT
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Percent Complete: 0%
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 1.7.*
Fixed Release: None
_______________________________________________________
Details:
When realloc is asked to lower the size of an allocated block, it calculates
a wrong start address of the new free block. This results in an overlap, so
the last two bytes of the reallocated block gets corrupted and the size
information of the free block can be overwritten by the application.
Cause:
realloc(void *ptr, size_t len)
{
...
cp = (char *)ptr + len; /* new next pointer */
...
fp2 = (struct __freelist *)(cp - sizeof(size_t));
The comment and the "- sizeof(size_t)" are wrong.
_______________________________________________________
Reply to this item at:
<
http://savannah.nongnu.org/bugs/?27242>
_______________________________________________
Nachricht geschickt von/durch Savannah
http://savannah.nongnu.org/_______________________________________________
AVR-libc-dev mailing list
AVR-libc-dev@...
http://lists.nongnu.org/mailman/listinfo/avr-libc-dev
