From: Rich Felker <dalias@aerifal.cx>
Date: Tue, 16 Jun 2020 04:34:12 +0000 (-0400)
Subject: fix memset overflow in oldmalloc race fix overhaul
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46;p=oweals%2Fmusl.git

fix memset overflow in oldmalloc race fix overhaul

commit 3e16313f8fe2ed143ae0267fd79d63014c24779f introduced this bug by
making the copy case reachable with n (new size) smaller than n0
(original size). this was left as the only way of shrinking an
allocation because it reduces fragmentation if a free chunk of the
appropriate size is available. when that's not the case, another
approach may be better, but any such improvement would be independent
of fixing this bug.
---

diff --git a/src/malloc/oldmalloc/malloc.c b/src/malloc/oldmalloc/malloc.c
index 0a38690c..52af1975 100644
--- a/src/malloc/oldmalloc/malloc.c
+++ b/src/malloc/oldmalloc/malloc.c
@@ -409,7 +409,7 @@ copy_realloc:
 	new = malloc(n-OVERHEAD);
 	if (!new) return 0;
 copy_free_ret:
-	memcpy(new, p, n0-OVERHEAD);
+	memcpy(new, p, (n<n0 ? n : n0) - OVERHEAD);
 	free(CHUNK_TO_MEM(self));
 	return new;
 }
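Review bot: the subject line says "memset overflow" but the only call changed in this hunk is the `memcpy` at the old line `memcpy(new, p, n0-OVERHEAD);`; the commit title (and the repeated title line above the description) should read "fix memcpy overflow" so that the history matches the code. On the fix itself, `memcpy(new, p, (n<n0 ? n : n0) - OVERHEAD);` copies min(n, n0) minus the header, which is the right bound: when the caller shrinks the allocation (n < n0) the old code read `n0-OVERHEAD` bytes out of a `new` block that `malloc(n-OVERHEAD)` sized for only `n-OVERHEAD`, writing past its end. The clamp relies on both `n` and `n0` already including `OVERHEAD` and each being at least `OVERHEAD`, which is consistent with how `n` is used in `malloc(n-OVERHEAD)` two lines earlier; a one-line comment above the memcpy stating that both sizes are chunk sizes (header included) would make the subtraction easier to audit, and if the file already has a MIN helper, using it here would read more clearly than the inline ternary.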