OSSP CVS Repository

ossp - Ticket #52

Ticket 52: valgrind complains about mm_realloc

valgrind is complaining about a call to the mm_realloc function:

  Source and destination overlap in memcpy(0x418cbed4, 0x418cbec4, 18)
      at 0x40022AE6: memcpy (mac_replace_strmem.c:95)
      by 0x4040BCCB: mm_realloc (in /.../libmm.so.12.0.22)

If the memory chunk passed to mm_realloc can't be extended and a new chunk must be allocated, the old memory is copied into the new chunk with a call to memcpy. However, usize is the length of the new data and will cause memcpy to access memory beyond the old data chunk's boundaries.

Other than valgrind errors, it is possible that it could cause a segfault if the old data chunk is near a page boundary. I haven't observed this in practice, however.

I believe the usize from the old data chunk's mem_chunk structure should be used as a parameter to memcpy instead.

Thanks.
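A toy reconstruction of the defect the ticket describes, added here as an illustration and not libmm's own code: a constructed chunk header carrying a usize field, the two ways of sizing the memcpy when a chunk cannot be extended in place and has to be moved, and a realloc path that uses the corrected length (clamped to the new size so a shrink is safe too). toy_chunk, toy_alloc, toy_free, toy_realloc, copy_len_for and round_trip_ok are invented names and do not correspond to libmm's real mem_chunk layout.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed toy chunk header; NOT libmm's real mem_chunk layout. */
typedef struct {
    size_t usize;  /* bytes the caller has in use */
    char  *data;   /* payload, allocated separately here for simplicity */
} toy_chunk;

static toy_chunk *toy_alloc(size_t usize) {
    toy_chunk *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    c->data = calloc(usize ? usize : 1, 1);  /* zero-filled: deterministic */
    if (c->data == NULL) { free(c); return NULL; }
    c->usize = usize;
    return c;
}

static void toy_free(toy_chunk *c) { if (c != NULL) { free(c->data); free(c); } }

/* Length handed to memcpy when the payload must move.  Buggy (the ticket's
 * defect): the NEW length, so memcpy reads new_usize - old_usize bytes past
 * the old payload.  Fixed: the OLD chunk's usize, clamped to the new size so
 * a shrink cannot overflow the new payload either. */
static size_t copy_len_for(size_t old_usize, size_t new_usize, int fixed) {
    if (!fixed) return new_usize;
    return old_usize < new_usize ? old_usize : new_usize;
}

/* Move-to-new-chunk path of realloc, always using the fixed length. */
static toy_chunk *toy_realloc(toy_chunk *old, size_t new_usize) {
    toy_chunk *n = toy_alloc(new_usize);
    if (n == NULL) return NULL;
    memcpy(n->data, old->data, copy_len_for(old->usize, new_usize, 1));
    toy_free(old);
    return n;
}

/* Grow 8 -> 32 then shrink -> 4; 1 if surviving bytes and zeroed tail are right, else 0. */
static int round_trip_ok(void) {
    toy_chunk *c = toy_alloc(8);
    if (c == NULL) return 0;
    memcpy(c->data, "ABCDEFG", 8);
    c = toy_realloc(c, 32);
    if (c == NULL || c->usize != 32 || strcmp(c->data, "ABCDEFG") != 0 || c->data[31] != 0) return 0;
    c = toy_realloc(c, 4);
    int ok = c != NULL && c->usize == 4 && memcmp(c->data, "ABCD", 4) == 0;
    toy_free(c);
    return ok;
}
```

Running the buggy length under valgrind on a real heap would report the same kind of overread the ticket quotes; the fixed length never reads past the old payload.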


Remarks:

Fixed.

Properties:

Type: code
Status: fixed
Severity:
Priority:
Assigned To: rse
Creator: anonymous
Version: 1.2.2
Created: 2004-Oct-18 22:29
Last Change: 2004-Nov-15 17:48
Subsystem: mm
Derived From:

Related Check-ins:

2004-Nov-15 17:48 Check-in [4837]: Fix mm_realloc() function: If the memory chunk passed to mm_realloc() can't be extended and a new chunk must be allocated, the old memory is copied into the new chunk with a call to memcpy(3). However, the used size is the length of the new data and will cause memcpy(3) to access memory beyond the old [...] (By rse)

CVSTrac 2.0.1