malloc: Fix a potential realloc issue with memory tagging

At an _int_free call site in realloc the wrong size was used for tag
clearing: the chunk header of the next chunk was also cleared which
in practice may work, but logically wrong.

The tag clearing is moved before the memcpy to save a tag computation,
this avoids a chunk2mem.  Another chunk2mem is removed because newmem
does not have to be recomputed. Whitespaces got fixed too.

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 8f8f12c2768124055050cf4ec8cb8163968c4c7b..51cec67e5592e035c3f5c2aff0f679c1ac00563b 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4851,14 +4851,14 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
             }
           else
             {
-             void *oldmem = chunk2mem (oldp);
+             void *oldmem = chunk2rawmem (oldp);
+             size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
+             (void) TAG_REGION (oldmem, sz);
              newmem = TAG_NEW_USABLE (newmem);
-             memcpy (newmem, oldmem,
-                     CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ);
-             (void) TAG_REGION (chunk2rawmem (oldp), oldsize);
-              _int_free (av, oldp, 1);
-              check_inuse_chunk (av, newp);
-              return chunk2mem (newp);
+             memcpy (newmem, oldmem, sz);
+             _int_free (av, oldp, 1);
+             check_inuse_chunk (av, newp);
+             return newmem;
             }
         }
     }