malloc: Fix a potential realloc issue with memory tagging

At an _int_free call site in realloc the wrong size was used for tag
clearing: the chunk header of the next chunk was also cleared which
in practice may work, but logically wrong.

The tag clearing is moved before the memcpy to save a tag computation,
this avoids a chunk2mem.  Another chunk2mem is removed because newmem
does not have to be recomputed. Whitespaces got fixed too.

Reviewed-by: DJ Delorie <dj@redhat.com>

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 9d9f7b918a1f778d701eb577b31fbff775d866e3..eae000b87eb09b2834c16797339c8cb63a1ad60a 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4851,14 +4851,14 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
             }
           else
             {
-             void *oldmem = chunk2mem (oldp);
+             void *oldmem = chunk2rawmem (oldp);
+             size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
+             (void) TAG_REGION (oldmem, sz);
              newmem = TAG_NEW_USABLE (newmem);
-             memcpy (newmem, oldmem,
-                     CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ);
-             (void) TAG_REGION (chunk2rawmem (oldp), oldsize);
-              _int_free (av, oldp, 1);
-              check_inuse_chunk (av, newp);
-              return chunk2mem (newp);
+             memcpy (newmem, oldmem, sz);
+             _int_free (av, oldp, 1);
+             check_inuse_chunk (av, newp);
+             return newmem;
             }
         }
     }