BUG: in mallocr.c: overlapping realloc fails

Fery engard.ferenc@innomed.hu
Fri Jun 3 08:42:00 GMT 2005


If I call realloc in a situation where realloc finds free space before
the current block, and uses that, there is a possibility that the
returned memory block will not contain the data the old memory block
contained, if the following conditions exist:

- the old and new memory blocks are overlapping
- mallocr.c is compiled with HAVE_MEMCPY and USE_MEMCPY (this is the
default on many platforms)
- the block is larger than 9*sizeof(size_t)
- the platform's memcpy() copies with decreasing addresses (e.g. SH2)

As the memory blocks passed to memcpy() may not overlap, the overlap
must be checked, and in that case the memory must be copied with an
overlap-safe method. Because overlap can occur only if the
destination block is before the source block, the internal MALLOC_COPY
macro (if the USE_MEMCPY macro equals 0) would work without error.

I think the problem affects 3 MALLOC_COPY() calls in mallocr.c: lines
2894, 2911 and 2923. But I am not sure. ;)

I hope I could help:
Ferenc Engard
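An added illustration of the failure the report describes, in C (example code, not from the post and not newlib's mallocr.c; the decreasing-address memcpy, the heap layout and the function names are constructed stand-ins for a platform memcpy and for realloc coalescing with the free chunk in front of the live block):

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for a platform memcpy that walks with decreasing addresses
 * (the post's SH2 case). Fine for disjoint blocks, wrong when dest < src
 * and the blocks overlap. */
static void backward_memcpy(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst; const unsigned char *s = src;
    while (n--)
        d[n] = s[n];
}

/* Increasing-address copy, as the post says MALLOC_COPY does when
 * USE_MEMCPY is 0: safe for the only overlap realloc produces here,
 * namely destination below source. */
static void forward_copy(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst; const unsigned char *s = src;
    for (size_t i = 0; i < n; i++)
        d[i] = s[i];
}

/* The check the post asks for: detect overlap and fall back to an
 * overlap-safe copy; otherwise use whatever memcpy the platform has. */
static void overlap_checked_copy(void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (d < s + n && s < d + n)
        memmove(dst, src, n);      /* regions overlap */
    else
        backward_memcpy(dst, src, n);
}

/* Model realloc merging with the free chunk before a live block: payload
 * at heap[off..off+n) moves down to heap[0..n). Returns 1 if it survived. */
int simulate_backward_merge(void (*copy)(void *, const void *, size_t),
                            size_t off, size_t n)
{
    unsigned char heap[256] = {0};
    for (size_t i = 0; i < n; i++)
        heap[off + i] = (unsigned char)(i + 1);   /* constructed payload */
    copy(heap, heap + off, n);
    for (size_t i = 0; i < n; i++)
        if (heap[i] != (unsigned char)(i + 1))
            return 0;
    return 1;
}
```

With a 4-byte shift and a 16-byte payload, the decreasing-address copy corrupts the block while both the forward copy and the overlap-checked copy preserve it; with the blocks disjoint all three agree.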
