Commit cb5babdc authored by Rich Felker

fix memset overflow in oldmalloc race fix overhaul

commit 3e16313f introduced this bug by
making the copy case reachable with n (new size) smaller than n0
(original size). this was left as the only way of shrinking an
allocation because it reduces fragmentation if a free chunk of the
appropriate size is available. when that's not the case, another
approach may be better, but any such improvement would be independent
of fixing this bug.
Parent 4bd22b8f
......@@ -409,7 +409,7 @@ copy_realloc:
new = malloc(n-OVERHEAD);
if (!new) return 0;
copy_free_ret:
memcpy(new, p, n0-OVERHEAD);
memcpy(new, p, (n<n0 ? n : n0) - OVERHEAD);
free(CHUNK_TO_MEM(self));
return new;
}
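Review bot: the corrected length `(n<n0 ? n : n0) - OVERHEAD` at `copy_free_ret:` fixes the overflow, since `new` was allocated with only `n-OVERHEAD` bytes and the old `memcpy(new, p, n0-OVERHEAD)` wrote `n0-n` bytes past its end whenever the shrink path (n < n0) was taken; copying the minimum of the two sizes is also the correct realloc semantics, as the caller may only rely on the first min(old, new) bytes surviving. One suggestion: add a short comment above the memcpy noting that n may be smaller than n0 on this path, so a future reader does not "simplify" the expression back to `n0-OVERHEAD`, and consider a regression test that reallocs a large block down to a small size while the heap is populated, since the extraction here also dropped the `+`/`-` markers and the single-character difference between the two memcpy lines is easy to miss in review.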