dbus_realloc () can crash when guards are enabled
Miloslav Trmac
mitr@volny.cz
Sat, 28 Jun 2003 05:16:05 +0200
On Sat, Jun 28, 2003 at 05:11:00AM +0200, Miloslav Trmac wrote:
> Attached patch fixes this.
Um... This patch.
Mirek
diff -ur dbus/dbus/dbus-memory.c sw/dbus/dbus/dbus-memory.c
--- dbus/dbus/dbus-memory.c 2003-06-28 01:16:52.000000000 +0200
+++ sw/dbus/dbus/dbus-memory.c 2003-06-28 02:37:38.000000000 +0200
@@ -555,6 +555,7 @@
{
if (memory)
{
+ size_t old_bytes;
void *block;
check_guards (memory);
@@ -562,7 +563,8 @@
block = realloc (((unsigned char*)memory) - GUARD_START_OFFSET,
bytes + GUARD_EXTRA_SIZE);
- if (block)
+ old_bytes = *(dbus_uint32_t*)block;
+ if (block && bytes >= old_bytes)
/* old guards shouldn't have moved */
check_guards (((unsigned char*)block) + GUARD_START_OFFSET);
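Review bot: `old_bytes = *(dbus_uint32_t*)block;` reads through `block` before the `if (block && ...)` test on the following line, so when realloc() returns NULL this is a NULL dereference instead of a reported allocation failure. Folding the read into the condition keeps the short-circuit and makes the temporary unnecessary: `if (block && bytes >= *(dbus_uint32_t*)block)`. The read also assumes the first 32-bit word of the guarded block holds the previously requested size; that layout is established outside this hunk, so a one-line comment stating it here would help. The enclosing function starts and ends outside the hunk.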
@@ -762,3 +764,42 @@
}
/** @} */ /** End of public API docs block */
+
+#ifdef DBUS_BUILD_TESTS
+#include "dbus-test.h"
+
+/**
+ * @ingroup DBusMemoryInternals
+ * Unit test for DBusMemory
+ * @returns #TRUE on success.
+ */
+dbus_bool_t
+_dbus_memory_test (void)
+{
+ dbus_bool_t old_guards;
+ void *p;
+ size_t size;
+
+ old_guards = guards;
+ guards = TRUE;
+ p = dbus_malloc (4);
+ if (p == NULL)
+ _dbus_assert_not_reached ("no memory");
+ for (size = 4; size < 256; size += 4)
+ {
+ p = dbus_realloc (p, size);
+ if (p == NULL)
+ _dbus_assert_not_reached ("no memory");
+ }
+ for (size = 256; size != 0; size -= 4)
+ {
+ p = dbus_realloc (p, size);
+ if (p == NULL)
+ _dbus_assert_not_reached ("no memory");
+ }
+ dbus_free (p);
+ guards = old_guards;
+ return TRUE;
+}
+
+#endif
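Review bot: The test never writes to the reallocated block and only checks the returned pointer for NULL, so it passes whenever the guard checks inside dbus_realloc() and dbus_free() do not abort; a guard placed inside the usable region would go unnoticed. Filling the block after each successful call, e.g. `memset (p, 0xff, size);` (assuming <string.h> is available in this file), lets the next guard check catch such an overlap. The order of `dbus_free (p);` before `guards = old_guards;` looks load-bearing, since the free path presumably consults `guards` to find the real allocation; a comment such as `/* free while guards are still on: p was allocated with guard padding */` would keep it from being reordered. The allocation-failure path of dbus_realloc() is not exercised here.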
diff -ur dbus/dbus/dbus-test.c sw/dbus/dbus/dbus-test.c
--- dbus/dbus/dbus-test.c 2003-06-28 01:16:52.000000000 +0200
+++ sw/dbus/dbus/dbus-test.c 2003-06-28 02:39:19.000000000 +0200
@@ -105,7 +105,13 @@
die ("marshalling");
check_memleaks ();
+
+ printf ("%s: running memory tests\n", "dbus-test");
+ if (!_dbus_memory_test ())
+ die ("memory");
+ check_memleaks ();
+
printf ("%s: running memory pool tests\n", "dbus-test");
if (!_dbus_mem_pool_test ())
die ("memory pools");
diff -ur dbus/dbus/dbus-test.h sw/dbus/dbus/dbus-test.h
--- dbus/dbus/dbus-test.h 2003-06-28 01:16:52.000000000 +0200
+++ sw/dbus/dbus/dbus-test.h 2003-06-28 02:06:42.000000000 +0200
@@ -52,6 +52,7 @@
dbus_bool_t _dbus_sysdeps_test (void);
dbus_bool_t _dbus_spawn_test (const char *test_data_dir);
dbus_bool_t _dbus_userdb_test (const char *test_data_dir);
+dbus_bool_t _dbus_memory_test (void);
void dbus_internal_do_not_use_run_tests (const char *test_data_dir);