diff options
| author | jh <jh@FreeBSD.org> | 2010-03-03 15:43:26 +0000 |
|---|---|---|
| committer | jh <jh@FreeBSD.org> | 2010-03-03 15:43:26 +0000 |
| commit | c5a3b40d67289d8bb591d76ed3c0d1b8ad5715a8 (patch) | |
| tree | a9d8f1dab852c1239fe4b931c69acf8faa323a40 /lib/libc | |
| parent | acf511e4d0cb788a9a050ea1aefef0548aa329ab (diff) | |
| download | FreeBSD-src-c5a3b40d67289d8bb591d76ed3c0d1b8ad5715a8.zip FreeBSD-src-c5a3b40d67289d8bb591d76ed3c0d1b8ad5715a8.tar.gz | |
In reallocf(3), free the memory only when size != 0. Otherwise, when the
System V compatibility option (malloc "V" flag) is in effect a zero sized
reallocf() could cause a double free.
PR: bin/141753
Submitted by: Dan Lukes
Diffstat (limited to 'lib/libc')
| -rw-r--r-- | lib/libc/stdlib/reallocf.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/libc/stdlib/reallocf.c b/lib/libc/stdlib/reallocf.c index 5320926..a85b5a3 100644 --- a/lib/libc/stdlib/reallocf.c +++ b/lib/libc/stdlib/reallocf.c @@ -35,7 +35,14 @@ reallocf(void *ptr, size_t size) void *nptr; nptr = realloc(ptr, size); - if (!nptr && ptr) + + /* + * When the System V compatibility option (malloc "V" flag) is + * in effect, realloc(ptr, 0) frees the memory and returns NULL. + * So, to avoid double free, call free() only when size != 0. + * realloc(ptr, 0) can't fail when ptr != NULL. + */ + if (!nptr && ptr && size != 0) free(ptr); return (nptr); } |
