On 9/1/2020 7:18 AM, Jeff King wrote:
> This patch fixes a bug where xrealloc(ptr, 0) can double-free and
> corrupt the heap on some platforms (including at least glibc).
!!! Good find !!!
> The simplest fix here is to just pass "ret" (which we know to be NULL)
> to the follow-up realloc(). That does mean that a system which _doesn't_
> free the original pointer would leak it. But that interpretation of the
> standard seems unlikely (if a system didn't deallocate in this case, I'd
> expect it to simply return the original pointer). If it turns out to be
> an issue, we can handle the "!size" case up front instead, before we
> call realloc() at all.
Adding an `if (!size) {free(ptr); return NULL;}` block was what I
expected. Was that chosen just so we can rely more on the system
realloc(), or is there a performance implication that I'm not
seeing?
> @@ -120,7 +120,7 @@ void *xrealloc(void *ptr, size_t size)
> memory_limit_check(size, 0);
> ret = realloc(ptr, size);
> if (!ret && !size)
> - ret = realloc(ptr, 1);
> + ret = realloc(ret, 1);
I appreciate all the additional context for such a small change.
LGTM.
-Stolee
