From: Antti Kantee
Date: Fri, 16 Jan 2015 00:45:24 +0000 (+0000)
Subject: fix realloc() to use correct existing size
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=ffcd777f8062fb24dff7c9d2a46547001e158b05;p=rumpuser-xen.git

fix realloc() to use correct existing size

prevents memory corruption in certain realloc() scenarios reported by @mato
---
diff --git a/lib/memalloc.c b/lib/memalloc.c
index 239e961..8668d9a 100644
--- a/lib/memalloc.c
+++ b/lib/memalloc.c
@@ -473,7 +473,7 @@ memrealloc(void *cp, size_t nbytes)
 alignpad = op->ov_alignpad;
 /* don't bother "compacting". don't like it? don't use realloc! */
- if (((1<<(size+MINSHIFT)) - (alignpad+sizeof(*op))) >= nbytes)
+ if (((1<<(size+MINSHIFT)) - alignpad) >= nbytes)
 return cp;
 /* we're gonna need a bigger bucket */
@@ -481,7 +481,7 @@ memrealloc(void *cp, size_t nbytes)
 if (np == NULL)
 return NULL;
- memcpy(np, cp, (1<<(size+MINSHIFT)) - (alignpad+sizeof(*op)));
+ memcpy(np, cp, (1<<(size+MINSHIFT)) - alignpad);
 memfree(cp);
 return np;
 }
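Review bot: The usable-size expression `(1<<(size+MINSHIFT)) - alignpad` is now written out twice, once in the early-return check in the first hunk and again in the memcpy in the second, which is exactly how the two copies drifted apart before this fix; compute it once, `size_t oldsz = ((size_t)1 << (size + MINSHIFT)) - alignpad;`, and use `oldsz` in both the comparison and the memcpy. Using `(size_t)1` rather than the int literal also avoids a signed shift if `size + MINSHIFT` ever reaches the width of int, and keeps the comparison with the `size_t` parameter `nbytes` free of signed/unsigned mixing. Whether `alignpad` already includes the header (`sizeof(*op)`), as the commit message implies, cannot be confirmed from the hunk alone; the declarations of `size` and `alignpad` and the start of memrealloc lie above the first hunk.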