>From 4863afd5260e11f05f69adc64c496f6d8bace627 Mon Sep 17 00:00:00 2001
From: Collin Funk
Date: Thu, 18 Jul 2024 21:45:51 -0700
Subject: [PATCH] malloc: fix out-of-bounds read
* lib/malloc/malloc.c (internal_realloc): Check value of nunits before using RIGHT_BUCKET.
---
 lib/malloc/malloc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/malloc/malloc.c b/lib/malloc/malloc.c
index 7b2c3f25..07487fa8 100644
--- a/lib/malloc/malloc.c
+++ b/lib/malloc/malloc.c
@@ -1202,7 +1202,8 @@ internal_realloc (PTR_T mem, size_t n, const char *file, int line, int flags)
 nbytes = ALLOCATED_BYTES(n);
 /* If ok, use the same block, just marking its size as changed. */
- if (RIGHT_BUCKET(nbytes, nunits) || RIGHT_BUCKET(nbytes, nunits-1))
+ if ((1 <= nunits && RIGHT_BUCKET (nbytes, nunits)) || (2 <= nunits && RIGHT_BUCKET (nbytes, nunits - 1)))
 {
 /* Compensate for increment above. */
 m -= 4;
-- 
2.45.2
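Review bot: The new `1 <= nunits` and `2 <= nunits` guards on the `if` line carry no explanation, so the next reader cannot tell why `nunits - 1` needs a different lower bound than `nunits` without going to the macro definition. Extend the comment above the test to say why the bounds exist, e.g. `/* RIGHT_BUCKET(nb, nu) also looks at the bucket below nu, so nunits (and nunits-1) must stay within the bucket table before it is used as an index.  */`; the macro body is not in this hunk, so confirm the wording against its definition. As a point of style, `RIGHT_BUCKET (nbytes, nunits)` puts a space before the parenthesis while the removed line and the `ALLOCATED_BYTES(n)` context line do not, so the macro-call spacing now differs within the same function; keep the file's existing form. internal_realloc begins and ends outside this hunk.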