In reallocf(3), free the memory only when size != 0. Otherwise, when the

System V compatibility option (malloc "V" flag) is in effect a zero sized reallocf() could cause a double free. PR: bin/141753 Submitted by: Dan Lukes
svn path=/head/; revision=204636
2025-01-14 14:55:41 +00:00 · 2010-03-03 15:43:26 +00:00 · 2010-03-03 15:43:26 +00:00 · 967e82cae0 · 2020-12-20 02:59:44 +00:00
commit 967e82cae0
parent 660df75e8b
1 changed files with 8 additions and 1 deletions
--- a/lib/libc/stdlib/reallocf.c
+++ b/lib/libc/stdlib/reallocf.c
@ -35,7 +35,14 @@ reallocf(void *ptr, size_t size)
 	void *nptr;

 	nptr = realloc(ptr, size);
-	if (!nptr && ptr)
+
+	/*
+	 * When the System V compatibility option (malloc "V" flag) is
+	 * in effect, realloc(ptr, 0) frees the memory and returns NULL.
+	 * So, to avoid double free, call free() only when size != 0.
+	 * realloc(ptr, 0) can't fail when ptr != NULL.
+	 */
+	if (!nptr && ptr && size != 0)
 		free(ptr);
 	return (nptr);
 }