* A bug in the supplied realloc() replacement could result in heap

corruption. (No resulting failures have been observed with ex so far.)
2005-08-18 20:54:54 +00:00 · 2005-08-18 20:54:54 +00:00 · 90dcee7912
parent a28b46f12d
commit 90dcee7912
3 changed files with 19 additions and 10 deletions
--- a/2
+++ b/2
@ -6,6 +6,8 @@ Release ...
  shows the beginning of a line that does not fit onto the screen in its
  entirety.
 * Viewing executables and compressed files is no longer inhibited.
+* A bug in the supplied realloc() replacement could result in heap
+  corruption. (No resulting failures have been observed with ex so far.)

 Release 3/25/05
 * vi no longer dies with a segmentation fault if a line does not fit on the
--- a/ex_version.c
+++ b/ex_version.c
@ -70,12 +70,12 @@
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
- * Sccsid @(#)ex_version.c	1.144 (gritter) 8/6/05
+ * Sccsid @(#)ex_version.c	1.145 (gritter) 8/18/05
 */

 #include "ex.h"

-static char *versionstring = "@(#)Version 4.0 (gritter) 8/6/05";
+static char *versionstring = "@(#)Version 4.0 (gritter) 8/18/05";

 void 
 printver(void)
@ -127,6 +127,6 @@ ex_vput.c:static char sccsid[] = "@(#)ex_vput.c	1.51 (gritter) 8/6/05";
 ex_vwind.c:static char sccsid[] = "@(#)ex_vwind.c	1.9 (gritter) 11/23/04";
 expreserve.c:static char sccsid[] UNUSED = "@(#)expreserve.c	1.23 (gritter) 11/27/04";
 exrecover.c:static char sccsid[] UNUSED = "@(#)exrecover.c	1.22 (gritter) 8/4/05";
-mapmalloc.c: *	Sccsid @(#)mapmalloc.c	1.6 (gritter) 6/19/05
+mapmalloc.c: *	Sccsid @(#)mapmalloc.c	1.7 (gritter) 8/18/05
 printf.c:static char sccsid[] = "@(#)printf.c	1.15 (gritter) 12/1/04";
 */
--- a/mapmalloc.c
+++ b/mapmalloc.c
@ -1,8 +1,7 @@
 /*
 * AT&T Unix 7th Edition memory allocation routines.
 *
- * Modified for ex by Gunnar Ritter, Freiburg i. Br., Germany,
- * February 2005.
+ * Modified by Gunnar Ritter, Freiburg i. Br., Germany, February 2005.
 *
 * Copyright(C) Caldera International Inc. 2001-2002. All rights reserved.
 *
@ -36,7 +35,7 @@
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
- *	Sccsid @(#)mapmalloc.c	1.6 (gritter) 6/19/05
+ *	Sccsid @(#)mapmalloc.c	1.7 (gritter) 8/18/05
 */

 #ifdef	VMUNIX
@ -201,8 +200,8 @@ map(void *addr, size_t len)
 	return(mmap(addr,len,PROT_READ|PROT_WRITE,flags,fd,0));
 }

-void *
-malloc(size_t nbytes)
+static void *
+mallock(size_t nbytes, union store *start, union store *end)
 {
 	register union store *p, *q;
 	struct pool *o;
@ -240,7 +239,9 @@ first:	if(allocs[0].ptr==0) {	/*first time for this pool*/
 					if (ua)
 						allocp = p->ptr;
 				}
-				if(q>=p+nw && p+nw>=p)
+				if(q>=p+nw && p+nw>=p && (start==NULL ||
+						p+nw<start || p>end ||
+						p+2==start))
 					goto found;
 			}
 			q = p;
@ -303,6 +304,12 @@ found:
 	return(p+2);
 }

+void *
+malloc(size_t nbytes)
+{
+	return mallock(nbytes, NULL, NULL);
+}
+
 /*	freeing strategy tuned for LIFO allocation
 */
 void 
@ -350,7 +357,7 @@ realloc(void *ap, size_t nbytes)
 		free(p);
 	onw = p[-2].ptr - p;
 	o = p[-1].pool;
-	q = malloc(nbytes);
+	q = mallock(nbytes, p, &p[onw]);
 	if(q==NULL || q==p)
 		return(q);
 	s = p;