diff options
author | Yu-Ping Wu <yupingso@chromium.org> | 2020-09-11 14:39:03 +0800 |
---|---|---|
committer | Hung-Te Lin <hungte@chromium.org> | 2020-09-13 13:40:11 +0000 |
commit | aec3b1f7d70f2cf59cdd80c7bd1047ca54df034c (patch) | |
tree | 5de5354d734ce82395acf8db0bef0525b539aea5 /util/fuzz-tests/jpeg-test-cases | |
parent | 828a36e32567c9862cc8aad7209b408b8b99b01d (diff) |
libpayload: malloc: Fix realloc for overlapping buffers
The current realloc() works by freeing the origin buffer, allocating a
new one, and copying the data over. It's true that free() won't touch
the actual memory. However, the alloc() following it will potentially
modify the memory that belongs to the old buffer in order to create a
new free block (right after the newly allocated block). This causes 8
bytes (HDRSIZE) to be overwritten before being copied to the new buffer.
To fix the problem, we must create the header of the new free block
after the data is copied. In this patch, the content of alloc() is split
into two functions:
1. find_free_block(): Find a free block with large enough size, without
touching the memory
2. use_block(): Update the header of the newly allocated block, and
create the header of the new free block right after it
Then, inside realloc(), call memmove() call right after
find_free_block() while before use_block().
BUG=b:165439970
TEST=emerge-puff libpayload
TEST=Puff boots
TEST=Verified realloc() correctly copied data when buffers overlapped
Change-Id: I9418320a26820909144890300ddfb09ec2570f43
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/45284
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Diffstat (limited to 'util/fuzz-tests/jpeg-test-cases')
0 files changed, 0 insertions, 0 deletions