bin/141753: double-free in reallocf()
Dan Lukes
dan at obluda.cz
Fri Dec 18 17:20:02 UTC 2009
The following reply was made to PR bin/141753; it has been noted by GNATS.
From: Dan Lukes <dan at obluda.cz>
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: bin/141753: double-free in reallocf()
Date: Fri, 18 Dec 2009 18:12:00 +0100
I missed a simple and obvious fix!
Replace
> if (!nptr && ptr)
>         free(ptr);
with
> if (!nptr && ptr && size > 0)
>         free(ptr);
Because -
When size>0 the previous behavior is maintained.
When size==0 and V option not set, then nptr!=NULL (realloc(,0) never
fails) so the ptr is not freed - correct behavior.
When size==0 and V option IS set then we know the ptr is freed by
realloc and it's not freed again here - correct behavior.
Dan
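
The three cases from the mail above can be checked with a small model, given here as an added example that is not part of the original message or of FreeBSD's libc. `model_realloc`, `model_free`, `opt_V`, `force_fail` and `count_frees` are hypothetical names; the allocator is a constructed stand-in that behaves as the mail describes (with V set, `realloc(ptr, 0)` frees `ptr` and returns NULL) and counts how often the original block is released.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model allocator (assumption, not FreeBSD's malloc). */
static int opt_V;       /* models the malloc "V" option from the mail */
static int force_fail;  /* makes a size>0 realloc fail */
static int frees;       /* number of times the tracked block was freed */
static char block[16];  /* the block handed to reallocf */
static char tiny[1];    /* minimal object returned for size==0 without V */

static void model_free(void *p) { if (p == block) frees++; }

static void *model_realloc(void *p, size_t size) {
    if (size == 0) {                 /* the old block is always released */
        model_free(p);
        return opt_V ? NULL : tiny;  /* V set: NULL although p was freed */
    }
    return force_fail ? NULL : p;    /* failure leaves p untouched */
}

/* Check as quoted under "Replace". */
static void *reallocf_old(void *ptr, size_t size) {
    void *nptr = model_realloc(ptr, size);
    if (!nptr && ptr)
        model_free(ptr);
    return nptr;
}

/* Check as quoted under "with". */
static void *reallocf_fixed(void *ptr, size_t size) {
    void *nptr = model_realloc(ptr, size);
    if (!nptr && ptr && size > 0)
        model_free(ptr);
    return nptr;
}

/* Returns how many times the original block was freed in one call. */
static int count_frees(int fixed, size_t size, int v, int fail) {
    opt_V = v; force_fail = fail; frees = 0;
    if (fixed) reallocf_fixed(block, size); else reallocf_old(block, size);
    return frees;
}

int main(void) {
    printf("size=0, V set:   old=%d fixed=%d\n", count_frees(0, 0, 1, 0), count_frees(1, 0, 1, 0));
    printf("size=0, V unset: old=%d fixed=%d\n", count_frees(0, 0, 0, 0), count_frees(1, 0, 0, 0));
    printf("size>0, failure: old=%d fixed=%d\n", count_frees(0, 32, 0, 1), count_frees(1, 32, 0, 1));
    return 0;
}
```

A count of 2 marks the double free; only the old check with size==0 and V set reaches it.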