Message-ID: <35C0C339.715CA261@gmx.net>
Date: Thu, 30 Jul 1998 19:02:17 +0000
From: Robert Hoehne
Organization: none provided
MIME-Version: 1.0
To: djgpp-workers
Subject: Another bug in malloc.c (realloc())
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Precedence: bulk

As we are here, I found another bug (and I thought that such basic functions are bugfree). When a block is malloc'ed, the size of the block is remembered in the BLOCK struct and when returning from the malloc() function the size member is or'ed with 1.

==>> we must do the reverse!! when using this size member in the realloc() function.

In the patch below I do the calculation only once and then use the copysize variable, since it is not changed.

--- src/libc/ansi/stdlib/malloc.c~ Tue Jul 28 20:42:38 1998 +++ src/libc/ansi/stdlib/malloc.c Thu Jul 30 18:53:42 1998 @@ -335,12 +335,12 @@ return malloc(size); b = (BLOCK *)((char *)ptr-4); - copysize = b->size; - if (size <= b->size) + copysize = b->size & ~1; + if (size <= copysize) { #if 0 - if (b->size < 2*MIN_SAVE_EXTRA - || (size >= b->size-512 && size >= b->size/2)) + if (copysize < 2*MIN_SAVE_EXTRA + || (size >= copysize-512 && size >= copysize/2)) #endif return ptr; copysize = size; @@ -349,7 +349,7 @@ newptr = (char *)malloc(size); #if DEBUG printf("realloc %d %d/%08x %08x->%08, %d\n", - size, b->size, b, ptr, newptr, copysize); + size, b->size & ~1, b, ptr, newptr, copysize); #endif memcpy(newptr, ptr, copysize); free(ptr);
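Review bot: In the second hunk the DEBUG printf format string still contains "%08," with no conversion character after the width, so the newptr argument has no valid conversion and the debug line is malformed whenever DEBUG is defined; since this printf is being edited anyway, it should become "%08x" to match the two pointer fields before it. The masking itself looks right in both hunks: stripping bit 0 with b->size & ~1 before the value is compared against the request and before it is used as the memcpy length removes the one-byte discrepancy that the tag bit introduced into both the `if (size <= b->size)` shortcut and the copy.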
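To make the off-by-one concrete, here is an added example in C (my own model, not the DJGPP malloc.c source): a small allocator model whose header word holds the usable size with bit 0 set as an in-use tag, beside a buggy size reader that trusts the tagged word (as realloc() did before the patch) and a fixed reader that masks it first. The model's names (model_malloc, model_realloc, IN_USE, the demo_* helpers) and its size_t header are assumptions of this example; the real header in the mail is the 4-byte word at ptr-4.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the layout described in the mail: a size word sits
 * just before the user pointer and bit 0 is set while the block is in use.
 * This is an illustration, not the DJGPP code. */
typedef struct {
    size_t size;            /* usable bytes; bit 0 = "in use" tag */
} BLOCK;

#define IN_USE ((size_t)1)

/* Allocate `size` user bytes, rounded up to an even count so bit 0 is free. */
static void *model_malloc(size_t size) {
    size_t rounded = (size + 1) & ~(size_t)1;
    BLOCK *b = malloc(sizeof(BLOCK) + rounded);
    if (!b) return NULL;
    b->size = rounded | IN_USE;          /* the "or'ed with 1" from the mail */
    return (char *)b + sizeof(BLOCK);
}

static void model_free(void *ptr) {
    if (ptr) free((char *)ptr - sizeof(BLOCK));
}

/* Buggy: uses the tagged size word directly, like the pre-patch realloc. */
static size_t buggy_copysize(const void *ptr) {
    const BLOCK *b = (const BLOCK *)((const char *)ptr - sizeof(BLOCK));
    return b->size;                      /* one too large while in use */
}

/* Fixed: strip the tag bit first, which is what the patch does. */
static size_t fixed_copysize(const void *ptr) {
    const BLOCK *b = (const BLOCK *)((const char *)ptr - sizeof(BLOCK));
    return b->size & ~IN_USE;
}

/* Would realloc hand the existing block back as "already big enough"? */
static int fits_in_place(const void *ptr, size_t size, int use_fix) {
    size_t have = use_fix ? fixed_copysize(ptr) : buggy_copysize(ptr);
    return size <= have;
}

/* realloc with the corrected length; copies exactly the usable bytes. */
static void *model_realloc(void *ptr, size_t size) {
    if (!ptr) return model_malloc(size);
    size_t copysize = fixed_copysize(ptr);
    if (size <= copysize) return ptr;    /* shrink or same size: keep block */
    char *newptr = model_malloc(size);
    if (!newptr) return NULL;
    memcpy(newptr, ptr, copysize);
    model_free(ptr);
    return newptr;
}

/* Scenario: a 16-byte block. The buggy reader reports 17 usable bytes. */
static size_t demo_copysize(int use_fix) {
    void *p = model_malloc(16);
    size_t n = use_fix ? fixed_copysize(p) : buggy_copysize(p);
    model_free(p);
    return n;
}

/* Scenario: caller asks to grow the 16-byte block to `request` bytes.
 * Without the mask a request of 17 is wrongly accepted in place, and the
 * caller would then write one byte past the block. */
static int demo_fits_in_place(size_t request, int use_fix) {
    void *p = model_malloc(16);
    int r = fits_in_place(p, request, use_fix);
    model_free(p);
    return r;
}

/* Grow a filled 16-byte block to 64 bytes and check the data survived. */
static int demo_realloc_preserves(void) {
    char *p = model_malloc(16);
    memset(p, 'A', 16);
    p = model_realloc(p, 64);
    int ok = fixed_copysize(p) == 64;
    for (int i = 0; i < 16; i++) ok = ok && p[i] == 'A';
    model_free(p);
    return ok;
}

int main(void) {
    printf("tagged size word read as %zu, masked %zu\n",
           demo_copysize(0), demo_copysize(1));
    printf("request 17 fits in 16-byte block? buggy=%d fixed=%d\n",
           demo_fits_in_place(17, 0), demo_fits_in_place(17, 1));
    printf("realloc preserves contents: %d\n", demo_realloc_preserves());
    return 0;
}
```

The two readers differ by exactly the tag bit: for a 16-byte block the buggy one reports 17, so a request for 17 bytes is accepted in place and, in the copy path, memcpy reads one byte past the old block. Masking before the comparison and before the copy, as the patch does, removes both.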