Fix two quarantine bugs.

Internal reallocation of the quarantined object array leaked the old array. Reallocation failure for internal reallocation of the quarantined object array (very unlikely) resulted in memory corruption.
2013-01-31 14:42:41 -08:00 · 2013-01-31 14:42:41 -08:00 · d0e942e466
commit d0e942e466
parent bbe29d374d
2 changed files with 24 additions and 10 deletions
--- a/5
+++ b/5
@ -12,6 +12,11 @@ found in the git revision history:
  - Fix TLS-related memory corruption that could occur during thread exit if the
    thread never allocated memory.  Only the quarantine and prof facilities were
    susceptible.
+  - Fix two quarantine bugs:
+    + Internal reallocation of the quarantined object array leaked the old
+      array.
+    + Reallocation failure for internal reallocation of the quarantined object
+      array (very unlikely) resulted in memory corruption.

 * 3.3.0 (January 23, 2013)

--- a/src/quarantine.c
+++ b/src/quarantine.c
@ -18,6 +18,7 @@ malloc_tsd_data(, quarantine, quarantine_t *, NULL)
 /* Function prototypes for non-inline static functions. */

 static quarantine_t	*quarantine_grow(quarantine_t *quarantine);
+static void	quarantine_drain_one(quarantine_t *quarantine);
 static void	quarantine_drain(quarantine_t *quarantine, size_t upper_bound);

 /******************************************************************************/
@ -47,8 +48,10 @@ quarantine_grow(quarantine_t *quarantine)
 	quarantine_t *ret;

 	ret = quarantine_init(quarantine->lg_maxobjs + 1);
-	if (ret == NULL)
+	if (ret == NULL) {
+		quarantine_drain_one(quarantine);
 		return (quarantine);
+	}

 	ret->curbytes = quarantine->curbytes;
 	ret->curobjs = quarantine->curobjs;
@ -68,15 +71,14 @@ quarantine_grow(quarantine_t *quarantine)
 		memcpy(&ret->objs[ncopy_a], quarantine->objs, ncopy_b *
 		    sizeof(quarantine_obj_t));
 	}
+	idalloc(quarantine);

 	return (ret);
 }

 static void
-quarantine_drain(quarantine_t *quarantine, size_t upper_bound)
+quarantine_drain_one(quarantine_t *quarantine)
 {
-
-	while (quarantine->curbytes > upper_bound && quarantine->curobjs > 0) {
 	quarantine_obj_t *obj = &quarantine->objs[quarantine->first];
 	assert(obj->usize == isalloc(obj->ptr, config_prof));
 	idalloc(obj->ptr);
@ -84,7 +86,14 @@ quarantine_drain(quarantine_t *quarantine, size_t upper_bound)
 	quarantine->curobjs--;
 	quarantine->first = (quarantine->first + 1) & ((ZU(1) <<
 	    quarantine->lg_maxobjs) - 1);
-	}
+}
+
+static void
+quarantine_drain(quarantine_t *quarantine, size_t upper_bound)
+{
+
+	while (quarantine->curbytes > upper_bound && quarantine->curobjs > 0)
+		quarantine_drain_one(quarantine);
 }

 void