1 files changed, 37 insertions, 20 deletions
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c
index 30cfd48986..9861f6d153 100644
--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc.c,v 1.212 2017/01/21 07:47:42 otto Exp $       */
+/*      $OpenBSD: malloc.c,v 1.213 2017/02/01 06:17:42 otto Exp $       */
 /*
 * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
 * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -1328,13 +1328,9 @@ ofree(struct dir_info *argpool, void *p)
                                    sz - mopts.malloc_guard,
                                    PAGEROUND(sz - mopts.malloc_guard));
                } else {
-#if notyetbecause_of_realloc
                        /* shifted towards the end */
-                        if (p != ((char *)r->p) + ((MALLOC_PAGESIZE -
+                        if (p != MALLOC_MOVE(r->p, sz))
-                            MALLOC_MINSIZE - sz - mopts.malloc_guard) &
+                                wrterror(pool, "bogus moved pointer %p", p);
-                            ~(MALLOC_MINSIZE-1))) {
-                        }
-#endif
                        p = r->p;
                }
                if (mopts.malloc_guard) {
@@ -1474,7 +1470,7 @@ orealloc(struct dir_info *argpool, void *p, size_t newsz, void *f)
        if (gnewsz > MALLOC_MAXCHUNK)
                gnewsz += mopts.malloc_guard;
-        if (newsz > MALLOC_MAXCHUNK && oldsz > MALLOC_MAXCHUNK && p == r->p &&
+        if (newsz > MALLOC_MAXCHUNK && oldsz > MALLOC_MAXCHUNK &&
            !mopts.malloc_realloc) {
                /* First case: from n pages sized allocation to m pages sized
                   allocation, no malloc_move in effect */
@@ -1484,7 +1480,7 @@ orealloc(struct dir_info *argpool, void *p, size_t newsz, void *f)
                if (rnewsz > roldsz) {
                        /* try to extend existing region */
                        if (!mopts.malloc_guard) {
-                                void *hint = (char *)p + roldsz;
+                                void *hint = (char *)r->p + roldsz;
                                size_t needed = rnewsz - roldsz;
                                STATS_INC(pool->cheap_realloc_tries);
@@ -1502,9 +1498,15 @@ gotit:
                                        STATS_ADD(pool->malloc_used, needed);
                                        if (mopts.malloc_junk == 2)
                                                memset(q, SOME_JUNK, needed);
-                                        r->size = newsz;
+                                        r->size = gnewsz;
+                                        if (r->p != p) {
+                                                /* old pointer is moved */
+                                                memmove(r->p, p, oldsz);
+                                                p = r->p;
+                                        }
                                        if (mopts.chunk_canaries)
-                                                fill_canary(p, newsz, PAGEROUND(newsz));
+                                                fill_canary(p, newsz,
+                                                    PAGEROUND(newsz));
                                        STATS_SETF(r, f);
                                        STATS_INC(pool->cheap_reallocs);
                                        ret = p;
@@ -1517,30 +1519,45 @@ gotit:
                } else if (rnewsz < roldsz) {
                        /* shrink number of pages */
                        if (mopts.malloc_guard) {
-                                if (mprotect((char *)p + roldsz -
+                                if (mprotect((char *)r->p + roldsz -
                                    mopts.malloc_guard, mopts.malloc_guard,
                                    PROT_READ | PROT_WRITE))
                                        wrterror(pool, "mprotect");
-                                if (mprotect((char *)p + rnewsz -
+                                if (mprotect((char *)r->p + rnewsz -
                                    mopts.malloc_guard, mopts.malloc_guard,
                                    PROT_NONE))
                                        wrterror(pool, "mprotect");
                        }
-                        unmap(pool, (char *)p + rnewsz, roldsz - rnewsz);
+                        unmap(pool, (char *)r->p + rnewsz, roldsz - rnewsz);
                        r->size = gnewsz;
-                        if (mopts.chunk_canaries)
+                        if (MALLOC_MOVE_COND(gnewsz)) {
+                                void *pp = MALLOC_MOVE(r->p, gnewsz);
+                                memmove(pp, p, newsz);
+                                p = pp;
+                        } else if (mopts.chunk_canaries)
                                fill_canary(p, newsz, PAGEROUND(newsz));
                        STATS_SETF(r, f);
                        ret = p;
                        goto done;
                } else {
                        /* number of pages remains the same */
-                        if (newsz > oldsz && mopts.malloc_junk == 2)
+                        void *pp = r->p;
-                                memset((char *)p + newsz, SOME_JUNK,
-                                    rnewsz - mopts.malloc_guard - newsz);
                        r->size = gnewsz;
-                        if (mopts.chunk_canaries)
+                        if (MALLOC_MOVE_COND(gnewsz))
-                                fill_canary(p, newsz, PAGEROUND(newsz));
+                                pp = MALLOC_MOVE(r->p, gnewsz);
+                        if (p != pp) {
+                                memmove(pp, p, oldsz < newsz ? oldsz : newsz);
+                                p = pp;
+                        }
+                        if (p == r->p) {
+                                if (newsz > oldsz && mopts.malloc_junk == 2)
+                                        memset((char *)p + newsz, SOME_JUNK,
+                                            rnewsz - mopts.malloc_guard -
+                                            newsz);
+                                if (mopts.chunk_canaries)
+                                        fill_canary(p, newsz, PAGEROUND(newsz));
+                        }
                        STATS_SETF(r, f);
                        ret = p;
                        goto done;

diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c index 30cfd48986..9861f6d153 100644 --- a/src/lib/libc/stdlib/malloc.c +++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: malloc.c,v 1.212 2017/01/21 07:47:42 otto Exp $ */	1	/* $OpenBSD: malloc.c,v 1.213 2017/02/01 06:17:42 otto Exp $ */
2	/*	2	/*
3	* Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>	3	* Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
4	* Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>	4	* Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -1328,13 +1328,9 @@ ofree(struct dir_info argpool, void p)
1328	sz - mopts.malloc_guard,	1328	sz - mopts.malloc_guard,
1329	PAGEROUND(sz - mopts.malloc_guard));	1329	PAGEROUND(sz - mopts.malloc_guard));
1330	} else {	1330	} else {
1331	#if notyetbecause_of_realloc
1332	/* shifted towards the end */	1331	/* shifted towards the end */
1333	if (p != ((char *)r->p) + ((MALLOC_PAGESIZE -	1332	if (p != MALLOC_MOVE(r->p, sz))
1334	MALLOC_MINSIZE - sz - mopts.malloc_guard) &	1333	wrterror(pool, "bogus moved pointer %p", p);
1335	~(MALLOC_MINSIZE-1))) {
1336	}
1337	#endif
1338	p = r->p;	1334	p = r->p;
1339	}	1335	}
1340	if (mopts.malloc_guard) {	1336	if (mopts.malloc_guard) {
@@ -1474,7 +1470,7 @@ orealloc(struct dir_info argpool, void p, size_t newsz, void *f)
1474	if (gnewsz > MALLOC_MAXCHUNK)	1470	if (gnewsz > MALLOC_MAXCHUNK)
1475	gnewsz += mopts.malloc_guard;	1471	gnewsz += mopts.malloc_guard;
1476		1472
1477	if (newsz > MALLOC_MAXCHUNK && oldsz > MALLOC_MAXCHUNK && p == r->p &&	1473	if (newsz > MALLOC_MAXCHUNK && oldsz > MALLOC_MAXCHUNK &&
1478	!mopts.malloc_realloc) {	1474	!mopts.malloc_realloc) {
1479	/* First case: from n pages sized allocation to m pages sized	1475	/* First case: from n pages sized allocation to m pages sized
1480	allocation, no malloc_move in effect */	1476	allocation, no malloc_move in effect */
@@ -1484,7 +1480,7 @@ orealloc(struct dir_info argpool, void p, size_t newsz, void *f)
1484	if (rnewsz > roldsz) {	1480	if (rnewsz > roldsz) {
1485	/* try to extend existing region */	1481	/* try to extend existing region */
1486	if (!mopts.malloc_guard) {	1482	if (!mopts.malloc_guard) {
1487	void hint = (char )p + roldsz;	1483	void hint = (char )r->p + roldsz;
1488	size_t needed = rnewsz - roldsz;	1484	size_t needed = rnewsz - roldsz;
1489		1485
1490	STATS_INC(pool->cheap_realloc_tries);	1486	STATS_INC(pool->cheap_realloc_tries);
@@ -1502,9 +1498,15 @@ gotit:
1502	STATS_ADD(pool->malloc_used, needed);	1498	STATS_ADD(pool->malloc_used, needed);
1503	if (mopts.malloc_junk == 2)	1499	if (mopts.malloc_junk == 2)
1504	memset(q, SOME_JUNK, needed);	1500	memset(q, SOME_JUNK, needed);
1505	r->size = newsz;	1501	r->size = gnewsz;
		1502	if (r->p != p) {
		1503	/* old pointer is moved */
		1504	memmove(r->p, p, oldsz);
		1505	p = r->p;
		1506	}
1506	if (mopts.chunk_canaries)	1507	if (mopts.chunk_canaries)
1507	fill_canary(p, newsz, PAGEROUND(newsz));	1508	fill_canary(p, newsz,
		1509	PAGEROUND(newsz));
1508	STATS_SETF(r, f);	1510	STATS_SETF(r, f);
1509	STATS_INC(pool->cheap_reallocs);	1511	STATS_INC(pool->cheap_reallocs);
1510	ret = p;	1512	ret = p;
@@ -1517,30 +1519,45 @@ gotit:
1517	} else if (rnewsz < roldsz) {	1519	} else if (rnewsz < roldsz) {
1518	/* shrink number of pages */	1520	/* shrink number of pages */
1519	if (mopts.malloc_guard) {	1521	if (mopts.malloc_guard) {
1520	if (mprotect((char *)p + roldsz -	1522	if (mprotect((char *)r->p + roldsz -
1521	mopts.malloc_guard, mopts.malloc_guard,	1523	mopts.malloc_guard, mopts.malloc_guard,
1522	PROT_READ \| PROT_WRITE))	1524	PROT_READ \| PROT_WRITE))
1523	wrterror(pool, "mprotect");	1525	wrterror(pool, "mprotect");
1524	if (mprotect((char *)p + rnewsz -	1526	if (mprotect((char *)r->p + rnewsz -
1525	mopts.malloc_guard, mopts.malloc_guard,	1527	mopts.malloc_guard, mopts.malloc_guard,
1526	PROT_NONE))	1528	PROT_NONE))
1527	wrterror(pool, "mprotect");	1529	wrterror(pool, "mprotect");
1528	}	1530	}
1529	unmap(pool, (char *)p + rnewsz, roldsz - rnewsz);	1531	unmap(pool, (char *)r->p + rnewsz, roldsz - rnewsz);
1530	r->size = gnewsz;	1532	r->size = gnewsz;
1531	if (mopts.chunk_canaries)	1533	if (MALLOC_MOVE_COND(gnewsz)) {
		1534	void *pp = MALLOC_MOVE(r->p, gnewsz);
		1535	memmove(pp, p, newsz);
		1536	p = pp;
		1537	} else if (mopts.chunk_canaries)
1532	fill_canary(p, newsz, PAGEROUND(newsz));	1538	fill_canary(p, newsz, PAGEROUND(newsz));
1533	STATS_SETF(r, f);	1539	STATS_SETF(r, f);
1534	ret = p;	1540	ret = p;
1535	goto done;	1541	goto done;
1536	} else {	1542	} else {
1537	/* number of pages remains the same */	1543	/* number of pages remains the same */
1538	if (newsz > oldsz && mopts.malloc_junk == 2)	1544	void *pp = r->p;
1539	memset((char *)p + newsz, SOME_JUNK,	1545
1540	rnewsz - mopts.malloc_guard - newsz);
1541	r->size = gnewsz;	1546	r->size = gnewsz;
1542	if (mopts.chunk_canaries)	1547	if (MALLOC_MOVE_COND(gnewsz))
1543	fill_canary(p, newsz, PAGEROUND(newsz));	1548	pp = MALLOC_MOVE(r->p, gnewsz);
		1549	if (p != pp) {
		1550	memmove(pp, p, oldsz < newsz ? oldsz : newsz);
		1551	p = pp;
		1552	}
		1553	if (p == r->p) {
		1554	if (newsz > oldsz && mopts.malloc_junk == 2)
		1555	memset((char *)p + newsz, SOME_JUNK,
		1556	rnewsz - mopts.malloc_guard -
		1557	newsz);
		1558	if (mopts.chunk_canaries)
		1559	fill_canary(p, newsz, PAGEROUND(newsz));
		1560	}
1544	STATS_SETF(r, f);	1561	STATS_SETF(r, f);
1545	ret = p;	1562	ret = p;
1546	goto done;	1563	goto done;