irungentoo / toxcore

The future of online communications.
https://tox.chat/
GNU General Public License v3.0

possibly realloc 0 size and cause uaf #1578

Open yebeloved opened 8 years ago

yebeloved commented 8 years ago

I think it may cause a potential bug in list.c if bs_list_trim is called and list->n is 0, because in such a condition, when resize is called, p = realloc(list->ids, sizeof(int) * new_size); acts like free, but list->data still points to the freed memory. It may cause a use-after-free. Although bs_list_trim isn't called yet, I think it is a potential issue and we could add some checks to make the code safer. Thanks.

iphydf commented 8 years ago

If list->n == 0, then list->data will never be accessed.
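A defensive resize that handles the zero-size case raised above explicitly, as an added example and not toxcore's own list.c; the BS_List layout and the function names are assumptions made for the illustration:

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the list layout the issue discusses (parallel
 * ids/data arrays, count n, capacity). Added illustration, not toxcore's list.c. */
typedef struct {
    uint32_t element_size;
    uint32_t capacity;
    uint32_t n;
    int *ids;
    uint8_t *data;
} BS_List;

/* Defensive resize. realloc(ptr, 0) is implementation-defined (glibc frees ptr
 * and returns NULL): that is how ids could become NULL while data still points
 * at freed memory. Size 0 is handled explicitly; for other sizes capacity stays
 * <= both real allocations even if the second realloc fails. */
static int resize_safe(BS_List *list, uint32_t new_size)
{
    if (new_size == 0) {               /* never hand size 0 to realloc */
        free(list->ids);  list->ids = NULL;
        free(list->data); list->data = NULL;
        list->capacity = 0; list->n = 0;
        return 1;
    }
    int *p = realloc(list->ids, sizeof(int) * new_size);
    if (p == NULL) return 0;
    list->ids = p;
    if (new_size < list->capacity) list->capacity = new_size; /* ids shrank first */
    uint8_t *d = realloc(list->data, (size_t)list->element_size * new_size);
    if (d == NULL) return 0;           /* data unchanged; capacity still valid */
    list->data = d;
    list->capacity = new_size;
    if (list->n > new_size) list->n = new_size;
    return 1;
}

/* Fill, trim to zero, then reuse; returns 0 when no dangling state is left. */
static int demo_trim_cycle(void)
{
    BS_List l = { .element_size = 4 };
    if (!resize_safe(&l, 4)) return 1;
    l.n = 4; l.ids[3] = 3; l.data[15] = 0xAB;
    if (!resize_safe(&l, 0)) return 2;
    if (l.ids || l.data || l.capacity || l.n) return 3;  /* nothing dangling */
    if (!resize_safe(&l, 2)) return 4;                   /* list is reusable */
    l.ids[1] = 1; l.data[7] = 0xCD;
    resize_safe(&l, 0);
    return 0;
}
```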