authorSergey Bugaev <bugaevc@gmail.com>2023-05-09 00:31:05 +0300
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2023-05-10 02:22:19 +0200
commita6386eda9c4de125e58985b19b6028c3f868de36 (patch)
treec2dff5165ef971383a8a223c3cf0988d8f06d88d /libpipe
parent070292f3118b75de9fc0e79fac6ca0186d157c28 (diff)
libpipe: Fix use-after-realloc
We cannot use old_buf after we realloc it, even just for subtracting it from another pointer. Instead, compute the offsets in advance. Message-Id: <20230508213136.608575-11-bugaevc@gmail.com>
Diffstat (limited to 'libpipe')
-rw-r--r--libpipe/pq.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/libpipe/pq.c b/libpipe/pq.c
index af380274..fff03e67 100644
--- a/libpipe/pq.c
+++ b/libpipe/pq.c
@@ -193,20 +193,21 @@ packet_extend (struct packet *packet, size_t new_len)
/* A malloc'd packet. */
{
char *new_buf;
- char *old_buf = packet->buf;
+ ptrdiff_t start_offset = packet->buf_start - packet->buf;
+ ptrdiff_t end_offset = packet->buf_end - packet->buf;
if (new_len >= PACKET_SIZE_LARGE)
/* The old packet length is malloc'd, but we want to vm_allocate the
new length, so we'd have to copy the old contents. */
return 0;
- new_buf = realloc (old_buf, new_len);
+ new_buf = realloc (packet->buf, new_len);
if (! new_buf)
return 0;
packet->buf = new_buf;
- packet->buf_start = new_buf + (packet->buf_start - old_buf);
- packet->buf_end = new_buf + (packet->buf_end - old_buf);
+ packet->buf_start = new_buf + start_offset;
+ packet->buf_end = new_buf + end_offset;
}
packet->buf_len = new_len;