lib/os/heap: fix out-of-bounds usage of memcpy() in sys_heap_realloc()

Nicolas Pitre · nashif · commit 593997046bff · 2021-02-02T19:08:24.000-05:00
The sys_heap_realloc() code falls back to allocating new memory
and copying the existing data over when it cannot adjust the size
in place. However the size of the data to copy should be the old
size and not the new size if we're extending the allocation.

Signed-off-by: Nicolas Pitre &lt;npitre@baylibre.com&gt;
diff --git a/lib/os/heap.c b/lib/os/heap.c
@@ -368,12 +368,13 @@ void *sys_heap_aligned_realloc(struct sys_heap *heap, void *ptr,
 	/* Fallback: allocate and copy */
 	void *ptr2 = sys_heap_aligned_alloc(heap, align, bytes);
 
-	if (ptr2 == NULL) {
-		return NULL;
-	}
+	if (ptr2 != NULL) {
+		size_t prev_size = chunk_size(h, c) * CHUNK_UNIT
+				   - chunk_header_bytes(h) - align_gap;
 
-	memcpy(ptr2, ptr, bytes);
-	sys_heap_free(heap, ptr);
+		memcpy(ptr2, ptr, MIN(prev_size, bytes));
+		sys_heap_free(heap, ptr);
+	}
 	return ptr2;
 }
 
