Usermode/libc - Fix edge case crash with realloc on last block

diff --git a/Usermode/Libraries/libc.so_src/heap.c b/Usermode/Libraries/libc.so_src/heap.c
index d6d9a40..5346032 100644 (file)
--- a/Usermode/Libraries/libc.so_src/heap.c
+++ b/Usermode/Libraries/libc.so_src/heap.c
@@ -8,6 +8,7 @@
 #include <acess/sys.h>\r
 #include <stdlib.h>\r
 #include <string.h>\r
+#include <assert.h>\r
 #include "lib.h"\r
 \r
 #if 0\r
@@ -308,7 +309,8 @@ EXPORT void *realloc(void *oldPos, size_t bytes)
        \r
        // Check for free space after the block\r
        heap_head *nexthead = NEXT_HEAD(head);\r
-       if( nexthead && nexthead->magic == MAGIC_FREE && head->size + nexthead->size >= reqd_size )\r
+       assert( nexthead <= _heap_end );\r
+       if( nexthead != _heap_end && nexthead->magic == MAGIC_FREE && head->size + nexthead->size >= reqd_size )\r
        {\r
                // Split next block\r
                if( head->size + nexthead->size > reqd_size )\r
@@ -337,12 +339,12 @@ EXPORT void *realloc(void *oldPos, size_t bytes)
        void *ret = _malloc(bytes, __builtin_return_address(0));\r
        if(ret == NULL)\r
                return NULL;\r
+       heap_head *newhead = (heap_head*)ret - 1;\r
        \r
-       //Copy Old Data\r
+       // Copy Old Data\r
+       assert( head->size < newhead->size );\r
        size_t copy_size = head->size-sizeof(heap_head)-sizeof(heap_foot);\r
-       if( copy_size > bytes )\r
-               copy_size = bytes;\r
-       memcpy(ret, oldPos, bytes);\r
+       memcpy(ret, oldPos, copy_size);\r
        free(oldPos);\r
        \r
        //Return\r