From 77f9f442d80027b7ebff595e8147d70c84e5efae Mon Sep 17 00:00:00 2001
From: Gunnar Beutner
Date: Sat, 29 May 2021 14:25:48 +0200
Subject: [PATCH] Kernel: Don't overrun the buffer in krealloc()
The allocation_size_in_chunks field contains the bytes necessary for the AllocationHeader so we need to subtract that when we try to figure out how much user data we have to copy.
Fixes #7549.
---
 Kernel/Heap/Heap.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Kernel/Heap/Heap.h b/Kernel/Heap/Heap.h
index ae4793a982..88786e890e 100644
--- a/Kernel/Heap/Heap.h
+++ b/Kernel/Heap/Heap.h
@@ -113,7 +113,7 @@ public:
 VERIFY((u8*)a >= m_chunks && (u8*)ptr < m_chunks + m_total_chunks * CHUNK_SIZE);
 VERIFY((u8*)a + a->allocation_size_in_chunks * CHUNK_SIZE <= m_chunks + m_total_chunks * CHUNK_SIZE);
- size_t old_size = a->allocation_size_in_chunks * CHUNK_SIZE;
+ size_t old_size = a->allocation_size_in_chunks * CHUNK_SIZE - sizeof(AllocationHeader);
 if (old_size == new_size) return ptr;