From: Corinna Vinschen
To: newlib-cvs@sourceware.org
Subject: [newlib-cygwin/main] nano-mallocr: Prevent NULL pointer de-reference in free_list
X-Act-Checkin: newlib-cygwin
X-Git-Author: Henrik Nilsson via Newlib
X-Git-Refname: refs/heads/main
X-Git-Oldrev: 5011c8cc48a22d9ccfc8d11a0f5cbfc0e5db73a6
X-Git-Newrev: c8397ae8171f00dcfb071130e6ea2b64aea17ded
Message-Id: <20230227095820.A87983858D20@sourceware.org>
Date: Mon, 27 Feb 2023 09:58:20 +0000 (GMT)

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=c8397ae8171f00dcfb071130e6ea2b64aea17ded

commit c8397ae8171f00dcfb071130e6ea2b64aea17ded
Author:     Henrik Nilsson via Newlib
AuthorDate: Fri Feb 17 06:56:49 2023 +0100
Commit:     Corinna Vinschen
CommitDate: Mon Feb 27 10:54:26 2023 +0100

    nano-mallocr: Prevent NULL pointer de-reference in free_list

    The existing code checked if there was a chunk in free_list and that
    the tail was not the next chunk.

    The check if there is a chunk is not needed since it's already known
    but the case of a single chunk in free_list needs to be handled
    differently.

Diff:
---
 newlib/libc/stdlib/nano-mallocr.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-ma= llocr.c index b2273ba60943..a2b50facc35e 100644 --- a/newlib/libc/stdlib/nano-mallocr.c +++ b/newlib/libc/stdlib/nano-mallocr.c @@ -333,14 +333,23 @@ void * nano_malloc(RARG malloc_size_t s) { p->size +=3D alloc_size; =20 - /* Remove chunk from free_list */ + /* Remove chunk from free_list. Since p !=3D NULL there= is + at least one chunk */ r =3D free_list; - while (r && p !=3D r->next) + if (r->next =3D=3D NULL) { - r =3D r->next; + /* There is only a single chunk, remove it */ + free_list =3D NULL; + } + else + { + /* Search for the chunk before the one to be remove= d */ + while (p !=3D r->next) + { + r =3D r->next; + } + r->next =3D NULL; } - r->next =3D NULL; - r =3D p; } else
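
Review bot: The new search loop in the else branch, "while (p != r->next)", has no NULL guard, so it only terminates safely if p is actually reachable from free_list. If it is not (for example after a chunk header has been overwritten), "r = r->next" eventually assigns NULL and the next evaluation of "r->next" reads through it, which is the same class of fault this change is meant to remove. The single-chunk branch has the matching assumption: "free_list = NULL" is executed without checking that the one chunk on the list is p. The added comment only says "Since p != NULL there is at least one chunk"; please state the full invariant the code depends on (p is on free_list and is its tail), or make the code defensive, e.g. loop on "while (r->next != NULL && p != r->next)" and treat the not-found case explicitly, and compare "r == p" before clearing free_list.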