libdwfl: Don't call realloc with zero in cu.c addraranges.

Calling realloc when naranges is zero will result is trying to free
aranges. If realloc does free aranges it returns NULL, which means
aranges is still assigned. This is likely not a problem, because in
most cases aranges will be NULL already. But if it was not and
naranges does turn out to be zero after reduction (which would be
invalid DWARF) we are left with a dangling pointer.

Signed-off-by: Mark Wielaard <mark@klomp.org>

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 1da888f6f9383b8071d64802d0b4cdd33a7f6e8b..3e19d9bd1ebeb63651b1db1d6efa146b23380a02 100644 (file)
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,7 @@
+2019-04-28  Mark Wielaard  <mark@klomp.org>
+
+       * cu.c (addrarange): Only call realloc when naranges is not zero.
+
 2019-03-27  Mark Wielaard  <mark@klomp.org>
 
        * dwfl_segment_report_module.c (dwfl_segment_report_module): Check

diff --git a/libdwfl/cu.c b/libdwfl/cu.c
index 94bfad8df22303109f0d94c5cf07891df1e6985d..4de66248bd2c8b00eae7c8add0bcb7acd006ac08 100644 (file)
--- a/libdwfl/cu.c
+++ b/libdwfl/cu.c
@@ -83,8 +83,11 @@ addrarange (Dwfl_Module *mod, Dwarf_Addr addr, struct dwfl_arange **arange)
 
       /* Store the final array, which is probably much smaller than before.  */
       mod->naranges = naranges;
-      mod->aranges = (realloc (aranges, naranges * sizeof aranges[0])
-                     ?: aranges);
+      if (naranges > 0)
+        mod->aranges = (realloc (aranges, naranges * sizeof aranges[0])
+                       ?: aranges);
+      else if (aranges != NULL)
+       free (aranges);
       mod->lazycu += naranges;
     }