cheri: fix invalid pointer use after realloc in localealias

This code updates pointers to a reallocated buffer to point to the new
buffer.  It is not conforming (does arithmetics with freed pointers),
but it also creates invalid capabilities because the provenance is
derived from the original freed pointers instead of the new buffer.

Change the arithmetics so provenance is derived from the new buffer.
The conformance issue is not fixed.

diff --git a/intl/localealias.c b/intl/localealias.c
index b36092363abe45d9b9cd0b74c6b52e2557828cfa..0401f35f9da8ca383b6c905a9f569e19b3b12980 100644 (file)
--- a/intl/localealias.c
+++ b/intl/localealias.c
@@ -340,8 +340,10 @@ read_alias_file (const char *fname, int fname_len)
 
                          for (i = 0; i < nmap; i++)
                            {
-                             map[i].alias += new_pool - string_space;
-                             map[i].value += new_pool - string_space;
+                             map[i].alias = new_pool
+                                            + (map[i].alias - string_space);
+                             map[i].value = new_pool
+                                            + (map[i].value - string_space);
                            }
                        }