From: Adhemerval Zanella
Date: Fri, 18 Apr 2025 13:08:21 +0000 (-0300)
Subject: malloc: Fix UB in malloc-debug
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fd666fb4bfb5843e7e51bf8a36a19885b1b9e59;p=thirdparty%2Fglibc.git

malloc: Fix UB in malloc-debug

Multiple tests fail when malloc-debug is built with ubsan:

UBSAN: Undefined behaviour in malloc-debug.c:231:24 applying non-zero offset to a NULL pointer

The main issue is it tries to apply DUMPED_MAIN_ARENA_CHUNK or for mem2chunk for NULL pointers.
---

diff --git a/malloc/malloc-debug.c b/malloc/malloc-debug.c
index d208aa32a3..2edefad2f0 100644
--- a/malloc/malloc-debug.c
+++ b/malloc/malloc-debug.c
@@ -202,7 +202,7 @@ __debug_free (void *mem)
 if (__is_malloc_debug_enabled (MALLOC_MCHECK_HOOK))
 mem = free_mcheck (mem);
- if (DUMPED_MAIN_ARENA_CHUNK (mem2chunk (mem)))
+ if (mem != NULL && DUMPED_MAIN_ARENA_CHUNK (mem2chunk (mem)))
 /* Do nothing. */;
 else if (__is_malloc_debug_enabled (MALLOC_CHECK_HOOK))
 free_check (mem);
@@ -227,7 +227,7 @@ __debug_realloc (void *oldmem, size_t bytes)
 if ((!__is_malloc_debug_enabled (MALLOC_MCHECK_HOOK)
 || !realloc_mcheck_before (&oldmem, &bytes, &oldsize, &victim)))
 {
- mchunkptr oldp = mem2chunk (oldmem);
+ mchunkptr oldp = oldmem != NULL ? mem2chunk (oldmem) : NULL;
 /* If this is a faked mmapped chunk from the dumped main arena,
 always make a copy (and do not free the old chunk). */
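Review bot: The added `mem != NULL` guard in __debug_free carries no comment, and the reason for it — that mem2chunk applies an offset to its argument, which is exactly the undefined behaviour the commit message reports — is not visible at the call site, so a later reader may drop the check as redundant. A one-line comment such as `/* mem2chunk applies an offset to MEM, so NULL must not reach it; a NULL MEM falls through to the free_check/__libc_free branches below.  */` above the condition would record that, and it relies on those two callees tolerating NULL, which is not visible in this hunk and should be confirmed. The same guard appears in __debug_realloc in the second hunk (`oldmem != NULL ? mem2chunk (oldmem) : NULL`), where oldp is presumably later handed to DUMPED_MAIN_ARENA_CHUNK; it is worth confirming that macro does no arithmetic on its argument, since a NULL oldp is now a reachable value there. The body of __debug_free continues outside the hunk, and the second hunk is truncated in this view.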