From cf06645316e11077afbc9731693fd19e55619f59 Mon Sep 17 00:00:00 2001
From: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Fri, 18 Mar 2022 06:55:31 +0000
Subject: [PATCH] cheri: fix invalid pointer use after realloc in localealias

This code updates pointers to a reallocated buffer to point to the new
buffer.  It is not conforming (does arithmetics with freed pointers),
but it also creates invalid capabilities because the provenance is
derived from the original freed pointers instead of the new buffer.

Change the arithmetics so provenance is derived from the new buffer.
The conformance issue is not fixed.
---
 intl/localealias.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/intl/localealias.c b/intl/localealias.c
index b36092363ab..0401f35f9da 100644
--- a/intl/localealias.c
+++ b/intl/localealias.c
@@ -340,8 +340,10 @@ read_alias_file (const char *fname, int fname_len)
 
 			  for (i = 0; i < nmap; i++)
 			    {
-			      map[i].alias += new_pool - string_space;
-			      map[i].value += new_pool - string_space;
+			      map[i].alias = new_pool
+					     + (map[i].alias - string_space);
+			      map[i].value = new_pool
+					     + (map[i].value - string_space);
 			    }
 			}
 
-- 
2.47.2