3350. [bug] Memory read overrun in isc___mem_reallocate if
authorMark Andrews <marka@isc.org>
Tue, 17 Jul 2012 23:54:25 +0000 (09:54 +1000)
committerMark Andrews <marka@isc.org>
Tue, 17 Jul 2012 23:54:25 +0000 (09:54 +1000)
                        ISC_MEM_DEBUGCTX memory debugging flag is set.
                        [RT #30240]

CHANGES
lib/isc/mem.c

diff --git a/CHANGES b/CHANGES
index 015f9b3249d2710e31fefb3dac4fc089cf9d1a22..577100719e318569442b631bc68fd7ab8a5a0c5b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3350.  [bug]           Memory read overrun in isc___mem_reallocate if
+                       ISC_MEM_DEBUGCTX memory debugging flag is set.
+                       [RT #30240]
+
 3348.  [security]      prevent RRSIG data from being cached if a negative 
                        record matching the covering type exists at a higher 
                        trust level. Such data already can't be retrieved from 
index dac706d60fd57f58fdf812c9d27db11e1e4d49c3..64df00b33269dc2360bb909ece8459e0cf2d1974 100644 (file)
@@ -1405,7 +1405,11 @@ isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
                        oldsize = (((size_info *)ptr)[-1]).u.size;
                        INSIST(oldsize >= ALIGNMENT_SIZE);
                        oldsize -= ALIGNMENT_SIZE;
-                       copysize = oldsize > size ? size : oldsize;
+                       if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+                               INSIST(oldsize >= ALIGNMENT_SIZE);
+                               oldsize -= ALIGNMENT_SIZE;
+                       }
+                       copysize = (oldsize > size) ? size : oldsize;
                        memcpy(new_ptr, ptr, copysize);
                        isc__mem_free(ctx, ptr FLARG_PASS);
                }
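Review bot: The second `INSIST(oldsize >= ALIGNMENT_SIZE); oldsize -= ALIGNMENT_SIZE;` pair inside the new `ISC_MEM_DEBUGCTX` branch looks like an accidental duplicate of the lines just above it, and nothing in the hunk explains why the header size is subtracted twice. A comment on the branch would record the layout assumption, e.g. `/* DEBUGCTX allocations carry a second ALIGNMENT_SIZE header; strip it too so memcpy() never reads past the old block. */`. This presumably mirrors what the allocation path adds, which is not visible here. The branch also tests the global `isc_mem_debugging` at reallocation time, so `copysize` is only correct if the flag still has the value it had when `ptr` was allocated. It is worth confirming that the flag cannot change while allocations are live, or documenting that constraint next to the check. The body of `isc__mem_reallocate` starts and ends outside this hunk.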