3350. [bug] Memory read overrun in isc___mem_reallocate if
authorMark Andrews <marka@isc.org>
Tue, 17 Jul 2012 23:53:50 +0000 (09:53 +1000)
committerMark Andrews <marka@isc.org>
Tue, 17 Jul 2012 23:53:50 +0000 (09:53 +1000)
                        ISC_MEM_DEBUGCTX memory debugging flag is set.
                        [RT #30240]

CHANGES
lib/isc/mem.c

diff --git a/CHANGES b/CHANGES
index f9ef90b27b9296478b7200bc7b6b5207a11e298b..6fcf53d8c3c53966251b1af4154ea8a38da7fa8c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3350.  [bug]           Memory read overrun in isc___mem_reallocate if
+                       ISC_MEM_DEBUGCTX memory debugging flag is set.
+                       [RT #30240]
+
 3348.  [security]      prevent RRSIG data from being cached if a negative 
                        record matching the covering type exists at a higher 
                        trust level. Such data already can't be retrieved from 
index 17167b754c5bde4a2d3b57df7ab9898462097d9d..271ead3fe797706c13a23613791d3ad979435e73 100644 (file)
@@ -1592,7 +1592,11 @@ isc___mem_reallocate(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
                        oldsize = (((size_info *)ptr)[-1]).u.size;
                        INSIST(oldsize >= ALIGNMENT_SIZE);
                        oldsize -= ALIGNMENT_SIZE;
-                       copysize = oldsize > size ? size : oldsize;
+                       if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+                               INSIST(oldsize >= ALIGNMENT_SIZE);
+                               oldsize -= ALIGNMENT_SIZE;
+                       }
+                       copysize = (oldsize > size) ? size : oldsize;
                        memcpy(new_ptr, ptr, copysize);
                        isc__mem_free(ctx0, ptr FLARG_PASS);
                }
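Review bot: The second `oldsize -= ALIGNMENT_SIZE` under `ISC_MEM_DEBUGCTX` has no comment saying what the extra unit accounts for, so it reads like an accidental duplicate of the three lines above it. Presumably the allocation path prepends a second `size_info` header in this mode and the stored size includes it; a comment such as `/* DEBUGCTX allocations carry a second size_info header; exclude it from the copy length */` would pin that down. The result is only correct if `isc_mem_debugging` has the same value here as when `ptr` was allocated, which is worth stating in that comment or asserting, since a mismatch would either bring back the over-read in `memcpy` or truncate the copy. The body of `isc___mem_reallocate` starts and ends outside the hunk, so the matching allocation code is not visible here.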