From: Mark Andrews Date: Tue, 17 Jul 2012 23:54:25 +0000 (+1000) Subject: 3350. [bug] Memory read overrun in isc___mem_reallocate if X-Git-Tag: v9.6-ESV-R8b1~15 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=6439173dae6edce5ee29dea020cf8fa8199d79cb;p=thirdparty%2Fbind9.git 3350. [bug] Memory read overrun in isc___mem_reallocate if ISC_MEM_DEBUGCTX memory debugging flag is set. [RT #30240] --- diff --git a/CHANGES b/CHANGES index 015f9b3249d..577100719e3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +3350. [bug] Memory read overrun in isc___mem_reallocate if + ISC_MEM_DEBUGCTX memory debugging flag is set. + [RT #30240] + 3348. [security] prevent RRSIG data from being cached if a negative record matching the covering type exists at a higher trust level. Such data already can't be retrieved from diff --git a/lib/isc/mem.c b/lib/isc/mem.c index dac706d60fd..64df00b3326 100644 --- a/lib/isc/mem.c +++ b/lib/isc/mem.c @@ -1405,7 +1405,11 @@ isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) { oldsize = (((size_info *)ptr)[-1]).u.size; INSIST(oldsize >= ALIGNMENT_SIZE); oldsize -= ALIGNMENT_SIZE; - copysize = oldsize > size ? size : oldsize; + if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) { + INSIST(oldsize >= ALIGNMENT_SIZE); + oldsize -= ALIGNMENT_SIZE; + } + copysize = (oldsize > size) ? size : oldsize; memcpy(new_ptr, ptr, copysize); isc__mem_free(ctx, ptr FLARG_PASS); }
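Review bot: in the lib/isc/mem.c hunk, the new `if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)` block subtracts a second ALIGNMENT_SIZE from oldsize with no comment saying what that second unit accounts for, so the reason the old copysize was too large cannot be read from the code. A one-line comment above the block, stating that the stored size carries an extra ALIGNMENT_SIZE when the flag is set, would make that clear. The test also reads the global isc_mem_debugging at reallocation time; if that value can change between the original allocation and this call, oldsize would be off by ALIGNMENT_SIZE in one direction or the other and the memcpy length would be wrong again, so it is worth documenting or asserting that the flag is fixed before the first allocation. The two identical `INSIST(oldsize >= ALIGNMENT_SIZE); oldsize -= ALIGNMENT_SIZE;` pairs could also be folded into one by computing the header size first and checking oldsize against it once.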