Fix memory managament error in ntfs_inode_close. ntfs_extent_inode_open

allocates buffer for up to 4 extent inodes, to prevent many reallocates. But ntfs_inode_close always reallocate buffer to store exactly @nr_extents inodes. Bug will arise in following scenario: 1) ntfs_extent_inode_open (1 extent, allocate buffer for 4) 2) ntfs_extent_inode_open (2 extents, use already allocated buffer) 3) ntfs_inode_close(extent_ni) (1 extent, reallocate buffer for 1 extent) 4) ntfs_extent_inode_open (2 extents, don't reallocate buffer because it should be for 4 elements, but really it's for 1, write to unitialized space, segfault)
2005-07-02 13:58:02 +00:00 · 2005-07-02 13:58:02 +00:00 · b8e1188102
parent fbe45ebac6
commit b8e1188102
2 changed files with 6 additions and 1 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+xx/xx/xxxx - 1.10.1-WIP
+
+	- Fix memory managament error in ntfs_inode_close.  (Yura)
+
 20/06/2005 - 1.10.0 - Lots of new features, enhancements, and bug fixes.

 	- Add start_vcn parameter to ntfs_get_size_for_mapping_pairs() and
--- a/libntfs/inode.c
+++ b/libntfs/inode.c
@ -255,7 +255,8 @@ int ntfs_inode_close(ntfs_inode *ni)
 			 */
 			if (--base_ni->nr_extents) {
 				/* Resize the memory buffer. */
-				tmp_nis = realloc(tmp_nis, base_ni->nr_extents *
+				tmp_nis = realloc(tmp_nis, ((base_ni->
+						  nr_extents + 3) & ~3) *
 						  sizeof(ntfs_inode *));
 				/* Ignore errors, they don't really matter. */
 				if (tmp_nis)